Configuring General Data Protection Regulation (GDPR) settings

Available for Roles Super Admin
Permissions • Manage company settings
Packages Lever Basic, LeverTRM, LeverTRM for Enterprise

General Data Protection Regulation (GDPR) is a regulation on data protection and privacy applicable to countries in the European Union (EU). In order to maintain compliance with GDPR for roles for which you hire in the EU, Lever allows you to configure settings related to data handling including:

  • Capturing candidates' consent for data collection when they apply for jobs and notifying them of processing activities
  • Defining retention periods for candidate data
  • Surfacing candidates' consent status on their profile
  • Using legitimate interest as a lawful basis for data handling in place of consent

This article will walk you through the steps for configuring GDPR in your Lever environment, in order to support your organization’s data compliance procedures. For help determining which configuration settings are best for your organization, we advise consulting legal counsel.

Configuring GDPR

To configure GDPR settings in your Lever environment:

  • Navigate to Settings > Company > Compliance and scroll to the 'General Data Protection Regulation' heading
  • Click the Set up GDPR button
    • If you have already set up GDPR and you are returning to change your existing configuration, click the Edit configuration button on the GDPR tile.

Close up of set up GDPR button in Lever Settings


If you have any country-specific data compliance configurations enabled in your 'Data compliance' settings at the time that you set up GDPR, those configurations will be automatically disabled once GDPR is enabled. To learn more, refer to our help article on understanding the difference between Data compliance and GDPR settings.

In the GDPR editor, configure the following fields:

Who does it apply to?

Define which candidates are protected by GDPR. Select from the following options:

  • Only candidates and jobs located in the EU
  • Candidates and jobs located in the EU & unknown locations
  • All candidates (regardless of their current location)

Configure GDPR policy application field

For GDPR purposes, Lever uses IP address geolocating to determine where candidates are when they submit their application. This information is then used to determine if GDPR should be applied depending on the location of the candidate. Candidates that do not apply through a job posting (i.e. are candidates that are sourced, referred, or manually added) likely will not have a location set on their profile. If this is the case, anyone with access to the profile will be able to set the location value for the candidate. If Lever does not detect a location for the candidate, their location value will be recorded as "Unknown location." Depending on the candidates you have defined as protected by GDPR, you may want to reach out directly to candidates with unknown locations to get explicit consent to process their data. 

Lawful basis

GDPR requires that your organization has lawful basis to process candidates' data. You always have legitimate interest to process the data of candidates in the active part of your pipeline. For archived candidates, you need to specify the lawful basis upon which you handle their data. Select from the following lawful basis options for handling archived candidate data:

  • Use candidate consent - candidates must explicitly consent to your organizations' processing of their data
  • Rely on legitimate interest - your organization's legal counsel has determined that you have legitimate interest to store archived candidate data without their consent

Lawful basis radio buttons

For each option, you will need to define the point at which consent or legitimate interest expires. When defining lawful basis, you can also include a link to your organization's privacy policy. This link will appear to candidates above the 'Submit Application' button on the application form.

Preview of how consent prompt and privacy policy appear on application form when candidate consent is used as the lawful basis.

Candidate consent

If you use candidate consent as your lawful basis, owners of opportunities associated with candidates whose consent is about to expire will receive a reminder one month before the expiration date to refresh consent. Note that changes made to the consent timeframe after a candidate has applied to a job will not be reflected retroactively. For example, if you were to define a consent timeframe of 2 years and then later change the timeframe to 1 year, the consent of candidates that applied before the change was made would still have any expiry date of 2 years from their time of application. 

Consent expiry timeframe field


If you use Lever's Postings API to power a custom job site, you can submit candidate consent using the 'consent' and 'ip' fields. For more information, refer to our Postings API documentation.

If your organization needs to retain candidates' personal information for an additional time period beyond the point of consent expiration, they can configure this by selecting a time period from the 'Additional retention period' menu.

Additional retention period menu

Legitimate interest

If you use legitimate interest as your lawful basis, owners of opportunities associated with candidates whose interest has expired will receive a reminder to anonymize the candidates' data.

Legitimate interest timeframe field

Anonymized candidates

Configure the degree of anonymization that you want Lever to apply to candidates' email addresses by selecting one of the following options:

  • Store a hashed value of the anonymized candidate's email address
  • Do not store a hashed value of the anonymized candidate's email address

Anonymized candidates radio button options

Selecting the option to not store a candidate's email address as a hashed value will result in complete and permanent deletion of candidates' email addresses when they are anonymized. Storing a candidate's email as a hashed value keeps the candidate's email on file in an unreadable format, and will only ever resurface if a new opportunity is created with the same email address in association with a candidate that previously requested the deletion of their data. For a more detailed breakdown, refer to our help article on anonymizing opportunities.

Was this article helpful?
0 out of 0 found this helpful