Available for user roles: Super Admin
General Data Protection Regulation (GDPR) is a regulation on data protection and privacy applicable to countries in the European Union (EU). In order to maintain compliance with GDPR for roles for which you hire in the EU, Lever allows you to configure settings related to data handling including:
- Capturing candidates' consent for data collection when they apply for jobs and notifying them of processing activities
- Defining retention periods for candidate data
- Surfacing candidates' consent status on their profile
- Using legitimate interest as a lawful basis for data handling in place of consent
This article will walk you through the steps for configuring GDPR in your Lever environment, in order to support your organization’s data compliance procedures. For help determining which configuration settings are best for your organization, we advise consulting legal counsel.
GDPR can only be configured by users with Super Admin access.
To configure GDPR settings in your Lever environment:
- Navigate to Settings > Company > Compliance and scroll to the 'General Data Protection Regulation' heading
- Click the Set up GDPR button
- If you have already set up GDPR and you are returning to change your existing configuration, click the Edit configuration button on the GDPR tile.
In the GDPR editor, configure the following fields:
Who does it apply to?
Define which candidates are protected by GDPR. Select from the following options:
- Only candidates and jobs located in the EU
- Candidates and jobs located in the EU & unknown locations
- All candidates (regardless of their current location)
For GDPR purposes, Lever uses IP address geolocation to determine where candidates are when they submit their application. This information is then used to determine whether GDPR should be applied, depending on the location of the candidate. Candidates that do not apply through a job posting (i.e. candidates that are sourced, referred, or manually added) likely will not have a location set on their profile. If this is the case, anyone with access to the profile will be able to set the location value for the candidate. If Lever does not detect a location for the candidate, their location value will be recorded as "Unknown location." Depending on the candidates you have defined as protected by GDPR, you may want to reach out directly to candidates with unknown locations to get explicit consent to process their data.
GDPR requires that your organization has lawful basis to process candidates' data. You always have legitimate interest to process the data of candidates in the active part of your pipeline. For archived candidates, you need to specify the lawful basis upon which you handle their data. Select from the following lawful basis options for handling archived candidate data:
- Use candidate consent - candidates must explicitly consent to your organization's processing of their data
- Rely on legitimate interest - your organization's legal counsel has determined that you have legitimate interest to store archived candidate data without their consent
If you wish to define country-specific data retention settings (that supersede the global GDPR configuration), you can do so via Settings > Data compliance. To learn more, check out our help article on setting up localized data retention settings.
If you use candidate consent as your lawful basis, owners of opportunities associated with candidates whose consent is about to expire will receive a reminder one month before the expiration date to either refresh consent. Note that changes made to the consent timeframe after a candidate has applied to a job will not be applied retroactively. For example, if you were to define a consent timeframe of 2 years and then later change the timeframe to 1 year, the consent of candidates that applied before the change was made would still have an expiry date of 2 years from their time of application.
If you use Lever's Postings API to power a custom job site, you can submit candidate consent using the 'consent' and 'ip' fields. For more information, refer to our Postings API documentation.
If your organization needs to retain candidates' personal information for an additional time period beyond the point of consent expiration, you can configure this by selecting a time period from the 'Additional retention period' menu.
If you use legitimate interest as your lawful basis, owners of opportunities associated with candidates whose interest has expired will receive a reminder to anonymize the candidates' data.
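The consent lifecycle described above (expiry computed from the timeframe in force when the candidate applied, a reminder one month before expiry, an optional additional retention period, and no retroactive effect when the timeframe is later changed) is easier to reason about as a small model. The following Python is an added illustration written for this article, not Lever's code; the `ConsentRecord`, `GdprPolicy` and `actions_due` names and the sample candidates are assumptions constructed for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List


def shift_months(d: date, months: int) -> date:
    """Move a date by whole months, clamping to the last valid day of the target month."""
    total = d.year * 12 + (d.month - 1) + months
    year, month = divmod(total, 12)
    month += 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class ConsentRecord:
    """Consent captured when a candidate applies (hypothetical record shape).

    consent_months is frozen from the policy in force at application time,
    which is why a later change to the global timeframe does not move this
    record's expiry date.
    """
    candidate: str
    applied_on: date
    consent_months: int
    additional_retention_months: int = 0

    @property
    def consent_expires_on(self) -> date:
        return shift_months(self.applied_on, self.consent_months)

    @property
    def reminder_on(self) -> date:
        # The opportunity owner is reminded one month before expiry.
        return shift_months(self.consent_expires_on, -1)

    @property
    def retention_ends_on(self) -> date:
        # Personal data may be kept for the additional retention period after expiry.
        return shift_months(self.consent_expires_on, self.additional_retention_months)


@dataclass
class GdprPolicy:
    """The global configuration as it stands today (hypothetical)."""
    consent_months: int
    additional_retention_months: int = 0

    def record_application(self, candidate: str, applied_on: date) -> ConsentRecord:
        # Snapshot the current timeframe into the record; later edits to the policy
        # affect only applications received after the edit.
        return ConsentRecord(candidate, applied_on,
                             self.consent_months, self.additional_retention_months)


def actions_due(records: Iterable[ConsentRecord], today: date) -> Dict[str, List[str]]:
    """Classify records for a given day: remind, expired (still in retention), or anonymize."""
    out: Dict[str, List[str]] = {"remind": [], "expired": [], "anonymize": []}
    for r in records:
        if today >= r.retention_ends_on:
            out["anonymize"].append(r.candidate)
        elif today >= r.consent_expires_on:
            out["expired"].append(r.candidate)
        elif today >= r.reminder_on:
            out["remind"].append(r.candidate)
    return out


if __name__ == "__main__":
    # Constructed scenario: a 2-year timeframe later shortened to 1 year.
    policy = GdprPolicy(consent_months=24)
    alice = policy.record_application("alice", date(2023, 1, 31))
    policy.consent_months = 12
    bob = policy.record_application("bob", date(2023, 6, 15))
    print(alice.consent_expires_on, bob.consent_expires_on)  # alice keeps the 2-year expiry
    print(actions_due([alice, bob], date(2024, 6, 1)))
```

Because the timeframe is copied into each record rather than looked up at evaluation time, shortening the global setting from 24 to 12 months leaves Alice's expiry untouched while Bob, who applied after the change, gets the shorter window; this is exactly the non-retroactive behaviour the article describes.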
Configure the degree of anonymization that you want Lever to apply to candidates' email addresses by selecting one of the following options:
- Store a hashed value of the anonymized candidate's email address
- Do not store a hashed value of the anonymized candidate's email address
Selecting the option to not store a candidate's email address as a hashed value will result in complete and permanent deletion of candidates' email addresses when they are anonymized. Storing a candidate's email as a hashed value keeps the candidate's email on file in an unreadable format, and will only ever resurface if a new opportunity is created with the same email address in association with a candidate that previously requested the deletion of their data. For a more detailed breakdown, refer to our help article on anonymizing opportunities.
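To make the difference between the two email options concrete, the following Python models what each choice leaves behind after anonymization and how a stored hash can later recognise a returning address without the plaintext ever being kept. This is an added illustration written for this article, not Lever's implementation; the `Candidate`, `anonymize` and `matches_prior_deletion` names, the keyed-hash scheme and the `PEPPER` value are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed pepper for this illustration only; a deployment would load it from a secret store.
PEPPER = b"example-pepper-not-for-production"


def normalize_email(email: str) -> str:
    """Canonicalize so that case and surrounding whitespace do not defeat matching."""
    return email.strip().lower()


def hash_email(email: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized address.

    A keyed hash is used here because email addresses are low-entropy strings;
    an unkeyed digest of a guessable value offers little protection on its own.
    """
    return hmac.new(pepper, normalize_email(email).encode(), hashlib.sha256).hexdigest()


@dataclass
class Candidate:
    """Hypothetical profile shape: only the fields the example needs."""
    name: Optional[str]
    email: Optional[str]
    email_hash: Optional[str] = None
    deletion_requested: bool = False
    anonymized: bool = False


def anonymize(c: Candidate, store_hash: bool) -> Candidate:
    """Apply one of the two configuration options from the article.

    store_hash=True  -> keep an unreadable keyed hash of the address, drop the plaintext.
    store_hash=False -> delete the address completely; nothing about it is retained.
    """
    c.email_hash = hash_email(c.email) if (store_hash and c.email) else None
    c.name = None
    c.email = None
    c.anonymized = True
    return c


def matches_prior_deletion(new_email: str, archive: Iterable[Candidate]) -> bool:
    """Check a newly created opportunity's address against anonymized records.

    Returns True only when an anonymized candidate who requested deletion left a
    stored hash that matches; with the 'do not store' option nothing can match.
    """
    candidate_hash = hash_email(new_email)
    return any(
        c.anonymized and c.deletion_requested and c.email_hash is not None
        and hmac.compare_digest(c.email_hash, candidate_hash)
        for c in archive
    )


if __name__ == "__main__":
    # Constructed records.
    ada = anonymize(Candidate("Ada", "Ada@Example.com", deletion_requested=True), store_hash=True)
    bob = anonymize(Candidate("Bob", "bob@example.com", deletion_requested=True), store_hash=False)
    print(ada.email, ada.email_hash is not None)          # None True
    print(bob.email, bob.email_hash)                       # None None
    print(matches_prior_deletion(" ADA@example.com ", [ada, bob]))  # True
    print(matches_prior_deletion("bob@example.com", [ada, bob]))    # False
```

With the hash retained, a new opportunity for the same address can be flagged as belonging to someone who previously asked for deletion even though the address itself is gone; with the address fully deleted, that recognition is impossible, which is the trade-off the two options express.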