How do I configure Lever for GDPR compliance?

Available for
  • User roles: Can only be configured by Super Admins
  • Packages: Select Lever Packages


This article describes how to configure GDPR settings in Lever to support your company’s compliance needs. For help determining which configuration settings are best for your business, it is best to consult legal counsel.

Lever is committed to providing flexible tools to allow our customers to configure our GDPR features to best meet their compliance needs. If the GDPR does not apply to you, there is no need to set anything up! This article shows how to configure Lever to support GDPR compliance by:

  • Collecting upfront consent from candidates when they apply & providing notice of processing activities
  • Setting how long you want to keep candidate data
  • Surfacing consent status on the candidate profile
  • Choosing to rely on legitimate interest instead of consent

Once set up, you'll be collecting consent from candidates, and will be able to:


All of these are configured through one tab in Lever. To set up your account for GDPR compliance, start by navigating to the Company Settings page:


Click on the "Compliance" tab to be brought to the General Data Protection Regulation section. From there, click "Setup GDPR" to begin the process.

1. Who is protected?


First, you’ll need to specify which candidates to apply GDPR protections to. Your three options are:

  • Only candidates and jobs located in the EU
  • Candidates and jobs located in the EU and unknown locations
  • All candidates (regardless of their current location)

For GDPR purposes, Lever uses IP address geo-locating to determine where candidates are when they submit their application. This information is then used to determine if they are in the EU, and to apply your settings accordingly. Candidates who do not apply through a job posting (i.e. are sourced, referred, or manually added) likely will not have a location set on their profile; anyone with access to the profile will be able to set this value on the candidate profile itself.


If no location is detected, they’ll fall into the “Unknown locations” category. You may want to reach out to these candidates to explicitly get consent to process their data.

Once you’ve set who the GDPR protections apply to, you’re ready to define what those protections actually are.

2. How do I set my lawful basis to process candidate data?

The GDPR requires that companies have a 'lawful basis' to process an individual's data. Within the context of Lever, that could be either explicit consent, or legitimate interest. Once your organization has determined which lawful basis you'll rely on, all you need to do is select the appropriate option:


Depending on your selection, navigate to the correct section below to complete setup.

Legitimate interest

Your legal team may have decided to rely on legitimate interest instead of consent. If that's the case, you'll want to select "Rely on legitimate interest" under "Lawful basis":


Once that's done, you'll need to determine how long your 'legitimate interest' lasts for. This represents the amount of time after a candidate becomes inactive. Once legitimate interest for a candidate expires, you'll be prompted to anonymize or delete their data.

After you set the expiration period, the last step is to add the link to your privacy policy that will appear on your postings. It will appear as a link just above the "Submit Application" button. Be sure to include the https:// before your link! For further guidance, here’s a helpful article about Privacy policies under the GDPR.


This privacy policy will also be added as a link on the 'consent link' page to which candidates are directed. More information on this can be found here.

Now you're all set! If relying on legitimate interest, you do not need to complete the remaining steps.

Collecting consent

This setting determines how long the consent you gather from candidates lasts for:


This time starts the moment the candidate provides consent, and ends when your set timeframe expires. The text to the right of the consent checkbox on the posting’s application page will display the timeframe:


If a candidate applies when you have Lever set to store consent for a specific timeframe, changing your settings will not impact the retention time for that candidate. Any settings changes will not retroactively update candidates who have already given their consent.


If you use Lever's Postings API to power a custom jobs site, you can submit candidate consent using the 'consent' and 'ip' fields. See our Postings API documentation for more information.

Adding a privacy policy when collecting consent:

Next, you’ll be prompted to add the URL for your privacy policy that will serve as notice of your processing activities. It will appear directly under the checkbox asking for consent. For further guidance, here’s a helpful article about Privacy policies under the GDPR.


This privacy policy will also be added as a link on the 'consent link' page to which candidates are directed. More information on this can be found here.

Here’s a screenshot of what your job posting applications will look like once you’ve set your consent timeframe and privacy policy link:


Keeping data after consent expires:


If you are collecting consent, it’s time to set the data retention timeframe. This can be a bit confusing as it is different from the consent timeframe. Once a candidate’s consent timeframe lapses, or they are archived, the GDPR mandates that you can only keep the data if you have a valid legal or business reason.

If your organization determines that you do have a valid reason to preserve the data after the consent period has lapsed, you’ll need to determine how long you will keep the data and enter that into your GDPR configuration settings.

Under “Data retention”, simply click into the “Additional retention period” dropdown, and select one of the options. At the end of this timeframe, the candidates will be surfaced to a user for action.

Anonymize candidates

Lever makes it easy for you to stay compliant with global consumer privacy legislation by granting your company more granular control for how candidate personal information is processed upon profile anonymization.


You must select how Lever should handle an anonymized candidate's email address once it is removed upon anonymization. Here are your options:

  • Store a hashed value of the anonymized candidate's email address
  • Do not store a hashed value of the anonymized candidate's email address

This setting will allow your company to choose to skip the generation of a hashed string from a candidate’s deleted email address when the anonymize action is performed on an opportunity in Lever. This will lead to a complete and permanent deletion of a candidate's email address, including hashed data.

To learn how to anonymize candidates in Lever, check out our help article.

Now you're all set! For more information on how the consent status displays on the candidate profile, see: How do I see a candidate’s consent status on the candidate profile?
