|Available for||User roles||Super Admin|
||The mutual exclusivity between 'Data compliance' and 'GDPR' settings referenced in this article is part of the off-cycle Fall 2022 Product Release, scheduled for progressive rollout starting in December 2022. For more information on the Fall 2022 release, keep an eye on our Product Release Notes.|
General Data Protection Regulation (GDPR) is a regulation on data protection and privacy applicable to countries in the European Union (EU). In order to maintain compliance with GDPR for roles for which you hire in the EU, Lever allows you to configure settings related to data handling including:
- Capturing candidates' consent for data collection when they apply for jobs and notifying them of processing activities
- Defining retention periods for candidate data
- Surfacing candidates' consent status on their profile
- Using legitimate interest as a lawful basis for data handling in place of consent
This article will walk you through the steps for configuring GDPR in your Lever environment, in order to support your organization’s data compliance procedures. For help determining which configuration settings are best for your organization, we advise consulting legal counsel.
||GDPR can only be configured by users with Super Admin access.|
To configure GDPR settings in your Lever environment:
- Navigate to Settings > Company > Compliance and scroll to the 'General Data Protection Regulation' heading
- Click the Set up GDPR button
- If you have already set up GDPR and you are returning to change your existing configuration, click the Edit configuration button on the GDPR tile.
||If you have any country-specific data compliance configurations enabled in your 'Data compliance' settings at the time that you set up GDPR, those configurations will be automatically disabled once GDPR is enabled. To learn more, refer to our help article on understanding the difference between Data compliance and GDPR settings.|
In the GDPR editor, configure the following fields:
Who does it apply to?
Define which candidates are protected by GDPR. Select from the following options:
- Only candidates and jobs located in the EU
- Candidates and jobs located in the EU & unknown locations
- All candidates (regardless of their current location)
For GDPR purposes, Lever uses IP address geolocating to determine where candidates are when they submit their application. This information is then used to determine if GDPR should be applied depending on the location of the candidate. Candidates that do not apply through a job posting (i.e. are candidates that are sourced, referred, or manually added) likely will not have a location set on their profile. If this is the case, anyone with access to the profile will be able to set the location value for the candidate. If Lever does not detect a location for the candidate, their location value will be recorded as "Unknown location." Depending on the candidates you have defined as protected by GDPR, you may want to reach out directly to candidates with unknown locations to get explicit consent to process their data.
GDPR requires that your organization has lawful basis to process candidates' data. You always have legitimate interest to process the data of candidates in the active part of your pipeline. For archived candidates, you need to specify the lawful basis upon which you handle their data. Select from the following lawful basis options for handling archived candidate data:
- Use candidate consent - candidates must explicitly consent to your organizations' processing of their data
- Rely on legitimate interest - your organization's legal counsel has determined that you have legitimate interest to store archived candidate data without their consent
If you use candidate consent as your lawful basis, owners of opportunities associated with candidates whose consent is about to expire will receive a reminder one month before the expiration date to refresh consent. Note that changes made to the consent timeframe after a candidate has applied to a job will not be reflected retroactively. For example, if you were to define a consent timeframe of 2 years and then later change the timeframe to 1 year, the consent of candidates that applied before the change was made would still have any expiry date of 2 years from their time of application.
||If you use Lever's Postings API to power a custom job site, you can submit candidate consent using the 'consent' and 'ip' fields. For more information, refer to our Postings API documentation.|
If your organization needs to retain candidates' personal information for additional time period beyond the point of consent expiration, they can configure this by selecting a time period from the 'Additional retention period' menu.
If you use legitimate interest as your lawful basis, owners of opportunities associated with candidates whose interest has expired will receive a reminder to anonymize the candidates' data.
Configure the degree of anonymization that you want Lever to apply to candidates' email addresses by selecting one of the following options:
- Store a hashed value of the anonymized candidate's email address
- Do not store a hashed value of the anonymized candidate's email address
Selecting the option to not store a candidate's email address as a hashed value will result in complete and permanent deletion of candidates' email addresses when they are anonymized. Storing a candidate's email as a hashed value keeps the candidate's email on file in an unreadable format, and will only ever resurface if a new opportunity is created with the same email address in association with a candidate that previously requested the deletion of their data. For a more detailed breakdown, refer to our help article on anonymizing opportunities.