|Available for||User roles||Super Admin, Admin, Team Member, Limited Team Member
Super Admin and Admin for GDPR setup and data request report
Before proceeding, note that Lever does not give legal advice. This article pertains to the data request functionality in the LeverTRM platform only. We advise contacting your organization's legal counsel for any questions related to data handling practices.
Under the General Data Protection Regulation (GDPR), candidates have the right to make requests pertaining to any data you have obtained from them through Lever. If you have set up GDPR or localized data compliance for your LeverTRM environment, candidates can make data requests via the consent link (or unsubscribe link for organizations relying on legitimate interest) that they receive as part their application process. Readers of this article will learn about:
- Data request types
- How candidates submit data requests
- Resolving requests to view data
- Resolving requests to edit data
- Resolving requests to remove data
- Reviewing all open and closed data requests
To learn how to set up data privacy configurations in your Lever environment, refer to the following help articles:
- Configuring General Data Protection Regulation (GDPR) settings
- Configuring localized data compliance settings
Data request types
There are three types of data requests that a candidate can make:
Request to view
This is a candidate's request to receive a copy of all of their personal information associated with your LeverTRM instance. In your in-app reports, this is classified as an 'Access' request type.
Request to edit
This a candidate's request to change their personal information in your LeverTRM instance. In your in-app reports, this is classified as a 'Rectification' request type.
Request to be removed
This is a candidate's request to remove all of their personal information from your LeverTRM instance and cease all contact about jobs. In your in-app reports, this is classified as an 'Erasure' request type.
How candidates submit data requests
If GDPR or localized data compliance is set up in your LeverTRM environment, candidates will receive either a consent link or an unsubscribe link when they apply to a posting, depending on how the 'lawful basis' setting is configured. Clicking the link will bring the candidate to a Lever-hosted page where they can configure their preferences. If the candidate clicks the Your Data tab, they will be presented with options to submit any of the three types of data requests listed above.
When a candidate submits a data request, they will receive confirmation that their request has been submitted. The owner of the opportunity associated with the candidate in your LeverTRM environment will be notified via email as well as in Lever that a data request has been submitted. A banner will be appear on the candidate profile of any candidate that has a pending data request. Read on for instructions on how to resolve each type of data request.
Data requests and contact permissions
As soon as a candidate submits a request revoking their consent to be contacted, Lever will automatically cancel any pending Nurture touchpoints or delayed send emails for that candidate. Lever will also issue a warning to users that attempt to start a Nurture campaign or attempt to send an email to a candidate that has a pending data request to revoke consent or where legitimate interest has expired.
Resolving requests to view data
To resolve a candidate's request to access their personal data, click the Resolve drop-down menu in the banner at the top of their profile and select the option to Send personal data.
An email draft to the candidate will automatically be generated, containing the following information from all opportunities associated with the candidate:
- Candidate Name
- Phone Number
- Responses to application questions
- Application comments (e.g. cover letters)
You can add or remove details as needed in the draft before sending the email. Once the email has been sent, click back into the Resolve drop-down menu and select Mark as resolved to make the banner disappear. If a candidate has submitted multiple requests to view their data, you will need to repeat the process of marking as resolved for each additional request in order to make the banner disappear.
Resolving requests to edit data
To resolve a candidate's request to update their information, click the View note link in the banner at the top of their profile to see the details about the update that they are requesting.
Once you have made the necessary changes to their profile, click the Mark as resolved button in the banner. We advise that you also email the candidate to let them know that you have updated their information as requested.
Resolving requests to remove data
When a candidate submits a request to have their personal information removed from your LeverTRM environment, two banners will appear at the top of their candidate profile. To resolve the request, click the Anonymize button in the lower banner. A pop-up will appear summarizing the information that will be anonymized and prompting you to confirm the action.
When a candidate's profile has been anonymized, their personal information will be removed from your LeverTRM environment in accord with your data compliance configuration.
- If you have GDPR enabled, all personally identifiable information related to the candidate will be removed from the frontend and backend of the system.
- If you have localized data compliance enabled, all personally identifiable information related to the candidate will be removed from the frontend of the system; only those personally identifiable fields that you have selected for anonymization based on the location of the posting associated with the candidate's opportunity will be removed from the backend system.
In all cases, non-identifiable information related to the candidate such as notes, interview feedback, and events data are retained on the backend of your Lever instance, and can be accessed via Lever's Data API. Data from these non-identifiable fields will continue to be drawn from for analytics associated with your LeverTRM environment. For a full breakdown of data that is deleted and retained when a candidate is anonymized, refer to our help article on candidate anonymization.
Following anonymization of a candidate's profile, any field in your LeverTRM environment where their name previously appeared (including the pipeline opportunity list and reports) will be replaced with "Anonymized candidate."
If a candidate returns to the consent or unsubscribe link after their profile has been anonymized, they will be presented with a notice that the link is no longer active and confirmation that your organization has deleted their data.
In the image above, 'Lever' would read as your organization's name.
||Candidates do not receive a notification when their data is anonymized. Since anonymization can also makes the candidate's email address inaccessible to users in your LeverTRM environment, we advise that those wishing to send confirmation to the candidate that their data has been deleted either contact the candidate before initiating anonymization or copy the candidate's email address and email them outside of Lever once anonymization is complete.|
Reviewing all open and closed data requests
Super Admins and Admins can view all open and closed data requests via their in-app reports. Talent leaders may find this degree of visibility useful in order to ensure that their teams are resolving all open data requests in a timely manner. The location of the data requests report differs depending on which in-app reporting view you are using.
To review data requests in Legacy Reports, select Data requests under the Compliance heading in the left-side navigation menu.
To review data requests in Visual Insights, select the Compliance dashboard in the dashboard menu. To learn more, refer to our help article on the Compliance dashboard.
To learn about the difference between Legacy Reports and Visual Insights, check out our in-app analytics transition guide.