General Data Protection Regulation

Recruitment Marketing Public


This document outlines at a high-level how Recruitment Marketing is compatible with the European Union General Data Protection Regulation (GDPR).

The introduction of the GDPR had a significant impact on data protection law in Europe, strengthening the rights of individuals and increasing the obligations on organisations.

The law will gave individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations. The GDPR also imposed corresponding and greatly increased obligations on organisations that collect this data.

Personal data is any information that can identify an individual person. This includes a name, an ID number, location data (for example, location data collected by a mobile phone) or a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

The GDPR is based on the core principles of data protection which exist under the current law. These principles require organisations and businesses to:

  • collect no more data than is necessary from an individual for the purpose for which it will be used;
  • obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose;
  • retain the data for no longer than is necessary for that specific purpose;
  • to keep data safe and secure; and
  • provide an individual with a copy of his or her personal data if they request it.

Under the GDPR individuals have the significantly strengthened rights to:

  • obtain details about how their data is processed by an organisation or business;
  • obtain copies of personal data that an organisation holds on them;
  • have incorrect or incomplete data corrected;
  • have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data;
  • obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability);
  • object to the processing of their data by an organisation in certain circumstances;
  • not to be subject to (with some exceptions) automated decision making, including profiling.

There are seven areas of interest with GDPR that this document will outline:

  • Personal Information Data and Security
  • Privacy By Design
  • Obligations of Data Controllers/Data Processors
  • Candidate Consent
  • Right to be forgotten
  • Reporting, breach notification and fines

The regulation is effective from May 25th, 2018.

Personal Information Data and Security

  1. Recruitment Marketing acknowledges that GDPR broadens the definition of personally identifiable information to include any information relating to an identified natural person.
  2. Online identifiers such as IP addresses and location data are now deemed to be personally identifiable information.
  3. All candidate data on Recruitment Marketing is encrypted both while it is in transit and at rest.
  4. Recruitment Marketing protects this data in a number of ways as outlined in our Security Architecture document.
  5. Candidates can request their data from their own personal “My Settings” page. This data will be provided to the candidate by a link emailed to their registered email address. The data will include any of the following information that may be stored against the candidates CRM record:
    1. First Name
    2. Last name
    3. Email
    4. List of devices the candidate is active on
    5. List of IP addresses associated with the candidate
    6. Contents of any forms submitted
    7. Any binary files (such as resumés)
  6. This information will be provided in a common machine readable format (JSON) and the binaries in whatever format the candidate provided them. They will be packaged into a single zip file.

Privacy by design

  1. At PageUp data privacy is engineered across the life cycle of our product/service.
  2. All candidate data on Recruitment Marketing is encrypted both while it is in transit and at rest.
  3. Support for GDPR compliant consent and processes – i.e. cookie banners and calls-to-action – is built into the core product.

Obligations of Data Controllers/Data Processors

  1. Recruitment Marketing is a data processor under GDPR.
  2. Our customers are data controllers under GDPR.
  3. Alongside being a compliant data processor, Recruitment Marketing provides the tools to allow our customers as data controllers to behave and operate in a compliant manner.
  4. All data captured by the Recruitment Marketing platform on behalf of our customers is fully owned by the customer.
  5. It is sandboxed to the customers account on the platform and can not be accessed or used by any other entity, including PageUp themselves.
  6. PageUp never uses the data for any other purpose other than that intended by our customers (the data controller). This is how Recruitment Marketing remains a data processor under GDPR legislation.

Candidate consent

  1. Under GDPR a candidate must provide a statement or a “clear affirmative action”, which may include ticking a box on a website.
  2. However, pre-ticking of boxes or similar inactivity is deemed to be an unacceptable form of consent.
  3. Recruitment Marketing uses three cookies:
    1. A one-time (for each page view) session cookie to provide protection against a security attack called “Cross-site scripting (XSS)”. This cookie is mandatory, short lived (one page interaction) and contains no candidate personally identifiable information. This cookie does not fall under GDPR regulations.
    2. A permanent long lived cookie that is associated with the candidate (known or unknown). This is used to associate individual candidate behaviour with their CRM record. This cookie does fall under GDPR regulations.
    3. A temporary session cookie (lasts for 20 minutes after last interaction) that is associated with the candidate (known or unknown). This is used to associate candidate behaviours into “visits or sessions” and is recorded against their CRM record. This cookie does fall under GDPR regulations.
  4. On initial visit to a Recruitment Marketing hosted page, a GDPR compliant cookie consent message will be shown, requesting consent for use of all three cookies.
  5. The content of the GDPR compliant cookie consent message is configurable by the customer in their Company Admin Settings section. The following options are available:
    1. Control the wording presented to candidates. As a data controller, customers are responsible for ensuring that any messages are compliant with regulations.
    2. When candidate hasn’t yet indicated consent preference, show cookie consent message:
      1. Always
      2. Never (if a customer determines they don’t require a cookie consent)
  6. If consent is not granted by the candidate, the Recruitment Marketing hosted website will continue to work. However, no candidate tracking will take place. The visit will not be recorded against the candidate’s CRM record.
  7. If a candidate has Do Not Track (DNT) enabled on their browser, this will be interpreted (in compliance with GDPR) as actively not consenting to tracking cookies. The Recruitment Marketing hosted website will operate as if consent was denied by a candidate from a cookie consent message.
  8. Candidates can view and adjust their consent preferences from their “My Settings” page at any time.
  9. Candidates who don’t provide consent to tracking cookies will get a deteriorated experience, in accordance with the regulations. For example, Job recommendations based on their viewing habits will not be available to them.
  10. The current consent preference of a candidate is easily viewable from their CRM record.
  11. Call-to-action forms have a consent element to them, allowing the capturing of consent for recording and processing the information provided by the candidate in the form.
  12. Candidates who have not consented to tracking cookies can still independently fill out call-to-action forms. For example, a candidate who has not consented to the placing of tracking cookies can still apply to a job. They will individually consent (as part of the form) to the processing of the application and the form details will be added to their CRM record.
  13. Candidates who are European Union citizens, who are manually imported into Recruitment Marketing CRM from an external source, will be imported with their "consent setting" defaulting to “not consented”.
  14. A user will not be able to run a Email or SMS Campaign against these candidates until they give their consent to be contacted. A user won’t be able to individually communicate with the candidate unless its for the purpose of acquiring consent.
  15. Recruitment Marketing will provide dedicated tools to acquire candidate consent in these scenarios. If consent is not provided, the imported CRM record automatically runs through the “right to be forgotten” process.
  16. From a marketing experience, the use of cookies should be presented clearly but in a positive manner, indicating the benefits – a better customized experience – of opting in.
  17. Candidates interacting with a Recruitment Marketing hosted website want to find and apply for interesting and applicable job vacancies and opting in gives them the greatest opportunity and experience to enable them to be successful.

The following document lists the steps involved in managing candidate cookies in Recruitment Marketing: Candidate cookie management.

Right to be forgotten

  1. Under GDPR regulations a candidate can withdraw consent at any time.
  2. On Recruitment Marketing a candidate can view and adjust their consent preferences from their “My Settings” page at any time.
  3. If a candidate requests all personally identifiable data to be destroyed then the platform will comprehensively do this by removing the following information from their CRM record:
    1. First Name
    2. Last Name
    3. Email address(es)
    4. IP addresses
    5. All stored cookies
    6. All binary files (i.e. resumés, etc)
    7. List of devices the candidate is active on
    8. Contents of any forms submitted
  4. Additionally, the (now blanked CRM record), will be archived and removed from any lists.
  5. As part of “right to be forgotten” a company can choose to have a notification sent to the company contact indicating that a candidate has gone through the “right to be forgotten” process.
  6. Candidates who have been through the “right to be forgotten” process do not impact non-PII analytics.
  7. If in the future, the candidate re-interacts with the Recruitment Marketing, they will get the same experience as a brand new candidate. None of their activity performed before issuing “Right to be forgotten” is retrievable, in compliance with the regulations.

The following document lists the steps involved in activating candidate anonymization in Recruitment Marketing: Candidate anonymization.

Reporting & Breach Notifications

Recruitment Marketing has significant resources and business operations in Republic of Ireland, an EU country with a strong tech presence. All of our engineering activities operate under our Irish registered company.

PageUp in Ireland is registered with the Irish Data Protection Commissioner. This body has extensive experience regulating technology companies and for example, is responsible for Google, Facebook, Microsoft and many more within the European Union.

Under GDPR PageUp has a legal obligation to report any breach of security leading to the release of identifiable PII data being disclosed, destroyed, lost, altered or stolen to the Irish Data Protection Commissioner no later than 72 hours after we become aware of it.

As a data processor we will notify our impacted customer or customers to enable them to fulfil their roles as data controllers.



Article is closed for comments.