Using RolePoint’s Products
Many users have access to our services through their organizations/employers who control their accounts or use of our services. The updated policy clarifies our relationship to these organizations and explains solutions available to administrators within the organization.
GDPR and RolePoint Compliance
GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018. GDPR replaces national privacy and security laws that previously existed within the EU with a single EU-wide law to govern the use, sharing, transfer and processing of personal data originating from the EU.
RolePoint will be doing the following to ensure compliance with GDPR:
- Where we are transferring data outside of the EU, RolePoint will have the appropriate data transfer mechanisms in place as required by GDPR. These will meet defined industry standards and best practices.
- RolePoint commits to follow appropriate security measures and precautions in accordance with GDPR.
- RolePoint will assist with notifying regulators and data controllers of breaches and promptly communicating any breaches to customers and users.
- We will ensure that employees authorized to process personal data have committed to confidentiality.
- We will hold any sub-processors that handle personal data, including our data center partners, to the same data management, security, and privacy practices and standards to which we hold ourselves.
- RolePoint will assist our customers, insofar as possible, to respond to data subject requests our customers may receive under the GDPR.
Data Subject Consent
Article 6 of the GDPR states the conditions required for data processing. Processing under legitimate interest is one of six distinct legal grounds upon which personal data can be processed. Processing is in accordance with the GDPR when at least one of these conditions applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
After consultation and legal review, collecting prospective candidate data fulfils a “legitimate interest” of the company that is trying to find and evaluate the best candidates for employment in order to operate its organization. Additionally, RolePoint has a contractual requirement with its clients, and the processing of this data would be expected by applicants or referral candidates, meaning consent from these individuals is not required. Alongside our legal team, we’ve completed a risk assessment and the ICO’s Legitimate Interest Assessment to document these interests, and we will maintain an updated version based on any changes in our products or services.
In addition to this, GDPR does not require RolePoint customers or users to obtain consent from job applicants to transfer their personal data from the EU to the US. Article 46 of the GDPR explicitly states that data transfer to the US is legal if the controller and processor have entered into standard contractual clauses adopted by the EU Commission (an example is the “Model Clause” contract that RolePoint utilizes with customers).
The Right to Be Forgotten
The right to be forgotten or the right to erasure requires processors to erase personal data (1) upon the request of the data subject to which it pertains; or (2) when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.” As the data controller, it is up to you to decide the point in the application/hiring process at which you no longer have a legitimate interest in retaining a candidate’s personal data, and such determinations will depend on your company’s specific processes and practices.
RolePoint allows you to:
- Automatically remove data when the legal justification for keeping that information has passed. By default, RolePoint will only hold Personal Information on job applicants for 12 months from data disclosure, and for 6 months for referred candidates who we’ve deemed as ‘unresponsive’.
- Delete data immediately when an individual asks to be forgotten. You can delete their record entirely, or just delete their Personal Information. This can be done individually by clicking a button on their profile or in bulk.
- Provide applicants or prospective/referred candidates with a copy of the data RolePoint holds on them, and update or delete it upon their request.
Enhanced Rights to Notice and Access
Pursuant to Article 15, data subjects now have additional rights to access their individual personal data that is subject to processing. RolePoint provides solutions that enable our customers to respond to and execute upon requests from individuals to access the personal data relevant to them. The data will be provided to the candidate in the form of a CSV file, which will satisfy the GDPR requirement of data portability set forth in Article 20.
The Right to Object
Article 21 of the GDPR grants data subjects an unequivocal right to object to their personal data being processed for direct marketing purposes and related profiling. Candidates who object can be removed from all future communications, roles or positions.
Will RolePoint assist with responding to an Individual Rights Request?
As a processor of personal data for many of our customers, we will assist them with responding to individual rights requests they receive under the GDPR. Customers may be able to address these requests by logging into the applicable product and identifying the data needing review or erasure. Where this is not possible, please contact us to request assistance with any such individual rights requests.
Where does RolePoint store and send data?
Can you host my data in the EU?
Yes. Whilst standard data hosting location determinations are based on reducing latency and achieving optimal performance for our users, EU data-centers can be specified as part of contractual agreements.
How does RolePoint handle transfer of data outside of the EU?
If you use our services from Europe, we store your data in servers located either in Europe or the U.S. To safeguard your data when it leaves the European Economic Area, we and our affiliates commit to only access, use, store or share your personal data in accordance with the ISO27001 framework and subject to any EU Model Clauses.
Will RolePoint sign Standard Contractual Clauses or Model Clauses?
Yes. RolePoint provides an adequate mechanism for the transfer of personal data from the EU to the U.S. and can agree to Model Clauses where applicable.
Do you offer your customers a standard Data Processing Addendum?
Yes. The RolePoint Data Processing Addendum is available upon request for all customers to review and use to meet your onward transfer requirements under GDPR. To obtain a copy of our DPA please reach out to firstname.lastname@example.org.
Can I make changes to the RolePoint DPA?
The RolePoint DPA is an extension of our Master Service Agreement and outlines our compliance with GDPR. We're unable to make any changes to our DPA on a customer-by-customer basis, but may agree to requirements where customer DPAs are provided.
Can I opt out of having my data collected or shared?
How does RolePoint secure my data?
We’re committed to the development and continual improvement of Information Security and Data Protection and its supporting information security management system, in line with ISO27001 principles and framework, in order to provide:
- Assurance with legal, regulatory and contractual obligations
- Reputation management
- Protection of critical assets
- Protection of Personally Identifiable Information (PII) as defined by the Data Protection Act 1998 and the GDPR.
Does RolePoint use sub-processors to further process customer data?
A list of our sub-processors can be found on our sub-processors page.
Who can I contact with questions regarding GDPR?