GDPR Policy

Learn how General Data Protection Regulation applies to Talent Data.

What is GDPR?

The General Data Protection Regulation (GDPR) is the European law regulating data protection. It replaces the 1995 EU Data Protection Directive, applies across Europe, and came into effect on 25 May 2018 in the EU. ‌
GDPR expands the privacy rights granted to data subjects (EU individuals) and places more significant obligations on organizations that handle those individuals' personal data. It intends to standardize data protection across EU member countries.

GDPR gives EU citizens greater control over their personal data, providing greater transparency into how data is used and ensuring that the organizations entrusted with personal data treat it appropriately.

GDPR compliance

As a young company operating in the European market and built in the age of data protection and privacy, we have always been in tune with regulations regarding data use and protection issues, especially the General Data Protection Regulation (GDPR).

HrFlow.ai was one of the first HR companies to offer products and services that are fully compliant with these regulations back in 2016.

Data Processing Agreement

For GDPR compliance, it is essential to establish a Data Processing Agreement (DPA) with third parties before processing personal information.

As a Data Processor, HrFlow.ai considers candidates' data confidential information that can only be processed on behalf of and under the client's explicit instructions, the client being the Data Controller.
The DPA signed with clients details each party's rights and obligations concerning the protection of personal data.

Data retention and removal

While GDPR does not specify retention periods for personal data, it clearly states that personal data may only be kept in a form that permits identification of the individual for no longer than is necessary for the processing's original purposes.

Thanks to its centralized data storage, HrFlow.ai provides its Clients with the ability to manage or delete personal information for any candidate quickly. This operation can be done almost instantly with our APIs and saves the Client valuable time and effort doing it the traditional way.

A critical regulation brought by GDPR is the obligation to provide candidates with the option to withdraw their application and delete all their data automatically.

Privacy

HrFlow.ai follows a strict privacy policy that describes how we collect, store, use, or disclose personal information obtained from our Clients and other third parties.

All data collected, in particular candidates’ personal information, is processed on behalf of our clients, who are the Data Controllers (the entity that determines the purposes and means of personal data processing). At the same time, HrFlow.ai mainly acts as a Data Processor on the Client’s behalf.

Learn more about our Privacy Policy here: Riminder's Privacy Policy

Privacy Impact Assessment (PIA)

Privacy Impact Assessment is a process that helps organizations identify and manage the privacy risks arising from new projects, initiatives, systems, processes, strategies, policies, business relationships, and more.

The PIA ensures by design conformance with applicable legal, regulatory, and policy requirements for privacy, identifying and evaluating the risks of privacy breaches or other incidents, and determining the appropriate privacy controls to mitigate unacceptable risks.

As part of our Privacy Impact Assessment, we have identified the main risks that could impact personal data processed by HrFlow.ai (illegitimate access to data, unwanted data changes, and data loss), and we have put in place the necessary privacy controls to mitigate these risks. (improved encryption, two-factor authentification, and extensive logs analysis).