General Data Protection Regulation (GDPR )
What is GDPR?
The European Union (EU) General Data Protection Regulation (GDPR) is a set of regulations coming into effect on May 25, 2018 that enhance the data privacy rights of EU individuals and unify data privacy protections within the EU. The scope of the GDPR covers companies operating in the EU, as well as companies operating outside the EU who offer services to, or monitor the behavior of, EU residents.
How does GDPR apply to CareerBuilder?
The GDPR sets out obligations on 1) Data Controllers, or those that determine the purpose and means of the processing of personal data of EU residents, and 2) Data Processors, or those that process personal data of EU residents on behalf of Data Controllers.
For some of its products, CareerBuilder is a Data Controller and for others, it is a Data Processor.
- CareerBuilder as a Data Controller. CareerBuilder is a Data Controller with respect to personal data collected on our job boards, in our CV/résumé databases and in our Supply & Demand portal. When individuals in the EU provide us with information about themselves, for example by applying to a position on one of our job boards or adding their CV/résumé into our database, we control the processing of that data. When we share personal data from these products with our corporate customers, we do so as one independent Data Controller to another independent Data Controller. Our corporate customers are Data Controllers with respect to their subsequent use of any personal data obtained from these CareerBuilder products.
- CareerBuilder as a Data Processor. CareerBuilder is a Data Processor with respect to the personal data collected in the following products: Talent Network, Applicant Tracking, Talent Gather, and CareerBuilder Employment Screening. CareerBuilder processes the personal data collected in these products on behalf of the corporate customers who purchase them, and those corporate customers are the Data Controllers of said data. As a Data Processor, CareerBuilder does not process said data except on instructions from the Data Controller.
What is CareerBuilder doing to foster compliance with GDPR?
CareerBuilder is committed to GDPR compliance across our products and services and preparations are underway to ensure our compliance by May 25, 2018. We are working with third party experts to review our systems, processes, policies and documentation and update them where necessary.
- Security. At this time, CareerBuilder is undertaking various activities to assess our current practices and policies, and take actions to address areas that may need changes. These actions include data mapping, discovery, readiness analysis, and the implementation of any necessary remediation steps.
- Updated Terms. Where we and our corporate customers each act as independent controllers of personal data we are updating our service agreements to include controller to controller data protection terms. Where we act as a processor of personal data, we are appending our service agreements with a data processing agreement that covers the relevant areas of the new legislation, including the obligations of controllers and processors. While CareerBuilder has certified its adherence to the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from Europe to the United States, the data processing agreement also incorporates the European standard contractual clauses and both our Privacy Shield certification and the European standard contractual clauses provide an adequate legal transfer mechanism for international transfers of personal data that may occur through our services. These updates to our service agreements will be in place by the time the legislation comes into effect in May 2018.
- Consent. Candidates who submit their personal data to us, for example by applying to job advertisements posted on our web sites or posting their data on our CV/resume database, affirmatively consent to CareerBuilder’s processing of their personal data in accordance with the privacy policies on our web sites. That includes the sharing of their personal data with our corporate customers for their recruiting and talent management needs. We are in the process of reviewing and, where necessary, updating those consent notices and privacy policies to ensure they are compliant with GDPR.
- Privacy Practices. We are reviewing our privacy practices and conducting data protection impact assessments designed to meet the GDPR’s requirements around privacy by design and privacy by default.
What should you be doing as a customer of CareerBuilder?
Companies subject to the GDPR are responsible for ensuring their own compliance and you should seek legal counsel to assist you with this. As a current or future customer of CareerBuilder, you are responsible for ensuring your use of our services is compliant with the GDPR. When CareerBuilder acts as a Data Processor on your behalf, you are responsible for ensuring data you share with us complies with the GDPR. Candidates who submit their personal data directly to the software services sites that we provide on behalf of corporate customers affirmatively consent to the privacy policies made available on such sites. Our customers, as Data Controllers, are responsible for ensuring that all such privacy policies comply fully with the GDPR and other applicable data protection laws and accurately describe the processing of personal data contemplated by our service agreements. CareerBuilder will promptly update privacy policies posted on such sites to incorporate any changes required by our customers.
You can find the full text of the GDPR here.