Compliance
Crelate’s commitment to the GDPR
Recruiting ATS & CRM software built with GDPR in mind
Our mission is to empower and enable the process of connecting talent with opportunities all over the world. We believe that relationships and trust are paramount to the success of this mission.
The European Union (EU) General Data Protection Regulation (GDPR) is a comprehensive set of privacy laws that took effect on May 25, 2018. The GDPR governs how organizations collect, store, and process the personal data of individuals in the EU. It applies to any company that processes the personal data of people in the EU, regardless of the physical location of the company or whether it has customers in the EU.
Section 01
Our commitment
Crelate is committed to complying with the requirements of a Data Processor under the GDPR.
We are also committed to providing our customers with tools and features they can use to help achieve their own compliance as Data Controllers. For the specific legal terms that govern how we process personal data on your behalf, see our Data Processing Addendum and Privacy Policy.
Section 02
Helping you comply with the GDPR
Crelate provides capabilities that customers can use to support their GDPR obligations. Customizable application forms, portal disclaimers, email templates, and deletion and reporting tools all support these efforts, including:
Candidate Portal & consent
Custom form capabilities support the consent-gathering process, with links to your recruitment privacy policy and customizable consent disclaimers of your choice.
Request tracking
Tools to gather and manage requests from candidates (Data Subjects) to withdraw consent, make corrections, and delete or provide data — supporting the “right to be forgotten.”
Consent & contact tracking
Visualizers and reports make it easier to see who has provided consent and who has been contacted within a specific period of time.
Personal-data deletion
Delete data in bulk, including personal data, while maintaining the accuracy of reports such as time-in-stage.
Important: The tools and capabilities Crelate provides to help customers stay compliant change over time as best practices and market feedback dictate, and are subject to change with or without notice. Crelate does not claim to ensure our customers’ compliance with the GDPR. It is up to each customer to determine whether the tools and capabilities we provide meet their specific compliance requirements.
Section 03
Frequently asked questions
What is a Data Subject?
A “Data Subject” is an identified or identifiable natural person.
What is a Data Controller?
A Data “Controller” is the natural or legal person, public authority, agency, or other body which — alone or jointly with others — determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller (or the specific criteria for its nomination) may be provided for by that law.
What is a Data Processor?
A Data “Processor” is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Am I a Data Controller or a Data Processor?
As an employer or agency that collects candidate information, you are a Data Controller. Crelate is a Data Processor, as we provide software that processes the data you collect on your behalf. The Data Controller determines the purpose and method of processing personal data, while the Data Processor processes that data on behalf of the Data Controller.
What are my responsibilities as a Data Controller?
You should refer to your own legal professional for the specific GDPR requirements that apply to your organization.
What data is protected under the GDPR?
The GDPR protects “personal data” — any information relating to an identified or identifiable natural person. This includes obvious identifiers such as name, email address, phone number, and location data, as well as online identifiers and any other information that can be used, directly or indirectly, to identify a person. Certain “special categories” of data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, or health data) receive heightened protection.
When did the GDPR go into effect?
The EU GDPR took effect throughout the EU Member States on May 25, 2018. The United Kingdom maintains an equivalent regime (the UK GDPR) following its exit from the EU.
Is data stored outside the EU GDPR compliant?
The GDPR requires that transfers of personal data outside the EU be made only where an adequate level of protection is ensured — for example, to a country the European Commission has recognized as providing “adequate” data protection, or under an approved transfer mechanism. For transfers to the United States, Crelate relies on the EU-U.S. Data Privacy Framework (and the UK Extension to it), along with the Standard Contractual Clauses where applicable, as described in our Data Processing Addendum.
How does Crelate lawfully transfer EU and UK data to the U.S.?
Crelate complies with the EU-U.S. Data Privacy Framework (EU-US DPF) and the UK Extension to the EU-US DPF as set forth by the U.S. Department of Commerce, and has self-certified its adherence to the DPF Principles. To learn more about the Data Privacy Framework program, visit dataprivacyframework.gov. See our Privacy Policy for full details on how we handle personal data.
Section 04
Additional GDPR resources
Disclaimer: This page and the information herein are provided “as is” without any warranty, express or implied, and do not constitute legal advice. Crelate makes no claim that this information is either complete or accurate. Crelate does not provide legal advice; customers should consult their own legal professional to determine their responsibilities under the GDPR.