Applied’s outbound sourcing tools allow you to add and track prospective candidates for your vacancies from various public platforms like LinkedIn, Indeed and other relevant communities. When you use this suite of sourcing tools, it's important to understand your role as the data controller and our role as the data processor, so you can comply with GDPR and PECR.
As the data controller, you are responsible for collecting and handling the prospective applicant's data in accordance with the General Data Protection Regulation (GDPR) or any other relevant regulations in your territory. This means that you need to make sure that the data you collect is necessary, accurate and used only to offer relevant job opportunities to candidates, not for any other purpose.
On the other hand, as the data processor, Applied is responsible for processing the data on your behalf, based on your instructions. This includes securely storing the data, ensuring that only authorized personnel have access to it, and deleting the data when it's no longer needed - usually in line with our standard retention period of 24 months.
In simple terms, you are responsible for what data you collect and how you use it, and we are responsible for keeping it safe. It's a partnership that ensures that both parties are compliant with privacy regulations and that the prospective applicant's data is protected.
The golden 30-day rule
When you add a prospective applicant to the platform, you should be planning to contact them within 30 days with a relevant job opportunity. If 30 days elapses and you’re no longer intending to invite the prospect to apply for a role, it is good practice to remove their data. Simply select the row in the table and select 'remove' from the action bar that appears.
When you invite a prospect to apply for a specific role, the email they receive contains a link to unsubscribe. If they choose to opt out of future communications by following this unsubscribe link, they will become uncontactable. If you or a colleague should try and add them again, perhaps at a time in the future, you will be prompted to confirm that you have a legitimate basis for doing so. If you choose to proceed with re-adding the prospective candidate's data to Applied, you are accepting responsibility for that data.
Requests to be forgotten
On occasion, a prospect may contact you requesting to be forgotten - meaning that they would like their data to be deleted. This is their right under GDPR and it is your responsibility to remove their information from your list of prospects. You can do this by selecting the prospect from the list and clicking ‘remove’ from the action bar that appears. If you or another member of your team attempts to add this contact to your list of prospects in future, we will flag that the contact has previously requested to be forgotten. If you choose to add them anyway (perhaps they have changed their mind or you have spoken to them directly) then you are accepting responsibility for that data and its handling.
By following the above practices, you're ensuring that you're using the data of prospective applicants in a responsible and ethical way that aligns with privacy regulations.