The GDPR ready
to roll hiring guide.

You may have heard about the General Data Protection Regulation (GDPR) that came into effect May 25th 2018. It’s a positive move that allows candidates to have more control over their data.

What is the GDPR

Read this section if you're new to the GDPR and want to understand the GDPR in general, its definitions and key principles.

The GDPR explained

In essence, the GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed and intended to strengthen and unify data protection laws for all individuals within the European Union. The regulation will become effective and enforceable on the 25th May 2018.

Please note, if you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the European Union, regardless of whether the organization has a physical presence in the EU.

In more detail, the GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. The concept of personal data is very broad. Personal data means any information relating to a identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The GDPR gives Data Subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.

Curious how to be GDPR compliant while hiring with Homerun?
We wrote an article about that, explaining how being compliant is simpler than you think.

What is Homerun?

Homerun is full force, beautifully designed recruitment software for companies that care about brand, culture, and personal data. Customers include The Next Web, TBWA/NEBOKO and Geckoboard. Watch the 2 minute video below for an impression.

GDPR definitions

🙋️   Data Subject

A natural person whose personal data is processed by a controller or processor.

🏭   Data Controller

The entity that determines the purposes, conditions and means of the processing of personal data.

🚡   Data Processor

The entity that processes data on behalf of the Data Controller.

🕵️   Data Protection Officer

An expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in de GDPR.

📜   Data Processing Agreement

Legal document that governs the sharing of personal data between data controller and data processor.

👮   Data Protection Authority

Independent national authority tasked with the protection of data and privacy as well as monitoring the enforcement of the GDPR within the EU.

✍️   Privacy by Design

A principle that calls for the inclusion of data protection from the onset of the designing of systems or business processes, rather than an addition.

📃   Privacy Impact Assessment

A tool used to identify and reduce the privacy risks by analysing the personal data that is processed and the policies in place to protect the data.

Definitions in regard to recruitment

🙋   Data Subjects: Candidates

Persons who apply for employment with your company, or persons your company would like to consider or approach for employment.

🏭   Data Controllers: That’s you

Homerun customers who determine the purpose of the personal data that is being processed.

🚡   Data Processors: That’s us

Homerun, we process the personal data on behalf of you, our customer (the data controller).

6 Key Principles of the GDPR

These 6 privacy principles form the fundamental conditions which organisations must follow when collecting, processing and managing the personal information data for all European citizens.

1. Lawful, fair and transparent processing

This principle emphasizes on transparency for data subjects in the EU. When you are collecting personal data it must be clear why you are collecting this data and in what way this data will be used. This is why, to remain transparent, you should state what type of data you’re collecting as well as the reason for collecting it in your privacy statement. A privacy statement is intended to inform data subjects. It should be short, understandable, transparent and easily accessible.

2. Purpose limitation

This principle is about collecting data for a specific purpose. Only collect data for a legitimate reason, and then only use that data for that purpose.

3. Data minimization

This principle is about ensuring that you only store the minimum amount of data you need in order to achieve your processing purpose. In short, you should store as little personal data as possible.

4. Accuracy

This principle is about making sure that the information you store is valid, complete and still serves a purpose. You are obliged to actively maintain your database and make sure that every reasonable step must be taken to erase or correct personal data.

5. Storage limitation

This principle limits how and how long your data is stored. In short, you need to delete data that is no longer necessary for you to have. Since it could be argued that there is no way of knowing how long data might be needed, you should implement clear policies about your data retention.

6. Integrity and Confidentiality

This principle deals with security. You must ensure that adequate measures are being taken to protect personal data. In more detail, your data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Actionable GDPR hiring tips

Read this section if you want actionable tips and advice on what you can do to get GDPR ready.

Candidate data retention

Because of the GDPR you are no longer allowed to store candidate data indefinitely. This is why, as the controller, you are responsible for deciding how long you want to keep the personal data.

For inspiration, you may want to have a look at section 5.3 of the Recruitment Code of the Dutch Association for Personnel Management and Organizational Development (NVP), which can be found here (Dutch) or here (English).

Start by defining a retention period for your company first. You can then enforce your retention policy by regularly deleting personal data in bulk through the Homerun customer portal using date filters. We intend to extend and automate this process further in the future.

Your retention period will determine how long you’re storing the profiles of your candidates. This period starts on the day that a candidate applies and ends on the day that the period determined by you expires. After that day you should delete a candidates profile or ask his or her permission to keep his data for another period of time determined by you.

Candidate sourcing

When you, a colleague or a recruiter is sourcing candidates (adding a potential candidate to Homerun), their data is not collected directly from the candidate, but typically from a different source like LinkedIn, Twitter, Dribble, Facebook or GitHub.

However, GDPR Article 14 explains in detail what information your organisation should provide to these persons.

We suggest that your company creates an email template containing the information explained below to contact candidates within a reasonable time, but at the latest within a month after adding them to Homerun. This way you can ensure that you have the right process in place. If a candidate asks to be deleted you should remove all the information you gathered about him or her from Homerun.

  • The name and contact details of your organisation
  • The source from which the data was obtained and whether it came from a public source
  • The purposes for which the data is intended
  • A link to your privacy statement for recruitment
  • How long your organisation intends to store the candidate data
  • How candidates can withdraw their consent to the processing of their personal data
  • How candidates can request corrections or access to their data, or ask for it to be deleted from your system
  • Who candidates should contact should they want to lodge a complaint regarding the processing of their personal data. This could be your Data Protection Officer in case your company is required to have one (GDPR Article 37).

Privacy statements for career pages

Your career page will need a privacy statement to comply with GDPR. Since you are collecting candidate data through your career page, you need to advertise your privacy practices on there as well. The statement should should be short, understandable, transparent and easily accessible. For inspiration, please have a look at our own Jobs website Privacy Statement.

Delivery and Responsibilities

Homerun is a standardised platform in the form of Software as a Service (SaaS). The following overview clarifies the responsibilities of Homerun and its customers:

  • Configure the software to your needs
  • Manage job applications
  • Interact with candidates
  • Manage users
  • Decide on the features of the software
  • Decide on technical implementation (code, systems)
  • Develop and maintain the software
  • Host the software
  • Provide support

Your Responsibility as a Homerun customer

You decide on your own which data you will be collecting from or about candidates. Personal data is then collected either by candidates filling out the application form (which you have customised to include certain fields or questions), by the hire team manually adding a candidate (sourcing), or by the hire team interacting with the candidate through (free-form) email via the Homerun platform. Ultimately, as ‘data controller’ the responsibility for compliance rests with you.

Privacy by Design and Privacy by Default

We develop our services using the Privacy by Design and Privacy by Default philosophies. This means we consider privacy and personal data protection throughout all parts of our product development lifecycle. Our services are designed to limit personal data collection by default, requiring you, as our customer, to explicitly enable features that collect more information.

More questions?

Any questions how Homerun can help your company achieve compliance with the GDPR? Send us a message at

join 1000+ businesses growing with Homerun
Ready to organize
your hiring?