SeekOut GDPR Compliance

May 28th, 2018

Organizations established in the EU and processing personal data of EU-based individuals are required to comply with the GDPR by May 25, 2018. The GDPR updates and harmonizes the framework for processing personal data in the European Union and brings with it new obligations for organizations and new rights for individuals.

SeekOut is fully committed to complying with the requirements of the GDPR. We have closely analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the requirements of the GDPR. We have taken these new requirements to heart and made changes to our products, contracts and policies to ensure that we are in compliance with the GDPR. It is important to note that GDPR does not have an accredited certification method. That means, there is no GDPR-approved way to demonstrate compliance. We are evaluating what possibilities exist for certification in the future. Below we list what SeekOut has done to meet our GDPR obligations and help our customers do the same:

A foundational element of GDPR is a principled approach to privacy and security. SeekOut has pro-actively obtained certification for EU-US and Swiss-US Privacy Shield compliant (check here). SeekOut meets the current privacy requirements of Europe by implementing the following privacy principles:

  • Notice
  • Choice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Recourse, Enforcement and Liability

You can find how SeekOut is complying with these principles at our website at https://seekout.io/privacy.

SeekOut is both a controller and a processor of data under GDPR. When it comes to our customers data, we are a processor. Our customers give us information about their recruiting teams, for example, the Boolean-searches they conduct, the profiles they store in projects associated with open roles, and so on, and we are only authorized to use it as that team permit us to do so. If that team decides to no longer be a customer of ours, we lose the permission to use their information.

When we collect candidate information, however, we act in the role of a controller. A controller under GDPR is an entity that has decision making power for how that data will be used and we take this responsibility very seriously. Internally, our team spends a significant portion of our time thinking about the data we license and acquire.

To be a controller that is GDPR compliant, we must have a legal basis for collecting EU data. Processing is lawful if one or more of the following apply:

  • Consent
  • Performance of contract
  • Compliance with a legal obligation
  • Vital interests
  • Public interest
  • Legitimate interest where the individual’s rights are not overridden

SeekOut relies on the legal basis of legitimate interest. Not only do we provide a service to recruiters in helping them find hard to find, qualified candidates, but we believe that we help individuals to be reached for job opportunities. Our interest doesn’t hurt these candidates, in fact it’s quite the opposite. This service goes in hand with fundamental rights to the freedom to work.

Another important element of GDPR is Data Security. SeekOut’s key data sub-processor, i.e. Microsoft Azure Service, all maintain rigorous security standards (SOC2 and/or ISO 27001 certifications, where possible), and undergo annual vendor reviews. You can review all the measures that SeekOut takes at our website https://seekout.io/security.

SeekOut believes that as a SaaS company, security and privacy is a shared responsibility with our customers. As we mention above, SeekOut acts as a “Data Controller” when it obtains job candidates public profile data and processes it to create a search engine for recruiters. SeekOut acts as a “Data Processor” when searches are conducted by recruiters to match their open job roles. Subsequent access and use of personal data made visible to recruiter/customer (e.g. when customer moves candidate profiles into their ATS or CRM) must be carried out upon your having a valid legal ground, such as legitimate interest to store and process data. In this case, the SeekOut customer becomes a Data Controller and must take the appropriate technical and organizational measures to safeguard the personal data it controls. Controller is responsible for demonstrating compliance with the GDPR (principle of “accountability”). We are committed to partnering with you to help you successfully meet your GDPR, and privacy requirements.