GDPR
GDPR FAQs
We strongly recommend that you first consult the general policy on GDPR and its rules and regulations.
We also refer to our Terms & Conditions including our Privacy Policy for additional information that might be of interest.
Whilst HosProMatch is putting everything in place to assist you, as our customer, we are not a law firm and therefore recommend that you seek legal advice to ensure you are compliant with GDPR.
What does it mean for your business?
1. What does GDPR stand for?
GDPR is short for the ‘General Data Protection Regulation’. It is a law that overhauls Europe's, and as a result the world's, entire data privacy framework. GDPR has applied since 25th May 2018.
2. What are the GDPR requirements?
GDPR is a key piece of legislation for Europe and, subsequently, the rest of the world. All organizations and businesses need to consider the legislation as a whole and conduct an analysis of the impact of GDPR on their activities. Some of the most significant requirements are as follows:
Many organizations and businesses will need to appoint a Data Protection Officer. This applies to those companies who regularly and systematically process personal data or monitor data subjects.
Transparency is vital. You are under a duty to be upfront with customers, employees and others about how their data is processed. This means you have to know what you do and why, and be able to convey that in a clear and comprehensive manner.
Data Privacy Impact Assessments (DPIAs) will become a fact of life. Where any new or existing data processing activity will result in a high risk to the rights and freedoms of individuals, companies will be required to carry out a systematic review of how best to safeguard those rights.
Deletion and portability. Businesses and organizations need to be able to delete data when it is no longer necessary, and transfer it elsewhere if requested by the people it refers to. You will need to ensure that your systems are designed to make that possible.
Privacy by design and default. These are safeguards to ensure the protection of personal data is hardwired into your processes and systems.
Accountability. Being compliant isn't enough. You have to show that you are abiding by the rules. This includes maintaining an up-to-date register of data processing activities. In the event of a security breach, it also involves being able to give a full account of what happened and the preventative measures you had in place when reporting that breach.
3. What happens if my company is not compliant with GDPR?
For serious breaches (e.g. a major security breach where the organization had woefully inadequate protective measures in place), the maximum administrative fine is up to 4% of global turnover or EUR 20 million, whichever is higher.
For other breaches (e.g. inadequate record keeping or failure to report a breach), regulators will have the power to issue penalties of up to 2% of global turnover or EUR 10 million.
Also, there is a direct right of action for data subjects to claim compensation from the data controller or processor. So, if data has been incorrectly held or used and the individual has suffered damage, firms could find themselves being hit by legal action.
Finally, there are the possible reputational repercussions of non-compliance. Sanctions and major fines issued by the regulator will be in the public domain. Staying compliant is crucial for any business seeking to maintain its reputation as a safe pair of hands in the digital marketplace.
4. Who does GDPR apply to?
GDPR applies to natural or legal persons, public authorities, agencies or other bodies processing personal data (processing in the course of exclusively personal/household activities is excluded).
How exactly GDPR affects you depends on the nature of your processing activities, but regardless of the size and shape of your business, chances are you are in scope.
5. How does GDPR impact businesses outside of the EU?
Businesses based outside the EU need to comply with GDPR if they process, manage or store personal data relating to data subjects in the EU, or if they process personal data on behalf of EU businesses. So, no matter where you are based, if you do business in or with people and organizations in the EU, you need to ensure your business is GDPR compliant.
HosProMatch and GDPR
1. Who is responsible for complying with GDPR?
In the first instance, HosProMatch is a data controller and we are responsible for the data processing on our website. Candidates search our website and provide us with a GDPR-applicable lawful basis (by way of contract, legitimate interest or consent) to allow you, our customers, to contact the candidate for the specific job listing or to access their CV. When you contact the candidate and assist him or her to apply for a job, or download their CV from our server, you become a ‘data controller’. At this point you, as data controller, are required to comply with GDPR and will also have to ensure that you give the individuals their rights. In particular, you will have to provide certain information to them and, if you would like to use candidate data for any purpose other than filling a specific vacancy, you will have to obtain your own form of GDPR approval to continue to use the candidates' personally identifiable information.
2. Do we have adequate GDPR consent?
There are many grounds for processing. You will see in our Privacy Policy that we use contract, consent, legitimate interest and necessary legal reasons. When you use our listings to help candidates get jobs, or you access our server / search engine to see a candidate's CV, you can rely on our grounds for processing to contact the user for the purpose of filling a specific vacancy. For anything beyond this point you need to obtain additional “consent” and request their permission to use their personal information.
3. Where do we store users' data?
All production/user data is stored in a secure web hosting environment with restricted access. We carry out regular risk reviews, external penetration tests on the environments and internal audits.
If you have any further questions or require additional information about GDPR, do not hesitate to contact our administration office. However, we are not legal specialists and therefore recommend that you consult a law firm if required.