Over the past few months, we’ve been asked many questions about the Volcanic GDPR-compliant Compliance Area featuring the self-service candidate dashboard. Our series of blogs sets out to answer the most frequently asked questions.
Here, we respond to questions relating to the self-service candidate dashboard.
How can candidates self-manage their data?
Candidates can manage their data by logging in to their candidate dashboard, where they have live visibility of the status of their data and consents.
How do candidates give or remove consent?
A candidate can give consent by ticking the tick box in the list of consents on the candidate dashboard. When a box in the list is ticked, a pop-up message appears. The candidate must scroll through this message and click the submit button to confirm consent. Unticking the box removes consent in the same way.
Which candidate rights are covered by the GDPR?
- The right to be informed
- The right to rectification, i.e. to update their data
- The right to erasure (the right to be forgotten or RTBF)
- The right to data portability
- The right to restrict processing
- The right to object
- The right of access (Subject Access Requests or SARs)
- Rights in relation to automated decision making
How are these handled in the Volcanic dashboard?
Each right and how it is handled in the Volcanic dashboard is outlined below:
The right to be informed
The right to rectification (i.e. to update their data)
Personal data can be rectified if it is inaccurate or incomplete. The request must be actioned within one month. The Volcanic approach makes this simple - all data on a candidate is shown in the candidate dashboard area and can be updated by the individual.
The right to erasure (the right to be forgotten or RTBF)
The right to be forgotten (RTBF) process is very clear. When a candidate makes a deletion request for all or part of their data, the Volcanic platform logs this request and sends an email to your business’ Data Protection Officer (DPO), or designated compliance contact. It is up to the DPO or designated contact to validate the request and instruct Volcanic whether or not to delete the data.
There may be legal reasons for you to keep their data, for example if you have placed a candidate in a role and are required by HMRC to keep the data - these reasons supersede the GDPR.
How long do I have to give a candidate the right to be forgotten (RTBF) or the right of data access (subject access request or SAR)?
You have 30 days to deliver the RTBF or SAR. At Volcanic we log the request as soon as it is made, which triggers an email to your DPO or designated compliance contact.
The right to data portability
The candidate can log in to the candidate dashboard and download their data as a .csv file.
The right to restrict processing
If a candidate requests this, you must suspend their data from being processed in the system. Search for the user in the admin area and click the suspend user button to prevent any further processing of their data.
The right to object
Individuals have the right to object if they have grounds relating to their particular situation. They must be informed of this right at the point of first communication, and it must be presented separately from other information.
The right of access (Subject Access Requests or SARs)
This gives a data subject the right to confirm that their data is being processed and to access their personal data. The Volcanic platform provides an area where the individual can make a subject access request. The request is recorded and date stamped, and the DPO or designated compliance contact is notified by email.
Rights in relation to automated decision making
If a candidate requests to delete or amend their data in the candidate dashboard, how do we update our central database?
When a candidate makes a deletion request for all or part of their data, the Volcanic platform sends an email to your business’ Data Protection Officer (DPO), or designated compliance contact. It is up to the DPO or designated contact to instruct Volcanic whether or not to delete the data.
What is candidate profiling?
GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual to predict their performance and behaviour, among other criteria. You must ensure processing is fair and transparent by providing meaningful information about the logic involved as well as the envisaged consequences, and secure data in a way that is proportionate to the risk to the rights of the individual.
How are we alerted to changes that candidates make within the dashboard?
If candidates request the Right To Be Forgotten or The Right Of Access, this generates an email to your designated Data Protection Officer or Compliance contact.
If a candidate is already registered with us and wants to apply for a job, will they have to register and be offered the option to withdraw consent?
If a candidate has registered on your website, they will have already agreed or disagreed to the Preferences (Legal Messages) you have set. Depending on the wording you choose to use, the consents may refer to opting in to receiving marketing material.
Volcanic is supporting the recruitment industry towards GDPR compliance. Make sure you and your team are trained in GDPR awareness using our free resources: watch our free GDPR awareness training video here.