
GDPR FAQs - Candidate dashboard

5 months ago by Alison Owen


Over the past few months, we’ve been asked many questions about the Volcanic GDPR-compliant Compliance Area featuring the self-service candidate dashboard. Our series of blogs sets out to answer the most frequently asked questions.


Here, we respond to questions relating to the self-service candidate dashboard.


How can candidates self-manage their data?

Candidates can manage their data by logging in to their candidate dashboard, where they have live visibility of the status of their data and consents.


How do candidates give or remove consent?

A candidate can give consent by ticking the tick box in the list of consents on the candidate dashboard. When a box in the list is ticked, a pop-up message appears. The candidate must scroll through this message and click the submit button to confirm consent. Unticking the box removes consent in the same way.


Which candidate rights are covered by the GDPR?

  1. The right to be informed

  2. The right to rectification, i.e. to update their data

  3. The right to erasure (the right to be forgotten or RTBF)

  4. The right to data portability

  5. The right to restrict processing

  6. The right to object

  7. The right of access (Subject Access Requests or SARs)

  8. Rights in relation to automated decision making


How are these handled in the Volcanic dashboard?

Each right and how it is handled in the Volcanic dashboard is outlined below:


The right to be informed

This is the recruiter’s obligation to provide ‘fair processing information’, typically through a privacy notice. The Volcanic platform provides for this obligation within an area where the client’s privacy policy exists. You can upload your privacy notices in the Compliance Area and this obligation will be handled by the Volcanic platform.


The right to rectification (i.e. to update their data)

Personal data can be rectified if it is inaccurate or incomplete. The request must be actioned within one month. The Volcanic approach makes this simple - all data on a candidate is shown in the candidate dashboard area and can be updated by the individual.


The right to erasure (the right to be forgotten or RTBF)

The right to be forgotten (RTBF) process is very clear. When a candidate makes a deletion request for all or part of their data, the Volcanic platform logs this request and sends an email to your business’ Data Protection Officer (DPO), or designated compliance contact. It is up to the DPO or designated contact to validate the request and instruct Volcanic whether or not to delete the data.  

There may be legal reasons for you to keep their data, for example if you have placed a candidate in a role and are required by HMRC to keep the data - these reasons supersede the GDPR.


How long do I have to give a candidate the right to be forgotten (RTBF) or the right of data access (subject access request or SAR)? 

You have 30 days to deliver the RTBF or SAR. At Volcanic we log the request as soon as it is made, which triggers an email to your DPO or designated compliance contact. 


The right to data portability

The candidate can log in to the candidate dashboard and download their data as a .csv file.


The right to restrict processing

If a candidate requests this, you must suspend their data from being processed in the system. Search for the user in the admin area and click the suspend user button to prevent any further processing of their data.


The right to object

Individuals have the right to object if they have grounds relating to their particular situation. They must be informed of this right at the point of first communication, and it must be presented separately from other information.


The right of access (Subject Access Requests or SARs)

This gives a data subject the right to confirm that their data is being processed and to access their personal data. The Volcanic platform provides an area where the individual can make a subject access request. The request is recorded and date stamped, and the DPO or designated compliance contact is notified by email.


Rights in relation to automated decision making

The GDPR gives individuals the right not to be subject to a decision when it is based on automated processing. This needs to be declared as part of the Terms and Conditions or privacy policy. This right does not apply if the decision is necessary for entering into or performing a contract between you and the individual, is authorised by law or is based on explicit consent.


If a candidate requests to delete or amend their data in the candidate dashboard, how do we update our central database?

When a candidate makes a deletion request for all or part of their data, the Volcanic platform sends an email to your business’ Data Protection Officer (DPO), or designated compliance contact. It is up to the DPO or designated contact to instruct Volcanic whether or not to delete the data.


What is candidate profiling?

GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual to predict their performance and behaviour, among other criteria. You must ensure processing is fair and transparent by providing meaningful information about the logic involved as well as the envisaged consequences, and secure data in a way that is proportionate to the risk to the rights of the individual.


How are we alerted to changes that candidates make within the dashboard?

If candidates request the right to be forgotten or the right of access, this generates an email to your designated Data Protection Officer or compliance contact.


If a candidate is already registered with us and wants to apply for a job, will they have to register and be offered the option to withdraw consent?

If a candidate has registered on your website, they will have already agreed or disagreed to the Preferences (Legal Messages) you have set. Depending on the wording you choose to use, the consents may refer to opting in to receiving marketing material.


Volcanic is supporting the recruitment industry towards GDPR compliance. Make sure you and your team are trained in GDPR awareness using our free resources: watch our free GDPR awareness training video here.




