Worried about GDPR? Don’t be – we’ve got you covered!

GDPR EU (EU General Data Protection Regulation) has become a nightmare for anyone who processes personal data. If you are using or collecting personal
Anna Sykut
Anna Sykut
Chief Evangelist in TRAFFIT
Table of content
    Add a header to begin generating the table of contents

    GDPR EU (EU General Data Protection Regulation) has become a nightmare for anyone who processes personal data. If you are using or collecting personal data during your recruitment processes, you’ll be obligated to follow all of the regulations. But don’t worry, your Traffit system is designed to help you through this time of horror. We’re on your side!

    How can you collect all the necessary approvals or candidate’s updated agreements via Traffit?

    First of all, follow the path: Settings -> Adverts and Clauses -> Forms for downloading consents. Here you can create an application form that will not be connected to any recruitment process. You can do it the same way as any other application form and then send it via a link in a message to the candidate. Remember to ask your candidate to confirm/add his email address (as it is his unique ID that we keep in the Traffit system). Sounds simple, right? It is!

    Please check an example of the form.

    After getting all the data, approvals, and agreements directly from a candidate, Traffit will update them in the system. Your form got sent to a new candidate that hasn’t been on your list before? No problem! We’ll create a new record in your database for him or her right away.

    You can easily find all the needed information on your candidate’s profile page, for example, when and under which recruitment process (and client) he/she signed a particular clause:


    You can also check the validation date for each “signed” clause, and you will be able to edit or change the communication channel. At the end of a day, your candidate may decide that he/she wants you to contact him/her only via email, not by phone.

    In case your candidate is in a couple of recruitment processes at the same time, we prepared a summary of the information about all his “signed” clauses on the top of his profile card:



    How do you fulfill the information obligation?

    1. You have all your candidates in your base, and they agreed to all needed clauses. Great! But, that’s only the beginning. You are still obligated to inform them about:
    • How you use and process their data (please remember to add the data processing company’s full name).
    • The option to withdraw consent for data processing.
    • We also recommend you add information about the due date of the candidate’s personal data processing.

    IMPORTANT! Withdrawal of consent for data processing should be as simple as permission to process them. It should not push your candidate to print or send by mail any paperwork if you let him or her tick the checkboxes next to the clauses to consent. The best option is to provide an email address where they can inform you about their withdrawals.

    1. You have some candidates in your database, but they didn’t sign/add any clauses in their CV nor their application forms? Once GDPR comes into effect on May 25, 2018, you will have to erase all of their data from your system. If you want to collect their data ASAP, please use the form described above. It is the most efficient way.
    2. Are you planning to update your old forms or create new ones? Fulfill the information obligation by adding all the needed information so we can “kill two birds with one stone.” How do you make it work? Please stay with us, breathe, and read the information below.

    How to prepare clauses that comply with GDPR?

    Each consent has to be separate, and you’re only allowed to require consent if it’s essential for a given recruitment process. In Traffit each clause has, it’s separate settings, which you should have configured by May 25.

    The type of clause that your candidate agreed to is important information you can find in a candidate’s profile. You can keep any preferred content in the clause; you’re also allowed to choose its language. What is crucial is the type of clause it is, which allows us to determine its meaning. That’s why we’ve created five categories of clauses:


    • information obligation
    • consent as part of the current recruitment
    • consent as part of future recruitment
    • consent for profiling
    • marketing agreement

    (categories of clauses are a type of a dictionary for the system, so you can freely add any clause you want).

    Communication channels are the default channel for a given consent. You can change it in a candidate profile anytime without erasing the whole consent.

    Admin can set the Clauses Settings as preferred. For example, the admin can decide that a recruiter will not have permission to delete a clause from the form (that should work for a consent given for particular recruitment and information obligation).

    Once the form has been filled out, a note that the information obligation has been fulfilled will appear in the candidate’s profile – with the date and its full content.

    There is one specific type of clause we mentioned before: information obligation. Its content will always be visible between the fields of the form that complements the candidate and the clauses visible as a text as you can see here.

    Timeline, deadline and all the “lines” for collecting the consents.

    GDPR does not explicitly specify the time of data processing; everyone should estimate this time for themselves. After discussion with our lawyers, we strongly advise you to keep the due date in between two and three years. As usual, we gave you an option to schedule any due time. In the Settings -> General Settings you can specify in months the validity period of approvals as shown below:


    Based on this scheduled information from the candidate’s profile, we will count and show you if the specific consent is still valid. After that time it will be displayed as inactive. Of course, you will be able to withdraw your chosen consent at the request of the candidate before the deadline.

    Basic GDPR Knowledge – Summary of things you need to know

    To summarize all the GDPR info regarding your recruitment processes, here are a few simple hints and rules:

    • Consent – it must be separate, voluntary, and freely given. Therefore, after May 25 you can no longer collect those where, under one agreement, the candidate agrees to the contact as part of both specific and future recruitment.
    • Security – you should train your employees and make them sensitive to security issues, limit the number of places where candidates’ data are stored (if you have them in digital and paper form) and secure the media on which the data is stored.
    • Purposefulness and data minimization – you can collect from the candidates only that data necessary to carry them through the recruitment process, and you must process them as quickly as possible and only for the stated purpose.
    • The information obligation – in addition to obtaining consent, you must also fulfill the information obligation, i.e., inform the candidate about who will be the administrator of his or her data and how he or she can withdraw his or her consent.
    • Timeliness and deadlines of consents – all consent must be limited by purpose. If the goal is a recruitment and the candidate only agrees to the processing as part of the given recruitment, the approval expires at its completion. If this consent to contact is for future hiring, it must be limited in time.

    Traffit User Checklist

    So you already have a Traffit account, and you’d like to know more about its GDRP compliance superpowers? Here’s a checklist to help you out:

    1. Verify clause.

    You can create your clauses and edit them by following this path: Settings -> Adverts and Clauses -> Clauses. Make sure that each of them has a type set up together with a language (we strongly advise you to have that in mind). When we have that all set up correctly, we can quickly prepare you a summary of your candidate’s profile together with all accepted clauses listed and notify you about any activities on his or her profile in Traffit. It is helpful if you keep every clause separate and keep those that are a “must” as a default. You can create a few versions of the same clause in different languages.

    If you set up any clause as an information obligation type it will be attached as text under the form over all the other clauses you will add.

    1. Check your forms.

    Make sure that all of your shared application forms have the information obligation and all updated clauses attached.

    1. Verify the candidate profile.

    Remember that you need to collect only the data you need to gather regarding a specific recruitment path. Delete any profile fields that might provide too much personal information. It would be better to change a question about the candidate’s location to a question about where the candidate would like to work.

    1. Set up the default due date for consent validation.

    You can do that in Settings -> General Settings bookmark. This enables us to show you the expiration date of all the consents and alert you when you need to update them.

    1. Modify group rights

    Go to the Settings tab and choose Rights. This is where you can limit access to selected features for selected groups of users. Pay special attention to:

    • Candidates –> Deleting candidates – not all of the users should have such an option, as the candidate’s data is deleted completely, and it’s not possible to undo this action.
    • Candidates –> Exporting candidate’s data to an .xlsx file – this option should also be available only for selected users. This will allow you to control a candidate’s data and protect yourself from a potential leak.
    • Other –> Files download – restrict users from downloading files. To view candidate’s data they can always log in to Traffit and view them in a secure environment. Whenever a candidate withdraws his consent and requires you to delete his data, you’ll be sure that no copy is stored locally on users’ computers.
    • Other –> Deleting files – you can also block a user’s option to delete files from candidate profiles.
    • Restrictions –> Allows for deleting of clauses – grant this right only to the admins.
    1. Verify your user list

    Make sure that all of your current employees are on the list, and that their access to personal data is up to date. If it isn’t, deactivate their accounts (please note that it will also block their access to Traffit).

    1. Sign an appropriate authorization with your employees who have access to personal data.

    Next steps

    That’s not all! We’re working on some further improvements for you, including an option to withdraw a single consent and the ability to filter candidates depending on the type of consent they’ve given. Next, we’ll give you options to enable system notifications each time your candidate’s consent is about to expire, an option of excluding candidates from profiling, and a list of clauses that you can add automatically each time a new candidate’s profile is created manually.

    Once the GDPR is in effect, we’ll start working on features that will make your life even easier. More info soon, so stay tuned!

    Try TRAFFIT for free
    Over 5,000 successful recruiters in 15 countries use Traffit. Now it’s your turn to join them.