
Data Privacy & Security of the Referral Program

This article provides readers with the most necessary information regarding data privacy & security at CleverConnect.

Here are the questions that are being answered in this article:

What is the basis of CleverConnect's data protection?
Does the GDPR apply to every customer?
Does CleverConnect ensure that their customers follow the GDPR?
Does CleverConnect have a data protection officer?
What is the legal ground of processing data?
How does CleverConnect ensure a high level of IT Security and data protection?
How does CleverConnect ensure the security of the platform?
What happens in the case of a data leak?


 

What is the basis of CleverConnect's data protection? 

The employee referral program focuses on compliance with the strict requirements of the GDPR. The possibility of compliance with the data protection laws of other countries outside the EU can be examined on a case-by-case basis. As a rule, the level of data protection required by the GDPR is very high, so the requirements of other legislation can often be covered.

Does the GDPR apply to every customer of CleverConnect?

The GDPR is an EU-wide data protection standard that applies to all companies that process personal data of data subjects residing in the EU. The actual company headquarters or the place of processing is irrelevant. Since the data is being processed in Europe, we have to abide by the corresponding regulations. Therefore, all of CleverConnect's services are GDPR-compliant.

Does CleverConnect ensure that their customers follow the GDPR? 

All the different features that the Referral Program offers (e.g. automated consent management, profile blocking, automated deletion functions, etc.) make it easy for all of our customers to abide by the GDPR. Every template provided by CleverConnect is GDPR-compliant as instructed by §28 GDPR.

Want to find out how to enable GDPR and how it is being used? Click here to read our article dedicated to enabling GDPR.

Does CleverConnect appoint a data protection officer? 

Yes, CleverConnect has appointed an external data protection officer. We work continuously with them to ensure a high level of data protection and to answer individual customer inquiries.

What is the legal ground of processing data?

For recruiters:

The processing of recruiter data is based on the employment contract between the controller and the respective employee (Art. 6 para. 1 lit. b GDPR) within the scope of the employment as a recruiter.

For employees:

The processing of employee data is based on the legitimate interest of the controller [CleverConnect customer] (Art. 6 para. 1 lit. f GDPR). The legitimate interest of the controller is to win the best candidates for the company and to offer an employee recommendation programme for them. In this case, the predominant interests of the employees are not taken into consideration; in particular, the controller as employer is permitted at any time to communicate with its employees on a service-related basis via the e-mail account made available for business purposes, without the employees being able to reject this from the outset.

The employee's right to object, which is necessary in the case of legitimate interest, is given, since the employee can delete his or her account at any time (or opt out in the case of the "Jobs Newsletter", which regularly informs employees about current positions in the company).

For talents:

With regard to the legal basis, we refer here to the legitimate interest for a one-time contact for a job offer. That is, no product is sold; rather, it is the opportunity to leave your data with a reputable company, which promotes the professional advancement of the person concerned. In addition, in this first step only the contact data is given, no further data. The talent has, as also legally provided, the possibility to object to the further use of the data for this purpose.

Within the scope of this direct referral, the employee must confirm that he or she has the consent of the respective candidate by checking a box.
It is correct that the customer has no control over the type of consent and the scope and nature of the information.

However, this is also not necessary, as this is not a data protection consent. Rather, this protection is intended to safeguard the (presumed) legitimate interest of the talent.

The request for consent (from the employee) thus has two functions:
1. The employee should be encouraged to be aware that he/she is transferring the personal data of the talent to a third party (the CleverConnect customer).
2. The CleverConnect customer can be assured by the employee that there are no legitimate interests of the talent that prevent him/her from contacting the third party.
 
How does CleverConnect ensure a high level of IT Security and data protection?

A series of internal policies regulates all important organizational issues regarding data protection and IT security. All employees are required to attend an annual mandatory data protection training course, in which our data protection officer covers both legislation and specific behavior. In addition, all employees sign a data protection declaration in which they commit themselves to specific conduct and rules that are conducive to data protection.
 
How does CleverConnect ensure the security of the platform?

CleverConnect applies a variety of security concepts both for the platform on which the software is operated and during the development of that software. These are explained in CleverConnect's "Operations And System Architecture" and "Software Development Process" documents, which customers can receive upon request.
 
What happens in the event of a security incident involving personal data?

If a security incident occurs that affects personal data (this has never happened before), the affected customers will be informed immediately (within 24 hours at the latest). In addition, appropriate countermeasures will be initiated immediately to eliminate the cause. If necessary, short-term workarounds will ensure that no more personal data is disclosed. If it should indeed be a data protection-relevant incident, the relevant supervisory authorities are informed immediately in consultation with the customer.

If you have any more questions, don't hesitate to contact our support team.