GDPR
Amended April 23, 2024
This is the Cookie Policy for EmployeeReferrals, Inc., accessible from employeereferrals.com
This policy sets forth the policies and procedures used by EmployeeReferrals, Inc. in accordance with the General Data Protection Regulation (GDPR), https://www.eugdpr.org/. EmployeeReferrals, Inc. will be mentioned as “Company” through this document. Company is a GDPR data processor for client data relating to employee referrals.
The European Union’s General Data Protection Regulation (GDPR) governs the use, sharing, transfer and processing of personal data originating from the European Union. In this framework the role of EmployeeReferrals is that of Data Processor and our client who owns the data is the Data Controller.
EmployeeReferrals assists our clients with their GDPR responsibilities, including fulfilling their role in the management of personal information, providing and deleting personal information, responding to breaches, etc. Further, we hold our subcontractors to applicable GDPR standards.
Various Security Measures
EmployeeReferrals takes data security very seriously, and has implemented security measures to safeguard our customers’ information. Such measures include the encryption of all data stored at EmployeeReferrals, as well as encryption and confidentiality of communication between EmployeeReferrals and customers and between EmployeeReferrals and sub processors. We hold our sub processors to the same standard. Our team has undergone data protection awareness training, focusing on how we can ensure customers’ security and confidentiality, while providing the best service.
Storage and Transfer of Data
Data stored by EmployeeReferrals, including from data subjects in the EU, is hosted in data centers within the United States. We access, use, store or distribute the data in accordance with both ISO 27001 and current GDPR regulations. GDPR does not require our customers to obtain permission from data users concerning the transfer of their information from the EU to the US, as noted in Article 46.
Consent of Data Subject
The GDPR Article 6 includes “legitimate interest” as one of the legal grounds for processing personal data – “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”. The processing we perform under contract with the client is necessary in their task of obtaining new employees. The processing of referral candidate/applicant data is in the legitimate interest of the candidate/applicant.
Declining Service, Erase Upon Request and Erase When No Longer Necessary
The data subject has the right to decline service and the right to have their personal data removed. Our client, the Data Controller, may initiate the removal of the data subject from future communications concerning the position they were referred to or we will remove the subject’s personal information from our databases. Please note that these actions do not prevent this individual from being referred in the future by an employee of this or another client.
A further requirement is that personal data be removed when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.” We remove the personal data of unresponsive candidates after six months and for other candidates after twelve months.
Customization
Clients may have different GDPR requirements or may view the requirements differently. Please contact us to arrange for customization if required.
Sub Contractors
EmployeeReferrals retains the use of Amazon Web Services (AWS) as our primary Sub Processor. You can find more information about AWS’ compliance with GDPR here. Please contact us at privacy@employeereferrals.com to ascertain whether any other Sub Processors are used in your instance and, if so, for information on their GDPR compliance.
Data Protection by Design
Company offers data protection as a standard to all clients in the following standards:
Data encrypted in transit
Data encrypted at rest
Infrastructure is all secured behind an industry standard virtual private cloud (VPC).
Access to data is allowed only to approved personnel within Company.
Access to client data is scoped by the web application to only permit access by the client to the data by those individuals who have either created the data or who have stewardship over the data.
Right to Erasure Including Retention and Disposal
Company offers to all clients the ability to request removal of referral data.
Company allows all candidates and users the ability to request individual data removal.
Company will retain a deleted user’s email address only for the purpose of preventing future notifications from being sent to the deleted user.
Data Security
Company maintains a Data Security Policy which is regularly reviewed and updated.
Company shows a GDPR privacy policy to all users who visit our website or who receive a communication from Company. Company allows every client to customize the GDPR privacy policy shown to candidates on the clients’ individual referral portal or through Company communications.
Company shows a cookie policy to all users who visit our website. Company allows every client to customize the cookie policy shown to candidates on the clients’ individual referral portal.
Contact Us
We hope that this statement has clarified any questions about our new Privacy Policy. Any further questions can be answered by reaching out to privacy@employeereferrals.com.