Privacy Policy

Privacy Policy

Amended March 09, 2024


Referral candidates are invited by a friend or associate to consider applying for a specific position at the friend’s employer. EmployeeReferrals contracts with the employer to provide the platform used to facilitate this referral process. The data we collect and process is owned by our client, the employer.

We collect only the minimum information needed, share it only with those directly involved in the referral process and purge the information when it is no longer needed. Of course, we will also remove data upon request. We will not collect information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.

As outlined below we comply with the EU-U.S. Data Privacy Framework Principles and the Swiss-U.S. Data Privacy Framework Principles and with GDPR privacy regulations.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, EmployeeReferrals commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

The table below identifies the data we collect from our client company, its employee, the referral candidate and the job applicant:

Data Collection and Usage

Custom Table
Data Source Data Elements Source and Usage GDPR Basis - Reason for Using the Data Retention
Client Company
  • Contact Name
  • Contact Phone
  • Contact Email
This information is provided by the client and is used by EmployeeReferrals to fulfill our contract with the client. Contract
The processing is necessary to fulfill the contract we have in place with the client.
Contract Term
Client Company or its Employee
  • Employee Name
  • Position
  • Department
  • Location
  • Employee ID
  • Email
  • Phone
  • Login
  • Site Usage
  • IP address
This information is provided by the client or its employee and is used to present relevant referral opportunities to the employee, to track referrals made by the employee, to compensate the employee for referrals, to present internal mobility opportunities to the employee, and is used in aggregate, anonymous form in company monitoring of its referral program. Legitimate Interest
Providing this information is in the employee’s interest to provide job opportunities to their acquaintances and to earn rewards for referring their friends who are hired. Providing this information is in the client company’s interest in filling vacancies.
Contract Term
Referral Candidate
  • Name
  • Email
This information is provided by the referring employee and is used in an email from the referring employee to the referral candidate inviting them to consider a particular position at the employer. Legitimate Interest
It is in the interest of the referral candidate to receive information on job openings from a person they know at the company.
6 months
Job Applicant
  • Name
  • Email
  • Phone
This information is provided by the Job Applicant and is used by the potential employer in considering their application. Legitimate Interest
It is in the interest of a job applicant to provide contact and resume information in connection with the job application.
12 months
We may collect information about you whenever you interact with us. For example, when you contact regarding our activities, register as a supporter, send or receive information or sign a petition, you specifically and knowingly provide us with your personal information. We may also receive information about you from third parties – but only if you have given them permission to share your information.

Information from Social Sites

If you choose to link your EmployeeReferrals account with Facebook or LinkedIn we will collect your name and email address.

Your email address will be used by your employer for internal communication related to the employee referral program. You can unsubscribe from these emails at any time by either clicking the unsubscribe link included in each email or by logging into the system and updating your email preferences.

You have the right purge your personal information from our platform. To perform this you must log in, click your [username] (found at the top-right corner of the screen), select [settings], then [privacy]. From there you can click [DELETE ACCOUNT] to delete your account and purge all your information, including name and email, from our system.

Your company’s system admin can also purge your data upon request.

Continuing Accountability

EmployeeReferrals remains accountable if third-party agents that it engages to process personal data do so in a manner inconsistent with our Privacy Policy, the EU-U.S. Data Privacy Framework Principles, the Swiss-U.S. Data Privacy Framework Principles, or GDPR regulations unless EmployeeReferrals proves that we are not responsible for the event giving rise to the damage.

Complaint Resolution

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), EmployeeReferrals commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact EmployeeReferrals at

EmployeeReferrals has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See

Federal Trade Commission

EmployeeReferrals is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Disclosure of Information to Third Parties

We pass to our hosting service, Amazon Web Services, personal and other information on employees, referred individuals and job applicants. Also, if the employer uses a third-party rewards provider, we supply information to that provider necessary for them to process referral bonus rewards to employees, generally the employee’s name, email and reward earned. We will disclose personal information in response to court order or other legal process, including to meet national security or law enforcement requirements. If we were to merge or be acquired by another entity the collection and processing functions we perform would be transferred to them. We contract with third parties to provide application development services and in this role they may have access to personal information. In the above transfers we supply only the minimum necessary information and the third parties we work with operate under privacy policies similar to this one. Even though we do not transfer data to non-agent third parties, if we were to, individuals would be able to opt out of having their data shared by emailing If we were to sell your data, EmployeeReferrals would continue to be liable for the misuse of such data. Again, we confirm that we do not sell or transfer data to non-agent third parties. In other words, we won’t sell your data.

Transfer to Other Countries

We may transfer data from the country where it was collected to a country with different data protection regulations. In doing so we will protect the data according to this privacy policy and under EU model clauses signed with our client the employer.


We and our sub processors use industry standard security measures to protect information from unauthorized access.

EU-U.S. Data Privacy Framework Principles and the Swiss-U.S. Data Privacy Framework Principles

EmployeeReferrals complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. EmployeeReferrals has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.EmployeeReferrals has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit

Applicability of Article 1.f of GDPR (Legitimate Interest)

A discussion of Article 1.f (Legitimate Interest) can be found at An email from the employee to his friend/associate inviting him/her to consider a specific job at his company meets the requirements of 1.f because: First, this is a one-to-one and friend-to-friend communication, where the sender has implicit permission to communicate, with a purpose clearly in the interest of the recipient, and with no follow-on/repetition unless the friend applies for the job. Recital 47 of the DGPR addresses our situation with “Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller…” And second, the GDPR is explicit that opt-in is required where there is the potential for opt-in, with the example of a pizza parlor which collects an address for the purpose of delivery and could at this time request an opt-in for marketing purposes, but in our case there is no opportunity for getting opt-in prior to sending the invitation email.

Questions or Data Removal

You have the right to access your personal data which resides in our system. Should you have any questions, complaints, or wish to correct or amend inaccurate information, or wish to have your information deleted from our system, please use Removing your name and email address from our system will also remove the ability of the potential employer to see your name or to contact you. However, please recognize that if you proceed to apply for a job with this employer you will be supplying to the employer additional personal information which is not entered into our system and cannot be deleted by us. If requested to remove data, we will respond within a reasonable timeframe.

Future Policy Amendment

This Policy may be amended from time to time, consistent with EU GDPR regulations, with the EU-U.S. Data Privacy Framework Principles, the Swiss-U.S. Data Privacy Framework Principles, and with other applicable data protection and privacy laws and principles.  We will make users of our application aware of changes to this policy either by posting to our website, through email, or other means.  We will notify those who share personal data with us if we make changes that materially affect the way we handle personal data previously collected, and we will allow them to choose whether their data may be used in any materially different manner.