GDPR Compliance

The General Data Protection Regulation (GDPR) is EU regulation that aims to protect personal data and provide a level of online privacy to EU citizens. Whistling Duck LLC, the company behind CVSelection, considers this piece of legislation to be incredibly important and supports the provisions set forth in the GDPR. This document outlines how personal data is handled on CVSelection, and how compliance with the GDPR is made possible.

General principles

CVSelection is built around a number of general principles that aim to balance flexibility with privacy concerns.

We only collect data that are necessary When job application forms are published, CVSelection has to collect certain personal information. After all, personal data are at the core of a job application. However, unlike other platforms that may gather a lot of data behind the scenes, CVSelection only gathers personal data that the candidate actively supplies. CVSelection does not use cookies or other technologies to track candidates.

We allow companies to define their own data expiration policies CVSelection has customers throughout the world and data retention policies across the world. For this reason, CVSelection does not force a specific data retention policy. Instead, each client can set their own data retention policy. This means that every customer can define how long CVs and candidate profiles should be stored for.

Main GDPR guidelines

Privacy by Design As explained above, CVSelection was made with privacy concerns taken into consideration from the start. Rather than a "collect all that we can" approach, we opted to only collect data that are required. CVSelection has been developed a number of years before the GDPR came into force, and there are a number of structural changes that the team is making to make certain parts of managing personal data easier (see list of Future Changes below), but we have always taken privacy concerns into account from the ground up.

Data transparency Through this policy, published on our website, CVSelection makes it clear how it handles personal information. When CVSelection collects data, this is clearly asked from the user and there is no additional personal information collected other than what is being asked. The information collected from a candidate may include the following *: -Name(s) -Contact information (e-mail, phone, Skype address, etc.) -Job history -Education history -CV -Motivation letter -Additional information defined by the company that the candidate is applying to

For security purposes, CVSelection stores the following information when a candidate records an application: -Time and date of the application -IP address -Browser

This information is recorded for security purposes, and part of recommended security practices.

Right of access As defined in the GDPR, EU users have a right to access their personal information and receive details about how this information is being used. CVSelection facilitates this process. Our company does not process candidate information directly. Our company stores candidate information and makes it available to our clients (the companies that publish an application form). Therefore, to understand how information of an individual is being used, EU users can submit their request directly to the company they are applying to. All information that CVSelection collects is the same information that is available to the company running the recruitment process. CVSelection does not store any additional information on candidates.

Rectification and erasure EU users have a right that their data be erased within 30 days. CVSelection facilitates this process. Within our website, companies can delete individual candidates from their recruitment process. For EU companies, profiles will be removed immediately with no option to recover the information (for clients located outside of the EU, there are options to restore this information if they need to). From a data integrity point of view, information about the fact that a candidate applied and moved through the recruitment process can not be erased. In order to erase the personal data, the name of the candidate in activity logs is replaced by a generic name, after the profile itself is removed.

It is important to note that backups are made of our databases - and it is not possible to retroactively change these backups. That means that personal information is still stored within these databases. However, backups are updated on a rolling basis, with only 30 days being retained.

Security of personal data Data uploaded to CVSelection is protected as best we can, taking into account recommended security practices and measures to limit and control server and data access. Measures include the following:

Information on the server itself is furthermore protected by: -One-way encryption of any access credentials (access keys, passwords, etc.) -Software on the server is kept up-to-date and firewalls and other protective measures have been put in place. - Access to the server and database is restricted and monitored. - Daily backups are made and stored remotely.

Our servers are located in the Netherlands

Breach Notification

If we become aware of any breach, we will notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

External services CVSelection uses Google Analytics to gather data on website visits. No information is gathered that can personally identify a candidate. Furthermore, this information is in no way linked to individual website users. Instead, it is aggregated to provide a general idea of how the website is performing, how long visitors stay on the website, etc. Google has a separate privacy disclaimer for this service, which is outside the scope of this document. However, if visitors decide to turn off external cookies or Google Analytics specifically, our website will work exactly the same for the user.

Recent changes

This section describes a number of changes that are being made to CVSelection and that related to personal data storage and protection.

Database storage consent CVSelection will allow for a dedicated "Candidate Database" that allows organizations to store information on candidates for a longer period of time. This feature can now be used by companies as we made an easy system to request permission from candidates for this longer-term storage option.

Tracking of individual viewing access At the moment, we log details of CVs being downloaded and other actions by users who have access to the candidates. These logs are available to each client. However, in addition to logging changes and downloads, we also register when candidate profiles are being viewed and by whom.

Login functionality for candidates Currently, candidates apply once-off for a vacancy by filling out an application form. We do not create a user profile or store cookies. That means that they have to fill out the same information if they apply to another job at the same company. In order to improve this experience, we created an option for candidates to create an account and apply to different positions without having to enter the same information. This would, however, mean that additional profiles and information is being stored on candidates. We have implemented additional features for them to also ensure GDPR compliance (and, for instance, allow them to remove or export their own profile).

Google Analytics CVSelection is looking at alternative options to monitor visitor statistics for our website. This would allow us to no longer use Google Analytics, and thus have no longer any external cookies being used on our website.