GDPR Compliance at
HireNext
Management of personal data and GDPR compliance — HireNext is fully compliant with the General Data Protection Regulation (GDPR). Privacy and security of personal data is a primary, not an afterthought.
Table of Contents
GDPR Overview
The General Data Protection Regulation is a data protection law that describes the process when processing personal data about people in the European Union (EU) and European Economic Area (EEA), UK GDPR for [...]
HireNext acts as both a Data Controller (fem data that we get straight from users) and a Data Processor (when handling candidate data on behalf of our clients). We have policies, technical controls and contractual safeguards in place to execute both roles responsibly. HireNext acts as both a Data Controller (for data you directly provide to us) and a Data Processor (when processing candidate data on behalf of our customers). To fulfill both roles responsibly, we have put in place policies, technical controls, and contractual safeguards.
Lawful Basis for Processing
HireNext relies on the following lawful bases under GDPR Article 6 when processing personal data:
- Contractual Necessity: Processing necessary to fulfill our service agreement with customers and users.
- Legitimate Interests: Processing for fraud prevention, platform security, and service improvement, where our legitimate interests are not overridden by the rights of the data subject.
- Consent: Where needed (e.g., marketing communications), we obtain clear, freely given, and revocable consent.
- Legal Obligation: Processing required to comply with applicable laws, regulations, or court orders.
Data Subject Rights
The GDPR provides individuals with several key rights related to the processing of their personal data. HireNext supports the exercise of all these rights:
To exercise any of these rights, please contact our Data Protection Officer at [email protected] [email protected].We will respond as needed within 30 days as required by GDPR.
International Data Transfers
Where personal data is transferred outside the EU/EEA, HireNext ensures appropriate safeguards are in place in accordance with GDPR Chapter V:
- Standard Contractual Clauses (SCCs): For transfers to third countries without an adequacy decision, we use EU Commission-approved Standard Contractual Clauses (SCCs).
- Adequacy Decisions: It allows for transfers to countries with an adequacy decision from the EU without any additional safeguards.
- Binding Corporate Rules: Where applicable for intra-group transfers.
- Transfer Impact Assessments: We conduct TIAs for all high-risk transfers to ensure we can provide effective protection.
Data Retention
HireNext retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.
| Data Category | Retention Period |
|---|---|
| Active account data | The age of account + 90 days after termination |
| Candidate application data | As configured by employer (default: 12 months) |
| Billing & transaction records | 7 years (legal/tax obligation) |
| Security & audit logs | 12 months |
| Marketing consent records | 3 years from last interaction |
Breach Notification
HireNext maintains an incident response procedure, effective in case of a personal data breach:
- Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals' rights and freedoms.
- Data Subject Notification: Where a breach is likely to result in high risk to individuals, we will notify affected data subjects without undue delay.
- Customer Notification: We notify affected customers promptly in their capacity as Data Controllers, so they can fulfill their own notification obligations.
- Incident Documentation: All breaches are recorded and documented, regardless of whether notification is required.
Data Processing Agreement
In accordance with GDPR Article 28, HireNext provides a Data Processing Agreement (DPA) to all customers who process the personal data of EU/EEA data subjects through our platform.
Our DPA covers:
- Subject matter, duration, and nature of processing
- Purpose and type of personal data processed
- Obligations and rights of the Data Controller
- Sub-processor management and approval process
- Security measures and audit rights
- Data deletion and return procedures
To request a DPA, contact [email protected].
Contact Our DPO
To contact us regarding any GDPR-related inquiries or data subject requests or to request a copy of our DPA, contact our Data Protection Officer:
Questions about GDPR compliance?
Our Data Protection Officer is available to answer any questions about how HireNext handles personal data under GDPR.
Contact DPO