GDPR Compliance

GDPR Compliance at
HireNext

Management of personal data and GDPR compliance — HireNext is fully compliant with the General Data Protection Regulation (GDPR). Privacy and security of personal data is a primary, not an afterthought.

Last updated: February 20, 2026
EU & UK GDPR Compliant
1

GDPR Overview

The General Data Protection Regulation is a data protection law that describes the process when processing personal data about people in the European Union (EU) and European Economic Area (EEA), UK GDPR for [...]

HireNext acts as both a Data Controller (fem data that we get straight from users) and a Data Processor (when handling candidate data on behalf of our clients). We have policies, technical controls and contractual safeguards in place to execute both roles responsibly. HireNext acts as both a Data Controller (for data you directly provide to us) and a Data Processor (when processing candidate data on behalf of our customers). To fulfill both roles responsibly, we have put in place policies, technical controls, and contractual safeguards.

Data Controller
Billing data and platform usage data for HireNext account holders that we collect directly.
Data Processor
Hiring Data: For candidate data processed on behalf of employer customers using the HireNext platform.
Lawful Processing
All personal data is processed on at least one valid lawful basis as defined under GDPR Article 6.
Privacy by Design
The platform architecture is built around data minimization, purpose limitation, and privacy controls.
2

Lawful Basis for Processing

HireNext relies on the following lawful bases under GDPR Article 6 when processing personal data:

  • Contractual Necessity: Processing necessary to fulfill our service agreement with customers and users.
  • Legitimate Interests: Processing for fraud prevention, platform security, and service improvement, where our legitimate interests are not overridden by the rights of the data subject.
  • Consent: Where needed (e.g., marketing communications), we obtain clear, freely given, and revocable consent.
  • Legal Obligation: Processing required to comply with applicable laws, regulations, or court orders.
3

Data Subject Rights

The GDPR provides individuals with several key rights related to the processing of their personal data. HireNext supports the exercise of all these rights:

Right of Access
Ask us for a copy of all personal data we hold about you (Subject Access Request).
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Where applicable, request the deletion of your personal data (the "right to be forgotten").
Right to Restrict Processing
In certain cases, you can request us to restrict the processing of your data.
Right to Data Portability
Get your data delivered in a structured, machine-readable format
Right to Object
Right to object to automated individual decision-making based on legitimate interests or for direct marketing.
Rights re: Automated Decisions
You will not be subject to solely automated decisions with significant effects without human review.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact our Data Protection Officer at [email protected] [email protected].We will respond as needed within 30 days as required by GDPR.

4

International Data Transfers

Where personal data is transferred outside the EU/EEA, HireNext ensures appropriate safeguards are in place in accordance with GDPR Chapter V:

  • Standard Contractual Clauses (SCCs): For transfers to third countries without an adequacy decision, we use EU Commission-approved Standard Contractual Clauses (SCCs).
  • Adequacy Decisions: It allows for transfers to countries with an adequacy decision from the EU without any additional safeguards.
  • Binding Corporate Rules: Where applicable for intra-group transfers.
  • Transfer Impact Assessments: We conduct TIAs for all high-risk transfers to ensure we can provide effective protection.
5

Data Retention

HireNext retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

Data CategoryRetention Period
Active account dataThe age of account + 90 days after termination
Candidate application dataAs configured by employer (default: 12 months)
Billing & transaction records7 years (legal/tax obligation)
Security & audit logs12 months
Marketing consent records3 years from last interaction
6

Breach Notification

HireNext maintains an incident response procedure, effective in case of a personal data breach:

  • Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals' rights and freedoms.
  • Data Subject Notification: Where a breach is likely to result in high risk to individuals, we will notify affected data subjects without undue delay.
  • Customer Notification: We notify affected customers promptly in their capacity as Data Controllers, so they can fulfill their own notification obligations.
  • Incident Documentation: All breaches are recorded and documented, regardless of whether notification is required.
7

Data Processing Agreement

In accordance with GDPR Article 28, HireNext provides a Data Processing Agreement (DPA) to all customers who process the personal data of EU/EEA data subjects through our platform.

Our DPA covers:

  • Subject matter, duration, and nature of processing
  • Purpose and type of personal data processed
  • Obligations and rights of the Data Controller
  • Sub-processor management and approval process
  • Security measures and audit rights
  • Data deletion and return procedures

To request a DPA, contact [email protected].

8

Contact Our DPO

To contact us regarding any GDPR-related inquiries or data subject requests or to request a copy of our DPA, contact our Data Protection Officer:

Data Subject Requests
[email protected]
Legal / DPA Requests
[email protected]
Security Incidents
[email protected]
General Privacy
[email protected]

Questions about GDPR compliance?

Our Data Protection Officer is available to answer any questions about how HireNext handles personal data under GDPR.

Contact DPO