chapter six

Rights and Obligations

What are the specific obligations for data processing?


Previously, under the DPR, data processing obligations were primarily the responsibility of the Data Controller, only. This has changed under the new GDPR, which now applies to both Data Controllers and Data Processors. Each have separate obligations that must be met to be compliant in the processing of personal data. As such, we recommend familiarizing your organization with Chapter 4 of the GDPR and accompanying recitals, which speak to these obligations. Below, we’ve provided a high-level summary as a guideline for you and your team to get organized.

The Rights of Data Subjects

Obligations of Data Controllers - Our Customers

As discussed earlier in this paper, a Data Controller is the entity that determines what personal data of a data subject, is processed. At SmartRecruiters our customers – meaning YOU – are the Data Controller because you decide what data to collectfrom job applicants, leveraging our platform, that is necessary for qualifying, evaluating, and hiring candidates who participate in your recruitment processes. As such, our customers are responsible for demonstrating the following under the GDPR:

  • Compliance with GDPR Data Protection Principles (Referenced above in Section 4 of this paper)
  • Incorporates ‘Privacy by Design’
    • Compliance measures are a standard considered of both the planning and implementing of any new product or service that involves data processing activities. In other words, always be thinking “Does this help facilitate compliance?” (e.g. implementing a product like SmartRecruiters, which provides features to enable compliance in your hiring process)
  • Minimum Amount of Personal Data Processed
  • Data Protection Officer Appointed (to the extent GDPR required)
  • Written Data Processing Agreement for Data Processors
  • Maintain Proper Records of Data Processing Activities
  • Report Data Breaches without Undue Delay (within 72hrs)
  • Notify Data Subjects of Breaches without Delay

Obligations of Data Processors - SmartRecruiters

According to the GDPR, and as discussed previously, SmartRecruiters is a Data Processor, meaning we process personal data (job applicants) on behalf of a data controller (YOU). Although different from data controllers, data processors also have obligations under the GDPR. As such, SmartRecruiters is responsible for the following under the GDPR:

  • Acts on the Data Controllers Written Instructions (generally in the form of a contract know as a DPA or Data Processing Agreement)
  • Imposes Confidentiality on Personnel Processing Data
  • Ensure Confidentiality of Data Processing Activities
  • Implements Measures to Assist Data Controllers with Compliance
  • Return or Destroy Personal Data at Data Controller’s Election or Contract End
  • Provide Data Controller the Information Necessary to Demonstrate GDPR Compliance
  • Sub-Processors Appointed Only with Permission from Data Controller
  • Maintain records of data processing activity, available on request
  • Appoint Data Privacy Officer (to the extent required under the GDPR)
  • Implement measures for data security and data protection
  • Appropriate measures for cross-border data transfers

Many Data Processors meet these obligations through the existence of a written data processing agreement (DPA). SmartRecruiters is no exception – a data processing agreement is a formality that is executed between SmartRecruiters and our customers as part of our GDPR compliance obligations. In addition, SmartRecruiters also executes DPAs with our sub processors to provide additional protections. Specific to our customer DPA, this agreement is reviewed, agreed upon and executed with our customers at contract signing and immediately prior to implementation getting underway.

That said, the GDPR ultimately imposes the duty of care on the Data Controller for selecting a Data Processor who can appropriately assist and facilitate compliance with GDPR principles.