Skip to main content
Release Center

Using the Talent Acquisition Functionality in Whoz: Privacy Obligations and Best Practices

Required modules:

Disclaimer

The information provided on this website does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials available on this page are strictly for general informational purposes only. You must not rely on this information as a substitute for professional legal advice tailored to your individual circumstances. Any decisions or actions you make—or refrain from making—based on the content of this site are strictly at your own risk. We strongly recommend that you seek proper legal advice from a qualified professional before making or refraining from making any decisions or taking any action. By continuing to read, you expressly agree that under no circumstances will Whoz be liable for any direct, indirect, incidental, or consequential loss or damage that results from your use of, or reliance on, any information provided herein.

 

 

Overview

The Talent Acquisition functionality (Applicant Tracking System – ATS) provided by Whoz allows users to store and track information related to job applicants and sourced candidates. While this feature can support your recruitment operations, it’s important to note that you remain fully responsible, as the data controller, for ensuring that your use of the ATS complies with applicable data protection laws, including the General Data Protection Regulation (GDPR).

In accordance with our obligations as a data processor under Article 28 of the GDPR, we are providing this information to inform you of the potential risks of non-compliance when using this functionality without proper internal governance.

This document summarizes key obligations under the GDPR, as interpreted in particular by the French Data Protection Authority (CNIL), our lead supervisory authority. It is your responsibility to determine whether national regulations in the country where you operate, or where your candidates are located, impose additional or differing requirements.

Key Compliance Obligations for Candidate Data

1. Information at the Time of Data Collection

You must inform all candidates whose data you collect—whether directly or indirectly—of the following:

  • Your identity as the data controller
  • The purposes of processing (e.g., recruitment, future job opportunities)
  • The legal basis for processing
  • The recipients of the data (if applicable)
  • The data retention period
  • The data subject’s rights (access, rectification, erasure, etc.)
  • The right to lodge a complaint with a supervisory authority

This information must be provided at the time of collection or, if the data is obtained from another source, no later than one month after collection. It can be made accessible, for example, via your careers page.

You must establish a clear and accessible candidate data protection policy, available at the point of data collection, that covers the above information.

2. Consent for Inclusion in a CV Database

If you wish to retain candidate data for future hiring opportunities beyond the current recruitment process, you must obtain the candidate’s consent.

Consent must be:

  • Freely given
  • Specific and informed
  • Explicit, where required

This applies particularly to so-called “CV libraries” or talent pools used for future hiring campaigns.

3. Retention and Deletion of Candidate Data

In accordance with CNIL guidance (Recruitment Guide, September 2023), personal data relating to candidates must be:

  • Deleted after 2 years of inactivity, unless the candidate has consented to a longer retention period
  • Deleted earlier if the candidate requests it
  • Stored securely and accessible only to authorized personnel

Our Customer Success Managers are available to discuss automation possibilities.

What You Should Do

  • Review your current practices and identify any gaps in candidate information, consent collection, or data retention
  • Ensure that your teams provide appropriate notices at the point of candidate data collection (including for sourced candidates)
  • Collect and record consent for any long-term retention in a CV library
  • Delete outdated candidate records, and set up manual reminders or review points to ensure regular updates
  • If your main establishment is in France, ensure that your use of the ATS section in Whoz aligns with the guidance published by the CNIL in its Recruitment Guide (September 2023)

Was this article helpful?

0 out of 0 found this helpful
Return to top

Comments

0 comments

Article is closed for comments.