Reach out to support to enable GDPR on your account. Be sure to consult with your legal team before implementing any process changes.

Once support has enabled GDPR on your account you will be able to turn it on by navigating to the Settings page under the gear icon, then GDPR under My Agency.

Note: Only Admins will have the ability to access the GDPR settings page.

Once you turn GDPR on you will not be able to turn it off without reaching out to support.

Configuring your GDPR Settings

The first step after turning on GDPR is to determine who you want to apply these regulations to. Your options are either All Candidates, Candidates in the EU, or Candidates in the EU and unknown locations.

Loxo uses the IP address of the candidates at the time they apply for a role to determine their location. This means candidates who are added to your database through another method will need to have their location updated manually in order for these settings to apply.

The next step to select a lawful basis for your archived candidates. The GDPR requires that companies have a 'lawful basis' to process an individual's data. Within Loxo you have the option of either Candidate Consent or Legitimate Interest.

  • Checking this box means you are explicitly asking the candidates for their consent to store their data and contact them.

  • When someone applies for a role they’ll see a checkbox asking “yes this agency can contact me about future job opportunities for up to 1 year” and they have the option to check or uncheck this box.

Rely on Legitimate Interest

  • Checking this box means you are not explicitly asking the candidates for their consent, but instead are assuming any active candidates in your database are opting into you collecting and storing their data.

  • The system determines if a candidate is active based on events, so any email sent, person added to a job, a note saved, etc. will mark them as active.

Once you select your Lawful Basis you will need to choose a timeframe for how long the consent and retention period lasts.

  • This starts the moment the candidate provides consent, and ends when your set timeframe expires.

Additional Retention Period

  • Once the consent timeframe expires, the GDPR mandates that you can only keep the data if you have a valid legal or business reason.

  • If your organization determines that you do have a valid reason to preserve the data after the consent period has lapsed, you’ll need to determine how long you will keep the data and enter that into the Additional Retention Period.

The last step in configuring your GDPR settings is to copy over your Privacy Policy link, which will be presented to candidates when they apply for your jobs.

There will also be a notice of cookies presented at the bottom of the webpage if GDPR compliance is turned on. This link to the privacy policy added previously, and will only be visible to candidates who are detected as being protected by GDPR when they apply (based on your settings).

Managing your Candidates

Once you turn on GDPR, your candidates with a location that you have configured to be protected by GDPR will automatically have a GDPR section added in the bottom right-hand corner of their profile.

You will be able to manage their GDPR requests, as well as view any action items that need to be taken like updating their name for example.

You can also email a GDPR Consent Link to your candidates through the Person Merge Tags dropdown.

Once sent, your candidates will receive a link to a form to fill out their preferences such as:

  1. If they want to be contacted about job opportunities

  2. If they want to receive a copy of their data

  3. If they want to update their information in your database

  4. If they want to be removed from your database

Once they make a request on the GDPR Consent Link, that request will be recorded on their profile in the GDPR section in the bottom right-hand corner.

You can click on the yellow buttons to take actions such as sending the customer a copy of their data, updating their information on their profile, etc.

GDPR Search Page

To access the GDPR Search page navigate to the gear icon in the upper right-hand corner, then GDPR Search.

The GDPR Search page will show the candidates and their consent status. The column headings will vary depending on whether your Lawful Basis is Candidate Consent or Legitimate Interest.

Note: The columns on the GDPR Search page are customizable on the backend, so if you want to see more or fewer columns please reach out to

If you have any questions about how the GDPR works in Loxo please reach out to or use the blue chat icon in the bottom right-hand corner!

Did this answer your question?