The General Data Protection Regulation (GDPR) is an EU law on data protection in the European Union and the European Economic Area. Loxo is committed to partnering with our customers and users to understand and prepare for GDPR.
Be sure to consult with your legal team before implementing any process changes around GDPR.
Turn on GDPR in Loxo
Note: Only admins will have the ability to access the GDPR Settings Page.
Once you have turned on GDPR, it cannot be turned off without reaching out to Loxo Support.
To turn on GDPR in Loxo, please follow the steps below:
Reach out to Loxo Support if GDPR is not already enabled for the account.
Once GDPR is enabled for your account, you will be able to turn it on for your database by navigating to the Settings page and selecting "Compliance," found under the Workspace Section.
Once you turn GDPR on, you will not be able to turn it off without reaching out to Loxo Support.
Configure Your GDPR Settings
The first step after turning on GDPR is to determine who these regulations apply to. Your options are either All Candidates, Candidates in the EU, or Candidates in the EU and unknown locations.
Loxo uses the IP address of the candidates at the time they apply for a role to determine their location. This means candidates who are added to your database through another method will need to have their location updated manually for these settings to apply.
The next step is to select a lawful basis for your archived candidates. The GDPR requires that companies have a 'lawful basis' to process an individual's data. Within Loxo, you have the option of either Candidate Consent or Legitimate Interest.
Use Candidate Consent
Checking this box means you are explicitly asking the candidates for their consent to store their data and contact them.
When someone applies for a role, they’ll see a checkbox asking something along the lines of, “Yes, this agency can contact me about future job opportunities for up to 1 year,” and they will have the option to check or uncheck this box.
Rely on Legitimate Interest
Checking this box means you are not explicitly asking the candidates for their consent, but instead are assuming any active candidates in your database are opting into you collecting and storing their data.
The system determines whether a candidate is active based on events, so any email sent, person added to a job, note saved, etc., will mark them as "active."
Once you select your Lawful Basis, you will need to choose timeframes for how long the consent and retention periods last.
Collecting Consent
The consent period starts from the moment the candidate provides consent and ends when your set timeframe expires.
Additional Retention Period
Once the consent timeframe expires, the GDPR mandates that you can only keep the data if you have a valid legal or business reason.
If your organization determines that you do have a valid reason to preserve the data after the consent period has lapsed, you’ll need to determine how long you will keep the data and enter that into the Additional Retention Period.
The last step in configuring your GDPR settings is to copy over your Privacy Policy link, which will be presented to candidates when they apply for your jobs.
A cookie notice will also be presented at the bottom of the webpage if GDPR compliance is turned on. The link to the privacy policy will be listed and will only be visible to candidates who are detected as being protected by GDPR when they apply (based on your settings).







