GDPR Compliance with Ashby
Last updated May 31, 2023
The GDPR is a law that gives people in the European Union control of their own personal data. Data privacy can be intimidating, but Ashby offers our customers the tools to be confidently GDPR compliant.
Your candidates are data subjects. They have the right to decide how their personal data is used.
Your business is the controller of your candidates’ data. You have the obligation to handle their data responsibly, and to allow them to exercise their rights over it.
Ashby is a data processor. We process personal information on your behalf as directed by your Data Processing Agreement with Ashby.
Data Subject Rights
The GDPR grants a number of specific rights to data subjects. As a data controller, you’re responsible for ensuring your candidates can exercise their rights over their personal information. Here’s how Ashby helps:
Candidates have the right to be notified of data collection, and to object to how their data is used.
Ashby’s data privacy tools provide custom data retention periods using activity- or consent-based rules. Our customizable consent forms let you easily notify candidates of their rights and record their consent at the time of application, renew their consent, or anonymize their data when their consent lapses.
You can also easily mark a candidate as “do not contact” to prevent any future sourcing outreach across your organization.
Candidates have the right to request a copy of their information, or request that it be deleted.
Ashby supports exporting or deleting any candidate's personal information. We also allow you to anonymize data, which strips it of identifiable information without affecting the accuracy of your aggregate reporting.
Candidates have the right to special handling of sensitive demographic information.
Ashby’s diversity survey tools prevent sensitive demographic data from being combined with any other identifying information, helping you make sure it isn’t used as a part of your hiring decision.
You can find more information about these and other data subject rights under the GDPR on the European Commission’s official website.
One of your responsibilities as a data controller is to make sure your sub-processors handle your data appropriately. Ashby offers a Data Processing Agreement on request, which includes the “standard contractual clauses” typically recommended for sub-processor agreements.
Data Transfer and Storage
Ashby stores and processes data in the United States. The GDPR places special scrutiny on data transfers outside of the EU. To help you document that those requirements are met, Ashby can provide a Transfer Impact Assessment on request.
For more information about Ashby’s security policies, see our Security page.