SeekOut & GDPR

The European Union’s (“EU”) wide-ranging data privacy law, the General Data Protection Regulation (“GDPR”), became applicable on 25 May 2018. It updated and harmonized the EU framework for processing personal data, and introduced fresh obligations for organizations and new rights for individuals.

SeekOut is fully committed to complying with the requirements of the GDPR. We have closely analyzed the law and continue to monitor new regulatory guidance. Consequently, amongst other steps, we have made changes to our products, contracts and policies to reflect the GDPR’s obligations.

These FAQs answer the most common questions we are asked about our privacy and security practices. If you have further questions, please e-mail privacy@seekout.io.

Is SeekOut a “controller” or a “processor” of personal information?

The GDPR distinguishes between the roles of “controller” and “processor”. The difference between these roles is important, because each has slightly different responsibilities and liabilities. In simple terms, a “controller” is an entity that makes decisions about data – it decides “how” and “why” data are processed. By contrast, a “processor” only processes data on behalf of a controller – it is a service provider, and only processes the data as instructed by its controller.

When providing its services, SeekOut acts as both a controller and a processor of personal information. We act as a controller in respect of the “candidate information” in our platform (e.g. the candidate CVs and profiles which we make available to our customers), because we determine what information to collect, where to source it, and how to present it to our customers. We are responsible for ensuring we collect and process this data lawfully in accordance with the GDPR.

By contrast, we are a processor in respect of the “customer information” that our customers provide to us, such as candidate profiles provided by customers in connection with open roles they are looking to fill. We process that data only as instructed by our customers, who are the controllers of this personal information.

How does SeekOut satisfy the GDPR’s transparency obligations?

The GDPR mandates that personal information must be processed in a transparent manner and, accordingly, imposes some specific disclosure requirements.

We updated our privacy notice to include all necessary GDPR disclosures.

What is SeekOut’s lawful ground for processing candidate information?

The GDPR requires a controller to have a legal ground for processing personal information. The potential grounds are as follows:

  • Consent

  • Performance of contract

  • Compliance with a legal obligation

  • Vital interests

  • Public interest

  • Legitimate interests

We rely on legitimate interests as our lawful basis when we process candidate information as a controller. A copy of our legitimate interests assessment is available to customers on request.

How can users exercise their GDPR data protection rights?

Individuals are entitled to certain data protection rights under the GDPR. These can include rights to access, correct, delete, and port their personal data, and to restrict or object to processing of their personal data.

As a matter of law, these rights can only be exercised against controllers rather than processors. Accordingly, we have an approach in place to handle data subject rights requests made to SeekOut, whether in its capacity as a controller (where we handle the requests directly) or a processor (where we will refer the request back to our customer, the controller).

How does SeekOut comply with EU data export rules?

The GDPR prohibits the export of personal data outside of the European Economic Area (“EEA”) to non-EEA recipients, like SeekOut, unless one of a limited number of legal solutions is in place. This requirement may apply where, for example, you use our SaaS solution and your data is stored on our US servers.

Historically, one of these data export solutions, for US-based recipients, was to certify compliance with the EU-US Privacy Shield framework. This is a privacy certification scheme agreed between the US Department of Commerce and the European Commission. Under this scheme, participants self-certify that they comply with certain agreed privacy principles and, if they do, they can lawfully receive personal data from the EEA.

SeekOut has certified its compliance with the EU-US and Swiss-US Privacy Shield regimes. Details of our certification are available on the Privacy Shield website.

However, on July 16, 2020, the Court of Justice of the European Union declared the EU-US Privacy Shield Framework invalid. From now on, SeekOut will be making use of the European Commission standard contractual clauses (“SCCs”) to ensure we can continue to receive and process customer data from Europe in compliance with the GDPR. We have updated our standard customer data processing addendum (“DPA”) so that the SCCs will be incorporated automatically in all future agreements. For further information, please ask your SeekOut point of contact or email privacy@seekout.io.

How does SeekOut maintain the security of personal information?

The GDPR requires SeekOut to implement appropriate technical and organisational measures to protect the personal information that it processes. In layperson’s terms, these measures must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to individuals.

To this end, SeekOut has in place a number of robust measures to protect personal information. These include:

  • Engaging a reputable storage / hosting vendor in Microsoft Azure Service, which adheres to rigorous security standards (SOC 1, 2 and 3 and/or ISO 27001 certifications, where possible), and undergoes annual reviews; and

  • Deploying encryption at rest and strong access controls.

Further information on our security measures is available on our security page and the Microsoft Azure Trust Center.

How does SeekOut comply with the GDPR’s principle of accountability?

The GDPR sets out that controllers and processors are responsible for complying with the law’s requirements and, crucially, that they must be able to demonstrate such compliance.

We are committed to adhering to the accountability principle and so have undertaken appropriate steps, including having in place an internal team with responsibility for privacy issues, maintaining records of our data processing, and having a documented data protection impact assessment of our services.

What other measures has SeekOut undertaken to achieve GDPR compliance?

We refreshed our contracts with customers and vendors to incorporate terms required by the GDPR. In addition, we have updated our internal data protection policies to address GDPR requirements.

Where can I get more information?

If you have any further questions about SeekOut’s data protection compliance, please feel free to contact privacy@seekout.io.