BrightMove and Global Compliance: PIPEDA and GDPR

Updated yesterday

At BrightMove, our mission is to provide a secure, flexible platform that supports the compliance needs of our customers worldwide. Many employers must meet international data protection laws such as the General Data Protection Regulation (GDPR) in the European Union and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

This article explains how each regulation works, the role of controller vs. processor, and how BrightMove helps you configure your ATS in a way that supports compliance.

Controllers vs. Processors

  • Data Controller: You, the employer or in-house recruiter. As controller, you determine the purposes and means of processing candidate data. You are responsible for ensuring compliance with applicable laws.

  • Data Processor: BrightMove. We process candidate data on your behalf, following your documented instructions. Our job is to provide the tools and safeguards you need to operate compliantly.

GDPR (European Union)

Who Must Comply

GDPR applies to any company that processes personal data of individuals located in the EU, regardless of where the company itself is based.

Key GDPR Obligations

  • Establish a lawful basis for processing (e.g., consent, contract).

  • Obtain informed, freely given consent.

  • Limit collection, retention, and use to explicit purposes.

  • Allow individuals to access, correct, and delete their data (“right to be forgotten”).

  • Secure data with encryption and organizational safeguards.

  • Notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected.

  • Maintain records of processing and apply privacy by design.

BrightMove GDPR Checklist

BrightMove provides the following tools to help you meet your obligations:

  1. Candidate Self-Service Access – Enable candidates to view and edit their own profile and resume.

  2. Terms & Conditions / Consent Capture – Add GDPR language to your candidate portals and use BrightForms to collect consent.

  3. Consent Campaigns – Run email campaigns to gain opt-in or opt-out from candidates.

  4. Legal Basis Tab – Record the legal basis for processing within Candidate and Manager profiles.

  5. Data Hygiene – Use search and deletion tools to remove outdated or incomplete records.

  6. Security Measures – BrightMove data is hosted on AWS RDS with encryption at rest, private VPC, and Multi-AZ failover.

Note: Accounts are not GDPR compliant “out of the box.” Compliance depends on how you configure these settings.

PIPEDA (Canada)

Who Must Comply

PIPEDA applies to most private-sector organizations in Canada that collect, use, or disclose personal information during commercial activities.

Key PIPEDA Principles

PIPEDA is based on ten “fair information principles,” including:

  • Accountability – designate a privacy officer.

  • Identifying Purposes – inform individuals why you are collecting their data.

  • Consent – obtain meaningful consent to collect, use, or disclose personal information.

  • Limiting Collection – gather only what you need for hiring purposes.

  • Limiting Use, Disclosure, Retention – use only for the stated purpose, keep only as long as needed, securely dispose when done.

  • Accuracy – keep personal information up to date.

  • Safeguards – use appropriate security measures.

  • Openness – maintain transparent privacy policies.

  • Individual Access – allow individuals to see and correct their personal data.

  • Challenging Compliance – provide a way to raise complaints.

How BrightMove Supports PIPEDA

BrightMove provides:

  • Data Security – encryption, access controls, secure hosting.

  • Candidate Access Features – configurable portals that let individuals review or update their data.

  • Retention Controls – tools for deleting candidate records when no longer needed.

  • Audit Trails – logs that document activity for accountability.

Employers remain responsible for obtaining consent and applying retention rules appropriate to their policies.

Our Stance on Compliance

  • BrightMove does not independently certify GDPR or PIPEDA compliance.

  • For GDPR: You, the controller, are responsible for account configuration. BrightMove provides the checklist and tools.

  • For PIPEDA: You, the employer, are responsible for consent, access, and retention practices. BrightMove provides the technical foundation.

In both cases:

  • BrightMove is the processor, enabling compliance through secure infrastructure and configurable features.

  • Customers are the controllers, responsible for ensuring their policies and account setup align with applicable laws.

Summary

  • GDPR (EU) and PIPEDA (Canada) both regulate how employers collect, use, and protect candidate data.

  • BrightMove gives you the security measures, consent features, and retention controls needed to operate compliantly.

  • Employers remain responsible for enabling these features and meeting their own legal obligations.

  • Our platform is designed with global privacy principles in mind so you can recruit confidently, wherever you operate.