General Data Protection Regulation (GDPR)


GDPR: General Data Protection Regulation

Data Controller: This is you, the in-house recruiter/employer. You determine the purposes for which Candidate data is processed. It is your responsibility to ensure that the ATS you work with can be configured to be GDPR compliant and that your account is actually configured that way. BrightMove is supplying our customers with a checklist (below) so you can confirm your account settings are GDPR compliant.

Data Processor: This is the ATS provider, in this case BrightMove, since we process Candidate data on your behalf.

GDPR Compliance

Our technology is flexible enough for customers to adjust existing accounts so they can be GDPR compliant, but accounts are not necessarily GDPR compliant "out of the box". You should review the compliance rules and features inside your account to ensure the proper settings are enabled. The GDPR applies not only to organizations located within the EU but also to organizations outside the EU that offer goods or services to, or monitor the behavior of, EU data subjects: it applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.

While BrightMove can't provide legal guidance on the GDPR rules, we do support customers with questions on how to achieve certain settings or account preferences. You can contact us at for assistance if needed.

Below is an ATS checklist of the account settings that enable you to be GDPR compliant from an ATS perspective. The GDPR has applied since May 25th 2018.

GDPR Compliance Checklist for BrightMove Customers

We have compiled some items we know you will need to manage within your account in order to be GDPR compliant. This checklist is not necessarily a complete list and is not legal advice so please consult your Legal resources to ensure your compliance. 

  1. Give Candidates access to self-serve (manage/edit their profile information). You can allow this by going to Settings> Career Portals> "Security" column. This is where you decide what the Candidate is allowed to see and manage about themselves. Enable the following permissions to allow Candidates to edit their own info; all other permissions in the list are optional, for use if you wish to grant them access to those areas.
    • Access Candidate Module
    • View Candidate
    • View Candidate Resume
    • Add Candidate Resume
    • Edit Candidate Resume
    • Candidate EEOC (if you ask this)
    • Access Tools Module
    • View My Profile
    • Upload Applicant Attachment
    • View Applicant Attachments

Click Save at the bottom or top right to save your settings.


2. Create Terms & Conditions (T&C) for your portal applicants and for user-added Candidates. Sub-step (a) covers Candidates who apply through your portal; sub-step (b) or (c) covers Candidates your users created or matched to a job, who never saw the portal T&C.

    a. You can do this in Settings> Career Portals> click the Portal Title link (far left) and scroll down to the section titled "Applicant Terms and Conditions". This is where you place your Terms & Conditions and the GDPR wording you need, so that when a Candidate applies to a job they must tick the box agreeing to those terms before they can submit the application. Any Candidates your users/recruiters/sourcers created and/or matched to a job have not agreed to the T&C, so see sub-step (b) or (c) below for that scenario.

    b. Create a BrightForm that contains your Terms & Conditions. BrightForms are a drag-and-drop custom form builder; forms can be assigned manually to Candidates and/or automated into your submittal workflow statuses.
      BrightForm assignment emails the Candidate that they have a form to fill out; they log into your job portal and fill out/agree to the form. When they save it, the form is saved to the Candidate's profile as a PDF attachment automatically. If the Candidate is submitted to a job, once the form is completed we can even automatically change their submittal status to your specified "Next Step", so your users/recruiters know the Candidate has consented and can continue them through your workflow.
      A single BrightForm costs $29.00 per month and will allow you to gain the Candidate consent you need. Please email to add a BrightForm if you need this compliance proof.

    c. You could run an email campaign with an Email Template to gain Opt-In or Opt-Out from Candidates who qualify under the GDPR protections. This option is free: use Power Search to identify these people, put them into a Folder and mass-email the entire folder. As people respond, record the correct answer in their profile and remove them from the folder, so that over time only people who have not responded remain in the folder for follow-up emails.

3. We've added a new Legal Basis tab on the Candidate and Manager profiles for you, the Controller, where you can record your legal basis for holding each Personal and Sensitive Personal data set.

4. Identify and delete bad data such as old Candidate records, incomplete records, or people you no longer work with. If you keep people who qualify for GDPR protection but for whom you have no consent, use Step 2b or 2c above to gain consent to use their data (or, where one genuinely applies, record another legal basis on the Legal Basis tab from Step 3); otherwise you must delete them.

5. Processor Security Measures: nothing to do here, but an FYI for you. Our database resides in Amazon Web Services (AWS) RDS in the US East (N. Virginia) region, sits in a private VPC and is not publicly accessible. Data is encrypted at rest using AWS Key Management Service (KMS), and the database has Multi-AZ failover.
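The four controls listed in Step 5 (not publicly accessible, inside a VPC, KMS-encrypted storage, Multi-AZ) are all visible in the output of the RDS DescribeDBInstances API, so anyone operating an RDS database can check them rather than take them on trust. The script below is an added example and is not BrightMove's code; a Controller cannot run it against a Processor's AWS account, so it is written for whoever owns the database (the Processor, or a customer auditing their own systems). The sample response is constructed to mirror the shape of boto3's `rds.describe_db_instances()` result; the instance names, account ID and key ARN in it are invented.

```python
"""
Check an RDS DescribeDBInstances response for the controls a processor
typically claims: no public endpoint, placed in a VPC, storage encrypted
at rest with a KMS key, Multi-AZ failover, and the expected region.
"""

EXPECTED_REGION = "us-east-1"  # US East (N. Virginia)

# Constructed sample shaped like boto3's rds.describe_db_instances() output.
# Identifiers, account number and key ID are made up for this example.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "ats-prod",
            "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:ats-prod",
            "PubliclyAccessible": False,
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/"
                        "00000000-0000-0000-0000-000000000000",
            "MultiAZ": True,
            "DBSubnetGroup": {"VpcId": "vpc-0abc123def456"},
        },
        {
            # A weaker configuration, included so the checks have something to flag.
            "DBInstanceIdentifier": "ats-staging",
            "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:ats-staging",
            "PubliclyAccessible": True,
            "StorageEncrypted": False,
            "MultiAZ": False,
            "DBSubnetGroup": {"VpcId": "vpc-0abc123def456"},
        },
    ]
}


def audit_instance(db: dict) -> list:
    """Return a list of findings for one DB instance; empty means all checks passed."""
    findings = []
    if db.get("PubliclyAccessible", False):
        findings.append("publicly accessible")
    if not db.get("DBSubnetGroup", {}).get("VpcId"):
        findings.append("not in a VPC subnet group")
    if not db.get("StorageEncrypted", False):
        findings.append("storage not encrypted at rest")
    elif not db.get("KmsKeyId"):
        # RDS always records the key when StorageEncrypted is true; a missing
        # field in a hand-built or filtered response should still be flagged.
        findings.append("encrypted but no KMS key recorded")
    if not db.get("MultiAZ", False):
        findings.append("single-AZ (no automatic failover)")
    # Region is the fourth field of the ARN: arn:aws:rds:<region>:<account>:db:<name>
    parts = db.get("DBInstanceArn", "").split(":")
    region = parts[3] if len(parts) > 3 else None
    if region != EXPECTED_REGION:
        findings.append(f"region {region!r} is not {EXPECTED_REGION}")
    return findings


def audit_response(response: dict) -> dict:
    """Map each DBInstanceIdentifier in a DescribeDBInstances response to its findings."""
    return {
        db["DBInstanceIdentifier"]: audit_instance(db)
        for db in response.get("DBInstances", [])
    }


if __name__ == "__main__":
    # Against a live account (needs boto3 and credentials) you would instead do:
    #   import boto3
    #   response = boto3.client("rds", region_name=EXPECTED_REGION).describe_db_instances()
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Note that these flags only cover the controls named in Step 5. Encryption at rest with KMS protects the storage volume and snapshots; it does nothing against a leaked database password or an over-permissive security group, which a separate review of IAM policies and inbound rules has to cover.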


This is not a complete list of your legal responsibilities so please review your settings and compliance to ensure you meet the requirements if applicable. If you need help setting something up, please don't hesitate to contact and we'll be happy to advise you on how to create any of the items listed above!


Below are some websites that you may find helpful to understand the full scope of the GDPR rules and expectations:


Information Commissioner's Office (UK):

