Data privacy and GDPR compliance of PitchYou
Applications must be thoroughly considered in terms of data protection, especially if external messenger tools are to be used. The applicant's personal data is highly protected. Your company can rely on us as a service provider; 100% guaranteed. Below we have summarised all the measures we take to handle personal data responsibly.
If you have any questions, please do not hesitate to contact our data protection officer Ms Joelle Hirsch of LGD Datenschutz GmbH, Rogätzer Straße 8, 39106 Magdeburg, Tel.: 0391 55686325, e-mail: email@example.com.
Please download the official statement on GDPR compliance here (German language).
1. Application process
1.2 Application via webchat
The web browser on the applicant's device opens up. The dialogue is immediately initiated.
No application without consent
Before the first substantive questions are asked, we obtain the applicant's consent for the processing of personal data as part of the application. This includes forwarding the data to your company. If the consent question is not answered with "I agree", the interview will be terminated, and the data collected up to that point will be deleted.
Total control for the applicant
During the interview, the applicant has the option to cancel the dialogue at any time. A simple stop instruction is sufficient. All data collected up until this point will be deleted. If the applicant does not continue with the interview, we consider it finalised 24 hours after the last message has been sent. In this case, the data will also be deleted automatically.
2. Recruiting process
Once an application has been completed, it goes to your company's PitchYou recruiting app. The app runs entirely in the web browser. There is no need for software to be installed. Access to the application is encrypted via the HTTPS protocol and protected by login (username and password). The applicants and their interviews can only be viewed by authorised users.
No profiling - total control for the recruiter
PitchYou qualifies each applicant based on the criteria you set beforehand and creates a matching assessment (0% - 100%). Important: No profiling is performed, i.e. the matching percentage is an indication for the recruiter. No automated decisions (rejection or acceptance) are made on the basis of the matching. The decision as to whether an applicant is interesting or not is left to the recruiter.
Internal transfer of data
Obviously, you can pass on applicant data within your company. You can export your applicants' data via PDF or share it directly in the system.
We recommend the sharing functionality. This ensures that the data remains within the PitchYou system. The recipient receives an email with a link to the application in PitchYou. He or she will also receive a PIN. Only with this PIN can the recipient view the (single) application.
This saves you the trouble of distributing applications by e-mail in your company, which is often impossible to get on top of from a GDPR point of view.
The deletion of applications in PitchYou takes place in several stages.
Stage 1: Rejection area
An area for rejections is available. You can move applications to this area by selecting "Rejections" in the applicant profile.
Stage 2: Deletion and rejection
You can permanently delete applications from the rejection area. You can choose whether you want to “permanently delete” or “permanently delete with rejection”.
Companies are not obliged to send rejection letters. Nevertheless, it is good manners to do so. The system can do it for you.
What happens after the permanent deletion?
The application is no longer visible to recruiters. But we do not delete it from the database just yet. This means that technically PitchYou can still access the data. It is recommended to keep applicant data for at least 6 months from the date of rejection in order to still have the possibility to recover data in case of complaints and lawsuits under the General Equal Treatment Act.
Stage 3: Final deletion
6 months after permanent deletion, PitchYou irretrievably deletes all applicant data from the database.
3. Order processing and external service providers
None of your company’s employees have to use WhatsApp
As a service, we handle all communication via WhatsApp. For the storage and transfer of the personal data collected with this service, we will sign a GDPR-compliant processing agreement with you.
This also means that you only have one contractual partner, namely PitchYou.
WhatsApp Business API
Communication between the PitchYou Bot and the applicant takes place via the WhatsApp Business API, which is intended precisely for communication between businesses and consumers (in our case, applicants).
We adhere to all the regulations set by WhatsApp:
- Consent of the user via a website
- Communication is initiated exclusively by the user
For the usage of the WhatsApp Business API, we have signed a contract with a WhatsApp-certified provider of the Business API based in Germany (MessengerPeople GmbH, Munich).
In the interests of data economy, all messages and media files are deleted from MessengerPeople immediately after they have been processed and stored in PitchYou.
Using a mobile phone in your company to communicate via WhatsApp would not be GDPR-compliant due to the all-inclusive transfer of all phone book entries. The WhatsApp Business API, on the other hand, does not run on an end device and therefore does not have a phone or contact book. A transfer is therefore technically impossible.
Data storage and development in Germany
We only use servers that are operated in Germany. Our hosting partner is the company Hetzner in Ansbach.
The software has been fully developed in Germany. All employees who might have access to personal data (e.g. through support tasks) are sworn to secrecy in writing.
WhatsApp uses servers outside the EU. Communication via WhatsApp is end-to-end encrypted. The contents of the communication are therefore protected. Only the information that a connection between the applicant's number and the number of the PitchYou Bot has taken place is transferred to WhatsApp. The candidate has already agreed to this by accepting the WhatsApp terms and conditions when installing WhatsApp.
The storage of communication metadata in the USA was previously regulated by the Privacy Shield agreement between the USA and the EU. This agreement was declared insufficient by a new EU Court of Justice ruling. In order to be on the safe side in terms of data protection law, until a new political agreement is achieved, we also obtain explicit consent from WhatsApp for the storage of data in the USA and third countries for each application.
What other external services do we use?
We use the Google Maps API to determine the distance between the applicant and the potential job location. The applicant's postcode is transferred, without any reference to personal data.
For the automatic translation of messages from other languages into German and vice versa, we use the Google Translate API. Only texts are transferred, without reference to a person or a conversation thread.