Under GDPR, CCPA, and other data privacy regulations, Gem is the data processor, which means we store and process an individual’s data only at the request of our customers, who are the data controllers. One of the requirements under many of the data privacy regulations is that the data controller has consent from the individual to keep and use their data. Gem customers and prospects will then often have questions for us on whether we solicit consent from the individuals, or how they can solicit consent when they add individuals to their Gem accounts.
It is important to remind customers that we are not able to offer them legal advice or interpret their requirements under data privacy regulations for them. The following is text that you can offer to them as our view on consent and what we have seen other customers do to solicit consent from an individual.
Gem is not directly notifying individuals of our processing or storing of their data. We are only storing candidate data upon request of our customers, with the bulk of that data being their publicly available LinkedIn profile. The additional supplementary data that we are adding to enrich that profile, most notably the email addresses and potentially phone numbers, are being requested from our data providers when a Gem user adds the candidate to their Gem account. That data is collected by our data providers from publicly available sources, or in limited instances, via data sources where the individual has provided consent for their data to be onsold for recruiting purposes.
Many Gem customers rely on the concept of Legitimate Interest as their basis for keeping and asking Gem to process customer data on their behalf. Because the data Gem is processing is largely public data available on a candidate’s LinkedIn profile, the candidate would have the reasonable expectation that this data would be used for recruiting purposes, and it is to their benefit to have that data processed by Gem as it may result in an offer of employment for them.
For our customers who, in their role as data controller, would like to receive direct consent from an individual to store and process their data via Gem, we recommend that you include a footer in all outgoing sequences that informs individuals of their rights and how they can opt out of that processing. This would normally include a link to a customer’s privacy policy in addition to highlighting that individual’s right to access all of the data that you have for them, including any data sources that may exist within your systems outside of Gem, as well as informing them of their right to opt out of any future storage or processing of their data by you.
If an individual has reached out to you specifically about an email they received as part of a Gem sequence, you can also direct them to our public privacy policy that will explain who Gem is and why we are processing their data on behalf of our customers. That page is available here: https://www.gem.com/compliance/privacy.
Additionally, for customers who are very concerned about the proposed solution of notifying an individual via an email footer as part of their initial sequence, you can share the following:
Because it is not possible for an individual to know that Gem is holding and processing their data on behalf of our customers until they have been notified that this is happening, you could also refrain from adding EU candidates to Gem if you do not intend on messaging them within a month. GDPR does provide for a grace period for notifying an individual that you have their data, but most interpretations of this provision would require you to obtain consent within a month.
You may also consider building a sequence specifically designed for use with a long-term talent pool, informing the candidate that you have found their profile online and think they may be a good fit for future roles with the company, and soliciting their consent to retain their data to be processed in the future for outreach tied to specific roles.