eBoss Recruitment Software Statement on GDPR Compliance

General Data Protection Regulation (GDPR) will be enforced from May 25th of this year. As a business which acts diligently to supply secure and effective software solutions to the recruitment industry, eBoss recruitment software ensures GDPR compliance across all of its platforms and operations.

This assurance also extends to cover third-party providers and subcontractors that we may choose to carry out parts of our service.

The following statement therefore seeks to clarify several aspects of GDPR compliance, as well as specific concerns of clients and partners.

1. Clarifications on International service providers

GDPR requires organisations that process the data of EU citizens to demonstrate compliance, regardless of their location.

Where eBoss employs the services of a third party, we will ensure GDPR compliance prior to the May 25th deadline. As per GDPR, eBoss remains liable to data controllers for all sub-processor activity.

A specific point of concern for some of our clients has been the compliance status of larger, overseas SaaS firms and cloud storage platforms.

Ongoing legal actions (for example, the Microsoft Ireland case, and Privacy Shield framework) present a challenge to data controllers using cross-border services. In some instances, an overseas body may struggle to demonstrate full GDPR compliance until after an outstanding legal ruling has been delivered. Naturally, some of these verdicts could remain outstanding after the May 25th deadline for GDPR compliance. Some data controllers have therefore questioned whether their data chain can achieve full compliance if they utilise these services.

In fact, GDPR Art. 45(1) states that:

Article 45
Transfers on the basis of an adequacy decision
1.

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

In this instance, a cross-border data transfer may automatically be considered compliant under GDPR, when the destination for processing “ensures an adequate level of protection”. (Art 45(1), GDPR).

Why is this important?

eBoss will not implement products or services from providers who lack adequate safeguards according to EU standards. Our service providers are governed by Binding Corporate Rules (BCR) and Privacy Shield framework, permitting cross-border transfers of data. Consequently, eBoss may continue to employ effective solutions from all of our globally-acting partners. Our provision of existing services will also remain unaffected.

eBoss will never engage a sub-processor without the written authorisation of the data controller, As per Article 28.2 of GDPR. Where appropriate, we will seek to achieve this with updated controller-processor agreements (see section below).

In addition, eBoss will revise our service policy on an on-going basis. We will also address any future changes or revisions to the existing framework.

2. Updates to Terms of Service and Processor Agreements

In some instances, GDPR compliance may require fresh agreements between data processors and controllers. Your current service agreement may need updating to ensure GDPR compliance. You will be informed about this in the coming weeks. eBoss will provide new agreements at least 14 days before any changes to service come into effect. The terms of your existing service agreement will not be affected by the update.

eBoss will also act to obtain fresh terms from our data sub-processors. This will help our clients acting as data controllers to achieve full GDPR compliance reporting across their data chain.

3. The eBoss Pledge

eBoss has pledged to ensure full compliance by the time new regulations come into effect. We will also continue to share our compliance processes and resources via our website. Our intention is to assist you – our customers and clients – with your own GDPR readiness programmes.

If you have further questions relating to GDPR compliance or eBoss products, please do not hesitate to contact us.

4. Online Resources for GDPR Compliance

  • Visit our GDPR Knowledge Base for all news and resources relating to your online data security.
  • The eBoss Definitive GDPR Compliance For Recruiters handbook is free, and available Here.
  • Our initial GDPR Compliance white paper was published in early 2017. It can be read Here.
  • We regularly update our website with news and developments concerning GDPR. Bookmark our news pages, or subscribe to our mailing list.
  • Docular is the online database for fully-customisable contracts and templates. It provides several GDPR-specific templates at varying fees.
  • General Data Protection Regulation | [pdf] (full text).
  • Index of recitals on GDPR.
  • Guidelines and judgements on data controller and processor agreements, by the UK Information Commissioner’s Office.
  • The UK Information Commissioner’s Office also provides an example of a Controller-processor agreement.
  • Article 29 Working Party (WP29) Report on EU-US Privacy Shield framework.
  • This page will be updated on a regular basis as we continue to add GDPR-related resources and announcements to the site. Kindly bookmark this page and check back regularly to stay up to date with GDPR compliance developments.