Firefish makes GDPR compliance easier by providing tools to manage consent, reprocess or delete candidates, and track data retention. With flexible filtering and automation features, you can ensure your recruitment processes remain legally compliant.
Candidate GDPR Compliance Status
Understanding Candidate Compliance
To ensure your database remains fully GDPR-compliant, Firefish clearly indicates each candidate's compliance status within their record.
A candidate will appear as non-compliant if:
- There is no ‘Candidate Agreement’ accepted action for that candidate, e.g. 'Not Applicable' may have been selected as the Legal Basis when the candidate was added to your database.
- Their consent request has expired.
If candidates are non-compliant, you should try to gain their consent for your Candidate Agreement. If they do not respond, consider removing their data.
Super Users can send the Candidate Agreement to Non-Compliant candidates in bulk using the Legal Plugin, while all users can send it individually via the Subscriptions tab on the candidate's record.
Awaiting Compliance
Candidates with an Awaiting Compliance status have received the agreement but have not yet agreed within the first 14 days. However, they are still within the full 28-day expiry period.
Excluding Non-Compliant Candidates
Super Users and Compliance Users can exclude non-compliant candidates from bulk emails and job alerts via Settings > People Configuration > General to ensure GDPR compliance in communications.
Managing Candidate Compliance
Firefish helps keep your candidate database fully compliant with GDPR regulations. With built-in tools for managing consent and data retention, Firefish simplifies compliance tasks and ensures your processes remain legally sound.
Super Users can manage compliance permissions in the User Permissions section. Once enabled, a dedicated Compliance section appears in the Dashboard To-Do List, providing full oversight of candidate compliance.
Managing Consent
Tracking candidate consent is essential for compliance. Firefish organises candidates into three categories:
- Consent Never Requested: Candidates who have not yet received a consent request.
- Consent Follow-Up: Candidates who received the request but have not responded within 14 days (still within the 28-day limit).
- Consent Expired: Candidates who did not respond within the 28-day limit. Even after resending the request, these candidates will remain in this status until they respond.
Filtering Compliance Data
Firefish allows users to apply filters to refine compliance views, including:
- Owner
- Candidate Name
- Registration Details
- Candidate Source
- Created Date
The filter button displays the number of active filters to maintain transparency.
Actions Available
From each consent category, you can:
- Reprocess Candidates: Select a legal basis for processing (Request Consent, Provided Consent, or Legitimate Interest).
- Mark for Deletion: Remove Non-Compliant candidates to maintain GDPR compliance.
Processing or Deleting Candidates
Reprocessing Candidates
If a candidate has not agreed to your consent request, you can reprocess their data by selecting a legal basis (e.g., Legitimate Interest). If you resend a consent request, the day counter resets, keeping the candidate on the list until they respond.
Deleting Candidates
If a candidate declines or ignores a consent request, you should remove them from your database to maintain compliance. Non-consenting candidates cannot legally remain in the system.
When you remove a candidate:
- The system will permanently remove the candidate’s details and documents.
- Users can remove candidates individually via the three dots menu or in bulk using the Delete button.
- If the delete option is unavailable, check with your Super User for permission settings.
For more details on deletions, refer to Firefish’s in-system guide.
Data Retention
The Data Retention section of your Compliance To-Do List helps you manage archived candidates who have exceeded your organisation’s retention period.
By default, the retention period is two years, but Super Users can adjust this in: Settings > People Configuration > General.
Key Information in Data Retention:
- Candidate Name: Identifies the individual.
- Consent Status:
  - ✅ Green Tick: Compliant
  - ❌ Red Cross: Non-Compliant or Awaiting Compliance
- Archived Date: The date you archived the candidate.
- Expiry Date: When the archive expires, based on retention settings.
- Notes: Any information attached to the candidate’s archive action.
- Actions: Use the ... Menu to delete a single candidate or access additional options.
Example of Data Retention
If you archive a candidate on October 28, 2021, and the retention period is two years, their archive expires on October 28, 2023.
Filtering the Data Retention List
Filtering options include:
- Owner
- Candidate Name
- Expired Status
- Consent (Compliant/Non-Compliant)
- Created Date
- Source
- Archive Date
Deleting Archived Candidates
- Single Deletion: Use the three dots menu.
- Bulk Deletion: Select multiple candidates and click Delete in the header.