Candidate Compliance
      Back to home
      1. Firefish Software Help Centre
      2. Compliance
      3. Candidate Compliance

      Managing Candidate GDPR Compliance

      Firefish makes GDPR compliance easier by providing tools to manage consent, reprocess or delete candidates, and track data retention. With flexible filtering and automation features, you can ensure your recruitment processes remain legally compliant.

      Contents

      Candidate GDPR Compliance Status

      Understanding Candidate Compliance

      To ensure your database remains fully GDPR-compliant, Firefish clearly indicates each candidate's compliance status within their record.

      non_compliant_record

      A candidate will appear as non-compliant if:

      • There is no ‘Candidate Agreement’ accepted action for that candidate e.g. 'Not Applicable' may have been selected as the Legal Basis when the candidate was added to your database. 
      • Their consent request has expired.

      If candidates are non-compliant, you should try to gain their consent for your Candidate Agreement. If they do not respond, consider removing their data.

      Super Users can send the Candidate Agreement to Non-Compliant candidates in bulk using the Legal Plugin, while all users can send it individually via the Subscriptions tab on the candidate's record.

      Awaiting Compliance

      Candidates with an Awaiting Compliance status have received the agreement but have not yet agreed within the first 14 days. However, they are still within the full 28-day expiry period.

      Excluding Non-Compliant Candidates

      Super Users and Compliance Users can exclude non-compliant candidates from bulk emails and job alerts via Settings > People Configuration > General to ensure GDPR compliance in communications.

      exclude_non_compliant

      Managing Candidate Compliance

      Firefish helps keep your candidate database fully compliant with GDPR regulations. With built-in tools for managing consent and data retention, Firefish simplifies compliance tasks and ensures your processes are still legally sound.

      Super User's can manage compliance permissions in the User Permissions section. Once enabled, a dedicated Compliance section appears in the Dashboard To-Do List, providing full oversight of candidate compliance.

      Managing Consent

      Tracking candidate consent is essential for compliance. Firefish organises candidates into three categories:

      • Consent Never Requested: Candidates who have not yet received a consent request.
      • Consent Follow-Up: Candidates who received the request but have not responded within 14 days (still within the 28-day limit).
      • Consent Expired: Candidates who did not respond within the 28-day limit. Even after resending the request, these candidates will remain in this status until they respond.

      todolist

      Filtering Compliance Data

      Firefish allows users to apply filters to refine compliance views, including:

      • Owner
      • Candidate Name
      • Registration Details
      • Candidate Source
      • Created Date

      filter_expired

      The filter button displays the number of active filters to maintain transparency.

      Actions Available

      From each consent category, you can:

      reprocess_expired

      • Reprocess Candidates: Select a legal basis for processing (Request Consent, Provided Consent, or Legitimate Interest).
      • Mark for Deletion: Remove Non-Compliant candidates to maintain GDPR compliance.

      Processing or Deleting Candidates

      Reprocessing Candidates

      If a candidate has not agreed to your consent request, you can reprocess their data by selecting a legal basis (e.g., Legitimate Interest). If you resend a consent request, the day counter resets, keeping the candidate on the list until they respond.

      Deleting Candidates

      If a candidate declines or ignores a consent request, you should remove them from your database to maintain compliance. Non-consenting candidates cannot legally remain in the system.

      When you remove a candidate:

      • The system will permanently remove the candidate’s details and documents.
      • Users can remove candidates individually via the three dots menu or in bulk using the Delete button.
      • If the delete option is unavailable, check with your Super User for permission settings.

      For more details on deletions, refer to Firefish’s in-system guide.

       

      Data Retention

      The Data Retention section of your Compliance To-Do List helps you manage archived candidates who have exceeded your organisation’s retention period.

      By default, the retention period is two years, but Super Users can adjust this in: Settings > People Configuration > General.

      retention_period

      Key Information in Data Retention:

      • Candidate Name: Identifies the individual.
      • Consent Status:
        • ✅ Green Tick: Compliant
        • ❌ Red Cross: Non-Compliant or Awaiting Compliance
      • Archived Date: The date you archived the candidate.
      • Expiry Date: When the archive expires, based on retention settings.
      • Notes: Any information attached to the candidate’s archive action.
      • Actions: Use the ... Menu to delete a single candidate or access additional options.

      compliance_page

      Example of Data Retention

      If you archive a candidate on October 28, 2021, and the retention period is two years, their archive expires on October 28, 2023.

      Filtering the Data Retention List

      Filtering options include:

      • Owner
      • Candidate Name
      • Expired Status
      • Consent (Compliant/Non-Compliant)
      • Created Date
      • Source
      • Archive Date

      data_retention_filter_options

      Deleting Archived Candidates

      • Single Deletion: Use the three dots menu.
        single_delete
      • Bulk Deletion: Select multiple candidates and click Delete in the header.
        bulk_delete

       

      See Also:

      GDPR Legal Basis for Processing Candidates