Since May 25, 2018, the General Data Protection Regulation (GDPR) has governed how personal data is acquired, stored, and shared among digital service providers.

As a product where recommendations are sent to other users, Circular takes data privacy and GDPR compliance very seriously. We also believe that respecting privacy and maintaining transparency presents a great opportunity for companies like ours, which are built on trust. That’s why we have worked—and continue to work—with privacy experts at PwC to design a solid, GDPR-compliant product experience.

We operate like any other recommendation program, and in short, here’s how we comply with GDPR:

When you recommend users to Circular, whether by email or by sharing your referral link, they must give their consent and register to join the Circular community and start receiving job offers (i.e., candidates decide whether to register or not).

If you recommend them by email and they choose not to register, we will not contact them again. We wouldn’t be able to contact them even if we wanted to, as we do not store the recommended candidate’s email address for more than 24 hours. We only keep the randomly generated unique link of their recommendation to Circular.

If you shared your referral link with them (outside our platform) and they choose not to register, we will obviously never have any information about these users.

The GDPR regulation (you can see the full details on its website) covers more elements than we can discuss in an article like this, but we will focus on the two areas that most impact Circular: user consent and data and account modification.

Circular helps recruiters recommend candidates to the platform so they can be interviewed by other companies. However, it is impossible to obtain the recommended candidate’s explicit consent for the use of their data before the recommendation is made. After all, it is not the data owner but another person (the recruiter sending the invitation) who uses their email address to send a recommendation.

Therefore, when designing Circular, we faced two main challenges regarding consent:

• The storage of recommended candidates’ data before they accept the recommendation (or if they do not accept it)

• Obtaining permission once candidates accept the recommendation.

Let’s see how we resolved these challenges depending on how the candidate is recommended, either by email or by sharing a referral link:

When we refer candidates by email, we use a third-party email source (the hiring team) to recommend the data owner (candidate) to Circular.

We send the user an email on behalf of the recruiter who is inviting them, with a randomly generated referral link. We do not store the user’s email address after 24 hours, so we will never send them any additional emails.

If they decide to register, they accept the privacy policy and terms and conditions, giving us their consent to be part of the Circular community.

Your referral link leads to a user registration form that is uniquely linked to you as a recruiter. When a candidate registers through it, we send you an email so you can write them a brief recommendation.

There are many ways to share the referral link with the user outside the platform. For example, it is very common to include it in the email where you inform them that they are no longer in the selection process. Obviously, in these cases, we do not store any of their information because we have no visibility into who you share the link with (until they eventually register). If they decide to register, they accept the privacy policy and terms and conditions, giving us their consent to be part of the Circular community.

We give candidates extensive control over their data: allowing them to delete recommendations from their profile, change their status to “unavailable” to stop receiving interview offers, unsubscribe from any communications, decide the channels through which they wish to be contacted, etc.

More importantly, candidates (and recruiters) can delete their account from the platform at any time. This option completely removes not only all their data but also the activity they have generated in Circular from our database.

Note: This article is not intended to have any contractual value. For detailed information on privacy policy and the platform, please refer to the Privacy Policy and Terms and Conditions.