GDPR Compliance with Pinpoint
How Pinpoint helps our customers comply with the GDPR
Our CEO was previously Chief Digital Officer at a cloud computing company that focussed on serving customers with stringent security needs, and complex data protection and data residency requirements. So it’s not surprising that we take privacy and security incredibly seriously at Pinpoint.
We have years of experience helping customers navigate the changes to data protection laws in the UK and Europe. Customers that choose Pinpoint as their ATS get access to enterprise-grade security and privacy features for their recruitment teams.
How Pinpoint helps our customers comply with GDPR requirements
The right to be informed
- Create and customize a privacy policy you can add to your careers site
- Ensure candidates provide consent to join your talent pool
Consent
- Ensure candidates provide consent to join your talent pool
- Collect explicit candidate consent on application forms
- Allow candidates to see the types of nonessential cookies used on Pinpoint careers sites and opt out of any of them
- Allow candidates to manage their data through a dedicated portal (including revoking their application)
Access & portability
- Export data from the system in CSV format using the custom report builder
- Get an export of your data from Pinpoint at the end of your contract
Modification
- Allow candidates to manage their data through a dedicated portal (including revoking their application)
Security measures
- Your data is protected by our security, privacy, and business continuity practices
Limitation of purpose, data and storage
- Automatically set data retention periods and remove candidates’ personal data after a set period of time
The right of access
- Allow candidates to manage their data through a dedicated portal (including revoking their application)
- Export the information you hold about a candidate in a CSV format that you can send to them
The right to erasure
- Allow candidates to manage their data through a dedicated portal (including revoking their application)
- Delete an application by clicking a button on a user profile
Does the GDPR apply to our organization?
The GDPR applies to all companies that process the personal data of European Union (EU) citizens or residents, even if the companies are based outside of the EU. If you have any applicants, candidates, or employees located in the EU, then the GDPR will apply to you.
Is Pinpoint a data controller, or a data processor?
Pinpoint is a data processor, and our Customers are data controllers. This means we are responsible for complying with the GDPR and helping our customers comply as well.
What is the geographical location of the site where data is stored?
Data is stored exclusively in our production infrastructure, split across our two hyperscale cloud service partners (AWS and DigitalOcean) across three data centre locations (Amsterdam, Dublin and London).
All data centres have been accredited under at least ISO/IEC 27001:2023 or ISO/IEC 27001:2013 and SOC 1 and SOC 2.
Does the GDPR require personal data to be stored in the EU/EEA?
Does Pinpoint transfer any data to sub-processors?
Pinpoint uses sub-processors, a list of which can be found here: https://www.pinpointhq.com/security-privacy/sub-processors/
We have terms in place with all sub-processors and adequate provisions (such as Standard Contractual Clauses) to keep data protected when it is processed outside of the EEA.
What does Pinpoint do to ensure lawful data transfers outside of the EU/EEA?
We have terms in place with all sub-processors and adequate provisions (such as Standard Contractual Clauses) that are up-to-date with the latest requirements for data transfer outside the EEA.
How does the July 2020 European Union Court of Justice ruling (also called Schrems II) affect data transfer under the EU-US privacy shield?
The July 2020 European Union Court of Justice ruling put new requirements in place for transferring data outside the EEA.
Currently, the European Commission maintains a list of countries outside the EU that meet its requirements for importing data safely with no additional security measures needed. The United States is not on the European Commission’s list as of April 2022; however, data can still be transferred to the US as long as additional privacy measures are in place.
Pinpoint does put additional privacy measures in place to meet the GDPR’s requirements for data transfer outside the EU. These include, for example, Standard Contractual Clauses with all our sub-processors.