Main Sequence’s guiding principles in regard to EU Data Protection Laws are to:
The pertinent law, scheduled to take full effect on 25 May 2018, is EU Directive 016/679, headed “General Data Protection Regulation”. The now-standard acronym is “GDPR”. The GDPR is presented as a lengthy assembly of principles related to nearly every aspect of handling information.
The GDPR is structured around detailed and defined roles for the various parties involved in handling information. The persons who are the subjects of information (candidates, clients) are called Data Subjects. The parties that process data (recruiters) are called Data Processors, and the parties that collect and use the data (such as Main Sequence) are Data Controllers.
The GDPR developed in light of the previous rule, and out of a political process that unfolded over the preceding decade. The political sticking points of international data protection are inescapable when firms with varying interests, assets, and exposures are subjected to various sovereigns, and when dispute enforcement mechanisms must actually compel good behavior.
So far, these structures have taken the form of quasi-treaties. One that was heavily relied on by Data Processors was known as “Safe Harbor”. Safe Harbor was built around a memorandum of understanding between vendors and US government agencies that the vendors would reasonably respond to EU data protection authority demands.
Eventually, the EU judiciary did not find that protection to be adequate, and in ruling C-362/14, the EU Court of Justice determined that Safe Harbor would no longer suffice for compliance with EU Data Authority rules.
This decision created immediate disruption and uncertainty for hundreds of cloud vendors and thousands of customers. In response to that pressure, the EU executive body (EU Commission) issued COM 566 (November 2015), stating that Data Exporters who had executed contracts with Data Importers containing unmodified EU provided standard Model Contract Terms (and appropriate appendices) would be compliant until further notice. These contract terms are explicit and comprehensive, although enforcement remains situational.
Main Sequence interprets section (106) of Directive 016/79 (“The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organization, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC.”) as authorizing us to continue offering EU Model Contract Terms until at least 25 May 2018 or such time as the EU Commission no longer recognizes the Model Contract Terms as sufficient safeguards under Directive 016/679.
Along with GDPR, a successor to Safe Harbor was created. It’s called Privacy Shield. Main Sequence is a certified participant in Privacy Shield as of 20 November 2017. That certification may be found here.
In EU Commission COM(2017) 611 (final), the Commission states that: “In its Decision of 12 July 2016 (“the adequacy decision”), the Commission found that the EU-U.S. Privacy Shield (“Privacy Shield”) ensures an adequate level of protection for personal data that has been transferred from the European Union to organisations in the U.S.”
Main Sequence is satisfied that Data Controllers may use our services in the reasonable expectation that they will be found adequate under GDPR.
A key open question of enforcement for Data Processors appears to be where data must be hosted. On 16 October 2017, the United States Supreme Court granted certiorari in the case United States v. Microsoft, which turns on the question presented to the court:
Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.
On 23 March 2018, the Clarifying Lawful Overseas Use of Data Act, commonly known as the CLOUD Act, was signed into law. The CLOUD Act contains a provision that requires email service providers to disclose emails within their “possession, custody, or control,” even when those emails are located outside the United States. This law rendered United States v. Microsoft moot, and the case was dismissed by the Supreme Court on 17 April 2018.
This development removes a significant potential incentive for the EU to demand in-region hosting services.
In addition to the model contract terms, Main Sequence notes the following in regard to compliance with Directive 016/679:
The following capabilities will be available upon request in the first week of May, 2018:
A GDPR tab on all name records, which contains new fields for tracking the Consent Date and Consent Purposes.
Records with Consent Purpose set to Awaiting Consent or Revoked Consent are flagged in orange and are automatically opted out of all list-based email. Names that exist in the database at the time of activation will be automatically set to Awaiting Consent.
Consent Form Letters are generated, which include “Insert Field” merge tags leading the recipient to affirm or revoke consent. Selecting Deny sets the Consent Purpose field on the name to Requested Deletion.
A configurable consent agreement is added to the PCR Job Board so that all online applicants are prompted to affirm consent before proceeding to submit information.
The system adds New Activity types for tracking consent activity, and also adds a dedicated “Consent Log” panel for retaining all details and notes pertaining to consent collection.
An EUC Consent Purpose filter is added to the Identify Inactive Records panel, facilitating the location of inactive records and adding them to a list for Forgetting or other handling.
A new Global Change option allows admins to apply consent settings to multiple records at once, such as all names that have Requested Deletion. All changes are recorded to the Consent Log.
New Forget and Download action items appear for admin-level users, allowing them to relegate any single contact to the Forget Bin or to back up the record’s fields and attachments locally. An option also exists for “auto-forgetting” records that remain without consent for a given period of time.
Once ‘forgotten,’ a record is given an ID and sent to the Forget Bin admin area. The email remains visible in the bin only. The ID takes the place of the record in Position Pipeline history.
How to update this? No button or click available? I would like to make some tests for preparing my staff… but I cannot find anywhere the update click to “make my database” up to date?
Hello Lieve – the feature can be enabled by contacting us. We didn’t make it a simple button click due to the complexity of the change and the need to discuss it with the users before turning it on. We’ll have someone from our team reach out to you.