Information on the General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR) establishes stronger regulatory control over personally-identifiable data. This regulation has been in force since May 2016. The deadline for implementing this regulation falls on May 25, 2018; after that date, companies must ensure that they are in compliance with its provisions.

This page presents all the important information relating to the Umantis applications Applicant Management and Employee Management in this regard.

Several different pages in our Online Help refer to the General Data Protection Regulation. These sections contain either functional descriptions or further information relating to the General Data Protection Regulation, and are marked with the “GDPR” icon (General Data Protection Regulation).

Scope of application

The General Data Protection Regulation applies to all EU member states.

Compliance and responsibility

The Umantis applications (Applicant Management and Employee Management) will offer all the necessary functionalities to configure the solution for GDPR compliance no later than the deadline for implementation of the GDPR (May 25, 2018). Compliance with the relevant legal provisions can only be ensured by the customer; that is, it is the customer's responsibility to ensure that the solution is correctly configured in accordance with the new regulations. Umantis provides the underlying functional capabilities and all the necessary configuration options. Solutions are configured by each individual customer (provided that they have the necessary user role) in accordance with locally applicable law.

Important notes

Please take note of the following guidelines, implement them in consultation with your company's data protection officer, and ensure compliance with them in the long term:

As a company, you must ensure that the following rights are protected at all times for the affected parties:

  • the right to information,
  • the right to rectification,
  • the right to deletion / right to be forgotten,
  • the right to restrict processing,
  • the right of objection and
  • the right to data portability.

In accordance with Art. 6 EU GDPR, the processing of personal data is lawful if:

  • the data subject has given their consent,
  • the data processing is necessary for the performance of a contract,
  • the data processing is necessary to comply with a legal obligation,
  • the processing is necessary to protect legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, or
  • another exception mentioned in the regulation applies.

Please note that as the person responsible for the processing of personal data, you must confirm which of these justifications you are invoking. This could be either the execution of the employment contract or direct consent from the employee.

  • Please note that (in Germany, for example) each company’s works council generally has to approve the legality of using analyses/reports that contain personally-identifiable data.
  • The Umantis application offers various configuration options. Among other things, specific free-text fields can be defined independently by the customer, or renamings can be configured. The responsibility for these configurations lies with the customer, and should be reviewed for conformity with the GDPR. We recommend that you only make changes of this type if they do not lead to the storage of personally-identifiable data.

GDPR requirements and implementation in Umantis

The following table provides helpful information about relevant requirements from the General Data Protection Regulation, and how each of them is implemented in Umantis Applicant Management (AM) and Employee Management (EM).

Requirement: It must be checked whether information about a person’s racial origin can be assigned to them in the system.

Implementation: These data require special protection, and such protection is provided by Umantis Applicant Management. The responsible customer administrator will find a legal notice in the application process settings for each branch office (/Administration/Agency/[ID]/Profile/ApplicationProcessConfiguration). From here, he or she can activate the required questions (EEOC questions) if required by applicable law (e.g. in the United States of America).

Notes:

  • Review your local data privacy laws and activate these questions (EEOC questions) only if legally required (e.g. in the United States, where these questions are relevant to the application process).
  • If you activate the EEOC questions for branch offices outside the United States, please make sure that collecting this data does not violate local data privacy laws.
  • The data is stored at the application level, not at the level of the individual person.
  • Free-text fields or renaming of fields are the responsibility of the customer.

Requirement: It should be possible to restrict access to personal data.

Implementation:

Applicant Management: Access to application documents can be blocked with a corresponding action. This prevents read and write access for everyone with access permissions (except for administrators).

Employee Management: Access to a person profile can be blocked with the corresponding action in the settings in the employee file. This prevents read and write access to the person profile (except for administrators) on all profile views.

When you execute the “Block access to person” action (in either Applicant or Employee Management), a confirmation dialog box is displayed. Click “Block access” to complete the action. This action can be undone by the administrator at any time.

Requirement: There should be an appropriate function for applicants and employees/former employees to delete their personal data (by legitimate request).

Implementation: Delete functions are provided for:

If an applicant deletes their profile in Applicant Management, it will automatically be displayed for the HR expert/administrator with the following message: “This applicant has marked their profile for deletion.” It then falls to the responsible HR expert or administrator to completely delete the profile. This should be checked and carried out regularly.

Requirement: It must be possible to anonymize/delete applications.

Implementation: Applications can be anonymized in Umantis Applicant Management. This is done either directly with the relevant action in the application documents, or as a multiple action in the applicant overview.

Requirement: If processing of user data depends on consent, then it must be ensured that the affected person is informed of their option to refuse.

Implementation: In Umantis Applicant Management, applicants can indicate directly in the application form whether they agree to the privacy policy statement and consent to the release of their data (default text for data release consent: I accept that my data will be saved even after this specific job is filled, and that I will be notified of other interesting job offers.) This consent can be revoked by the applicant in his or her profile. Applicants also see a link to the privacy policy statement for the specific branch office in (each of) their application(s).

In Umantis Employee Management, external individuals (event participants) can indicate when registering whether they agree to the privacy policy statement and consent to the release of their data (default text for data release consent: Yes, I agree that my data may be saved even after the end of my specific participation, and that I may be informed of other interesting offers.) This consent can be revoked by the external individual in his or her profile.

For Umantis solutions in which this extension is not yet available (standalone environments), the data release consent and the agreement to the privacy policy statement should be implemented with additional, manually configured selection lists.

Requirement: Fields must be appropriately marked as optional or required.

Implementation: In both Umantis Applicant Management and Employee Management, user input fields can be marked as required fields. The settings to mark fields as required are found in configuration mode under “Error correction during entry”. Users will see an asterisk next to the fields that you mark as required; these fields must be filled out in order to complete the process in which they appear.

Notes: Configuration mode > Error correction during entry.

Requirement: A function must be implemented that makes it possible to respond to information requests from affected individuals.

Implementation: One possibility would be to add a template for information requests to the existing export functions. Umantis applications have an export function that customers can use (based on their specific configuration) to generate their own exports based on export templates.

Checklist: Which settings should be checked in Umantis

The following is a list (not necessarily exhaustive) of GDPR-related settings in Umantis. We recommend that you review this list with your company’s data protection officer, since you are responsible for configuring your Umantis solution in accordance with all applicable data privacy regulations.

  1. Please take note of the information provided under Compliance and responsibility, as well as the notes.
  2. Check that your privacy policy rules are up to date.
  3. Privacy policy statement:
    Check the settings for the privacy policy statement & data release.
  4. EEOC questions: (Applicant Management)
    Activate these questions (EEOC questions) only if legally required (e.g. in the United States, where these questions are relevant to the application process).
    Check this under: Settings > Branch offices > Select branch office > Settings tab > Application process configuration
  5. Enable Block access to person:
    Check whether the links for “Block access to person” are displayed, so that they can be used if needed:
  6. Data release settings:
    Applicant Management
    • Enable the “Data release” container for display on the home page.
    This container includes important search links and helps the people in charge of data privacy policy to keep track of the relevant settings.
    Employee Management
    • Enable the “Data release” container for display on the home page.
    This container includes important search links and helps the people in charge of data privacy policy to keep track of the relevant settings.
    Important note for standalone solutions: For Umantis solutions in which this extension is not yet available (standalone environments), the data release consent and the agreement to the privacy policy statement should be implemented with additional, manually configured selection lists. For more information, see the section on: Settings for data release via manually-configured selection lists
    • In general, it is recommended that you obtain the employee's consent to the release of their data as part of their employment contract. If you want to get your employees’ data release consent through Umantis Employee Management, you can do this by using manually-configured selection lists, as described in the lower section (paragraph on “Displaying in person profile”).
  7. Search functions
    The search functions provided in Umantis help you to search on the data release settings of applicants or external individuals/event participants. Check whether these search filters are displayed in the advanced search area.
  8. Clarity and sustainability:
    • Ensure that your data protection officer (or other responsible person) performs a final review of all settings that are relevant for your company.
    • Raise awareness within your company about processes relating to data protection by talking with all relevant personnel (managers, employees, HR experts, etc.) about the GDPR and the associated requirements.
    • Make sure that your Umantis solution is configured to ensure sustainable GDPR compliance (if required), and that no subsequent processes conflict with this configuration.

Please note: Each individual company is responsible for its own compliance with the GDPR. Umantis provides GDPR information to its customers as a service. However, this information does not constitute legal advice. Each company must take responsibility for its own implementation of and compliance with the requirements of the GDPR.

Settings for data release via manually-configured selection lists

Configure selection list and make it available (Employee Management)

The following configuration is only necessary for Umantis applications with a version older than 23.1.0.0 (standalone solutions).

For Umantis applications with a version older than 23.1.0.0, it is strictly required that you obtain the data release with a manually-configured selection list. The following is a detailed step-by-step guide on how to configure this list and make it available.

Configure selection list

  1. Log in to your Umantis Employee Management solution as an administrator.
  2. Navigate to the selection lists via: Settings > Main settings > Selection lists tab
    (or alternatively, with the /Administration/Dropdown URL extension).
  3. In the “Employee profile” section, search for a selection list that has not yet been used
    (in the following example: Personal data user-defined List 24) and click on .
  4. You are now in the view for this selection list. Under “Actions”, click on +Add selection value.
  5. Now enter the first selection list value with the text to approve the data release (in German and English in this example):
    • Ja, ich bin damit einverstanden, dass meine Daten auch über eine konkrete Teilnahme hinaus gespeichert werden und ich auf weitere interessante Angebote hingewiesen werden kann.
    • Yes, I agree that my data may be saved even after the end of my specific participation, and that I may be informed of other interesting offers.
  6. Save your changes.
  7. Click + Add selection value again to create the second selection value with the text to decline the data release:
    • Nein, ich möchte, dass meine Daten nach den aktuellen Teilnahmen gelöscht werden
    • No, I want my data to be deleted after my current participations are completed.
  8. Save your changes.
You have successfully configured the selection list:

Notes:

  • Do not enter a “Meta-information” or “Parent category” value for the newly created selection values; leave them blank.
  • The texts for consent and refusal of consent are merely examples. You should decide on the exact wording of these selection values in consultation with your company's data protection officer.

Integrate selection list / make it available

Once the selection list is configured, you must integrate it into the relevant forms/screens. To do this, follow the steps below:

Displaying in the registration form for external individuals

To enable this field for display in registration forms, you need a published event for which you then register as an external individual:

  1. Stay logged in as an administrator in your normal browser session.
  2. Open an additional private browser window or “incognito” window.
  3. In this incognito window, open the Event overview for your Umantis Employee Management solution and click on “I want to register for this event” next to a published event.
  4. The registration form will now be displayed. Copy this URL (which is based on the following pattern: https://employeeapp-CUSTOMER-ID.umantis.com/Public/Courses/ID/Profile/RegisterAsExternal/NextTargetID/ID) and paste it into your “normal” (non-incognito) browser session, where you are still logged in as an administrator.
  5. In configuration mode, scroll down to the Personal data user-defined List 24 field and click on .
    There, set the following settings:
    • Visibility: Uncheck the box to display this field.
    • Original content label (names): Enter the name for each language you use, e.g. for
    German: Datenfreigabe and
    English: Data release.
    • Type of input field: Select SingleSelect RadioButton so that only a single radio button selection is allowed.
    • Error correction during entry: Select must. This makes it mandatory for the external individual to indicate whether they agree to the data release or not.
  6. Save your settings. The following new field is now displayed with two selection values:
  7. Exit configuration mode and follow the rest of the instructions.

Displaying in person profile

  1. Enter the URL extension /MyPublic/Profile/Personal to access the profile view.
  2. In configuration mode, scroll down to the Personal data user-defined List 24 field and click on .
    There, set the following settings:
    • Visibility: Uncheck the box to display this field.
    • Original content label (names): Enter the name for each language you use, e.g. for
    German: Datenfreigabe and
    English: Data release.
    • Type of input field: Select SingleSelect RadioButton so that only a single radio button selection is allowed.
  3. Save your settings. The following new field is now displayed with two selection values:

You have successfully configured the data release settings using a selection list.

Search by data release settings

Observe the following guidelines to enable internal search for external individuals and the corresponding data release settings:

  1. Navigate to the people directory through Employees > people directory (or alternatively, by directly using the URL extension /ExternalParticipants)
  2. Start configuration mode and then click on “Advanced search”.
  3. Scroll down to the Personal data user-defined List 24 field and click on .
    There, set the following settings:
    • Visibility: Uncheck the box to display this field.
    • Original content label (names): Enter the name for each language you use, e.g. for
    German: Datenfreigabe and
    English: Data release.
    • Type of input field: You can leave this setting set to default. (This lets users search on one or both selection values simultaneously.)
  4. Save your settings. The following new search field is now displayed with two selection values:


Email template (obtain data release)

If you have applicants who have submitted their applications via email or similar, rather than through Umantis Applicant Management, and have therefore not given their consent to the release of their data, you can request it later via email. To do this, set up access to the applicant profile and use the following email template to contact the applicant about the data release:

[Empfaenger.AnredeFormell]
[Empfaenger.Name]
You now have access to your applicant profile.
You can now edit your applications online.

Your login data is as follows:
Link to solution: https://[Special.Hostname]/SelfService?customer=[Special.Customer]&lang=eng
Your login data is as follows:
Login: [Empfaenger.Login]

Follow the link to set your password: https://recruitingapp-[YourCustomerID].umantis.com/Password/PWForgotten

After setting your password, please do not forget to read our privacy policy rules and accept them if you agree.

The following link will take you directly to the privacy policy confirmation: https://[Special.Hostname]/SelfService/MyProfile/Profile/DataAgree?lang=eng

Kind regards,
[Unternehmen.Name]

Related topics

All sections of the Online Help that relate to the GDPR: “GDPR icon > File usage”
