Qualified takes the privacy of our customers, partners and their end-users seriously. We know that user data is important to our values and operations. That is why we are taking measures to support our customers and partners’ compliance with EU data protection requirements, including those set forth in the General Data Protection Regulation (“GDPR”), effective May 25, 2018. For more information, we encourage our customers to read through the resources provided below.
GDPR FAQ
What is GDPR?
The General Data Protection Regulation (“GDPR”) is a new European privacy law that is set to replace the current EU Data Protection Directive (“Directive 95/46/EC”). The GDPR is intended to strengthen the security and protection of personal data in the EU.
To whom does the GDPR apply?
The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.
Is Qualified a controller or processor?
Qualified is a processor with regard to the personal data that Qualified processes on the Qualified platform on behalf of its customers (the controller).
Qualified is a controller with regard to the personal data that it collects and for which it determines the purposes for which and the manner in which the personal data is to be processed. We have a dedicated team working on GDPR compliance to implement appropriate measures by May 25th, 2018.
What data does Qualified collect through its platform service?
Qualified collects contact information, payment information, website tracking, and product usage information. Refer to our Privacy Policy for additional information.
Do you involve processors to process user data?
Qualified maintains an up-to-date list of the names and locations of all processors used for hosting or other processing of Service data. We are ensuring Data Processing Agreements (DPAs) are in place with all involved processors. You can also review the list of Sub-Processors used by Qualified.
Do you have a Data Processing Agreement?
We do. Contact us at [email protected] to request a copy of our agreement. Please provide your company name, address and company number (if applicable). Once we have that information we will send you a document ready for signing.
What should you do?
As a customer of Qualified, you are a data controller and Qualified is acting as your data processor for your candidates. In this respect, you’ll want to take the following steps as we approach May 25th:
- Ensure your Terms of Service and/or Privacy Policy are up to date.
- If you are based in the EU, or are assessing candidates within the EU, please email us at [email protected] for more information on signing our DPA.
- Perform your own research, modeling, vendor audit, and strategy steps at your company to ensure you understand GDPR as it applies to your business.
- Watch for updates from Qualified related to product functionality or T&C changes.
How are we preparing for GDPR?
Our security and compliance team is going through all the necessary steps to ensure we are GDPR compliant by the May 25 enforcement date. All Qualified customer data (and marketing data) is treated in a way that conforms with GDPR.
In addition to its commitment to GDPR, Qualified will be offering a data processing agreement (DPA) for customers processing information on behalf of EU and Swiss citizens.
As we all work to understand and apply GDPR concepts to our own businesses, we’ve created the below outline to keep you informed of our efforts.
What steps are we taking to comply with GDPR?
Completed
Vendor/Subprocessor audit
We have reviewed all vendors who act as sub-processors for Qualified data, auditing their approach to GDPR, and entering into DPAs where necessary. You can view our subprocessors here.
Remove Candidates (Right to be forgotten)
We currently have the ability to remove any personally identifiable information about a candidate within the system. Either the candidate or the team that controls that candidate's data can make a request.
To request a candidate to be removed, please email us at [email protected]. Once a candidate is removed, any remaining non-personal data is anonymized within all of our systems.
Updated DPA
Our DPA has been revised to reflect both regulatory and operational changes related to GDPR.
Updated Privacy Policy
Our Privacy Policy has been updated to better detail how we use the personal data that we collect. Candidates/Students who are invited to an assessment are now clearly asked to read and agree to the privacy policy.
Continuing Efforts
Ongoing Product strategy
While we have an initial set of product changes related to GDPR, we will continually be evaluating and adding new security and privacy functionality into our products.
Research
- Consult with internal and external counsel to understand legal interpretations of the GDPR requirements as they evolve.
- Work with other leading technology firms to understand the market’s general interpretation and best practices.
- Perform a Data Protection Impact Assessment as a security review to determine compliance with GDPR security requirements and industry best standards.
Modeling
Based on our research, we’re developing our working interpretative model as a reference and guide for internal processes.
Product & Process implementation
We are actively implementing pieces of the compliance roadmap within our product offering.