Our commitment to help you with data protection and compliance

WhiteCrow enables GDPR support for all customers worldwide

What is GDPR?

GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Who is affected by the GDPR?

In relation to WhiteCrow Research, persons affected by the GDPR are those EU data subjects whose personal data is being collected with consent and utilized in our business. Parties include talent who are registered on our platform, active employers who use or have used WhiteCrow services, and our EU based employees.

What rights do talent have under GDPR?

  • Right of access by the data subject
  • Right to rectification
  • Right to erasure (‘right to be forgotten’)
  • Right to restriction of processing
  • Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Right to data portability
  • Right to object
  • Automated individual decision-making, including profiling

What we have done at WhiteCrow to be GDPR compliant?

  • Clarity of information sharing with the platform users
  • Transparent demonstration of consent, storage and transfer of information
  • Data accessibility for professionals with the ability to modify, remove or complexly deactivate at will
  • Professionals are empowered in choosing which client should be seeing their profile
  • Platform Opt-out, email unsubscribe options for the professionals at any time
  • Opt-In and processing purposes are clearly shared with professionals and clients
Privacy by Design

Privacy by Design

From consent capture, data processing and data transfer, the data flow principles are made to be in line with the GDPR and instilled in the conception of this platform’s design

Data Retention and Minimization

Data Retention and Minimization

Data is only retained for the assigned purpose and automatically deleted or pseudonymized via the platform after the purpose is completed or 30 days post data creation whichever is sooner.

Data Transfer

Data Transfer

Consented data is securely transferred to the client via an exclusive access of the client platform. Minimizing any unintended accidental data transfer via emails or other medium. Protecting the professional’s data and securely disclosing the data to the end user.

Full Transparency and Confidentiality for Professionals

Full Transparency and Confidentiality for Professionals

The platform provides the professionals a bird’s eye view of their application statuses. Allow the professionals to choose preferred company they aspire to be a part of which is securely revealed only to the chosen company

Control and Risk-free transaction for Clients

Control and Risk-free transaction for Clients

The client platform allows exclusive access to the business clients with risk free data, notifying the clients on the validity of the shared data and deletion time which are managed by the platform algorithms for worry free business data transactions.

Frequently asked questions

On a recruitment mandate, only consented and screened candidates are shared with the client on the client platform. On a research mandate, candidates whose data has been collected/shared under the legitimate interest on behalf of the client, would be available to the client for 30 days or until the requirement of the mandate whichever comes sooner, and pseudonymized thereafter. The platform protects the rights of the candidates under the GDPR articles.

For research mandates-Long List identification for European candidates, we act as a data processor and the client is the data controller & owner of that candidate data. On a recruitment mandate or roles that required qualified candidates, both client and us act as data controllers.

The data would have indication of the number of days that are remaining for it to be pseudonymized automatically. The platform’s algorithm determines the number of days and pseudonymizes the data upon completion of 30 days of publishing it to the client.

The platform technology automatically deletes the personally identifiable information of the GDPR effected candidates and retains the non-personal or business data for aggregation and statistical purposes. data would have indication of the number of days that are remaining for it to be pseudonymized automatically. The platform’s algorithm determines the number of days and pseudonymizes the data upon completion of 30 days of publishing it to the client.

No. Once the GDPR candidate data is pseudonymized, it cannot be reversed. The candidate would then have to be remapped.

Yes. Once the GDPR candidate is published to the client, the data subject could be downloaded. Post the download the control of the data remains with the client and client assumes compliance responsibility of adhering to GDPR norms i.e. seeking consent from the data subject on holding their data, deletion of data beyond intended use, storage, transfer, etc...

No. The insights have been made to provide an eagle eye view of the progress on the mandate, summarizing the data and make it meaningful to derive inference and take decisions.

No. The client contact is represented by the client company. The candidate does not see any personal information of the client contact.

Personal data
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Processing
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Processor
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Controller
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Consent
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Pseudonymization
‘Pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person