GDPR Compliance

Last Updated: January 2025

1. Introduction to GDPR

Interview Platform is committed to complying with the General Data Protection Regulation (GDPR), the European Union's comprehensive data protection law. This page explains how we comply with GDPR requirements and protect the rights of individuals in the European Economic Area (EEA).

The GDPR applies to any organization that processes personal data of individuals located in the EEA, regardless of where the organization is located. As we serve clients and candidates globally, we adhere to GDPR standards for all users.

2. Our Role Under GDPR

2.1 Data Controller

For candidate and interviewer data we collect directly, Interview Platform acts as the data controller. We determine the purposes and means of processing this personal data.

2.2 Data Processor

When processing candidate data on behalf of our clients (hiring companies), we act as a data processor. Our clients are the data controllers and provide instructions on how to process this data.

2.3 Data Processing Agreement (DPA)

We enter into Data Processing Agreements with all clients to ensure GDPR-compliant data processing. Our DPA includes:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the data controller
  • Security measures and data protection safeguards
  • Sub-processor provisions
  • Data breach notification procedures

3. Legal Bases for Processing

We process personal data only when we have a valid legal basis under GDPR Article 6:

Contractual Necessity (Article 6(1)(b))

Processing necessary to perform our contract with you, including providing interview services, scheduling, and generating reports.

Consent (Article 6(1)(a))

For interview recordings, marketing communications, and optional features. Consent is freely given, specific, informed, and unambiguous.

Legitimate Interests (Article 6(1)(f))

For fraud prevention, security measures, and improving our services, provided your rights and freedoms are not overridden.

Legal Obligation (Article 6(1)(c))

To comply with legal requirements such as tax laws, data retention laws, and court orders.

4. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

4.1 Right to be Informed (Articles 13-14)

You have the right to clear, transparent information about how we collect and use your personal data. Our Privacy Policy and this page provide this information.

4.2 Right of Access (Article 15)

You can request confirmation of whether we process your personal data and obtain:

  • A copy of your personal data
  • Information about processing purposes
  • Categories of data being processed
  • Recipients of your data
  • Retention periods
  • Your other GDPR rights

Response time: Within 1 month (extendable by 2 months for complex requests)

4.3 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. We will notify relevant third parties of corrections unless this is impossible or involves disproportionate effort.

Response time: Within 1 month

4.4 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

  • Data is no longer necessary for its original purpose
  • You withdraw consent and there's no other legal basis
  • You object to processing and there are no overriding legitimate grounds
  • Data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

Exceptions apply when we must retain data for legal compliance, legal claims, or public interest purposes.

Response time: Within 1 month

4.5 Right to Restriction of Processing (Article 18)

You can request we restrict (but not delete) your data when:

  • You contest the accuracy of data (restricted while we verify)
  • Processing is unlawful but you prefer restriction to erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing (restricted while we verify overriding grounds)

Response time: Within 1 month

4.6 Right to Data Portability (Article 20)

You can receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and transmit it to another controller when:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

This right applies only to data you provided to us, not derived or inferred data.

Response time: Within 1 month

4.7 Right to Object (Article 21)

You can object to processing based on:

  • Legitimate interests: We must stop unless we demonstrate compelling legitimate grounds that override your interests
  • Direct marketing: We must stop immediately upon objection
  • Research purposes: Unless processing is necessary for public interest tasks

Response time: Within 1 month

4.8 Rights Related to Automated Decision Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects, unless:

  • Necessary for contract performance
  • Authorized by EU or Member State law
  • Based on your explicit consent

Note: Our interview evaluations are conducted by human interviewers, not automated systems. Any AI-assisted features are clearly disclosed and do not make final hiring decisions.

4.9 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you can withdraw it at any time. Withdrawal doesn't affect the lawfulness of processing before withdrawal.

Effect: Immediate upon receipt of withdrawal

4.10 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State where you reside, work, or where an alleged infringement occurred.

While we hope to resolve concerns directly, you can contact:

  • Your local data protection authority
  • The Irish Data Protection Commission (our lead supervisory authority in the EU)

5. How to Exercise Your Rights

To exercise any of your GDPR rights:

Submit a Request:

  • Email: [email protected]
  • Online Form: Use our Data Subject Request Form
  • Account Settings: Some rights can be exercised directly through your account settings
  • Mail: Interview Platform Inc., GDPR Requests, 123 Tech Street, San Francisco, CA 94105

Identity Verification:

To protect your privacy, we verify your identity before processing requests. Please provide:

  • Full name and email address associated with your account
  • Specific details about your request
  • Additional verification information if needed (government ID, account information, etc.)

Response Timeline:

We will:

  • Acknowledge your request within 72 hours
  • Respond substantively within 1 month
  • Extend by up to 2 additional months for complex requests (with explanation)
  • Provide responses free of charge (unless requests are manifestly unfounded or excessive)

6. Data Protection Principles

We adhere to all GDPR data protection principles (Article 5):

1. Lawfulness, Fairness, Transparency

Process data lawfully, fairly, and transparently

2. Purpose Limitation

Collect for specified, explicit, legitimate purposes only

3. Data Minimization

Collect only adequate, relevant, and necessary data

4. Accuracy

Keep data accurate and up to date

5. Storage Limitation

Retain only as long as necessary

6. Integrity and Confidentiality

Ensure appropriate security and protection

7. International Data Transfers

When transferring personal data outside the EEA, we ensure adequate protection through:

Standard Contractual Clauses (SCCs)

We use EU Commission-approved Standard Contractual Clauses (2021/914) for transfers to countries without adequacy decisions.

Adequacy Decisions

We prioritize transfers to countries with EU adequacy decisions (UK, Switzerland, Japan, etc.).

Additional Safeguards

We implement supplementary measures including encryption, pseudonymization, and strict access controls.

8. Data Breach Notification

In the event of a personal data breach:

1. Detection and Assessment

We detect and assess the breach within hours using automated monitoring and security protocols.

2. Supervisory Authority Notification (Article 33)

We notify relevant supervisory authorities within 72 hours of becoming aware of the breach (unless unlikely to result in risk to rights and freedoms).

3. Individual Notification (Article 34)

We notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms.

4. Documentation

We maintain records of all data breaches, including facts, effects, and remedial actions taken.

9. Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee GDPR compliance:

Name: Sarah Johnson, CIPP/E, CIPM

Email: [email protected]

Responsibilities:

  • Monitoring GDPR compliance
  • Advising on data protection obligations
  • Conducting Data Protection Impact Assessments (DPIAs)
  • Serving as contact point for supervisory authorities
  • Handling data subject requests

10. Certifications and Compliance

We maintain the following certifications and compliance standards:

SOC 2 Type II

Annual security and privacy audits

ISO 27001

Information security management certification

GDPR Compliant

Full compliance with EU data protection laws

Privacy Shield (Legacy)

Now using Standard Contractual Clauses

11. Contact Information

For GDPR-related inquiries, please contact:

Data Protection Officer: [email protected]

GDPR Requests: [email protected]

General Privacy: [email protected]

EU Representative: Interview Platform Ireland Ltd., Dublin, Ireland