Privacy Policy

Amended November 18, 2019

General

Referral candidates are invited by a friend or associate to consider applying for a specific position at the friend’s employer. EmployeeReferrals contracts with the employer to provide the platform used to facilitate this referral process. The data we collect and process is owned by our client, the employer.


We collect only the minimum information needed, share it only with those directly involved in the referral process and purge the information when it is no longer needed. Of course, we will also remove data upon request.


As outlined below, we comply with EU-US Privacy Shield Program requirements and with GDPR privacy regulations.


The table below identifies the data we collect from our client company, its employee, the referral candidate and the job applicant:


Data Collection and Usage

Data Source: Client Company
Data Elements: Contact Name, Contact Phone, Contact Email
Source and Usage: This information is provided by the client and is used by EmployeeReferrals to fulfill our contract with the client.
GDPR Basis - Reason for Using the Data: Contract – The processing is necessary to fulfill the contract we have in place with the client.
Retention: Contract Term

Data Source: Client Company or its Employee
Data Elements: Employee Name, Position, Department, Location, Employee ID, Email, Phone, Login, Site Usage, IP address
Source and Usage: This information is provided by the client or its employee and is used to present relevant referral opportunities to the employee, to track referrals made by the employee, to compensate the employee for referrals, to present internal mobility opportunities to the employee, and is used in aggregate, anonymous form in company monitoring of its referral program.
GDPR Basis - Reason for Using the Data: Legitimate Interest – Providing this information is in the employee’s interest to provide job opportunities to their acquaintances and to earn rewards for referring their friends who are hired. Providing this information is in the client company’s interest in filling vacancies.
Retention: Contract Term

Data Source: Referral Candidate
Data Elements: Name, Email
Source and Usage: This information is provided by the referring employee and is used in an email from the referring employee to the referral candidate inviting them to consider a particular position at the employer.
GDPR Basis - Reason for Using the Data: Legitimate Interest – It is in the interest of the referral candidate to receive information on job openings from a person they know at the company.
Retention: 6 months

Data Source: Job Applicant
Data Elements: Name, Email, Phone
Source and Usage: This information is provided by the Job Applicant and is used by the potential employer in considering their application.
GDPR Basis - Reason for Using the Data: Legitimate Interest – It is in the interest of a job applicant to provide contact and resume information in connection with the job application.
Retention: 12 months

Information from Cookies, Emails and Links

We collect information via cookies on browser type, operating system, IP address, usage dates and times. We also collect information about email and link openings.


Information from Social Sites

If the Employee chooses to link our service with their social media account (e.g., Facebook or LinkedIn) then we may pull information from that account which will help the employee identify which of their acquaintances may fit particular job openings. This may include information on the acquaintance’s education, employment history and qualifications.


Continuing Accountability

EmployeeReferrals remains accountable if third-party agents that it engages to process personal data do so in a manner inconsistent with our Privacy Policy, Privacy Shield principles or GDPR regulations unless EmployeeReferrals proves that we are not responsible for the event giving rise to the damage.


Complaint Resolution

EmployeeReferrals commits to resolve complaints about your privacy and our collection or use of your personal information. All individuals with inquiries or complaints regarding this privacy policy should first contact EmployeeReferrals at privacy@employeereferrals.com. EmployeeReferrals has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you are an individual in the EU and do not receive timely acknowledgment of your Privacy Shield complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. Finally, as a last resort and in limited situations, EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism. For more information on binding arbitration, see US Department of Commerce's Privacy Shield Framework: Annex I (Binding Arbitration).


Disclosure of Information to Third Parties

We pass to our hosting service, Amazon Web Services, personal and other information on employees, referred individuals and job applicants. Also, if the employer uses a third-party rewards provider, we supply information to that provider necessary for them to process referral bonus rewards to employees, generally the employee’s name, email and reward earned. We will disclose personal information in response to court order or other legal process, including to meet national security or law enforcement requirements. If we were to merge or be acquired by another entity the collection and processing functions we perform would be transferred to them. We contract with third parties to provide application development services and in this role they may have access to personal information. In the above transfers we supply only the minimum necessary information and the third parties we work with operate under privacy policies similar to this one. Even though we do not transfer data to non-agent third parties, if we were to, we will also provide individuals with opt-out before we share their data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized.


Transfer to Other Countries

We may transfer your data from the country where it was collected to a country with different data protection regulations. In doing so we will protect the data according to this privacy policy and under EU model clauses signed with our Client the Employer.


Security

We and our sub-processors use industry standard security measures to protect information from unauthorized access.


EU-US Privacy Shield Framework

EmployeeReferrals complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries or the United Kingdom transferred to the United States pursuant to Privacy Shield. EmployeeReferrals has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. EmployeeReferrals commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/. By participating in the Privacy Shield program EmployeeReferrals is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.


Applicability of Article 1.f of GDPR (Legitimate Interest)

A discussion of Article 1.f (Legitimate Interest) can be found at https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/.

An email from the employee to his friend/associate inviting him/her to consider a specific job at his company meets the requirements of 1.f because: First, this is a one-to-one and friend-to-friend communication, where the sender has implicit permission to communicate, with a purpose clearly in the interest of the recipient, and with no follow-on/repetition unless the friend applies for the job. Recital 47 of the GDPR addresses our situation with “Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller…” And second, the GDPR is explicit that opt-in is required where there is the potential for opt-in, with the example of a pizza parlor which collects an address for the purpose of delivery and could at this time request an opt-in for marketing purposes, but in our case there is no opportunity for getting opt-in prior to sending the invitation email.


Future Policy Amendment

This Policy may be amended from time to time, consistent with EU GDPR regulations, with the Privacy Shield Principles and with other applicable data protection and privacy laws and principles.  We will make users of our application aware of changes to this policy either by posting to our website, through email, or other means.  We will notify those who share personal data with us if we make changes that materially affect the way we handle personal data previously collected, and we will allow them to choose whether their data may be used in any materially different manner.