The General Data Protection Regulation, or GDPR, was passed by the European Union in 2016 to update and replace the EU Data Protection Directive of 1995. It regulates the way in which companies handle, store and / or process personal data, and harmonizes data protection regulations across EU member countries.

The GDPR’s reach is not restricted to the geographical location of your business or your data subjects. It also applies to any person with EU citizenship, and therefore touches on all recruitment processes in which personal data of EU citizens are involved. The GDPR applies to all companies which collect, store, and process the data of EU citizens, even if the company has no established place of business inside the EU. Furthermore, GDPR for the first time introduces significant sanctions for non-compliance which came into final effect on May, 25th, 2018.

Recruiting and marketing programs depend on collecting and using personal data, and now face big challenges. Although of an organizational nature per se, the new GDPR requirements in most cases also entail a new set of requirements for the technology on which your business relies. Using only an Excel spreadsheet, for example, to manage personal data of your candidates or talents will quite likely not be sufficient anymore to satisfy the GDPR’s extended requirements.

Companies are well-advised now not to automatically assume, for example, that a candidate has at some point in the past given their consent to the processing of their data just on the fact that there is a record for them in the program database. As a consequence of the principle of transparency, for example, data subjects need to be able to see the types of data processing to which they consented, and to modify or revoke their consent.

How IntraWorlds Helps You Keep In Touch With Talents in a GDPR Compliant Fashion*

Data Security and GDPR Compliance: Managing the data and rights of candidates under GDPR can become a huge administrative task. So it is important to know how IntraWorlds can help you achieve and maintain GDPR compliance on an ongoing basis offering different technical features within the platform.

Flexible and Extensive Rights & Roles System: Several dimensions are available for controlling user rights. Rights and privileges for viewing and editing profiles, viewing and editing content, and for using the portal’s features, can be assigned and revoked individually and in any combination, allowing maximum control. In conjunction with the workflow engine (see below), rights and privileges can also be revoked automatically if an individual is no longer entitled to them. Conversely, users may be granted additional privileges based on certain profile criteria or level of interaction with your platform if so desired.


Elaborate Privacy Control: Users have full control over which data they want to share with whom. Privacy settings operate on the level of both profile field sections and individual fields, and exceptions can be created for defined groups and other individuals. Additional privacy control layers are available for administrators.


Business Automation using Triggers (an event to trigger a customizable workflow), Filters (to target specific candidates) and Actions (what actually happens when above criteria is met) that automate consent process (see above), and other use case scenarios configured to your specific data model.


Extended Notification Options so candidates can adjust their Email preferences or unsubscribe.

Consent Management Module: This feature is at the heart of our platforms’ options for meeting the control and transparency stipulations of GDPR. Individuals’ consent can be obtained automatically, and can be evaluated and demonstrated for each and every platform user at any time and in full detail (timestamp, consent option/checkbox, version etc.). Can include specified regular checks of the CRM database to automatically delete or anonymize profiles of individuals who have not consented/opted out, or to run reminder campaigns for designated profiles.

Additionally, users can be flagged for review and further action depending on their consent or non-consent, thus helping you make sure that your active sourcing process only includes individuals who have consented. In the context of automation (see below), various triggers, user profile filters, and automated actions are available to react to candidates’ consent or non-consent and so automate the consent process.

Therefore IntraWorlds’ consent management module meets concrete GDPR requirements:

  • The data controller needs to be able to demonstrate that the data subject has given their consent.
  • Data subjects, for example, candidates and talents, must be able to revoke any consent given,
  • and finally, much in opposition to widespread longstanding marketing practice, consent may not be conditional but must be freely given, that is, you may not demand consent to a type of data processing in exchange for a service which is unrelated to the types of data you collect. In practice, this means that you must provide separate consent options if you intend to process data for separate purposes (e.g. different types of marketing e-mails).

Read more


Full data export and reporting function allowing administrators complete control and insight into which information is stored for which candidate. Under GDPR, individuals may request to see the data stored for them. Our reporting and exporting features allow meeting these requests at any level of detail.


And finally, there is a dedicated Support Team helping you set up the technical requirements and implementing your processes to be able to work with the platform in a GDPR compliant way, and according to the guidelines of your legal department.

The GDPR explicitly demands not only adherence to the data protection principles set out in article 5, it also mandates that organizations must meet strict IT security standards. Companies must be sure to protect the confidentiality, integrity and availability of personal data at all times. Therefore, IntraWorlds, as a data processor, makes sure to prevent unauthorized physical and virtual access to organizational assets such as computers, networks, and sensible data.

Intraworlds’ security controls and the management system which governs them meet the highest standards and have been certified according to ISO 27001 since 2013. This state-of the art security standard also applies to our German Hosting Partner PlusServer, who has been ISO 27001 certified since 2016. The certificate and the information security management system certified under it have helped numerous companies with very high security standards such as SAP, Deutsche Bahn, PwC, and many more put their trust in and collaborate with IntraWorlds.

Behind the user interface, we implement technical and organizational security measures such as:

  • 100% compliant and secure data centers, Amazon Web Services in the US and Plus Server GmbH in Germany using Firewall, Encryption, and other state-of-the-art Technologies to protect the data
  • Separate backup location
  • Annual Third-Party Review & Audit of the IT Security Management System (external audits & certification)
  • Annual penetration tests with vastly structured analyses to identify and remedy potential technical vulnerabilities
  • Strict role segregation so that only IntraWorlds employees who need to access your data are able to view it.

For further reading on the IntraWorlds Information Security Management System (ISMS) an IT Security Reading Package is available upon request.

Therefore, IntraWorlds will help you engage with your candidates

and achieve a higher conversion rate due to personalised content with a maximum of business automation.

Guiding Principles

In order to be prepared for GDPR, your company must comply with the following principles:

  • Lawfulness, Fairness and Transparency: These principles existed before but are now extended and made more concrete by the following.
  • Legitimate Purpose: Your business or program must have legitimate grounds (or “legitimate interest”) for collecting a person’s data, and you are required to provide full transparency about how you will use your candidates’ data.
  • Explicit and Transparent: You must only use your candidates’ personal data for the purpose you originally specified and shared to the candidate. Among others, this means that in most cases, privacy notices must be clearer than before.
  • Minimization: The data which you collect on your candidates must be limited to the defined purpose, and be adequate and relevant to that purpose.
  • Accuracy: You must provide for the accuracy of the data which you possess of individuals. In practice this means, for example, that your data subjects need to know where and how to keep their data up to date.
  • Limited Retention: If the purposes for which you collected the data cease to exist, so does your right to hold onto these data in a form which allows identifying an individual. In practice, this means that you can only keep a candidate’s data in an anonymized form after the original purpose ceased to exist.
  • Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Under GDPR, individuals have enhanced rights to access the information that companies have about them, and businesses have new obligations for data management. Noncompliant companies may be charged penalties of up to 4% of worldwide turnover or € 20 million, whichever is greater.

* While IntraWorlds offers functionalities to support compliant processes, we are not a law firm and do not provide legal advice. The data controller is, within his or her domain, fully responsible for protecting the data and is solely responsible for working with and handling data in the platform in accordance with the GDPR. Intraworlds’ consultants have supported the implementation of many talent relationship management programs for EU and Non-EU customers, following their requirements in accordance with EU privacy laws. We strongly recommend you consult with your legal counsel to decide upon compliance processes.