FAQ GDPR

Processing of Personal Data by SmartyMeet

Please familiarize yourself with the basic information about the principles of personal data processing in SmartyMeet.

General Information

 

SmartyMeet offers a Software as a Service (SaaS) solution. It is a tool designed to optimize the recruitment process and assess a candidate's suitability for a specific job position. To this end, it utilizes algorithms that check the alignment of a candidate's experience with specific requirements (defined by the recruiter). This means that a candidate applying for multiple positions can be evaluated differently in relation to each position.

Special Category Data

 

SmartyMeet does not collect or process data that could be considered special category data, in accordance with Article 9 of the GDPR (i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health, sexuality, or sexual orientation). The data verified is strictly related to the candidate's experience in the context of the position for which they are applying.

 

Does SmartyMeet Enable Automated Decision-Making, Including Profiling?

 

SmartyMeet does not allow for solely automated decision-making, including profiling, that has legal effects or similarly significantly affects the individual concerned.

The candidate's experience is verified by algorithms that check the fit for a specific position and allow for the determination of their suitability. However, this is not an assessment of the candidate's characteristics, but of their fit for the position.

 

Clarification of the Terms "Profiling" and "Automated Processing"



As a general rule, the terms "profiling" and "automated processing" should not be conflated.

Profiling, as defined in Article 4(4) of the GDPR, means any form of automated processing of personal data that involves the use of personal data to evaluate certain personal aspects of a natural person. Profiling can be used to analyze or predict aspects such as work performance, economic situation, health, etc. Therefore, profiling occurs when a data controller infers characteristics of an individual based on information held about them using any tool for automated decision-making. Profiling is thus a type of automated data processing.

Automated processing is a broader concept and does not evaluate the personal factors of the data subject. The GDPR does not specify what is meant by automated processing of personal data (APD). According to the guidelines of the Article 29 Working Party (WP 251), it refers to data processing carried out by technical means, i.e., at every stage, performed without human aid/support. In the case of full automation of processing, there is no possibility of influencing the process - one cannot turn to a person making a decision, because the resolution is made "by the machine". Automated procedures may not take into account circumstances important for evaluating a person as the algorithms may not anticipate special or exceptional situations.

However, what is most important is that an organization may profile (obviously, while adhering to all traditional GDPR principles). You do not need to obtain additional consents or meet other special criteria for this purpose. All this, provided that the profiling does not meet the conditions of so-called qualified profiling. In practice, distinguishing ordinary profiling from qualified profiling will be key.

So, what is qualified profiling (Article 22(1) of the GDPR)? It is a process where:

  • The decision is based solely on automated decision-making, i.e., without human involvement at any stage.
  • The process has legal effects concerning the profiled person or similarly significantly affects them.

 

Is SmartyMeet the Data Controller for Job Candidates?

No. SmartyMeet is a tool provided to organizations conducting recruitment. The purposes and means of processing personal data are determined by the organization, and SmartyMeet acts as a processor of personal data.

 

Why Is Using SmartyMeet Completely Legal Under GDPR?



In SmartyMeet, we do not process special category data; nonetheless, safeguards have been implemented to ensure that personal data are secure and processed legally.

The implementation of the principles set out in Article 5 of the GDPR has been ensured through:

  • Lawfulness, Fairness, and Transparency
    The rules for data processing by SmartyMeet have been defined and described in the Privacy Policy document.
  • Purpose Limitation
    Personal data obtained by SmartyMeet are processed only for the purpose defined in the contract for using our system and the contract for the processing of personal data. We do not process data for other purposes.
  • Data Minimization
    We collect only as much data as we truly need.
  • Accuracy, Integrity, Confidentiality, and Availability of Data
    SmartyMeet uses measures that guarantee the fundamental characteristics of data security, including:
      • Secure login: Users can log in using a username and password or through SSO (single sign-on).
      • Redundant backup system.
      • Access control to the systems used (dedicated user for each system, possibility of identification, recording of activities performed).
      • Use of TLS encryption for transmitted data, as well as other cryptographic data protection measures.
      • Use of multi-layered login methods (JWT tokens, 2FA).
      • Strict control over API access (based on clientId and clientSecret and generation of API-KEY).
      • SSL certificate for the web layer.
      • Logs are collected for 30 days and then deleted.
      • Dedicated AWS (Amazon Web Services) servers located in two regions: European and USA.
  • Storage Limitation
    SmartyMeet does not act as the data controller for candidates' personal data. It is the recruiting entity that sets the data retention period.
  • Accountability
    Actions taken in the system are accountable through system logs and user access controls.

Do We Enter Into Data Processing Agreements?



Yes, an integral part of the agreement you enter into with SmartyMeet is a personal data processing agreement. It is included in the SmartyMeet terms and conditions. You do not need to sign any additional documents for this purpose. Upon entering into an agreement, SmartyMeet becomes the entity processing personal data of your candidates, for which you are the Controller.

Does SmartyMeet Sell My Data to Third Parties?



No, SmartyMeet does not sell your data to third parties.

How Can I Safely Integrate with SmartyMeet?



Use the integration option through Zapier. When you use SmartyMeet services and integrate with other applications via Zapier, Zapier, as the tool supporting the integration, processes various types of personal data that our clients enter while using its services.

Zapier ensures compliance with EU law regarding international data transfers.



Zapier processes personal data subject to European data protection regulations as a data processor. Zapier fulfills its obligations under the Zapier Data Processing Addendum, including certification in accordance with the EU-US Data Privacy Framework and adoption of the EU Standard Contractual Clauses defined in the European Commission Decision 2021/914 of June 4, 2021.