This uncompromising commitment to data protection is the reason why renowned companies from highly regulated sectors, such as the financial and insurance industries, place their trust in us. We see ourselves as partners to our customers’ data protection officers and provide all relevant information to enable a swift review. In practice, the following questions regularly arise:
1. Does skillconomy meet all GDPR requirements?
Yes. We base our processing on clear legal grounds (Art. 6 GDPR), inform data subjects in a timely manner (Art. 13/14), ensure technical and organizational measures according to Art. 32, and maintain documented deletion and rights management.2. Is this a data processing agreement according to Art. 28 GDPR?
No. We process personal data as an independent controller within the meaning of Art. 4 No. 7 GDPR and independently decide on the purposes and means of processing. The entire selection and approach up to the transmission of applications is carried out by us as a service provider and exclusively in our systems; we determine the specific form of approach as well as the sources and networks used. Therefore, a data processing agreement according to Art. 28 GDPR does not apply.3. Is there “joint controllership”?
No. Our customers and we each act as independent controllers within a processing chain (“Controller-to-Controller”), but not as joint controllers within the meaning of Art. 26 GDPR. The EDPB Guidelines 07/2020 (page 3) specify the assessment criteria for joint controllership as follows: “An important criterion is that the processing would not be possible without the participation of both parties, in the sense that the processing activities of each party are inextricably, i.e., inseparably linked.” In addition to the fact that there is no joint decision on the essential purposes and means of data processing, there is in particular no coordinated or jointly managed processing procedure. skillconomy acts as an independent controller with its own purpose (matching and placement) during the candidate search and approach phase. The transfer of data to you is controlled and voluntary, based on the consent of the data subject.4. Does “solely automated processing” as defined by Art. 22 GDPR take place?
No. The final selection of which individuals are contacted is always made under human supervision (“Human-in-the-Loop”). Solely automated decision-making as defined by Art. 22 GDPR does not take place.5. How can applicant data be handled in the ATS?
An application that is transferred directly into your ATS via skillconomy can be treated by you in terms of data protection just like any other application. The reason is that we integrate your company-specific data protection regulations into the chatbot dialog, and applicants give their explicit consent according to Art. 6(1)(a) before the data becomes visible in your ATS.6. Can industry-specific requirements be met?
Yes. Individual requirements or additional guidelines can be integrated at any time if needed. If industry-specific documentation is required—such as the Code of Conduct for the insurance industry—these can be implemented in consultation.Do you have further questions?
Feel free to contact us at any time.
We have over ten years of experience in efficiently and effectively resolving all relevant compliance issues.