GDPR Readiness Summary

Introduction 

The GDPR (General Data Protection Regulation) is an EU Regulation which replaced the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It came into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security. but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

The GDPR aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business.

Talview's Initiative

The GDPR applies not only to EU-based businesses but also to any business that controls or processes data of EU citizens. At Talview, our entire organization is working hard to ensure that our practices are GDPR-compliant. But equally important to us is helping you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own. A big piece of that is ensuring that the Talview platform sets you up for GDPR compliance. In full transparency, while the existing product can be used in a way that helps to comply with the GDPR, doing so can be difficult and involve complex data management. 

We are fully committed to enhancing the Talview platform to enable easier compliance with the GDPR. Talview CISO function has validated the GDPR readiness of the various services internally. Legal experts have been utilized to vet the privacy policy, terms and conditions, consent, and opt-in clauses to ensure compliance. 

Platform Readiness

We keep enhancing the platform's data handling capability to comply with the guidelines stated for Data Processors, under which the platform’s functionalities are delivered as per the guidelines stated in GDPR.

The information and data available at Talview during the partnership with any Client is basis the Service Level Agreement that is put into place at the time of contract execution. This information is used by the Client for External Recruitment, Internal Fulfilment, Learning & Development activities, or any other scope for assessing and evaluating individuals for a specific pre-defined purpose stated in the Scope of Work. The following points highlight the current platform readiness with the GDPR guidelines.

• The Client in all cases will be the data controller of the data collected and processed on the platform. Talview will only act as the Data Processor on behalf of the client, delivering features and functionalities as per Scope of Work.

• Live Video Interviews, Interview Recording, and Proctoring using the Candidate’s microphone and camera during Assessments are an inherent part of the Talview feature and functionality offering to most Clients. During the audio and video recordings of the Candidate, Talview does not capture unique device IDs identifiers like UDID, MAC addresses, IMEI and IMSI numbers.

• We may capture the data subjects’ personal information on behalf of the client such as name, email id, photo, voice sample, etc. depending upon the scope of the work and the client’s requirement. The data collected will be encrypted at rest and at transit and will only be used for the purpose specified in the contract.

• Geographically, data for Talview’s Clients who are based in the EU and/or require GDPR compliance is hosted and processed within the EU. Talview leverages Microsoft Azure Cloud Computing Platform and Services which has a comprehensive enterprise compliance coverage in the form of ISO/IES, CSA/CCM, ITAR, CJIS, HIPAA, IRS 1075 certifications to name a few. Talview undergoes periodical security and privacy reviews, tests and audits.

• Additionally, data may be accessed from Bengaluru, India where the Talview back-office is located. Talview’s database engineers, development and customer support teams may remotely access the data centres to maintain the data for product development and customer support purposes.

• The data collected and processed by Talview on behalf of the Clients are not shared with any other person, company, or organization other than the one collecting it.

• Individuals accessing the platform are made aware of the data that will be collected and processed from them. This information is displayed as part of the Privacy Policy and the Terms & Conditions to the users. Individuals must agree to the Terms & Conditions at the time of login.

• Data protection laws give individuals certain rights in relation to their personal information. Talview provides individuals with an easy means to exercise rights as follows:

  • Request rectification/updating of data: Available, at Client’s discretion

  • Withdraw consent: Available, at Client’s discretion

  • Request erasure of data (i.e. the right to be forgotten): Available, at Client’s discretion

  • Request restriction of processing: Available, at Client’s discretion 

  • Portability of data: Available, at Client’s discretion

  • Complain to the relevant supervisory authority: Available, at Client’s discretion

• Individuals can refuse communication from Talview. They will be able to opt-out of any email communication being sent by Talview for the Interview and Assessment detail.

• Talview’s Data retention policy of the Client Data is as per Contract and the Service Level Agreements. The default duration is 6 months for data retention which is specified in the SLA as well. No data at Talview is stored indefinitely. Post-termination of any contract any data shared and processed on behalf of the Client is destroyed and evidence of the same is shared.

• As per Talview’s data lifecycle policy, data is safely destroyed by removing all references to the objects and overwriting data-blocks with random numbers and/or zeros.

• Individuals are provided clear and prominent notice about the purpose for processing of their personal data which includes all the information a Processor of Data is required to give.

• The processing of data by Talview is legitimized in compliance with the guidelines specified by GDPR for consent-based processing, which includes but is not limited to:

  • Specific, informed and unambiguous consent is obtained

  • Consent is given through clear affirmative action

  • Consent is clearly distinguished from other information

  • The data subject is provided with a means of withdrawing consent

• The Individual’s personal information is collected only for specific purposes for processing on Talview. Data is not and cannot be used for purposes that are not disclosed to individuals.

• Certain platform features like Proctored Objective Tests and Behavioral Analytics involve automated decision making, including profiling, which have the criteria for automated decision making covered through the following:

  • Consent to the processing is obtained

  • Necessary to enter into or perform a contract with the data subject

  • The processing is specifically compliant under EU laws

As part of Talview’s approach to the GDPR, we’re strengthening our security controls across the board. In addition to industry-standard practices around encryption, Talview's infrastructure teams are also improving our systems for authentication, authorization, and auditing at a massive scale to better protect our Customers' data.

Data Privacy Office

You can contact Talview's DPO at dpo@talview.com