GDPR Compliance

Last updated 10 Aug 2025

Interview HR is fully committed to complying with the General Data Protection Regulation (GDPR) and protecting the data rights of all individuals whose personal information we process. This page explains our GDPR compliance approach and how we uphold your data protection rights.

1. Our Commitment to GDPR

Interview HR processes personal data in accordance with GDPR requirements. We recognise the importance of protecting personal data and have implemented comprehensive technical and organisational measures to ensure compliance. As a recruitment platform, we process both customer data (recruiters and hiring teams) and candidate data on behalf of our customers.

2. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract: Processing necessary to provide our recruitment platform services to you
  • Legitimate Interests: Processing necessary for our legitimate business interests (service improvement, security, fraud prevention) balanced against your rights
  • Consent: Where you have given clear consent for specific processing activities (e.g., marketing communications)
  • Legal Obligation: Processing necessary to comply with legal requirements (e.g., tax, accounting)

3. Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

3.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge in a commonly used electronic format within 30 days of your request.

3.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification of the correct data.

3.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent. We will comply within 30 days unless we have a legal obligation to retain the data.

3.4 Right to Restriction of Processing

You have the right to request that we limit how we use your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

3.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV). You can also request that we transfer this data to another service provider where technically feasible.

3.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.

3.7 Right to Withdraw Consent

Where we rely on consent as the legal basis for processing, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing carried out before withdrawal.

3.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe we have not handled your personal data appropriately. In the UK, this is the Information Commissioner's Office (ICO).

4. How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at:

  • Email: gdpr@interviewhr.com or dpo@interviewhr.com
  • Subject Line: Include "GDPR Request" followed by the specific right you wish to exercise
  • Response Time: We will respond within 30 days of receiving your request

We may need to verify your identity before processing your request to protect your personal data from unauthorised access.

5. Data Controller and Processor Roles

5.1 Interview HR as Data Controller

For account holder data (recruiters and hiring teams), Interview HR acts as the data controller. We determine the purposes and means of processing your personal data and are responsible for compliance with GDPR.

5.2 Interview HR as Data Processor

For candidate data processed through our platform, Interview HR acts as a data processor on behalf of our customers (the data controllers). Our customers determine the purposes and means of processing candidate data. We process this data solely according to their instructions and our Data Processing Agreement (DPA).

6. Data Processing Agreement (DPA)

We provide a comprehensive Data Processing Agreement to all customers who process candidate data through our platform. Our DPA includes:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data processed
  • Categories of data subjects
  • Rights and obligations of both parties
  • Security measures and data breach procedures
  • Sub-processor arrangements
  • Data subject rights assistance procedures

Our DPA incorporates the Standard Contractual Clauses (SCCs) approved by the European Commission for any data transfers outside the EEA.

7. Data Security Measures

We implement appropriate technical and organisational measures to protect personal data:

  • Encryption: All data encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Access Controls: Role-based access controls and multi-factor authentication
  • Data Minimisation: We only collect and process data necessary for specified purposes
  • Pseudonymisation: Where appropriate, we pseudonymise personal data to reduce privacy risks
  • Regular Testing: Security assessments, penetration testing, and vulnerability scanning
  • Incident Response: Documented procedures for detecting, reporting, and responding to data breaches
  • Staff Training: Regular data protection and security training for all staff

8. Data Breach Notification

In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms
  • Document all data breaches, including facts, effects, and remedial actions taken
  • Notify customers (data controllers) promptly so they can fulfil their own notification obligations

9. International Data Transfers

All personal data is stored and processed within the European Economic Area (EEA), specifically in AWS data centres in the eu-west-2 region (London). This ensures full GDPR compliance without requiring additional safeguards for international transfers. If we need to transfer data outside the EEA in the future, we will implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Account Data: Retained while your account is active and for a reasonable period after closure (typically 30 days unless legal obligations require longer retention)
  • Candidate Data: Retention controlled by customers (data controllers) according to their policies and legal requirements
  • Billing Records: Retained for 7 years to comply with tax and accounting regulations
  • Aggregated Analytics: Anonymised data may be retained indefinitely as it no longer constitutes personal data

11. Third-Party Sub-Processors

We use carefully selected third-party sub-processors to provide our services. All sub-processors are GDPR-compliant and bound by appropriate data processing agreements:

  • AWS (Amazon Web Services): Cloud infrastructure and storage (EU region)
  • Clerk: Authentication and identity management (GDPR-compliant)
  • Stripe: Payment processing (GDPR-compliant, PCI-DSS certified)
  • AWS Bedrock: AI processing for candidate scoring (EU region)

We maintain a complete list of sub-processors and will notify customers of any changes with reasonable notice.

12. Privacy by Design and Default

We implement privacy by design and by default principles throughout our platform. This means we consider data protection from the earliest stages of development and ensure that privacy-friendly settings are the default. Examples include data minimisation in our forms, automatic encryption, limited data access, and regular privacy impact assessments for new features.

13. Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments for processing activities that pose high risks to individuals' rights and freedoms, particularly when introducing new technologies or processing methods. Our AI-assisted candidate scoring feature has undergone a DPIA to ensure it does not result in discriminatory or unfair outcomes.

14. Children's Data

Our services are not directed at children under 16 years of age. We do not knowingly collect or process personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it immediately.

15. Automated Decision-Making and Profiling

Our AI candidate scoring feature assists recruiters by providing compatibility scores based on CV and job description analysis. However, this does not constitute automated decision-making under GDPR because:

  • Scores are advisory only and do not automatically reject candidates
  • All hiring decisions are made by human recruiters
  • Candidates are not subject to decisions based solely on automated processing
  • Recruiters retain full control over the hiring process

16. Contact Information

For any GDPR-related questions, concerns, or to exercise your data protection rights, please contact:

  • Data Protection Officer: dpo@interviewhr.com
  • GDPR Enquiries: gdpr@interviewhr.com
  • General Privacy: privacy@interviewhr.com
  • Phone: +44 (0) 20 1234 5678
  • Address: Interview HR Ltd, 123 Tech Street, London, SW1A 1AA, United Kingdom

17. Supervisory Authority

Our lead supervisory authority is the UK Information Commissioner's Office (ICO):

  • Website: https://ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

18. Updates to This Page

We may update this GDPR compliance page to reflect changes in our practices, legal requirements, or regulatory guidance. Significant changes will be communicated via email or through a prominent notice on our platform. The "Last updated" date at the top indicates when this page was last revised.

Interview HR is committed to full GDPR compliance and protecting the fundamental rights and freedoms of all individuals whose personal data we process. We continuously review and improve our data protection practices to maintain the highest standards.
