GDPR Compliance

BSI 10012 Data Protection

GDPR Compliance

GDPR Commitment Statement

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.

Ceipal is compliant with applicable GDPR regulations as a data processor. Working in conjunction with our clients, we have begun to explore opportunities within our services offerings to assist our customers to meet their GDPR obligations, where applicable. These efforts have been critical in our ongoing preparations for the GDPR:

Data processing: Our ability to fulfill our commitments as a data processor where applicable to our customers, the data controllers, is a part of our compliance with GDPR where data controllers are using a third-party (like us) to process personal data. Because of this requirement, we at Ceipal have worked extensively to provide that our Master Subscription Agreement and related agreements contain appropriate provisions for personal data we store and balance the risks and responsibilities between data controllers and data processors.

Third-party audits and certifications: Ceipal has the distinction of being one of the applicant tracking systems (ATS) to be SOC 2 audited. See our Security Information for details.

International data transfers: Ceipal Corp. is committed to comply where applicable with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Ceipal Corp. is committed to subjecting all personal data it receives from data exporters in any European Union (EU) or European Economic Areas (EEA) member state, under the Privacy Shield Framework, to its applicable Privacy Shield Principles. To learn more about the Privacy Shield Framework and the Privacy Shield Principles, please visit the U.S. Department of Commerce’s Privacy Shield website at

Data portability: The GDPR includes certain requirements on data controllers for the portability of personal data. The data our customers store in Ceipal is theirs. We provide for portability and are continually working to enhance the robustness of our data export capabilities.

What this means for you

As a current or future client of Ceipal, now is a great time for you to begin preparing for the GDPR as a data controller. Consider these tips:

  • Get to know GDPR: Familiarize yourself with the provisions of the new regulation, particularly how it may differ from your current data protection obligations, and consider the relationships you have with both your clients and candidates. Also, note the variance of local provisions which may be superseded by new regulations. Be aware that new requirements may require new solutions that meet the stringent requirements ahead.
  • Audit your data and processes for data capture: Consider creating an updated and precise inventory of personal information that you control. Review your current controls and processes to ensure that they’re adequate and build a plan to address any gaps. Here are some steps you can take today:
    • Review your field maps
    • Review your process documentation
    • Ensure you have a lawful basis for processing the data
  • Stay informed: Stay ahead of updated regulatory guidance as it becomes available and consider consulting a legal expert to obtain guidance applicable to you. We recommend regular review of the Information Commissioner’s website, which is the UK representative within the EU working group: Article 29.

At Ceipal, we strive to deliver an incredible customer experience, earning the trust of hundreds of thousands of users globally. We will continue to make additional required operational changes resulting from the new legislation and will keep our clients, partners, and regulatory authorities informed throughout this process. We have an internal cross-functional team who continues to monitor GDPR as it moves to become more clearly defined over the next few months, and who will continue to inform our strategy for GDPR.