Version 1.1 - 24 May 2018
You’re receiving this document because you’ve recently submitted personal data – as described by GDPR – to Open Source Careers / Perl Careers, or because you’ve asked for it! The latest copy is also available on our website, which is where you might be right now: https://perl.careers/community/gdpr
GDPR is a most excellent piece of privacy legislation from the EU, and as geeks and privacy advocates, we at Open Source Careers (of which Perl Careers is the largest brand) are huge fans. We will endeavour to treat everyone’s data with the care with which we are required to treat the data of EU citizens.
What Data We Have
In the general case, the only data we have about you is data that you’ve explicitly given directly to us. We get this data when you email it to us or send it to us via a form on the website. Very occasionally we put up job adverts on traditional job sites, and we get your CV if you apply via that. Occasionally, after we’ve received your data, we’ll attempt to find you on LinkedIn or on Google, and add relevant social media links to your profile (Twitter, GitHub, etc).
What We Do With That Data
We only use this data to help you get a job with our clients. Nothing else. We will occasionally email you directly with roles we think are a uniquely good fit for you, at most once a year, if they come up.
We may have separately asked for your consent to occasionally email you more generally, but again personally, to see how your career is progressing, and if you’d be interested in hearing about our roles. This is unlikely to be more frequently than every six months.
How Long We Keep That Data
Our legal basis for processing your data is legitimate interest. We believe that if you contact us about a job, you’re engaging our expertise to help you find any relevant roles. Most of our candidates apply for jobs with us more than once, so we’ll retain details we have about your previous job searches for up to six years after the last time you contacted us. We also have legal and financial reporting requirements to retain these records.
Who Else Gets That Data
We will share your data outside of Open Source Careers only at your express direction, and with specified clients. While we will usually email you to ask your permission, if you’ve applied for a specific role online with us, we will occasionally use that as explicit consent to share your details with that one client only.
Open Source Careers recruitment is performed by full-time staff, although some are employed as independent contractors. All understand the ramifications of GDPR and the need to keep your data private. Open Source Careers staff are usually outside the EU – there’s more data below on how we protect your data, and prevent it leaving the EU.
You can ask us for a copy of all data we have about you. We will require a £10 processing fee and proof of identification to process this. We may (will probably?) waive that fee at our discretion, and will generally do so if we believe you have a good faith concern about your data. There’s a list of the type of data you might expect below.
We will remove your data from our systems whenever you ask us to, and may (but plan not to) charge you a processing fee for this. We maintain a list of people who have asked us not to store their data ever, or whose data we choose not to hold, and you can ask us to put you on this.
In any case, all requests should be directed to: email@example.com
Who We Are
Perl Careers is a trading name of Open Source Careers Ltd, Isle of Man registered company 013288V, registered office: 11 Hope Street Douglas IM1 1AQ, and we are the Data Controller for the personal data you send us. We do not believe we are required to have a Data Protection Officer, as we’re not processing enough data, nor do we believe the data we’re processing is sensitive.
Contacting Us Regarding Your Data
The person at Open Source Careers who is in charge of compliance with GDPR is Peter Sergeant, and you can email him at firstname.lastname@example.org.
If we have an ongoing relationship with you, and you have possession of an email address we recognize and have in our system, we’ll probably consider that sufficient identification to process your request. If we don’t, or you are no longer in control of the email address we associate with you, we’ll require a notarized copy of your passport or other legal identification.
What Data We Have and in What Systems
A Note On How Our Systems Are Accessed
Open Source Careers recruitment staff generally are not in the EU. All access to systems with recruitment data is strictly only allowed via AWS WorkSpaces, a remote desktop solution. Our AWS WorkSpaces are based in AWS’s EU region. Your data is never stored or written to the disk of our staff’s machine, nor is it transferred to them except for the ephemeral screen viewing that remote desktop entails.
File or data transfer between a staff member’s AWS WorkSpace and their personal machine / email / whatever is strictly forbidden, and any possible breach is dealt with severely. All passwords for accessing the below systems are stored in a password manager only accessible on the AWS WorkSpace.
In short, should a staff member lose a machine, have a machine compromised, or have a machine seized, no candidate data is on it and no credentials for accessing systems with candidate data are on it either.
Google Mail / Apps
We use Google Mail as our primary mail system. We retain emails for six years in Google Mail. Generally, we do not store candidate data in Google Drive, although that may change in the future, without notice. Emails will have data you’ve sent us, and exchanges between us and companies concerning your data – we don’t believe we’re required to provide you with copies of the latter, even if you ask for them.
We maintain a list of candidates about whom we have decided not to (or have been asked not to) store data. This list contains name, email address, the date they were added to the list, and whether we decided to add them to the list, or they requested it. There is no expiration date on that data, and we will not accept requests to delete that data.
If you start an application process on our website, an email is sent to our primary email address with your email address, which page you started from, and your Google Analytics (see below) ID. We store this data for five years.
Google’s Privacy and Security documents: https://privacy.google.com/businesses/
Some of our records still live in an Excel document, called “Recruitment Numbers.xls”. Specifically this lists jobs we put you forward for, and the status of those applications. Against your name is the company, and date, and final status of the submission. We store this data for six years from our last recruitment-related contact with you.
Connecting a non-AWS WorkSpace desktop to the company Dropbox is an offense for which staff should expect instant termination.
Dropbox’s Privacy and Security documents: https://www.dropbox.com/security/GDPR
Recruitee and Bullhorn
Recruitee and Bullhorn are recruitment CRMs, which we use to hold your CV data, and some information about roles we’ve submitted you to, data we’ve derived from your CV (such as your location), and occasionally relevant technical social media links. We are transitioning data from Recruitee to Bullhorn, but you should assume your data is currently held in both.
We store this data for six years from our last recruitment-related contact with you.
Recruitee’s Privacy and Security documents: http://support.recruitee.com/privacy-and-security/recruitees-data-center-and-gdpr
Bullhorn’s Privacy and Security documents: https://www.bullhorn.com/gdpr-commitment-statement/
When you submit an application on our website, it’s handled by a service called Cognito Forms. This stores all the information you’ve sent us, by email, to our Google Mail account (see above). Cognito Forms also retains this data. We remove data from Cognito Forms at least every 90 days. Cognito Forms may also record your browser and IP address.
Cognito Forms’ Privacy and Security documents: https://www.cognitoforms.com/features/security
Google Analytics and Clicky
On our primary websites, we use Google Analytics and Clicky to track customer data, anonymously. We don’t believe this constitutes Personal Information under GDPR. Regardless, both services have GDPR statements:
Google’s Privacy and Security documents: https://privacy.google.com/businesses/compliance/
Clicky’s Privacy and Security documents: https://clicky.com/help/faq/privacy/gdpr
If we’ve placed you in a role, your name will appear on an invoice in our accounting system, along with the salary for which you were placed. We are required to keep this data for accountancy purposes for at least six years. Separately from other data we hold, this data may be accessed by members of our accountancy firm, and FreeAgent is usually accessed from outside AWS WorkSpaces.
We maintain a mailing list for Perl Developers in the UK, for which you would have had to explicitly sign up, if you’re on it: £5 Mailing List. If you’ve signed up to that, your details will be retained in that list until you unsubscribe.
When you start applying for a role on the Perl Careers site, you’re prompted to start with your email address. If you enter it, this is sent, via a custom Perl script on HostGator, to our Gmail account. Your email address transits HostGator’s systems during that time, but is not retained or stored there.
HostGator’s Security policies can be found here: https://support.hostgator.com/articles/what-security-measures-are-used-to-protect-my-server
If you use our Live Chat feature on the Perl Careers site, this process is kicked off by entering your email address. This is then sent to Intercom, who run our Live Chat, as part of starting your Live Chat session. Intercom stores that, and any communication you have with us via Live Chat. This data is retained for six years.
Intercom’s Privacy and Security documents: https://www.intercom.com/security