πŸ‡ͺπŸ‡Ί European Compliance

GDPR (Europe)

Last updated: May 29, 2024  Β·  Talcura Technologies Inc. β€” Pursuitly

Pursuitly supports GDPR rights for users and candidates in the European Economic Area (EEA). While Pursuitly is primarily a Canadian product subject to PIPEDA, we respect GDPR requirements for any EEA-based individuals whose data is processed through our platform.

About the GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that applies to the processing of personal data of individuals in the European Economic Area (EEA), regardless of where the processing organisation is located. The GDPR came into effect on May 25, 2018.

Talcura Technologies Inc. is a Canadian company primarily subject to Canada's PIPEDA. However, if your organisation uses Pursuitly to process personal data of individuals located in the EEA β€” such as European candidates applying to positions β€” GDPR requirements may apply to that processing, and we support compliance accordingly.

Roles Under the GDPR

Talcura as Data Processor

When your organisation uses Pursuitly to collect and manage personal data of EEA-based individuals, your organisation is typically the data controller β€” you determine the purposes and means of processing. Talcura Technologies, as the operator of Pursuitly, acts as the data processor, processing data only on your instructions.

Data Processing Agreement (DPA)

GDPR Article 28 requires a Data Processing Agreement between controllers and processors. Talcura Technologies provides a signed DPA to any customer that requires one. Contact privacy@pursuitly.com to request a DPA.

Legal Bases for Processing

Under the GDPR, processing of personal data must be based on a lawful legal basis. When Pursuitly is used to process EEA personal data, the applicable legal bases typically include:

  • Contract: Processing necessary for the performance of a contract (e.g., employment application processing)
  • Legitimate interests: Processing for legitimate business purposes such as evaluating candidates, provided those interests are not overridden by individuals' rights
  • Legal obligation: Processing required to comply with applicable employment or immigration law
  • Consent: Where required, with a lawful consent mechanism in place that permits withdrawal at any time

Your Rights Under the GDPR

If you are an individual located in the EEA whose personal information is processed through Pursuitly, you have the following rights:

πŸ“‹ Right to Access
Request a copy of your personal data and information about how it is processed.
✏️ Right to Rectification
Request correction of inaccurate or incomplete personal data.
πŸ—‘οΈ Right to Erasure
Request deletion of your personal data ("right to be forgotten"), subject to legal obligations.
⏸️ Right to Restriction
Request that processing be limited in certain circumstances.
πŸ“¦ Right to Portability
Receive your data in a structured, machine-readable format and transfer it to another controller.
🚫 Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
πŸ€– Automated Decisions
Not be subject to solely automated decisions that produce significant legal effects, without human review.
↩️ Withdraw Consent
Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.

To exercise any of these rights, contact us at privacy@pursuitly.com. We will respond within 30 days. Note that some rights may be fulfilled by the data controller (your employer or the organisation using Pursuitly) rather than directly by Talcura.

International Data Transfers

Pursuitly stores all data on Microsoft Azure Canada servers. When EEA personal data is processed through Pursuitly, it is stored in Canada. Canada has been recognised by the European Commission as providing an adequate level of protection for personal data under the EU-Canada adequacy decision, which means data transfers from the EEA to Canada are permitted without additional transfer mechanisms in most circumstances.

We do not transfer EEA personal data to any country that has not been recognised as providing an adequate level of protection without appropriate safeguards such as Standard Contractual Clauses (SCCs).

Breach Notification

Under GDPR Article 33, data controllers must notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it. Under Article 34, affected individuals must be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

As a data processor, Talcura Technologies will notify affected customers (data controllers) of any breach involving EEA personal data within 24 hours of discovery, providing sufficient information to enable controllers to fulfil their notification obligations.

Supervisory Authority

If you are located in the EEA and believe your GDPR rights have not been respected, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

We encourage you to contact us first at privacy@pursuitly.com β€” we aim to resolve all privacy concerns promptly and fairly.

Special Category Data

The GDPR applies heightened protections to "special category" personal data, including information relating to racial or ethnic origin, political opinions, religious beliefs, health data, and sexual orientation. Pursuitly's standard features do not require or encourage the collection of special category data. If your organisation collects such data through the platform, you are responsible for ensuring a valid legal basis exists under Article 9 GDPR.

Need a Data Processing Agreement (DPA)? Contact privacy@pursuitly.com and we will provide a signed DPA within two business days. We also respond to security questionnaires and vendor compliance reviews within two business days.

GDPR questions or DPA requests?

Our privacy team responds within one business day.

Contact Privacy Team