GDPR
GDPR/UK GDPR Annex — Information for Users in the EEA and United Kingdom
Last updated: August 16, 2025

This annex consolidates all information related to the EU’s General Data Protection Regulation (GDPR) and its UK equivalent (UK GDPR), and it complements our main Privacy Policy.
1. Data Controller, DPO, and Representative
- Data Controller: Hiringbe. You can find our contact details in the Privacy Policy.
- Data Protection Officer (DPO): We have not appointed a DPO, as our activities do not involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data (Art. 37 GDPR).
- Representative in the EU/UK (Art. 27 GDPR): We have not currently appointed a representative, as our offering of services to individuals in these regions is occasional and not on a large scale. We commit to appointing one if circumstances or legal requirements change.
2. Legal Bases and Purposes of Processing
We process your personal data based on the following legal bases of the GDPR:
- Performance of a contract or pre-contractual measures (Art. 6.1.b): This is the primary basis for evaluating applications, coordinating interviews, and presenting professional profiles to potential employers who are our clients. It also applies when we respond to inquiries from companies interested in our services.
- Legitimate interest (Art. 6.1.f): We use this to ensure the security of our service and prevent fraud or abuse. We have conducted a balancing test concluding that our measures are necessary, proportionate, and respect your reasonable expectations. You have the right to object to this processing.
- Consent (Art. 6.1.a): We request your explicit consent for the use of non-essential cookies (analytics, advertising), as well as for unsolicited B2B marketing communications.
Record of Processing Activities (Excerpt - Art. 30 GDPR)
Activity | Data Subjects | Categories of Data | Purpose | Legal Basis (GDPR) | Recipients/Processors | Retention |
---|---|---|---|---|---|---|
B2B Lead Management | Company representatives | Identification, contact, technical metadata. | Business prospecting and handling inquiries. | 6.1.b (pre-contractual) and 6.1.a (consent for cookies/communications). | Brevo, Google Workspace/Drive. | 12 months. |
Selection Processes | Candidates | Identification, CV/portfolio, interview notes. | Profile evaluation and proposal to employer clients. | 6.1.b (pre-contractual) and 6.1.f (security/fraud). | Clients (summaries), Google, Tally. | 24 months. |
Analytics and Measurement | Website visitors | Online identifiers, browsing events. | Performance measurement and optimization of the website and campaigns. | 6.1.a (consent) + ePrivacy Directive 5(3). | Google, Hotjar, Google Ads, LinkedIn, Meta. | See /cookies. |
3. Cookies and Similar Technologies (ePrivacy Directive)
- In the EEA and United Kingdom, non-essential cookies and SDKs (analytics, advertising, preferences) are activated only after you grant your prior and explicit consent.
- Our consent management platform (CMP) offers the options “Accept all”, “Reject all”, and “Configure” with the same visual prominence.
- Google Tag Manager (GTM) acts as a tag manager that keeps third-party scripts blocked until you make a decision.
- You can change or withdraw your consent at any time from the Preference Center, accessible in our Cookie Policy. If you withdraw your consent, you may need to delete the already installed cookies from your browser settings.
4. Recipients and Data Processors (Art. 28 GDPR)
We maintain data processing agreements that guarantee security and confidentiality with our processors:
- Infrastructure and productivity: Hostinger (hosting), Cloudflare (security/CDN), Google Workspace/Drive (storage and office suite), Tally (forms).
- Communication: Brevo (email marketing).
- Analytics and measurement (subject to consent): Google Analytics 4, Hotjar, Google Ads/gtag, LinkedIn Insight, Meta Pixel.
Employers (our clients) act as independent data controllers. They receive profile summaries and will only receive your full CV if you grant us your express authorization for that specific purpose.
5. International Data Transfers (Ch. V GDPR)
To transfer data outside the EEA or United Kingdom, we use the following safeguards:
- From the EEA to the US: We rely on the European Commission’s adequacy decision for companies certified under the EU-US Data Privacy Framework (DPF). In other cases, we use the Standard Contractual Clauses (SCC 2021/914), supplemented with a Transfer Impact Assessment (TIA) and additional security measures such as encryption in transit and at rest.
- From the United Kingdom: We use the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
- Derogations (Art. 49 GDPR): They will only be used exceptionally, for example, with your explicit consent for a specific transfer or if necessary for the performance of a contract.
6. Data Retention
- B2B Leads: 12 months from the last contact.
- Candidates in processes: 24 months from the end of the process, to consider your profile for future opportunities (unless you request erasure sooner).
- Once the periods have ended, the data is blocked and subsequently securely deleted or anonymized for non-reversible statistical purposes.
7. Data Security (Art. 32 GDPR) and Breach Management
We implement administrative, technical, and physical security measures to protect your data, including:
- Principle of least privilege and access control.
- Two-factor authentication (2FA) on critical systems.
- Encryption of data in transit (TLS) and at rest.
- Activity logs and periodic reviews.
- Incident response plan: in the event of a security breach, we will notify the competent supervisory authority and the affected individuals when legally required according to the risk level, maintaining an internal record of such incidents.
8. Your Rights as a Data Subject (Arts. 15-22 GDPR)
You have the right to:
- Access: Know what data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure (right to be forgotten): Request that we delete your data.
- Restriction of processing: Ask us to temporarily suspend processing.
- Objection: Object to processing based on legitimate interest.
- Portability: Receive your data in a structured, commonly used format.
- To not be subject to automated individual decision-making that produces legal effects on you (we confirm that we do not perform this type of processing).
How to exercise them: You can send your request to privacy@hiringbe.com. Response time: We will respond within one month, which may be extended by up to two additional months in particularly complex cases, in which case we will inform you of the extension.
9. Impact Assessment (DPIA - Art. 35 GDPR)
With our current data processing setup, a Data Protection Impact Assessment (DPIA) is not required, as we do not carry out processing considered high risk (e.g., large-scale use of new technologies, processing of special categories, or mass profiling). We will conduct a DPIA if we introduce this type of processing in the future.
10. Supervisory Authorities
If you believe your rights have not been duly addressed, you have the right to lodge a complaint with your local supervisory authority (e.g., the AEPD in Spain, the CNIL in France, or the ICO in the United Kingdom), without prejudice to other administrative or judicial remedies available to you.
Professional Scope: This document is for informational purposes and does not substitute for personalized legal advice.