Tommy' Commitment to the GDPR
At Tommy, we are fully committed to preserving our users’ rights to data privacy and data protection. To that end, we have implemented both technical and organizational measures to ensure full compliance with the GDPR.
Data Processing and Ownership
Throughout the hiring process, our customers will collect Personally Identifiable Information (PII) from their candidates. This information is used to build candidate profiles and to administer pre-employment interviews and assessments with our software. When a candidate is invited to an assessment on Tommy, we store the following PII on behalf of our customer:
Name (first and last)
Email address
This data comes under the purview of the GDPR. Tommy ensures that we obtain consent from candidates as they sign up (using their invited emails to access our assessment). Our privacy policy clearly states how we process information, and all candidate information we receive or collect is handled securely and with adequate data protection measures in place.
Data Subject Rights
Under the GDPR, individuals may exercise their rights to data portability, data rectification, and their right to be forgotten at any organization where they apply for employment. A simple way to think of this is as Candidate Data Rights under the GDPR.
We collect candidate data on behalf of our customers, and any requests regarding accessing, editing, or deletion of candidate data will be forwarded to our customers. We allow our customers to access their candidate data and comply with requests from their candidates in-app. This way, our customers are always in control of their candidate data.
The customer can determine if their candidate’s request is valid and can be fulfilled. We will take action based on the direction provided by our customer on how to proceed with any such request.
As a processor, Tommy provides flexibility to our customers to determine their own data policies and how they may offer these rights to their candidates. This includes the ability to access, edit, and delete information regarding a candidate. We also provide the ability to set a routine data deletion process at a cadence determined by the customer.
Data Management
Data within Tommy is secured using industry-standard encryption. Data can be transferred outside EU borders if our customer and Tommy have entered into a contract that includes contractual clauses specified by the EU. Tommy uses a standard EU-specific data transfer and processing agreement to ensure compliance with the GDPR.
The GDPR also stipulates that personally identifiable data should not be stored indefinitely. Tommy' data retention policy provides flexibility to our customers to define how long their candidates’ PII should be stored and when it should be deleted. Data is stored for the duration of the contracted period with our customer, as well as a grace period thereafter.
Data Breach Prevention and Mitigation
We have sufficient data monitoring mechanisms in place to become aware of any data breach. In case a personal data breach occurs, we will send breach notifications per our internal incident response policy (within 72 hours of us discovering the breach). This will give sufficient time for our customers to convey the breach to the respective authorities.
Additionally, we will notify the concerned party through email (using the primary email address) for incidents specific to an individual user or an organization.
At Tommy, we are committed to the security and privacy of your data. We’re glad to comply and help you to comply with the GDPR. If you have any questions about your rights under the GDPR as a user, or how Tommy can help you with compliance as a customer, please get in touch with hello@tommymacarena.com.
Frequently Asked GDPR Questions:
What data do we collect?
When a candidate begins an assessment on Tommy, we store the following candidate information on behalf of our customer:
Name
Email address
If the hiring manager uses a Tommy account for inviting candidates to assessments, then we store the following information:
Name
Email address
Where is candidate data stored?
Tommy candidate data is stored in Frankfurt, Germany.
Who is responsible for candidate data?
Tommy customers own the data of all candidates. The responsibility of updating and deleting all candidate data when requested by a candidate lies with the customer. Tommy is happy to provide our customers with the necessary support to carry out such requests.
How long is candidate data stored?
It depends on the customer. For customers located within the EU, we provide a GDRP setting that, when enabled, ensures the deletion of candidate data 6 months following the hiring decision. In addition, we always support data deletion through requests sent to hello@tommymacarena.com for all of our users.
Who has access to candidate data?
The following people have access to candidate data on Tommy:
Hiring managers who administer the assessment.
Reviewers who review the assessment.
Candidates themselves upon request to the customer.
The Tommy internal team when a support request is raised by the customer and data access is necessary to support the request.
Does Tommy maintain any subprocessor relationships?
Tommy is a data processor and engages certain onward subprocessors that may process personal data submitted to Tommy' services by the customer. These subprocessors are listed below with a description of the service and the location where data is hosted. This list may be updated from time to time:
Amazon Web Services, Inc. for hosting infrastructure, databases, and file storage, as well as log files (Frankfurt, Germany)
Stripe, Inc. for payment processing (USA)
How can a customer request the deletion of candidate data?
Customers may "archive" candidates themselves at any time in-app, and this data will be marked for deletion. Furthermore, you can email us at hello@tommymacarena.com with a list of candidate data to be deleted.
Can deleted data be reinstated?
No, we cannot retrieve or reinstate deleted data.
If you accidentally clicked an "archive" button, please write us at hello@tommymacarena.com to see if it is possible to restore.