GDPR Compliance at HireNext

HireNext is committed to full compliance with the General Data Protection Regulation (GDPR). We treat the privacy and security of personal data as a core responsibility — not an afterthought.

Last updated: February 20, 2026
EU & UK GDPR Compliant

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing personal data of individuals in the European Union (EU) and European Economic Area (EEA), as well as the United Kingdom under UK GDPR.

HireNext acts as both a Data Controller (for data we collect directly from users) and a Data Processor (when processing candidate data on behalf of our customers). We have implemented policies, technical controls, and contractual safeguards to fulfill both roles responsibly.

  • Data Controller: For HireNext account holders, billing data, and platform usage data we collect directly.
  • Data Processor: For candidate data processed on behalf of our employer customers using the HireNext platform.
  • Lawful Processing: All personal data is processed on a valid lawful basis as defined under GDPR Article 6.
  • Privacy by Design: Data minimization, purpose limitation, and privacy controls are built into the platform architecture.

2. Lawful Basis for Processing

HireNext relies on the following lawful bases under GDPR Article 6 when processing personal data:

  • Contractual Necessity: Processing required to fulfill our service agreement with customers and users.
  • Legitimate Interests: Processing for fraud prevention, platform security, and service improvement where our interests are not overridden by data subject rights.
  • Consent: Where required (e.g., marketing communications), we obtain explicit, freely given, and withdrawable consent.
  • Legal Obligation: Processing required to comply with applicable laws, regulations, or court orders.

3. Data Subject Rights

Under GDPR, individuals have the following rights regarding their personal data. HireNext supports the exercise of all these rights:

  • Right of Access: Request a copy of all personal data we hold about you (Subject Access Request).
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten") where applicable.
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Rights Regarding Automated Decisions: Not be subject to solely automated decisions with significant effects without human review.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact our Data Protection Officer at dpo@hirenext.io. We will respond within 30 days as required by GDPR.

4. International Data Transfers

Where personal data is transferred outside the EU/EEA, HireNext ensures appropriate safeguards are in place in accordance with GDPR Chapter V:

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs for transfers to third countries without an adequacy decision.
  • Adequacy Decisions: Transfers to countries with an EU adequacy decision are permitted without additional safeguards.
  • Binding Corporate Rules: Where applicable for intra-group transfers.
  • Transfer Impact Assessments: We conduct TIAs for high-risk transfers to ensure effective protection.

5. Data Retention

HireNext retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

| Data Category | Retention Period |
|---|---|
| Active account data | Duration of account + 90 days post-termination |
| Candidate application data | As configured by employer (default: 12 months) |
| Billing & transaction records | 7 years (legal/tax obligation) |
| Security & audit logs | 12 months |
| Marketing consent records | 3 years from last interaction |

6. Breach Notification

In the event of a personal data breach, HireNext follows a documented incident response procedure:

  • Supervisory Authority Notification: We notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals' rights and freedoms.
  • Data Subject Notification: Where a breach is likely to result in high risk to individuals, we notify affected data subjects without undue delay.
  • Customer Notification: We notify affected customers (as Data Controllers) promptly to enable them to fulfill their own notification obligations.
  • Incident Documentation: All breaches are documented regardless of whether notification is required.

7. Data Processing Agreement

As required by GDPR Article 28, HireNext provides a Data Processing Agreement (DPA) to all customers who process personal data of EU/EEA data subjects through our platform.

Our DPA covers:

  • Subject matter, duration, and nature of processing
  • Purpose and type of personal data processed
  • Obligations and rights of the Data Controller
  • Sub-processor management and approval process
  • Security measures and audit rights
  • Data deletion and return procedures

To request a DPA, contact legal@hirenext.io.

8. Contact Our DPO

For any GDPR-related inquiries, data subject requests, or to request our DPA, contact our Data Protection Officer:

  • Data Subject Requests: dpo@hirenext.io
  • Legal / DPA Requests: legal@hirenext.io
  • Security Incidents: security@hirenext.io
  • General Privacy: privacy@hirenext.io
