Managing applicants' personal data in compliance with the GDPR

This file sets out the actions you can take when using Lucca Recruitment to help ensure your compliance with the GDPR. In particular, it provides details on the Management of personal data module.

The information set out in this document does not constitute legal advice. Please contact your advisor for any questions or requests regarding these subjects.

ℹ️ Details

You, as a Lucca client, continue to be the data controller for the processing of personal data of applicants entered into the solution.
Lucca is your data processor.

This namely means that your applicants' data is stored in our solution for you, and that you alone determine aspects such as the purposes and legal bases for the data processing.

⚖️ Legal framework

The General Data Protection Regulation —A.K.A. the GDPR— establishes the framework for the processing of personal data in the European Union. This is the legal framework within which Lucca Recruitment operates, in the aim of helping you process your applicants' data.

💡The CNIL (the French Data Protection Authority) specifies the basic elements that must be respected when processing personal data for recruitment purposes in its recruitment guide, which we encourage you to consult.

Using the Management of Personal Data module

For each profile, the Management of personal data module allows you to keep track of the legal basis for data retention, as well as the various dates involved (collection date, information date, retention period end date).

Collection date: The date on which you received or entered the applicant's information.
Information date: The date on which you shared your privacy policy with the applicant.
Retention end date: This corresponds to a maximum of two years after the collection date.

💡 The CNIL (the French Data Protection Agency) specifies the lawful bases on which personal data can be processed in file #4 of its recruitment guide. The primary legal bases that may apply when creating a CV database are consent and legitimate interest.

The Management of personal data module can be accessed by clicking on the shield icon to the right of the applicant's name. This module is completed according to one of two cases:

Capture d’écran 2025-04-01 à 14.43.34.png

1️⃣ Applicants who applied via a career page on Lucca Recruitment

For applicants who have applied on a Lucca Recruitment career page, the process is simpler: During their application process, the applicant gives their consent to their personal data being retained for two years (*). All of the fields in the personal data module are then automatically completed.

The shield icon for the module will automatically turn orange and then red when the data retention period comes to an end. You then have to either delete or archive the applicant.

For applicants who don't check the box saying "I consent to being contacted about future opportunities": Archiving the job will result in the data retention end date being updated to the closing date of the job.

(*) At present, this two-year duration is not configurable. You can enter the URL of your privacy policy in the General settings section of Lucca Recruitment.

2️⃣ Applicants created manually in Lucca Recruitment

For applicants who were created manually in Lucca Recruitment (e.g. through a CV import), only the personal information collection date is known. By default, the data retention end date is set at one month after the collection date.

In this case, the management of personal data module's shield will turn orange, and it you will have to manually enter the information in the management of personal data module.

Other features related to personal data

For a higher level of confidentiality, you can add private notes that will be visible only to you and to people with the required permissions.

Coming later in 2025: You'll be able to identify profiles with a retention period that's about to expire in a single click, so that you can send automatic reminders or delete the profiles.

❓ Frequently asked questions

I'm a Lucca Recruitment user. How do I process a request to exercise rights?

If you use Lucca Recruitment, your applicants can contact you to exercise any of their rights under the GDPR. Lucca Recruitment can help you respond to their requests through the following features

Right to access: Administrators have access to a single page with all of the applicant information stored on the solution, and can send that information to the applicant in the format of their choice. Please note that profile pages can be printed as PDFs using the native features of your browser (File > Print)
Right to rectification: Administrators can manually edit any field in an applicant's file
Right to erasure: Administrators can archive or delete a profile at any time
Right to object: Administrators can delete the profile of the applicant in question at any time
Right to restrict processing: Administrators can archive the profile of the applicant in question at any time

How can Lucca Recruitment help me comply with the GDPR?

You have control over what data you collect: You are free to choose which data items you want to collect from your applicants. There are no mandatory required fields. As a result, the data collected will depend on the data contained in your applicants' CVs or the data entered directly into the solution by users.
You have control over access management: As with all our solutions, you can easily manage people's access rights and other permissions within the solution
You have control over informing applicants about the processing of their data: You can directly enter the URL of your privacy policy in the solution so that it will appear at the bottom of all your job offers. You can also configure the texts you use to obtain applicants' consent to the retention of their data and the contact email address to be used for any requests to exercise rights.