GDPR Compliance and Data Privacy at Honeit
Last Updated: June 3, 2025
INTRODUCTION:
Honeit is committed to protecting personal data and ensuring transparency and accountability in our data practices. This page outlines how Honeit complies with the EU General Data Protection Regulation (GDPR) and supports our Customers in meeting their compliance obligations when using the Honeit platform. Honeit also aligns with relevant data protection laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), to ensure transparency and data rights for all users.
For full details on how we process data, please review our Privacy Policy and Terms of Service.
HONEIT’S GDPR APPROACH:
This document provides an overview of the GDPR and outlines the steps Honeit is taking. However, this information is not meant to be legal advice in any way, and we suggest that you consult a legal professional if you have any questions about GDPR for your business.
TABLE OF CONTENTS:
- About GDPR
- What Is Honeit Doing About the GDPR
- Honeit’s Role Under GDPR
- Supporting GDPR Rights and Responsibilities
- Client Responsibilities
- General GDPR Information (FAQ)
- Data Breach Response
- International Data Transfers
- Contact and Opt-Out
ABOUT GDPR:
The General Data Protection Regulation (GDPR) took effect on May 25, 2018. It harmonizes data protection laws across the European Economic Area (EEA) and strengthens privacy rights for individuals. GDPR applies to all organizations that process personal data of individuals in the EEA, regardless of where those organizations are located. Honeit supports these strict privacy standards and is committed to ongoing compliance. The regulation is intended to unify and strengthen data protection law for all businesses in the European Union, as well as for foreign companies that offer services to EU-based clients.
WHAT IS HONEIT DOING ABOUT THE GDPR?
Honeit is fully committed to complying with the European Union’s General Data Protection Regulation (GDPR) and protecting the personal data of both our Customers and their Candidates. Since early 2017, we have worked closely with legal and data privacy experts to ensure that our platform meets the technical and organizational requirements of GDPR, including transparency, accountability, security, and support for individual data rights.
HONEIT’S ROLE UNDER GDPR:
Honeit operates under two distinct roles when processing personal data:
- As a Data Controller: Honeit is the data controller for personal data we collect directly from our Customers, such as when companies create accounts, manage subscriptions, or contact us for support.
- As a Data Processor: Honeit is the data processor for personal data collected and shared by Customers through the Honeit platform, such as Candidate interview recordings, call transcriptions, scheduling data, and communication logs.
These roles are defined under GDPR Article 4 and referenced in our Privacy Policy and Terms of Service.
SUPPORTING GDPR RIGHTS AND RESPONSIBILITIES:
To support compliance, Honeit has implemented features and internal processes to:
- Enable Customers to manage and delete Candidate interview data on request
- Assist Customers in responding to data subject access or erasure requests
- Sign Data Processing Agreements (DPAs) with Customers upon request. Honeit offers a standard Data Processing Agreement (DPA) to help Customers meet their obligations as data controllers under the GDPR and other applicable privacy laws.
- Ensure subprocessors meet GDPR-equivalent obligations through contracts and Standard Contractual Clauses (SCCs)
- Maintain internal data breach response procedures to notify Customers without undue delay
We view GDPR as an opportunity to reinforce trust, improve transparency, and help our Customers operate in compliance with global data protection standards.
CLIENT RESPONSIBILITIES:
Every Honeit Client is also responsible for ensuring that it acts in accordance with the GDPR. As data controllers, Honeit Clients are responsible for the lawful processing of personal data belonging to their data subjects or candidates. To meet these standards, we recommend (at minimum) the following steps:
- Make sure your terms of service, privacy policy, and cookie policy are up to date, and that you clearly inform individuals which of their personal data you intend to use and for what purposes.
- Ensure that individuals who provide you with their data have the opportunity to receive a copy of their personal data and, under certain circumstances, to have their personal information corrected or deleted.
- You are required to sign a data processing agreement with every party, including Honeit, that processes personal data on behalf of your company, setting out the purposes for which those processors may use the personal information.
- You must ensure that stored personal information is accurate and protected.
- You must not retain personal information for longer than necessary, or beyond the period stipulated in any agreement.
- Be prepared to notify the appropriate data protection authorities within 72 hours in the event of a personal data breach, as required under GDPR.
Please note that the above is not comprehensive, and we recommend you seek legal advice for more information on any implications of the GDPR that may affect your business.
GENERAL GDPR INFORMATION (FAQ):
What is GDPR?
The GDPR is a comprehensive data privacy regulation that went into effect on May 25, 2018. It is designed to give individuals in the European Union greater control over their personal data and governs how organizations collect, process, store, and share that information. It replaced the 1995 Data Protection Directive and applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is based.
Who does the GDPR affect?
The GDPR applies not only to organizations located within the EU, but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU citizens. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What is personal data?
Under GDPR, personal data is any information relating to an identified or identifiable natural person. This person is referred to as the “data subject”. This includes the obvious data, such as name, address, email address, and phone number, but also IP address or data specific to the physical, physiological, genetic, economic, cultural, or social identity of that natural person.
What is the processing of personal data?
Processing refers to any operation performed on personal data, including collecting, viewing, storing, modifying, transferring, or deleting it.
What is the difference between a controller and a processor of personal data?
The controller is the party that determines the purposes and means of processing personal data. The processor is a party that processes personal data on behalf of the controller, in accordance with the instructions and scope that the controller and processor have agreed upon. Under GDPR, Honeit is the controller of the personal data of its employees and of the personal data that directly concerns the contact persons of the brands we work with. Honeit is a processor of the personal data that Clients receive from their customers.
What are Honeit’s Clients’ obligations under GDPR?
Under GDPR, the Clients are the controller of the personal data of their candidates, users, or other data subjects. This means that as controllers, they are required to process data in accordance with GDPR. Some of the key points are:
- Determine what personal data is processed and for what purposes
- Accommodate Clients’ rights in relation to the processed data
- Ensure that the processed personal data is protected adequately
- Establish a straightforward process to identify and report data breaches within the timeframes set out in GDPR
- Conclude a data processing agreement with all third parties who process personal data on Honeit’s behalf
- Inform the Clients, by means of a privacy policy, in a clear and understandable way, on how their data is processed and what has been done to be compliant under GDPR.
What is in the GDPR about processing personal data?
GDPR prescribes that in processing personal data, the following principles should be taken into account:
- Personal data must be processed in a manner that is fair and transparent towards the data subject
- Personal data may be collected for purposes that have been communicated to the data subject and for which you have a legitimate purpose.
- Personal data must be accurate and kept up to date; inaccurate data must be corrected or erased without delay.
- Personal data must be kept no longer than necessary
- Personal data must be handled in a secure way
What are Honeit’s obligations towards its Clients under GDPR?
Companies have chosen Honeit as their interview platform and processor of the personal data of their candidates. This means that Honeit will assist them with their obligations as a controller. In addition, Honeit is the controller of any personal data that relates to our direct clients (employers and companies who use Honeit). For more information on how we process the personal data relating to our direct clients, please refer to the privacy policy located on our website.
What specific rights do individuals have in relation to the personal data that is processed under GDPR?
An individual has the following rights (each of which is explained later in this document):
- Right of information and access
- Right to rectification
- Right of portability
- Right to object
- Right to erasure
- Right to restriction of processing
The controller of the personal data is responsible for addressing these requests, but Honeit, as a processor, will assist its Clients in that regard. Any request from a Client in relation to the above-listed rights should be followed up within one (1) month of the request. If it concerns complex or substantial requests, the term might be extended by an additional month.
What does the right to information and access to personal data mean?
Upon request, individuals must be informed about the personal data that is being processed. A copy of the personal data undergoing processing shall be provided, free of charge. In addition, the following information must be provided:
- The purposes of processing
- The categories of data processed
- The recipients or categories of recipients
- The envisaged retention period, or, if not possible, the criteria used to determine this period
- The individual’s rights in relation to personal data
What does the right to rectification of personal data mean?
An individual may require incorrect personal data to be rectified.
What does the right of portability of personal data mean?
An individual may require personal data to be provided in a structured, commonly used, and machine-readable form so that it may be transferred to another data controller without undue burden.
What does the right to object to the processing of personal data mean?
An individual does not have the right to object to the processing of personal data in general, but may object to the following processing activities:
- Processing for direct marketing purposes
- Processing for scientific, historical, research, or statistical purposes
What does the right to erasure of personal data mean?
It means that an individual may require a controller to have personal data deleted if the processing fails to satisfy the requirements of GDPR. This may be the case under the following circumstances:
- When the personal data is no longer necessary for the purpose for which it was collected
- Where an individual withdraws prior consent, and there is no justification for the processing
- Where an individual objects to the controller’s basis for processing data
- When the data is otherwise unlawfully processed
What does the right to restriction of processing of personal data mean?
This right gives an individual an alternative to the right of erasure and allows the individual to require data to be restricted from further processing when the processing is challenged. Such a challenge may occur if the individual disputes the accuracy of the data or has objected to the processing. Restriction means that the controller may only store the data and may not further process it unless the individual gives consent, or the processing is necessary for legal claims.
How is Honeit helping its Clients with the data subject rights of customers?
Honeit will assist Clients with appropriate technical and organizational measures in responding to requests. This means that if a request is received from a customer, Clients can easily redirect it to Honeit for additional assistance.
How is Honeit protecting the personal data it processes?
Honeit has taken both technical and organizational measures to ensure that all the data that we process is adequately protected.
What is a data breach?
A data breach is any security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
What does Honeit do in the event it suffers a data breach?
Honeit has an internal data breach policy in place, which enables it to adequately respond in the event of a data breach. Honeit’s actions are, briefly, the following:
- Identify the source of the data breach
- Contain the breach and take all necessary measures to protect data
- Notify the involved data controller without undue delay after becoming aware of the data breach
- Assess the extent to which measures need to be taken to prevent a similar data breach in the future.
It is the controller’s obligation to notify the supervisory authorities without undue delay and, where feasible, within 72 hours after becoming aware of the breach. A notification is not necessary if the breach is unlikely to result in a risk to the rights and freedoms of EU citizens. It is also the controller’s obligation to notify the individuals who are affected by the data breach. The notification is not necessary if the breach is unlikely to result in a high risk for the rights and freedoms of the individuals or if appropriate technical and organizational protection was in place at the time of the incident.
Does Honeit use subprocessors?
Honeit uses several subprocessors such as AWS and SendGrid to process transactions and communications and to store (and protect) our data.
Is Honeit transferring data outside the European Economic Area?
Honeit uses AWS servers in the United States to store interview and communication data collected through the platform. Where personal data is transferred outside the European Economic Area (EEA), Honeit relies on Standard Contractual Clauses (SCCs) approved by the European Commission. Additionally, Honeit ensures that all subprocessors are contractually obligated to implement GDPR-equivalent safeguards through enforceable agreements.
How long can personal data be kept?
GDPR does not specify a fixed retention period for personal data, but requires that personal data be retained no longer than necessary in relation to the purpose for which it is processed. There is an exception allowing specific personal data to be kept longer where this is required by law.
CONTACT AND OPT-OUT:
To opt out or purge any of your data, please contact support@honeit.com.
This page is intended to summarize Honeit’s approach to data privacy and is not a substitute for legal advice or contractual commitments outlined in our agreements.
For full legal terms and data practices, please see our Privacy Policy and Terms of Service.
© 2014-2025 Honeit, Inc. All rights reserved.