GDPR Compliance

Last updated: 1/11/2025

1. Our Commitment to GDPR

CVshelf is committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR). As an AI-powered recruitment platform, we process personal data with the utmost care and transparency.

2. Data Controller and Processor Roles

In the context of our Service:

  • Our customers (employers/recruiters) are the Data Controllers
  • CVshelf acts as a Data Processor
  • We process data only on documented instructions from controllers
  • We maintain records of all processing activities

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Consent from data subjects (candidates)
  • Legitimate interests for recruitment purposes
  • Contractual necessity for service provision
  • Legal obligations where applicable

4. Data Subject Rights

We support the following GDPR rights for candidates:

  • Right to access personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making

5. AI Processing and Automated Decisions

Regarding our AI-powered features:

  • Candidates are informed about automated processing
  • Human review is available for automated decisions
  • Scoring algorithms are regularly tested for bias
  • We provide transparency about AI decision-making criteria

6. Data Protection Measures

We implement appropriate technical and organizational measures:

  • End-to-end encryption of personal data
  • Regular security assessments and updates
  • Access controls and authentication
  • Data minimization practices
  • Employee training on data protection

7. International Data Transfers

For data transfers outside the EEA:

  • We use Standard Contractual Clauses (SCCs)
  • We ensure adequate levels of protection
  • We monitor international data protection requirements
  • We maintain transparency about data locations

8. Data Retention

Our data retention policies ensure:

  • Personal data is kept only as long as necessary
  • Regular review of retention periods
  • Secure deletion when purpose is fulfilled
  • Documentation of retention decisions

9. Data Breach Procedures

In case of a data breach:

  • Notification to authorities within 72 hours
  • Prompt notification to affected individuals
  • Documentation of all breach incidents
  • Implementation of remedial measures

10. Data Protection Impact Assessments

We conduct DPIAs for:

  • New AI processing features
  • Large-scale processing operations
  • Automated decision-making systems
  • Processing of sensitive data

11. Data Protection Officer

Our DPO oversees GDPR compliance:

  • Monitors compliance with GDPR
  • Provides advice on data protection
  • Acts as contact point for supervisory authorities
  • Handles data subject requests

12. Contact Information

For GDPR-related inquiries:

Data Protection Officer

Email: [email protected]

Address: Dhaka, Bangladesh

CVshelf maintains this GDPR compliance statement as part of our commitment to protecting personal data. This document is regularly reviewed and updated to ensure continued compliance with GDPR requirements.