Wepow: a GDPR compliant platform by design

Need a Data Processing Addendum? Contact us to receive your DPA by email.

What is the GDPR?

On May 25, 2018, a new data privacy law called the General Data Protection Regulation (GDPR) came into force, impacting how business collect and process data from individuals who live in the European Union (EU).

What data is covered by the GDPR?

The regulation applies to the act of processing personal data, defined as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.”

Who should care about the GDPR?

All companies that conduct business in the EU are legally required to comply with the GDPR. So if you are hiring within the EU, thereby processing personal data of EU citizens, this applies to you.

Who is impacted by the GDPR?

The GDPR identifies and governs three groups that fall within business transactions, that either has personal data rights or personal data obligations under this regulation.

Data subjects:

Data subjects are your candidates, who supply their personal data when pursuing employment opportunities with your company.

Data controllers:

You are the data controller because you determine purpose, reason and, type of information collected from your candidates.

Data processors:

Wepow is your data processor. Our platform servers to process the data you control and instruct us to collect as part of the selection process.

What are the GDPR’s requirements?

Any of your data processing activities involving personal data of EU citizens must comply with these key GDPR principles to be lawful permitted:

  • Fair and lawful with transparency
  • Explicitly specified
  • Only what is necessary
  • Current and accurate
  • Limited retention

Wepow is your partner for data privacy

As your video interviewing solution and designated data processor, we strive to offer innovative recruiting tools to manage your candidates in a way that supports your compliance objectives.

Data storage

Wepow offers European hosting centers for reducing the exposure of cross-border data transfer, providing our customers peace of mind for securely protecting their candidate data.

Data Protection Officer (DPO)

We’ve designated a DPO here at Wepow whose role will include protecting our customers’ and data subjects’ information by ensuring best practices in data privacy. If you would like an introduction, reach out to our CS team and they will introduce you!

Right to be forgotten

Article 17 enables data subjects to withdraw consent to data processing and have their information erased. Anytime a data subject reaches out to you with a valid right to be forgotten request, you can reach out to our Customer Support team to have your candidate(s) deleted within 30 days.

Lawful basis of processing

Article 6 requires a lawful basis of processing. If you’re collecting candidate data with Wepow, consent will most likely be the basis of processing you’ll need to rely on. As the data controller, you can insert an opt-in checkbox and include a link to your privacy policy.


According to article 17, the data subject has the right to have their data erased when data processing is no longer required. If you need to automatically remove candidate data from your account you can enable a data retention policy in Wepow. If you cancel your Wepow account, all candidate data will be automatically deleted within 12 months.

Data Processing Agreement (DPA)

Sub-processor DPAs:

Sub-processors are legally bound to manage our clients’ data in a GDPR compliant manner.

We have taken steps to ensure that Wepow’s customer data is secure by signing data processing agreements with each of our sub-processors. A list of sub-processors can be provided upon request.

Data processor DPA:

When you use Wepow, we act as your data processor. By signing a DPA with us (per GDPR Article 28.3), Wepow legally commits to manage your customer candidate data in a GDPR compliant manner.

Contact us to receive your DPA by email.


Customers can easily configure user permissions in the platform for access to their candidate data, providing visibility only where needed.

Secure data processing

Article 32 requires all data processing to be done securely. As your data processor, the privacy, security, and integrity, of your data are our number one priority. We’ve taken the necessary steps to secure our clients’ data. If you wish to know more about our data security framework, reach out to our CS team and they’ll be able to provide you with more information.

Data breach and mitigation process

Article 33 says that for any potential data breach, the supervisory authority must be notified within 72 hours of occurrence. Wepow has sufficient data monitoring mechanism in place to become aware of any such breach. On discovery of a breach, Wepow will notify the customer of the occurrence immediately, not exceeding 24 hours after the occurrence.

Frequently Asked Questions

What is the GDPR?

The General Data Protection Regulation (GDPR) is the most comprehensive update to the European Union’s data privacy regime since 1995, replacing the Data Protection Directive, and implementing a single regulatory system for all EU Member States. This means that there will be new rules to follow when it comes to collecting, tracking, or handling EU-based prospects’ and customers’ personal data.

What are the key changes brought by GDPR?

  • Harsher penalties
    Organizations that violate the GDPR can be fined up to 4% of their annual global turnover or €20 million (whichever is greater).
  • Extended user consent
    Consent must be given in an easily understandable way, and it must be as easy for people to withdraw consent as it is to give it.
  • Right to access
    The right for a person to transmit their data to another data controller (such as another business).
  • Data portability
    The right for people to seek confirmation as to whether or not their data is being processed, where, and for what purpose.
  • Breach notification
    It will be mandatory to notify their national Data Protection Authorities of a breach wherever a data breach is likely to “result in a risk for the rights and freedoms of individuals,” and companies must do this within 72 hours of becoming aware of the breach.
  • Privacy by design
    Businesses that handle EU data must only collect information from people when it’s absolutely necessary, must integrate technical safeguards, and must limit third parties’ access to personal data in their data processing.
  • Right to be forgotten
    People are entitled to have their personal data erased if they withdraw consent, or if their data is no longer relevant to the original purposes for which it was collected.
  • Territorial scope
    The GDPR applies to all companies that control and process EU data, regardless of their physical location.

Does GDPR affect me?

If you are processing EU job applicants or candidates, the GDPR may apply to you.

What do I need to do to become GDPR compliant?

There may be a few things you need to do to ensure you comply with the GDPR. We recommend you check out the official EDPS (European Data Protection Supervisor) website, which provides a comprehensive overview of the GDPR and steps you need to take to become GDPR compliant.

How will the GDPR impact UK-based business?

Until March of 2019, the UK remains an EU member state, so GDPR compliance applies to business based in the UK, or those collecting and processing data from the UK.

Wepow Service Subprocessors

Amazon Web Services, Inc.Cloud Computing, Data Warehouse ServicesUnited States
Google LLCEmail Services, Cloud StorageUnited States
Twilio, Inc. / SendGridSMS and Live Phone Support, Email DeliveryUnited States
Brightcove Inc. / ZencoderVideo TranscodingUnited States
Nexmo, Inc. / TokBoxLive Video StreamingUnited States
Zendesk, Inc.Customer Support ServicesUnited States
Intercom, Inc.Customer Support ServicesUnited States
SnapEngage, LLC.Customer Support ServicesUnited States
Salesforce.com, Inc.Sales CRMUnited States