European Union General Data Protection Regulation (GDPR)/California Consumer Privacy Act (CCPA)

Why are the GDPR and CCPA important?

Both the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) regulate how companies “process” (e.g., collect, use, share, and retain) and protect personal data. Core features of the GDPR and CCPA are to give individuals control over the processing of their persona data. For covered entities both laws significantly raise the stakes for noncompliance and data breaches through hefty fines and private rights of action. We at Gem agree with the principle that individuals should have the right to have their personal data protected and control over that data. We have put in place robust security and privacy practices.


What is GDPR?

The GDPR is a data privacy and protection legal framework for EU member states and countries in the European Economic Area (“EEA”). Based on the premise that privacy is a fundamental human right, the GDPR gives “data subjects” (individuals whose data is processed in the EEA, not just EU citizens) control over their personal data through robust compliance obligations for organizations that are “established” in the EEA, market products or services to European data subjects or monitor their behavior in the EEA , including through cookies and similar tools.

What is “personal data” under GDPR?

The GDPR defines “personal data” as any information that can be used to directly or indirectly identify a person, such as a name, unique identifier, photograph, email address, or IP address.

What requirements does the GDPR impose on organizations that do business in the EU?

The GDPR imposes the following principles-based requirements:

  • Personal data must be processed in a fair, legal, and transparent way for the purpose(s) that the data subject reasonably expected at the time of collection.
  • Organizations must be transparent and specify at the time of collection what personal data they collect, how it will be used and shared, and how long it will be retained.
  • Personal data should be held no longer than necessary to fulfill its purpose.
  • Data subjects have specific rights regarding their personal data. They include the right to request access, deletion, or correction of their personal data; the right to restrict processing of their data; and the right obtain their data in a format that will enable the data subject to transport their data to another organization.

What roles are assigned to organizations under the GDPR?

Organizations are assigned the role of data controller or data processor. Many organizations will qualify as both, depending on the relationship of the parties and specific data processing activities. This is how Gem views those roles and associated responsibilities:

Data Controller

A “data controller” is the party that alone or jointly with others determines the purposes and means of the processing of personal data, and processes the personal data for its own purposes. While using Gem, you are the data controller because you determine the purpose (recruiting a candidate) and the means (using Gem) of processing the personal data. Separately, Gem is a data controller for the personal data associated with your Gem account (e.g., your business contact information) because we control the means and purposes of this processing for our use: invoicing, to communicate information about your account and for other administrative functions.

Data Processor

Gem is the “data processor” because we process personal data on your behalf under an agreement in which you tell us what data to process, for what purpose(s), how long we can keep the data, and any restrictions you impose on our use of the data.


What is the CCPA?

The CCPA is a new California privacy law. The California Attorney General is authorized to begin enforcement on July 1, 2020. The CCPA applies to companies doing business in California that meet certain statutory thresholds. The CCPA empowers California residents (“consumers”) to control their personal information through the grant of consumer rights, including the right to sue for data breaches.

Like the GDPR, the CCPA requires businesses to provide detailed privacy notices with prescribed content, including transparent disclosures about information collection and use practices, sharing of personal information, and consumers’ privacy rights. Consumers are granted access and deletion rights, the right to opt-out of the “sale” of their personal information, and the right to sue for data breaches. Consumers also have the right to be free from discrimination for exercising these rights. Privacy notices must also be accessible to individuals with disabilities.

What is “personal information” under CCPA?

Personal information is any information that directly identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, either directly or indirectly, with a particular individual or household. This includes, for example, names; aliases; unique personal identifiers (such as social security number, driver’s license number, passport number, etc.); account or user names; IP addresses; unique device or cookie identifier, biometric data; educational, professional, or employment data; behavioral data; Internet activity data; and inferences drawn about an individual based on the foregoing or online activity.

What constitutes a “sale” of personal information?

A “sale” of personal information is any disclosure of or grant of access to personal information in exchange for money or other valuable consideration. These sales are regulated by requiring businesses that sell personal information to provide consumers detailed notice and the opportunity to opt out of these sales.

What roles are assigned to companies under the CCPA?

Companies can be a “business,” “service provider,” or “third party.” Many companies will qualify as one or more depending on the relationship of the parties and the nature of their data processing activities. This is how Gem views these roles in relation to our services and associated responsibilities:


A business is a for-profit entity that (a) does business in California, regardless of whether it has any physical presence in the state; (b) processes personal information of California residents or on whose behalf such personal information is processed;(c) alone, or jointly with others, determines the means and purposes of the processing; and (d) either: (i) has more than $25 million in annual gross revenue; (ii) annually buys, sells, receives or shares for a commercial purpose the personal information of at least 50,000 consumers, whether alone or in combination with other businesses; or (iii) derives at least 50% of its annual revenue from the sale of consumers’ personal information. If you satisfy this definition, you are a likely a business while using Gem.

Service Provider(s)

Gem is a “service provider” because we process personal information on your behalf pursuant to a written agreement. The CCPA requires that this agreement limit our ability to use the personal information we process on your behalf solely to what is needed to perform the services or as may otherwise be permitted by the CCPA. We offer our customers subject to the CCPA an addendum incorporating these terms.

Third Party

Companies with whom personal information is shared but which use the information for their own uses, including sharing with other parties, are “third parties.” Sharing with third parties must be disclosed in a business’s privacy policy and may constitute a ”sale” if performed in exchange for money or valuable consideration, with attendant obligations for the third party.

Gem’s commitment to GDPR/CCPA compliance and data privacy

Data Processing Addendum / Service Provider Addendum

We offer a data processing addendum (DPA) in accordance with the GDPR’s privacy and security requirements for our customers who process personal data for candidates located in the EEA. In turn, Gem processes or stores all personal data with vendors we have vetted and with whom we have a DPA in place. The CCPA also requires businesses to sign agreements with their service providers, so we offer our customers subject to the CCPA a CCPA compliant addendum, and have executed CCPA-compliant addenda with all our vendors.

Data inventory

We reviewed and identified all the areas of Gem where we collect and process customer data, validating with our own legal team our basis for collecting and processing personal data. We ensured that we apply the appropriate security and privacy safeguards across our infrastructure and software ecosystem. Our Privacy Policy identifies what we do with the data we collect and how we manage consent.

Individual data subjects’ rights – data access, portability and deletion

As noted above, the GDPR and the CCPA give data subjects/consumers the right to request access to, correction of, or deletion of their personal data in certain rights over their data in certain circumstances. When using Gem you can comply with deletion requests by deleting the candidates’ data from your Gem account, as well as designate the supplementary data Gem provides as excluded future use by your team. For individuals who want to access their personal data, you can export all of the relevant data from your Gem account in a computer-readable CSV format. Gem can also assist you if needed.

Records of processing activities

A requirement of GDPR is having a managed data protection impact assessment (DPIA) process. A DPIA process is a way to help identify and minimize the data protection risks of a project by ensuring that proper security and privacy due diligence is conducted when choosing tools and making implementation decisions. Gem has always developed our services with the goal of mitigating any risk to data privacy or security so we have and will continue to meet these obligations.

Data breach notifications

Under the GDPR, organizations are required to provide notifications of data breaches to authorities without undue delay. Our policies and timeframes for breach notifications based on severity can be found in our MSA and meet industry standards.


Gem has implemented what we believe to be an industry-leading security and compliance program for our product infrastructure.

Cross-border data transfers under the GDPR

To help meet the legal requirements to transfer data from the EU and Switzerland to the U.S., Gem will include the Standard Contractual Clauses in our Data Processing Addendums with customers.