Reimbi
Candidate Reimbursement Reimagined

GDPR Compliance

Reimbi GDPR Compliance

Organizations established in the EU and processing personal data of EU-based individuals are required to comply with the GDPR by May 25, 2018. The GDPR updates and harmonizes the framework for processing personal data in the European Union and brings with it new obligations for organizations and new rights for individuals.

Reimbi is fully committed to complying with the requirements of the GDPR. We have analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the requirements of the GDPR. We have taken these requirements to heart and made changes to our products, contracts and policies to ensure that we are in compliance with the GDPR. It is important to note that GDPR does not have an accredited certification method. That means, there is no GDPR-approved way to demonstrate compliance.

A foundational element of GDPR is a principled approach to privacy and security. Reimbi has pro-actively submitted a certification request for EU-US and Swiss-US Privacy Shield compliance. Reimbi meets the current privacy requirements of Europe by implementing the following privacy principles:

  • Notice
  • Choice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Recourse, Enforcement and Liability

You can find how Reimbi is complying with these principles at our website at https://www.reimbi.com/privacy-policy.

Reimbi is both a controller and a processor of data under GDPR. When it comes to our customer’s data, we are a processor. Our customers give us information about their recruiting teams, for example, the candidate data they store associated with open roles, and so on, and we are only authorized to use it as that team permit us to do so. If that team decides to no longer be a customer of ours, we lose the permission to use their information.

When we collect candidate information, however, we act in the role of a controller. A controller under GDPR is an entity that has decision making power for how that data will be used and we take this responsibility very seriously. Internally, our team spends a significant portion of our time thinking about the data we license and acquire.

To be a controller that is GDPR compliant, we must have a legal basis for collecting EU data. Processing is lawful if one or more of the following apply:

  • Consent
  • Performance of contract
  • Compliance with a legal obligation
  • Vital interests
  • Public interest
  • Legitimate interest where the individual’s rights are not overridden

Reimbi relies on the legal basis of legitimate interest. Not only do we provide a service to our customers in helping them process expense reports, but we help individuals receive their funds very quickly. Our interest doesn’t hurt these requesters, in fact it’s quite the opposite.

Another important element of GDPR is Data Security. Reimbi’s key data sub-processor, i.e. Digital Ocean, maintains rigorous security standards (SOC2 and/or ISO 27001 certifications, where possible), and undergo annual vendor reviews.

Reimbi believes that as a SaaS company, security and privacy is a shared responsibility with our customers. As we mention above, Reimbi acts as a “Data Controller” when it obtains job candidates profile data and processes it to issue expense reimbursements. Reimbi acts as a “Data Processor” when reimbursements are issued to candidates. Subsequent access and use of personal data made visible to the recruiter/customer (e.g. when our customer moves candidate profiles into their ATS) must be carried out upon your having a valid legal ground, such as legitimate interest to store and process data. In this case, the Reimbi customer becomes a Data Controller and must take the appropriate technical and organizational measures to safeguard the personal data it controls. Controller is responsible for demonstrating compliance with the GDPR (principle of “accountability”). We are committed to partnering with you to help you successfully meet your GDPR, and privacy requirements.