GDPR Audit Trail

Overview

The GDPR Audit Trail records key candidate and submission events so agencies can evidence lawful processing when sharing profiles with clients.

What Is Tracked

  • Candidate lifecycle: creation, updates to core fields (name, contact details, anonymisation, status), deletion/restoration
  • Submission lifecycle: creation and status changes (sent, viewed, shortlisted, rejected, on hold, hired, withdrawn)
  • Submission notifications: outbound client emails for new submissions
  • Consent events: consent granted/withdrawn when recorded via the consent model
  • LIA actions: Legitimate Interest Assessments created or reviewed/approved
  • Not tracked here: submission or CV views; use submission analytics for engagement data

Data Captured

  • Timestamped event type
  • Candidate, submission, and client company links when available
  • User and agency context (or “System” when automated)
  • IP address and user agent from the request
  • Before/after values for tracked candidate field changes
  • Event details payload (e.g., status change or email recipient)

Admin Console

  • Access under Admin → GDPR Audit Log
  • Filter by event type, date range, candidate, user, or agency
  • Search IP address or event details
  • CSV export respects applied filters
  • Detail view for each entry shows context and payload

Usage Guide

  • Open Admin → GDPR Audit Log to review recent activity.
  • Apply filters to isolate specific candidates, event types, or dates.
  • Click an entry to see who performed the action and what changed.
  • Use Export to CSV when auditors request evidence.

How It Works

  • Observers and listeners automatically create audit entries when the tracked events occur.
  • Entries store a created timestamp only; day-to-day use is append-only, and updates are not part of the workflow.
  • IP addresses are retained for accountability; no geolocation or device fingerprinting is performed.
  • No automated retention window is enforced—set and execute your own audit-log retention policy.
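
The behaviour listed above, modelled in Python as an added illustration; this is not the product's own code. It shows entries that are immutable once written, before/after capture limited to tracked fields, the "System" actor fallback, and a retention purge that an operator must run explicitly. All class, field and event names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from types import MappingProxyType
from typing import Optional

# Hypothetical names throughout: the field keys, event type and classes are
# assumptions for this sketch, not the product's schema.
TRACKED = ("name", "email", "phone", "is_anonymised", "status")

@dataclass(frozen=True)  # frozen: an entry cannot be edited once written
class AuditEntry:
    event_type: str
    created_at: datetime        # created timestamp only, no updated_at
    candidate_id: int
    actor: str                  # user name, or "System" when automated
    ip_address: Optional[str]
    user_agent: Optional[str]
    changes: MappingProxyType   # read-only {field: (before, after)}

class AuditLog:
    def __init__(self):
        self._entries = []

    def record_candidate_update(self, candidate_id, before, after, *,
                                actor=None, ip=None, user_agent=None, now=None):
        """Append one entry with before/after values of tracked fields only."""
        changes = {f: (before.get(f), after.get(f))
                   for f in TRACKED if before.get(f) != after.get(f)}
        if not changes:
            return None  # only untracked fields changed: nothing to log
        entry = AuditEntry("candidate.updated", now or datetime.now(timezone.utc),
                           candidate_id, actor or "System", ip, user_agent,
                           MappingProxyType(changes))
        self._entries.append(entry)
        return entry

    def entries(self, *, event_type=None, candidate_id=None):
        """Filtered read; returns a tuple so callers cannot mutate the log."""
        return tuple(e for e in self._entries
                     if event_type in (None, e.event_type)
                     and candidate_id in (None, e.candidate_id))

    def purge_older_than(self, days, *, now=None):
        """Operator-run retention: the only path that removes entries."""
        cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=days)
        kept = [e for e in self._entries if e.created_at >= cutoff]
        removed = len(self._entries) - len(kept)
        self._entries = kept
        return removed
```

Because nothing purges entries automatically, a retention routine like `purge_older_than` has to be scheduled and its runs recorded as part of your own policy.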

Best Practices

  • Review key events when sharing sensitive candidates.
  • Export filtered logs for audit requests instead of sharing the full history.
  • Pair anonymisation and NDAs with audit logging so you can evidence how data was shared.

Related Features

  • Legitimate Interest Assessments
  • Consent Management