GDPR Compliance

GDPR is a comprehensive set of rules that replaces the existing Data Protection Directive (Directive 95/46/EC) and is enforced across the EU. It is designed to empower EU citizens by putting them directly in control of how their data is processed, and to protect their data privacy given the increasingly complex nature of personal data transmission across the world.

  • The content presented herein is not to be construed as legal advice. Please contact your legal advisor to know how GDPR impacts your organization and what you need to do to comply with the GDPR.

  • The following changes to the API are applicable only for modules that have GDPR Compliance enabled.

Organization API

A new key, privacy_settings, is added to the Organization API. The data type of this field is boolean, i.e. true or false.

  • If privacy_settings=true, GDPR Compliance is enabled for the Org.

  • If privacy_settings=false, GDPR Compliance is disabled.

Fields API

A new field in Recruit named Data Processing Basis Details carries the lawful data processing basis for a particular record. You determine the values of this field based on how you want to process your customer's data.

Currently, this field is supported only in Candidates, Contacts, Vendors, and Custom Modules.

A new key named private is added to the Fields API to mark a field as a protected field. The value of the key is either a JSON object or null.

Fields are made private by enabling the option in the Layout editor. If the user creates a protected field but does not select the sensitivity of the data (sensitive/normal), the private key is null.

The type attribute is either High or Low, based on the sensitivity of the data. Once privacy settings are enabled for the Org, whether a private field's value is shown in the records GET API depends on the Preferences settings.

The High and Low values correspond to the Sensitive and Normal values of Personal Fields in the Recruit UI.

If restricted in the private key is true, the values of that field are not exposed in any record-related API.

Records API - INSERT

When inserting a record, the Data Processing Basis Details key must be included in the POST request. This key contains the details of the consent form accepted by the customer; in other words, it is how consent details are attached to a particular record within a request.

The value of this key is a JSON object.

  • The same request pattern applies to the Update and Upsert records APIs.

  • If Data Processing Basis Details are not specified when inserting a record, the Data_Processing_Basis_Details key is set to null.

Records API - GET

This API retrieves all the data of a record along with the consent details. In "Sample Request: To get a record from Candidates module", the Email field is marked as a private field, so its value is returned as null.

  • The example also applies to bulk operations (Bulk Get, Bulk Insert, etc.).

  • In the sample response, the Email field is privacy protected, so its value is null even though the record has an email. Add include=private_fields to the params of the request URL to include the private fields in the response of any GET API.

  • If the $stop_processing key of a record is true, that record cannot be used in any Update, Upsert or Convert Lead process.

Search APIs

The Data Processing Basis (Lawful Basis) details are shown along with the record details in the Search APIs.

In "Sample Request: To search for records in Candidates module based on criteria", the Email field is marked as private with restricted=true, so its value is null.

The following error is thrown when a record with that email is searched for through criteria:

    {
        "code": "INVALID_QUERY",
        "details": {
            "reason": "Cannot use the restricted field.",
            "api_name": "Email"
        },
        "message": "invalid query formed",
        "status": "error"
    }

  • The output responses of the Search APIs are similar to those of the GET APIs.

  • A restricted private field cannot be searched through Criteria.
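The Fields API metadata above (private with type and restricted), the GET and INSERT rules for Data_Processing_Basis_Details and $stop_processing, and the Search API's INVALID_QUERY rejection of restricted fields can all be enforced on the client before a request is sent. The following is an added example, not Zoho's own code or SDK: the {"fields": [...]} wrapper of the Fields API response, the (Field:operator:value) criteria syntax, the record id and the contents of Data_Processing_Basis_Details are assumptions for illustration; the private key format, $stop_processing and the error behaviour are as documented on this page.

```python
import json
import re

# Constructed sample of a Fields API response. The {"fields": [...]} wrapper
# and the field names are assumed for this example; the "private" value format
# (a JSON object with "type" High/Low and "restricted" true/false, or null) is
# the one the documentation describes.
SAMPLE_FIELDS_RESPONSE = json.dumps({
    "fields": [
        {"api_name": "Last_Name", "private": None},
        {"api_name": "Email", "private": {"type": "High", "restricted": True}},
        {"api_name": "Phone", "private": {"type": "Low", "restricted": False}},
        {"api_name": "Data_Processing_Basis_Details", "private": None},
    ]
})

# Constructed sample record, as a GET sent with include=private_fields might
# return it (so the protected Email value is present). The id and the contents
# of Data_Processing_Basis_Details are hypothetical placeholders.
SAMPLE_RECORD = {
    "id": "100000000000001",
    "Last_Name": "Candidate",
    "Email": "candidate@example.com",
    "Phone": "+1-555-0100",
    "Data_Processing_Basis_Details": {"consent_form": "hypothetical-v1"},
    "$stop_processing": True,
}

SENSITIVITY_RANK = {"Low": 1, "High": 2}   # High = Sensitive, Low = Normal in the UI

# Search criteria are assumed to look like (Field:operator:value), possibly
# combined with and/or; the pattern pulls out each field name.
CRITERIA_FIELD = re.compile(r"\(\s*([A-Za-z0-9_$]+)\s*:")


def classify_fields(fields_response_json):
    """Map each api_name to its privacy metadata.

    A private key of null carries no sensitivity, so such a field is treated
    as not private here (the documented case of a protected field whose
    sensitivity was never selected in the Layout editor).
    """
    classification = {}
    for field in json.loads(fields_response_json)["fields"]:
        meta = field.get("private")
        if isinstance(meta, dict):
            classification[field["api_name"]] = {
                "private": True,
                "sensitivity": meta.get("type"),
                "restricted": bool(meta.get("restricted", False)),
            }
        else:
            classification[field["api_name"]] = {
                "private": False, "sensitivity": None, "restricted": False,
            }
    return classification


def restricted_fields(classification):
    """Fields whose values never appear in record APIs and cannot be searched."""
    return {name for name, meta in classification.items() if meta["restricted"]}


def check_criteria(criteria, classification):
    """Return the field names a criteria string references, or raise ValueError
    before the request is sent if one of them is restricted (the server would
    otherwise answer INVALID_QUERY, "Cannot use the restricted field.")."""
    names = CRITERIA_FIELD.findall(criteria)
    blocked = [n for n in names if classification.get(n, {}).get("restricted")]
    if blocked:
        raise ValueError("restricted field(s) in criteria: " + ", ".join(blocked))
    return names


def redact_private(record, classification, threshold="Low"):
    """Copy of `record` with private fields at or above `threshold` sensitivity
    set to None, for logs or exports that must not carry personal data.
    threshold="Low" redacts Normal and Sensitive fields, "High" only Sensitive."""
    floor = SENSITIVITY_RANK[threshold]
    cleaned = dict(record)
    for name, meta in classification.items():
        rank = SENSITIVITY_RANK.get(meta["sensitivity"], 0)
        if meta["private"] and rank >= floor and name in cleaned:
            cleaned[name] = None
    return cleaned


def can_modify(record):
    """Update, Upsert and Convert are refused once $stop_processing is true."""
    return not bool(record.get("$stop_processing", False))


def insert_payload_problems(record):
    """Problems to fix before POSTing a record to a GDPR-enabled module."""
    problems = []
    if not isinstance(record.get("Data_Processing_Basis_Details"), dict):
        problems.append("Data_Processing_Basis_Details missing: "
                        "the record would be stored with it set to null")
    return problems


if __name__ == "__main__":
    cls = classify_fields(SAMPLE_FIELDS_RESPONSE)
    print("restricted:", restricted_fields(cls))
    print("safe to log:", redact_private(SAMPLE_RECORD, cls, "High"))
    print("may update:", can_modify(SAMPLE_RECORD))
    try:
        check_criteria("(Email:equals:candidate@example.com)", cls)
    except ValueError as err:
        print("blocked search:", err)
```

Refresh the classification from the Fields API whenever the layout changes, since a field's private metadata (and therefore what redact_private strips and what check_criteria blocks) is set in the Layout editor, not in the record itself.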

Sample Response: To get Organization Data

curl "" \
-H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"