Last updated: 10th March 2026

Introduction

This guide is here to help you get the most out of our Extended Sourcing service. You’ll find information about how it works, how responsibilities are shared, and the best practices we recommend.

Important: This guide is for informational and practical purposes only. For any specific legal questions regarding your own GDPR compliance, please consult your DPO or legal counsel. The legal and contractual obligations applicable to you are detailed in your contract and the associated DPA.

1. Understanding the service — General questions

What is Extended Sourcing?

The Extended Sourcing service gives you access to an expanded database of professional profiles located across France and the United Kingdom. This database was built in partnership with a data provider specialised in collecting and aggregating publicly available professional data.

The purpose of this service is to help you identify and contact profiles that match your recruitment needs. These profiles include both active and passive candidates, some of whom may not be actively looking for a new role but may be interested in the opportunities you offer.

How does the service work?

The Extended Sourcing service is integrated directly into your Welcome to the Jungle interface and works in four main steps.

Step 1 — Search
Use our advanced search engine to filter profiles based on your specific criteria: technical skills, years of experience, industry, education level, geographic location, languages spoken, and many other parameters.

Step 2 — View profiles
After running your search, you can view professional profiles that match your criteria. At this stage, you can only access the candidate’s public information: detailed professional background (roles, companies, dates), skills and areas of expertise, education and qualifications, and general location (city or region).

Step 3 — Access contact details
When you identify a profile that matches your needs and you want to contact the candidate, click the dedicated button to access their full contact details. This action unlocks the candidate’s email and/or phone number, allowing you to reach out directly.

Step 4 — Automatic notification
As soon as you access a candidate’s contact details, the candidate automatically receives a notification email sent by Welcome to the Jungle. This email informs them that a recruiter using our platform is interested in their profile and has accessed their contact details. The message also includes a direct opt-out link enabling the candidate to be removed from the sourcing database if they do not wish to be contacted in this context. This notification ensures transparency and respects candidates’ right to object.

Where does this data come from?

The profiles in our Extended Sourcing database come from professional information that is publicly available online, collected and aggregated by our partner People Data Labs.

These sources include:

• Public professional profiles on professional social networks
• Personal professional websites and online portfolios
• Public professional directories and industry databases

The categories of collected data are strictly limited to professional information: identity (first and last name), detailed professional background (roles, employers, employment periods), declared skills and expertise, education and qualifications, contact details, and geographic location at city or region level.

Important: We do not collect any special categories of personal data as defined under Article 9 of the GDPR.

How do you ensure GDPR compliance for this service?

GDPR compliance was built into the service from the start, following a privacy-by-design approach. We have implemented several safeguards to ensure lawful and transparent processing:

• In-depth legal and risk analysis. We conducted a comprehensive legal and risk assessment with our Data Protection Officer, identifying risks to candidates’ rights and defining the necessary protective measures.
• Thorough partner selection. We carried out an in-depth legal audit of our data provider, reviewing collection practices, legal bases, security measures, and GDPR compliance before selecting them.
• Strengthened contract. We negotiated a contract including strict protection clauses: warranties on the lawfulness of collection, indemnification clauses, the possibility of immediate termination in case of breach, and audit rights.
• Transparent information. We created a dedicated Privacy Center that is publicly accessible. In addition, each candidate receives a personalised email notification as soon as a recruiter accesses their contact details.
• Easy-to-exercise right to object. Candidates can opt out easily via the link in the notification email, via our Privacy Center, or by contacting our Privacy team.
• Enhanced security. Data encryption, strict access controls, continuous monitoring, regular backups, and periodic security audits by independent experts.
• Continuous improvement. Monthly review of the database to remove outdated profiles and process objections. Ongoing assessment of our processes in light of regulatory developments.

Have candidates consented to be included in this database?

Processing of data within the Extended Sourcing service is based on the legal basis of legitimate interest, in accordance with Article 6(1)(f) of the GDPR.

Our legitimate interest, as well as that of our recruiter customers, lies in the ability to identify and contact qualified candidates to meet specific recruitment needs. We carried out a thorough balancing test to ensure that this legitimate interest does not override candidates’ interests or fundamental rights and freedoms.

In parallel, we have implemented strong safeguards to protect candidates’ rights:

• Transparent information via our Privacy Center and individual notifications
• An absolute and easy-to-exercise right to object
• Strict limitation to necessary professional data
• Enhanced data security
• Limited retention periods with regular reviews

How are candidates informed about the use of their data?

We have put in place a two-level information framework to ensure maximum transparency:

General information, permanently available. Our Privacy Center contains a complete notice written in clear language explaining how the service works, the origin of the data, the categories processed, the legal basis, the purposes, retention periods, and how to exercise rights and opt out.

Individual notification at the time of access. In addition to the general information, each candidate automatically receives a personalised email as soon as a recruiter accesses their contact details. This message explains the context, reminds the candidate of the origin of the data, and includes a direct opt-out link.

This dual approach enables us to comply fully with our transparency obligations under Article 14 of the GDPR (information where data has not been obtained from the data subject), while giving candidates real, effective control over how their data is used.

How long do you keep this data?

We apply clearly defined retention periods aligned with the GDPR data minimisation principle:

• Profiles not viewed: Maximum 3 years from the date the data was first included in our database. This period helps keep the database relevant while avoiding excessive retention. After that, profiles are automatically deleted.
• Profiles viewed: Maximum 2 years from the last access by a recruiter, in line with CNIL recommendations and ICO guidance on recruitment. This allows for potential re-contact for future opportunities within a reasonable timeframe.
• Automated monthly review. The database and associated personal data are updated monthly. We identify and automatically delete profiles that exceed the defined retention periods, obsolete profiles, and all profiles for which candidates have exercised their right to object.

What happens in practice if a candidate opts out?

When a candidate exercises their right to object, several actions are automatically triggered:

• Removal from the database. The candidate’s profile is removed from our Extended Sourcing database and will no longer be visible after 7 days. It will no longer appear in recruiters’ search results and contact details will no longer be accessible.
• Notification to concerned recruiters. If you had already accessed the candidate’s contact details before the opt-out, you receive a notification informing you that the candidate has objected to the processing of their data in the context of sourcing.
• Traceability and compliance. We keep a record of this objection in our systems to ensure the candidate is not re-imported by mistake during later database updates. This traceability also allows us to demonstrate compliance in the event of an investigation by a data protection authority.

How is the data secured?

We have implemented a multi-layer security strategy combining technical and organisational measures:

• From a technical standpoint, we deploy robust encryption (AES-256) to protect data in transit (TLS) and at rest. Strict access controls based on the principle of least privilege ensure that only authorised individuals can access data, with all access logged and audited. Our infrastructure benefits from continuous security monitoring with intrusion and anomaly detection. We perform regular encrypted backups with periodic restoration tests, and our network architecture is segmented with advanced firewalls.
• From an organisational standpoint, we have established documented procedures for managing security incidents. Our teams receive regular training on data protection and cybersecurity. All employees and service providers are bound by strict confidentiality clauses. We carry out periodic security audits internally and with independent experts, and we maintain active monitoring of emerging threats.

2. Responsibilities and obligations — Legal questions

Who is responsible under the GDPR?

Welcome to the Jungle acts as the Data Controller for everything related to building, managing, and making the sourcing database available.

You act as an independent Data Controller as soon as you access a candidate’s contact details and contact the candidate as part of your recruitment process. Your responsibility covers:

• How you use the candidates’ contact details
• Your entire recruitment and assessment process
• Retention of candidate data within your own internal systems (ATS, recruitment CRM, spreadsheets, emails, interview notes)
• All communications and interactions you have directly with the contacted candidates (emails, phone calls, meetings)

Important: This clear allocation of responsibilities means there is no processor relationship between you and Welcome to the Jungle regarding your use of our sourcing tool.

What does this mean for your GDPR compliance?

As an independent Data Controller for your recruitment process, you have your own direct obligations under the GDPR towards the candidates you contact. In particular, you must:

• Define an appropriate legal basis for your processing purposes
• Inform candidates about the characteristics of your processing
• Respect and facilitate the exercise of candidates’ rights
• Ensure data security within your own systems
• Define and apply retention periods appropriate to your processing purpose

These obligations are complex and evolve with regulation. We strongly recommend that you consult your Data Protection Officer (DPO) or specialised legal counsel to ensure your recruitment practices are compliant. Welcome to the Jungle cannot substitute for tailored legal advice.

Where can you find your contractual obligations with WTTJ?

Your legal and contractual obligations towards Welcome to the Jungle are set out in several contractual documents you have signed or accepted when subscribing:

• General Terms and Conditions, including financial terms, mutual commitments, and termination cases.
• The DPA (Data Processing Agreement), including data protection aspects, allocation of responsibilities, security measures, and procedures in the event of a breach.
• Terms of Use, including rules for using the platform, expected best practices, and prohibited behaviour.

These documents form the complete contractual framework of our business relationship and define your rights and obligations in detail. We encourage you to review them carefully and to contact your Account Manager or our support team if you have questions.

3. Using the service — Best practices

What should you do before accessing a candidate’s contact details?

• Check whether the profile is relevant. Each access to contact details triggers a notification to the candidate. Take the time to verify that the profile truly matches your need by reviewing their professional background, skills, education, and location. Only access contact details when you have a real and immediate intention to contact the candidate about a concrete opportunity. Do not access contact details out of curiosity or to build a general database without a specific purpose.
• Prepare your outreach. Before contacting a candidate, clearly identify the specific role, prepare a personalised message showing you have reviewed their profile, and make sure you have the information needed to present the opportunity clearly.

What should your first contact with a candidate include?

• Be transparent. State who you are, your company, how you obtained the contact details (via Welcome to the Jungle), and the opportunity you are offering. Also inform the candidate that they can exercise their right to object.
• Respect preferences. If a candidate does not respond or declines your proposal, respect their decision. If the candidate asks not to be contacted again, comply immediately.

How should you handle data during and after the recruitment process?

• Handle data appropriately. Limit data sharing to those involved in the recruitment process, document exchanges proportionately, and promptly handle candidates’ rights requests.
• Respect retention obligations. Define suitable retention periods for successful and unsuccessful candidates, in line with recommendations from your DPO, the CNIL, or the ICO.

Important: These recommendations are general. As a Data Controller, you must comply with the GDPR and follow your own internal data protection policies. We recommend that you:

• Consult your DPO for any compliance questions
• Follow the guidance of your legal and compliance teams
• Refer to CNIL and ICO resources relevant to recruitment

Welcome to the Jungle cannot substitute for your internal or external legal advice.

4. Rules of use — Do’s and don’ts

For what purposes may you use the service?

Permitted uses:

• Use the service only for legitimate recruitment with real, current needs
• Access contact details only for truly relevant profiles
• Contact candidates in a professional and respectful manner
• Personalise messages and clearly explain the opportunity
• Be transparent about the source of the contact details (Welcome to the Jungle)

Prohibited uses:

• Access contact details out of curiosity or without a clear recruitment purpose
• Use the data for commercial prospecting or advertising
• Build a general database without a concrete recruitment project
• Share or resell data to third parties
• Use the data to contact candidates for purposes other than recruitment

How should you respect candidates’ rights?

Do:

• Clearly inform candidates from the first contact
• Immediately respect requests to object or to have data deleted
• Respond to rights requests within the legal time limits
• Facilitate the exercise of rights (simple form, dedicated email)

Don’t:

• Ignore candidates’ rights requests
• Exceed the legal response deadlines
• Refuse a legitimate request to delete or object
• Make it difficult or complex to exercise rights

What communication practices should you avoid?

Don’t:

• Harass candidates with excessive follow-ups
• Use an aggressive or inappropriate tone
• Misrepresent the origin of the contact details or the purpose of the outreach
• Contact a candidate who has explicitly asked not to be contacted

5. Practical situations — FAQ

A candidate asks where their contact details came from. What should you answer?

Be transparent:

• Explain that you found the candidate’s profile via the Welcome to the Jungle sourcing tool
• Specify that the data comes from publicly available professional sources
• Mention that the candidate received a notification email from WTTJ when you accessed their contact details
• Inform the candidate that they can opt out via the link in the email or by contacting WTTJ directly at privacy@welcometothejungle.com

I see a “greyed out” profile in my interface. What does that mean?

The candidate has exercised their right to object and asked to be removed from the sourcing database.

What this means for you:

• The profile will be automatically deleted and no longer visible after 7 days
• If you previously exported the candidate’s data and the candidate never responded to your outreach, delete all of their personal data from your systems
• Do not contact this candidate again through this channel

6. Updates to this guide

This guide is updated regularly to reflect:

• Regulatory changes (GDPR, Labour Code, ICO guidance)
• New service features
• Feedback and best practices

7. Contact

For questions about this guide or the Extended Sourcing service:

• Your Account Manager
• Support team: https://help.welcometothejungle.com/en/kb-tickets/new

For data protection questions:

• Privacy team: privacy@welcometothejungle.com