Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Zoho Recruit is an applicant tracking and recruitment platform from Zoho Corporation. When its career page widgets or embedded application forms are placed on a website, the service drops first party and third party cookies, collects CV data, names, addresses and email identifiers, and may transfer recruitment data to data centres in the United States, India or Australia depending on the tenant configuration.
Zoho Recruit is the applicant tracking and recruitment system published by Zoho Corporation, an Indian company with regional offices in the United States, the European Union, the United Arab Emirates, Japan and Australia. Most European websites integrate Zoho Recruit in three ways: a hosted career site under a recruit.zoho.eu or recruit.zoho.com subdomain, a JavaScript widget that injects application forms into the corporate website, and a direct embed of an iframe pointing to the Zoho job page.
Whichever integration is chosen, the candidate browser ends up exchanging requests directly with Zoho infrastructure, which makes the platform a non strictly necessary third party from the perspective of Article 5(3) of the ePrivacy Directive.
Zoho Recruit sets persistent and session cookies under the zoho.com, zoho.eu and zohopublic.com domains, typically including CSRF tokens, JSESSIONID, ZCAMPAIGN_CSRF_TOKEN and the iamcsr authentication cookie. It also reads the IP address, user agent, referrer and approximate geolocation of every visitor that loads a job listing or opens an application form.
As soon as a candidate submits an application, Zoho processes the full curriculum vitae, the contact details, work history, references and any document the candidate decides to upload. Some of these documents (such as copies of passports or work permits) can include special category data within the meaning of Article 9 GDPR.
Because Zoho Recruit cookies are not strictly necessary for the corporate website itself, Article 5(3) of the ePrivacy Directive requires prior, informed and freely given consent before the widget loads. In parallel, the processing of applicant data falls under Article 6(1)(b) GDPR (steps prior to entering into a contract) and Article 88 GDPR, which allows Member States and collective agreements to set additional safeguards in the employment context.
Controllers must publish a candidate privacy notice that lists Zoho Corporation as a processor, names the data centre region, sets a retention period for rejected applications (CNIL recommends two years) and describes any automated decision logic.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Load the Zoho Recruit script only after the visitor accepts the recruitment or functional category in your consent management platform. The script tag must be wrapped in a conditional loader, with a type attribute such as text/plain swapped to text/javascript on opt in. Do not pre check the application form box and do not present the cookie banner as a continued browsing wall, which both the CNIL and the AEPD treat as invalid consent.
Zoho operates an EU data centre (Dublin and Amsterdam) since 2017. European customers should select this region when creating the tenant; this keeps applicant records inside the EEA at rest. Even so, support engineers in India and the United States can access tenant data for incident handling, which qualifies as an onward transfer.
Sign the Zoho Data Processing Addendum, rely on the Standard Contractual Clauses 2021 and document supplementary measures such as encryption at rest, role based access, and a transfer impact assessment in line with the EDPB Schrems II recommendations.
List Zoho Recruit in your record of processing activities and your cookie register, expose a candidate privacy notice on every job page, and block the widget by default behind a CMP category labelled Recruitment. Configure the retention rules inside Zoho Recruit so rejected applications are deleted or anonymised after two years, enable two factor authentication on every recruiter account, and review the audit log monthly.
Websites using Zoho Recruit must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is advised when Zoho Recruit is used at scale, when it is combined with automated screening or scoring of candidates, when sensitive data such as identity documents or background checks are uploaded, or when applicant data is transferred outside the EEA. Document the Zoho data centre region, the retention period applied to rejected candidates, the categories of HR staff with access, and the logic of any automated filtering under Art. 22 GDPR.
Sample consent text
We use Zoho Recruit to display our application form and manage your job application. With your consent, Zoho will set cookies, receive your CV and contact details, and may transfer this data to its data centres outside the European Union. You can withdraw your consent at any time via the cookie settings link in the footer.
Third-party domains contacted
zoho.comzoho.eurecruit.zoho.comrecruit.zoho.euzohopublic.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| iamcsr | Persistent | 1 year | Identity and access management CSRF token used by the Zoho authentication layer to protect form submissions on Zoho Recruit pages. |
| JSESSIONID | Session | Browser session | Java application server session identifier used by Zoho Recruit to bind candidate requests to the same backend session during a visit. |
| zccpn | Persistent | 1 year | Anti CSRF token deposited by Zoho on its public job pages and embedded widgets to prevent cross site request forgery on application forms. |
| ZCAMPAIGN_CSRF_TOKEN | Persistent | 1 year | CSRF protection token used when the careers page exposes Zoho Campaigns sign up to receive future job alerts. |
| _zcsr_tmp | Session | Browser session | Temporary session token used to authenticate candidate interactions with embedded Zoho Recruit forms. |
Zoho Recruit uses cookies for user preferences — inform visitors with a consent banner.
When the Zoho Recruit widget loads on a website, it sets first party and third party cookies on the zoho.com, zoho.eu and zohopublic.com domains, typically including CSRF tokens, JSESSIONID, ZCAMPAIGN_CSRF_TOKEN and the iamcsr authentication cookie. The platform also reads the visitor IP, user agent and referrer. When a candidate submits an application, Zoho processes the full curriculum vitae, contact details, work history, references and any uploaded files. Some documents, such as a passport or work permit, can include special category data within the meaning of Article 9 GDPR.
Yes. The cookies and remote resources loaded by Zoho Recruit are not strictly necessary for the corporate website, so Article 5(3) of the ePrivacy Directive, the CNIL Guidelines on cookies and the German TDDDG all require prior, freely given and informed consent. The script tag must stay blocked until the visitor actively accepts a Recruiting or Functional consent category. Pre ticked boxes or continued browsing do not qualify as valid consent, and the consent must be as easy to withdraw as it was to give.
The cookies and tracking layer rely on Article 6(1)(a) GDPR (consent), in combination with Article 5(3) ePrivacy. The recruitment processing itself usually rests on Article 6(1)(b) GDPR (steps prior to entering into a contract). In the employment context, Article 88 GDPR allows Member States and collective agreements to add specific safeguards, and Article 9 applies if the candidate uploads health or biometric data. If the recruiter wants to keep a CV in a talent pool beyond a single vacancy, explicit consent under Article 6(1)(a) is the most defensible basis.
It can. Zoho Corporation is headquartered in India and runs data centres in the United States, India, Australia and the European Union (Dublin and Amsterdam). The tenant administrator chooses the region at sign up. Even when the EU region is selected, support engineers based outside the EEA may access tenant data for incident handling. Such access counts as an onward transfer under Schrems II. Sign the Zoho Data Processing Addendum, rely on the Standard Contractual Clauses 2021 and complete a transfer impact assessment that documents encryption, access controls and audit logging.
A DPIA is recommended whenever Zoho Recruit is used at scale, when it is combined with automated screening, scoring or AI assisted matching, when sensitive documents are uploaded, or when applicant data leaves the EEA. The CNIL high risk list and the EDPB criteria treat automated evaluation of personal aspects, large scale processing and innovative technology as DPIA triggers. The assessment must document the data flows, the lawful basis, retention periods, recipient categories, the role of human review and the safeguards applied to international transfers.
Block the widget by default in your consent management platform under a Recruiting category. Load the script tag only after the visitor actively accepts that category. Publish a candidate privacy notice on every job page that lists Zoho Corporation as a processor, names the data centre region, sets a retention period for rejected applications and explains any automated filtering logic. Inside Zoho, enable two factor authentication on every recruiter account, restrict export permissions, and configure retention rules so rejected CVs are deleted or anonymised after the chosen period.
European hosted applicant tracking systems include Teamtailor (Sweden), Recruitee (Netherlands), SmartRecruiters EU instance, Greenhouse with an EU data residency option, Personio (Germany) and Welcome to the Jungle ATS (France). Each option keeps applicant data inside the EEA at rest, signs a GDPR aligned data processing agreement and offers role based access. The compliance gain depends mainly on choosing a vendor with EU storage, transparent sub processors and a Schrems II compatible transfer mechanism for any support access from outside the EEA.
Add a dedicated section that names Zoho Corporation as the third party, lists the cookie families set on zoho.com, zoho.eu and zohopublic.com with their purpose and lifetime, and explains that loading the widget is blocked until consent is granted. The candidate privacy notice must also state the lawful basis (Art. 6(1)(b) and Art. 88 GDPR), the categories of recipients inside Zoho, the data centre region, the retention period, the international transfer mechanism (SCCs plus supplementary measures) and the candidate rights of access, rectification, erasure and objection.