Table of Contents:
1 Data Controller
2 What do we mean by different terms?
3 For what purposes do we process your personal data?
4 What types of data can we process?
5 How do we collect Personal Data?
6 Who can we share your Personal Data with?
7 Do we transfer your Personal Data outside the European Union?
8 How long do we process your Personal Data for?
9 How can you use your rights relating to your Personal Data?
10 Other terms
11 How can we update this privacy notice?
1 Data Controller
Ellun Kanat Oy (business ID: 2201275-8) [”Data Controller”]
Address: Käenkuja 3a, 00500 Helsinki
Telephone: +358 45 878 6557.
Email: tietosuoja@ellunkanat.fi
Contact person for queries relating to data protection:
Olli Karppinen, olli.karppinen@ellunkanat.fi
2 What do we mean by different terms?
”Data Subject” refers to the natural person whose Personal Data the Data Controller processes in the manner set out in this privacy notice.
”Personal Data” refers to any information relating to an identified or identifiable Data Subject, such as name, address, email address, phone number and educational and/or professional background.
“processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3 For what purposes do we process your Personal Data?
We process the Personal Data for the following purposes (one or several may apply):
We use your Personal Data to conduct the recruitment process and associated communications relating to your job application
We may use your Personal data to develop our business activities, such as improving our recruitment processes
The grounds for processing pursuant to Article 6 of the General Data Protection Regulation (“GDPR”) are:
- You have given your consent to the processing of your Personal Data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which you, or the organization you represent, is a party;
- Processing is necessary for compliance with a legal obligation to which the Data Controller is subject
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data
We have certain rights relating to the legitimate interest of our business, such as the right to develop our business and recruitment processes.
Where the grounds for processing are not based on the performance of a contract or legitimate interests, we may ask for your consent to other kinds of processing.
We may also process your Personal Data in order to fulfil regulatory obligations, such as those relating non-discrimination legislation.
In addition to the above, we may process your Personal Data where we consider doing so necessary for security reasons.
4 What types of data can we process?
The Personal Data we process may contain the following types of data and modifications made therein:
A. Basic information
• first and last names
• contact information (address, email address, phone numbers)
• sex
• date of birth or identity number
• photo
• language proficiency
• nationality
• communications directed to the Data Subject and activity relating to such communications
• information relating to health- and drug testing (where applicable)
• the use of rights relating to personal data
B. Information relating to employment
• employment history
• education
• received certificates
• knowledge, skills and expertise (such as IT skills)
• job application and curriculum vitae
• requests for salary and employee benefits
• results of personality- or aptitude testing (through recruitment consultants for example)
• samples of previous work or presentations (such as a portfolio of creative works)
• contents of social media (with consent)
• other information received over the course of recruitment interviews and checking of references
• work permit (if applicable)
• credit information (if applicable)
• criminal record (if applicable)
5 How do we collect Personal Data?
We collect Personal Data from you directly, including from the following sources
• forms on our web page
• physical (paper) forms
• telephone conversations during which you give us Personal Data
• email messages in which you give us Personal Data
• personal conversations
• job application videos
We may, with your consent, collect Personal Data from third parties, such as the following:
• persons you specify as references
• organisations that provide recruitment consulting and personality- and aptitude testing for the Data Controller
We may collect Personal Data from third parties without your consent, if:
• a public authority discloses information to the Data Controller in order for the latter to comply with legal obligations
• the employer procures personal credit information or criminal records in order to assess the aptitude or suitability of the employee
The Data Controller may receive and update into its database Personal Data from public authorities and organisations that provide information on private persons.
6 Who can we share your Personal Data with?
We do not hand over, sell, or in any other way disclose your Personal Data to third parties, unless otherwise specified below.
We share your personal data with our third-party service providers (“Data Processors”). These services may for example include conducting aptitude testing. We do not permit such third parties to use your data for any other purpose than providing the agreed services in compliance with this privacy notice and applicable legislation.
We may share your Personal Data in connection with a merger, acquisition, or other form of restructuring, or when a service is transferred to another service provider. We may disclose your Personal Data where compelled to do so by a court of competent jurisdiction or other legal authority.
7 Do we transfer Personal Data outside the European Union?
In providing our services, we may use resources and servers located in different parts of the world. In doing so, we may transfer your Personal Data outside the country in which the services are used, including to countries outside the European Union where different data protection legislation applies.
In such cases, we will ensure the lawfulness of the transfer and protect your data using, where necessary, data processing agreements and/or model contracts approved by relevant public authorities, along with requiring the recipient of personal data to comply with the relevant technical and other information security requirements.
8 How long do we process your Personal Data?
We may process your Personal Data for the 2 calendar years following the year in which you applied. For example, we may retain an application received on 1.4.2019 until 31.12.2021. We may process your Personal Data for as long as you consent to such processing, should you for example wish to leave an application waiting for potential open positions in the future.
We may process your Personal Data as long as permitted by applicable law, such as non-discrimination legislation.
Should your job application lead to employment, your Personal Data will be processed in our employee database in accordance with the privacy notice applicable to that database.
9 How can you use your rights relating to your data?
As a Data Subject, you have a number of rights to influence the processing of your data. We aim to fulfil your request within 1 month of receiving it. To use your rights, you can get in touch using the contact information specified in section 1 of this notice.
Your rights are listed below. Please note that the extent to which these rights are applicable to you depends on the grounds for processing your data, meaning that not all of the rights listed below are applicable in all situations.
a) Right to information and access to Personal Data. This means that following a suitable request, we will deliver to you a report about Personal Data concerning you that is held by us.
b) Right to rectification. If you notice that the Personal Data concerning you held in our databases is inaccurate, you can request to rectify it.
c) Right to erasure. We are obligated to erase from our databases the categories of Personal Data concerning you that you request, if one of the following grounds applies, and applicable legislation or other orders of competent authorities, do not create an obligation to retain such data:
1. Your Personal Data is no longer needed for the purposes for which it was processed;
2. You withdraw the consent you have given, and there are no other legal grounds for processing;
3. You object to the processing for reasons relating to your particular personal situation, and there are no other grounds for processing, or you object to the use of your Personal Data for direct marketing purposes;
4. Your Personal Data has been processed unlawfully;
5. Your Personal Data must be erased in order to comply with a legal obligation that applies to the Data Controller under European Union or Finnish national legislation;
6. Your Personal Data has been collected in connection with providing information society services, such as digital information services provided by the Data Controller;
d) Right to restriction of processing. You may request that we restrict the processing of your Personal Data, if:
1. You contest the accuracy of the Personal Data we have;
2. The processing is unlawful, and you oppose the erasure of the Personal Data and request the restriction of their use instead;
3. We no longer need the Personal Data in question for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims;
4. You have objected to processing pending the verification whether our legitimate grounds override yours;
e) Right to object to processing of your Personal Data. If we process your data on the basis of a legitimate interest, you have a right to object to the processing of your Personal Data on grounds relating to your particular situation. All Data Subjects whose Personal Data is contained in databases covered by this privacy notice have a right to object to the processing of their data for direct marketing purposes.
f) Right to data portability. If the automatic processing of your Personal Data is done on the grounds of your consent or a contract, you have a right to receive the Personal Data concerning you in a structured, commonly used and machine readable format, and a right to transmit those data to another data controller.
g) Right to withdraw consent. If a section or all of your Personal Data is processed within the databases covered by this privacy notice on the grounds of your consent, you have a right to withdraw your consent.
h) Right to lodge a complaint with a supervisory authority. If a potential dispute between the you and the Data Controller relating to the processing of your Personal Data is not resolved amicably, you have a right to lodge a complaint to a supervisory authority for the resolution of the dispute.
10 Other terms
In order to fulfil the obligations relating to the contractual relationship between us, it is necessary for us to process your Personal Data. Without the necessary Personal Data, we cannot perform the recruitment process.
We are a Finnish company. The Personal Data to which this privacy notice applies is governed by the national legislation of Finland and applicable EU legislation, such as the General Data Protection Regulation.
11 How can we update this privacy notice?
We are constantly developing our business which may lead to changes relating to our processing of Personal Data. We will update this privacy notice to reflect any such changes made. Changes may also be based on changes in applicable legislation. We recommend that you review this privacy notice regularly.
