OIKIO’s Privacy Policy for Jobseekers
30.1.2023
Controller
OIKIO Digital Performance Agency Oy (“OIKIO”)
Business ID: 2754417-1
Eerikinkatu 27
00180 Helsinki
Contact person for registry matters
Jari Puhakka, Data Protection Officer
Fonecta Oy
Firdonkatu 2T 151, 00520 Helsinki, Finland
tietosuoja@fonecta.com
Purpose and legal basis for processing personal data
The purpose of processing personal data is to receive and process job applications and manage recruitment processes. We process data relating to the job application process of persons who have applied for our services in order to enable the necessary contacts to be made and to make decisions when filling vacancies. The jobseeker register also processes information about potential employees for business development purposes. In addition, personal data contained in the register of jobseekers may be processed for the purpose of complying with legal obligations relating to the selection of employees and for the purpose of responding to a legal claim.
The processing of personal data is based on:
- Legitimate interest to process personal data for recruitment purposes, for business development and to comply with legal obligations and to respond to a legal claim.
- Consent to the collection of personal data from referees, to the processing of personal data for aptitude tests and to the processing of personal data in connection with the performance of medical tests.
- Taking steps prior to the conclusion of the employment contract and implementing the employment contract for the persons selected for the post.
What data we process
We process the following personal data in connection with the jobseeker register:
- basic information such as name and date of birth;
- contact information, such as email address, phone number and address;
- information relating to the job applied for, such as the type and nature of the employment relationship and the person in charge of the job search process, salary requirements, starting date and any other information contained in the job advertisement and job application;
- information provided by the jobseeker about him/herself, his/her background and suitability, such as work history (e.g. employers, starting dates and duration of employment, nature of work), photograph, educational background, language skills, other specific skills, description of personal qualities, references, various certificates and assessments, references to portfolios, profiles or other sources on the internet;
- data generated during the recruitment process, such as information about the upcoming follow-up interview, interview notes, data related to the personal assessment and aptitude test carried out with the consent of the data subject and information about the end of the recruitment process;
- any other information voluntarily provided by the data subject in the context of the job search process or otherwise explicitly made public for professional purposes, such as a Linkedin profile, or, with the data subject’s consent, information collected by the controller.
The basic data of the person selected for the post and the data related to the job application are transferred to the OIKIO personnel register.
Where do we get the information
As a rule, the information is obtained from the jobseeker himself or from public sources.
In addition, information may be collected, with the consent of the jobseeker, from potential referees or service providers carrying out aptitude assessments. Where appropriate, recruitment consultants may also be used as a source of information.
Information is also generated during the application process by observing the person’s activities.
By submitting a job application, the jobseeker gives his/her consent to the collection of his/her data from his/her profile published for professional purposes, to the extent that the collection of data is necessary and related to his/her job performance, taking into account the job vacancy.
Recipients of personal data and transfer of data outside the EU or EEA
As a rule, OIKIO does not disclose the data in the register to third parties, unless the data subject’s consent has been obtained, for example, for suitability assessment. In addition, personal data may be disclosed as required by law to parties who have a legal or contractual right to obtain information from the register, such as TE Offices or to respond to a request from a public authority. Data may also be disclosed in the context of company reorganisations.
We mainly process the data ourselves, but we also use service providers who process personal data on our behalf. Such service providers include IT service providers who provide technical maintenance of systems and servers. We have ensured data protection with our service providers, for example by drawing up processing agreements for the processing of personal data.
Personal data may be stored and processed both in the EU/EEA and outside the EU/EEA, for example on the service provider’s servers in the United States. Where personal data is processed outside the EU/EEA, we will ensure that the service provider is committed to the safeguards required by data protection legislation, such as standard clauses adopted by the EU Commission.
Principles of personal data protection and retention period
Personal data is treated confidentially and the processors are bound by confidentiality.
Access to systems containing personal data is restricted to those employees whose job description requires it.
The personal data of job applicants is protected by the necessary technical and organisational measures, including access control, software security updates and backups. Each user has his/her own username and password for the systems. Data is processed in databases protected by firewalls, passwords and other technical means.
Access to the databases and their backups is restricted to certain predefined persons.
We retain personal data for no longer than is necessary for the purpose for which it is collected. As a general rule, the retention period will not exceed two (2) years. On average, open applications are kept for a maximum of 2 years. Personal data may also be kept longer than the above-mentioned retention periods on the basis of legitimate interest, based, inter alia, on the duration of the pending process and the time limits for appeals and complaints under the law. If the job applicant becomes our employee, we will keep the data related to the job application as part of his/her employee data in accordance with the Human Resources Data Protection Policy.
We regularly assess the need to retain data, taking into account applicable legislation. In addition, we will take reasonable steps to ensure that no personal data relating to data subjects which are incompatible with the purposes of the processing, outdated or inaccurate are kept in the register. We will correct or destroy such data without undue delay.
Rights of the data subject
The data subject has the right to inspect the personal data stored in the personal register concerning him or her and to request the rectification of inaccurate or incorrect data or the erasure of his or her personal data, if there are grounds for doing so provided by law. Where the processing of personal data is based on consent, the data subject has the right to withdraw his or her consent.
The controller may, on its own initiative or at the request of the data subject, supplement, correct or delete incomplete, inaccurate or outdated personal data.
To the extent that the data subject has himself/herself provided data to the register which are processed on the basis of consent or a contract, the data subject has the right to receive such data in a machine-readable format and the right to transfer such data to another controller.
For specific personal reasons, the data subject has the right to object to the processing of personal data concerning him or her where the processing is based on a legitimate interest of the controller or where the processing is necessary for the performance of a task carried out in the public interest. When making a request, the data subject must identify the particular situation on the basis of which he or she objects to the processing.
The controller may refuse to comply with the request only on the grounds laid down by law.
Data subjects have the right to request restriction of the processing of their personal data and the right to lodge a complaint with a supervisory authority. The supervisory authority in Finland is the Office of the Data Protection Ombudsman (tietosuoja(at)om.fi).
Automated decisions and profiling
The data subject has the right not to be subject to a decision based solely on automated processing, such as profiling, which produces legal effects concerning the data subject or similarly significantly affects the data subject.
The personal data contained in the register of jobseekers are not subject to automated decision-making and are not used for profiling.
Who you can contact
Inquiries and requests concerning the processing of personal data described in this Privacy Policy can be addressed to the contact person indicated at the beginning of this Privacy Policy. Contact should be made in writing or in person.
Changes to the Privacy Policy
OIKIO may update the Privacy Policy regarding the personal data of job applicants due to changes in its operations or legislation. The date of the most recent update is indicated at the beginning of the Privacy Policy.