Privacy statement for the job applicant register of Moovy Oy
This privacy statement pursuant to Articles 13 and 14 of the General Data Protection Regulation (679/2016/EU) describes how the Controller processes personal data of job applicants.
1. Contact details of the Controller
Moovy Oy
P.O. Box 15, FI-33211 Tampere
Business ID: 3375902-1
Email: asiakaspalvelu@finnpark.fi
2. Personal data processed
Personal data necessary for recruitment is collected and processed, including for example:
Identification and contact details of the data subject, such as name, personal identity number, nationality, address, telephone number, email address, bank account details and next-of-kin information
Professional qualifications and competence information, such as education and study history, language skills, IT skills and other job-related special skills or competencies
Information related to the work history of the data subject, such as work history and references
Information related to the recruitment process, such as the start and end time and method of the application process, information related to the management of the application process and communication, memoranda and notes made from applications and interviews, information related to personal assessments where necessary for the position applied for, information on availability, credit information where permitted by law, job preferences and areas of interest, secondary occupations and positions of trust, and changes to such information
The job application, CV and attachments submitted by the applicant
3. Purpose of processing personal data and legal bases
The Controller processes personal data of job applicants for the purpose of managing the recruitment process and related activities.
The legal bases for processing personal data are:
Pre-contractual measures at the request of the data subject (Article 6(1)(b) of the General Data Protection Regulation (GDPR)) when a person applies for a job and provides their personal data to the employer so that the employer can assess the conclusion of a possible employment contract. In such cases, the employer processes, for example, the application, CV, education details, work experience and interview notes in order to assess the conclusion of an employment contract
The legitimate interest of the Controller (Article 6(1)(f) GDPR), for example for documenting the recruitment process, for the management of potential discrimination situations or for comparing applicants
The consent of the data subject (Article 6(1)(a) GDPR), when data is retained for future recruitment processes or processed for the purpose of recruitment-related communication
No automatic decision-making is used in the processing of personal data and the data is not used for profiling.
4. Regular sources of personal data
The register mainly contains data provided by the applicant themselves.
With the consent of the data subject, data may also be collected from services used by the applicant, such as LinkedIn, and from the Controller’s partners, such as companies providing recruitment-related services, or from authorities.
Data may also be collected from publicly available sources without the consent of the data subject.
5. Disclosure and transfer of personal data
Personal data contained in the register is not regularly disclosed to third parties.
Personal data may be transferred to partners of the Controller who process personal data on behalf of the Controller in accordance with the Controller’s instructions. The processor does not have the right to process personal data for its own purposes.
Personal data is not disclosed otherwise than for the purposes described above unless required by legislation.
6. Transfer of data outside the EU or the EEA
Personal data contained in the register is stored on a server located within the European Union.
If personal data is transferred outside the European Union/European Economic Area (EU/EEA), for example if a service provider is located outside the EU/EEA, the Controller ensures that the transfer is carried out in accordance with applicable data protection legislation, such as decisions on an adequate level of protection adopted by the European Commission.
7. Principles of data protection
The protection and processing of personal data complies with the provisions and principles of the General Data Protection Regulation and other applicable data protection legislation, as well as with instructions issued by authorities and good data processing practices.
The electronic data contained in the register is stored in databases protected against misuse and unauthorised access by firewalls, passwords and other technical and application-level solutions commonly used in business operations.
The electronic register data is located in access-controlled, locked and monitored facilities. Access to the register is monitored by means of personal user IDs and passwords. Only persons whose duties require access to the register have access to it. The Controller’s personnel and subcontractors are bound by confidentiality obligations.
8. Data retention period
Personal data is retained only for as long as necessary to fulfil the purposes defined in this privacy statement or for as long as required by law.
Data is retained for a maximum of 2 years after the end of the recruitment process. Open applications are retained for 1 year from their receipt.
If, during the retention period, it becomes necessary to retain the data for the investigation of suspected misuse or for legal proceedings, personal data will be retained for as long as required for such purposes or until the matter has been finally resolved and enforced.
9. Rights of the data subject
The data subject has the right to access their personal data in the register free of charge once per year.
For more frequent requests, the Controller may charge a reasonable fee covering the direct costs. A written request must be submitted to the Controller using the contact details provided above. Before disclosing the data, the identity of the data subject will be verified to ensure that the data is not disclosed to unauthorised persons.
If the data subject notices that the personal data in the register is inaccurate, incomplete or has been processed in violation of the purpose of the register or applicable legislation, they may request that the Controller rectify, restrict or erase the personal data by contacting the Controller using the provided contact details.
In addition, a person who considers that their rights under the GDPR have been infringed has the right to lodge a complaint with a supervisory authority. The Finnish national supervisory authority is the Office of the Data Protection Ombudsman, whose contact details are:
Office of the Data Protection Ombudsman
P.O. Box 800, Lintulahdenkuja 4, FI-00530 Helsinki
Tel. +358 29 56 66700
tietosuoja@om.fi
www.tietosuoja.fi
10. Changes to the privacy statement
The Controller continuously develops its operations and therefore reserves the right to amend this privacy statement. Changes may also be based on changes in legislation. The Controller recommends reviewing the content of the privacy statement regularly.
