Published July 11, 2018

Privacy policy for the Finnish Innovation Fund’s (Sitra) job applicant register

1 Controller 

The controller of the register is the Finnish Innovation Fund Sitra (business ID 0202132-3). 

Contact person in matters concerning the register:
Pirta Karlsson

Personnel Chef

Finnish Innovation Fund Sitra
Address: Itämerenkatu 11-13, PO Box 160, FI-00181 Helsinki
Tel: +358 294 618 991
Email: kirjaamo@sitra.fi 

Data Protection Officer:
Janika Skaffari
Administration specialist

kirjaamo@sitra.fi

2 Name of the register 

The name of the register is Sitra’s job applicant register. 

3 Purpose of personal data processing 

Personal data shall be processed for purposes related to the conduct and administration of the controller’s recruitment activities. Accordingly, personal data shall be processed for the purpose of maintaining the personal data, application data and recruitment data of job applicants (data subjects) who have applied for employment in the service of the controller, to fulfil the controller’s statutory obligations related to employee selection and to carry out other measures related to recruiting employees and establishing employment relationships as well as to enable contacts related to application and selection procedures. The data in the register shall not be processed by means of automated decision-making. The controller shall process data itself and use subcontractors for processing personal data on behalf of the controller. 

The legal basis for personal data processing consists of the following legal grounds pursuant to the EU’s General Data Protection Regulation: 

(a) processing is necessary for compliance with a legal obligation to which the controller is subject or, if the personal data belongs to a special category of personal data, processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law, in so far as it is authorised by Union or national law or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject; 

(b) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; 

(c) the data subject has given consent to the processing of his or her personal data for one or more specific purposes or, if the personal data belongs to a special category of personal data, the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or national law provide that the legal prohibition of data processing may not be lifted by the data subject; 

(d) the processing of data is necessary for the performance of a contract of employment; 

(e) the processing of data relates to personal data, including personal data that belongs to a special category of personal data, which are manifestly made public by the data subject; 

(f) the processing of data, including personal data that belongs to a special category of personal data, is necessary for the establishment, exercise or defence of legal claims; 

5 Data content of the register (processed personal data categories) 

In principle, the register contains the following personal data on all data subjects: 

(a) the job applicant’s (data subject’s) basic data, such as name and contact information; 

(b) information regarding the positions the job applicant (data subject) has applied for, including the nature and type of the employment relationship and the date from which the employee is available; 

(c) information regarding work experience; 

(d) information on whether the applicant’s data can be retained for use in relation to other vacancies. 

The register contains the following personal data on those data subjects who have voluntarily entered said information in the information systems used by the controller for recruitment purposes: 

(a) information on the job applicant’s (data subject’s) education and training; 

(b) the job applicant’s (data subject’s) language skills;

(c) information describing the job applicant’s (data subject’s) special skills and, if the job applicant has provided references as part of a recruitment process, the names and contact information of such persons (data subjects);

(d) the job applicant’s (data subject’s) expected salary;

(e) other information provided by the job applicant (data subject) as part of a recruitment process; this includes, among other things, information that the job applicant may have voluntarily provided in a document submitted as an attachment to the controller’s application form (such as a CV, photograph, work history, diplomas, certificates and assessments of work performance).

The following additional information shall also be collected in the register in relation to the recruitment process:

(f) the job code and title identifying the position the job applicant (data subject) has applied for; 

(g) the name of the person who is assigned responsibility for the job applicant’s (data subject’s) recruitment process; 

(h) information regarding the progress of the job applicant’s (data subject’s) recruitment process (such as an upcoming follow-up interview or the suspension of the recruitment process). 

6 Regular data sources 

Personal data is primarily collected from data subjects themselves. 

Providing the controller with the personal data described in items (a)–(d) of section 5, which the controller collects from the data subject, is a requirement for the data subject’s participation in the application and selection procedure and for the potential signing of an employment contract, because the collection of said data is necessary for the fulfilment of the controller’s statutory obligations as an employer. The data subject shall provide the controller with said personal data upon the controller’s request without delay, and failure to provide said personal data may affect the creation of the contract and the controller’s ability to fulfil its statutory obligations, which may also affect the enforcement of the data subject’s rights related to the application and selection procedure and potential employment.

7 Personal data retention period 

The collected data shall be retained only for the duration and to the extent necessary for the original or compatible purposes for which the data was compiled. In any case, the personal data shall be retained as per the legally required retention period, if any. 

Data provided to the controller by a job applicant (data subject) in connection with a recruitment process shall be retained in the controller’s information systems for a period of six (6) months. 

The controller shall perform all possible and required measures to ensure that such personal data that are inaccurate, erroneous or outdated for the purposes of processing are deleted or corrected without delay. 

8 Recipients of personal data (recipient categories) and the regular disclosure of data 

The data contained in the register shall not be disclosed to third parties. 

9 Transferring data outside of the EU or the EEA 

The data contained in the register shall be transferred outside of the EU or the EEA. When transferring personal data, the controller shall observe the model contract clauses approved by the European Commission concerning the transfer of personal data to third countries. 

10 Register protection principles 

Any physical data material containing personal data shall be retained in a locked facility that can only be accessed by appointed persons whose duties require access authority. 

The databases containing personal data are on servers which are kept in locked facilities that can only be accessed by appointed persons whose duties require access authority. The servers are protected by an appropriate firewall and technical protection. 

The databases and systems can only be accessed with separately granted personal user IDs and passwords. Sitra has restricted the access rights and the authorisations to access the data systems and other mediums in such a way that the data can only be accessed and processed by persons who need to access the data with regard to lawful processing. In addition, the database and system transactions are registered in the logs of Sitra’s IT systems. 

Sitra’s employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing. 

Processing sensitive personal data shall only be permitted and technically enabled by means of user administration to a selected and limited group of persons, who need to process such data on Sitra’s behalf because of their work duties, for example, in connection with travel arrangements. 

The database containing personal data is on a server that is kept in a locked facility that can only be accessed by appointed persons whose duties require access authority. The server is protected by an appropriate firewall and technical protection. 

11 Rights of the data subject 

The job applicant (data subject) shall have the following rights laid down in the EU’s General Data Protection Regulation. 

(a) The right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, when that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or recipient groups to whom personal data have been disclosed or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source; 

(b) The right to cancel consent at any time without this affecting the lawfulness of the processing performed based on the consent. 

(c) The right to demand that the controller rectify without undue delay any inaccurate and erroneous personal data on the data subject and the right to have incomplete personal data completed, for example, by supplying clarifying information, taking into consideration the purposes for which the data are processed. 

(d) The right to obtain from the controller the erasure of personal data concerning him or her without undue delay, provided that: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based, and where there are no other legal grounds for the processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no overriding legitimate grounds for the processing; (iv) the personal data have been unlawfully processed; or (v) the personal data must be erased for compliance with a legal obligation in Union or national law to which the controller is subject;

(e) The right to obtain from the controller restriction of processing if: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing on grounds relating to his or her particular situation, pending the verification of whether the legitimate grounds of the controller override those of the data subject. 

(f) The right to receive the personal data concerning him or her, which the data subject has provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if such processing is based on consent pursuant to the GDPR and the processing is carried out by automated means.

(g) The right to file a complaint with the supervisory authority if the data subject considers that the processing of the personal data concerning him or her violates the EU’s General Data Protection Regulation. 

Requests concerning the realisation of the data subject’s rights shall be addressed to the controller’s contact person mentioned in Section 1.