Data privacy notice for recruitment

Processing of personal data related to recruitment by VTT.

Data controller:

Name: Technical Research Centre of Finland Ltd (”VTT”), Business ID: 2647375-4
Address: Tekniikantie 21, 02150 Espoo, Finland

Data Protection Officer:

Address: VTT Technical Research Centre of Finland Ltd., Register Office, P.O. Box 1000, FI-02044 VTT, Finland 
E-mail: [email protected] or [email protected] (DPO, data security and their substitutes)

The data controller may collect and process following personal data directly needed in connection with the recruitment process and the possible employment of the applicant by VTT: 

• Names and contact details, such as e-mail
• Job application and other information related to the recruitment process, such as language skills, education and qualifications, information provided in the applicant’s CV
• Information from personal assessment and aptitude assessment tests, a possible video interview and the data contained therein, data from a standard security clearance
• Information provided by the references nominated by the applicant
• Information related to the progress of recruitment and the selection for or elimination from further processing
• Start and end date of employment
• Work contract including the terms and conditions therein, such as salary and other compensation and benefits.

Personal data is processed for purposes of VTT’s recruitment process. The process includes: evaluation and selection of candidates, communication related to the recruitment with applicants, organisation of interviews and assessment tests, evaluation of interviews and reviewing the results of assessment tests, carrying out a standard security clearance, gathering data for recruitment related reporting, and responding to legal claims and defending against litigation in the event of potential disputes between VTT and the job seeker. VTT has an obligation to ensure that a foreign person has the right to work in Finland. VTT must also retain data on foreign employees and the basis for rights to work. In addition, VTT may invite applicant to VTT’s Talent community, where news and updates related to new positions may be shared.

Personal data is being processed on the basis of one or more of the following:

Statutory obligation

The legal basis for processing personal data is a statutory obligation under the GDPR when processing is necessary to comply with the statutory obligations of the controller. This is the case, for example, when the controller processes personal data for the provision of the statutory obligations of the employer, such as ensuring that a foreign person has the right to work in Finland.

Contract

The processing of personal data is necessary in order to take steps at the request of the applicant prior to entering into a contract between VTT and the applicant. 

Legitimate interest

The legal basis for the processing is in part a legitimate interest under the GDPR. An applicant and an employee can reasonably expect his/her personal data to be processed for the purposes described above in section 4, and based on the balanced interests of the data subject and the controller, the processing is justified, as the envisaged effects of such processing are favourable to the data subject, and, as the processing is subject to measures protecting the interests of the data subject (such as ensuring information security in accordance with section 11). The controller has the right to process personal data under a legitimate interest, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

Consent

Processing of personal data is based on the consent given by the data. The data subject has the right to withdraw his/her consent at any time. Exercise of the right does not affect the lawfulness of the processing carried out prior to the withdrawal of consent.

Personal data is mainly collected from the data subject him/herself.

Data may also be collected from references nominated by the data subject or from a recruitment consultant.

The data controller may with the consent of the data subject collect personal data also from other sources, excluding, however, personal credit data or criminal records data for the purpose of determining the candidate’s/employee's reliability, in which case the consent of the data subject is not required.

VTT may disclose personal data to a third party if it is necessary for service related technical reasons and/or appropriate legislation requires disclosure.

The processing of personal data has been outsourced to the following service providers who deal with personal data on behalf of the controller: 

• Providers of IT-systems used in HR administration
• Storage service providers
• Recruitment consultants
• Aptitude assessment providers
• Video interview service providers 

In addition, the controller may disclose information to the competent authorities in order to implement statutory obligations. The information will be provided under appropriate contractual arrangements in accordance with the requirements of the GDPR and applicable legislation.

List of data sub processors:

List of TalentAdore VRA sub-processors

Personal data may be transferred outside the EU and EEA. Transfer shall be carried out in compliance with GDPR. If the commission’s decision on the adequacy of data protection covering the target country is not available, VTT may, among other things, use commission’s standard contractual clauses for international data transfers.

Personal information mentioned above in section 2 is not subject to automated decision-making.

Personal is stored as long as it is necessary for the purposes of processing personal data or for complying with the statutory obligations of the controller. The data shall thereafter be destroyed or anonymized, unless legal basis for their continued processing remains. The retention periods take into account, for example, the limitation of action based on legislation and the obligations of the employer. VTT retains applications in the recruitment system for two years after the expiration of the application deadline. Open applications are retained for two years after the last update to the application. The applicants information in Talent community is retained for 12 months and can be deleted upon the applicants request.

Personal data is protected by appropriate technical and organizational measures against unauthorized processing and access. Personal data is stored in the recruitment system and is protected by, inter alia, the following procedures: access control, firewalls, password arrangements. Access to personal data is restricted to persons who are bound by confidentiality.

In addition, employment contracts are stored in paper by VTT Human Resources. Personal data is stored in a technically secure location. Physical access to information is limited by access rights and security measures. Access to personal data is limited to certain named persons who are bound by confidentiality.

The data subject has the following rights (section 11), which may be restricted according to the GDPR and applicable legislation. The data subject may exercise these rights by contacting the controller, preferably in writing and by e-mail using the contact information provided in section 1.3, and/or by contacting VTT recruitment team at [email protected]

11.1    The right of access 

The data subject has the right to obtain from the controller, upon request, confirmation as to whether or not personal data concerning him/her is being processed, and access to his/her personal data, and information concerning the processing of his/her personal data.

11.2    Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate and incorrect personal data concerning him/her, and the completion of incomplete personal data. During the application period, the data subject may correct his or her own data. After the application period has ended, the data subject may request the data correction by sending a message to [email protected].

11.3    Right to erasure

The data subject may ask the data controller to remove personal data related to the them, for instance, in following situations: (i) they are no longer required for the purposes for which they were collected or otherwise processed, (ii) the data subject withdraws consent of processing and no other grounds for processing exist; (iii) personal data has been unlawfully processed; (iv) the personal data must be removed in order to comply with statutory obligations applicable to the controller; or (v) the data subject objects to processing under the legitimate interest of the data controller. The request should be addressed to [email protected].

11.4    Right to restriction of processing

The data subject has the right to obtain from the controller a restriction of the processing of personal data where one of following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defend of a legal claim; (iv) the data subject has objected to the processing of personal data. The request should be addressed to [email protected].

11.5    Right to data portability 

If the data subject has provided his/her personal data to the data controller, the data subject has the right to receive and to transfer such personal data to another data controller if:

• processing is carried out by automated means; and
• the processing is based either on the data subject’s consent or the processing of personal data is necessary for the execution of a contract, such as a contract of employment, or for the implementation of pre-contractual measures at the request of the data subject. 

The data subject does not have the right to transfer data from one system to another if such personal data is processed on the basis of the legitimate interest or statutory obligation of the controller. 

11.6    Right to object

The data subject has the right to object, on grounds relating to his/her particular situation, to the processing of personal data concerning him/her, which is based on the legitimate interest of the controller. 

11.7    The right to lodge a complaint with supervisory authority 

The data subject has the right to lodge a complaint with a supervisory authority, if he/she considers that the processing of personal data beaches his/her rights pursuant to applicable law. Office of the Data Protection Ombudsman, Ratapihantie 9, 00520 Helsinki, [email protected].