In accordance with EU General Data Protection Regulation (2016/679, “GDPR”) and applicable national legislation (including Finnish Data Protection Act 1050/2018).
1. Description of processing
Processing of personal data related to recruitment by VTT.
2. Data controller, data protection officer
Name: Technical Research Centre of Finland Ltd (”VTT”), Business ID: 2647375-4
Address: Vuorimiehentie 3, 02150 Espoo, Finland
Data Protection Officer:
Name: Seppo Viinikainen
Address: Technical Research Centre of Finland Ltd, Koivurannantie 1 Jyväskylä, Finland
3. Categories of the personal data
The data controller may collect and process following personal data directly needed in connection with the recruitment process and the possible employment of the applicant by VTT:
- Names and contact details, such as e-maiL
- Job application and other information related to the recruitment process, such as language skills, education and qualifications, information provided in the applicant’s CV
- Information from personal assessment and aptitude tests, a possible video interview and the data contained therein, data from a standard security clearance
- Information provided by the references nominated by the applicant
- Information related to the progress of recruitment and the selection for or elimination from further processing
- Start and end date of employment
- Work contract including the terms and conditions therein, such as salary and other compensation and benefits.
4. Purposes of processing personal data
Personal data is processed for purposes of VTT’s recruitment process. The process includes: evaluation and selection of candidates, communication related to the recruitment with applicants, organisation of interviews and assessment tests, evaluation of interviews and reviewing the results of assessment tests, carrying out a standard security clearance, gathering data for recruitment related reporting, and responding to legal claims and defending against litigation in the event of potential disputes between VTT and the job seeker. VTT has an obligation to ensure that a foreign person has the right to work in Finland. VTT must also retain data on foreign employees and the basis for rights to work.
5. Legal basis for processing
Personal data is being processed on the basis of one or more of the following:
The legal basis for processing personal data is a statutory obligation under the GDPR when processing is necessary to comply with the statutory obligations of the controller. This is the case, for example, when the controller processes personal data for the provision of the statutory obligations of the employer, such as ensuring that a foreign person has the right to work in Finland.
The processing of personal data is necessary in order to take steps at the request of the applicant prior to entering into a contract between VTT and the applicant.
The legal basis for the processing is in part a legitimate interest under the GDPR. An applicant and an employee can reasonably expect his/her personal data to be processed for the purposes described above in section 4, and based on the balanced interests of the data subject and the controller, the processing is justified, as the envisaged effects of such processing are favourable to the data subject, and, as the processing is subject to measures protecting the interests of the data subject (such as ensuring information security in accordance with section 11). The controller has the right to process personal data under a legitimate interest, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
Processing of personal data is based on the consent given by the data. The data subject has the right to withdraw his/her consent at any time. Exercise of the right does not affect the lawfulness of the processing carried out prior to the withdrawal of consent.
6. Regular sources of information
Personal data is mainly collected from the data subject him/herself.
Data may also be collected from references nominated by the data subject or from a recruitment consultant.
The data controller may with the consent of the data subject collect personal data also from other sources, excluding, however, personal credit data or criminal records data for the purpose of determining the candidate’s/employee's reliability, in which case the consent of the data subject is not required.
7. Recipients or categories of recipients of personal data
VTT may disclose personal data to a third party if it is necessary for service related technical reasons and/or appropriate legislation requires disclosure.
The processing of personal data has been outsourced to the following service providers who deal with personal data on behalf of the controller:
- Providers of IT-systems used in HR administration
- Storage service providers
- Recruitment consultants
- Aptitude assessment providers
- Video interview service providers
In addition, the controller may disclose information to the competent authorities in order to implement statutory obligations. The information will be provided under appropriate contractual arrangements in accordance with the requirements of the GDPR and applicable legislation.
8. Transfer of personal data outside the EU and the EEA
If it is necessary for the technical implementation of personal data processing, personal data may be transferred outside the EU and EEA, in which case the data transfer is be subject to the requirements of the GDPR. The controller may use, inter alia, the current standard contractual clauses for the international data transfers approved by the competent authorities.
9. Automated decision-making, including profiling
Personal information mentioned above in section 3 is not subject to automated decision-making.
10. The period for which personal data is stored or the criteria used to determine the period
Personal is stored as long as it is necessary for the purposes of processing personal data or for complying with the statutory obligations of the controller. The data shall thereafter be destroyed or anonymized, unless legal basis for their continued processing remains. The retention periods take into account, for example, the limitation of action based on legislation and the obligations of the employer. VTT retains applications in the recruitment system for two years after the expiration of the application deadline. Open applications are retained for two years after the last update to the application.
11. Principles of data protection
Personal data is protected by appropriate technical and organizational measures against unauthorized processing and access. Personal data is stored in the recruitment system and is protected by, inter alia, the following procedures: access control, firewalls, password arrangements. Access to personal data is restricted to persons who are bound by confidentiality.
In addition, employment contracts are stored in paper by VTT Human Resources. Personal data is stored in a technically secure location. Physical access to information is limited by access rights and security measures. Access to personal data is limited to certain named persons who are bound by confidentiality.
12. Rights of the data subject
The data subject has the following rights, which may be restricted according to the GDPR and applicable legislation. The data subject may exercise these rights by contacting the controller, preferably in writing and by e-mail using the contact information provided in section 2.
The right of access
The data subject has the right to obtain from the controller, upon request, confirmation as to whether or not personal data concerning him/her is being processed, and access to his/her personal data, and information concerning the processing of his/her personal data.
Right to rectification
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate and incorrect personal data concerning him/her, and the completion of incomplete personal data.
Right to erasure
The data subject may ask the data controller to remove personal data related to the them, for instance, in following situations: (i) they are no longer required for the purposes for which they were collected or otherwise processed, (ii) the data subject withdraws consent of processing and no other grounds for processing exist; (iii) personal data has been unlawfully processed; (iv) the personal data must be removed in order to comply with statutory obligations applicable to the controller; or (v) the data subject objects to processing under the legitimate interest of the data controller.
Right to restriction of processing
The data subject has the right to obtain from the controller a restriction of the processing of personal data where one of following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defend of a legal claim; (iv) the data subject has objected to the processing of personal data.
Right to data portability
If the data subject has provided his/her personal data to the data controller, the data subject has the right to receive and to transfer such personal data to another data controller if:
- processing is carried out by automated means; and
- the processing is based either on the data subject’s consent or the processing of personal data is necessary for the execution of a contract, such as a contract of employment, or for the implementation of pre-contractual measures at the request of the data subject.
The data subject does not have the right to transfer data from one system to another if such personal data is processed on the basis of the legitimate interest or statutory obligation of the controller.
Right to object
The data subject has the right to object, on grounds relating to his/her particular situation, to the processing of personal data concerning him/her, which is based on the legitimate interest of the controller.
The right to lodge a complaint with supervisory authority
The data subject has the right to lodge a complaint with a supervisory authority, if he/she considers that the processing of personal data beaches his/her rights pursuant to applicable law. Office of the Data Protection Ombudsman, Ratapihantie 9, 00520 Helsinki,