We are the controller in accordance with current privacy legislation. Job applicants' personal data is processed for the purpose of managing and facilitating the recruitment of employees to Taaleri.
When reference is made to Taaleri or the Taaleri Group in this policy, it refers to all the companies in the Group.
1. Name of the register
Recruitment register of the Taaleri Group.
2. Data Controller
Business ID: 2234823-5
Address: Kasarmikatu 21 B, 00130 Helsinki
3. Contact Person
Name: Merja Kouznetsov
Address: Kasarmikatu 21 B, 00130 Helsinki
Tel: 040-591 7629
4. The purpose and lawfulness for processing information
The purpose of collecting and processing personal data is to manage recruiting.
The Data Subject’s Personal Data may be processed for the following purposes:
• conducting recruitments (processing job applications, mapping potential employees, etc.)
• analysis and statistics
The person's data is entered in the register at the time of application.
The legal basis of the processing is the consent of an applicant or our legitimate interest to simplify and facilitate recruitment, as applicable.
No automated decision-making is carried out based on the data, nor are Data Subjects profiled on the basis of the data within the meaning of Article 22 of the EU General Data Protection Regulation. The data will also not be used for direct marketing. Personal Data that is processed for the purpose of aggregated analysis or market research is always made unidentifiable. Such Personal Data cannot be used to identify a certain Data Subject. Thus, such data is not considered Personal Data.
Taaleri processes the Personal Data of the Data Subjects in accordance with the applicable legislation and good data processing practice.
5. Users of the data
The persons involved in the recruitment process (such as a supervisor, a representative of HR, or an external partner involved in recruitment) are entitled to process the data of the Data Subject.
Access to the register requires a user ID and a personal password, which are only given to persons involved in recruitment. Access rights are recruitment specific. Users of the application have been trained to use the register. At the final stage of the recruitment process, Taaleri may also involve future colleagues in the recruitment process, and therefore the application and CV can be sent to them as well, if considered appropriate.
6. Data content of the register
The categories of personal data that can be collected are those that can be used to identify natural persons, such as names, e-mails, pictures and videos, information from Facebook and LinkedIn accounts, answers to questions asked during recruiting, titles, education and other information that the Data Subject has provided to us. The register may contain the following information:
- name, contact details, date of birth
- free-form application cover text and additional information
- information on education and professional experience
- information on experience and skills
- preferences for the future job
- any attachments submitted with the application
- notes taken during the interview
- any other information collected with the Data Subject’s consent.
Only data that is relevant for the recruitment process is collected and processed.
7. Regular sources of information
The data concerning the Data Subject is usually obtained from the Data Subject himself/herself, e.g. through an application form or through the Data Subject’s own entries in a public data source (e.g. LinkedIn). Data may also be obtained from other sources, e.g. from Suomen Asiakastieto Oy (credit data) within the limits permitted by law.
We may collect data from third parties, such as Facebook and LinkedIn, and through other public sources. This is referred to as “Sourcing” and may be performed manually by our employees or automatically in the recruitment portal Team Tailor.
8. The consent of the Data Subject
The Data Subject consents to the processing of his/her Personal Data for the purpose of the Controller’s recruitment. The Data Subject consents that Personal Data is collected when Data Subjects:
- make an application, adding Personal Data about themselves either personally or by using a third-party source such as Facebook or LinkedIn, and that the Controller may use external sourcing tools to add additional information; and
- contact the Controller’s staff in relation to recruitment, adding Personal Data about themselves either personally or by using a third-party source such as Facebook or LinkedIn.
The Data Subject also consents to the Controller collecting publicly available information about the Data Subject and compiling them for use in recruitment purposes.
The Data Subject consents that the Personal Data collected in accordance with the above will be processed according to the paragraph “Storage” below.
The Data Subject has the right to withdraw his or her consent at any time by contacting the Controller using the contact details listed in paragraph 3. Using this right may, however, mean that the Data Subject cannot apply for a specific job.
Personal Data is entered into the recruitment system when the application is received. The Personal Data will be stored and processed by us for as long as we deem it necessary with regard to the purposes stated above, but for a maximum of 24 months from the date of application, after which it is automatically deleted. The Controller may delete the Data Subject’s Personal Data itself before this time, or the Data Subject may request deletion as described in more detail in paragraph 11.
10. Regular disclosures and transfers of Data
Personal Data of the Data Subject will not be sold or otherwise disclosed to third parties, except as otherwise described in this policy.
We may disclose or transfer Users’ Personal Data to our contractors and sub-contractors, acting as our Processors and Sub-Processors in accordance with our instructions.
Personal Data of Data Subjects may be disclosed to authorities or legal advisors if criminal or improper behavior is suspected, or if disclosure is required by law or by an authority’s injunction.
The data is processed using the systems of an external operator, within the framework of which Personal Data is stored on external servers. Personal Data of Data Subjects is transferred solely to trustworthy third parties. Partners are carefully chosen to ensure that the Data Subject’s Personal Data is processed in accordance with current privacy legislation.
Data may be transferred to the employee register when a person enters an employment relationship with the Taaleri Group.
Data may be transferred outside the EU or EEA in accordance with the transfer mechanisms set out in the EU General Data Protection Regulation.
11. Data Subject’s rights
Right to access the Data
Data Subjects have the right to request information about the Personal Data that is processed by Taaleri. The request shall be made in writing to the e-mail address mentioned in paragraph 3.
Data Subjects have the right to one (1) copy of the processed Personal Data which belongs to them without any charge. For any further copies requested, the Controller has the right to charge a reasonable fee on the basis of the administrative costs of such a request.
Taaleri has the right to verify the identity of the requester to the extent necessary and to decide on the means of disclosure.
Right of rectification
The Data Subject has the right to demand rectification, without undue delay, of inaccurate or erroneous Personal Data concerning him or her. If the Data Subject discovers errors in the data, the Data Subject may submit a request for correction to the person responsible for the register mentioned in paragraph 3. The Controller shall correct the data in accordance with the data protection rules and, where appropriate, inform the party to whom the data have been disclosed.
Right to restrict the processing of data
In situations covered by the GDPR, the Data Subject has the right to request the restriction of the processing of his or her Personal Data. In this case, the Data Subject should contact the e-mail address mentioned in paragraph 3, after which the Controller will assess whether there are grounds for restricting the processing and, if necessary, restrict the processing in accordance with the request and, where appropriate, inform the party to whom the data have been disclosed.
Right to demand deletion of Personal Data
The Data Subject has the right to demand the erasure of his or her Personal Data in the circumstances specified in the GDPR. In this case, the Data Subject should contact the e-mail address mentioned in paragraph 3, after which the Controller will assess whether the processing and storage of the Personal Data is justified under the GDPR or whether the data should be deleted. If the Personal Data is deleted, the Controller will inform the party to whom the data have been disclosed.
The right to transfer data from one system to another
The Data Subject has the right to demand the Personal Data concerning him or her which he or she has provided to the Controller, and which are processed in an automated, structured, commonly used and machine-readable format, and the right to transfer such data to another Controller. In this case, the Data Subject should contact the e-mail address mentioned in paragraph 3, after which the Controller will provide the data within 30 days.
Right to lodge a complaint with a supervisory authority
The Data Subject has the right to lodge a complaint with the competent supervisory authority if the Data Subject considers that the Controller has not complied with the applicable data protection regulation.
Right to revoke consent to processing of Personal Data
The Data Subject has the right to revoke any consent to processing that has been given by the Data Subject to the Controller. Using this right may, however, mean that the Data Subject cannot apply for a specific job.
12. Principles of register protection
There is no manual data. Printouts from the system are securely destroyed after use.
Data stored electronically
Only employees whose job entitles them to process job-seeker data are entitled to use the recruitment system. Each user has his/her own username and password for the system. The data is stored in databases protected by firewalls, passwords, and other technical means.
However, transfers of information over the internet and mobile networks can never occur without any risk, so all transfers are made at the own risk of the person transferring the data. It is important that Data Subjects also take responsibility to ensure that their data is protected.
14. Aggregated data (non-identifiable Personal Data)
Aggregated data may be shared with third parties. The aggregated data has in such instances been compiled from information that has been collected through the recruitment portal. The aggregated data does not contain any information that can be used to identify individual persons and is thus not Personal Data.
For questions, further information about our handling of Personal Data or for contact with us in other matters, please use the contact details stated in paragraph 3.