Recruiting Consent Agreement
Date: 25 May 2018
EU General Data Protection Regulation (GDPR), Articles 13 and 14
1. Data controller
I.S. Mäkinen Oy
Business ID: 1860318-4
Address: Tammitie 14, 21410 Vanhalinna
Phone: 02-274 4444
2. Contact person(s) for issues related to the privacy statement
Katja Viitala, CFO
Address: Tammitie 14, 21410 Vanhalinna
Mobile: +35840 535 2995
3. Name of the register
I.S Mäkinen Oy job applicant register
4. The purpose of and grounds for processing personal data
The purpose of the register is to store and maintain personal data of the job applicants of I.S. Mäkinen Oy, for the purposes of any on-going recruitment processes and any future recruitment processes that may follow within reasonable timeframe after the original recruitment process.
The personal data of the job applicants i.e. the data subjects are processed for receiving and processing job applications, evaluating and selecting applicants and for fulfilling other needs related to the recruitment process.
The processing of personal data is based on the legitimate interest of I.S. Mäkinen Oy to process personal data as required by the recruitment process in a relevant context between I.S. Mäkinen Oy and the job applicant.
In certain cases, the processing of personal data is also necessary for carrying out measures preceding the entering into an employment agreement between I.S. Mäkinen Oy and the job applicant and performing the employment agreement.
The data subject has given their consent to process personal data during the recruitment process and to store the personal data for the purpose of any future recruitment processes starting within reasonable timeframe from the original recruitment process.
If the job applicant does not disclose his or her personal data to I.S. Mäkinen Oy, it may not necessarily be possible to take that applicant into consideration in the recruitment process.
5. Recipients of personal data
I.S. Mäkinen Oy discloses personal data collected in the register to the following recipients:
- outsourced data processor HR / HR Partner Oy
- outsourced payroll/accounting by Tilitoimisto Kaikumäki Ky
I.S. Mäkinen Oy uses agreements to ensure that the aforementioned parties do not process personal data in any other ways than in compliance with instructions issued by I.S. Mäkinen Oy and this privacy statement.
I.S. Mäkinen does not disclose data for commercial purposes.
6. Data content of the register
The following data required in the recruitment processes will be collected:
- name and contact details such as name, address, email address, phone number (for identification and communication purposes)
- date of birth
- information used to evaluate competence and suitability of the job applicant (e.g. work experience, educational background, language skills, other skills)
- attachment documents (e.g. CV, cover letter, letters of reference, diplomas, recommendations)
- other data related to the recruitment process e.g. emails
- notes made by the employer
7. Sources of data
As a rule, the data are collected from data subjects themselves through the job applications submitted with the recruitment form at web page www.ismakinen.com or by other means.
The personal data collected during the recruitment process contain for example email messages and their attachments and the notes made by the employer.
8. Transfers or disclosures of data outside the EU or EEA
Personal data at the job applicant register is not transferred or disclosed outside the European Union or the European Economic Area.
9. Storage period of personal data
I.S. Mäkinen Oy stores the personal data contained in the register in accordance with the legislation in force and only as long as necessary for the implementing of the purpose of the register as set out in this privacy statement, however, no more than twenty four (24) months after the recruitment process has ended.
Personal data can also be stored for a longer period if this is necessary to fulfil the obligations of I.S. Mäkinen Oy under applicable legislation.
We aim, to a reasonable extent, to maintain the validity of the personal data in our possession by deleting unnecessary data and updating outdated data from time to time. The data are entered to the register as they are received from the data subject and they are updated based on data subject’s notifications.
10. Principles of data security
The personal data contained in this register are protected with technical and organizational measures against unauthorized/unlawful entering, alternating, erasing or other processing including unauthorized disclosure or transfer of the data contained in this register.
The data are stored in electronical servers which are protected by firewalls, passwords and other appropriate technical solutions. The access to the data is only with certain individuals working for I.S. Mäkinen Oy and with other individuals who need the data to perform their duties. Such individuals with an access to the data are bound by confidentiality obligation.
The individuals who process the data contained in this register as a part of their work duties are trained and instructed on data protection and data security on a regular basis.
11. Right to access the data, and right to transfer data between systems
The data subject has the right to find out, after identifying the information required, which data about the data subject has been stored in this register or that no such data is stored. The data controller shall at the same time inform the data subject on the regular sources of data and to which purposes such data are used and as a rule, disclosed. The data subject who wishes to check the data concerning themselves as described above, shall make such request to the contact person as set out in the section 2 of this privacy statement by providing a personally signed or otherwise certified document.
The data subject has the right to receive the personal data that he/she has submitted to the data controller, in a structured, generally used and manually readable form, and the right to transfer such data to another data controller, if the processing is based on consent or an agreement between the data subject and the data controller and the processing is performed automatically, if such transfer is technically possible.
12. Right to withdraw consent
If personal data are processed based on the data subject’s consent, the data subject has the right to withdraw his or her consent at any time. The request to withdraw consent shall be submitted via email to the contact person as set out in section 2 of this privacy statement by providing a personally signed or otherwise certified document. The former processing of personal data prior withdrawal of the consent shall not become unlawful in case of a withdrawal of the consent.
13. Rectification, erasure or restriction of processing of personal data
The data controller must, without undue delay, after becoming aware of an error by data subject’s demand or, after having observed the error themselves on their own initiative rectify, erase or supplement data contained in the register and that conflicts with the purpose of the register and that is incorrect, unnecessary, incomplete or outdated. The data controller must also prevent the spreading of such data if such data may endanger the privacy protection or the rights of the data subject.
The data controller must restrict the processing of personal data, if the data subject has challenged the accuracy of their personal data or if the data subject has presented a claim of unlawful processing and objected of erasing the data and instead demanded of restriction on the use of such data. The data controller must restrict the processing of personal data also in such case where the data controller does not need to store the personal data for the purposes of processing but the data subject notifies the need of storing such data to preparing, presenting or defending a legal claim. In addition, the data controller must restrict the processing when the data subject has objected such processing due to the general data protection regulation while waiting for confirmation on whether the legitimate interest of the data controller to process such data prevails the grounds presented by the data subject. If the data controller has restricted the processing based on the aforementioned grounds, the data controller must notify the data subject before such restriction is removed.
The correction requests shall be presented to the contact person as set out in the section 2 of this statement.
14. Right to lodge a complaint
The data subject has the right to lodge a complaint with the competent supervisory authority if I.S. Mäkinen Oy has not complied with the data protection regulations applicable to its operations.
In case of any requests related to the exercise of the data subject’s rights, the data subject should contact the person as set out in section 2 of this privacy statement in writing or via email.
I.S. Mäkinen Oy may ask the data subject to specify their request and certify their identity before processing their request. I.S. Mäkinen Oy may refuse to fulfil the request based on grounds in applicable legislation.
I.S. Mäkinen Oy aims to answer the requests within one (1) month of the request unless there are any special grounds to lengthen the response time.
16. Automated decision-making and profiling
Personal data will not be used for automated decision-making or profiling of the data subjects.
17. Changes to the description of the statement
I.S. Mäkinen Oy develops its business on a continuous basis and reserves the right to change this privacy statement. The changes may also be based on changes in the legislation. I.S. Mäkinen Oy recommends the data subjects to check the content of the statement on a regular basis.