GDPR: Job seekers and the information used in the recruitment processes

Job seekers and recruitment information

1 Common

The purpose of this privacy statement is to provide a comprehensive picture of InHunt Group’s recruitment service jobseekers and potential jobseekers about what personal information is collected from them, for what purposes the information is used and to whom the information may be disclosed. This also applies to jobseekers applying to the InHunt Group. This Privacy Statement also provides information on the obligations and legislation that the InHunt Group complies with in processing personal data. The InHunt Group includes the following companies: InHunt Group Oy, InHunt Executive Oy, InHunt Law Oy and InHunt World Oy (hereinafter: the “Company”).

The purpose of processing personal data is to enable the jobseeker to bring the CV, training and work experience data and interests to the attention of the InHunt Group as a basis for finding a new job, so that the right employees can find the right employers as efficiently as possible. For this purpose, the InHunt Group collects information about people who register as jobseekers that serve their employment and their correct placement. The aim of systematizing the collection and use of data is to increase the efficiency of the InHunt Group’s operations and provide customers with a faster and better service so that a satisfied employer has a satisfied employee.

The company thus offers recruitment services where it connects job seekers and employers. In addition, the Company recruits for its own service. The Privacy Statement applies to all persons who have applied or are applying for either through the Company’s recruitment service to the Company’s clients or to the Company’s service (hereinafter: “registered” or “job seeker”).

Personal data means all data relating to an identifiable or identifiable person (data subject), as defined in the General EU Data Protection Regulation (2016/679) (the “Data Protection Regulation”).

In processing personal data, the Company complies with the Data Protection Regulation and the Act on the Protection of Privacy in Employment (759/2004, as amended) (hereinafter: the “Employment Data Protection Act”) as well as other applicable legislation and good data processing practices.

2 Registrar and Data Protection Officer

Registrar: InHunt Group

Data Protection Officer: Kari Juutilainen

Contact information:

InHunt Group Oy, Äyritie 12 C, 01510 Vantaa

kari.juutilainen@inhunt.fi

3 Purposes and legal basis of the processing of personal data

Personal data of jobseekers and potential jobseekers are processed for recruitment purposes only. In addition, personal information may be used to ensure compliance with the law applicable to the relationship between the Company and the data subject.

The legal basis for the processing of registered personal data is the realization of the legitimate interests of the Company or its customer and the data subject with regard to the recruitment procedure. In addition, the data subject may, if he so wishes, consent to the retention of data for the period after the recruitment procedure.

If the jobseeker is selected, the processing of personal data at the time of recruitment will be subject to a data protection statement for employees.

4 Categories of personal data to be processed and data content

The company collects and processes information from registrants that is necessary for recruitment. This applies to data provided by the data subjects themselves and to data collected from other sources.

Personal data collected in connection with recruitment (targeted and open applications):

Name, contact details, date of birth, language skills, educational background, employment history, referrals and salary aspirations of the registered person and a picture of the person.
Job applications and resumes for job seekers, including the LinkedIn profile URL.
Information gathered from interviews and possible aptitude tests.
Any other material accumulated in connection with the recruitment processes and information provided to the Company by job seekers on their own initiative.
The company may collect information from referrals provided by the job seeker.

The following personal data is collected from potential job seekers:

Name, contact details, language skills, educational background, work history and referrers of the registered person and a picture of the person.
Job applications and resumes for job seekers, including the LinkedIn profile URL.

5 Information sources

With regard to jobseekers, the primary source of information is always registered itself, and unless otherwise required by law binding on the Company, information will not be collected without the consent of a third party.

Sources of information regarding potential job seekers include, for example, career-related networking services, such as LinkedIn, to which a person has published their CV. The data subject will be informed in more detail where the personal data concerning him / her come from.

Job seekers provide information by filling out the Company’s electronic application form and then at a later stage in the recruitment process in various ways, such as in a psychological assessment.

6 Retention of personal information

The Company will retain personal information for as long as is necessary to fulfill the purposes set forth in this Privacy Statement, unless required by law to retain personal information for a longer period (e.g., special laws, accounting or reporting responsibilities and obligations), or required by the Company to

The personal data of potential jobseekers will be retained until it is established that they will not be contacted or will be contacted. Upon contact, the person either declares his / her interest and becomes a job seeker or his / her personal data in this regard is deleted.

The personal data of jobseekers will be kept during the recruitment process until a suitable jobseeker has been selected for the position. Thereafter, the personal data of jobseekers who were not selected in connection with that recruitment process will be retained for 2 years after the selection has been made and notified to the jobseeker. During the first 6 months after the selected jobseeker has started, the data of the other jobseeker may be processed if another person is required to replace the place during the statutory probationary period. Thereafter, personal data will be retained without further use due to possible legal claims.

The processing of the recruitment data of a job seeker who will be elected to the Company will continue after the recruitment on the basis of the employment relationship. This treatment is described in a separate employee privacy statement. Following the company’s own recruitment process, the data of jobseekers who participated in the recruitment process will be retained for a maximum of two years, in which case personal data will not be used for anything other than retention, unless a legal claim arises.

Open applications will be retained for 24 months of receipt, unless the jobseeker at that time is involved in the recruitment process for the vacancy or gives permission to keep their personal information for a longer period. The company may request permission from the data subject to retain his or her recruitment information for longer periods of time for open positions.

The data subject has the right to request that his or her data be deleted earlier than specified above (see below on the data subject’s rights).

When the retention period for personal data has expired, the data shall be deleted within a reasonable time.

7 Recipients of personal information

Companies belonging to the Group may process personal data in accordance with data protection legislation. In addition, under InHunt Group, personal data may be processed by entrepreneurial and franchised companies in the position of processor.

The data subject’s personal data is disclosed to InHunt Group customers who are recruiting through the InHunt recruitment service. The more specific party will be indicated either in the vacancy notice or notified to the data subject. The InHunt Group instructs its customers to delete job seekers’ personal information whenever it becomes unnecessary.

The personal data of the data subject may be disclosed to the service provider participating in the recruitment on a case-by-case basis. Companies vary, so they are reported on a case-by-case basis.

In addition, the personal data of the data subjects may be processed by the service providers providing the Company’s information systems and other services, but only to the extent necessary for the performance of the agreement.

More detailed information on the recipients to whom personal data is transferred can be obtained from the Company, if necessary (contact information in Chapter 2 Registrar).

The company may also be required to disclose the personal data of data subjects in the event of an emergency or other unexpected situation in order to protect people’s lives and health and property. In addition, the Company may be required to disclose the personal data of data subjects if the Company is involved in litigation or other dispute resolution proceedings.

If the Company is involved in a merger, business transaction or other corporate reorganization, it may have to disclose the personal data of the registrants to third parties.

The transfer of data to a third party takes place mainly by means of electronic data transmission connections, but the data may also be disclosed in other ways, such as by telephone or letter.

8 Transfer of personal data outside the European Union or the European Economic Area or to international organizations

Data will not normally be transferred outside the European Union or the European Economic Area or to international organizations. If personal data is transferred, the person will be notified in advance.

9 Principles of protection of personal data and security of processing

The Company processes personal information in a manner that seeks to ensure the proper security of personal information, including protection against unauthorized processing and accidental loss, destruction or damage.

The company’s network and servers are protected by a firewall and other technical measures. The rights to read, send and delete data are limited by access rights and passwords. Staff are instructed in the secure use of passwords.

As a rule, the company stores the data of the registered persons in electronic form. Data is printed only when necessary, and paper prints are securely destroyed immediately after processing. The staff has been instructed that the personal identification number of the registered persons should not be unnecessarily entered in the documents.

The personal data of the data subjects are processed by the persons in charge of the Company’s recruitment data register, as well as by the Company’s personnel participating in the recruitment and the persons in charge of the recipients of the personal data mentioned in this data protection statement.

All parties processing personal data have a duty of confidentiality under the Employment Contracts Act and the confidentiality provisions of the agreements regarding matters related to the processing of registered personal data.

In accordance with this Privacy Statement, the Company may outsource the processing of personal data to service providers or subcontractors, but the Company will ensure, with adequate contractual obligations, that personal data is processed properly and lawfully.

10 Data subjects’ rights and enforcement

Data subjects have rights guaranteed by data protection law.

Right of access to data and right of inspection

The data subject has the right to receive confirmation as to whether the data subject’s personal data will be processed.

The data subject also has the right to check and see information about himself and, upon request, the right to receive the information in writing or electronically.

Right of rectification and erasure

The data subject has the right to demand the correction of incorrect or inaccurate information. In addition, the data subject has the right under applicable data protection law to request the deletion of his or her data.

The company also removes, corrects and supplements personal data that it detects on its own initiative that is incorrect, unnecessary, incomplete or out of date for the purpose of the processing.

The right to transfer data and to restrict and oppose processing

The data subject has the right to request the transfer of his or her data to another controller in accordance with data protection legislation.

In addition, the data subject has the right to request a restriction on the processing of personal data in accordance with the conditions set out in data protection law. In addition, in a situation where personal information suspected to be incorrect cannot be corrected or deleted or there is ambiguity about the request for deletion, the company will restrict access to the information.

The data subject has the right to object to the use of the data for a certain type of processing. The data subject has the right to refuse the disclosure and processing of his data for direct marketing purposes.

Right to withdraw consent

If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw his or her consent at any time. The cancellation has no effect on the processing previously performed.

Exercise of rights

Requests for data subjects’ rights will be made by post or electronically and will be addressed to the controller mentioned in this privacy statement (contact details in section 2 Data controller). Identity is verified before providing information. The request shall be answered within a reasonable time and, if possible, within one month of the request and verification of identity.

The request must state that it is a request for the processing of personal data related to recruitment. The request shall be answered within a reasonable time and, where possible, no later than one month from the submission of the request and the verification of identity.

If the data subject’s request cannot be accepted, the data subject shall be notified of the refusal in writing. The company may refuse upon request (such as deletion of data), due to a statutory obligation or the company’s statutory right, e.g. an obligation or claim related to services.

11 Right to appeal to the supervisory authority

The data subject has the right to lodge a complaint with the competent data protection authority if the data subject considers that his or her personal data have been processed in breach of applicable law. In the European Union, a complaint may be lodged, in particular, in the State where the data subject has his habitual residence or place of employment or where the alleged infringement has taken place.

12 Changes to the Privacy Statement

The Company may amend and update this Privacy Statement as necessary. Changes may also be based on changes in data protection legislation.