Recruitment Process Data Protection Notice
1. GENERAL
The purpose of this notice is to provide privacy information required by the EU General Data Protection Regulation (hereinafter “GDPR”) to the data subject.
2. THE DATA CONTROLLER AND CONTACT DETAILS
Normet Group Oy acts as the data controller in accordance with this data protection notice.
3. THE NAME OF THE REGISTER
This notice describes the processing activities relating to recruitment processes of Normet. Data subjects with regard to this processing are the persons who have applied for a job at Normet.
4. THE PURPOSE OF PROCESSING AND APPLICABLE LEGAL BASIS FOR PROCESSING
Purpose of Use: Recruitment
Legal Basis: Performance of employment contract, legitimate interests of Normet and/or consent of the data subject
Categories of Personal Data: “The name and contact details (email, phone number, address), age, title, current employment, employment history, education, other information related to the job application that the applicant has voluntarily given to the data controller, such as a salary request. Based on the applicant’s consent, suitability assessments, references and other additional information may be obtained about the applicant.”
5. RETENTION PERIOD OR THE CRITERIA USED TO DETERMINE THAT PERIOD
The recruitment material and documentation are stored for the duration of the entire recruitment process and for one year from the closing of the recruitment process. If the candidate applies for another position or updates his or her own candidate profile before the end of this period, the retention period restarts from that moment. If the applicant is selected for the open position, the retention times are further described in Normet’s separate HR data protection notice.
6. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
Subject to applicable laws, personal data may be transferred or disclosed within Normet Group to other group companies, some of which may be located outside the European Economic Area (“EEA”). Prior to transferring personal data outside the EEA, the relevant group companies will enter into a data transfer agreement incorporating the EU Commission Standard Contractual Clauses (see further information at EU Commission’s website).
Additionally, Normet may transfer or disclose personal data to authorities, where required to do so by applicable laws.
7. TRANSFERS OF PERSONAL DATA
The data controller uses subcontractors in the processing of personal data, some of which are located outside the EEA. Where personal data is transferred to subcontractors located outside the EEA, Normet will enter into a data transfer agreement incorporating the EU Commission Standard Contractual Clauses with the subcontractor (see further information at EU Commission’s website).
In order to ensure the protection and security of data, the controller makes the appropriate contract required by the GDPR with the subcontractors used for processing data.
8. SOURCES OF COLLECTING PERSONAL DATA
Personal data is collected in the recruitment process from the data subject himself or herself and also from other sources if the data subject consents to this.
9. RIGHTS OF THE DATA SUBJECT
9.1. Right of Access and Data Portability
The data subject has the right to receive confirmation from the data controller as to whether or not personal data concerning him or her is being processed, or whether personal data has been processed. Where the data controller processes personal data concerning the data subject, the data subject has the right to receive the information contained in this document and a copy of the processed personal data. The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic form, unless otherwise requested by the data subject.
9.2. Right of Rectification, Right of Erasure and the Right to Object to Processing
The data subject also has the right to obtain from the controller the rectification or erasure of personal data concerning him or her and the right to prohibit the processing of personal data for direct marketing purposes. In certain cases, the data subject also has the right to request from the controller restriction of processing of personal data or otherwise object to processing.
9.3. The Right to Withdraw Consent
In situations where the controller processes personal data of the data subject on the basis of his or her consent, the data subject has the right to withdraw his or her consent. The withdrawal of consent does not affect the legality of the processing that has happened prior to the said withdrawal.
9.4. The Right to Lodge a Complaint to the Supervisory Authority
In the case that the data subject finds the processing of his or her personal data unlawful, he or she has the right to lodge a complaint with a supervisory authority.
9.5. Using the Rights
All the requests mentioned here shall be provided to the above-mentioned contact person of the controller.
10. SECURITY OF PROCESSING
Only persons within the Normet group whose employment tasks include responsibilities relating to the personal data in connection with the recruitment process have access to the data and user rights for adding and modifying the information. The HR department controls the processing of employee data and gives access only to such personal data as is necessary for the conduct of a task in connection with the recruitment process.
Appropriate access control is arranged in the business premises. Work equipment, such as computers, is protected with, inter alia, passwords, firewalls, regular security updates and SSL / encrypted connections. The storage of documentation containing personal data is securely arranged.