INFORMATION NOTICE
General Data Protection Regulation (2016/679), Articles 13 and 14
Date of drafting: 11.2.2021
We may update or revise this Information Notice / Record of Processing Activities at any time, with any notice to you as may be required under applicable law. Your right to data portability and/or restriction of processing, if applicable, will become applicable as of February 11th, 2021.
This Information Notice is provided to describe the processing of personal data in the recruitment processes of Orion Corporation and Fermion. Orion Corporation is a joint controller of Fermion’s recruitment data file. The contact information and identity of the controller and joint controller can be found in the table below.
1. Recruiting company | Controller or joint controller
Orion Corporation | Orion Corporation (Company identification number: 1999212-6), Orionintie 1A, 02200 Espoo, Finland, Tel. +358 10 4261
Fermion Oy | Fermion Oy (Company identification number: FI18552129), Koivu-Mankkaan tie 6A, 02200 Espoo, Finland, Tel. +358 10 4261; Orion Corporation, Orionintie 1A, 02200 Espoo, Finland, Tel. +358 10 4261
2. The person in charge / contact person
Contact person: Teija Piispanen, Orion Corporation, Orionintie 1A, 02200 Espoo, Finland, Tel. +358104263023, hrprivacy@orion.fi
Contact details of the Data Protection Officer: Mikko Kemppainen, e-mail: privacy@orion.fi
3. Name of the data file
Orion Corporation’s recruitment data file
Fermion’s recruitment data file
4. The purpose for processing the personal data / the legal basis for processing the personal data
The purpose for processing personal data is to enable the operation of the selection procedure for Orion Corporation’s new employees and trainees, to enable internal mobility and to select members for the organs of the company.
Personal data is also processed in the recruitment system to administer the candidate’s user account and job alert.
Personal data is processed at different phases in the recruitment, e.g. for contacting the candidate and processing job applications and talent and ability assessments. Personal data is processed by the recruiting manager and HR specialists participating in the recruitment process. When selecting a member for the organs of the company, board members of the company and committees set by the board also process personal data.
Orion Corporation may use external services in its operations and in this connection, personal data may be disclosed to the external service provider. Personal data is disclosed in order to obtain outsourced services such as recruitment, video interview and talent assessment services.
We may share your information with third parties, such as those who assist us by performing technical operations such as data storage and hosting. If ownership or control of Orion Corporation, or of all or any part of our products, services or assets, changes, we may disclose your personal data to any new owner, successor or assignee.
The processing of personal data is mainly based on the data subject’s consent. In addition, the processing of personal data can be based on the legitimate interest of the controller in order to proceed with recruitments. We only process personal data based on our legitimate interests where we have deemed, based on the balancing of interests test, that the rights and interests of the data subject will not override our legitimate interest.
5. Content of the data file
The data file may contain information relating to the following groups, when the processing of such data is necessary:
- Person’s basic information (name, date of birth, contact information)
- Information related to job search (e.g. training information, work experience, references, language skills)
- Job application, CV and other possible information and attachments delivered by the applicant
- Interview information
- Video interviews
- Information relating to talent and ability assessments
- Information relating to security clearance (with the applicant’s separate consent)
- Information specified in the application process
The job applicant can determine what information he or she gives to the recruiting company. However, if he or she refuses to give the above-mentioned information or does not consent to the talent assessment process or security clearance, this can mean in some circumstances that the recruiting company cannot proceed in the recruitment process with the candidate, as it cannot assess the candidate’s performance and suitability for the job in an appropriate way.
6. Source of information
The personal data to be processed is delivered mainly by the job applicant in the recruitment process. For the purpose of recruiting, necessary information may be obtained from other sources with the consent of the applicant or from service providers, e.g. headhunters. Information relating to security clearance is obtained from the Finnish Security Intelligence Service. Information may also be gathered from the regular operations of the controller.
7. Transfer and disclosure of personal data outside the EU and EEA
By default, personal data will not be transferred nor disclosed outside the European Union (EU) or the European Economic Area (EEA).
Possible transfers would concern only such situations where some of the service provider’s servers on which data is stored would be located outside the EU or EEA, or where the data would be processed outside the EU or EEA to fulfil technical support. If this would happen, data is transferred and processed in a legal manner with adequate safeguards.
8. Retention period of the personal data
The controller retains personal data for a maximum period of 2 years. The information on submitting the security clearance will be retained for a maximum period of 5 years (only the date of the security clearance and its effect on the recruitment will be retained). Personal data related to applicants who haven’t been appointed to the company’s organs will be deleted after the member selection process.
The controller may store data for a longer period when it is necessary in order for the controller to satisfy legal or contractual obligations or defend legal claims.
The controller will delete the information when there is no longer any defined purpose for the storage.
9. The principles by which the data file is secured
A. Manual data file
The manual data shall be stored in an area with restricted access, available only to authorized persons.
B. Electronic information
The protection of the data file utilizes technical data protection (several security mechanisms) and electronically stored information is accessible only to authorized persons.
10. Right of access and right to data portability
The data subject shall have the right of access, after having supplied sufficient search criteria, to the data on himself/herself in the recruitment data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information on the sources of data in the file, on the uses for the data in the file and the destinations of disclosed data.
The data subject who wishes to have access to the data on himself/herself, as referred to above, shall make a request to this effect to the person in charge at the controller by a personally signed or otherwise comparably verified document and by verifying his or her identity by attaching a copy of an official identification document.
The data subject has the right to data portability (EU General Data Protection Regulation Art 20), i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine-readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.
11. Right to withdraw consent
In case the legal basis for processing the personal data is the consent of the data subject, the data subject has the right to withdraw the consent.
The request regarding the withdrawal of the consent must be made to the person in charge of the data file by a personally signed or otherwise comparably verified document which must be presented to the representative of the controller named under section 2 hereof.
Withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful.
12. Rectification, restriction of processing and erasure
A controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
The data subject shall have the right to obtain from the controller restriction of processing if the data subject has contested the accuracy of the processed personal data; if the data subject has claimed that the processing is unlawful and the data subject has opposed the erasure of the personal data and has requested the restriction of their use instead; if the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or if the data subject has objected to processing pursuant to the EU General Data Protection Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted based on the above grounds, the data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
If the controller refuses the data subject’s request for the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.
The controller shall undertake reasonable measures to notify the controllers to whom the data has been disclosed and who are processing the data of the erasure. However, there is no duty of notification if this is impossible or unreasonably difficult.
Requests for the above uses of the data subject’s rights shall be made by contacting the representative of the controller named under section 2 hereof.