OP Financial Group's Recruitment data file

Privacy Notice

Created or edited on: 15 April 2024

1. Overview

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject and for the supervisory authority.

2. Controller and its contact information

Each OP Financial Group employer
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
Controller's contact person: HR Service Centre
Telephone: +358 (0)10 2524627
Email address: hr-palvelut@op.fi

3. Data Protection Officer's contact information

OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email: dataprotection@op.fi

4. Name of the personal data file and data subjects

Recruitment data file
Each OP Financial Group employer has their own recruitment data file. This Privacy Notice describes how personal data is processed in each of controller’s (each OP Financial Group employer) own recruitment data file.
The data subjects of the data file are OP Financial Group's internal and external applicants who are seeking jobs advertised by the controller. The applicant can save their basic information in the recruitment system, in which case this becomes an open application. If a person after this focuses their application to a vacancy and fills in the supplementary questions related to the vacancy, this becomes a position-specific application. As a rule, applicants can focus their applications to a specific position themselves, but this may also be done by a recruitment expert with the consent of the applicant.
The data file also contains, in accordance with the retention periods specified in advance, data on job applicants who participated in past recruitment processes but were not selected for open positions.

5. Purposes of personal data processing and legal basis for processing

Purposes of processing

The main purpose of personal data processing is to collect data on data subjects required for the selection of an employee. Data is collected only to the extent required by the implementation of the recruitment.
The purposes of personal data use include the following:
  • personal data processing required for filling vacancies, from the submission of an application to the selection of the employee(s) (i.e. implementation of the recruitment process), including evaluation of applicants and informing applicants of the choices made
  • analysis of the candidate experience of applicants
  • concluding an employment contract with the selected employee(s)
  • collecting statistics on the recruitment process
  • using the data for information purposes, such as notification of vacancies and OP Financial Group’s events and functions
  • performing or commissioning security clearances and other assessments and background checks permitted by law
  • implementing labour law rights and obligations
  • ulfilling statutory obligations and any other official rules and regulations


Processing of personal data held in the data file includes profiling. Profiling means the automated processing of personal data in order to evaluate certain personal characteristics. Profiling is used for suitability tests done during recruitment, to assess applicants’ characteristics as potential employees. Suitability tests are part of the overall assessments performed when hiring staff and are used in support of recruitment decisions. The goal is to find the most suitable candidate for the role.

Legal bases of processing

The table below describes the legal bases for processing personal data contained in the data file and provides examples of processing performed on each basis.
Legal basis Example
Actions preceding the conclusion of a contract Personal data is processed in the data file to conclude an employment contract with the selected applicant.
Legitimate interests of the controller or a third party The controller has a legitimate interest to process the personal data of applicants to implement the recruitment process. There is a factual connection between the controller and the data subject, based on the data subject’s application.

On this basis, the controller may also process personal data in order to demonstrate compliance with the statutory obligations related to the selection of employees and to prepare and present a legal claim or to defend it.

The controller ensures that the processing performed on this basis is proportionate to the data subject's benefits and meets their reasonable expectations.
Consent Consent acts as a basis for processing in the data file, for example when the controller asks the data subject to participate in certain recruitment assessments or asks the data subject to authorise the necessary background studies.

With the consent of the data subject, the open application submitted by them can be used to find suitable candidates for vacancies based on applications entered into the recruitment system.
Legal obligation When processing is necessary for a controller to fill a legal obligation, the legal obligation serves as the reason for data processing.

6. Categories of personal data

Category of personal data Data content of the category
Basic information
A person's basic information, typically processed in the application phase

Contact details (address, email address and telephone number)
Other identification details (such as the application ID)

Additional basic information processed on the person selected for the position
More detailed information for the employment contract, such as personal identity code / date of birth, first names, nationality and work permit information, gender, information on connections with the United States, and confirmation of reliability by employees involved in the distribution of insurance
Consents Consents given by the data subject to any personal assessments and necessary background studies

The data subject's consent to the use of an open application in several recruitment processes
Particulars related to the recruitment Tasks and events related to managing the recruitment process, such as information concerning a possible interview
Background information
Background information typically processed includes:
  • information on education and degrees
  • previous work experience
  • language skills
  • competencies
  • CV and covering letter, as well as any other appendices
  • LinkedIn profile
Profiling data Applicant information derived from suitability tests
Areas of interest Positions of interest to the data subject, and their locations
Behavioural information (incl. information collected using cookies and other such technologies) In the case of data subjects who submitted their application on the website, information is stored of the website from which they entered OP’s recruitment site. The data collected include, for example, IP address.
Recordings and content of messages Communications between the controller and the data subject

During the recruitment process, recordings are collected/produced for, inter alia, the following activities: assessment queries and video interviews.
Technical verification data Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary

7. Recipients and recipient groups of personal data

Data recipients

The collected personal data may be disclosed within OP Financial Group or to parties outside it based on the data subject's consent or a legal obligation.

When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation.

Data recipients include:

  • Finnish Security Intelligence Service (security clearances)
  • Relocation service providers
  • Suitability test service providers
  • Occupational healthcare service providers (drug tests)

Transfer of data to suppliers

The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers. Some of the suppliers used are other OP Financial Group entities, some are the Group's external recruitment partners.

International transfers of data

The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.

8. Personal data retention period or criteria for determining the period

The controller will retain search-specific data 24 months from the date of termination / selection decision of a search.

The controller will delete or anonymise the data after the end of the retention period, so that an individual person cannot be identified from the data.

OP Financial Group's external applicant can remove their applicant profile from the recruitment system at any time.

9. Personal data sources and updates

Personal data is collected primarily from data subjects themselves during the filling of the application.

With respect to an applicant considered for a position, personal data may also be collected and updated from the data files of third parties (background studies), such as:

  • the Finnish Security Intelligence Service for a possible safety clearance, with the data subject’s consent
  • credit information register controllers within the limits permitted by law

10. Data subject’s rights

Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to erase their external applicant profile.

In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

11. Right to cancel prior consent

If the controller processes the data subject's personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation.

12. Protection methods regarding the data file

The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

Data will be processed as confidential and may be used only by those who need the data in their work. Archiving and disposal of data is performed in compliance with the rules and regulations in force from time to time, and unnecessary or outdated data will not be retained.

The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:

  • Protection of equipment and files
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires that its suppliers and other partners ensure appropriate protection of the personal data to be processed