1. General information
2. Controller and its contact information
Street address: Gebhardinaukio 1, 00510 HELSINKI
Controller's contact person: HR Service Centre
Telephone: +358 (0)10 2524627
Email address: firstname.lastname@example.org
3. Data Protection Officer's contact information
Postal address: P.O. Box 308, 00013 OP
4. Name of the personal data file and data subjects
5. Purposes of personal data processing and legal basis for processing
Purposes of processing
- personal data processing required for filling vacancies, from the submission of an application to the selection of the employee(s) (i.e. implementation of the recruitment process), including evaluation of applicants and informing applicants of the choices made
- concluding an employment contract with the selected employee(s)
- collecting statistics on the recruitment process
- using the data for information purposes, such as notification of vacancies and OP Financial Group’s events and functions
- implementing labour law rights and obligations
Legal bases of processing
|Actions preceding the conclusion of a contract||Personal data is processed in the data file to conclude an employment contract with the selected applicant.|
|Legitimate interests of the controller or a third party||The controller has a legitimate interest to process the personal data of applicants to implement the recruitment process. There is a factual connection between the controller and the data subject, based on the data subject’s application.
On this basis, the controller may also process personal data in order to demonstrate compliance with the statutory obligations related to the selection of employees and to prepare and present a legal claim or to defend it.
The controller ensures that the processing performed on this basis is proportionate to the data subject's benefits and meets their reasonable expectations.
|Consent||Consent acts as a basis for processing in the data file, for example when the controller asks the data subject to participate in certain recruitment assessments or asks the data subject to authorise the necessary background studies.
With the consent of the data subject, the open application submitted by them can be used to find suitable candidates for vacancies based on applications entered into the recruitment system.
6. Categories of personal data
|Category of personal data||Data content of the category|
A person's basic information, typically processed in the application phase
Contact details (address, email address and telephone number)
Additional basic information processed on the person selected for the position
More detailed information for the employment contract, such as personal identity code / date of birth, first names, nationality and gender
|Consents||Consents given by the data subject to any personal assessments and necessary background studies
The data subject's consent to the use of an open application in several recruitment processes
|Particulars related to the recruitment||Tasks and events related to managing the recruitment process, such as information concerning a possible interview|
Background information typically processed includes:
|Areas of interest||Positions of interest to the data subject, and their locations|
|Behavioural information (incl. information collected using cookies and other such technologies)||In the case of data subjects who submitted their application on the website, information is stored of the website from which they entered OP’s recruitment site. The data collected include, for example, IP address.|
|Recordings and content of messages||Communications between the controller and the data subject
During the recruitment process, recordings are collected/produced for, inter alia, the following activities: assessment queries and video interviews.
|Technical verification data||Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary|
7. Recipients and recipient groups of personal data
The collected personal data may be disclosed within OP Financial Group or to parties outside it based on the data subject's consent.
When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation.
Transfer of data to suppliers
The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers. Some of the suppliers used are other OP Financial Group entities, some are the Group's external recruitment partners.
International transfers of data
The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.
Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.
8. Personal data retention period or criteria for determining the period
The controller will retain search-specific data 24 months from the date of termination / selection decision of a search.
The controller will anonymise the data after the end of the retention period, so that an individual person cannot be identified from the data.
OP Financial Group's external applicant can remove their applicant profile from the recruitment system at any time.
9. Personal data sources and updates
Personal data is collected primarily from data subjects themselves during the filling of the application.
With respect to an applicant considered for a position, personal data may also be collected and updated from the data files of third parties (background studies), such as:
- the Finnish Security Intelligence Service for a possible safety clearance, with the data subject’s consent
- credit information register controllers within the limits permitted by law
10. Data subject’s rights
Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to erase their external applicant profile.
After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All of the above requests must be submitted to the abovementioned contact person of the controller.
If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.
11. Right to cancel prior consent
If the controller processes the data subject's personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation.
12. Protection methods regarding the data file
The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
Data will be processed as confidential and may be used only by those who need the data in their work. Archiving and disposal of data is performed in compliance with the rules and regulations in force from time to time, and unnecessary or outdated data will not be retained.
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:
- Protection of equipment and files
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires that its suppliers and other partners ensure appropriate protection of the personal data to be processed