suomeksisuomeksi

Kemppi - Employee Candidate Data Fair Processing Notice



This candidate Personal Data Fair Processing Notice (“Notice”) relates to the processing of personal information concerning candidates of Kemppi Group and its subsidiaries (“Kemppi Group”, “we”). Kemppi Group Oy acts as a data controller for those employee candidates (“Candidate”) who apply for an employment at Kemppi Group directly, via service partner such as recruitment agency or whose information is collected for possible employment.

This Notice sets out the types of personal data that we collect and process about candidates, the purposes for which we process personal data relating to candidates and the rights that you have in relation to the personal data that we process of you. It also outlines the standards by which we will process personal data relating to candidates.

In relation to any candidate located in the European Union (“EU”) or the European Economic Area (“EEA”), the Kemppi Group company which search for a potential new employee acts as the data controller for any personal data relating to that candidate. As a data controller, that Kemppi Group company is responsible for ensuring that the processing of personal data complies with applicable EU data protection law. Data Protection is about confidence, protecting your privacy and personal data is of vital importance to us. Therefore we collect only as much information as is necessary to evaluate your suitability, to offer you a suitable job and making the selection decision.

This Notice can also be found on Kemppi Group’s web page (www.kemppi.com). If you have questions or comments concerning this Notice, please take contact to the person(s) set out in section 2 of this Notice.

  1. Controller

    Kemppi Group Oy
    Business id 2051826-1
    Kempinkatu 1
    15810 Lahti

  2. Yhteyshenkilöt henkilötietojen käsittelyä koskevissa asioissa

    Data controller’s contact person: Miia Ylikorpi
    Company: Kemppi Oy
    Address: Kempinkatu 1, 15810 Lahti
    Email and phone number: miia.ylikorpi@kemppi.com, +358 3 89911

    Data protection officer: Päivi Rahkonen
    Company: Kemppi Group Oy
    Address: Kempinkatu 1, 15810 Lahti
    Email and phone number: paivi.rahkonen@kemppi.com, +358 3 89911

  3. The purposes of the processing of personal data and the legal basis for the processing

    Candidates personal data is processed for fulfilling data controller’s legitimate interest. The legal basis for processing personal data relating to candidates, is the relationship which begins when the candidate leaves an application in order to be selected for an employment at data controller. In order to process applications and complete the recruitment, it is necessary to process candidates’ personal data.

    Personal data relating to candidates is processed in particular for the following purposes:
    • receiving applications
    • processing and storing applications
    • contacting with the candidate
    • evalution of candidate’s suitability for the position
    • offering suitable jobs
    • defining the terms and conditions for possible employment.

  4. Categories of personal data

    For the possible employment relationship and recruitment purposes, as set out in section 3, we process the following personal data or categories of personal data relating to candidates:
    • candidate’s basic data, such as name, address, phone number, nationality, e-mail address
    • candidate’s educational data such as education, degree, main subject, graduation year, educational organization
    • candidate’s work history and experience such as current and previous positions, employers’ name, duration of employment
    • candidate’s certificates such as certificates of employment, education or qualification
    • candidate’s behaviour and competence related evaluation data like evaluation of natural behaviour or capability assessment

  5. Sources of personal data

    Personal data relating to candidate is collected from the candidates themselves. Personal data relating to candidates can also be collected from public sources and can also be generated through automatic methods for example in case when the candidate conducts a self-evaluation of own behaviour. Personal data relating to employees is collected in the following manner:
    • Provided by the candidate directly to Kemppi’s or Kemppi’s service provider’s information system or via email, phone or mobile application;
    • Provided by the candidate and saved to the information system by Kemppi Groupäs employee or Kemppi’s service provider
    • As automated report from information system based on the data provided by the candidate
    • From general public sources, used for professional purposes, such as Linkedin.

  6. Personal data retention

    Personal data relating to candidates are retained as long as it is necessary for the purposes for which they are processed, as set out in section 3, or as required by law or a contract for which the candidate is subject to. After the recruitment process, candidates’ personal data is retained as long as the candidate has the right to challenge or take legal action for not being selected, which is 12 months.

    With candidate’s consent to be contacted after the recruitment case is closed, candidate’s personal data is retained totally for the period of 12 months. The candidate can any time cancel his/her consent by informing about the cancellation to e-mail address gdpr@kemppi.com. It is to noted that when the candidate cancels her/his consent, we remove the personal data and cannot later contact the candidate.

  7. Data processors

    Kemppi Group employees, who are committed to confidentiality, may process personal data in accordance with EU data protection legislation. The data controller shall ensure that only persons authorised to process and persons for whom the processing of personal data is strictly necessary in order to carry out their tasks, will have access to personal data relating to candidates. Other employees of the data controller shall not have access to personal data relating to candidates.

    The processing of personal data is also partly outsourced to service providers, which act as data processors according to applicable EU data protection legislation. For instance, a recruitment service provider may search for or evaluate candidates. The data controller ensures, by way of binding contractual arrangements, that where the processing of personal data is to be carried out by a service provider, such service provider shall implement appropriate technical and organisational measures in such manner that the processing will meet the requirements of EU data protection legislation and ensures the protection of the rights of candidates.

  8. International data transfers

    If the candidate leaves an application to be selected for a position at Kemppi Group within the EU or the EEA region, candidate’s personal data is not transferred outside the EU or the EEA.

    If the candidate leaves an application to be selected for a position at Kemppi Group in Russia, China, India or Australia, candidate’s personal data is transferred inside Kemppi Group to the selected country outside the EU and the EEA. The justification for transfer is candidate’s consent. The candidate may cancel his/her consent anytime by sending a removal request to gdpr@kemppi.com.

    EU Commission has not approved Russia, China, India or Australia as providing adequate protection for data subjects rights. As a candidate, please note that these third countries may not have data protection laws as comprehensive or protective as those provided in the member states of the EU or the EEA. Due to the risk in data protection, it is recommended to remove all high level risk data, such as personal id, from the application.

    Employees’ data transfers outside EU or EEA are protected by safeguarding based on European Commission’s standard contractual clauses for data transfers and Kemppi Group’s own risk assessment of protection and technical and organisational measures in order to ensure the adequate level of protection for the transfers of personal data.

    You may ask further information concerning the adequate protection of your personal data by directly contacting the persons set out in section 2. Similarly, if you have a privacy or personal data use concern, please take contact directly to the same contact persons.

  9. Disclosures of personal data

    Kemppi Group will not share, sell or otherwise disclose personal data relating to candidates for purposes other than those outlined in this Notice without the consent of the candidate.

    Examples of instances where personal data relating to candidates may be shared or 1 disclosed without the consent of the candidate include:
    • Compliance with laws – where it is necessary or required by law, in order to comply with legal process or government requests (including public authorities law enforcement requirements);
    • Service providers – where we use service providers in connection with the services they provide, for instance in IT support services, infrastructure and application services, evaluation and consultancy services. The data controller has ensured the protection of personal data when using service providers by way of binding contractual arrangements.
    • Kemppi Group companies – where it is necessary to disclose personal data to Kemppi Group companies for purposes consistent with this Notice. Transfers and disclosures of personal data relating to candidates from the EU or the EEA to third countries will take place as set out in section 8.

  10. Automatic decision making and profiling

    To assess the suitability of a candidate, we may use automatic decision making and profiling. We assess the suitability of candidates to make right selection and to provide suitable position and employment to the candidate.

  11. Rights of the data subjects

    Under the applicable EU data protection legislation, candidates have the following rights as data subjects:

    Right to request access to personal data

    Candidate shall have the right to request access to the personal data processed of him or her in the recruitment process by receiving a copy of the personal data undergoing processing. In Kemppi’s recruitment system, the candidate may be accessed to the system and check the data saved in the system. Concerning other personal data of him or her, the candidate may issue a request to access personal data by sending an email to gdpr@kemppi.com and specifying the scope of request:
    • CV and application
    • Assessment and self-evaluation data
    • Other data (need to be specified the in the request)

    Right to rectification and restriction

    Data controller shall ensure to the best of its ability that personal data concerning candidates stay accurate and up to date. Data controller will rectify, delete, or complete personal data that is unnecessary, inaccurate or outdated on its own initiative or as requested by the candidate. Candidate shall, nonetheless, be liable for ensuring that the personal data provided by him or her is accurate and up to date. Candidates shall, furthermore, be liable for notifying changes to the personal data provided by him or her.

    Candidates shall have the right to restrict the processing of his or her personal data. As a candidate, note that if requesting to restrict the processing of some of your data, Kemppi Group is not necessarily able process your application.

    To rectify candidate’s own personal data, employees are encouraged to take contact to the contact persons set out in section 2 of this Notice

    Right to object and erasure

    If the candidate request for objecting or erasing his or her personal data, Kemppi Group is not able process candidate’s application.

    Right to data portability

    Candidate shall have the right to receive the personal data concerning him or her, which he or she has provided to the data controller, in a commonly used format in order to transmit those personal data to another data controller. The right concerns only the data that the candidate has saved directly to Kemppi’s recruitment system.

    Right to lodge a complaint to a supervisory authority

    Candidate shall have the right to lodge a complaint to a supervisory authority where his or her rights have been violated according to applicable EU data protection legislation. You can contact your state or national data protection authority in the jurisdiction where you live. The list of national data protection authorities within the EU and the EEA: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

  12. Principles for protecting personal data

    Personal data, relating to candidates, that appears in manual or paper form is always stored in locked premises and access to such premises is granted only to persons for whom the access is strictly necessary in order to carry out their tasks. Personal data, relating to candidates, in digital form is stored in databases, which are secured with technical measures, such as firewalls and passwords. Databases are in locked premises and access to such premises is granted only to persons for whom the access is strictly necessary in order to carry out their tasks. Furthermore, employees of Kemppi Group as well as employees of service providers, that process personal data relating to candidates, have committed to confidentiality. The processing of personal data according to this Notice is also monitored by way of log file management.

  13. Changes to this Notice

    Kemppi Group or Kemppi Group company, acting as a data controller, may make changes to this Notice. Candidates are encouraged to follow this Notice at www.kemppi.com regularly, in order to get information on the possible changes to this Notice.