Elisa’s data protection principles for personal data in recruitment

  1. Subject of the principles
    These data protection principles apply to the personal data of persons applying for a position as an employee or manager (hereinafter the “Applicant”) at Elisa Corporation or its affiliates (hereinafter “Elisa”).
  2. Controller
    The controller is Elisa Corporation along with subsidiaries owned 100% by Elisa Corporation.

    Elisa Corporation
    PL 1
    00061 ELISA

    Contact point for register-related matters:

    The data protection officer (DPO) is the Elisa DPO.
  3. Processed personal data groups
    Elisa shall process data necessary for recruitment including the following:
    • Name, social security number, nationality, home address, phone number, email
    • Language skills
    • Education and work experience
    • The job application sent by the applicant with all its appendices, a summary and video recording of a job interview, if applicable, as well as the results of a suitability test by a third-party psychologist and
    • Other information relevant to recruitment.

    The personal data of hired persons shall be transferred into the human resources register of the Elisa group company that hired them.
  4. Purposes of processing
    Personal data shall be processed for recruitment and for compiling statistics.
  5. Legal basis for processing
    The processing of data is based on the Applicant’s consent. The basis for processing may also be the employment contract being prepared or negotiated. The contract is the basis of the processing of data relevant for the contract.
    In addition, some of the data may be processed based on Elisa’s legitimate interests. In such cases, processing shall be necessary for accomplishing Elisa’s legal interests that can be clearly expressed, and the employee’s rights and benefits shall not override Elisa’s legitimate interests. Such legitimate interests include:
    • Processing for the benefit of the employee

    Personal data shall also be processed when the processing is necessary for fulfilling a legal obligation of a controller.
    Automatic decision-making may be used, for example, as a way of processing recruitment applications in such a way that speeds up decision-making.
  6. Source of personal data
    The source of personal data is the Applicant himself or herself. In addition, on a case- by-case basis, the source of data may also be a third-party psychologist or consultant or another person participating in recruitment in relation to the recruit’s suitability and competence, or a referee named by the Applicant, for example. Sources of data may also include occupational health care providers or an authority. An Applicant will leave technical traces by using Elisa’s electronic recruitment channel.
  7. Recipients of personal data
    Elisa may submit applicants’ personal data to occupational health care providers or the authorities.
  8. Transfer of personal data to third countries
    Some systems related to human resource management, such as the electronic recruitment systems, may also be maintained from outside the EU. In addition, some processes related to human resource management may be conducted outside the EU , such as the processing of personal data at foreign subsidiaries. In addition, the implementation of Elisa’s business involves several sub-contractors in other countries for issues such as system administration and fault resolution. This may involve the transfer of employees’ personal data. All transfers abroad shall be made using legitimate, suitable and appropriate security measures.
  9. Criteria for determining the retention period for personal data
    Personal data shall be deleted when its processing is no longer necessary. The retention period for a job application sent through the electronic recruitment system is generally two years at most. Legal retention requirements, such as those arising out of the Non-Discrimination Act and Equality Act, shall also be considered when determining retention periods.
  10. Data subject’s rights
    Right to inspect one’s own data: A person has the right to inspect data related to them- selves.

    Right to request correction of data: A person has the right to demand Elisa to correct any inaccurate and erroneous data related to himself or herself. The correction must be made without unnecessary delay. A person also has the right to supplement incomplete personal data in the form of a supplementary report, for example.

    Right to transfer one’s own data: In certain situations, a person has the right to transfer personal data related to themselves that he or she has provided Elisa to another controller when the processing is based on consent or an agreement.

    Right to request deletion of data or restriction of processing or to object to the processing of data: If the reasons for processing personal data no longer exist, a person has the right to request the deletion of their data.

    In addition, a data subject has the right to file a complaint about the processing of personal data to a supervisory authority.