Recruitment Register
Privacy Statement

Last updated
April 19, 2024

Data Controller
Metsäavain Oy (2908433-2)
Tervasuontie 211 A
82110 Heinävaara

Contact person for data protection matters
Akseli Juurinen
akseli.juurinen@metsaavain.fi
+358 40 1606157

Legal basis for processing
Legitimate interest

Purpose of processing personal data
The purpose of the register is to support the recruitment of personnel for the company. The recruitment register is established for the purpose of recruiting employees for the data controller. The data controller has the right to use subcontractors to handle the recruitment process. In such cases, personal data may be transferred to subcontractors to the extent necessary to carry out the services (e.g., to store data on servers managed by a third party on the data controller’s behalf). In personal testing, psychological evaluations, and similar processes, the legal basis for processing is the data subject’s consent.

Basis for legitimate interest
Job applicants (and employees) can reasonably expect that their personal data will be processed for the purposes described in this statement, and the processing is considered legitimate based on a balancing of the interests between the data controller and the data subject, as the impact of processing on the data subject is positive (personal data processing related to recruitment) and measures have been taken to protect the data subject’s interests (balancing test). The data controller is entitled to process personal data based on legitimate interest, unless the interests or fundamental rights and freedoms of the data subject override such interests.

Categories of personal data
Name, contact details, visual data, educational and professional information.

Recipients and groups of recipients
The data controller’s personnel who need the personal data to perform their duties. Additionally, information may be disclosed to service providers who process personal data on behalf of the data controller under confidentiality and data protection obligations. Personal data may also be disclosed to authorities in accordance with applicable law, where required by law.

Consent
The right to withdraw consent if consent is the legal basis for processing: by notifying the data controller via the contact details listed above.

Content of the register

  • Name

  • Address

  • Phone number

  • Email address

  • Photo (or video)

  • Basic education and qualifications, including dates

  • Other completed training

  • Application and software usage skills, other special expertise

  • Language skills

  • Current position (employer, job title, and job description)

  • Key previous positions (employer, job title, and job description)

  • References

  • Possible image of the applicant

  • CV

  • Other possible information provided by the data subject

Regular sources of information
The primary source of information stored in the register is the data subject, i.e., the job applicant. Additionally, data is compiled from information recorded during the recruitment process. Other potential sources may be used within the limits prescribed by law. Providing personal data is a statutory requirement for job applicants in relation to entering into an employment contract.

Retention period for personal data
Personal data of data subjects will be stored in the register for 6 months from the submission of the job application, after which it will be anonymized.

Regular disclosures of information
The data in the register will not be disclosed to third parties unless necessary for the recruitment process.

Transfer of data outside the EU or EEA
The data in the register will not be transferred outside the EU or EEA.

Data protection principles A: Manual data
Employment contracts are stored in a locked cabinet, accessible only to the archive keeper. All other data related to the register is in electronic form, and the data is processed electronically only. Access to the register’s information is limited to those who need it for tasks such as supervising, payroll processing, or other employment-related matters. The register is stored on a secure server located in Finland. The protection and processing of data in the register comply with the provisions and principles of the Data Protection Act, the requirements of authorities, and good data processing practices.

Data protection principles B: Electronic data
Access to the data in the register is limited to those who need it for handling matters related to the recruitment process. The register is stored on a secure server located in Finland. The data in the system is protected from unauthorized access by network login credentials and user-specific access controls. The protection and processing of data in the register comply with the provisions and principles of the Data Protection Act, the requirements of authorities, and good data processing practices.

Automated processing and profiling
The processing of personal data in recruitment does not involve automated decision-making. If, at any stage of the recruitment process, the personal characteristics of a job applicant are assessed in a way that involves profiling, consent will be requested for the specific purpose of such processing.

Right to access personal data
The data subject has the right to check what data is stored about them in the register. Access requests must be made in writing, either through customer service or from a verifiably identifiable email address.

Right to data portability
The data subject does not have the right to transfer data to another system.

Right to request correction of data
If personal data in the register is incorrect, unnecessary, incomplete, or outdated for the purpose of processing, it must be corrected, deleted, or completed. Requests for correction must be made in writing, signed by hand, and sent to the company’s customer service or from a verifiably identifiable email address. The request should specify which data needs to be corrected and the grounds for the correction. The correction will be made without undue delay. The correction will be communicated to the person from whom the incorrect data was obtained or to whom the data has been disclosed. If the correction request is denied, the data controller will provide a written certificate explaining the reasons for the denial. The data subject may refer the matter to the Data Protection Ombudsman for a decision.

Right to restrict processing
The data subject has the right to request a restriction on processing, for example, if the personal data in the register is incorrect. Contact the data controller for more information.

Right to object
The data subject has the right to request access to their personal data and has the right to request the correction or deletion of personal data. Requests can be directed to the contact person for the register.

Right to lodge a complaint with the supervisory authority
If you believe that your personal data is being processed in violation of data protection laws, you have the right to lodge a complaint with a supervisory authority. You can file a complaint in the country where you reside or work. The contact information for the national supervisory authority is:
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Mailing address: P.O. Box 800, 00531 Helsinki
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi

Other rights related to the processing of personal data
The data subject has the right to object to the disclosure and processing of their data and/or to be completely forgotten, if the legal basis for processing and other requirements allow for it.