Data protection

Privacy notice of the job applicant register

1. Controller

GRK Infra Oyj (business ID 0533768-1)
Address: Jaakonkatu 2, 01620 Vantaa
Phone: +358 10 321 4110
Email: tietosuoja@grk.fi

2. The name of the register

Job applicant register

3. Purposes and legal grounds for processing personal data

This privacy notice applies to all GRK Group companies, GRK Infra Oyj, GRK Suomi Oy, GRK Sverige AB and GRK Eesti AS (hereinafter referred to as “Controller” or “GRK”).

The controller processes the personal data of data subjects in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679) and national data protection legislation.

The controller collects and processes personal data of job applicants in order to recruit new employees, on the legal basis of Article 6 of the EU General Data Protection Regulation:

Processing is necessary for the implementation of a contract to which the data subject is party or in order to move forward at the request of the data subject prior to entering into a contract (such as an employment contract).
Legitimate interest of the controller.
The data subject has given his or her consent to the processing of personal data for one or more specific purposes, for example, to carry out the capability assessment.

The controller’s electronic direct marketing (information on open jobs) can be sent to data subjects who have given their voluntary consent to electronic direct marketing. Withdrawal of consent is possible easily and at any time.

Consent to direct marketing can be withdrawn by notifying the controller or by clicking on the opt-out option in connection with each marketing message (“Unsubscribe” function), in which case the data subject’s data will be removed from the controller’s electronic direct marketing subscriber list.

The controller processes personal data for the following purposes:

Receiving and processing job applications
Carrying out recruitment activities
Evaluation and selection of job applicants
Meeting the needs related to the recruitment process
Informing about open jobs
Promoting a person’s employment

If a job applicant does not wish to disclose their data to the controller, they may not be taken into account in the recruitment process.

4. Categories of personal data processed

The personal data processed include:

Name and contact information such as address, email address and telephone number
Sex and date of birth
Educational background, information to be used for assessing eligibility and suitability
Specific competences
Language skills
Current and previous duties (employer, job title and job description)
Desired salary
Attachments such as application and curriculum vitae, photo
Information related to the recruitment process such as emails and other communication and files to be saved
Names, phone number and email of references, if any
Classifications and notes made by the employer
Other information provided by the job applicant to the controller
Other information necessary for the purpose of the register

5. Regular sources of personal data

The personal data used for recruitment purposes are mainly collected from the data subject himself/herself.

In addition, the necessary personal data will be obtained from references indicated by the data subject, from public authorities and experts involved in the recruitment process, as well as from other sources of information as may be necessary, in accordance with applicable data protection legislation.

6. Disclosure and transfer of personal data

The controller may disclose personal data to its service providers who process personal data on behalf of the controller in accordance with the controller’s instructions and data processing agreements. Personal data may also be disclosed where required by law or by public authorities based on mandatory legal provisions.

The controller collects personal data in the TalentAdore VRA recruitment system when recruiting , which is provided by Talentadore Oy (the service provider).

In principle, personal data will not be transferred outside the European Union or the European Economic Area. However, personal data may be transferred outside the European Union or the European Economic Area if this is necessary for the operation and maintenance of the information systems. Any transfer of personal data will always be carried out in accordance with the applicable data protection legislation.

7. Retention of personal data

The controller actively processes personal data during the recruitment process. After the end of the recruitment process, the personal data will be retained for as long as necessary to fulfil the rights and obligations of the controller and to respond to any requests, but not more than two years after the recruitment decision has been taken.

In certain cases, personal data may be kept longer, with the consent of the data subject, for example for future recruitment processes. In such cases, the individual will be asked for his/her consent to longer storage and the personal data will be stored for the period indicated when giving consent.

Personal data may also be kept for a longer period if this is necessary to fulfil an obligation imposed on the controller by law, regulation or other public authority.

8. Protection and security of personal data

Access to the register of personal data is only granted to representatives of the controller who are bound by the obligation of confidentiality and who have a legitimate need to process the data of the register for the exercise of their duties.

The controller has provided its employees and service providers with binding written instructions and provisions on the processing of personal data and data protection, which they have undertaken to comply with.

The security of information systems is adequately ensured, including through encryption and other technical safeguards.

We regularly review our personal data processing activities and the systems and devices used in them, including assessing the risks inherent in our personal data processing activities, for example when new technologies are introduced.

9. Automated processing of personal data and profiling

The controller does not use automated decision-making, such as automated profiling, as part of its personal data processing activities.

10. Rights of the data subject

The data subject has rights under the EU General Data Protection Regulation.

Right	Description
Right of access to personal data	The data subject has the right to obtain confirmation from the controller that personal data concerning him or her are or are not being processed. If personal data are processed, the data subject has the right of access.
Right to request rectification, erasure or restriction of processing	The data subject has the right to request the controller to rectify inaccurate data concerning him or her and to erase any personal data concerning him or her on the grounds provided by law.
Right to object	The data subject has the right to object to the processing of his or her personal data on grounds relating to his or her particular situation, where the controller processes the personal data on the basis of a legitimate interest.
Right to withdraw consent	Where personal data of the data subject is processed on the basis of his or her consent, the data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out on the basis of consent prior to its withdrawal.
Right to data portability	The data subject has the right to receive personal data concerning him or her which he or she has provided to the controller in a commonly used and machine-readable format and the right to transmit such data to another controller without the controller’s interference, where the processing is based on consent or on a contract and the processing is carried out automatically. The data subject shall have the right to obtain the transfer of personal data directly from one controller to another, where technically possible.
Right to file a complaint to the supervisory authority	Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to submit a complaint to a supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of work or where the alleged breach has occurred, if he or she considers that the processing of personal data concerning him or her infringes the GDPR. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact details and instructions can be found at www.tietosuoja.fi.

Exercising the rights

The data subject may exercise his or her rights by contacting the controller’s representative using the contact details provided in section 1. The controller will endeavour to respond to the request as soon as possible and, if necessary, provide further instructions or ask further questions about the request.

Before executing the request, the controller has the right and the obligation to verify the identity of the person making the request, which is why the controller must be able to identify the person making the request in an appropriate manner.

If the request is clearly unjustified or unreasonable, the controller may either charge a reasonable fee based on administrative costs for carrying out the requested action or refuse to carry out the requested action.

11. Further information

For further information on the processing of personal data, please contact us using the contact details provided in section 1 of this privacy notice.

The controller may update this privacy notice from time to time. This privacy notice was last updated on 16 May 2024.