Register of job seekers
General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19
1. Data controller
For the part of the information in the Job seeker profile Suomen Osuuskauppojen Keskuskunta (SOK) is the data controller.
For the part of the Job application information (application form with annexes) the data controller is the company belonging to the S Group from where the applicant is applying for a job.
2. Contact information of the Data Protection Officer
Heljä-Tuulia Pihamaa, firstname.lastname@example.org
3. Keeper of the register
At SOK HR Manager Mari Junnila, email@example.com
The register matters of the regional cooperatives and the subsidiaries are processed at the HR departments of each employer company.
Additional information and contact information:
|Helsingin Osuuskauppa Elantofirstname.lastname@example.org|
|Inex Partners Oyemail@example.com|
|Kymen Seudun Osuuskauppafirstname.lastname@example.org|
|Osuuskauppa Hämeenmaa, ml. Vesijärven Auto Oyemail@example.com|
|SOK Liiketoiminta Oyfirstname.lastname@example.org|
|S-pankki-konserni, ml. FIM Oyjemail@example.com|
|Suomen Osuuskauppojen Keskuskunta (SOK)||firstname.lastname@example.org|
|Suur-Seudun Osuuskauppa, ml. Lohjan Autokeskus Oy ja PP-Auto Oyemail@example.com|
4. Name of the register
Register of job seekers
5. Purpose of processing personal data
The personal data stored in the system is used for the selection of suitable persons for vacant positions within the S Group.
6. Basis for processing personal data
Executing a contract or the measures preceding execution.
Consent, as applicable
7. Description of the data controller’s legitimate interest
The processing of personal data is not based on the data controller’s legitimate interest.
8. The processed personal data
In the job advertisement: name and contact information of the recruiting superior.
In the job application profile: the job seeker’s name and contact information.
Optional: the job seeker’s date of birth, sex, link to a profile (e.g. Linked In), information provided in the free text box.
In the job application: Name, basic information, degrees, skills, work history, task-specific questions.
The job seeker’s degree information, courses, work history, skills.
The job seeker can also include a photo and own CV, or other attachments and a link to LinkedIn, the names and contact information of referees.
The job seeker can say whether the application may also be used for other recruitments.
A video interview tool (RecRight) can be used in the recruitment process. When an applicant enters the RecRight service, the tool records the applicant's name, phone number, email address and a video that will be stored in RecRight’s database. This information will also be collected from the supervisor who is responsible for recruitment and who has recorded the interview questions on video.
Open recruiting: In case the company has made open recruiting possible, then a person may fill in an open application.
9. The registration groups and the processed personal data groups
Job seekers or the persons who are applying, or have applied, for a job in the data controller’s service, or who have filled in the job application profile in order to later apply for a job in an S Group’s company.
Contact information, background information, skills, work history
10. Information source and a description of the information sources in case the information is gathered from public sources
The information in the register is mainly gathered from the job seeker. In case information is gathered from a source other than the job seeker (for example, a suitability assessment from a partner, or credit information check), permission must be asked for separately from the job seeker.
11. Receivers of the personal data
As a rule, personal data is not handed over. However, if the job seeker gives permission for this, their name and phone number may be handed over to a partner for the purpose of making a suitability assessment. Information may also be handed over to partners outside the S Group that process applications.
When the video interview tool is used in the recruitment process, the applicant's name, phone number and email address as well as the recorded video will be transferred to the data controller's external partner. The same information concerning the supervisor responsible for the recruitment will also be transferred. RecRight will act as the processor of personal data.
12. Transfer of personal data to third countries or international organisations and the used guarantees of protection
Personal data is not transferred outside the EU or the EEA.
13. Period for storing personal data or the criteria for determining the period for storing the data
Job application data is preserved for two years after the recruitment in question is closed, after which the data is removed automatically. Also, the job application profile is removed in cases where the applicant has not updated it for two years.
The suitability assessments are stored for the ongoing year + 1 year.
The storage times are based on the limitation periods for bringing proceedings defined in the acts on equality and parity.
14. The data subject’s rights
The data subject has the right to access his/her own personal data as laid down in Article 15 of the General Data Protection Regulation (GDPR).
The data subject has the right to demand that the data controller corrects eventual incorrect or erroneous information as laid down in Article 16 of the Data Protection Regulation.
The data subject has the right to have his/her personal data removed in case the preconditions stated in Article 17 of the Data Protection Regulation are met.
The data subject has the right to restrict the processing of his/her personal data in case the preconditions stated in Article 18 of the Data Protection Regulation are met.
The data subject has the right according to Article 20 of the Data Protection Regulation to move the personal data from one system to another for the part for which the data was received from the data subject, its processing is automatic and its processing is based on consent or agreement.
The data subject has the right based on Article 21 of the Data Protection Regulation to object to the processing of the data that applies to him/her, in case the data was gathered in order to perform a task that concerns the common good, or based on legitimate interest, in case the other criteria included in the Article are met.
In case a person wishes to exercise his/her rights or to have more information about the handling of the personal data then he/she may contact the data controller mentioned in this statement.
The data subject has the right to file a complaint with the supervisory authority.
15. Withdrawal of consent
So far as the processing of the information is based on consent, the data subject has, according to Article 7 of the Data Protection Regulation, the right to withdraw their consent at any time. After the withdrawal, the data controller no longer has the right to use the personal data for such purposes that have no other grounds for processing except for the consent. Consent may be withdrawn by notifying it to the data controller.
16. Effects on an agreement of not providing personal data
In case a job seeker does not provide his/her personal data that the data controller needs, it is possible that he/she cannot be selected for the applied task.
17. Key information for automated decision-making or profiling
No automated decision-making or profiling is associated with the personal data processing.
18. Effects of the processing of personal data and a general description of the technical and organised safety measures
The register functions solely on S Group’s internal network. Processing the data complies with the legislation pertaining to processing, protecting and disclosing the data of private persons as well as the information security guidelines of SOK Corporation and the regional cooperatives.
Based on the log files, it is possible to investigate possible misuse and alterations in the register. The register has been assigned one S Group administrator and one administrator for each organisation.
We will protect the personal data for the whole duration of its life cycle by using appropriate data protection and data security measures. The system providers process personal data in data secure server spaces. Access to personal data is restricted and the personnel is bound to confidentiality.
The S Group protects personal data, for example, by preventive risk management and safety planning, protection measures for data communication, constant upkeep of information systems, by backup copying, and by using secure equipment facilities, access control and security systems. After initial processing, the physical documents that contain personal data are kept in locked and fireproof storage areas. Giving and controlling user rights is well managed. We regularly train our personnel participating in the processing of personal data and ensure that also the personnel of our partners understands the confidential nature of personal data and the importance of secure processing. We choose our subcontractors carefully. We continuously update our internal policies and instructions.
If, in spite of all our safety measures, personal data ends up in the wrong hands, it is possible that the identity is stolen or that the personal data is misused in any other way. If we observe such an event, we will immediately start an investigation and will try to prevent any damage. We will inform the necessary authorities and the registered persons about the data breach in compliance with the requirements of the legislation.
We use a Google Analytics cookie for visitor tracking and recruiting marketing performance measurement.