Data Protection Statement – Employee Candidates

Last updated: 16 September 2024

Introduction

Siili Solutions Plc and its group companies ("Siili") place the highest value on protecting the privacy of its employee candidates and is committed to processing personal data carefully and responsibly. This Data Protection Statement (“Statement”) informs data subjects about how Siili processes personal data in the context of its recruitment processes. Personal data refers to any information related to an identified or identifiable person, a data subject. Data subjects under this Statement include Siili’s potential and actual employee candidates.

Siili is the data controller of its employee candidates’ personal data. As the data controller, Siili is responsible for personal data processing and defines the purposes and means for the data processing.

Siili processes personal data in accordance with all applicable laws, as well as Siili’s Data Protection Policy, Information Security Policy and guidelines derived from them.


Personal Data Collection Methods and Sources

Siili primarily collects personal data from the individuals themselves. Participating in the recruitment process requires that employee candidates disclose certain personal data to Siili.

Whenever personal data is intended to be collected from other sources (such as previous employers), Siili will seek a data subject’s consent as required by law.

 

Personal Data Collected and Processed

Siili may process the following personal data:

  • Basic Data – First and last names, personal contact information (phone number, email address, mailing address), photos. 
  • Education, Skills, and Experience Data – CV, education and degree information, professional experience, skills and competencies, certificates, interests.
  • Suitability Assessment Data– Interview notes, suitability assessment, potential internal and external referees, and their assessment of the candidate.
  • Potential Employment Relationship Preparations Data– Employment contract proposal, job title and description, salary proposal, office/workplace, business unit, employment start date, other employment terms and agreed benefits.
  • Online Behavior Monitoring Data – Data collected via cookies such as the pages visited, the operating system of the person's computer, and browser type.

Data subjects may disclose to Siili also other types of personal data beyond what is described above. Siili processes all personal data in accordance with this Statement.

If a data subject discloses personal data related to a third party to Siili (such as referee contact information), the data subject is responsible for obtaining consent from the third party as required by law.

 

Legal Bases and Purposes of Data Processing

Siili processes personal data for predefined purposes based on contract, legal obligation, consent or Siili’s legitimate interests. Siili ensures that its interests can be considered legitimate and conducts an evaluation of the lawfulness of its interests.

Siili processes personal data to conduct its recruitment processes and prepare the potential employment relationship and introduction process.

The table below provides more information on the legal bases and purposes of processing.

 

Personal Data Category

Legal Bases

Purposes

Basic Data

Consent,
contract (if the employee candidate is chosen for the position), Siili’s legitimate interests: personal data is necessary for identifying employee candidates, contacting them, arranging discussions, negotiating employment terms, making decisions, and preparing for onboarding.

Conducting a recruitment process, including identifying employee candidates, contacting them, arranging discussions, negotiating employment terms, making decisions, and preparing for onboarding.

Education, Skills, and Experience data

Consent,
contract (if the employee candidate is chosen for the position),
Siili’s legitimate interests:
personal data is necessary for assessing suitability and ensuring the success of the recruitment process.

Conducting a recruitment process, assessing the candidate’s suitability for the position, and preparing for the potential employment relationship.

Suitability Assessment data

Consent,
Siili’s legitimate interests:
personal data is necessary for assessing suitability and ensuring the success of the recruitment process.

Conducting a recruitment process and assessing the candidate’s suitability for the position.

Potential Employment Relationship Preparations Data

Consent,
Siili’s legitimate interests:
personal data is necessary for conducting a recruitment process, entering an employment contract as well as preparing for onboarding and employment.

Negotiating employment terms, making decisions, and preparing for onboarding.

Online Behavior Monitoring Data

Consent,
Siili’s legitimate interests: using essential cookies is necessary for the proper functioning of Siili’s website and services.

Cookies are employed to personalize website content and advertisements according to your preferences, facilitate social media functionalities, analyze website visits and usage patterns, and overall improve the website's performance. For further details on how Siili uses cookies, please refer to Siili’s Cookie Statement.

 

Personal data may also be processed based on Siili's legitimate interest to prevent and investigate misuse and issues, as well as to comply with legal requirements. Siili may process personal data also for defending its legal rights, carrying out a trial or authority process and the execution of an authority order.

In addition, personal data can be processed for reporting and analytics based on Siili’s legitimate interest. In these cases, Siili ensures that personal data is processed in such a form that data subjects are not identifiable from the report or other result.

If Siili collects feedback from employee candidates about the recruitment process, such feedback is provided anonymously unless otherwise informed.

Siili may consider a candidate for other positions that are open at the time of application or for future openings, with the purpose of collecting and maintaining a pool of candidates for potential vacancies. For this purpose, a separate consent will be requested from the candidate.


Disclosures of Personal Data

Siili may disclose personal data to the following recipients:

  • Siili Group Companies: Personal data may be shared with companies within the Siili Group, based on Siili’s legitimate interest. These companies process personal data in accordance with this Statement or their own statement, substantially similar to this one.
  • Service Providers and Subcontractors: Personal data may be disclosed to Siili’s service providers and subcontractors who process personal data on behalf of Siili. Through appropriate contractual arrangements, Siili ensures that personal data is processed in accordance with this Statement and applicable laws.
  • Business Partners: Personal data may be disclosed to trusted third parties, such as external advisors and auditors, based on Siili’s legitimate interest.
  • Authorities, Legal Processes, and Legislation: Siili discloses personal data to competent authorities as required by mandatory legislation. Personal data may also be disclosed in connection with legal processes or as a response to the requests by authorities based on law, court order, court proceedings, or authority process, in compliance with applicable laws.
  • Mergers and Acquisitions: In the event that Siili decides to sell, merge, or rearrange its business, such actions may include disclosing personal data to potential or actual purchasers and their advisors. If the disclosure of personal data is necessary in such a situation, Siili will share only the necessary personal data and only as permitted by applicable legislation.

 

Data Transfers Outside of the European Economic Area

Siili may transfer personal data to Siili Group companies located outside of the European Economic Area (EEA) for arranging Siili Group operations. Siili may transfer personal data also to its cooperation partners, service providers and subcontractors located outside of the EEA for the purposes described in this Statement.

When personal data is transferred outside of the EEA, Siili uses appropriate transfer basis (such as standard contractual clauses approved by the European Commission and possible supplementary measures) to ensure an adequate level of data protection.

 

Data Retention

Siili retains personal data for as long as it’s necessary for the initial or compatible purposes for which the personal data have been collected. Retention periods are determined based on mandatory legislation and common industry practices.

Generally, Siili retains employee candidates’ personal data no longer than 2 years from the earlier of first recruitment process decision (whether positive or negative) where personal data is processed, or collection of personal data (in case no recruitment process decision concerning the employee candidate is made).

Siili may also delete personal data that is no longer needed for its intended purpose during the recruitment process. Information that becomes unnecessary, outdated, or for which there is no longer a valid reason for processing, will be anonymized or securely destroyed.

If an employee candidate accepts an offer of employment by Siili, any relevant personal data collected during recruitment process may become part of the individual’s personnel records.

More information about personal data retention periods and deletion practices can be found in Siili’s Data Retention Policy. Detailed information on the retention of personal data collected with cookies is available in Siili's Cookie Statement.

 

Data Security

Siili employs appropriate organizational and technical measures to guard against accidental and/or unlawful access, alteration, and destruction, or other processing, including unauthorized disclosure and transfer of personal data.

These measures encompass (without limitation) proper firewall arrangements, malware detection, appropriate encryption of telecommunication and messages, as well as the use of secure and monitored equipment and server rooms. Data security is of special concern when third parties provide and implement IT systems.

Data security requirements are diligently observed in IT system access management and monitoring of access to IT systems. Siili personnel, processing personal data as part of their tasks, are trained and properly instructed in matters of data protection and data security.

For more information on Siili’s data security practices, please refer to Siili’s Information Security Policy.

 

Automated Decision-Making

Siili does not make decisions about data subjects through automated decision-making.

 

Data Subject Rights

Data subjects have the following rights according to data protection legislation:

  • Right to obtain information on the processing of personal data: Data subjects have the right to be informed of the collection and processing of their personal data.
  • Right of access to their data: Data subjects have the right to receive confirmation from the controller on whether or not the controller is processing personal data that concerns them. If data concerning the data subject is being processed, the controller must provide the data subject with a copy of the personal data being processed.
  • Right to rectification of their data: Data subjects have the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.
  • Right to the erasure of data: In certain cases, the data subjects have the right to have the controller erase data concerning them without undue delay.
  • Right to restriction of processing: The data subjects can request the controller to restrict the processing of personal data concerning them.
  • Right to object to the processing of data: The data subjects have the right to object to the processing of their personal data on grounds relating to their particular situation when a processing is based on legitimate interests pursued by the controller or a third party.
  • Right to data portability: The data subjects have the right to receive the personal data that they have provided to the controller in a structured, commonly used, and machine-readable format and, if desired, transmit that data to another controller.
  • Right not to be subject to a decision based solely on automated processing: The data subjects have the right to demand human involvement in decisions that concern them.
  • Right to file a complaint to the data protection authority: The data subjects have the right to file a complaint with the national data protection authority (in Finland, the Data Protection Ombudsman) or other data protection authority within the EU or EEA if they have experienced that personal data have not been processed lawfully.

 

If Siili processes certain personal data based on the data subject’s consent, they have a right to withdraw their consent at any time.

Data subjects may not be able to exercise their rights in all situations. For instance, the basis for data processing has an impact on the data subjects’ possibility to exercise their rights (e.g., if the processing is based on legal obligation, it is not possible to erase the data upon the request of the data subject).

Data subjects can exercise their rights by contacting dataprotection@siili.com.

 

Changes

Siili may change or amend this Statement as necessary, and therefore it is recommended that you revisit this Statement regularly. Substantial changes are announced on Siili’s website and/or data subjects are informed personally.

 

Contact Information

For questions related to data protection, you can email Siili's data protection team at dataprotection@siili.com.