Employee Candidate Data Protection Description

European Union general data protection regulation ((EU) 2016/679) compliant version

Effective date: 25 May 2018

Data Controller:

Siili Solutions Oyj, Finnish Business ID 1979903-5 (below also "Siili")  

Address: Porkkalankatu 24, 00180 Helsinki, Finland


Contact Person in Data File Related Matters:


Mailing address as above.


Data File:

Siili Solutions Oyj Employee Candidate Data File


Data Subjects:

Siili employee candidates and possibly referred third parties (e.g. in the form of earlier employers or references or as part of recommendations)


Legal Basis for the Processing and Purpose of Use of the Personal Data:

Processing of personal data ("Employee Candidate Data") is based on:

  1. Consent(s) received from employee candidate and/or third parties (as may be required by the law); and
  2. Obligations and rights of Siili based on mandatory laws – such laws include (without limitation) labor, data protection and non-discrimination laws as well as penal codes.

The data subject may at any time withdraw the consent on which the processing of Employee Candidate Data is based.

The general purpose for processing and use of the Employee Candidate Data is filling Siili's open job positions by recruiting employee candidates.

In detail, the purposes for processing and use of the Employee Candidate Data include the following items:

  1. Recognition of employee candidates (also potential for the future);
  2. Communication with employee candidates (providing information and enabling discussion);
  3. Enabling and managing Siili recruitment and onboarding processes;
  4. Assessing employment potential of employee candidates;
  5. Offering, negotiating and making decisions (both positive and negative) on employment contracts (including benefits);
  6. Collecting and maintaining employee candidate pool for:
    1. future employment opportunities; and
    2. to prevent unnecessary communication to employee candidates;
  7. Collecting feedback from the employee candidates; and
  8. Ensuring the execution and maintaining of the obligations and rights of data controller and employee candidate which are based on mandatory legislation (i.a. Finnish Non-discrimination Act, 1325/2014).



Data Content (Data Attributes):

Identification and general recruitment related data attributes such as:

  • First name;
  • Last name;
  • Home address;
  • Email address;
  • Mobile telephone number;
  • Curriculum vitae (document);
  • Letter of application (document);
  • Desired pay;
  • Potential internal recommendations;
  • Potential external recommendations;
  • Internal offering match discussion;
  • Minutes of the job interviews;
  • Estimation of the employee candidate suitability;
  • Employment contract proposal;
  • Salary proposal;
  • Start date;
  • Title/role;
  • Agreed benefits;


Sources of Personal Data:

Employee candidates themselves and, after having informed Employee candidates and obtained their consent in advance, their former employer(s), Siili employees and external resources supporting Siili business processes (e.g. recruitment consultants), public sources (such as online profiles).


Disclosures and Transfers of Employee Candidate Data and Transfer of Employee Candidate Data to countries outside European Union or the European Economic Area:

Employee Candidate Data are not disclosed (to another controller for independent use unless required by the law such as to authorities) except within Siili and even then, always in accordance with applicable laws.

If Employee Candidate Data is transferred to external data processors (subcontractors or vendors) to be processed on behalf of Siili, appropriate contractual arrangements (such as data processing agreements), as required by the applicable laws, are executed to secure lawful and appropriate processing of Employee Candidate Data. Personal data belonging to special categories (i.e. health data) may occasionally be included in these transfers.

Employee Candidate Data may due to necessary technical and practical processing requirements be transferred outside EU and/or EEA (incl. Switzerland). Should such transfer occur, it would only be executed as allowed by and in accordance with applicable laws. Due to rarity of EU Commission adequacy decisions, EU Commission standard contractual clauses (of type controller to processor, EU Commission decision 2010/87/EU) would be used as appropriate and suitable safeguards for these data transfers. Copies of the standard contractual clauses would be available through the contact details mentioned above.

Employee Candidate Data can be transferred from Finland to the following countries for processing:

  • All European Union member states;
  • United States of America;


Security Principles of the Data File:

Employee Candidate Data is protected by organisational and technical measures against accidental and/or unlawful access, alteration, and destruction or other processing including unauthorized disclosure and transfer of Employee Candidate Data.

Such measures include (without limitation) proper firewall arrangements, malware detection, appropriate encryption of telecommunication and messages as well as use of secure and monitored equipment and server rooms. Data security is of special concern when third parties (e.g. data processing subcontractors) providing and implementing IT systems and services are retained.

Data security requirements are duly observed in IT system access management and monitoring of access to IT systems. Personnel processing Employee Candidate Data as part of their tasks are trained and properly instructed in data protection and data security matters.


Rights of Data Subject:

In accordance with the law the data subject has at any time the right to:

  1. Access the Employee Candidate Data on him/her and at request, receive a copy of the Employee Candidate Data and related supplementary information concerning Employee Candidate Data processing as required by the law;
  2. Request, provided that the purposes of Employee Candidate Data processing allow:
    1. Inaccurate Employee Candidate Data to be rectified;
    2. Incomplete Employee Candidate Data to be supplemented; and
    3. Outdated or obsolete Employee Candidate Data to be erased;
  3. Be forgotten by Siili, if:
    1. Employee Candidate Data are no longer necessary in relation to the purposes of data processing;
    2. The data subject withdraws consent on which the processing of Employee Candidate Data is based and where there is no other legal ground for the processing;
    3. The Employee Candidate Data have been unlawfully processed by Siili;
  4. Restrict the processing of the Employee Data on him/her if:
    1. The data subject contests the accuracy of the Employee Candidate Data;
    2. The processing is unlawful, and the data subject opposes the erasure of the Employee Candidate Data and requests the restriction instead; or
    3. Siili no longer needs the Employee Candidate Data for the purposes of use, but Employee Candidate Data are required by the data subject for the establishment, exercise or defense of legal claims;
  5. Receive the Employee Candidate Data concerning him or her, which he or she has provided to Siili (but not other Employee Candidate Data such as that generated by Siili independently or provided by a third party), in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller (typically employer); or
  6. Lodge a complaint with a supervisory authority (Finnish Data Protection Ombudsman);

Furthermore, the data subject may at any time withdraw the consent on which the processing of Employee Candidate Data is based.

In order to use these rights, the data subject shall contact the above-mentioned contact persons in writing (incl. e-mail). However, the request may be declined or restricted where allowed or required under the law.


Retention period of Employee Candidate Data:

Generally, Siili retains the Employee Candidate Data no longer than twenty-four (24) months from the earlier of:

  1. First recruitment process decision (positive or negative) where Employee Candidate Data of a data subject is used; or
  2. Collection of Employee Candidate Data (in case no recruitment process decision concerning a data subject is made);

Notwithstanding the above, if the data subject withdraws the consent for Employee Candidate Data processing, corresponding Employee Candidate Data shall be archived and used only for ensuring the rights of the data subjects and Siili as well as Siili's compliance with any other legislation applicable to the recruitment process. In this case the retention (in archive but not in any operational IT systems) shall not exceed twenty-four (24) months from the withdrawal of the consent.

Notwithstanding the above, the retention may be extended due to existing or imminent need of Siili to establish, exercise or defend itself against legal claims.


Provision of Employee Candidate Data:

Provision of Employee Candidate Data is voluntary for the employee candidate but necessary to proceed with the Siili recruitment process and to enable possible entering into an employment contract with Siili.

Failing to provide Employee Candidate Data prevents or may prevent participation in Siili recruitment and entering into an employment contract as the case may be.