Processing the personal data in the customer register of City of Espoo recruitment

Date of publication of the Privacy Statement: 22 September 2020

1. Data controller

City of Espoo P.O. Box 1, 02070 CITY OF ESPOO 
Street address of the registry: Siltakatu 11, Espoon keskus 
Tel.: (09) 81621

2. Person responsible for the register

Head of Recruitment at the City of Espoo
Contact person of the register

Head of Recruitment at the City of Espoo
Address: PL 651, 02070 ESPOON KAUPUNKI
Tel.: +358 9 81621 (exchange)
E-mail address: keha.rekrytointi(at)espoo.fi  

4. Data protection officer

City of Espoo Data Protection Officer
Address: P.O. Box 12, 02070 City of Espoo
Tel.: +358 9 81621 (exchange)
E-mail: tietosuoja(at)espoo.fi

5. For what purpose will personal data be processed?

The purpose of the processing of personal data is the recruitment of personnel for the City of Espoo, the informing of the applicants about the progress of the recruitment process, and the marketing of open positions at the city to potential applicants.

• General Data Protection Regulation (679/2016) 
• Data Protection Act (1050/2018)  
• Act on the Openness of Government Activities (621/1999) 
• Act on the Protection of Privacy in Working Life (759/2004) 
• Archives Act (831/1994) 
• Employment Contracts Act (55/2011) 
• Municipal Civil Servants Act (304/2003)
• Local Government Act (410/2015) 
• Administrative Procedure Act (434/2003) 
• Non-discrimination Act (1325/2014) 
• Act on Equality between Women and Men (609/1986)
• Act on Information Management in Public Administration (906/2019)
• Security Clearance Act (726/2014)
• Collective agreements and collective bargaining agreements in the municipal sector

6. On what grounds will personal data be processed?

The grounds for the processing are the legitimate interest and the statutory obligation and the agreement of the data controller.

7. What data will be processed?

To the customer register of recruitment is collected the applicant’s name, contact information, date of birth, education, language skills, work experience, and the applicant’s own free-form introduction and other possible additional information.

To the data collected in the register will be added categorisations relevant for the recruitment process (such as meeting the qualifications criteria and information about the stages of the recruitment process) and evaluations.

The personal data saved in the register during the recruitment process will be supplemented with information, responses and descriptions collected from sources such as video interviews, interviews, and personal evaluations. Cancelled applications, proposed selections, waitlisted persons, and the reasons for selection will also be added to the register.

In cases of applications to public office positions, the selections (including the names of the person selected and the possible waitlisted persons) will be published in a public data network and announced to all applicants.

The data provided by the applicant, the data collected from the possible work method analyses and aptitude assessments, and the data provided by the references named by the applicant are processed by the persons participating in the recruitment process.

The city sectors have determined positions that require a particularly high level of security. Persons proposed for these positions are subject to security clearance vetting by the Finnish Security and Intelligence Service (Supo) in connection with the recruitment process. Security clearance vetting is only conducted with the subject’s written consent.

In cases of persons who have allowed secondary marketing from the City of Espoo recruitment, the data subject’s contact information, education and work experience information, interest towards open positions and traineeships and coming events will be saved in the customers register of registration.

8. What are the sources of data?

The personal data in the customer register of recruitment is primarily collected from the persons themselves. Data can also be collected from other bodies, such as references named by the applicant. Security clearance information is provided by the Finnish Security and Intelligence Service (Supo).

9. Will data be disclosed or transferred outside the city?

Data is only disclosed from the customer register of recruitment in the situations referred to in the legislation (Section 11 of the Act on the Openness of Government Activities).

Pursuant to the publicity principle of official documents, the documents of the City of Espoo are public unless ruled otherwise by the legislation (Section 1 of the Act on Openness of Government Activities). As the City of Espoo is an authority of public administration, the data in the customer register of recruitment is chiefly public, unless the data has been ruled confidential due to privacy protection or other justified reason. According to the publicity principle, the data is principally only available upon request. Personal data is published on web pages only after careful consideration and when the municipality residents’ access to information must be guaranteed. However, much of the data in the register is confidential and it cannot be accessed even upon request.  

The data accessible by the party is only disclosed from the customer register of recruitment in the situations referred to in the legislation (Section 11 of the Act on the Openness of Government Activities).  

Confidential data is processed in a confidential manner and it is not disclosed to outside parties.  

Under Section 24 of the Act on the Openness of Government Activities, the following data saved in the customer register of recruitment and the documents containing the data are confidential: 

• Data about psychological tests, aptitude assessments or their results, or assessments performed in relation to employee selection or wages (personal assessments and work method assessments) (Paragraph 29 of Section 24 of the Act on the Openness of Government Activities). 
• Data about unlisted phone numbers or contact details covered by non-disclosure for personal safety reasons (municipality of residence, address, phone number) (Paragraph 31 of Section 24 of the Act on the Openness of Government Activities). 
• Data about the opinions the person has expressed in their private life, data about the person’s lifestyle, participation in union activities, free-time hobbies, family life or other comparable personal aspects (family relations, hobbies, political conviction) (Paragraph 32 of Section 24 of Act on the Openness of Government Activities).

In the performing of the aptitude assessments, the City of Espoo uses, when necessary, sole suppliers on the basis of the procurement agreements awarded after a competition that are valid at that time. In this case, the application with its possible attachments is delivered to the party performing the aptitude assessment.

10. Will data be transferred outside the EU/EEA?

Data is not transferred outside the EU or EEA. 

11. How long will data be stored?

The personal data the applicant has provided in their application and which is saved in the customer register of recruitment is stored for the position for which the person applied for 2 years after the recruitment decision has been made.

Open applications are stored for 2 years or for the time determined by the applicant. The storing time determined by the applicant for their job application is, at minimum, one day and, at maximum, two years.

Video interview replies are stored for 2 years. 

In order to support the recruitment, data is collected with a work method analysis, the results of which are stored on a server owned by the city for two years, in addition to the current calendar year. 

Security clearance certificates are stored for five years.

The data of the potential job seekers who have allowed secondary marketing is stored for 2 years. The data of those who have participated in a raffle is stored only until the raffle has been carried out.

12. How will data be protected?

The data of the customer register of recruitment is principally stored in a recruitment system. Use of the register requires a username and a password from both the job seeker and the City of Espoo employee who is using the system.  

Additionally, the recruitment decisions of the office-holders are stored in the case processing system of the city.

The databases and software of the recruitment system are on the Kuntarekry.fi service of the company FCG Talent Oy that provides operational services.  

The privacy statement of the profile data register of the Kuntarekry.fi service(external link, opens in a new window) 

The data of the manually delivered applications is entered into the electronic recruitment system. The legal provisions and regulations that are valid at the time are observed when archiving and destroying data. 

The parties processing the personal data in the customer register of recruitment of the City of Espoo are bound by obligation of secrecy. Some of the data is confidential in which case it is processed with particular carefulness and the access rights are limited to a certain processor group and they cannot be disclosed even upon request.  

Access rights to the personal data systems and files are based on personal access rights whose use is controlled. Access rights are granted position-specifically and they are removed when the person leaves the position for which the rights have been granted. Each user accepts the data security commitment of the City of Espoo which includes the access and secrecy obligation of the data. The personnel are introduced to data protection and appropriate processing of personal data. 

Archives and units are protected by access control and locked doors. Documents are held on supervised premises and/or in lockable cabinets.  

13. The data subject’s rights

Further instructions on submitting information requests referred to in the General Data Protection Regulation.

You have the right to obtain from the data controller a copy of the personal data undergoing processing. The controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and no later than within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests by the data subject and the related measures are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to take the action requested.

You have the right to have us correct or supplement any incorrect, inaccurate, incomplete, outdated or unnecessary personal data that we retain.

You have the right to have personal data concerning you erased by the data controller without undue delay under certain preconditions. You have no right to remove the data if, following the statutory commitment requires processing of the data or the processing is done for the purpose of performing a task concerning public interest or exercising official authority vested in the controller. In these cases, the personal data will only be destroyed after the statutory deadline.

If the data collected about you is inaccurate, you may require that the processing of your customer data be restricted until the accuracy of the data has been verified.

You have the right to lodge a complaint with a supervisory authority if you consider the processing of personal data to be in breach of data protection legislation. You can lodge a complaint with the office of the Data Protection Ombudsman(external link, opens in a new window).