Privacy policy for job applicants

Data controller

This privacy policy is based on the requirements of the EU General Data Protection Regulation. Last updated: 7 August 2019

Name: Kivra Oy 
Business ID: 2918721-9
Visiting address: Miestentie 9 C, 02150 Espoo, Finland


Contact person for the register

Kivra Oy, tietosuoja@kivra.fi 


Name of the register and data subjects

Kivra Oy’s job applicant register.


What is personal data?

Personal data is data that can be connected to a live natural person directly or indirectly. Examples of personal data include name, email address, telephone number, postal address, personal identity code and IP address. The register consists of personal data.


What personal data is processed and how is it collected?

During recruitment processes, Kivra processes personal data (e.g. curriculum vitae, personal letters and interviews) provided by job applicants in their applications. Such data may include, for example, names, addresses, personal identity codes, contact information (email addresses and telephone numbers), marks, recommendations, certificates and other information included in applications.

As a rule, personal data is collected directly from the job applicant if they contact Kivra, file an internal application or submit an application through Kivra’s website. With their consent, Kivra may also collect information about the applicant from third parties, such as referees, LinkedIn and other public sources. In addition, information may be collected from recruitment companies when Kivra cooperates with such a company during a recruitment process.


Legal basis and purpose of personal data processing

Kivra processes and maintains job applicants’ personal data to fill open positions as part of recruitment processes.

Personal data is processed for the following purposes:

  • To check application documents (such as curriculum vitae, application letters, certificates and marks).
  • To assess how well the application meets the requirements of the position in question, in terms of skills, qualifications and education, for example. Other candidates’ applications are also taken into account as part of this assessment.
  • To manage the recruitment process, such as by sending invitations to attend job interviews, communicating about selections and possibly offering jobs.

Based on consent, personal data may also be stored and processed for future reference during recruitment processes for positions the applicant may find interesting.

Due to statutory obligations concerning Kivra, personal data may also be processed to ensure that Kivra complies with its statutory rights and obligations.

Kivra’s legal basis for processing job applicants’ personal data is compliance with statutory obligations in accordance with Article 6(1)(c) of Regulation (EU) 2016/679 (General Data Protection Regulation).

Kivra processes your personal data in accordance with the regulations concerning privacy in working life:

Act on the Protection of Privacy in Working Life (759/2004)


Personal data protection

Kivra’s employees have been provided with basic information about data protection, and Kivra seeks to ensure, through its operations, that personal data is processed appropriately. The databases in which personal data is stored are protected by means of firewalls, passwords and other technical measures. Backup copies of the databases are made on a regular basis. The databases and their backup copies are stored in locked and guarded facilities. The databases can be accessed only by employees whose duties require access to personal data. The employees processing personal data are bound by a non-disclosure obligation.


How long will personal data be stored?

Kivra has clear guidelines and practices for deleting personal data. This means that personal data will be stored only for as long as there is a basis for its storage – that is, for as long as its purpose of use so requires.

With regard to personal data processing based on a legitimate interest, Kivra does not usually process personal data after the recruitment process has ended. The personal data is deleted, unless Kivra has a legal obligation to store the data or its storage is necessary for the establishment, exercise or defence of a legal claim. In such a case, the processing is limited to what is permitted by the applicable law, and the personal data is deleted as soon as this purpose expires. With consent from the data subject, Kivra may store data for future recruitment purposes. In such an event, the data is stored for 6 months after the end of the recruitment process.


Who has access to personal data?

We process personal data with utmost accuracy and care. We respect the individual’s right to personal data protection. Kivra never sells personal data to third parties or otherwise exposes it to personal data breaches. Furthermore, Kivra does not disclose or otherwise use personal data for purposes other than those mentioned above.


Personal data is processed only by employees whose duties require them to process personal data.

Kivra implements all necessary legal, technical and organisational measures to ensure that personal data is processed securely, with an appropriate level of protection. This concerns Kivra internally, in addition to third parties with whom Kivra cooperates and possibly shares personal data in order to provide the Service. Personal data can be accessed only by employees who need to process personal data to fulfil the purposes mentioned above. All employees processing personal data are bound by an appropriate non-disclosure obligation.


Kivra’s subcontractors and companies belonging to the same group of companies as Kivra

In providing the Service, Kivra may use subcontractors and other companies belonging to the same group of companies. Subcontractors provide Kivra with information technology services, for example. Subcontractors and companies belonging to the same group of companies as Kivra may process personal data on behalf of Kivra. In such an event, Kivra is obligated to ensure that the party in question processes personal data in accordance with the data protection legislation and only for the purpose that Kivra communicates to the data subject in accordance with the table above. The disclosure and transfer of personal data requires that the organisations receiving and processing the personal data have entered into an agreement with Kivra regarding the lawful processing of personal data.


The authorities

Kivra may disclose personal data to the authorities, such as the police, if required by law to do so.


Where is the data processed?

Kivra usually processes personal data in Finland. However, there may be circumstances in which some of the data may be physically located on external subcontractors’ servers or equipment, where it is processed through a technical connection. Personal data will not be transferred outside EU or EEA countries, unless it is necessary to do so for technological reasons. If Kivra needs to use a subcontractor in a non-EU or non-EEA country, Kivra ensures that the personal data is processed lawfully, by means of contract arrangements in accordance with the European Commission’s standard contractual clauses, for example.


Automatic decision-making

Kivra will not engage in automatic decision-making or profiling based on your personal data.


What are the data subject’s rights?

If you so wish, you may contact Kivra for more information about personal data processing or to exercise your rights related to personal data processing. To do so, please contact Kivra at tietosuoja@kivra.fi.

Your rights concerning personal data processing:

You have the right to obtain information about the collection and processing of your personal data. Personal data processing must be transparent.

You have the right to access your personal data, meaning that you are entitled to obtain confirmation from Kivra as to whether or not Kivra is processing personal data concerning you. You are also entitled to obtain a copy of the personal data Kivra has collected about you. In your request, please specify clearly what data you wish to obtain. The data is free of charge and will be sent to you as a letter to Kivra, or by some other electronic means, without undue delay, within one (1) month. If you have several requests or your request is complicated, the time limit may be expanded by two months. The extension of the time limit must be justified to you. If Kivra is unable to provide you with the requested data, Kivra has the obligation to explain the justifications.

You have the right to request that your personal data be rectified. It is important that the personal data processed by Kivra concerning you be accurate. If your telephone number, email address or other contact details change, or if you notice that we have inaccurate, erroneous or insufficient information about you, you have the right to request that we rectify the data.

In certain circumstances, you have the right to request that your personal data be erased and the “right to be forgotten” without undue delay. For example, if the data is no longer necessary for the purpose for which it was collected, you have the right to be forgotten. However, this right cannot be exercised if Kivra is required by law to store some of your personal data. If you request that your personal data be erased, Kivra will erase all personal data concerning you that can be erased. However, Kivra will erase your personal data without request once there no longer are legal or other obligations for its storage.

In certain circumstances, you have the right to request that Kivra restrict the processing of your personal data. For example, personal data processing may be restricted if you have requested that we rectify your data and it is taking us a long time to fulfil your request. In such an event, we will restrict the processing of your personal data until we have fulfilled your request.

In certain circumstances, you have the right to transfer your personal data from one system to another. This means that you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transfer the data to another controller. You have the right to have your personal data transferred directly to another controller only if this is technically possible.

In certain circumstances, you have the right to object to the processing of your personal data, meaning that you have the right to request that your personal data not be processed at all. You are entitled to this right if the personal data processing is based on a legitimate interest (see above for more information about such cases). In your request, please specify what you object to in terms of processing.

Kivra will respond to your request within one (1) month of receiving it, unless Kivra has specific reasons to extend the response time. If necessary, Kivra may ask the sender of the request to verify their identity and to specify the request further. The measures related to the request will be implemented without delay after the response, unless otherwise stipulated. Kivra may refuse your request based on the applicable law.


Where can I file a complaint?

If you believe that Kivra is processing your personal data in violation of the applicable data protection legislation, we want you to inform us about this. You can contact Kivra at tietosuoja@kivra.fi. You also have the right to file a complaint with the Office of the Data Protection Ombudsman. For more information, visit the website of the Office of the Data Protection Ombudsman at www.tietosuoja.fi.


Updating this privacy policy

Kivra reserves the right to make changes to this privacy policy at any time, since Kivra is developing the Service continuously. Updates may also be made in connection with amendments to laws. The changes will come into effect once the updated policy has been published. For this reason, we ask you to study this privacy policy at regular intervals. The newest version of the privacy policy can always be found on Kivra’s website.