HR Privacy Statement

This HR Privacy Statement informs employees and job applicants why and how Dispelix Oy ("Dispelix") collects, uses or shares personal data in connection with the recruitment process and the employment relationship, and what rights employees and job applicants have.

1. DATA CONTROLLER

The data controller in accordance with the applicable data protection law is Dispelix Oy. Dispelix is responsible for ensuring that job applicants' and employees' personal data is processed in compliance with this HR Privacy Statement and applicable data protection law.

In Dispelix, the primary contact person is:

HR Privacy Contact Person


Dispelix processes personal data for various purposes, which are explained below.

2.1 Recruitment

Dispelix processes job applicants' personal data in order to recruit new employees and reassign current employees as well as to manage the recruitment process and administrative duties related to it. The legal basis for processing is to take steps prior to entering into an employment contract.

2.2 Employment

Dispelix processes employees' personal data for the following purposes:

to determine content and terms of employment;

to pay salaries and benefits;

to organize occupational health care;

to monitor working hours and absences;

to arrange trainings;

to manage work-related travel and reimbursement; and

for disciplinary matters and termination of employment.

Primarily, the legal basis for processing employees' personal data is the performance of the employment contract between Dispelix and the employee, and legal obligations to which Dispelix as an employer is subject.

Dispelix processes special categories of personal data ("sensitive data") when such processing is necessary for the purposes of carrying out the obligations and rights of Dispelix as an employer. For example, Dispelix may collect a medical certificate when an employee is sick or information on trade union membership when the membership fee is deducted from salary.

2.3 Business operations

Processing of employees' personal data is also necessary for the following business purposes:

to assess and plan recruitment needs;

for project management purposes;

budgeting and other financial management; and

to manage IT and internal communications systems.

The processing is based on Dispelix' legitimate interest to effectively plan, manage and organize workforce to best support its business. Should the employee like more information regarding the balancing of legitimate interest, please contact the person named above.

2.4 Information security purposes

Dispelix maintains information security measures, such as automated filtering of email and internet traffic and maintenance and retention of log data, for information security purposes to safeguard business information and business assets, to avoid criminal activities and to ensure availability of the services. Dispelix bases this processing on Dispelix' legitimate interest to ensure network and information security and to safeguard its important business information and assets. The information security measures are not used for the purpose of employee monitoring. Should the employee like more information regarding the balancing of legitimate interest, please contact the person named above.


Dispelix processes the following categories of personal data for the purposes listed above:

Date of birth, gender, nationality;

Passport and work permit (if needed);

Job description, such as position, title, tasks, part-time or full-time employment;

Education, examination, language proficiency, other qualification;

Health examination certification (if applicable);

Information concerning employment relationship, such as employment history at Dispelix (incl. positions and promotions), applicable collective agreement, start and end date of employment;

Payroll information, such as salary, benefits, bank account details, data for calculations and payment, traveling expenses, bank related data, tax class, church and/or trade union membership;

Traveling, such as travel document details, booked and completed trips;

Leaves, attendance and absence records, e.g. working hours, attendances and absences, annual leaves, family leaves (paid and unpaid);

Data concerning health, such as information about sick leaves and working capacity;

Information concerning professional development, appraisals and evaluations;

Information that is collected in the course of running the business and day-to-day communications; and

Information related to termination of employment.

As listed above, Dispelix processes sensitive data relating to an employee's health, trade union and church membership only if required and allowed by applicable law.


As a rule, personal data is collected directly from the employee or job applicant in connection with the employment or recruitment process. However, some personal data may be collected from third parties, such as

references from former employers, when named in the application;

personal data related to aptitude tests or professional competence as part of a recruitment process carried out by an external recruitment agency;

personal data related to an employee's professional development and potential disciplinary matters, which may be collected from the immediate superior, other employees or business partners; and

health examination certifications issued by the occupational health care provider.


Dispelix may disclose personal data to third parties:

when permitted or required by law, such as to tax authorities, social security authorities, insurance companies, pension institutions, occupational health care institutions, trade unions, occupational health and safety institutions and other equivalent authorities;

to trusted service providers, such as outsourced payroll, IT service providers or recruitment agencies, for the purposes listed above; and

if Dispelix is involved in a merger, acquisition, or sale of all or a portion of its assets.


Dispelix operates in an international environment and has subsidiary companies in the US and in China. Therefore, some personal data may be transferred outside the EEA in order to enable the daily work and business operations of Dispelix. These kinds of transfers may include, for example, email exchange required by certain work assignments. When personal data is processed outside the EEA, we take steps to ensure that there are adequate safeguards in place to protect personal data, such as the EU Commission's Standard Contractual Clauses. Please reach out to our HR Privacy Contact Person if you would like to learn more about a specific transfer.


Personal data related to non-chosen job applicants is retained for a minimum of one year from the announcement of the recruitment decision.

Employees' personal data related to the employment relationship will be retained during the course of the employment and at least 5 years from the end of the year in which the employment ended. These retention periods are based on applicable accounting and employment contract laws.

Dispelix may retain personal data for a longer period if it has a legitimate reason or an obligation to retain the data for the purposes of legal proceedings or other corresponding reason.

8. PRIVACY RIGHTS

Employees and job applicants have the following rights:

·       The right to request access to personal data about himself/herself;

·       The right to request rectification, restriction or erasure of personal data. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this HR Privacy Statement and may also be required by law, for example personal data relating to the employment contract. Therefore, the deletion of such data may not be allowed by the applicable law, which

·       The right to object to processing based on legitimate interest of Dispelix;

·       The right to withdraw consent at any time when processing is based on consent. The withdrawal will not affect the lawfulness of the processing carried out before the withdrawal;

·       Employees have a right to data portability, i.e. the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies to personal data processed based on the employment contract or the employee's consent.

·       Employees have a right to file a complaint with the national data protection authority in the EEA.

Please send above-mentioned requests to Dispelix at

9. SECURITY

Dispelix maintains reasonable security measures, including physical, electronic and procedural measures, to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, Dispelix limits access to this information to authorized employees who need to know that information in the course of their job duties and to third-party service providers who may only process data in accordance with instructions provided by Dispelix.

Sensitive data, such as health data, may only be processed by persons who prepare, make or implement decisions concerning employment relationships based on such personal data. Accordingly, such persons are nominated to these tasks that involve processing of sensitive data.

10. CONTACT DISPELIX

For requests regarding this HR Privacy Statement or personal data Dispelix holds about the employee or job applicant in question, please contact Dispelix by email at

Last updated 11/1/21