Last updated 21 April 2023

Dispelix Oy respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we collect, process, and share your personal data when you apply for a job at Dispelix, when you are working with us as an employee or as an external worker. In addition, this privacy notice will tell you about your data protection rights.


1. WHO IS DATA CONTROLLER?


The data controller for the processing described in this notice is: Dispelix Oy (‘Dispelix’)

If you have questions regarding this privacy notice, please contact us by email at email hidden; JavaScript is required.


2. DATA WE COLLECT AND HOW WE COLLECT IT


In the following, we will tell you which types of personal data we may collect about you and how we collect it. In section 3, you will find a table which explains the purposes for which we process your personal data and the lawful basis we rely on.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

(A) Identity and Contact Data include name, date of birth, employee ID, photo identification, email, telephone number and address and emergency contacts.

(B) Social security number

(C) Recruitment Data include the information collected in the process of recruiting you, e.g., your application and CV, documentation and information about your education, previous work experience and employment, qualifications, and skills as well as any photos, videos, or other recorded material which you at your own discretion choose to make available to us etc.

(D) Work Permits include information on your passport and citizenship, residence and, where needed, work permit.

(E) Financial Information includes information relating to compensation, benefits and pension arrangements, such as details of salary, commission and bonus, bank account, tax codes, expenses and outlays, public refunds and subsidies, insurance and employee purchases.

(F) Employment Administration Information such as employment and career history, employment contract details, location of work, working hours and schedule, holiday and sickness absence records, appraisals, traveling information, performance and development reviews, use of employer owned mobile phone, IT equipment, company car and credit cards (where applicable), disciplinary measures, resignation and dismissal.

(G) Qualification Records include education information, authorisations and certifications, professional experience, qualifications and training records.

(H) Health and Safety Records include information on your health, declarations from health professionals, records of accidents and injuries, health and safety training records.

(I) IT Log and Use Data include records of authorisations to access IT systems and data, and information about your use of our information and communication systems.

(J) Test Data include your replies to aptitude, skills, or personality tests.

(K) CCTV Data include video recordings from cameras in certain shops and office areas.

(L) Pictures and Content include pictures, comments and stories related to our employees

(M) References include information obtained from previous employers or other references at our request.

(N) Notifications Data include information included in whistleblowing notifications.

(O) Sanctions Data include information included in international sanctions lists regarding restriction or suspension of economic or commercial relations, or other areas.

The information is primarily collected directly from you or observed or derived by virtue of your employment related activities with us. With your consent, we may also get information, such as recommendations, from third parties.


3. THE PURPOSES AND THE LAWFUL BASIS


We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

(i) Where it is necessary for the performance of the employment contract we have entered into with you cf. Article 6(1)(b) GDPR.

(ii) Where it is necessary for the purposes of carrying out the obligations and exercising your or our specific rights in the field of employment cf. Article 9(2)(b) GDPR and Chapter 2 of the Act on the Protection of Privacy in Working Life.

(iii) Where we need to comply with a legal or regulatory obligation cf. Article 6(1)(c) GDPR or, where necessary, for the establishment, exercise or defence of a legal claim cf. Article 9(2)(f) GDPR.

(iv) Where you have provided your consent cf. Article 6(1)(a) GDPR or Article 9(2)(a) GDPR.

(v) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests cf. Article 6(1)(f) GDPR.

In the table below we describe all the purposes for which we will use your personal data and the legal basis on which we process your personal data. Where appropriate, we have also identified our legitimate interests.

Purpose/Activity

Type of data

Lawful basis for processing including basis of legitimate interest

To manage the recruitment process, including:

  • To receive and review job applications
  • To arrange and invite to interviews
  • To screen and evaluate candidates to choose the most appropriate candidate for the job

To inform applicants about the progress and outcome of the recruitment process

(A) Identity and contact

(C) Recruitment Data

Processing is necessary to pursue our legitimate interest to manage recruitment processes and to evaluate job applicants for the purpose of finding appropriate candidates for jobs within our organisation.

To manage the recruitment process, including:

To enter into employment contract with the chosen candidate

(A) Identity and contact

(C) Recruitment Data

Processing is necessary to take steps prior to entering into a possible employment contract at your request when you submit your job application to us.

To evaluate the candidates’ qualifications and appropriateness for jobs by taking references

(A) Identity and contact

(M) References

Your consent

Aptitude tests may be used where necessary to assess relevant professional and personal skills and qualifications

(J) Test

Your consent

To evaluate your eligibility for employment, promotion, reassignment or transfer or to make decisions on continued employment

(A) Identity and contact

(C) Recruitment Data

(F) Employment

administration

(G) Qualification

Processing is necessary to pursue our legitimate interest to manage recruitment and resource planning, including promotions, reallocations and dismissals.

To determine the terms on which you work for us and to draft and amend the employment contract


(A) Identity and Contact

(E) Financial

(F) Employment administration

Processing is necessary for the performance of the employment contract.


To confirm and be able to document your residence and work permit


(A) Identity and Contact

(D) Work Permits


To comply with our legal obligation under the Aliens Act to not employ individuals without necessary permits to reside and work in Finland.


To meet our contractual and legal obligations and exercise our rights as an employer including as required for the performance of the employment agreement and other agreements between us, including e.g.:

  • Payroll remuneration, employee benefits, pensions, holiday pay, holiday compensation and holiday bonus; reimbursement of travel expenses
  • Managing absence due to leave, holidays and sickness
  • Business and resources management, work planning including determining work schedules, monitoring working hours and absences
  • To conduct and maintain records from training and education programs, including evaluation and results
  • To conduct performance reviews and evaluations of performance
  • To monitor and manage compliance with our instructions and policies and the applicable law
  • To take appropriate disciplinary measures
  • To make decision on dismissal or termination and to administer the off-boarding process
  • To manage legal disputes

(A) Identity and Contact

(B) Social Security

(C) Recruitment

(E) Financial

(F) Employment administration

(G) Qualification

(H) Health and Safety

(I) IT log and use

Processing is necessary for the performance of the employment contract.

Processing is necessary to comply with our legal obligation under employment law obligations and rights.

Processing is necessary to comply with our legal obligation to withhold tax.

To meet our legal obligations for tax withholding

(A) Identity and Contact

(E) Financial

(F) Employment administration

Processing is necessary to comply with our legal obligation to withhold tax.

To organise occupational health care, to ensure safety and protection for our employees, customers and business partners, and to comply with our legal obligations, including statutory reporting to public authorities

(A) Identity and Contact

(B) Social Security

(F) Employment administration

(H) Health and Safety

Processing is necessary to comply with our legal obligation under the Act on the Protection of Privacy in Working Life, the Data Protection Act and the GDPR to ensure and manage safety in the workplace.

To manage access and security to our IT and communication systems, including:

  • To provide tools for internal and external communication
  • To ensure network and information security, including preventing unauthorised access to our IT and communication systems
  • to collect system logs to enable investigation in cases of misconduct
  • To access information relevant to us in exceptional cases

(A) Identity and Contact

(I) IT log and use

Processing is necessary to pursue our legitimate interest to provide relevant access to IT and communication systems, to protect data stored or transmitted, to access relevant information and to ensure compliance with our policies. We will not access emails sent to or from work email addresses provided to employees without a specific right provided by law.

To ensure safety and protection for our employees, customers and business partners and for crime prevention and detection purposes

(K) CCTV

Processing is necessary to pursue our legitimate interest to ensure safety and to prevent and detect crime.

Processing is necessary to comply with our legal obligation under employment law obligations and rights.

To market and brand our business and products, including at our website and other platforms, social media platforms and other media

(L) Pictures and content

Depending on the picture and content we may rely on:

  • Your consent;
  • Performance of an agreement we enter into for the use of pictures and content;
  • Our legitimate interest to market and brand our business and products.

To conduct data analytics to review and better understand employee retention and attrition rates

(A) Identity and Contact

(C) Recruitment

(E) Financial

(F) Employment administration

(G) Qualification

Processing is necessary to pursue our legitimate interest to analyse and improve our recruitment and employment administration practices and generally to improve our business procedures.

Receiving and processing notifications made in the whistleblowing channel

(O) Notifications

Processing is necessary to comply with a legal obligation (whistleblowing act).

Background checks

  • Dispelix may carry out background checks on you verifying certain information that you have provided to Dispelix.
  • Dispelix may also check whether you are listed in international sanctions lists.
  • Dispelix may also request the Finnish Security and Intelligence Service to carry out Security Clearances on you.

(A) Identity and Contact

(O) Sanctions Data

Your consent

Funding purposes

  • Some data may be shared with financiers or investors to the extent necessary for the funding purposes

(A) Identity and contact

(F) Employment administration

Processing is necessary to pursue our legitimate interest to finance the business.

Below we will provide more detailed information on the processing activities involving particularly sensitive personal data on you. This more detailed information must be seen in connection with the information provided above

Purpose/Activity

Lawful basis for processing

Health data: We will use information about your health or disability status to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absences and to administer benefits, including maternity, paternity and parental pay, sick pay, public refunds and insurances.

Processing is necessary for the purposes of carrying out obligations and for exercising your or our specific rights in the field of employment. This includes the purpose of observing and respecting our employer obligations and our or your rights laid down by law or collective agreements.

Social Security Number: We process information on your social security number for tax reporting purposes and to ensure unique identification when we are required to disclose information on you where such disclosure is a natural element of conducting business, or the disclosure is demanded by a public authority. We will also process your social security number internally for unique identification purposes set forth under Section 29 of the Data Protection Act.

Processing is necessary to comply with our legal obligations.

In the context of disclosures where such disclosure is a natural element of the ordinary operation of our business and the disclosure is of decisive importance for unique identification of the data subject, or the disclosure is demanded by a public authority.

Processing is necessary for the establishment, exercise or defence of a legal claim.

Where we have referred to our legitimate interest as the legal basis for the processing of personal data specified above, we have conducted a balancing test. The purpose of the balancing test is to ensure that our legitimate interest is not overridden by your interests or fundamental rights and freedoms. Please contact us using the contact information provided under section 1 of this privacy notice if you wish to receive more information on the balancing test.


4. SHARING OF DATA COLLECTED


We may disclose personal data to third parties:

  • To public authorities when required by law.
  • To any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.
  • When it is necessary for the purposes listed in section 3.
  • When we in good faith believe that disclosure is necessary to establish or exercise our legal rights or defend against legal claims, protect your safety or the safety of others, investigate fraud, or respond to a government request.

We share data, including personal data, with our trusted third-party service providers that process your data on our behalf and under our instruction. Such services include, e.g., IT services, recruitment services, and HR management platforms, test providers, whistleblowing channel services, providers of work force planning and communication platforms, payroll administration etc. These third-party service providers may have access to or process your personal data for the purpose of providing these services for us. We do not permit our third-party service providers to use the personal data that we share with them for any other purpose than in connection with the services they provide to us. We have entered into data processing agreements with our data processors.


5. TRANSFERS TO THIRD COUNTRIES


We will not transfer your personal data to recipients outside the EU or EEA unless we have ensured compliance with Chapter V of the GDPR.

Dispelix operates in international environment and has subsidiary companies in the US and in China. Therefore, some personal data may be transferred outside the EEA in order to enable functioning of the daily work and business operations of Dispelix. This kind of transfers may include for example email exchange required by certain work assignments.

In order to ensure that your personal data receive an adequate level of protection, we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission have deemed the country to provide an adequate level of protection for personal data, or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in the EEA.

If you require further information about our data processors established outside the EEA and the safety measures in place to allow for the transfer of personal data, you can request it from us by sending your request to us using the contact information provided under section 1 of this privacy notice.


6. DATA RETENTION


We retain the personal data we collect where we have an ongoing legitimate need or obligation to do so. Where we are no longer obliged to keep your records and do not have an ongoing need to process your personal data, we will either delete or anonymise them.

Personal data related to non-chosen job applicants is retained for a minimum of one year from the announcement of recruitment decision.

Employee’s personal data related to employment relationship will be retained at least during the course of the employment. We must retain some data for longer. Records of training or disciplinary records, for 5 years after the termination of employment. Information about your employment contract and basic personal data must be retained for 10 years after the termination of the employment relationship. Exceptionally, we need to keep certain financial records, like documentation of purchases or orders for 10 years for bookkeeping. In those cases, we strive to store only the minimum amount of personal data. Immigration check documents will be retained for 4 years after the end of employment.

CCTV Data will be retained for 12 months after the collecting of data.

Data may be retained for a longer period if we are legally obliged to do so or if retention is necessary to establish, exercise or defend legal claims.


7. HOW TO EXERCISE YOUR DATA PROTECTION RIGHTS


You have certain choices available to you when it comes to your personal data. Below is a summary of those choices as well as information on how to exercise them and any limitations to them.

Under certain circumstances, you have the following rights:

  • Right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are processing the data lawfully.
  • Right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected. Please note that the law may prohibit that we delete entries in certain cases, for example medical records.
  • Right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it.
  • Right to object to processing of your personal data where we are relying on our legitimate interest (or that of a third party) as a legal basis for processing and there is something about your particular situation which makes you want to object to processing. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Right to request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish accuracy of the data or the reason for processing the data.
  • Right to request that we transmit your personal data to another party (also known as data portability).
  • Where our processing is solely based on your specific consent, the right to withdraw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

If you wish to exercise any of the data protection rights that are available to you, please send your request using the contact information provided under section 1 of this privacy notice and we will action your request in accordance with applicable data protection laws.

You have the right to complain to your local data protection authority if you are unhappy with our data protection practices. You can lodge a complaint with the Office of the Data Protection Ombudsman at https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman.


8. CHANGES TO THIS PRIVACY NOTICE


This privacy notice may be updated from time to time to reflect changing legal, regulatory, or operational requirements, and we will provide you with a new notice when we make any substantial updates.