HR privacy statement
Last updated 21 April 2022
This HR Privacy Statement informs employees and job applicants why and how Dispelix Oy ("Dispelix") collects, uses or shares personal data in connection with the recruitment process and the employment relationship, and what rights employees and job applicants have.
1. DATA CONTROLLER
The data controller in accordance with the applicable data protection law is Dispelix Oy. Dispelix is responsible for ensuring that the job applicants' and employees' personal data is processed in compliance with this HR Privacy Statement and applicable data protection laws.
At Dispelix, the primary contact person is:
2. LEGAL BASIS AND PURPOSE OF PROCESSING PERSONAL DATA
Dispelix processes personal data for various purposes, which are explained below.
2.1 Recruitment
Dispelix processes job applicants' personal data in order to recruit new employees and reassign current employees as well as to manage the recruitment process and administrative duties related to it. The legal basis for processing is to take steps prior to entering into an employment contract.
2.2 Employment
Dispelix processes employees' personal data for the following purposes:
- to determine content and terms of employment;
- to pay salaries and benefits;
- to organise occupational health care;
- to monitor working hours and absences;
- to arrange trainings;
- to manage work-related travel and reimbursement; and
- for disciplinary matters and termination of employment.
Primarily, the legal basis for processing employees' personal data is the performance of the employment contract between Dispelix and the employee, and legal obligations to which Dispelix as an employer is subject.
Dispelix processes special categories of personal data ("sensitive data") when such processing is necessary for the purposes of carrying out the obligations and rights of Dispelix as an employer. For example, Dispelix may collect a medical certificate when an employee is sick or information on trade union membership when such membership fee is deducted from salary.
2.3 Business operations
Processing of employees' personal data is also necessary for the following business purposes:
- to assess and plan recruitment needs;
- for project management purposes;
- budgeting and other financial management; and
- to manage IT and internal communications systems.
The processing is based on Dispelix' legitimate interest to effectively plan, manage and organize workforce to best support its business. Should the employee or job applicant want more information regarding the balancing of legitimate interest, please contact the person named above.
2.4 Information security purposes
Dispelix maintains information security measures, such as automated filtering of email and internet traffic, maintenance, retention of log data and recording camera surveillance on Dispelix premises for information security purposes to safeguard business information and business assets, to avoid criminal activities and ensure availability of the services. Dispelix bases this processing on Dispelix' legitimate interest to ensure network and information security, to safeguard its important business information and assets, and to protect business and trade secrets from unauthorized access, as well as investigation of any type of misconduct on Dispelix premises, and to monitor and manage compliance with Dispelix’ instructions and policies and applicable law. The information security measures are not used for the purpose of employee monitoring. Should the employee want more information regarding the balancing of legitimate interest, please contact the person named above.
3. COLLECTION OF PERSONAL DATA
Dispelix processes the following categories of personal data for the purposes listed above:
- Basic personal data, such as name, address, date of birth, gender, nationality;
- Passport and work permit (if needed);
- Job description, such as position, title, tasks, part-time or full-time employment;
- Education, examination, language proficiency, other qualification;
- Health examination certification (if applicable);
- Information concerning employment relationship, such as employment history at Dispelix (incl. positions and promotions), applicable collective agreement, start and end date of employment;
- Payroll information, such as salary, benefits, bank account details, data for calculations and payment, travelling expenses, bank related data, tax class, church and/or trade union membership;
- Travelling, such as travel document details, booked and completed trips;
- Leaves, attendance and absence records, e.g. working hours, attendances and absences, annual leaves, family leaves (paid and unpaid);
- Data concerning health, such as information about sick leaves and working capacity;
- Information concerning professional development, e.g. performance appraisals and evaluations;
- Information that is collected in the course of running the business and day-to-day communications;
- Information related to termination of employment; and
- Information stored on video recordings from camera surveillance on Dispelix premises.
As listed above, Dispelix processes sensitive data relating to employee's health, trade union membership and church membership, only if required and allowed by applicable law.
4. SOURCES OF PERSONAL DATA
As a rule, personal data is collected directly from the employee or job applicant in connection with the employment or recruitment process and security practices. However, some personal data may be collected from third parties, such as
- references from former employers, when named in the application;
- personal data related to aptitude tests or professional competence as part of recruitment process carried out by an external recruitment agency;
- personal data related to an employee's professional development and potential disciplinary matters may be collected from the immediate superior, other employees, business partners; and
- health examination certifications issued by the occupational health care provider.
5. DISCLOSURE OF PERSONAL DATA
Dispelix may disclose personal data to third parties:
- when permitted or required by law, such as to tax authorities, social security authorities, insurance companies, pension institutions, occupational health care institutions, and trade unions and to occupational health and safety institutions and other equivalent authorities;
- to trusted services providers, such as outsourced payroll, security service providers, IT service providers or recruitment agencies, for the purposes listed above; and
- if Dispelix is involved in a merger, acquisition, or sale of all or a portion of its assets.
6. TRANSFER OF PERSONAL DATA OUTSIDE EEA
Dispelix operates in an international environment and has subsidiary companies in the US and in China. Therefore, some personal data may be transferred outside the EEA in order to enable functioning of the daily work and business operations of Dispelix. Such transfers may include, for example, email exchange required by certain work assignments. When personal data is processed outside the EEA, we take steps to ensure that there are adequate safeguards in place to protect personal data, such as the EU Commission’s Standard Contractual Clauses. Please reach out to our HR Privacy Contact Person if you would like to learn more about a specific transfer.
7. RETENTION OF PERSONAL DATA
Personal data related to non-chosen job applicants is retained for a minimum of one year from the announcement of the recruitment decision.
Employees' personal data related to the employment relationship will be retained during the course of the employment and at least 5 years from the end of the year in which the employment ended. These retention periods are based on applicable accounting and employment contract laws.
Surveillance camera recordings may be retained for up to one year.
Dispelix may retain personal data for a longer period if it has a legitimate reason or an obligation to retain the data for the purposes of legal proceedings or other corresponding reason.
8. PRIVACY RIGHTS
Employees and job applicants have the following rights:
- The right to request access to personal data about himself/herself;
- The right to request rectification, restriction or erasure of personal data. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this HR Privacy Statement and may also be required by law, for example personal data relating to the employment contract. Therefore, the deletion of such data may not be allowed by the applicable law, which prescribes mandatory retention periods.
- The right to object to processing based on legitimate interest of Dispelix;
- The right to withdraw consent at any time when processing is based on consent. The withdrawal will not affect the lawfulness of the processing carried out before the withdrawal;
- Employees have a right to data portability, i.e. right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies for personal data processed based on the employment contract or the employee's consent.
- Employees have a right to file a complaint with the national data protection authority in the EEA.
Dispelix maintains reasonable security measures, including physical, electronic and procedural measures, to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, Dispelix limits the access to this information to authorized employees who need to know that information in the course of their job description and third-party service providers who may only process data in accordance with instructions provided by Dispelix.
Sensitive data, such as health data, may only be processed by persons who prepare, make or implement decisions concerning employment relationships based on such personal data. Accordingly, such persons are nominated to these tasks that involve processing of sensitive data.
10. CONTACT DISPELIX