Privacy Policy for Forvis Mazars Oy's job applicant data
Applicant privacy policy
1 Data Controller
Controller of the personal data: Forvis Mazars Oy, business ID 3389856-6
Contact point in all questions and requests related to data protection:
Email: contact@mazars.fi
Address: Bulevardi 21, 00180 Helsinki
2 Personal Data collected about job applicants
Forvis Mazars may collects and process following data of its job applicants ("data subjects"):
| Data category | Description | Data Source |
| Basic information | E.g., name, e-mail address, telephone number, postal address information; date of birth, gender, native language, and personal identity code | Applicant |
| Details of the role applied for and recruitment process data | Information on the progress of the recruitment process, such as information about an upcoming follow-up interview or interruption of the recruitment process and description of the job to be applied for, form, nature and duration of the employment, salary, information related to the start of the employment | Controller |
| Public applicant data | Data which the data subjects themselves have made generally available to enable employers to contact them. | Applicant via professional Internet services, e.g. LinkedIn and other similar services in accordance with the contract terms of such services |
| Application Data | E.g., application and resume (CV), photographs, application videos, competencies, qualifications, skills, work experience, and education, language skills, other specific skills, certificates, other information voluntarily provided by the applicant during the recruiting process | Applicant |
| References | References, opinions, and other career related data | Previous employers and other third parties (e.g. LinkedIn) named by the applicant |
| Assessment Data | Statements from personal and aptitude assessment tests and occupational health care statements of the applicant´s work ability | Controller's occupational health care provider, recruitment consultant, qualified companies providing personal and aptitude assessment services |
| Credit Information | Personal credit information | Credit information companies |
| Other Data | Any other information, e.g. details of the role applied for | Applicant |
Where data are collected from you as the data subject, you will be notified whether the provision of personal data is a statutory or contractual requirement, as well as whether you are obliged to provide the personal data and of the possible consequences of failure to provide such data.
Please note, that where fields of data are mandatory as part of an application, we may be unable to continue your application should those personal data be omitted.
3 Legal basis and purposes of processing personal data
Applicable personal data protection law provides us with a range of legal bases for processing your personal data.
Our purposes and legal basis for the processing of personal data specified in section 2 are:
| Purpose of processing | Processed data categories | Legal ground |
| Search and contact suitable candidates on the controller´s own initiative | Public applicant data | ·The legitimate interest of the controller as an employer |
| Assess applicant´s personal qualities, knowledge, and skills to determine applicant´s capacity to perform the work in question, or the need for training or other vocational development | Job Description Assessment Data | ·Applicant´s consent ·Legitimate interests of the data controller in establishing suitability for a role. |
| Evaluate the applicants and select employees, manage the recruitment process, and perform other recruitment-related measures. | All data specified in section 2 | ·The legitimate interest of the controller in determining suitability for a role ·Applicant´s consent when required as specified below |
| Ensure the reliability of the applicant selected for a job requiring special reliability | Credit Information Job Description | ·Consent |
| Ensure that the applicant selected for a job requiring accuracy, reliability or independent judgment | Job Description Credit information References | ·Applicant´s consent ·Legitimate interests of data controller in establishing a workforce capable of meeting its business needs For sensitive data: ·Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law ·Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee. ·Processing is necessary for the establishment, exercise or defence of legal claims ·Consent |
| Ensure the reliability of the applicant selected for a job related significant private economic interests and business security | Personal security clearance Job Description | ·Applicant´s consent ·Legitimate interests of data controller in establishing a workforce capable of meeting its business needs For sensitive data ·Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law ·Processing is necessary for the establishment, exercise or defence of legal claims ·Consent |
| Fulfill the rights and obligations of the applicants and the controller, e.g., equality rights and obligations, and privacy rights and obligations | All data specified in section 2 if necessary to fulfill the obligations in each case | ·Applicant´s consent ·Legitimate interests of data controller in establishing a workforce capable of meeting its business needs ·Compliance with legal obligations to which the data controller is subject. For sensitive data ·Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law ·Processing is necessary for the establishment, exercise or defence of legal claims ·Consent |
| Comply with legal and regulatory obligation to which the controller is subject | All data specified in section 2 if necessary to fulfill the obligations in each case | ·Comply with legal obligations to which the data controller is subject For sensitive data ·Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law ·Consent |
| Exercise legal rights and defence of claims | All data specified in section 2 if necessary to fulfill the obligations in each case | ·Legitimate interests in protecting the data controller’s business ·Comply with legal obligations to which the data controller is subject For sensitive data ·Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law |
Automatic decision making may be used in any recruitment process involves a test element. The test element may be scored using automated decision taking processes. Our tests are scored using predefined criteria to enable us to assess competence for a specific role. Where tests are scored automatically, the scores are considered manually in conjunction with our wider review of your application.
In the event you are unhappy with the outcome of an automated decision process, you should raise your concerns using the contact details indicated above under ‘Contact’.
4 To whom personal data is disclosed or transferred
Data will not be disclosed to third parties unless it is necessary to fulfil the controller's legal obligations, in connection with legal proceedings, at the request of authorities or as part of business arrangements. Where necessary, consent will be sought.
The controller has the right to use subcontractors in the processing of personal data in accordance with this privacy policy. In this case, personal data may be transferred to subcontractors to the extent necessary for the performance of the subcontractor's services. The controller uses subcontractors in the following tasks:
- HR, recruitment, personal and aptitude assessment tests and occupational health care services
- IT: IT infrastructure and storage, information security and user management, electronic messaging services
Subcontractors process personal data on behalf of the Controller in accordance with the instructions of the Controller. Subcontractors are bound by agreements with the Controller on the processing of personal data, including conditions concerning confidentiality and data security.
Personal data may also be transferred for processing in a country outside the EU/EEA. Unless the European Commission has decided that the level of data protection in the country of processing is acceptable, the Data Controller ensures appropriate data protection by concluding written agreements with subcontractors in accordance with standard contractual clauses approved by the European Commission or by other lawful procedure.
5 Data security and data retention
Only such controller´s personnel who perform recruitment-related tasks, e.g. recruiting managers and HR as well as the controller's subcontractors who need personal data to perform their duties in the recruitment process are entitled to process applicant personal data.
The personnel and subcontractors processing the data are bound by confidentiality obligations. Manual material is stored in locked premises. The protection of electronically stored data is based on access rights management, technical protection of databases and servers, physical protection of premises, access control, data traffic protection and data backup. The right to access and process data is granted based on work tasks.
The data of selected applicants is stored as part of employment information in accordance with the controller´s privacy policy for employees.
The personal data of other applicants will be stored after the recruitment decision for as long as it is necessary to complete the rights and obligations related to recruitment, however, at least two years from the recruitment decision (period for filing suit based on the Equality Act).
The personal security clearance will be deleted no later than six months after the security clearance report has been received.
Data may also be stored for other possible recruitment needs of the controller in accordance with any consent given by the data subject.
6 Data Subject´s Rights Relating to Personal Data
Data subjects have the following rights relating the personal data processed by the controller. You may:
- Request access to and copy of your personal data;
- Request correction or deletion of inaccurate, incomplete, outdated, unnecessary or unlawful personal data;
- Request that the processing of personal data be suspended or otherwise restricted temporarily or permanently if you consider that there is ambiguity about the accuracy of the data or its processing and in other circumstances defined by law;
- Request transfer of personal data to a third-party in a structured, commonly used and machine-readable format if you have provided the data to controller and the processing is based on consent;
- Opt-out of marketing or object to processing of personal data if the processing is based on the controller´s legitimate interests.
- Cancel previously given consent to the processing of their personal data at any time. The cancellation does not affect the lawfulness of the processing carried out before the cancellation of the consent but may impact our ability to continue any employment application process.
- In certain circumstances have the right not be to subject to a decision based solely on automated decision taking which produces legal effects.
Requests must be submitted in person, by letter or e-mail using the contact details referred to in paragraph 1. If necessary, the controller may ask the data subject to specify the request in writing and to prove the data subject´s identity.
If you considers the processing of your personal data infringes applicable law you should first submit your complaint to us. In the event we are unable to resolve the matter, [A1] you have the right to lodge a complaint about the processing of personal data with the Data Protection Ombudsman in Finland.
[A1]Most data protection supervisory authorities prefer data subjects to complaint to the data controller and to only be involved if the matter cannot be resolved between you. My suggested wording here should help facilitate that and would give you evidence to provide to the supervisory authority that you do encourage data subjects to cotact you first so you can help resolve the issue (if ever needed of course).