HR Privacy Statement
Version 3, last updated 18 March 2020
This HR Privacy Statement informs employees and job applicants why and how Dispelix Oy (“Dispelix”) collects, uses or shares personal data in connection with the recruitment process and the employment relationship, and what rights employees and job applicants have.
1. Data Controller
The data controller in accordance with the applicable data protection law is Dispelix Oy. Dispelix is responsible for ensuring that job applicants’ and employees’ personal data is processed in compliance with this HR Privacy Statement and applicable data protection law.
In Dispelix, the primary contact person is:
HR Privacy Contact Person
2. Legal Basis and Purpose of Processing Personal Data
Dispelix processes personal data for various purposes, which are explained below.
Dispelix processes job applicants’ personal data in order to recruit new employees and reassign current employees as well as to manage the recruitment process and administrative duties related to it. The legal basis for processing is to take steps prior to entering into an employment contract.
Dispelix processes employees’ personal data for the following purposes:
- to determine content and terms of employment;
- to pay salaries and benefits;
- to organise occupational health care;
- to monitor working hours and absences;
- to arrange trainings;
- to manage work-related travel and reimbursement; and
- for disciplinary matters and termination of employment.
Primarily, the legal basis for processing employees’ personal data is the performance of the employment contract between Dispelix and the employee, and legal obligations to which Dispelix as an employer is subject.
Dispelix processes special categories of personal data (“sensitive data”) when such processing is necessary for the purposes of carrying out the obligations and rights of Dispelix as an employer. For example, Dispelix may collect a medical certificate when an employee is sick or information on trade union membership when such membership fee is deducted from salary.
2.3 Business operations
Processing of employees’ personal data is also necessary for the following business purposes:
- to assess and plan recruitment needs;
- for project management purposes;
- budgeting and other financial management; and
- to manage IT and internal communications systems.
The processing is based on Dispelix’ legitimate interest to effectively plan, manage and organize workforce to best support its business. Should the employee like more information regarding the balancing of legitimate interest, please contact the person named above.
2.4 Information security purposes
Dispelix maintains information security measures, such as automated filtering of email and internet traffic, maintenance and retention of log data, for information security purposes to safeguard business information and business assets, to avoid criminal activities and ensure availability of the services. Dispelix bases this processing on Dispelix’ legitimate interest to ensure network and information security and to safeguard its important business information and assets. The information security measures are not used for the purpose of employee monitoring. Should the employee like more information regarding the balancing of legitimate interest, please contact the person named above.
3. Collection of Personal Data
Dispelix processes the following categories of personal data for the purposes listed above:
- Basic personal data, such as name, address, date of birth, gender, nationality;
- Passport and work permit (if needed);
- Job description, such as position, title, tasks, part-time or full-time employment;
- Education, examination, language proficiency, other qualification;
- Health examination certification (if applicable);
- Information concerning employment relationship, such as employment history at Dispelix (incl. positions and promotions), applicable collective agreement, start and end date of employment;
- Payroll information, such as salary, benefits, bank account details, data for calculations and payment, travelling expenses, bank related data, tax class, church and/or trade union membership;
- Travelling, such as travel document details, booked and completed trips;
- Leaves, attendance and absence records, e.g. working hours, attendances and absences, annual leaves, family leaves (paid and unpaid);
- Data concerning health, such as information about sick leaves and working capacity;
- Information concerning professional development, e.g. performance appraisals and evaluations;
- Information that is collected in the course of running the business and day-to-day communications; and
- Information related to termination of employment.
As listed above, Dispelix processes sensitive data relating to employee’s health, trade union membership and church membership, only if required and allowed by applicable law.
4. Sources of Personal Data
As a rule, personal data is collected directly from the employee or job applicant in connection with the employment or recruitment process. However, some personal data may be collected from third parties, such as:
- references from former employers, when named in the application;
- personal data related to aptitude tests or professional competence as part of the recruitment process carried out by an external recruitment agency;
- personal data related to an employee’s professional development and potential disciplinary matters may be collected from the immediate superior, other employees, business partners; and
- health examination certifications issued by the occupational health care provider.
5. Disclosure of Personal Data
Dispelix may disclose personal data to third parties:
- when permitted or required by law, such as to tax authorities, social security authorities, insurance companies, pension institutions, occupational health care institutions, and trade unions and to occupational health and safety institutions and other equivalent authorities;
- to trusted services providers, such as outsourced payroll, IT service providers or recruitment agencies, for the purposes listed above; and
- if Dispelix is involved in a merger, acquisition, or sale of all or a portion of its assets.
6. Transfer of Personal Data Outside EEA
Personal data may be transferred outside the EEA by our service providers. When personal data is processed outside the EEA, we make sure that the service provider has committed to use the EU Commission’s standard contractual clauses and/or is covered by the Privacy Shield. Further, Dispelix Group operates in Finland and in the US, and data can be transferred between Dispelix Finland and Dispelix US. Such transfers are governed by the EU Standard contractual clauses.
7. Retention of Personal Data
Personal data related to non-chosen job applicants is retained for a minimum of one year from the announcement of the recruitment decision.
Employees’ personal data related to the employment relationship will be retained during the course of the employment and at least 5 years from the end of the year in which the employment ended. These retention periods are based on applicable accounting and employment contract laws.
Dispelix may retain personal data for a longer period if it has a legitimate reason or an obligation to retain the data for the purposes of legal proceedings or other corresponding reason.
8. Privacy Rights
Employees and job applicants have the following rights:
- The right to request access to personal data about himself/herself;
- The right to request rectification, restriction or erasure of personal data. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this HR Privacy Statement and may also be required by law, for example personal data relating to the employment contract. Therefore, the deletion of such data may not be allowed by the applicable law, which prescribes mandatory retention periods.
- The right to object to processing based on the legitimate interest of Dispelix;
- The right to withdraw consent at any time when processing is based on consent. The withdrawal will not affect the lawfulness of the processing carried out before the withdrawal;
- Employees have a right to data portability, i.e. the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies to personal data processed based on the employment contract or the employee’s consent.
- Employees have a right to file a complaint with the national data protection authority in the EEA.
Please send the above-mentioned requests to Dispelix at HRprivacy@dispelix.com.
Dispelix maintains reasonable security measures, including physical, electronic and procedural measures, to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, Dispelix limits the access to this information to authorized employees who need to know that information in the course of their job description and third party service providers who may only process data in accordance with instructions provided by Dispelix.
Sensitive data, such as health data, may only be processed by persons who prepare, make or implement decisions concerning employment relationships based on such personal data. Accordingly, such persons are nominated to these tasks that involve processing of sensitive data.
10. Contact Dispelix
For requests regarding this HR Privacy Statement or personal data Dispelix holds about the employee or job applicant in question, please contact Dispelix by email at HRprivacy@dispelix.com.