Updated 9.1.2023

1. Data Controller
Aresman Oy, auxiliary company name Arespartners
Business identity code: 1794161-6.
Teknobulevardi 3-5, G
01540 Vantaa
Tel. 09 4257 9880
hallinto@arespartners.fi

2. Contact person for register matters
Jarmo Virtanen, senior consultant, partner
Tel. 040 560 9585
jarmo.virtanen@arespartners.fi

3. Name of register
Job Applicant Register; a register based on recruitment services between the data controller and natural persons containing data of job applicants (data subjects).

4. Purpose and legal basis for processing personal data
The purpose of processing personal data that Arespartners has collected is to bring the right people and organizations together and to develop them to make profit and success together.

This means establishing, managing, and maintaining the client relationship between Arespartners and the job applicant. Practical examples of processing activities are communication with (potential) job applicants, interviews, personal assessment and aptitude tests, and measuring applicant satisfaction. Arespartners can also inform the job applicant about open positions if she/he so wishes.

The processing of personal data in a public and open recruitment process is based on consent i.e., the job applicant’s own activity and recording of personal data to the electronic channel of Arespartners by the job applicant’s own initiative.

The processing of personal data in a direct recruitment process is based on Arespartner’s legitimate interest when Arespartners, based on the assignment, collects and processes personal data necessary to fulfill the position.

For the purposes of direct recruitment processes, the data of job applicants is collected, among others, from public sources of information that contain information on proficiency, education, and experience as well as information from different online services the purpose of which is expressly to present the personal professional expertise of the relevant person. Consequently, collecting personal data from these services or sources is not inconsistent with the personal data processing occurring here, and the data subject has knowingly made public or expressly wished to make available the data concerning him/her and related to various recruitment situations.

Personal data may also be used for profiling purposes. In direct recruitment, the candidate’s suitability for the position is estimated based on the received and collected personal data. In these situations, profiling is always carried out by a consultant, and it will never be done by utilising solely automatic processing actions.

Data processing tasks may be outsourced to external service providers in accordance with data protection legislation and within the limits stipulated by it.

Arespartners can, based on legitimate interest, also use personal data for analytics and compiling internal reports in order to better understand its customers and to develop and manage its operations. In addition, personal data may be processed to fulfill statutory rights and obligations, as well as to protect rights and demonstrate compliance.

5. Content of the register

The following types of information is collected and processed about applicants:

•  The person’s basic information (name, date of birth, contact information)
• Information about education, work experience and knowledge
• Possible cover letter for the application, curriculum vitae, photo, work and study certificates
• Information regarding the applicant’s job application
•  Information related to personal assessment and aptitude tests
• Personal credit information (if obtained)
• Video recorded by the person
• Candidate’s progress in different phases of the recruitment process and a possible reason to interrupt the process
• Other separately defined possible employment relationship related information such as term of notice, salary, non-compete undertaking, tools for working
• Answers to satisfaction and feedback surveys
• Any other information that the person has personally provided to Arespartners in different contexts, such as via an online form or e-mail.

6. Time period for retention of personal data
Arespartners retains the personal data for a maximum period of two (2) years from the latest update of the application data. The applicant may however request, at any time, for the erasure of all data of him/her from the registers of Arespartners.

7. Regular sources of information
Information regarding job applicants in connection with both public and open recruitment is collected from the applicant on his/her own initiative and consent.

In a direct recruitment process, personal data necessary to fill the position in accordance with the assignment is collected by using public sources of information (including social media, media archives, registers of graduates, degree databases of universities, electronic phone books and other databases) as well as Arespartners’ own registers and other registers, to which job applicants have submitted or recorded by themselves their own curriculum vitae/information for the purpose of applying for a job.

These registers are, among others, the recruitment database Teamtailor used by Arespartners, CV database of Jobly, Linkedin (social media), Melinda (degree database), Diplomi-insinöörit ja arkkitehdit (a register of graduates), 16100.fi (phone numbers), Population Register Centre (address information), Fonecta Kohdistamiskone B2B (business information), HS.fi (online news).

Other sources of information can be, for example, Arespartners’ clients, and persons giving recommendations. In these cases, personal data is stored in the register only when the applicant has given his/her consent.

8. Regular data disclosure and the groups of recipients
Personal data of registered job applicants is not, in principle, disclosed to outsiders without the data subject’s consent. Personal data is disclosed only to the client of Arespartners, person/persons responsible for recruitment.

However, Arespartners may disclose personal data to third parties, such as authorities, legal advisors, or other similar actors, based on law or its legitimate interest, to properly protect its rights.

9. Data transfers outside EU/EEA
Personal data is primarily processed within the European Union (EU) and the European Economic Area (EEA). To the extent that our service providers are located or may have access to personal data from outside the EU or EEA, we ensure that personal data is only transferred to countries that the European Commission has assessed in its decision as providing an adequate level of data protection or that international data transfer takes place with appropriate protective measures permitted by law, such as the European Commission’s Standard Contractual Clauses.

10. Data security principles
Personal data contained in the Job Applicant Register is retained as confidential information. Arespartners is responsible for ensuring that personal data of job applicants is not accessible to unauthorized persons. Personnel of Arespartners have signed non-disclosure agreements regarding the processing and handling of their working tasks.

Manual data
Manual data is stored in locked premises. Access to storage premises is granted only to personnel of each office of Arespartners.

Electronically processed data
The information network and the hardware where the register is located is protected by firewall and other appropriate technical measures. Information on the website is protected by SSL secured connection.

Electronic registers are protected by firewalls, protection software of the operating system, personal usernames and passwords of the personnel of Arespartners and by other technical measures of data security generally recognized within the industry.

Based on the cooperation agreement between Arespartners and its IT service providers, the service providers have access to registers as far as it is necessary to carry out IT maintenance. Arespartners requires all its IT service providers to sign an agreement where confidentiality, appropriate information security, secrecy, and commitment to the principles of applicable data protection legislation are defined.

Enterprise level data security software, protected connections and applications are used for data transfers.

The purpose of the measures presented above is to secure the confidentiality, access and integrity of the personal data retained in registers and the fulfilment of the rights of data subjects.

11. Automated decision making
Personal data is not used for automatic decision making that would produce legal or equivalent consequences to data subject.

12. Data subject’s right to object personal data processing
On grounds relating to his/her particular situation, the data subject is entitled to object profiling and other processing actions carried out by the data controller regarding the personal data concerning him/her, provided that the processing is based on the data controller’s legitimate interest. Data subject may send his/her request to object to the processing in accordance with section 15 of this privacy notice. In this request, the data subject shall define the particular situation based on which data subject is objecting the data processing. The data controller may refuse to fulfil the request on statutory grounds.

13. Data subject’s right to object direct marketing
Data subject may give his/her consent or prohibition regarding direct marketing related to each channel including profiling for direct marketing purposes.

14. Other rights of data subject
Access to information
Data subject is entitled to access the information concerning him/her, which is recorded in the register. Request for access shall be presented according to the instructions of this privacy notice. The use of this access right to information is primarily free of charge.

Right to rectification, erasure and restriction
In so far as data subject is able to act by him-/herself, he/she shall without undue delay after being informed of mistake or observing the mistake by him-/herself, on his/her own initiative, rectify, erase or complete information in the register, which is against the purpose of the register, incorrect, unnecessary, imperfect or outdated. 

If the data subject is not able to correct or erase the information by him-/herself, the request shall be presented according to section 15 of this privacy notice.

Data subject is also entitled to have the data controller restrict processing of the data subject’s personal data for example when the data subject is waiting for the data controller’s answer to the data subject’s access or erasure request.

Right to data portability
As a general rule the data subject is allowed to receive in a machine-readable format personal data concerning him/her which he/she has provided to the controller, and which is processed on his/her consent and to transmit the data to another data controller.

Right to lodge a complaint
If the data controller does not follow the applicable data protection legislation, a data subject is entitled to lodge a complaint with the competent data protection authority. The Data Protection Ombudsman is the data protection authority in Finland.

Other rights
If personal data is processed based on the data subject’s consent, the data subject has the right to withdraw his/her consent by informing the data controller according to section 15 of this privacy notice.

15.Contacting the data controller
In all matters concerning processing personal data and using own rights, the data subject should contact the data controller by e-mail tietosuoja@arespartners.fi or

Arespartners
Teknobulevardi 3-5, G
01540 Vantaa
Tel. 09 4257 9880

Data subject has the right to receive information concerning him/her in a machine-readable format. Information can be sent by letter to the address found in population register or data subject can receive it personally at the office of Arespartners (identification shall be presented).