Data privacy notice regarding job applicants at the University of Oulu

Data Controller

The University of Oulu is the data controller and Human Resources Services is the unit in charge.

Contact details of the unit in charge

The contact persons for the job applicant register of the University of Oulu are: Human Resources Director Jarmo Okkonen, jarmo.okkonen(at), Human Resources Specialist Heidi Huttunen, heidi.huttunen(at) and Human Resources Specialist Tero Vedenjuoksu, tero.vedenjuoksu(at)

Contact details of the Data Protection Officer


The data collected on job applicants includes, among other things, the following:

  • Basic personal information (name, family name, e-mail, address, country, phone number, date of birth, sex, and other such data) 
  • Data concerning education and language skills
  • Data concerning work experience
  • Data concerning skills and know-how
  • Data concerning research and teaching merits
  • Application preferences
  • Additional information (possible starting date, references, strengths, source of job advertisement)
  • Attachments

For what purposes is your personal data used, and what is the legal basis for data processing?

The purposes for data processing are to post open positions, to gather information about applicants and compare applicants to find suitable candidates, to receive open applications, and to carry out reporting.

The legal basis for data processing:

According to the EU General Data Protection Regulation Article 6: 1. b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

According to the EU General Data Protection Regulation Article 6: 1. c) processing is necessary to comply with the legal obligation of the controller.

According to the EU General Data Protection Regulation Article 6: 1. e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

According to the EU General Data Protection Regulation Article 6: 1. a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Exceptionally, the basis for data processing can be the data subject’s consent, in the case of voluntary recreational events or other similar activities that are not directly related to the employee’s work or to the employer’s obligations.

The implementation of statistical analysis is based on the EU General Data Protection Regulation (EU 679/2016) Article 6 Section 1.e) and on the National Data Protection Act (4 §).

Who has access to your personal data?

The data is accessible only to you until you submit your application. After this, the data is processed only by people who are involved in the recruiting process. Access to your personal data is protected with usernames and passwords together with user roles within a secure IT network. Paper records and printouts are stored in locked spaces and cabinets.

The retention time for applications is 36 months, after which the application data is deleted from the system. The applications of the recruited applicants are stored permanently as paper printouts at the University’s Registry Office and in electronic systems.

Information systems using the register

The register is used by the SAIMA recruiting system.

Transfer of personal data

The application process is open and transparent according to the Act on the Openness of Government Activities 621/1999. Your data can be transferred in the following cases:

  • For reporting purposes related to recruiting
  • For data collection purposes carried out by the Ministry of Education and Culture
  • For evaluation by external experts; evaluation reports can also be transferred to other evaluated candidates
  • Upon request, applicant names and application data, excluding data concerning private life
  • The name of the chosen applicant can be notified to other applicants

The data is not transferred to any other systems via an interface.

Transfer of personal data outside the EU/EEA

Data can be transferred outside the EU/EEA in the above-mentioned cases. If your personal data is transferred outside the EU/EEA, this can take place only under the circumstances and conditions defined by the EU’s General Data Protection Regulation.

What rights do you have as a data subject?

You have the following rights as a data subject according to the EU General Data Protection Regulation Articles 15-22:

  • Right to receive confirmation whether your personal data is being processed, right to access your data and receive a copy of the data
  • Right to have inaccurate data corrected and the right to have data erased
  • Right to restriction of data processing and the right to object to data processing
  • Right to appeal to the supervisory authority
  • Right to have data transferred from one system to another and to receive the data in machine-readable format

Please note that the applicability and scope of your rights will be specified on a case-by-case basis in accordance with the EU General Data Protection Regulation. Depending on, for example, the grounds for processing the data, you may not have the above-mentioned rights in all cases.

How can you exercise your rights?

If you have any questions about your rights, you can contact the University's Data Privacy Officer or the contact person of the responsible unit.

If you want to use the above-mentioned rights, please send a request to the University’s registry office: kirjaamo(at)oulu.fi, where you will get the necessary additional instructions.

Right to appeal to the supervisory authority

In addition to the rights mentioned above, you have the right to file a complaint about the processing of your personal data with the Office of the Data Protection Ombudsman as the supervisory authority. The contact details and opening hours can be found on the website of the Data Protection Ombudsman.

General description of the technical and organizational protection measures

The University, as the Data Controller, uses appropriate technical and organizational measures to protect personal data from unauthorized or unlawful processing, as well as from damage to or loss of personal data.

The contact person for matters concerning data subjects’ rights is the Data Protection Officer, dpo(at)

Last updated: 4.3.2022