Data privacy notice - Job applicants at the University of Oulu
Data privacy notice
Data controller
University of Oulu
Pentti Kaiterankatu 1
P. O. Box 8000
90014 University of Oulu
Unit in charge of the processing
University of Oulu, Human Resources Services
The contact persons for the job applicant register of the University of Oulu are:
- Human Resources Director Jarmo Okkonen, jarmo.okkonen(at)oulu.fi
- HR Development Manager Päivi Rundgren, paivi.rundgren(at)oulu.fi
- HR Development Manager Tero Vedenjuoksu, tero.vedenjuoksu(at)oulu.fi
University Data Protection Officer: dpo(at)oulu.fi
Purpose of processing personal data and legal basis for processing personal data
The purposes for data processing are to post open positions, to gather information about applicants and to compare applicants to find suitable candidates, to receive open applications, and reporting.
The legal basis for data processing:
According to the EU General Data Protection Regulation Article 6: 1. b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
According to the EU General Data Protection Regulation Article 6: 1. c) processing is necessary to comply with the legal obligation of the controller.
According to the EU General Data Protection Regulation Article 6: 1. e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
According to the EU General Data Protection Regulation Article 6: 1. a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Exceptionally, the basis for data processing can be the data subject’s consent, in the case of voluntary recreational events or other similar activities that are not directly related to employee’s work or to employer’s obligations.
The implementation of statistical analysis is based on the EU General Data Protection Regulation (EU 679/2016) Article 6 Section 1.e) and on the National Data Protection Act (4 §).
Personal data to be processed
- Basic personal information (name, family name, e-mail, country, phone number, date of birth, sex, and other such data)
- Data concerning education and language skills
- Data concerning work experience
- Data concerning skills and know-how
- Data concerning research and teaching merits
- Application preferences
- Additional information (possible starting date, references, strengths, source of job advertisement)
- Attachments
Recipients or categories of recipients of personal data
The data is accessible only by you, until you submit your application. After this, the data is processed only by people who are involved in the recruiting process. The register is used by Varbi -recruiting system since 1.1.2023. Access to your personal data is protected with usernames and passwords together with user roles within secure IT network. Paper records and printouts are stored in locked spaces and cabinets.
Data storage time
The retention time for personal data of applications in recruiting system is 24 months from the time of the recruitment decision, after which the data is deleted from the system. The recruited applicant's application documents, applicant summary (applicants' names and dates of birth) and recruitment memo are stored permanently in electronic form. Other applications, which are not sent through the recruitment system but e.g. by e-mail, will be deleted no later than 24 months after the recruitment decision is made.
Data transfers
Your data can be transferred in the following cases:
- For reporting purposes related to recruiting
- For data collection purposes carried out by the Ministry of Education and Culture
- For evaluation by external experts – also evaluation reports can be transferred to other evaluated candidates
- Upon request applicant names and application data, excluding data concerning private life
- The name of the chosen applicant can be notified to other applicants
The data is not transferred to any other systems via an interface.
Data can be transferred outside EU/EEA in the above mentioned cases. In case your personal data is transferred outside EU/EEA, this can take place only under the circumstances and conditions defined by EU’s General Data Protection Regulation.
Data subject rights
You have the following rights as a data subject:
- Right to access your data
- Right to have inaccurate data corrected (make sure to keep your contact information up to date)
- In certain situations, the right to have data erased ("right to be forgotten")
- In certain situations, the right to restriction of processing
- In certain situations, the right to object to processing
- In certain situations, the right to have data transferred from one system to another if the processing is based on consent or agreement and is performed automatically.
Please note that the applicability and scope of your above-mentioned rights will be specified on a case-by-case basis in accordance with the EU General Data Protection Regulation, depending on e.g. the grounds for processing the data, and that you do not have the above-mentioned rights in all cases.
If you have any questions about your rights, you can communicate with the University's Data Privacy Officer or the contact person of the responsible unit.
If you want to use the above-mentioned rights, please send a request to the University’s registry office: kirjaamo(at)oulu.fi, where you will get the necessary additional instructions.
Right of appeal to the supervisory authority
In addition to the rights mentioned above, you have the right to file a complaint about the processing of your personal data with the Office of the Data Protection Ombudsman as the supervisory authority. The contact details and opening hours can be found on the website of the Data Protection Ombudsman.
General description of the technical and organisational protection measures
The University as the Data Controller uses appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against damage or loss.