The Privacy Policy of Job Applicant Register

Privacy Policy

Date of drafting 23 May 2018

Data Controller

Castrén & Snellman Attorneys Ltd (‘C&S’)

Business ID: 0103602-1

Visiting address: Eteläesplanadi 14, 00131 Helsinki, Finland

Postal address: PO Box 233, 00131 Helsinki, Finland

Telephone: +358 20 7765 765

Name of the Register

C&S job applicant register

Purpose of and Grounds for Processing Personal Data

The processing of personal data is based on the legitimate interest of C&S to process personal data as required by the recruitment process in a relevant context between C&S and the job applicant. In certain cases, the processing of personal data is also necessary for carrying out measures preceding the entering into an employment agreement between C&S and the job applicant and performing the employment agreement.

In addition, C&S can, if required by national legislation, request the job applicant’s consent for the collection of certain types of personal data and certain types of processing of personal data. Consent may be required, for example, for carrying out an aptitude assessment.

Personal data are processed for receiving and processing job applications, evaluating and selecting job applicants, and fulfilling the needs related to the recruitment process. If the job applicant does not wish to disclose his or her data to C&S, it may not necessarily be possible to take that applicant into consideration in the recruitment process.

Data Content of the Register

C&S processes job applicants’, i.e. data subjects’, personal and contact data as well as other data that are necessary for evaluating the job applicant’s suitability for the applied position, such as:

  • name
  • date of birth
  • address
  • telephone number
  • e-mail address
  • basic education and degrees with the dates of completion
  • other completed education
  • special skills
  • language skills
  • current and previous duties (employer, title and job description)
  • referees
  • video interview recording
  • other data disclosed by the job applicant to C&S (e.g. copies of letters of reference and diplomas).

Regular Sources of Data

As a rule, the data are collected from data subjects themselves through job applications and job interviews. With the data subject’s consent, personal data can also be collected from third parties, such as the service provider carrying out the aptitude assessment.  Personal data can also be collected from the data subject’s referees.

Regular Disclosures of Data and Categories of Recipients

As a rule, C&S does not disclose data to third parties. However, the data can be accessed by third parties providing services for C&S. C&S uses agreements to ensure that these parties do not process personal data in any other ways than in compliance with instructions issued by C&S and this privacy policy.

Transfer of Data outside the EU or EEA

The applicant’s data may be processed in the Russian offices of C&S when the application concerns a position in one of the Russian offices.  A sufficient level of data security is ensured in these circumstances by using the EU’s model clauses. We do not transfer personal data outside the European Union or the European Economic Area in other circumstances.

Storage Period of Personal Data

C&S processes the job applicant’s personal data actively during the recruitment process. After the recruitment process has been completed, personal data will be stored for as long as necessary for implementing the rights and obligations of C&S and responding to potential claims, however, no more than two years after the recruitment decision has been made.

With the data subject’s consent, personal data can also be stored for a period of time mentioned when giving the consent, for example, for future recruitment processes.

The necessary data will be transferred to the personal data register when C&S and the job applicant conclude an employment agreement.

Personal data can also be stored for a longer period if this is necessary to fulfil the obligations of C&S under acts, decrees or any other authority sources.

Register Security Principle

Manual material

Any manual material is stored in a locked room to which only separately authorised persons have access.

Electronically processed data

The data are stored appropriately on secure servers with technical data security that is controlled by several different means. The access to the data is managed by job role-based management of access rights.

The purpose of the activities above is to secure the confidentiality of the personal data stored in the register, the availability and integrity of the data, and the implementation of the data subject’s rights.

Automated Decision-Making

Personal data will not be used for such automated decision-making that might have legal or corresponding effects on the data subject.

Rights of the Data Subject

Right of the Data Subject to Access the Data

The data subject has a right of access to his or her data in the register. The access request must be made in accordance with the instructions given in this privacy policy. The right of access can be declined based on the grounds provided by law. Exercising the right of access is generally free of charge.

Right of the Data Subject to Request Rectification, Erasure or Restriction of Processing of Personal Data

To the extent that the data subjects can act themselves, they must without undue delay, after becoming aware of an error or, after having observed the error themselves, on their own initiative rectify, erase or supplement data contained in the register and that conflicts with the purpose of the register and that is incorrect, unnecessary, incomplete or outdated. To the extent that the data subjects cannot correct or erase the data themselves, the correction or erasure request must be made in accordance with the section Contacts in this privacy policy.

The data subject also has the right to demand that the data controller restrict the processing of his or her personal data, for example, in a situation where the data subject is waiting for the data controller’s response to the request concerning the rectification or erasure of the data.

Right of the Data Subject to Object to Processing of Personal Data 

In relation to his or her particular situation, the data subject is entitled to object to profiling and other processing that the data controller carries out on the data subject’s personal data to the extent the processing is based on the data controller’s legitimate interest.  In conjunction with the claim, the data subject must specify the particular situation based on which the data subject is objecting to processing. The data controller can refuse to comply with the objection on the grounds provided for in law.

Right of the Data Subject to Data Portability

To the extent that the data subject has provided data to the register to be processed in order to perform an agreement between the employee and C&S or based on the data subject’s consent, the data subject generally has the right to receive such data in a machine-readable format and has the right to transmit these data to another data controller.

Right to Withdraw Consent

If personal data are processed based on the data subject’s consent, the data subject has the right to withdraw his or her consent by notifying the data controller of this in accordance with the section Contacts in this privacy policy.

Right of the Data Subject to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent supervisory authority if the data controller has not complied with the data protection regulations applicable to its operations.


In case of questions related to the processing of personal data and situations related to the exercise of the data subject’s rights, the data subject should contact the data controller. The data subject can use his or her rights by sending an e-mail message to

Changes to the Description of the Register

C&S can make changes to this description of the register if the methods or purposes of the processing of personal data change. The changes will be discussed with the employees in the co-operation procedure if applicable legislation requires this. However, the content of the description of the register should be checked on a regular basis.