Recruitment privacy statement

1. DATA CONTROLLER

YIT Oyj
Panuntie 11
00620 Helsinki
puh. +350 20 433 111

This privacy statement describes how YIT processes the personal data of job applicants in order to carry out recruitment processes. Personal data is processed in accordance with this privacy statement, laws, and the European Union General Data Protection Regulation (GDPR). 

2. CONTACTS

Person responsible for data protection matters:

All contacts can be sent by email to privacy@yit.fi or by filling this form.

Tarmo Nikkilä
tarmo.nikkila@yit.fi
+358 40 821 1214

Person responsible for register matters:

Anneli Metsmaker-Neerot
anneli.metsmaker-neerot@yit.ee
+372 52 41 879

3. PROCESSORS AND RECIPIENTS

Personal data is processed by the HR representative and the recruiting supervisors taking part in the recruitment process. In some cases, job applicant’s personal data may be disclosed to third parties such as recruitment consultants or recruitment companies that are used for performing recruitments. In these situations, YIT uses agreements to make sure that job applicants’ personal data will only be used for purposes that are in compliance with this privacy policy, laws and GDPR.

The technical platform for the register is SmartRecruiters. The service provider is SmartRecruiters, whose headquarters is in the United States. Those SmartRecruiters’ data centers in which YIT’s data is processed are located in the EU and in the US. The service provider acts as a processor of personal data.

4. PURPOSE AND GROUNDS FOR PROCESSING PERSONAL DATA

The processing of personal data is based on job applicant’s (data subject’s) consent. In some cases, processing may also be necessary for the performance of an employment contract between YIT and the job applicant or in order to execute measures prior to entering an employment contract between YIT and the job applicant.

Personal data is processed in order to execute YIT’s recruitment processes and save the data of potential job applicants for later recruitment purposes if suitable positions open later. The above mentioned includes communications with job applicants, such as a recruitment mailing list, and other measures connected to the recruitment process.

The personal data collected is only used for the purposes mentioned in this privacy statement.

It is not necessarily possible to consider the applicant in the recruitment process, if the job applicant does not wish to disclose his/her personal data necessary to the recruitment process to YIT.

5. DATA CONTENT OF THE REGISTER

YIT processes job applicants’ following personal and contact data as well as other data that are necessary in order to carry out the recruitment process:

  • name,
  • date of birth,
  • contact information (address, email, and telephone number),
  • work experience and other experience,
  • education,
  • submitted by the applicant on his/her own initiative:
    • description of his/her competence and suitability for the task, as well as a salary wish;
    • letters of reference or names, statuses and contact information of referees;
    • other freeform information,
  • possible summaries of the job applicant written by the persons involved in the recruitment process as well as summaries of the statements of the referees.

6. REGULAR SOURCES OF DATA

Personal data are primarily collected from the data subjects themselves during the recruitment process. With the data subject’s consent, personal data can also be collected from other sources, such as the consultants and the recruitment companies participating in the recruitment process.

With the data subject’s consent, personal data can also be collected from referees, whose contact information the job applicant has submitted on his/her own initiative.

7. REGISTER SECURITY PRINCIPLE AND THE STORAGE PERIOD OF PERSONAL DATA

YIT processes the job applicant’s personal data during the recruitment process. After the recruitment process has been completed, personal data will be stored for as long as it is necessary for executing YIT’s rights and obligations and responding to potential claims, but not for longer than two years.  

If an applicant is chosen for the position, YIT may transfer the personal data collected during the recruitment process to YIT’s personnel register.

Personal data can also be stored for a longer period if it is necessary to carry out the obligations of YIT under acts, regulations, and other authority sources.

The service provider (SmartRecruiters, Inc.) provides the technical protection of personal data stored in the service.  

8. RIGHTS OF THE DATA SUBJECT

Right to request access

Data subject has the right to be informed if his/her personal data is being processed and the right to request access to personal data concerning him/her.

Other rights

Data subject has the right at any time to:

  • withdraw consent;
  • request rectification of personal data;
  • request erasure of personal data;
  • request a transfer of personal data to another system;
  • lodge a complaint with a supervisory authority.

A SmartProfile (Candidate Portal) is formed after a job applicant submits an application. In the case of an internal job applicant (YIT employee) an inner applicant profile is formed after an application has been submitted through the Employee Portal.

Data subjects may exercise their rights by logging into the Candidate Portal or in the case of an internal job applicant, to the Employee Portal.  In the Candidate Portal or Employee portal data subjects can for example erase or complete their inaccurate or incorrect personal data.

To the extent that the data subjects cannot exercise their rights in the Candidate Portal or Employee Portal, a request has to be submitted as instructed in section two.

9. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION (EU) OR EUROPEAN ECONOMIC AREA (EEA)

We have outsourced the processing of personal data to third party sub-contractors, some of which are also located outside the EU or EEA, such as in the United States.  These sub-contractors will process personal data on behalf of the controller and must comply with the controller´s instructions and this privacy policy. If the provision of services takes place or if personal data is otherwise processed in a country outside the EU or EEA, the data controller ensures through contractual measures that data is processed in compliance with data protection regulations.

When transfer of personal data outside the EU or EEA is necessary, the data controller makes sure that the European Commission has issued an adequacy decision for the country or that standard clauses adopted by the Commission are used.   

10. AUTOMATED DECISION MAKING

Personal data will not be used for automated decision making.