Privacy Policy

  1. Controller

    Tampere University Foundation sr acting as Tampere University
    Kalevantie 4
    33100 Tampere

    Business ID 2844561-8

  2. Contact person in matters concerning the register

    Questions on the register should be sent to

  3. Data Protection Officer

  4. Name of the register

    Recruitment register

  5. The purpose and legal basis of processing personal dataThe purpose and legal basis of processing personal data

    The purpose of processing personal data is to enable recruitment processes undertaken by the controller (employer) for the purpose of forming an employment contract between an applicant and the employer. With regard to the employment relationship, the purpose of processing personal data is to perform the duties entailed by the employment contract. (Article 6 (1b) of the General Data Protection Regulation). Personal data are also processed for the purpose of fulfilling statutory obligations (Article 6 (1c)) and for the legitimate interest of the controller (Article 6 (1f)) in order to develop the recruitment process.

    The basis for processing personal data:
    ☐ Consent
    ☒ Agreement
    ☒ Legal obligations (Employment Contracts Act, Act on the Protection of Privacy in Working Life, Universities Act and the decrees based on it, Act on the Openness of Government Activities, Archives Act, and Act on the Openness of Government Activities)
    ☐ Protecting the vital interest of the data subject
    ☐ Duties related to public interest or the exercise of public authority
    ☒ Legitimate interest of the controller

  6. Data content of the register

    The collected data are most often the following:
    • Name and contact details such as name, place of residence and country, email address, telephone number (for identification and communication purposes)
    • Gender and nationality (for statistical purposes)
    • Mention of where the applicant found information on the vacancy (for the purposes of developing recruitment processes)
    • Information for assessing competence and suitability (e.g. work experience, education and training, language and other skills, possible expert statements on the applicants, suitability assessments, and evaluations from previous demonstration lessons)
    • If the nature of the vacancy requires a credit history check, this is stated separately in the job advertisement, and the credit history is checked from the credit information register
    • Attachments (e.g. CV, cover letter, teaching portfolio, work sample, research plan)
    • Testimonials and data on the persons who issue the testimonials according to the specifications made by the data subject
    • Data created during the recruitment process, such as interviews, emails, text messages and files that are saved
    • Classifications made and notes taken by the controller (employer)
    • With the data subject’s permission, data from third parties (e.g. social media such as LinkedIn)
    • Recipients’ email address when the vacancy announcements are shared on social media.

    The data handled in recruitment processes are collected and mainly processed on the LAURA™ recruitment software the University uses and on the RecRight platform (video interviews). Some data are stored outside these systems.

  7. Regular sources of data

    The recruitment software collects the data needed for the recruitment process mentioned on the job application form and data collected during the recruitment process. The data are mainly obtained from the applicants themselves.

    Data on applicants may also be obtained from companies that provide credit histories and from any persons the data subject has mentioned as giving a reference.

    Cookies and other analytics tools (Google Analytics) used in the services are utilised to compile statistics and analytics on the use of the services and to improve our recruitment processes and services. The data collected in this manner are completely anonymous and individuals cannot be identified from it.

  8. Regular disclosure of data and recipient groups

    Regular disclosures to third parties:

    The University has the duty to provide the Ministry of Education and Culture (MINEDU) with the data needed for the evaluation, development, statistics and other monitoring and steering of education and research in a manner decreed by Section 51 of the Universities Act.

    Data subjects may be sent subsequent surveys to the address they have submitted to the register, either for the development of the University's own recruitment processes or when the University is required to do so (e.g. surveys related to MINEDU’s statistics).

    The data are disclosed to third parties in accordance with the Act on the Openness of Government Activities. Unless explicitly provided by legislation, the data contained in the application documents become public when the applicant has sent them to the University (via the Laura™ -system or otherwise).

    The processing of the personal data in the register has been outsourced by the means of a mandate:
    ☐ No.
    ☒ Yes, further information on the outsourced processing:

    Personal data are handled by persons participating in the recruitment processes. On a case-by-case basis, third parties such as recruitment consultants, suitability assessors or expert evaluators may be used in the recruitment process.

    The technical platform for the register is the LAURA™ service and the service provider LAURA Rekrytointi Oy is in charge of the technical implementation of the register. The company thus acts as a processor of personal data on behalf of the University.

    Video interviews (including video questions placed in application forms) are implemented by the RecRight service provided by MobileCV Oy.

  9. Transferring data outside the EU or EEA

    If data are transferred outside the EEA, the following is a description of the protection methods: The servers processing the data on the LAURA™ service are in Finland. The data contained in the LAURA™ service is not handled outside the EU and EEA by LAURA Rekrytointi Oy.

    The servers of RecRight are in the EU.

    Is the register data transferred to a third country or international organisation outside the EU or the EEA?
    ☐ No.
    ☒ Yes, where?

    Data may be transferred outside the EU or the EEA, for example, when a person involved in the controller’s recruitment process is located outside the EU or the EEA. In this and all other cases, data security is ensured by using encrypted communication.

  10. The principles of protecting the register data

    A Manual data

    No manual data storage.

    B Electronically processed data

    The controller is responsible for ensuring that the data stored in the service are processed in accordance with good security practices and instructions issued by the controller. Data on the applicants is only processed by those persons whose job involves recruiting staff to specific jobs.

    The service provider (LAURA Rekrytointi Oy) is responsible for the technical protection of personal data contained in the register (LAURA™ -service) comprising, for example, internal data security, access control, security updates of software, and backups. The security of the service is tested both in-house and by third parties.

    All communication between the user’s browser and the service is always protected by strong encryption.

  11. Criteria for the retention of personal data or determination of the retention period

    The applications are stored in the service for 1095 days from the submission of the application or the latest update the data subject has made. The University may process the data for longer, for example, when the University fulfils a legal obligation to provide statistical data on its recruitment processes (see point 8 above), or the data are required in legal cases or similar situations.

    The retention periods of personal data handled in recruitment processes are based on the Archives Act, the guideline issued by the National Archives of Finland and Tampere University’s Data Management Plan (DMP). When the expert assessment procedure is used, data on the applicants selected for an interview and appointed to a post are permanently retained. A list of all applicants is also kept permanently.

  12. Information on the existence of automated decision making or profiling and the logic and the significance of processing the data for the data subject

    Register data is used in individual automated decisions including profiling
    ☒ No.
    ☐ Yes, which?

  13. The rights of data subjects

    Unless otherwise decreed by data protection legislation, data subjects have the following rights:
    • Right to information (right to access one’s personal data)
      Data subjects have the right to know whether their personal data are processed and which of their personal data are stored.
    • Right to rectification
      Data subjects have the right to request that any incorrect or inadequate personal details are rectified or supplemented without undue delay. They also have the right to request that unnecessary personal details are deleted.
    • Right to erase data
      In exceptional cases, data subjects have the right to have their personal data completely erased from the registrar’s registers (right to be forgotten).
    • Right to restrict processing
      In certain cases, data subjects have the right to request that the processing of their personal data is restricted while the data is properly checked and corrected or supplemented
    • Right to object processing
      In specific personal situations, data subjects have the right to object the processing of their data whenever they want.
    • Right to data portability
      In certain cases, data subjects have the right to transfer the personal data they have submitted to the controller in a structured, commonly used and machine-readable format and to transmit it to another controller.
    • Right to lodge a complaint to a supervisory authority
      A data subject has the right to lodge a complaint, in particular with the supervisory authority of the place where he or she is domiciled, if he or she considers that the processing of his or her personal data is in breach of the EU’s General Data Protection Regulation (EU) 2016/679. The data subject also has the right to an administrative appeal and to use other legal remedies.

      Contact details of the Finnish authority:
      The Office of the Data Protection Ombudsman
      P.O. Box 800,
      FI-00521 Helsinki

    Requests related to the exercise of the rights of the data subject should be submitted electronically to the University’s email address or by a letter sent to:
    Tampere University
    FI-33014 Tampere University