NATLINK GROUP’S PRIVACY NOTICE FOR RECRUITMENT

This privacy notice applies to Natlink Group and its subsidiaries, currently Natlink Ab, Natlink Oy and Natlink As.

Natlink Group Ab (“Natlink” or “we”) is fully committed to keeping your personal data safe and private. This privacy notice outlines the collection, use, storage and sharing of your personal data.

It is important to us that you are fully aware of how we process your personal data. Below you will find more detailed information on how your data is processed.

 

1. Controller 

Natlink Group Ab, including subsidiaries
Sveavägen 168, 113 46 Stockholm, Sweden
Business ID: 559354-2474

 

2. Contact in data protection related matters

The data protection officer (DPO), who handles all personal data protection related matters, can be contacted by e-mail: gdpr@natlink.fi.

 

3. Name of the data file

Recruitment data file

 

4. The purposes for processing personal data

The personal data is used for executing all the actions related to job applications and recruiting. In addition to existing job applicants, we may also process personal data of former job applicants.

 

5. The legal basis for processing personal data

Personal data is processed based on consent (where you give your approval for the processing of your personal data for a predefined, specific purpose). In certain instances, such as when sourcing suitable candidates for a specific position, we may rely on our legitimate interest as the legal basis for processing.

 

6. The contents of the data file

We may process the following data about you:

  • Basic personal data such as name, address, email, telephone number.
  • Data related to former education and employment history and competence such as finished and ongoing training and studies and their dates, former employers, job descriptions, tasks, titles and dates.
  • Additional data related to the application process such as taken suitability tests and their results.
  • Other information given by you such as date of birth, social security number, sex, nationality, hobbies, photo.

 

7. The data sources

Primarily, personal data is collected directly from you. However, we may also work with external providers, such as Intro.io, to source suitable candidates, from whom we receive information about you. We work exclusively with trusted external providers who comply with applicable data protection laws and with whom we have established clear agreements regarding personal data processing activities.

We do not perform automated decision-making or profiling as part of the personal data processing activities covered in this privacy notice.

 

8. Disclosures and transfers of personal data

We will not regularly disclose your personal data to parties outside the Natlink organisation. However, we may disclose your data within our group companies, meaning that another company within our group of enterprises may process the data on our behalf. If we share your personal data with companies within our group, we will make sure that your personal data is processed in a way that conforms to this privacy notice.

 

8.1 Transfers to third parties

We may also disclose some essential data to those third parties who act as our authorised service providers or subcontractors who provide e.g., job application management and suitability testing.

As far as these third parties require access to personal data to provide their services, Natlink has taken appropriate contractual and organisational measures to ensure that your personal data is processed solely in accordance with the purposes outlined in this privacy notice and all applicable laws and regulations. The transfers will be carried out securely in accordance with our written instructions as well as EU GDPR and other legislative requirements. We use trusted, carefully selected partners on the basis of a mutual partnership agreement (including Data processing agreements, DPAs) where they agree to fully comply with the appropriate privacy and security standards.

We may transfer your personal data to authorities such as the police, border controls or other third parties outside the Natlink organisation if access to and use of such data is reasonably necessary to comply with any applicable laws, regulations, and / or court decisions; detecting, preventing and handling cases of fraud, a security issue, or technical problem; and / or to protect Natlink’s or our customers’ interests or property, to secure or safeguard the public interest in accordance with the law. If possible, we will notify you of this type of transfer or processing of your personal data.

If Natlink is party to a merger, business deal or other acquisition, we may transfer your personal data to a third party or third parties involved in the transaction. In cases like this we will always ensure that your personal data remains confidential. If this happens, we will announce it on our website and update the privacy notice accordingly.

 

8.2 Transfers outside of EEA

As a general practice, Natlink stores your personal data within the European Economic Area (EEA). However, please be aware that our service providers operate in various geographical regions, which may require the transfer or access of your personal data outside of the EEA. We want to assure you that we take every step to protect your data during such transfers.

  • Explicit Consent: By using our services, you consent to the transfer of your personal data as described herein.
  • Transfer Destinations: These transfers may involve countries or regions outside the EEA. While we aim to minimize these transfers, they are occasionally necessary to provide our services effectively.
  • Service Provider Certifications: Rest assured, we only engage with service providers who maintain certifications in accordance with GDPR and other internationally recognized data protection standards, such as ISO 27001.
  • Safeguarding Measures: To protect your data during transfers to non-EEA countries, we implement stringent safeguards. These may include encryption, access controls, and other security measures.
  • Legal Framework: These transfers are carried out in compliance with Article 46 of the General Data Protection Regulation (GDPR), which permits such transfers when appropriate safeguards are in place.

Your data security is of utmost importance to us, and we continuously monitor and improve our practices to ensure your personal information remains protected, regardless of its location. If you have any concerns or questions about this process, please feel free to contact our Data Protection Officer.

 

9. Storage of personal data

We will only store your personal data for as long as is necessary for the purposes outlined above, or for as long as required by law. You may ask us the exact storage time for your specific data. In most cases data is stored for no longer than one (1) year from the recruitment decision. The data will be erased once storing it is no longer necessary according to legislation or to ensure the rights or responsibilities of either party. We may also be required to store personal data for a longer period of time for other purposes, for example for establishment, exercise or defence of legal claims.

 

10. Protection of personal data

We have implemented appropriate administrative, organisational, technical and physical safeguards in order to protect all of the personal data we process. Our security measures have been designed to ensure a sufficient level of confidentiality, integrity, and availability, to protect personal data from being lost, destroyed, misused, unlawfully accessed or disclosed to third parties. Personal data may only be processed by people who need to process this data in order to complete their work. Data is mainly stored only in electronic form and personal user IDs and passwords are required for accessing the systems containing personal data. Any physical material is stored in locked premises.

 

11. Your rights as the data subject

In this section we describe your rights under applicable European data protection legislation. You will not be charged if you want to exercise your rights and you can exercise them by contacting us (please see our contact details in Chapter 2 of this Privacy Notice). Do not hesitate to contact us if you have any questions regarding your rights.

Please note that we will always assess a request to exercise a right in order to determine whether the request is legitimate. We may request some additional information from you in order to verify your identity and your justification for the request. Not all rights listed below are absolute and there are exemptions which can be valid. Please note that we have the right to reject requests that are repeated too often, are excessive, or are clearly unfounded.

Your rights are the following:

  • The right of access: You may request to review all your personal data in this data file.
  • The right of rectification: You may request to have your personal data corrected and/or complemented if it is erroneous, inaccurate and/or incomplete.
  • The right to erasure: You may request that we delete your personal data from the data file, provided that it is no longer needed for the purpose it was collected for and that there are no legal obligations in effect concerning us regarding processing or storing it.
  • The right to object to / restrict the processing of your data: You may in certain cases request us to restrict the processing of personal data concerning you or to object to the processing of your personal data.
  • The right to data portability: You may request us to transmit your personal data to another controller when that data was provided by you. You will then receive your personal data from us in an organised and commonly used format for transferring that data to a third party.
  • The right to withdraw consent: When our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Please note that the lawfulness of any processing based on your consent before its withdrawal is not affected by the withdrawal.
  • The right to object to direct marketing: You may at any time object to processing which is done for the purpose of direct marketing. As a recipient of marketing messages you may at any time leave the marketing channel by acting as advised in the message.
  • The right to make a complaint to the supervisory authorities: You may at any time make a complaint to authorities regarding the processing of your personal data. However, if you feel that Natlink’s processing of your personal data goes against applicable data protection legislation, we encourage you to first contact us so that we can review your complaint and make any necessary corrections.

This document has been reviewed / updated 23 September 2024.