Last updated 1.4.2021

This Privacy Policy explains how we at Citec process the personal data of our job applicants (“you”, “your”) as per the General Data Protection Regulation (EU) 679/2016. We also inform you of your rights as data subject and the exercise thereof.

1. Name and address of the controllers

Data controller of your personal data is the respective Citec company you are applying a job for.

Citec Oy Ab (”Registrar”)Data controller of your personal data is the respective Citec company you are applying a job for.

Should you have any questions regarding data protection don’t hesitate to be in touch with our contact persons mentioned above.

2. Personal data processed

We process the following categories of personal data:

  • Basic data: name, contact details
  • Data included in your CV


Provision of the above described personal data is necessary to participate in the recruitment process.

3. Purposes of processing and legal basis for processing

Below is a general overview of the purposes your personal data is processed for and their corresponding legal basis.

Processing your personal data is based on your consent for the following purposes:

  • Carrying out the recruitment process
  • Evaluating job applicants’ skills and making a hiring decision
  • Contacting job applicants in recruitment-related matters

Processing your personal data is also necessary for complying with legal obligations we are subject to for resolving any dispute arising out of a recruitment decision.

4. Information sources of personal data

As a rule, personal data is collected directly from the data subject in connection with the recruitment process. However, some personal data may be collected from third parties, such as:

  • former employers, when named as references in the job application;
  • an external recruitment agency as regards personal data related to professional competence as part of recruitment process carried out by such agency;
  • current employees who recommend a candidate for the announced position or for the open application purpose

5. Retention of personal data

We store your personal data for two years after the recruitment decision has been communicated to you.

6. Automated decision-making and profiling

We do not use automatic decision-making or profiling in the processing of personal data.

7. Recipients of personal data

We use service providers that assist us in achieving the purposes for processing your personal data mentioned above. For this reason, they receive personal data to the extent necessary for fulfilling these purposes. Such service providers are our contractual partners that process personal data on our behalf, and to ensure the safe disclosure of personal data we have Data Processing Agreements in place with them:

  • Cornerstone OnDemand ®
  • Microsoft Corporation as regards the candidate’s name
  • Citec Group companies

In addition, we disclose your data to the authorities when necessary based on applicable legislation or court decision.

8. Transfers outside EU/EEA

In some exceptional cases we transfer personal data outside the EU/EAA. These transfers adhere to choose the applicable transfer mechanism, such as the standard contractual clauses drafted by the European Commission. You can find such clauses

9. Your rights as data subject

Under the General Data Protection Regulation, you are granted the rights listed below. The rights granted to you in each specific case depend on the legal basis used for each of the processing activities.

Should you wish to use your rights as a data subject, please contact the contact person mentioned in section 1. We may have to request some additional information in order to confirm your identity before fulfilling your rights.


A) Right to access

You have a right to know whether we process your personal data and if we do, you have the right to access your data. However, the right of access can be limited by legislation or to protect the privacy of other people.

B)Right to have inaccurate personal data rectified

Should your personal data be inaccurate or incomplete, you have a right to have it rectified. If your data has been shared with third parties, we will take reasonable steps to inform them of the rectifications where possible.

C) Right to erasure

In certain cases, you have a right to request erasure of your personal data. However, such right can be limited by legislation.

D) Right to object processing of personal data

You have a right to object the processing of your personal data when it is processed based on our legitimate interest or public interest grounds. The right can be restricted by overriding compelling legitimate grounds.

E) Right to restrict processing

In certain circumstances, you have the right to restrict the processing of your personal data not to be used but to be stored only. This right is alternative to erasure and it applies e.g. when you have contested the accuracy of your personal data or objected to processing and we are verifying the accuracy or considering if overriding interests apply.

F) Right to data portability

You have a right to receive a copy of the personal data you have provided to us in a commonly used electronic format. The right applies only to personal data we process based on your consent or on fulfilling a contract.

G) Right to withdraw your consent

You may, at any time, withdraw your consent to processing of your personal data.

H) Right to lodge a complaint with a supervisory authority

You have a right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes the EU General Data Protection Regulation.

For data protection authority in Finland see

For data protection authority in Sweden see

For data protection authority in Norway see

For data protection authority in France see

For data protection authority in Germany (Hessen) see

10. How we protect your personal data

Protecting your personal data is paramount for us. We apply appropriate technical and administrative safeguards to prevent any loss, misuse or unlawful access to your data. All manual material is stored in a locked space and can be accessed only by authorized people.

Data stored in electronic systems is protected by firewalls, passwords and other technical solutions. Access to personal data is limited by access control measures and those involved in processing personal data are bound by confidentiality obligations. Special categories of data are subject to stricter access controls and security measures.