Recruitment privacy policy
This privacy policy is valid since April 22, 2025. (Older versions of the privacy policy can be found here).
Introduction
At Barona, it is important to us that you can trust us to handle your personal data in a careful and transparent manner and with respect for your privacy. When processing your personal data, we strictly comply with the General Data Protection Regulation (GDPR) and other data protection legislation, and we always strive to act in accordance with good data protection practices. This data protection notice describes how we collect, process and protect the personal data of our job applicants.
This data protection notice is updated regularly. The current version is always available at https://policies.barona.fi/recruitment-privacy-policy/.
Data controller’s contact information
Barona Oy
Business ID 2808477-9
Workery East, 8th floor, Pasilan Asema-aukio 1,
FI-00520 Helsinki
Contact information of the data protection officer
Lauri Huhtanen
privacy@barona.fi
+358 20 198 3460
Processing of personal data
| Purpose of processing | Legal basis | Types of personal data | Retention periods |
| Creating and managing a job applicant profile | Consent | * Name * Email address * Phone number * Job search documents, such as CV and job application * Information on competence, training and skills | Two and a half years from the last data update |
| Assessment of the job applicant | Legitimate interest | * Data collected during the recruitment process, such as video interviews and interview notes * Results of any aptitude and personality tests | Two and a half years from the last data update |
| Carrying out the checks required for the position | Consent, legitimate interest | * Credit report * Information on the approval of the security clearance | Two and a half years from the last data update |
| Communications related to the recruitment process | Legitimate interest | Name Email address Phone number Information on competence, training and skills | Two and a half years from the last data update |
| Service development | Consent, legitimate interest | * Analytics on the use of services or products * Statistics on recruitment | Product and service development data will be retained for 24 months |
| Recruitment communications | Legitimate interest | * Name * Email address * Information on competence, training and skills * Information on participation in recruitment processes | Two and a half years from the last data update |
| Marketing communications | Consent | * Email address | For the duration of the validity of the marketing permission |
| Content recommendation | Legitimate interest | * Information about platform usage, such as viewed pages and search history * Content of the job applicant profile, such as competence, employment history and interests | Two and a half years from the last data update |
Sources of personal data
Personal data will mainly be collected directly from you during the recruitment process. Personal data may also be collected from external sources, such as LinkedIn. Personal data may be obtained from other companies in the same group if you change workplaces within the group, for example.
Disclosure of personal data
Disclosure refers to an event in which the data controller (here Barona) provides personal data to a third party that uses it for its own purposes. Personal data may be disclosed to the following parties:
- Barona’s client company in connection with a recruitment assignment. Data will be disclosed to the extent that is necessary for carrying out the assignment.
- Other companies in the Bravedo and Barona Group. For example, if you change workplaces within the Group, the data stored about your employment relationship may be transferred to your new workplace.
Recipients of personal data
We use external service providers, such as system providers, to process the data. The service providers process personal data as data processors on behalf of Barona. We use contractual and technical measures to ensure that the service providers we use process your data in accordance with legislation and good data protection practices.
We use third-party processors to process personal data for the following purposes:
- Managing the personal data of job applicants
- Arranging video interviews
- Arranging aptitude and personality tests
- Analysis of the use of services or products
- Communications
Data transfers outside the EU/EEA
In some cases, the service providers we use may process personal data outside the EU/EEA, e.g. in the United States. Personal data will only be transferred outside the EU/EEA area when the requirements of the data protection legislation are fulfilled. The service providers we use are contractually obligated to ensure that an adequate level of data protection is guaranteed in all processing of personal data.
Safeguarding your personal data
We use appropriate technical and organisational safeguards to protect personal data against loss, unauthorised access and other misuse. Examples of such measures include the use of firewalls, encryption technologies, backups and secure computer rooms. Access to your personal data is internally restricted through electronic and physical access control, as well as through policies for granting and controlling access to different systems. Access to personal data is restricted to those employees who have the right to access it within the scope of their duties.
Rights of data subjects
The data subjects have many rights that they can exercise to influence the processing of their personal data. The rights below can be exercised by sending a request on the matter by email to privacy@barona.fi.
| Right to obtain information | The data subject has the right to obtain information on the processing of their personal data we perform in a transparent and easy-to-understand way. This data protection notice describes the basics of the processing of personal data. If you have any questions regarding data protection, please ask for additional information by using the contact information provided at the beginning of this notice. |
| Right of access | The data subject has the right to obtain information on what personal data regarding them we are processing and receive a copy of the data in question. As requested, the data controller will deliver a copy of the personal data being processed or information that the data subject’s personal data is not being processed. |
| Right to rectification | Data subjects have the right to request rectification or correction of their data, in which case we will complete inaccurate or incorrect data. |
| Right to erasure (“right to be forgotten”) | The data subject has the right to have all their personal data erased, i.e. the right to be forgotten. This right may be limited, for example, by a legal obligation to retain the personal data in question. |
| Right to restrict processing | The data subject has the right to request the restriction of personal data processing. The limitation of processing means that the data will be retained, but they will be processed in other ways only based on permission, for legal request, for protecting the rights of another person, or for an important reason related the common interests of the EU or a Member State. The restriction of processing is applicable in case, for example, the legality of processing has been disputed. Then, the processing of data is limited until its legality has been ensured. |
| Right to data portability | Data subjects have the right to request the transfer of personal data from one system to another. This right is applicable when the personal data has been collected directly from the data subject and the processing is based on a contract or consent. |
| Right to object | The data subject has the right to object to the processing of personal data on the basis of a personal reason if the grounds for processing is legitimate interest, public interest or exercise of official authority. The processing of the data is stopped unless the processing is necessary for some other justified reason. |
| Rights related to automated decision-making | The data subject has the right to not be subject to decision-making based solely on automated processing and which results in legal effects or other significant effects. The data subject has the right to request that a human reviews decisions that are based on automated decision-making. We do not make decisions based solely on automated processing of personal data that would have legal or other significant effects. |
| Right to withdraw consent | If the processing of personal data is based on your consent, you have the right to withdraw the consent at any time. However, this does not affect the lawfulness of any processing based on consent that took place before the withdrawal of consent. The processing of personal data may continue after the withdrawal of consent if another legal basis for the processing is applicable. |
| Right to lodge a complaint with the supervisory authority | The data subject has the right to lodge a complaint on the processing of personal data with a competent supervisory authority. In Finland, the data protection authority is the Office of the Data Protection Ombudsman. |