Digia's Recruitment Privacy Statement
This Privacy Statement (‘Statement’) covers the processing of personal data carried out in connection with Digia Plc’s (‘Digia’) recruitment activities.
This Statement was last updated on 4 December 2024.
1. Data Controller's contact details
Digia Plc
Business ID: FI-08313124
Address: Atomitie 2A, 00370 Helsinki
Tel.: Exchange, +358 (0)10 313 3000 (mobile call charge/local network charge)
In addition, companies within the Digia Group act as joint controllers with Digia Plc insofar as these companies participate in recruitment processes, perform recruitment activities for their workforce needs, or otherwise utilize personal data collected during recruitment by Digia Plc. The majority of recruitment within the Digia Group is conducted on behalf of Digia Plc’s subsidiary, Digia Finland Oy. Contact information for companies within the Digia Group can be found here. All companies within the Digia Group adhere to the same data protection principles in their recruitment practices as described in this Privacy Notice.
In matters related to your personal data processed under this Privacy Notice, contact:
rekry(at)digia.com
2. Data Protection Officer's information
Data Protection Officer Digia Plc
dpo(at)digia.com
3. Purposes and legal bases of processing
Digia processes the personal data described in this Statement solely for recruitment purposes. Candidate personal data is processed during the recruitment process, including assessing the suitability of candidates for specific roles, inviting applicants for interviews, and performing other necessary tasks related to the recruitment process. If a candidate is selected for a position, the personal data provided during the recruitment process is also used for establishing the employment relationship and related tasks.
The legal basis for processing personal data collected for Digia’s recruitment process includes the candidate’s consent, Digia’s legitimate interests related to proper execution of the recruitment process, and legal requirements, such as verifying necessary work permits. If a candidate is hired by Digia, their personal data is processed based on the obligations set by legislation for Digia as an employer.
Candidates are required to provide certain personal information during the recruitment process. These mandatory fields are indicated (e.g., marked with an asterisk *). If a candidate chooses not to provide this information to Digia, they may not be considered for the desired open position. Additionally, specific contact information for candidates is necessary to allow Digia to communicate with them regarding recruitment-related matters.
The purposes and legal bases of processing personal data are described in the table below.
Purpose of Processing | Legal basis of processing |
Implementation of the recruitment process and assessment of individuals’ suitability | Consent |
Retention of applicant documents for 24 months after the end of the recruitment process; statistical reporting of applicant data | Digia’s legitimate interests on the basis of fulfilling recruiting |
Provision of statistical applicant data to authorities for fulfilling legal obligations | Compliance with Digia’s legal obligations |
4. Groups of registered data subjects
Job seekers i.e. candidates for employment
5. Personal data to be processed
Digia processes the following personal data of candidates:
- Name (full name)
- Phone number
- Email address
- Address
- Educational background and work experience
- Other information necessary for assessing suitability (such as language skills or other qualifications)
- Attachments provided by candidates (e.g. cover letter, CV, work samples, photo, websites)
- Notes taken by Digia on the candidates during the recruitment process
In addition to the above, the following personal data of candidates may be collected in the following situations:
- Recipient’s email address if the ‘Tell a Friend’ feature is used when sending job advertisements.
- Recipient’s email address and search criteria if automatic notifications are subscribed to for open job advertisements using the ‘Job Alert’ feature.
- The candidate’s IP address, name, contact details and other information related to a recruitment provided by a candidate through the Digia recruitment bot on Digia’s website.
We may use artificial intelligence (AI) in the open applications we receive (e.g., open job applications to Digia, internship and thesis applications) and in Digia's Career Compass recruitment program, where we simultaneously seek candidates for multiple positions through the same job advertisement.
AI is utilized in the initial sorting of applications. It compares the answers provided in the application form to the job requirements described in the job postings. Applications are sorted with the help of AI into open positions based on how well the job requirements are met according to the application. This grouping speeds up the initial phase of the recruitment process. After grouping, a human reviews the applications and decides whether to move the application to the next phase of the recruitment process. AI does not make recruitment decisions.
If AI is used in the recruitment process, the applicant will be asked for permission when submitting the application. As an applicant, you can also choose not to participate in the AI-assisted process, in which case your application will be processed entirely by traditional methods by the recruitment personnel. This choice will not negatively affect your chances of being employed by Digia.
6. Storage periods and deletion of data
Candidates’ applications and personal information provided during the recruitment process will be retained for the duration of the recruitment process and for a total of 24 months from when the candidate has submitted their application, unless the candidate requests the deletion of their information before this time.
The information of candidates obtained through the recruitment bot on Digia’s website will be retained for 24 months unless the candidate requests the deletion of their information before this time.
Candidate information sent to the recruitment email will be retained in the recruitment email inbox for 12 months from the receipt of the information.
7. Regular sources of information
The information is primarily collected directly from the candidates themselves. Some information may also be collected, with the candidate’s consent, from public sites linked to the candidate’s application (such as LinkedIn) and from referees named by the candidate. In some cases, Digia may also use external recruitment consultants to search for candidates, in which case Digia may also receive candidate information through such recruitment consultants.
If a candidate is selected for the position targeted by the recruitment at Digia, additional information may also be collected from the candidate to perform tasks and obligations related to the employment relationship (such as payroll). Such information includes, for example, the personal identification number, information on valid work permits and qualifications, and the bank account number for payroll purposes. The processing of personal data of individuals hired by Digia is subject to Digia’s Privacy Notice for employees.
8. Regular disclosures of information and transfer of data outside the EU or European Economic Area
Digia uses TalentAdore Oy’s TalentAdore service as its technical platform and partner in recruitment. This partner of Digia, as the technical implementer of the TalentAdore service, has access to the personal data collected by Digia as described in this Privacy Notice, whereby the partner acts as a processor of personal data on behalf of Digia during recruitment activities. Digia has agreed upon appropriate contracts with the partner as required by applicable data protection legislation, in which Digia, among other things, obligates the partner to adhere to the principles of this Privacy Notice when acting as Digia’s processor.
From time to time, Digia may also use other subcontractors, service providers, and consultants in the implementation of its recruitment, who are so-called third parties. Such parties may include, for example, external recruitment consultants used in Digia’s recruitment or other suppliers of services used in recruitment. These parties may also occasionally process or otherwise have access to the personal data managed by Digia as described in this Privacy Notice. However, such parties only have access to the personal data managed by Digia in cases and to the extent necessary for the provision of services. Digia only uses service providers and subcontractors that have been proven to be reliable and commits them through contracts to comply with the data processing principles of this Privacy Notice.
Digia itself does not disclose or transfer personal data collected during the recruitment process outside the EU or EEA. However, the TalentAdore service includes features and functionalities that are produced in whole or in part by a service provider located outside the EU or EEA. Therefore, when using such features or functionalities of the TalentAdore service, it is possible that candidate information may also be processed from outside the EU or EEA. Such service providers act as subcontractors for Digia’s partner, TalentAdore Oy. Digia has obligated TalentAdore Oy to establish appropriate data transfer protection mechanisms with its subcontractors and has verified that this has been done.
For more information about the subcontractors, service providers, and consultants used in Digia’s recruitment, as well as the locations of data processing, please contact Digia using the contact details provided in this Privacy Notice.
9. Data Protection Principles
Digia has implemented the necessary technical and organizational security mechanisms required by legislation to protect the personal data it processes from unauthorized access, processing, loss, alteration, and other security risks. Candidate information is stored in the data controller’s system, which is secured using operating system security software and features. Access to the system requires user-specific identification. Additionally, the system is protected by firewalls and other technical measures. Only specific, pre-defined employees of the data controller are authorized to access and use the information stored in the system.
10. Rights of data subjects
Data protection legislation guarantees data subjects several rights concerning the processing of their personal data. Digia respects these rights and is committed to their implementation. The rights of data subjects are listed below.
- Data subjects have the right to request access to their personal data from the data controller and receive a copy of the data;
- Data subjects have the right to data portability when the processing is based on consent and carried out automatically;
- Data subjects have the right to request that any inaccurate, incomplete or outdated personal data is rectified or erased, and data subjects logged in to the recruitment system can also edit their information directly in the system;
- Data subjects have the right to request the restriction of processing in certain circumstances, such as when Digia no longer requires the data but the data subject does not wish the data to be erased but instead requests that its processing is restricted;
- Data subjects have the right to object, on grounds relating to their particular situation, to processing in certain circumstances, such as when the processing is based on the data controller’s legitimate interest and the data controller cannot present grounds that would override those presented by the data subject;
- Data subjects have the right to request that the data controller erases their personal data, provided that certain conditions are met (‘the right to be forgotten’), such as when the personal data is no longer needed for the purpose for which it was collected, or when the processing was based on consent and this consent is withdrawn;
- Data subjects have the right to withdraw their consent to processing at any time; and
- Data subjects have the right to lodge a complaint with the competent supervisory authority, which in Finland is the Office of the Data Protection Ombudsman (see tietosuoja.fi/en).
Requests for the execution of these rights should be addressed to PrivacyQuery(at)digia.com. Please note that the execution of some of the rights may require that certain additional legal requirements are met. In addition, Digia may need to request certain additional information from the party making the request to allow us to verify their identity.
Include the following information in your request:
- Information that allows us to identify you (such as full name, email address or similar)
- The role in which you are contacting us (= jobseeker/candidate)
- Which of the legal rights listed above you wish to exercise.