This Data Protection Notice (“Notice”) lays out how the European Centre of Excellence for Countering Hybrid Threats collects, processes and discloses personal data in connection with applications for vacant positions and the recruitment process.
The Controller, pursuant to applicable data protection legislation, is the European Centre of Excellence for Countering Hybrid Threats (‘Hybrid CoE’). Hybrid CoE is responsible for personal data processing in accordance with this Notice and applicable data protection legislation.
Contact details of the Controller:
The European Centre of Excellence for Countering Hybrid Threats
Business ID: 2841395-8
Address: Fabianinkatu 21, 00130 HELSINKI, Finland
2. Collection of personal data
Personal data may be collected in different ways. As a general rule, personal data are collected directly from the data subject. Insofar as is permitted by applicable European and Finnish data protection legislation, the Hybrid CoE may also collect personal data from other sources, such as public databases.
The Hybrid CoE collects and processes personal data related to applicants which are necessary for job application processing and the recruitment process, such as
- basic data, such as name, home address, email address, telephone number, date and place of birth;
- data contained in the job application and related documents, such as education, prior work experience, degrees, language proficiency and referees; and
- data collected and processed during the recruitment process, such as data on the progress of the recruitment process, notes on the application, possible interviews, data on security clearances, and referees.
3. Purpose and legal basis of personal data processing
The personal data processing is based on the Hybrid CoE’s legitimate interest of processing personal data in a fashion required by the recruitment process. In certain cases, personal data processing is also necessary to perform actions required by an employment contract concluded between the Hybrid CoE and an applicant, and to implement an employment contract.
In addition, if so required by national regulations, the Hybrid CoE may ask for the applicant’s consent for the collection or processing of certain kinds of personal data. For example, consent may be requested in order to conduct a suitability assessment.
Personal data are processed to receive and process job applications, evaluate and select applicants, as well as to meet the needs of the recruitment process.
4. Regular data sources
As a general rule, data are collected from the data subject himself or herself via the application and interviews. With the data subject’s consent, personal data may also be collected from other sources, such as a service provider conducting suitability assessments. Personal data may also be collected from referees indicated by the data subject.
5. Transfers and disclosures of personal data
The Hybrid CoE may disclose personal data to third parties:
- to the extent permitted and required by law;
- when the Hybrid CoE believes that disclosure of personal data is essential to exercise the Hybrid CoE’s rights, to protect the data subject’s and others’ security, to investigate abuse or to respond to a request from an authority; and
- with the data subject’s consent, to parties which the consent concerns, such as referees.
6. Disclosure of personal data outside the EU or EEA
As a general rule, the Hybrid CoE does not transfer personal data processed during the recruitment process outside the European Union (EU) or the European Economic Area (EEA).
In exceptional cases, the Hybrid CoE may transfer personal data outside the EU or EEA or to an international organization when a partner operating on assignment from the Hybrid CoE is located outside these areas or is an international organization. In these cases, the Hybrid CoE applies the appropriate safeguards to ensure the data subject’s rights and liberties in accordance with the applicable data protection legislation, such as the EU’s General Data Protection Regulation (679/2016).
7. Storage of personal data
Personal data are only stored for as long as necessary for the fulfilment of the purposes laid out in this Notice.
Personal data are stored for the duration of the recruitment process. Personal data may also be stored, insofar as is necessary, after the end of the recruitment process, to the extent permitted and required by law. Generally, personal data are stored for 6 months after the end of the recruitment process.
With the data subject’s consent, personal data may also be stored for a period indicated upon granting of consent, for example for future recruitment processes.
Necessary data are transferred to the employees’ personal data register when the Hybrid CoE and the applicant conclude an employment contract. Personal data may also be stored for longer if so required to fulfil an obligation of the Hybrid CoE under law, regulation or from another official source. Personal data are erased when their storage is no longer required by law or for the exercise or discharge of either party’s rights or obligations.
The personal data of applicants for the post of director of the Hybrid CoE are archived after the end of the recruitment process. Such data include, for example, applications and curricula vitae submitted personally by the applicants for the post of director.
8. Data subject’s rights
The data subject has the right to inspect personal data concerning him or her. The data subject may also, at any time, request the correction, update or erasure of his or her personal data. However, personal data which are necessary for the fulfilment of the purposes laid down in this Notice, or whose retention is required by law, may not be erased.
The data subject has the right to object to or restrict the processing of his or her personal data to the extent required by applicable legislation.
In certain cases, the data subject has the right under applicable legislation to transfer the personal data he or she has provided to the data controller from one system to another, that is, the right to receive his or her personal data in a structured, commonly used, machine-readable form and to transfer those data to another controller.
When the controller processes personal data on the basis of consent, the data subject has the right, at any time, to withdraw the consent given. The controller will not subsequently process the personal data further unless there is another legal basis for the processing.
The data subject may exercise his or her rights by submitting a request to the controller at firstname.lastname@example.org.
If the data subject considers his or her personal data are being processed inappropriately, the data subject has the right to consult the Data Protection Ombudsman on the matter. The Data Protection Ombudsman’s contact information is available at: https://tietosuoja.fi/en/contact-information.
9. Data security
The Hybrid CoE takes appropriate measures (including physical, digital and administrative measures) to protect personal data from loss, destruction, abuse and unauthorized access or disclosure. For example, only people who need the personal data to discharge their employment duties have access to it.
However, not even appropriate measures can prevent all possible data security breaches. If personal data security is breached, the Hybrid CoE will notify data subjects of the matter in accordance with applicable European and Finnish data protection laws.
10. Automatic decision-making and profiling
The Hybrid CoE does not use personal data for automatic decision-making or profiling.
11. Amendments to the notice
The Hybrid CoE has the right to amend this Notice. The Hybrid CoE will inform data subjects of amendments during the recruitment process on its website, which also contains the most
recent version of this Notice.
12. Contact details
The data subject may ask about this Notice or for more detailed information about personal data processing by emailing the Hybrid CoE at email@example.com.