Privacy policy for recruitment
Privacy notice for personal data processed in recruitment
Privacy notice concerning personal data collected during Epec’s recruitment process.
Updated 27.3.2026
Controller
Epec Oy (hereinafter “Epec Oy”, “Epec” or “controller”)
Business ID: FI15690673
Laakeriväylä 1
60100 Seinäjoki, Finland
Telephone +358 20 7608 111
www.epec.fi
The controller is responsible for ensuring that personal data is processed in accordance with this privacy notice and applicable data protection legislation.
Contact details regarding the register
In all matters related to the processing of personal data, requests, and exercising the rights of the data subject, the data subject may contact:
Epec Oy
privacy@epec.fi
The controller may request additional information if necessary to verify the identity of the data subject.
Name of the register
Epec Recruitment Register
Legal basis and purpose of processing personal data
The purpose of processing personal data is to carry out, manage, and document the recruitment process and to select a suitable employee.
The processing of personal data is based on the following legal grounds:
- the controller’s legitimate interest to carry out the recruitment process, assess applicants’ suitability, and respond to recruitment-related inquiries and possible legal claims;
- processing necessary to take steps at the request of the data subject prior to entering into a contract;
- the data subject’s consent where required (for example, storing data in a talent pool or conducting assessments)
The controller has assessed that the processing is necessary and proportionate and does not override the fundamental rights and freedoms of the data subject.
The controller has conducted a Legitimate Interest Assessment to evaluate the impact of processing on data subjects’ rights and to ensure that processing aligns with their reasonable expectations.
Content of the register
The data provided by the applicant in the application and its attachments, as well as additional data recorded by Epec during the recruitment process.
The register may include the following personal data necessary for the recruitment process and the position:
- Basic information such as name, date of birth, gender, native language, username and/or other identifier, password;
- Contact information such as private email address, phone number, address;
- Information related to the position applied for, such as details regarding the type and nature of the employment relationship and information about the person responsible for the recruitment process. More detailed information is provided in the job advertisement;
- Other information provided by the applicant to the controller during the recruitment process about themselves and their background, such as a photograph, education and training details, profession, employment history (including employers, start dates and durations of employment, and the nature of job duties), language skills, other areas of expertise, descriptions of personal characteristics, various certificates, and assessments, as well as references to portfolios, profiles or other sources available on the Internet;
- Information relating to the progress of the recruitment process, such as information about upcoming interviews or the interruption of the recruitment process
- Information produced during the recruitment process by Epec or external parties, such as data related to interviews and assessments;
- Any other data voluntarily provided by the applicant during the recruitment process or collected by the controller with the data subject’s consent
In addition, the register may include:
- evaluations and notes created during the process
- results of suitability assessments (subject to data subject’s consent)
- technical data relating to the recruitment process (such as the time of application submission and processing stages)
Data processing follows the principle of data minimization, meaning that personal data is processed only to the extent necessary for the recruitment process.
The controller does not process special categories of personal data (GDPR Article 9) unless required by law or explicitly provided by the data subject. In such cases, processing is limited to what is strictly necessary and carried out in accordance with applicable legislation.
Sources of data
The primary source of data stored in the register is the applicant.
Data may also be obtained from:
- Individuals and parties involved in the recruitment process (such as interviewers and recruitment consultants)
- References provided by the applicant
- Publicly available sources, such as professional networking services (e.g. LinkedIn)
Publicly available data is processed only under the following conditions:
- The data has been made public by the data subject
- The data relates to the data subject’s professional profile
- The processing is necessary and proportionate in relation to the position in question
- The collection of data is limited to relevant information (data minimization)
- Data is not collected from private or non-professional sources
- Data is not combined with other data in a manner that would be unexpected or excessive from the data subject’s perspective
Where personal data is collected from sources other than the data subject, the data subject will be informed of such processing in accordance with applicable data protection legislation.
By submitting a job application, the data subject provides their personal data for the purposes of the recruitment process. The processing of personal data is based on the legal grounds described in this privacy notice.
Disclosure and transfer of data
Personal data is primarily processed within Epec Oy and its group companies.
Data may be disclosed:
- To authorities in accordance with applicable legislation, where required or permitted by law
- To service providers acting on behalf of the controller (such as recruitment systems, IT services, suitability assessments, and legal services)
All service providers act as data processors and appropriate data processing agreements have been concluded with them.
Epec’s parent company, Ponsse Oyj, may process data as a processor or joint controller depending on the nature of processing (including, without limitation, HR support services and systems). In such cases, the responsibilities and obligations of the parties are defined in agreements in accordance with the applicable data protection legislation. The data subject has the right to request further information regarding these roles.
Personal data will not be disclosed to other parties without the data subject’s consent, unless there is a legal obligation or a legal basis for such disclosure.
Transfer of data outside the EU/EEA
Personal data may be transferred outside the European Union or the European Economic Area only where such transfer is necessary for the implementation of the recruitment process or for technical processing purposes.
In such cases, the controller ensures that the transfers are carried out in accordance with applicable legislation by implementing appropriate safeguards, such as the standard contractual clauses approved by the European Commission.
Data protection and retention
Access to systems containing personal data is restricted to individuals whose job duties require such access.
The register is protected by appropriate technical and organizational measures such as access control, password protection, firewalls, and logging. The controller regularly evaluates the adequacy of its security measures using a risk-based approach and continuously improves them, taking into account the risks to the rights and freedoms of data subjects.
Personal data is retained for a maximum of 24 months after the recruitment process ends. This retention period is based on the controller’s legitimate interest in documenting the recruitment process and establishing, exercising, or defending legal claims. With the data subject’s separate consent, personal data may be retained in a talent pool for a maximum of 24 months from the end of the recruitment process. Different categories of personal data may be retained for different periods depending on the purpose of processing.
The data subject may request deletion of their personal data at any time, unless there is a legal obligation or a legitimate basis for retaining the data.
If the applicant is hired by Epec, the personal data provided during the recruitment process will be retained as part of employee records in accordance with Epec’s employee privacy notice.
Epec regularly reviews the necessity of data retention in accordance with applicable legislation. In addition, Epec takes reasonable measures to ensure that personal data that is incompatible with the purposes of processing, outdated, or inaccurate is not retained in the register.
Rights of the data subject
The data subject has the right to:
- Access the personal data concerning them stored in the register
- Request the rectification of inaccurate data and deletion of data
- Withdraw their consent where processing is based on consent
Requests relating to these rights must be submitted in writing to the email address provided in the section “Contact”.
The data subject also has the right to:
- Object to the processing of personal data within the limits of applicable law;
- Request restriction of processing;
- Lodge a complaint with a supervisory authority if they consider that the processing of their personal data violates applicable data protection legislation.
The data subject has the right to object to processing based on the controller’s legitimate interest. In such cases, the controller will assess whether processing can continue based on compelling legitimate grounds, such as documenting the recruitment process or establishing, exercising, or defending legal claims.
The data subject also has the right to:
- Receive transparent information about the processing of their personal data
- Receive their personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller, where applicable (data portability).
The controller will respond to requests without undue delay and no later than one (1) month from receipt of the request. Where requests from a data subject are manifestly unfounded or excessive, in particular due to their repetitive nature, the controller may either charge a reasonable fee or refuse to act on the request in accordance with applicable legislation.
Automated decision-making
The controller does not make recruitment decisions based solely on automated processing and does not engage in profiling that produces legal effects concerning the data subject or similarly significant effects.
Assessment methods may be used during the recruitment process; however, all final decisions are based on a comprehensive evaluation carried out by a human.
Contact
For all matters related to personal data: