Skip to content

Personnel Privacy Notice

Date of drafting: 25.10.2024 (version 9.0)

Orion Corporation (the controller, ”Orion”) is committed to protecting your privacy in compliance with all applicable regulation and ensuring the security of your personal data. 
 
This privacy notice explains how we collect, use, and protect personal data in recruitment processes, employment relationships, other contractual relationships with Orion, or when individuals are recipients of a commission.

1. How we collect personal data 

We generally collect personal data directly from you. Your data is mainly collected during the recruitment process or at the beginning of the employment relationship. The personal data is also gathered as part of our regular operations. 
 
We may also use third-party channels to collect your personal data as part of the recruitment process. We may also collect your personal data from publicly available sources when permitted in the respective jurisdiction.  In addition, authorities may provide the company with personal data, for which it acts as the controller, to fulfil statutory obligations such as taxation and security clearances. 

2. What data we collect about you

We will only collect personal data that we are permitted to collect by regulation on a jurisdictional basis in each country, and to the extent necessary to exercise the rights and obligations of the data subject and the controller.  We have set out below a list of the types of personal data that we most commonly collect: 

Type of personal Data  Description of Personal Data and phase in which it is collected e.g.: 
  Recruitment  Employment (In addition to the Recruitment data) 
Identity data  Name, date of birth, gender, nationality and other information relating to residency and citizenship which may be required to establish a right to work in a given country.  Title, social security number (or equivalent in your country), marital status and number of dependents. 
 Contact data  Home address, email address and telephone numbers. 
Verification data  Driving license, passport, identity card, visa or another form of identification document.  Immigration history (including residency and immigration status), information relevant to meeting health criteria. 
Historical data 
Educational history and credentials, employment history, skills and qualifications, and results from any other background and security clearances (criminal history), and credit checks, in countries where it is lawful to carry out such checks. 
Financial data  Bank sort code and account number and tax-related information. 
Qualifications and Employment-related data  Information and documents (e.g. CV and application) related to recruitment and interview, work experience, language skills, third party references (if taken), talent and ability assessments, and information specified in the application process . Training and qualification information, business title, pension and benefits information, organisation information, start and end date of the employment, working time, sick leave and absence information, information regarding well-being and occupational health, performance management, and travel management information. 
   Diversity data 

Diversity data for mandatory governmental reporting purposes. 
Video & Photos  Recorded video interviews, remote interviews, and photos e.g. in the CV.  Photo to be used in the intranet or other communication and management systems technical video monitoring (if applicable by local regulation), voluntary videos and photos taken in Orion’s events.  

3. How we use your data 

We process your personal data for the following purposes, e.g.:

  • Recruitment purposes
  • Payment of salary and/or commission
  • Management of benefits
  • Administration of the employment relationship
  • People management, planning, control, audits, statistics as well as operational planning and risk management
  • Training and education
  • Administration of training and qualification records  
  • Travel management
  • Internal services and system testing
  • Internal and external communication

4. Legal Basis 

We process your data based on the following Legal Grounds: 

Legal Ground  Purpose 
Consent of the data subject 
  • Applicants during recruitment 
  • Voluntary videos and photos taken in Orion’s events 
Performance of a contract 
  • Employment 
  • Other contractual relationship with Orion 
  • Recipients of a commission 
Compliance with Orion’s legal obligations 
  • Administrative purposes and compliance with Orion’s legal obligations 
  • Ensure continuity of operations and manage risks 
Legitimate interests 
  • The processing of personal data can be based on the legitimate interest of Orion in order to process recruitments. We only process personal data based on our legitimate interests, in case we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override our legitimate interest. 

5. How we share your data 

  • We may share your data with the following recipients in accordance with global data protection regulations: 
     
    Third Parties: We may share your data with third parties who assist us in performing technical operations, such as data storage and hosting services.
  • Change of Ownership: If there is a change in ownership or control of our company, including any of our products, services, or assets, we may disclose your personal data to the new owner, successor, or assignee.
  • Intranet and Communication Tools: Personal data within our data files may be accessible via our intranet and communication tools, which are available to our employees, including those located in countries outside the European Union (EU) and the European Economic Area (EEA).
  • International Data Transfers: Personal data, including recruitment data, may be transferred within our organization to countries outside the EU and EEA, specifically to India, Kazakhstan, and Ukraine. By default, personal data will not be transferred or disclosed outside the EU or EEA. However, in certain situations, such as when a service provider’s servers are located outside the EU or EEA or when data processing occurs outside these regions for technical support purposes, personal data may be transferred. In such cases, the data will be transferred and processed in a legal manner with appropriate safeguards, such as standard contractual clauses approved by relevant data protection authorities or other applicable mechanisms to ensure adequate protection of your data.

6. How we store data and the retention period of your data 

We store data manually and electronically. The manual data is stored in an area with restricted access, available only to authorized persons. The protection of the electronic data files utilizes technical data protection (several security mechanisms), and electronically stored information is accessible only to authorized persons. 
 
We retain your personal data for no longer than is necessary for the purposes defined in this notice, unless the data is required to be preserved in connection with a litigation or investigation process. However, local regulations may have more detailed requirements to be followed. When personal data is no longer necessary for these purposes, the data will be securely deleted.   

Type of Data  Common Retention Period 
Recruitment 
  • Recruitment information will be deleted within 2 years of the recruitment process. 
  • Personal data related to applicants who were not selected will be deleted after the recruitment process. 
 
Employment 

  • Detailed* information regarding the employment relationship will be deleted no later than 2 years after the end of the employment relationship. 
  • Basic** information regarding the employment relationship will be deleted no later than 10 years after the end of the employment relationship. 
  • Minimum*** information requirements based on the pharmaceutical industry regulation to verify the employee’s qualification will be deleted no later than 25 years after the end of the employment relationship. 
Other contractual relationship with the controller and recipients of a commission 
  • Basic information regarding the contract or a payment of commission will be deleted within 10 years of the payment. 

*Detailed information can include, for example, documentation, health-, and performance-related data. 
**Basic information can include, for example, identification data, employment-related data or timelines. 
***Minimum information can include, for example person identification data, the start and end dates of employment, and job title(s).  

7. Your rights and options

You have the right to:

  • Access your data: You can request information and a copy of the personal data collected and stored about you in connection with our operations / this information notice. 
  • Rectify inaccurate data: In order to keep your data up-to-date and accurate, you can request us to modify your data by contacting us as described in chapter 11.
  • Erase your data: You can contact us if you think the processing of your personal data is unlawful and your data should be erased. We shall erase or anonymize your personal data without undue delay in accordance with the retention periods detailed in chapter 6 if the data in question is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
  • Restrict processing: If you want to restrict our processing of your personal data, please contact us.
  • Object to processing: If you want to object to the processing of your data, please contact us. When making the request, please specify the scope of your request.
  • Data portability: You have the right to data portability, i.e. the right to receive the personal data, that you have  provided to Orion and that is being processed by automated means, in a structured and machine readable format and the right to transmit this data to another controller, where the basis for the processing of personal data is consent or the fulfilment of a contract between the other controller and you.
  • Withdraw consent: You can withdraw any consent that you may have given us for data processing activities. After withdrawing your consent, we will no longer process your personal data for the purposes the consent was asked for. Please note that the withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful.

8. Cookies and Tracking Technologies

We use cookies and similar technologies. For more information on how we use cookies, please read our Cookie Policy.

9. Security Measures

We hold your personal data in a combination of secure computer storage facilities. 
 
We have implemented appropriate measures to ensure the level of security around your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to it. 
 
We have put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk of harm that might result from unauthorised or unlawful processing, accidental or unlawful loss, destruction or alteration, unauthorised (or disclosure of) access or damage to your personal data including:

  • locks and security systems; 
  • encryption
  • usernames and passwords;
  • virus checking;
  • auditing procedures and regular data integrity checks; and
  • recording of file movements.

We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They must only process your personal data on our instructions and subject to the access controls listed above. They are also subject to a duty of confidentiality. 
 
We have agreed on security-related measures with the third parties we share your personal data with to ensure that it is treated by those third parties in a way that is consistent with how we safeguard your personal data. 
 
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority where we are legally required to do so.

10. Changes to this Notice 

We reserve the right to change this notice from time to time. We will review this notice periodically and update it accordingly if we change our processes materially. We may make changes to this notice when we believe it is reasonable to do so e.g. to comply with legal or regulatory requirements.

11. Contact Us

If you wish to use your rights as a data subject described in chapter 7, or if you have any questions or concerns, please contact us at privacy@orion.fi. 
 
Please note that we will contact you to verify your identity in order to proceed with your request if you wish to use your rights as a data subject. 
 
Data Protection Officer (DPO): Jyri Wesanko, privacy@orion.fi 
Representative: Deniz Yildiz, deniz.yildiz@orion.fi