Date of drafting: 25.10.2024 (version 9.0)
Orion Corporation (the controller, ”Orion”) is committed to protecting your privacy in compliance with all applicable regulation and ensuring the security of your personal data.
This privacy notice explains how we collect, use, and protect personal data in recruitment processes, employment relationships, other contractual relationships with Orion, or when individuals are recipients of a commission.
1. How we collect personal data
We generally collect personal data directly from you. Your data is mainly collected during the recruitment process or at the beginning of the employment relationship. The personal data is also gathered as part of our regular operations.
We may also use third-party channels to collect your personal data as part of the recruitment process. We may also collect your personal data from publicly available sources when permitted in the respective jurisdiction. In addition, authorities may provide the company with personal data, for which it acts as the controller, to fulfil statutory obligations such as taxation and security clearances.
2. What data we collect about you
We will only collect personal data that we are permitted to collect by regulation on a jurisdictional basis in each country, and to the extent necessary to exercise the rights and obligations of the data subject and the controller. We have set out below a list of the types of personal data that we most commonly collect:
| Type of personal Data | Description of Personal Data and phase in which it is collected e.g.: | |
| Recruitment | Employment (In addition to the Recruitment data) | |
| Identity data | Name, date of birth, gender, nationality and other information relating to residency and citizenship which may be required to establish a right to work in a given country. | Title, social security number (or equivalent in your country), marital status and number of dependents. |
| Contact data | Home address, email address and telephone numbers. | |
| Verification data | Driving license, passport, identity card, visa or another form of identification document. | Immigration history (including residency and immigration status), information relevant to meeting health criteria. |
| Historical data | Educational history and credentials, employment history, skills and qualifications, and results from any other background and security clearances (criminal history), and credit checks, in countries where it is lawful to carry out such checks. |
|
| Financial data | - | Bank sort code and account number and tax-related information. |
| Qualifications and Employment-related data | Information and documents (e.g. CV and application) related to recruitment and interview, work experience, language skills, third party references (if taken), talent and ability assessments, and information specified in the application process | . Training and qualification information, business title, pension and benefits information, organisation information, start and end date of the employment, working time, sick leave and absence information, information regarding well-being and occupational health, performance management, and travel management information. |
| Diversity data |
Diversity data for mandatory governmental reporting purposes. | |
| Video & Photos | Recorded video interviews, remote interviews, and photos e.g. in the CV. | Photo to be used in the intranet or other communication and management systems technical video monitoring (if applicable by local regulation), voluntary videos and photos taken in Orion’s events. |
3. How we use your data
We process your personal data for the following purposes, e.g.:
- Recruitment purposes
- Payment of salary and/or commission
- Management of benefits
- Administration of the employment relationship
- People management, planning, control, audits, statistics as well as operational planning and risk management
- Training and education
- Administration of training and qualification records
- Travel management
- Internal services and system testing
- Internal and external communication
4. Legal Basis
We process your data based on the following Legal Grounds:
| Legal Ground | Purpose |
| Consent of the data subject |
|
| Performance of a contract |
|
| Compliance with Orion’s legal obligations |
|
| Legitimate interests |
|
5. How we share your data
- We may share your data with the following recipients in accordance with global data protection regulations:
Third Parties: We may share your data with third parties who assist us in performing technical operations, such as data storage and hosting services. - Change of Ownership: If there is a change in ownership or control of our company, including any of our products, services, or assets, we may disclose your personal data to the new owner, successor, or assignee.
- Intranet and Communication Tools: Personal data within our data files may be accessible via our intranet and communication tools, which are available to our employees, including those located in countries outside the European Union (EU) and the European Economic Area (EEA).
- International Data Transfers: Personal data, including recruitment data, may be transferred within our organization to countries outside the EU and EEA, specifically to India, Kazakhstan, and Ukraine. By default, personal data will not be transferred or disclosed outside the EU or EEA. However, in certain situations, such as when a service provider’s servers are located outside the EU or EEA or when data processing occurs outside these regions for technical support purposes, personal data may be transferred. In such cases, the data will be transferred and processed in a legal manner with appropriate safeguards, such as standard contractual clauses approved by relevant data protection authorities, binding corporate rules, or other applicable mechanisms to ensure adequate protection of your data.
6. How we store data and the retention period of your data
We store data manually and electronically. The manual data is stored in an area with restricted access, available only to authorized persons. The protection of the electronic data files utilizes technical data protection (several security mechanisms), and electronically stored information is accessible only to authorized persons.
We retain your personal data for no longer than is necessary for the purposes defined in this notice, unless the data is required to be preserved in connection with a litigation or investigation process. However, local regulations may have more detailed requirements to be followed. When personal data is no longer necessary for these purposes, the data will be securely deleted.
| Type of Data | Common Retention Period |
| Recruitment |
|
| Employment |
|
| Other contractual relationship with the controller and recipients of a commission |
|
*Detailed information can include, for example, documentation, health-, and performance-related data.
**Basic information can include, for example, identification data, employment-related data or timelines.
***Minimum information can include, for example person identification data, the start and end dates of employment, and job title(s).
7. Your rights and options
You have the right to:
- Access your data: You can request information and a copy of the personal data collected and stored about you in connection with our operations / this information notice.
- Rectify inaccurate data: In order to keep your data up-to-date and accurate, you can request us to modify your data by contacting us as described in chapter 11.
- Erase your data: You can contact us if you think the processing of your personal data is unlawful and your data should be erased. We shall erase or anonymize your personal data without undue delay in accordance with the retention periods detailed in chapter 6 if the data in question is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
- Restrict processing: If you want to restrict our processing of your personal data, please contact us.
- Object to processing: If you want to object to the processing of your data, please contact us. When making the request, please specify the scope of your request.
- Data portability: You have the right to data portability, i.e. the right to receive the personal data, that you have provided to Orion and that is being processed by automated means, in a structured and machine readable format and the right to transmit this data to another controller, where the basis for the processing of personal data is consent or the fulfilment of a contract between the other controller and you.
- Withdraw consent: You can withdraw any consent that you may have given us for data processing activities. After withdrawing your consent, we will no longer process your personal data for the purposes the consent was asked for. Please note that the withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful.
8. Cookies and Tracking Technologies
We use cookies and similar technologies. For more information on how we use cookies, please read our Cookie Policy.
9. Security Measures
We hold your personal data in a combination of secure computer storage facilities.
We have implemented appropriate measures to ensure the level of security around your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to it.
We have put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk of harm that might result from unauthorised or unlawful processing, accidental or unlawful loss, destruction or alteration, unauthorised (or disclosure of) access or damage to your personal data including:
- locks and security systems;
- encryption
- usernames and passwords;
- virus checking;
- auditing procedures and regular data integrity checks; and
- recording of file movements.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They must only process your personal data on our instructions and subject to the access controls listed above. They are also subject to a duty of confidentiality.
We have agreed on security-related measures with the third parties we share your personal data with to ensure that it is treated by those third parties in a way that is consistent with how we safeguard your personal data.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority where we are legally required to do so.
10. Changes to this Notice
We reserve the right to change this notice from time to time. We will review this notice periodically and update it accordingly if we change our processes materially. We may make changes to this notice when we believe it is reasonable to do so e.g. to comply with legal or regulatory requirements.
11. Contact Us
If you wish to use your rights as a data subject described in chapter 7, or if you have any questions or concerns, please contact us at privacy@orion.fi.
Please note that we will contact you to verify your identity in order to proceed with your request if you wish to use your rights as a data subject.
Data Protection Officer (DPO): Jyri Wesanko, privacy@orion.fi
Representative: Deniz Yildiz, deniz.yildiz@orion.fi