At Rainmaker, we take data protection seriously. The proper handling of personal data of our customers, potential customers, employees, and job applicants is important to us, and we are committed to operating as transparently as possible regarding data protection matters. This statement describes how we process the personal data of data subjects and explains their rights concerning the processing of personal data.
Data controller
Rainmaker Group Oy (business ID: 2707250-6), together with other companies belonging to the Group (hereinafter “Rainmaker”). A list of the Group companies: https://rainmaker.fi/ota-yhteytta/
Address: Piispanportti 11, 02240 Espoo
Contact person for data protection matters
Kati Helavirta, Data Protection Officer
firstname.lastname(@)rainmaker.fi
Personal data processed and purposes of processing
We collect and process the following data concerning data subjects:
- Job applicant’s basic and contact information: name, date of birth, address, phone number, email address,
- Language skills, educational background, and previous work experience, as well as other information related to skills and qualifications,
- Information included by the job applicant in their job application and CV, to the extent that the applicant provides it to us,
- Necessary notes made by Rainmaker’s recruiter regarding the assessment of the job applicant’s suitability in relation to the job,
- Information about the progress of the job application process,
- Name and contact information of the applicant’s potential referees, if provided by the applicant,
- The job applicant’s potential previous job application history at Rainmaker,
- The job applicant’s potential wishes regarding the employment relationship (for example, salary expectations),
- A potential job application video, if submitted by the job applicant,
- Results of potential aptitude and personality tests,
- Results of potential credit and security checks,
- Call recordings.
Personal data is processed for the following purposes:
- Implementing the recruitment process: Personal data is processed to handle job applications and assess the suitability of job applicants for open positions.
- Communication between job applicants and Rainmaker: Personal data is processed to ensure the smooth, high-quality, and secure communication and relationship management between job applicants and Rainmaker.
- Verification of rights and obligations: If necessary, the content of communications and the fulfillment of rights and obligations can be verified using call recordings.
- Internal training and development of recruitment services: Call recordings related to the recruitment process may be used for internal training of recruitment personnel, improving service quality, and developing recruitment services.
Legal basis for the processing of personal data
The processing of personal data is based on the following legal grounds:
- Legitimate interest: The processing of personal data is necessary for the purposes of the legitimate interests pursued by the controller.
- Compliance with obligations and rights: Processing is necessary for compliance with the legal obligations and specific rights of the controller and the data subject in the field of employment law.
- Data subject’s consent: Processing is based on the explicit consent given by the data subject to the processing of their personal data.
Regular sources of personal data
Personal data is primarily collected from the job applicant themselves based on the information and consent they provide. When submitting a job application, the job applicant enters their first and last name, email address, and phone number into the recruitment system. In addition, the job applicant may, if they wish, attach a short description of themselves, a CV, a photograph, a video, and a job application. After a job interview conducted by a Rainmaker recruiter, the recruiter records notes from the interview in the register, assigning them to the interviewed person. The register is also supplemented with information from publicly available internet sources and other public sources, if the information gathering is necessary and related to the open position.
By submitting a job application, the job applicant grants permission to collect their data from their professionally published profile to the extent that the data collection is necessary and relates to job performance, considering the open position.
For some jobs, it may be necessary to carry out a security clearance or check credit information. In these cases, the information is checked from the appropriate official registers. The data subject will be notified in advance of any such checks, and if necessary, their prior consent will be requested for carrying out the check.
Regular disclosures of personal data
If a job applicant is applying for a position mediated by Rainmaker at a Rainmaker client company, the job applicant’s personal data may be disclosed to the client company to the extent necessary for the implementation of the recruitment process. The client company may need this information, for example, to make a recruitment decision.
In addition, personal data may be disclosed within the Rainmaker Group to other group companies.
Personal data will not be disclosed to external parties without the data subject’s explicit consent.
Transfer of data outside the EU/EEA
Rainmaker may transfer personal data outside the EU/EEA as part of its operations. If this is done, we ensure that personal data is transferred outside the EU/EEA only in accordance with data protection legislation procedures and that the data in question is adequately protected and as required by current data protection legislation.
Principles of personal data protection and retention
The data is collected into databases that are protected by firewalls, personal user IDs and passwords, and other necessary technical means. Access to the data is granted only to those Rainmaker employees who have the right and need to process data in the job applicant register due to their work. Each processor of the job applicant register has personal user IDs and passwords. The databases and their backups are located in locked premises, and access to the data is restricted to certain pre-designated persons. Rainmaker requires its personnel and partners to commit to the confidentiality of personal data. In addition, recruitment personnel are bound by a duty of confidentiality.
The computers used to access the database are located in locked and monitored premises. Manual material is stored in a locked location.
Personal data is stored in the register for two years, at the end of which the person is asked for their consent to retain the data for another year. If consent is not given, the personal data is deleted.
Recruitment call recordings are retained for 180 days.
Management of risks to data subjects
Efforts are made to minimize the risks to data subjects in the processing of personal data. Rainmaker’s risk management measures related to personal data include, among other things, regular staff training and ensuring data protection competence, regular risk observation and assessment, and impact assessments regarding personal data processing.
In the event of possible personal data security breaches, Rainmaker will act in accordance with the instructions of the data protection authorities, urgently assessing the possible risks to data subjects. If it is probable that a data breach will result in a high risk to the rights and freedoms of the data subject, the data controller will notify the data subject of the incident without delay.
Data subject’s rights
The data subject has the right to exercise the rights listed below. To exercise these rights, the data subject can contact the data controller (Rainmaker). The data controller’s contact person and contact information are stated at the top of this statement.
The data subject has the right to inspect the personal data concerning them stored in the personal register and to demand the rectification or deletion of incorrect data. In this case, the data subject will be provided with a copy of the data concerning them, and it will be updated at the data subject’s request.
In certain situations, the data subject has the right to transfer the data they have provided to another system. Such a situation may arise when the data controller processes personal data based on consent or a contract.
The data subject also has the right in some situations to request the erasure of their data. This right may be limited, for example, by a legal obligation to retain the personal data in question. If the need for personal data processing ceases, the data will be erased without a separate request.
In accordance with the General Data Protection Regulation (from 25 May 2018), the data subject has the right to object to or request the restriction of the processing of their data. In connection with the request, the data subject must specify the particular situation on which they base their objection to the processing. Rainmaker may refuse to implement a request for objection only on grounds provided by law. The data subject also has the right to object free of charge to processing insofar as it relates to direct marketing. Restriction of processing means that the data is stored, but it is otherwise processed only on the basis of consent, for a legal claim, for the protection of the rights of another person, or for reasons of important public interest of the Union or a Member State. Restriction of processing is appropriate, for example, if the lawfulness of the processing has been contested. In this case, the processing of data is restricted until the lawfulness of the processing has been verified.
The data subject has the right to avoid decisions based solely on automated processing that produce legal effects or other significant effects. In addition, the data subject may request that decisions based on automated decision-making be reviewed by a human before a final decision is made. At Rainmaker, we do not make decisions in the processing of the job applicant register that would be based solely on automated processing and that would have legal or other significant effects.
If the data subject believes that their data has been processed improperly or unlawfully, we encourage them to first contact Rainmaker so that we can investigate the matter together. The data subject also has the right to lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose up-to-date contact information and contact channels can be found on the Office of the Data Protection Ombudsman’s website.
Changes to this statement
If changes are made to this statement, we will update the information on our website and add a note indicating the date of the update.
Updated 20 January 2025