Privacy Policy

1. Introduction

This Privacy Policy describes the principles according to which Heron Innovations Oy (hereinafter also "Heron Talent") as a data controller collects and processes personal data relating to (1) its customers, and (2) job applicants and candidates applying or considered for open positions represented by Heron Talent. Personal information is any information related to an identified or identifiable person, such as a name and email address.

2. Controller and contact details for privacy matters

Heron Innovations Oy

Business ID: 2740579-6

Bulevardi 50 

00120 Helsinki

FINLAND

Contact person in privacy matters: Jan Luukkonen, CEO, jan@herontalent.com

3. Our customers as independent data controllers

Our customers to whom we provide recruitment or executive search services are typically considered independent data controllers with regard to personal data relating to job applicants and candidates. They process personal data in accordance with their own privacy policies. Such processing cannot, however, be incompatible with the principles explained in this privacy statement.

4. Heron Talent as a data processor

When we provide recruitment and executive search services to a customer, we usually act, to some limited extent, as a data processor when we handle the recruitment or executive search assignment on behalf of the customer. With regard to such processing, we may not process the data for any purposes other than for the benefit of the customer in question.

5. For what purposes we process personal data and what is the legal basis for it

Personal data relating to job applicants and candidates

We process personal data to find new recruiting opportunities and the best candidates for our clients. Our purpose for collecting candidate data is related to executive search, recruiting and interim or freelancer services including candidate sourcing, validation, and placement.

If you, as an applicant or candidate, enter your data to our online database, the use of your data is governed by the terms of use, which you must accept when entering the data. A candidate entry to our online service therefore forms a contract between you and us, which is also a legal basis for us for processing your data.

The processing of job candidates' personal data is necessary to fulfill our legitimate interests. When a person is considered for a position, we must process the necessary personal data so that we can take the person into account when making a decision about offering employment. As an applicant or candidate, you have a reasonable expectation that we will process the personal data as described in this privacy policy, as it is data that is commonly processed in connection with recruitment and executive search assignments. Taking into account the purposes mentioned above, your justified expectations, the nature of the data, and the fact that you can object to the processing as described below, we consider that the processing does not conflict with your fundamental rights or freedoms.

When employment is offered to a person, personal data must be processed for preparing an agreement.

Various test data, references, suitability assessments and other checks and examinations as well as personal data from third parties are processed based on your consent.

Personal data relating to our customers

Our purpose for collecting client data is related to business development, client relationship management, and marketing. Processing of personal data for such purposes is primarily based on our legitimate interests and for preparing and fulfilling contracts.

6. What personal data we process

We primarily process the following categories of personal data relating to our clients and candidates:

  • First and last name

  • Job title

  • Contact information

  • Consents given (approved or not approved)

  • Website address (company site or portfolio site)

  • CV or portfolio (only candidates)

  • Profile links from social media (LinkedIn and Twitter)

  • Meeting notes in text format

7. From which sources has the personal data been obtained

We obtain personal data mainly from these primary sources:

  1. from you, if you contact us with the intention of using our services

  2. from you, if you contact and provide us with your details as a job candidate or applicant

  3. LinkedIn, Twitter, Google Analytics, job boards and publications (paper or digital format), requests for more information from our website

8. With whom do we share personal data

As a general rule, your personal data is processed only by us for the purposes described in this privacy policy. However, we may share personal data with others, especially in the following situations:

  1. Our customers. Applicant or candidate data may be provided to the necessary extent to a customer who uses our recruitment or executive search services to fill a certain position;

  2. Our service providers. We may use external service providers and outsource some processing of personal data (e.g. CRM, ATS, invoicing). The service providers we use may not use personal data for any of their own purposes, but only for our benefit. We always make sure, for example through contracts, that the confidentiality of your data is maintained;

  3. Official and other legal reasons. We may also disclose information when required by law, a court or a competent authority, to respond to a legal claim or to prepare one;

  4. Corporate and business arrangements. We may also disclose information if we were involved in a merger, business transaction or other reorganization of our business; and

  5. Consent of the data subject. We may also disclose information if the person has given their consent to the disclosure of information.

9. International transfers of personal data

Personal data is primarily processed within the EU/EEA area only. Personal data may, however, be transferred outside the EU/EEA, especially if a service provider we use is located outside the EU/EEA.

If personal data were to be transferred outside the EU/EEA to a country that is not included in the EU Commission's decision on an adequate level of data protection, we will make sure that the processing, transfer and storage of your data is carried out on the grounds required by law and with adequate protection mechanisms, such as using the standard contract clauses confirmed by the EU Commission. The standard contract clauses can be found here (part of the text is in English): https://ec.europa.eu/info/law/law-topic/data-protection_fi. The standard contractual clauses have different modules for different situations; most likely we would apply modules 1 (controller-controller) or 2 (controller-processor), depending on the situation.

10. Personal data retention periods

We do not store personal data for longer than is necessary for the purpose of their use or as required by contract or law. Personal data can also be deleted in the situation when the data subject withdraws consent or requests the deletion of data (and there is no other legal basis for the processing). Data retention periods can also be governed by legislation and the expiration of deadlines related to presenting legal claims (e.g. statutes of limitations).

Job candidate and applicant data relating to a recruitment is typically stored for 2 years after the recruitment has ended. This retention period is based on the expiration of deadlines related to presenting legal claims. 

11. Your rights

You have the following rights in relation to your personal data:

Updating your own information

You may have certain possibilities to check and update your profile data by accessing your online account in our service.

The right to access personal data

You have the right to receive confirmation from us as to whether we are processing personal data concerning you and to know what personal data concerning you we are processing (e.g. a copy of the data). In addition, you have the right to receive additional information about the basis of the processing of your personal data. However, the right to access personal data can be restricted based on legislation, the protection of privacy of other persons and the protection of business secrets.

The right to correct data

You have the right to have your incomplete, incorrect or outdated personal data supplemented or corrected.

The right to delete data

You have the right to request the deletion of your personal data. Your data will be deleted if there is no longer a legal basis for processing personal data.

The right to restrict processing

You may have the right to restrict the processing of your personal data. In this case, the controller generally does not process personal data other than by storing the data. You may have this right, for example, when you dispute the accuracy of your personal data, if the processing is against the law, or if you have objected to the processing of your personal data and are waiting for a response to the request for action in question.

Right to object

If we process your personal data based on our legitimate interest, you have the right to object to such processing based on your personal reasons.

The right to transfer data from one system to another

If we have processed your data on the basis of your consent or to fulfill a contract and the processing has taken place automatically, you have the right to receive the data you have provided us electronically in a commonly used machine-readable format so that the data can be transferred to another data controller.

Withdrawal of consent

If the processing of personal data is based on consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the legality of the processing of personal data that took place before the withdrawal. 

The right to prohibit direct marketing

You always have the right to object to the processing of your personal data for direct marketing purposes and the right to withdraw any consent you may have given for marketing purposes.

12. How you can exercise your rights

You can exercise your rights described above by contacting us, for example, by using the contact information provided in Section 2 of this statement. The use of your rights is basically free of charge for you. If you submit a request electronically, we will deliver the information electronically as far as possible, unless you request otherwise. If necessary, we may ask you to verify your identity or specify your request. 

13. Complaint to the supervisory authority

If you believe that we do not process your personal data in accordance with this privacy statement or the applicable national and European Union data protection legislation, you can file a complaint with the supervisory authority if you wish. In Finland, the authority in question is the office of the Data Protection Commissioner (homepage: https://www.tietosuoja.fi).

14. Security

Personal data in electronic form is stored on servers that are protected by technical means in accordance with the general practices of the industry. The personal data we collect and process is confidential, and we do not disclose it to anyone other than those who need the information in their work or in accordance with this privacy statement.

15. Cookies

We use cookies on our website so that we can offer the best possible user experience to the website visitor. Cookies are short text files that the web server stores on the user's terminal device. Cookies give us information about how users use our website. We may use cookies to develop our website, to analyze website usage, and to target and optimize marketing. Non-essential cookies are processed only with the consent of the website visitor. Consent is given, can be revoked and is managed using the cookie tool on our website, which also provides more information about the cookies on our site.

16. Obligation to provide personal data and the consequences of not providing it

With legal entity customers, processing of certain personal data is also mandatory, for instance for concluding and executing contracts and for invoicing purposes.

Job applicants or candidates do not have an obligation to provide any personal data, but if necessary data is not provided to us, we may not be able to consider the applicant or candidate for the position. 

To the extent possible and when doing business with us, we try to inform you which information is mandatory and which information you can provide if you wish.

17. Automated decision-making and profiling

We do not perform any automatic decision-making and profiling that would have legal effects or other similar effects on a person.

18. Changes

We may make updates to this privacy statement as our operations, privacy principles or applicable legislation change. Unless otherwise stated, changes will take effect when we have posted an updated privacy statement on our website.