Processing of personal data in recruitment

General information

In accordance with the General Data Protection Regulation (EU) 2016/679, this privacy statement contains data of registered natural persons and information on how Finnish Customs processes personal data in different functions. 

Data controller and the controller’s contact information
Finnish Customs
Pasilan virastokeskus (Pasila Office Centre), Opastinsilta 12, FI-00520 Helsinki
PO Box 512, FI-00101 Helsinki
kirjaamo(at)tulli.fi
tel: 0295 5299
Juha Madetoja, Director of Personnel Management

Contact information of Customs’ Data Protection Officer
Katja Kapanen
tietosuoja(at)tulli.fi 

Purpose for processing personal data and legal bases

Personal data of a person dealing with Customs are processed to meet the needs of Customs’ recruitment process (posts, tasks, temporary appointments and other possible use of labour). The use of personal data is based on the State Civil Servants Act and regulation as well as the Employment Contract Act. 

Categories of personal data

The following data of applicants are collected:

  • basic details 
    • name, personal identity code, nationality and contact information
  • educational and work history details and possible governmental or municipal work records
  • other details possibly provided by the applicant in the application
  • security clearance details
  • details of statutory pre-employment medical examination
  • details of drug test

Sources of personal data

The applicant consents to provide personal details. Furthermore, data is collected from the following sources:

  • personal references provided by the applicant
  • Palkeet, governmental or municipal work records
  • Supo, security clearance
  • occupational health care, pre-employment medical examination and drug test

Recipients of personal data

Personal details are regularly disclosed to the following recipients: 

  • Customs’ Personnel Management
  • supervisors who recruit personnel as well as to others who participate in the recruitment
  • Customs’ Registry Office
  • master users of the Valtiolle.fi system based on their user rights

Data can only be disclosed within the limits and to the extent permitted by legislation or with the data controller’s permission. The application documents are public, according to the Act on the Openness of Government Activities of Finland (629/1999), and are shown upon request. Public documents are disclosed upon request in accordance with the requirements of sections 13 and 16 of the Act. Confidential documents are only shown and disclosed 1) with the consent of the party concerned, 2) to a party concerned or 3) by virtue of a right based in legislation.

Transfer of personal data to third countries or international organisations

Recruitment details are not transferred outside the EEA.

Personal data retention and disposal times

Personal data of the recruitment process, documents pertaining to the applications and selection, are stored for 5–50 years. Documents of the suitability assessment, security clearance, drug test and pre-employment health examination are destroyed after the recruitment. The National Archives of Finland determines, which documentation should be stored indefinitely.
Detailed information on storage times is available from Customs Registry Office: kirjaamo(at)tulli.fi.

Rights of the data subject

The data subject has the right to obtain confirmation from the controller on whether their personal data are being processed or have been processed. 

The data subject also has the right to

  • request access to their own personal data
  • request that the controller correct or delete personal data of the subject
  • request that the processing of personal data be restricted
  • object to the processing of personal data
  • withdraw their consent at any time 
  • If the data subject finds that the processing of their personal data is unlawful, the data subject has the right to appeal to the Data Protection Ombudsman. 

Protecting the processing of personal data

All Customs’ operations where personal data are processed, meet the principles of data protection by design and data protection by default. Personal data protection operations at Customs include staff instructions and regulations as well as staff training, security agreements between organisations and non-disclosure agreements between persons who process personal data, status monitoring and in-house control, taking care of data security in data systems, encryption/anonymisation/pseudonymisation, audits as well as control and enforcement systems, codes of conduct as well as certificate requirements and other technical restrictions. 

Customs uses a data balance sheet process through which it compiles an annual data balance sheet, which describes how it has succeeded in protecting data and the actions required for developing data protection.