Privacy statement for job applicants

This is the privacy policy of DNA Ltd, DNA Welho Oy, DNA Store Ltd, Moi Mobiili Oy, European Mobile Operator Oy and DNA Tower Finland Oy in accordance with the Personal Data Act (section 10 and 24) as well as the General Data Protection Regulation (GDPR) of the EU. Created on 22 May 2018. Last updated on 21 September 2021.

1. Data controller

The data controllers comprise the Telenor Group companies DNA Ltd, DNA Welho Oy, DNA Store Ltd, Moi Mobiili Oy, European Mobile Operator, DNA Tower Finland Oy, P.O. Box 10, 01044 DNA

2. Contact person for the filing system

You can reach the person in charge of the filing system at:

You can reach DNA Ltd’s dedicated Data Protection Officer at:

3. Name of filing system

Job applicants’ filing system.

4. Legal basis and purpose of processing of personal data

The purpose of data processing is to receive job applications from those registering as jobseekers and to maintain job search processes. The application can be for a specific task or a so-called open application. Applications can be either internal (changing jobs within the organisation of DNA or Telenor Group) or external. The data is processed on the basis of the person's consent and in order to fulfill employer obligations (e.g. placement obligations).

The data is not used for automated decision-making or profiling.

5. Data contained in the filing system

The data processed by the companies includes:

  • personal data, such as name and contact information
  • a free-form application’s accompanying text and additional information
  • information about the applicant's education and work experience
  • information regarding the applicant's experience and competence
  • the applicant's preferences regarding the future position
  • the recruiters' and supervisors' assessments of the applicant
  • information provided by references and former employers
  • aptitude assessments
  • recorded video interviews
  • any credit information and security clearances of the selected person

The data is stored for the purpose of filling vacancies. The data is stored for two (2) years after the person has been informed of the end of the selection process.

Aptitude assessments are retained for 24 months to avoid the need for re-testing. If the aptitude assessment is related to the fulfilment of obligations to offer work, it will be retained for the duration of any time limit for bringing proceedings.

In the event of a dispute, the data will be retained until the matter has been legally resolved.

6. Regular sources of data

Personal data is collected from the job applicant themselves, for example, from the data stored by the person in the Workday system, by email, post, telephone and from the information provided during the interview. In addition, data is collected from the aptitude tests subject to the consent of the person. Some tasks require the passing of a credit information or security clearance. With the consent of the person, data is also collected from references and/or previous employers.

In the case of external labour, the source of data is also the partner company, taking into account the confidentiality provisions.

7. Regular disclosures and transfer of data outside the EU or EEA

Data may be disclosed for other purposes related to the maintenance or reporting of the employment relationship. The data controller may disclose data concerning an individual as a report as provided for by law to shop stewards, occupational safety and health authorities or a company for which DNA provides services. Data may be disclosed within the limits permitted and made mandatory by legislation, for example, for auditing or official needs. Data will not be disclosed for direct marketing or other similar purposes.

The processing and disclosure of data may occur within Telenor Group.

As a rule, we process data within the European Union (EU) and the European Economic Area (EEA). We may also transfer data outside the EU or EEA if the server of a service provider is located in such a country, for example. In this case, we will use data transfer mechanisms approved by the European Commission, such as standard contractual clauses approved by the European Commission.

8. Principles of data protection

All persons involved in processing the data are bound by professional secrecy. The persons processing the data are trained in secure processing practices and ways of identifying and preventing threats to the data. The data is processed only by employees of the group who are required to do so for the performance of their duties.

When we use subcontractors and partners (such as the Workday system and aptitude assessments), we ensure an adequate level of protection as well as careful and proper processing of the data as required by law through contractual arrangements and in an appropriate manner. Partners are bound by their confidentiality obligations. Partners may only disclose to DNA the data necessary for recruitment in accordance with their confidentiality provisions.

Use of the data and systems is protected by user-specific usernames, passwords and access rights.

Personal data are stored in controlled premises. Any data that must be processed and stored outside controlled premises are encrypted to prevent unauthorised access. Communications with the personal data filing system are encrypted.

9. Data subject's rights: right of access and right to request the correction of data

All data subjects in the filing system have the right to access their personal data stored in the filing system and request the correction of inaccurate or incomplete data. If you wish to check your data, you can do so via the form on the website. 

The person making the request may be asked to verify their identity. DNA responds to requests within the time limit specified in the GDPR (usually within one month).

If there are inaccuracies or deficiencies in the data, you can request correction of the data from:

10. Other data subject's rights related to the processing of personal data

Persons in the filing system (= a jobseeker or person selected for the position) have the right, subject to certain conditions and restrictions, to request the deletion of personal data concerning them from the filing system (the “right to be forgotten”). Data subjects also have other rights specified by the EU GDPR, including the right to restrict personal data processing in certain situations. Requests must be sent in writing to the data controller. If necessary, the controller may ask the person making the request to verify their identity. The controller will respond to requests within the time limit specified in the GDPR (usually within one month).

Data subjects have the right to lodge a complaint with the Data Protection Ombudsman if they feel that their personal data has not been lawfully processed.

In the event of a very serious data security breach, DNA will personally notify the data subjects whose data is affected by the breach. A notification is made if the breach concerns unencrypted personal data and is likely to pose a significant risk to the rights and freedoms of the data subject, for example, in the form of identity theft or other crime.