Register of job applicants

DATA PROTECTION POLICY STATEMENT (updated 21st January 2026)

Data controller

For the part of the information in the job applicant profile, SOK Corporation is the data controller.For the part of the job application information (application form with annexes), the data controller is the S Group company at which the applicant is applying for a job.

Contact information of the Data Protection Officer

tietosuojavastaava@sok.fi

Officer in charge of register matters

Register matters at SOK and of the regional cooperatives and the subsidiaries are processed at the HR departments of each employer company. Additional information and contact information.

Purpose of processing personal data

Managing the job application process for the selection of suitable persons for vacant positions within the S Group.

Grounds for the processing of personal data

Legitimate interest
- The controller has a legitimate interest in selecting the most suitable candidates for open positions, and the recruitment process cannot be carried out without processing personal data. Such processing supports the applicant’s objective of obtaining employment. The controller also has a significant legal interest in retaining personal data after the recruitment decision to safeguard its legal rights. Retaining the data also safeguards the data subject’s legal rights.
- In certain situations, the controller may contact former employees to inquire about their interest in new opportunities. This processing of data does not adversely affect the rights or interests of individuals, but it contributes to an efficient recruitment process.
Consent where applicable (e.g. headhunting and aptitude assessments).

The personal data processed

In the job advertisement: the name and contact details of the recruiting supervisor, if specifically included. Not included by default. In the job application: Required: name, email address, phone number, language skills (if this information has been requested), whether the applicant has previously worked at S Group, and how they learned about us. Voluntary: address, role‑specific questions, link to profile (e.g. LinkedIn), education details, employment history. The Job Applicant may also include their own CV or other attachments. An applicant profile must be created in the recruitment system (email + password). Applicants may use Google/Apple login, in which case Google/Apple provides the email address to the employer. A Video interview tool (RecRight) may be used in the recruitment process. When an applicant enters the RecRight service, the tool records the applicant’s name, phone number, email address and a video that will be stored in RecRight’s database. This information will also be collected from the supervisor who is responsible for recruitment and who has recorded the interview questions on video. Aptitude assessments carried out by an external partner may also be used in the recruitment process. In this case, the partner receives basic information related to the applicant and the position he/she applied for (e.g. name, contact details, and job‑related information). In aptitude assessments, applicants provide responses to the assessment tasks, and an evaluation report is subsequently generated on the basis of these responses.Upon the applicant’s consent, the controller may collect reference information relating to the candidate from the referees identified by the candidate. For roles requiring special reliability, the applicant’s credit information may be checked. Open recruiting: In case the company has made open recruiting possible, then a person may fill in an open application. At the end of the recruitment process, applicants may be sent a link to an applicant survey, which they can respond on a voluntary basis. Direct recruiting: The employer company may also seek employees through direct recruiting. The direct recruiting is carried out both by SOK’s recruiters and with the assistance of external partners. In the course of direct recruiting the above-mentioned data are processed, as applicable, with the applicant’s consent. The employer may contact former employees to inquire whether they would be interested in a new employment opportunity. For this inquiry, the employer uses the former employee’s contact details, namely their telephone number and/or email address.Following the inquiry, any potential recruitment and/or hiring process will proceed in accordance with the standard procedures.

The registration groups and the processed personal data groups

Job applicants or the persons who are applying, or have applied, for a job in the data controller’s service, or who have filled in the job application profile in order to later apply for a job in an S Group’s company. In addition, candidates identified through direct recruiting and former employees who are contacted regarding their potential interest in open positions. Contact details, background information, skills, employment history, answers provided during the process (interviews, video interviews, aptitude assessments) and assessments based on these.

Data source and description of data sources if data is collected from public sources

Primarily obtained from the applicant. If data is obtained from other sources than the job applicant, the job applicant’s consent is separately requested (e.g. aptitude assessments with a partner) or the applicant is separately notified for this (e.g. credit information checks). If Google/Apple login is used, Google/Apple provides the applicant’s email address to the employer with the applicant’s consent

Recipients of personal data

As a general principle, personal data is not handed over.However, with the applicants’s consent, necessary information related to the applicant and position (see Personal data being processed above) may be handed over to an external partner for the purpose of making an aptitude assessments. Data may also be disclosed to external contractual partners handling applications outside the S Group. After a person has been employed by the data controller, the phone number they reported in their job application can be transferred to the employee register to grant access rights to S Group’s data systems and to identify the user. When the video interview tool is used in the recruitment process, the applicant’s name, phone number and email address as well as the recorded video will be transferred to the data controller’s external partner. The same information concerning the supervisor responsible for the recruitment will also be transferred. RecRight will act as the processor of personal data. We use a Google Analytics cookie to monitor visitors and measure the effectiveness of recruitment marketing.

Transfer of personal data to third countries or international organisations and data protection safeguards used

Personal data is not transferred outside the EU or the EEA.

Period for storing personal data or criteria for determining the storage period

Job application data is preserved for 2.5 years after the recruitment in question is closed, after which the data is erased.The storage times are based on the statute of limitations defined in the equality, non-discrimination and criminal legislation.

Rights of the data subject

The data subject has the right to access his/her own personal data as laid down in Article 15 of the General Data Protection Regulation (GDPR).The data subject has the right to demand that the data controller corrects eventual incorrect or erroneous information as laid down in Article 16 of the Data Protection Regulation.The data subject has the right to have their personal data removed in case the preconditions stated in Article 17 of the Data Protection Regulation are met.The data subject has the right to restrict the processing of their personal data in case the preconditions stated in Article 18 of the Data Protection Regulation are met.The data subject has the right according to Article 20 of the Data Protection Regulation to move the personal data from one system to another for the part for which the data was received from the data subject, its processing is automatic and its processing is based on consent or agreement.The data subject has the right, based on Article 21 of the Data Protection Regulation, to object to the processing of the data that applies to them, in case the data was gathered in order to perform a task that concerns the common good, or based on legitimate interest, in case the other criteria included in the Article are met.If a data subject wishes to exercise their rights or to obtain further information on the processing of their personal data, they may contact the data controller named in this data protection policy.The data subject has the right to file a complaint with the supervisory authority.So far as the processing of the information is based on consent, the data subject has, according to Article 7 of the Data Protection Regulation, the right to withdraw their consent at any time. After the withdrawal, the data controller no longer has the right to use the personal data for such purposes that have no other grounds for processing except for the consent.If consent is withdrawn after the recruitment decision has been made, the controller has the right and legitimate interest to retain the data until the end of the defined retention period in order to defend against legal claims.Consent can be withdrawn by notifying the controller.

Effects of not providing personal data on an agreement

In case a job applicant does not provide his/her personal data that the data controller needs, it is possible that he/she cannot be selected for the applied task.No automated decision-making or profiling is associated with the personal data processing.

Impact of personal data processing and general description of technical and organisational security measures

Processing the data complies with the legislation pertaining to processing, protecting and disclosing the data of private persons as well as the information security guidelines of SOK Corporation and the regional cooperatives.Based on the log files, it is possible to investigate possible misuse and alterations in the register.Access rights to the register are clearly defined and restricted to those persons whose work tasks include taking care of recruitment.We diligently protect personal data throughout its lifecycle by employing the appropriate data protection and information security measures. System providers process personal data at secure server facilities. Access to personal data is restricted and the personnel are subject to a confidentiality obligation.At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, the physical documents that contain personal data are kept in locked and fireproof storage areas. The granting and monitoring of user rights is a well-managed process. We regularly provide training to our personnel who participate in the processing of personal data, and ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We choose our subcontractors with care. We continuously update our internal practices and guidelines. If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the identity will be stolen or that the personal data will be otherwise misused. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.