Privacy Notice for CSC Work Applicants

Updated 13 July 2022


1. Registrar

CSC – IT Center for Science Ltd
P.O. Box 405 (Keilaranta 14)
02101 Espoo, Finland
Tel. +358 (0)9 457 2821 (operator)

Business ID: 0920632-0

(hereinafter referred to as "we" or "CSC")

2. Contact person for register-related matters

Data asset owner: Chief Administrative Officer, BIS

Data Protection Officer:

3. What are the purposes and legal grounds for processing personal data?

The processing of personal data is based on the implementation of an employment contract or at the request of the data subject prior to entering into an employment contract.

Personal data is processed in matters and obligations relating to recruitment for CSC – IT center for science Ltd.

No automated decisions are made using the applicant register.

4. What data do we process?

We will request the following information from you:

  • Applicant’s basic details and personal data such as name, home address, email and phone number

  • Data reported by the applicant such as information about education, previous work experience, qualifications and other competences, language skills and references

  • Data obtained from the applicant or obtained from a third party with the applicant’s consent (such as references from previous employers)

  • Other recruitment-related data

5. Where do we get your data from?

Per se, CSC gathers all applicant related data from the applicant themselves. In some cases, CSC might also gather data from sources other than the applicant themselves within the limits of the legislation and with the applicant’s consent or when the legislation allows it.

6. To whom do we disclose your data?

Data is not disclosed to entities outside of CSC.

7. How do we protect your data and for how long do we keep it?

The data will only be retained for as long as it is necessary for the purposes defined in this Privacy Statement or for the retention period determined by legislation. For example, equality legislation requires us to retain your information for one year after the end of the recruitment process. When the retention period of personal data has expired and there is no longer any reason to process it within the limits allowed by data protection law, the personal data will be deleted.

The data subject may request in writing that their data be erased completely from the recruitment system. The data subject may also request in writing that their data be deleted completely. Requests should be addressed to the controller.

CSC may use external service providers to assist in its recruitment. In this case, the Service Providers will process personal data exclusively and in accordance with CSC's instructions and on behalf of CSC. CSC has made sure that the processing of personal data has then been agreed to as required by data protection law.

For the purpose of personal assessments, personal data is transferred to the United Kingdom. CSC guarantees that the transfer of personal data is subject to appropriate safeguards.

Manual sources:
Documents are kept in locked premises with access control. Access to documents is restricted to persons who, for their job, have the right to process the data of data subjects.

Data in information systems:

Files containing the data are accessed only by persons working on recruitment in accordance with their job description. Access to the applicant register is restricted and users are identified with a username and password. The programs and data are located on the servers of external service providers.

CSC has agreed with the outsourced service providers on the necessary data protection obligations in accordance with the Data Protection Regulation.

8. What are your rights as a data subject?

Data subjects have the right under the Data Protection Regulation, among others, to check the information in the register and request the correction of false information concerning themselves. The right of access or consultation shall be exercised without undue delay on the basis of resources, but in any case no later than the time limit set by the Data Protection Regulation. The identity of the data subject is verified before the information is provided. Upon request, the information shall be provided in writing.

The controller must correct or complete incorrect data, either independently or upon the request of the data subject. The controller must delete unnecessary or expired data, either independently or upon the request of the data subject, unless legislation or agreements justify or require the retention of the data by the controller.

The data subject has the right to request the restriction of the processing or to object to the processing within the limits and in accordance with the applicable data protection law.

Data subjects have the right to transfer data from one system to another, in other words, to receive their personal data in a structured and commonly-used format, and to transfer it to another controller within the limits and in accordance with the applicable data protection legislation.

You may send the aforementioned requests and questions regarding this Privacy Statement and the processing of CSC's personal data to

You also have the right to appeal to the Data Protection Officer. Contact details of the Data Protection Officer can be found on the Data Protection Officer's website at

9. Who should you contact?

All contacts and requests concerning this statement must be made in writing or in person to the contact person specified in section 2.

10. Changes to the privacy policy

Any changes made to this document will be presented with dates. If the changes are significant, we may inform you about them by email or by issuing a notification on our website.