Recruitment Privacy Notice

Privacy Notice for Recruitment of Comatec Group, Insinööritoimisto Comatec Oy and Its Subsidiaries

Customer and Marketing Register Privacy Notice

1. Controller and Contact Details

Insinööritoimisto Comatec Oy (business ID: 0946936-6) and its subsidiaries ”Comatec”, ”controller”, ”we”)

Information about Comatec Group and its group companies: Comatec Group


Address: Kalevantie 7 C, 33100 Tampere, Finland

Comatec Group has joint data protection operations and a Data Protection Officer who acts as the contact person for data protection matters:

E-mail: dpo@comatec.fi

Tel. +358 29 000 2000 (operator)

2. Scope of the Privacy Notice

This privacy notice describes how Insinööritoimisto Comatec Oy and its subsidiaries process personal data related to recruitment within Comatec Group.

The controller is the Comatec Group group company that is recruiting in each specific case.

With regard to the Comatec Group recruitment system, the controller is Insinööritoimisto Comatec Group Oy.

3. Purpose and Legal Basis for the Processing of Personal Data

Personal data are processed for the purpose of carrying out the recruitment process, including:

  • receiving and processing job applications
  • communicating with applicants
  • assessing the applicant’s competence, suitability, and capabilities
  • making decisions related to recruitment
  • preparing a potential employment contract

The legal bases for the processing of personal data are:

  • the legitimate interest of the controller
  • measures taken prior to entering into a contract
  • the consent given by the data subject

Where processing is based on legitimate interest, Comatec has assessed that the rights and freedoms of the data subject do not override the legitimate interests of the controller.

4. Register Data Content (Categories of Personal Data Processed)

We may process necessary identification details of the data subject as well as other information required for the stated purpose, such as:

  • the applicant’s identification and contact details (name, email address, telephone number)
  • the job application, CV, and other attachments submitted by the applicant
  • information concerning the applicant’s education, work experience, and skills
  • interview notes and assessments prepared
  • results of any suitability or aptitude tests
  • links to public professional profiles (e.g. LinkedIn, if provided by the applicant)
  • contact details of referees and statements provided by them
  • technical usage data of the recruitment system

5. Regular Sources of Personal Data

Personal data are primarily collected directly from the data subject. In addition, data may be collected from:

  • the recruitment system (e.g. Teamtailor)
  • public sources, such as professional online profiles, based on information disclosed by the applicant
  • referees, with the applicant’s consent

6. Regular Disclosure of Personal Data

Personal data may be disclosed between companies belonging to the same group as the controller within Comatec Group, in accordance with data protection legislation, for the purpose of carrying out recruitment.

In such cases, the legal basis for the disclosure of personal data is legitimate interest (enhancing business efficiency and reducing overlapping processing activities).

Various service providers and other third parties (so-called processors), such as providers of recruitment systems and suitability assessment services, may also be used in the processing of personal data. Personal data are disclosed to Comatec’s client companies only to the extent necessary and appropriate for filling the open position.

If the controller or a company belonging to the same group is involved in a merger, business acquisition, or other corporate arrangement, personal data may be disclosed to parties involved in or assisting with such arrangement.

Personal data may also be disclosed to third parties where required by law or an authority, or for the investigation of misuse and to ensure security.

Further information about recipients of personal data can be provided upon request.

7. Transfer of Data Outside the EU/EEA

Personal data are not routinely transferred or disclosed outside the European Union or the European Economic Area. However, service providers involved in the processing of personal data may be established outside the European Union or the European Economic Area, or they may transfer personal data to so‑called third countries.

When personal data are transferred outside the European Union or the European Economic Area, the controller ensures an adequate level of protection for personal data, inter alia by agreeing on matters related to the processing of personal data in accordance with applicable data protection legislation, such as by using standard contractual clauses approved by the European Commission or on the basis of an adequacy decision issued by the European Commission.

Further information regarding transfers of personal data and the safeguards used can be provided upon request.

8. Retention of Personal Data

Personal data are stored and processed confidentially and in appropriately secured systems. Access to the data is restricted to persons whose job duties require such access. The systems are protected by access rights, passwords, and technical security measures.

Personal data are retained only for as long as necessary to carry out the processing purposes described in this privacy notice or to comply with statutory obligations applicable to the controller.
Applications relating to a specific position are generally retained for a maximum of 12 months from the end of the recruitment process.

Open applications are retained for a maximum of 24 months from the date consent is given, unless the consent is withdrawn earlier.

Unnecessary data are deleted or anonymised without undue delay.

Data related to cookies are retained as described in the website’s cookie notice.

Further information on personal data retention practices can be provided upon request.

9. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling in our recruitment processes.

10. Rights of the Data Subject

Data subjects have the rights provided under data protection legislation in relation to their personal data. However, the application of these rights in each individual case depends on the legal basis, purpose, and context of the processing of personal data.

  • Right of access to personal data. The data subject has the right to obtain confirmation as to whether their personal data are being processed and to receive the other information required under data protection legislation concerning the processing of their personal data. The data subject also has the right to obtain a copy of their personal data.
  • Right to rectification of personal data. Subject to certain limitations, the data subject has the right to request the rectification or deletion of incorrect or inaccurate personal data.
  • Right to erasure of personal data. The data subject has the right, under the conditions set out in data protection legislation, to request the erasure of their personal data. Upon request, we will erase the personal data unless legislation or another applicable exception under data protection legislation requires us to retain the personal data.
  • Right to restriction of processing. Under the conditions laid down in data protection legislation, the data subject has the right in certain situations to request the restriction of the processing of their personal data.
  • Right to data portability. The data subject has the right to request the transfer of their personal data to another controller. The right to data portability generally applies to personal data that the data subject has provided to the controller in a structured, commonly used, and machine‑readable format, where the processing is based on the data subject’s consent or a contract, and/or where the processing is carried out by automated means.
  • Right to object to processing. Under the conditions set out in data protection legislation, the data subject has the right to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if the processing is necessary for compelling and legitimate grounds of the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and to profiling related to such direct marketing.
  • Right to withdraw consent. If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent to the processing of their personal data. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

Exercising Your Rights

We encourage you to contact us if you have any questions regarding the processing of your personal data.

You may submit a request concerning your rights as a data subject by post or by email using the contact details provided in this privacy notice.

The identity of the person making the request may be verified before the request is processed. The request will be responded to within a reasonable time and, as a rule, within one month from the submission of the request and verification of identity. If the request cannot be granted, the refusal will be communicated separately.

11. Right to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent data protection authority if the data subject considers that their personal data have been processed in violation of data protection legislation.

The contact details of the Finnish data protection authority can be found at: www.tietosuoja.fi

12. Updating the Privacy Notice

We may update the content of this privacy notice and our practices related to the processing of personal data if there are changes in our operations or in applicable legislation.

This privacy notice was last updated on 4 May 2026.