1. Introduction
It is important to us at Momentous that you can trust us to handle your personal data in a careful and transparent manner and with respect for your privacy when working with us. When processing your personal data, we strictly comply with the General Data Protection Regulation (GDPR) and other data protection legislations, and we always strive to act in accordance with good data protection practices.
This privacy statement describes how we collect, process and protect your personal data in all our operations.
2. What personal data do we process and for what purposes?
We only collect and use your personal data for the following separately specified purposes. Personal data are processed to carry out executive search and management development assignments given by Momentous’s client companies at the time (executive search, management development, personnel assessments) and to manage, maintain and develop client relationships; to develop the business activities and services of Momentous, and to carry out market research and candidate communication, candidate and client feedback surveys and the compilation of statistics. Personal data are used and stored in connection with other assignments only with the consent of the data subject. We collect personal data only for the above-mentioned purposes.
- The data processed in the register include the following information necessary for the purpose of the register:
- basic personal details, such as the candidate’s name, contact details (address, e-mail address, telephone number) and date of birth
- specific information related to the candidates necessary for evaluating their suitability for the vacancy, such as education, vocational competence and specialist knowledge (e.g. language skills)
- the results of personal and aptitude evaluations
- information related to the candidate’s previous or current employment, such as their employers, the start date and duration of employment and job descriptions
- information concerning the candidate’s job search, such as job preferences, desired salary, preferred location of the job and possible commencement and termination information regarding the job
- the name, title and contact details (address, e-mail address, telephone number) of the contact persons of the client organisation
- information on the client organisation required for the client relationship, such as order details, information on meetings, possible direct marketing permissions and prohibitions as well as other communication between the parties and possible recordings of telephone conversations and meetings
- information related to the service, such as information on which client companies the controller has sent an overview of the candidate.
3. On what legal basis do we process your personal data?
Data protection legislation requires that all processing of personal data is based on a legal basis in accordance with the General Data Protection Regulation. We process your personal data on the basis of the following legal grounds:
Agreement: The personal data of the client companies’ contact persons are processed on the basis of an assignment-specific agreement.
Legal obligation: We directly process some personal data under the law. Such information includes information on the suitability for a task for which statutory suitability requirements have been set.
Legitimate interest: When a legitimate interest is used as a basis for processing, we carefully assess and weigh the existence and relevance of the interest as required by data protection legislation and ensure that the processing does not cause you unreasonable inconvenience or risk. The personal data of executive search candidates may be collected on the basis of a legitimate interest in the initial assessment. Initial assessment means in executive searches that persons suitable for open jobs are surveyed from the labour market. Information collected include, besides contact information, also information on work history and education. After the initial assessment, we will contact the executive search candidate within a reasonable period and ask for their consent to participation in the executive search assignment and the processing of personal data.
Consent: The legal basis for the processing of personal data of persons participating in our assignments is consent.
4. How do we obtain the personal data we process?
The personal data is mainly collected from the candidates themselves. The personal data of the participants in the assignment (executive search, management development, personnel assessments) comes directly from the material, interviews and personnel assessments of the person in question. In specific situations defined by law, we may also collect data from external sources, such as the registers of the authorities. As initial assessment, personal data of executive search candidates may also be collected from the data sources and registers kept by third parties, such as public companies or authorities. Momentous is part of the Bravedo Group, so we may also receive your personal data from other Group companies, as described in the section Disclosure of personal data.
5. To whom do we disclose or transfer your personal data?
We process your data confidentially and do not, for example, sell, rent or otherwise unnecessarily disclose your personal data to third parties.
5.1. Disclosure of personal data
The disclosure means an event in which the controller (hereafter Momentous) provides personal data to a third party and that third party uses the data for its own purposes – not for the account of Momentous. Personal data may be disclosed to the following operators:
- The contact details of the representatives of client companies may be disclosed to other companies belonging to the Bravedo group.
- Some information may be disclosed to the authorities if required by law
- In connection with an assignment, an evaluation report or other information related to the reporting of the assignment may be disclosed to a client company
- In the context of a merger and acquisition transaction, the acquiring party may gain access to the information
5.2. Transfer of personal data
The transfer of personal data means a situation in which the controller provides personal data to a third party for processing on behalf of the controller. For example, the outsourcing of a processing activity, such as payroll, to another company usually requires transfer of personal data.
The information we collect is stored and processed partly outside the European Economic Area when the service provider we use is located or stores the information outside the European Economic Area. The service providers we use are contractually committed to ensuring that an adequate level of data protection is ensured in all processing of your personal data.
6. How do we protect your personal data?
We take appropriate technical and organisational security measures to protect your personal data from loss, unauthorised access and other misuse. Our electronic databases are protected, for example, with firewalls, passwords and restricted personal access rights. Only employees with the right to process the data as part of their duties are entitled to use the system containing personal data. Possible physical databases are located in locked and guarded premises. Access to your personal data is internally restricted through electronic and physical access control, as well as through policies for granting and controlling access to different systems.
7. Automated decision-making and profiling
Automated decision means a decision that is made entirely automatically (for example, by an algorithm) without the participation of a human in the decision-making process. The processing of your personal data does not include automated decision-making or profiling.
8. Personal data retention period
We only retain your personal data for as long as is necessary for fulfilling the purposes for which we process your personal data, unless the law obliges us to retain it for a longer period.
At the end of the retention period, the data are either erased from the users’ data, backups and system background data, or rendered unrecognisable by irrevocably changing the data to a form from which an individual is no longer recognisable. Manual data are deleted in a secure manner in accordance with a specified deletion process. The deletion of data is carried out by designated responsible persons in accordance with the policies of Momentous.
We store your personal data as follows:
- The data of the person participating in the assignment is stored for a maximum of two (2) years from the date of the service implementation
- The personal data of client company representatives are stored for the duration of the client relationship and for a reasonable period after the termination of the client relationship
- If the executive search candidate is selected for the job of the client company, we will retain the information about the person’s name, company and job title, according to Momentous’s contractual obligations, as long as the person is employed by the said company, however, for a maximum of five (5) years
- Information on the statutory suitability for the job is stored in accordance with the legislation for ten (10) years
As a rule, the retention period is calculated from the moment the personal data is created.
9. What rights do you have?
9.1. The right to receive information regarding the processing of your personal data
You have the right to receive information from us regarding the processing of your personal data in a concise, transparent, easily understandable and accessible form in clear and simple language.
The purpose of this statement is to fulfil your right to receive information and to help you understand how and for what purposes we process your personal data. If this statement does not provide adequate information to some of your questions, you can contact us in accordance with the “Contact information” section.
9.2. Right of access
You have the right to receive confirmation from us on what personal data we process about you. This gives you the opportunity to assess and verify the lawfulness of the processing. In addition, you have the right to request and receive a copy of the personal data we process. Instructions for making a request for information can be found in the section “How can you exercise your rights?”
9.3. Right to data portability
In certain situations, you have the right to have your personal data, which you have provided to us, transmitted directly to another controller (such as an employer) in a commonly used and machine-readable format. Such a right exists when we process said data on the basis of your consent or agreement and the processing is automated (digital).
9.4. Right to rectification
Our goal is to keep your personal data up to date and to delete or complete incorrect, incomplete or inaccurate personal data without delay if necessary. You also have the right to request that we rectify inaccurate or incorrect personal information, or that we complete information that has been left incomplete.
9.5. Right to restriction of processing
The restriction of processing means that, in addition to storage, the personal data subject to the restriction can only be processed
- With your consent
- For the establishment, exercise or defence of legal claims
- For the protection of the rights of another natural or legal person or
- For reasons of important public interest of the Union or a Member State.
- The right exists in the following cases:
- You contest the accuracy of the personal data. In such cases, the processing will be restricted for a period enabling the verification of the accuracy of the personal data
- The processing is unlawful, but you oppose the erasure of the personal data
- We no longer need the personal data and we would otherwise delete them, but you need them for the establishment, exercise or defence of legal claims.
- You have objected to the processing of personal data on the basis of the legitimate interest of the controller and are awaiting verification of whether the interests of the controller override those of the data subject.
9.6. Right to object to the processing of personal data
In certain situations, you have the right to object to the processing of your personal data, that is, request the controller not to process it at all. In situations where we process your personal data for the performance of a task carried out for reasons of public interest, in the exercise of official authority or for the purposes of pursuing legitimate interests, you have the right to object to the processing on grounds relating to your particular situation.
- In such cases, the processing must be stopped unless
- We can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or
- The processing is necessary for the establishment, exercise or defence of legal claims.
If the personal data is processed for direct marketing, you have the right to object to the processing without any specific grounds. After objection, the data may no longer be processed for purposes of direct marketing.
9.7. Right to erasure and to be forgotten
In certain cases, you have the right to be “forgotten”, that is, to have some of the personal data we process erased completely. This is usually the case, for example, where the processing of personal data has been based on consent and you withdraw your consent, if the processing of personal data has been unlawful in the first place, or if the personal data that has been reasonably collected as such are no longer needed for the original or other acceptable purposes (e.g. a legal obligation to store the data).
9.8. Right to withdraw consent
In cases where we process your data with your express consent, you have the right to withdraw your consent at any time. If you withdraw your consent, the processing or storage of your personal data will not be continued unless some other legal basis (such as a legal obligation) requires further processing. For example, you can withdraw your consent to subscribe to the newsletter with the "unsubscribe" function in the message.
9.9. Right to lodge a complaint with a supervisory authority
In addition to the rights above, you have the right to lodge a complaint with a supervisory authority if you believe that we are in breach of the Data Protection Regulation in the processing of your personal data. For example, you may file a complaint if your rights as described in this statement are not properly enforced. The Office of the Data Protection Ombudsman acts as the supervisory authority for data protection in Finland.
10. How can you exercise your rights?
If you have any questions about your rights as mentioned above, if you wish to review your information or otherwise exercise your rights, please contact us; the contact details are provided at the end of this statement.
- The exercise of these rights is, in principle, free of charge; in certain exceptional cases defined by law (for example, if you request multiple copies of your data), we may ask you in advance for a fee corresponding to the cost of fulfilling the request.
- We will respond to all requests without undue delay (at the latest within one month of receipt of the request) and will let you know what action we have taken in response to your request. If for any reason we have to decline your request, we will also notify you of the refusal and the reasons for it within one month of receipt of the request at the latest.
- If there are multiple requests or they are complex, we may sometimes need more time (up to 2 months) to process them. In such case, we will inform you of the need and reasons for the extension no later than 1 month after the request was made.
If you wish to lodge a complaint with the supervisory authority, you can find more information on the website of the Office of the Data Protection Ombudsman. https://tietosuoja.fi/en/report-of-fault-in-personal-data-processing
11. Data controller and contact information
The controller means the entity that determines how and for what purposes personal data is processed. Momentous determines the purposes and means of the processing of personal data, and is therefore the controller of such data.
The data controller’s contact information:
Momentous Oy
Business ID 2443137-4
Mannerheiminaukio 1 A, 00100 Helsinki, Finland
privacy@momentous.fi
12. Updates to the statement
We are constantly improving our privacy practices, which is why we may make changes to this privacy policy from time to time. Changes may also be based on changes in legislation. We recommend that you visit this privacy statement page from time to time to see the changes. If necessary, we can also notify you directly about the changes.