Data Retention Policy

Last Updated: November 2025

This policy sets out the limits for and scope of the retention of personal data and special category data to ensure that those limits, as well as the rights to erasure, rectification, and data portability, are fully respected. It also ensures compliance with the EU General Data Protection Regulation (EU 2016/679) and the Finnish Data Protection Act (1050/2018).

1. Purpose
The purpose of this policy is to:

Ensure Intelligent Employment Oy complies with its legal obligations and data subject rights under GDPR.

Define the retention periods for different types of personal data.

Improve the speed, efficiency, and security of managing, storing, and deleting data.

This policy applies to all personal data held by Intelligent Employment Oy (“the Company”) and by any third-party processors acting on our behalf.

2. Data Storage
Personal data is stored securely in the following ways and locations:

  • Secure cloud-based servers located within the European Economic Area (EEA).
  • Computers and laptops used by Intelligent Employment Oy employees in Finland and approved remote locations.
  • Company-managed recruitment and CRM systems (e.g. ATS, database, email).
  • Secure backup environments used for business continuity purposes.

3. Definitions
Personal Data means any information relating to an identified or identifiable natural person (“data subject”).
An identifiable natural person is one who can be identified directly or indirectly by reference to an identifier such as a name, ID number, location data, online identifier, or factors specific to the individual’s physical, economic, or social identity.

Special Category Data (also known as sensitive personal data) includes, but is not limited to: race or ethnic origin, political opinions, religion, trade union membership, genetic or biometric data, health information, or sexual orientation.

4. Retention Principles
Under GDPR, personal data must be kept in a form that permits identification of data subjects for no longer than necessary for the purpose for which the data was collected.

In certain cases, data may be retained longer for:

  • Archiving in the public interest.
  • Scientific or historical research.
  • Statistical purposes — where appropriate safeguards are in place.
  • Data subjects also have the right to erasure (“right to be forgotten”) in the following circumstances:
  • The personal data is no longer required for its original purpose.
  • Consent is withdrawn and no other lawful basis applies.
  • The individual objects to processing and no overriding legitimate interest exists.
  • The personal data has been unlawfully processed.
  • The personal data must be deleted to comply with a legal obligation.

 

5. Retention Periods
The Company will not retain personal data longer than necessary. Standard retention periods are as follows:

  • Candidate and applicant data – retained for up to 7 years after last meaningful contact, unless consent is withdrawn sooner.
  • Client and contact data – retained for up to 7 years after last interaction, in line with commercial record-keeping requirements.
  • Marketing data – retained until the individual unsubscribes or requests deletion.
  • Employee and payroll records – retained for periods required under Finnish employment, tax, and accounting law.
  • Financial and invoice records – retained for 6 years as required by Finnish bookkeeping regulations.

Retention periods are reviewed regularly to ensure compliance and necessity.

6. Data Review and Deletion
All personal data held by the Company is periodically reviewed against retention schedules.
Where data is no longer required, it will be securely deleted or anonymised.

Deletion methods:

  • Electronic records – permanently deleted from systems and backups.
  • Paper records – securely shredded.
  • Special category data – securely deleted using enhanced destruction methods.

 

7. Security Measures
The following security measures are applied to ensure data protection:

  • All emails containing personal data are encrypted.
  • Access to personal data is restricted to authorised personnel only.
  • Company systems use strong password protection and two-factor authentication.
  • All laptops and mobile devices use encryption and automatic screen lock.
  • Personal data is transmitted only via secure networks (HTTPS, VPN).
  • Physical copies of data are stored in locked cabinets and disposed of securely.
  • No software may be installed on company devices without approval.

 

8. Access, Training, and Responsibilities
Only employees, contractors, and agents who require access to personal data to perform their duties may process such data.

  • All staff are trained in data protection and GDPR awareness.
  • All staff are required to handle personal data confidentially and securely.
  • Breaches or data incidents must be reported immediately to the Company’s Data Protection Officer.

9. Data Subject Rights
All personal data is processed in line with the Company’s Privacy Policy.
Data subjects are informed of their rights, including:

  • Right of access, rectification, and erasure.
  • Right to restrict processing or object to processing.
  • Right to data portability.
  • Rights related to automated decision-making and profiling.
  • Requests must be sent to info@intelligentemployment.com
     and will be addressed within one month.

10. Disposal of Data
Upon the expiry of data retention periods or when a data subject exercises the right to erasure, personal data will be securely deleted, destroyed, or anonymised.

  • Electronic data: deleted from active and backup systems.
  • Hard copies: shredded securely.
  • Special category data: destroyed using advanced secure methods.

11. Review of This Policy
This policy will be reviewed annually or sooner if required by changes in legislation, data protection guidance, or internal procedures.

Contact:
Intelligent Employment Oy
Itämerenkatu 3, 00180 Helsinki, Finland
Tel: +358 9751 54111
Email: info@intelligentemployment.com

Compliant with: EU GDPR (EU 2016/679) | Finnish Data Protection Act (1050/2018) | Privacy and Electronic Communications Regulations (PECR EU)

Intelligent Employment - Shaping the future of Recruitment
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.