Privacy Statement


The protection of your privacy is important to us. Barona Oy (henceforth “Barona”) is therefore committed to protecting your privacy in the best way possible, and to processing your personal data transparently, in accordance with the law in force at a given time, and in accordance with good data protection practices.

This data protection privacy statement reflects how we collect, process and protect your personal data throughout our business.


1. Use and processing of personal data

We collect and process personal data only to the extent that this data is necessary for our our business operations, and in order to offer and develop our services. We collect and process your personal data in order to be able to provide and offer employment search services, to bring job applicants and employing organisations together, to develop the services that are associated with these functions at any given time, to manage customer communication and customer relationships, and to implement marketing and advertising. We also process personal data when the law requires us to do so, or when our legitimate interests enable us to do so.

Personal data is generally collected directly from you during the time we have a customer relationship. In certain situations, we also collect data from other external sources with your expressed permission, or within the bounds permitted by law.

The purpose of the processing determines what sort of data we collect in each situation, and for what purpose. We process the following personal data only when there are lawful grounds for doing so, for the purposes specified below.

Purpose of processing personal data Legal basis for processing
Provision of services
In order to form a customer relationship and to provide employment search services, we collect the following data from the job applicant: contact information and other individually-identifying data (e.g. date of birth), data that is necessary for the assessment of the job applicants suitability (e.g. training, vocation, special competencies, driving licence information, ability to use an automobile as part of work duties), data concerning the job applicant’s employment search (his/her desire for a position that he/she has applied to, desired wages, desired workplace, and any information related to the initiation and termination of a job), and data related to the job applicant’s work experience (e.g. information related to the job applicant’s previous or current employment relationship, such as who the employers have been, times when employment relationships have begun, the duration of these employment relationships, the nature of past/current job duties, and recommendations given by employers). Additionally, we may record e.g. a recruiter’s assessment of a person’s suitability for a given role, any references, and communications related to the service that takes place between the employment seeker and an employing organisation.

Insofar as legislation permits and requires, we also collect the following from the employment seeker: credit information, the results of any security screenings, the presentation of a criminal records extract and unique ID information associated with it, and data related to personal and aptitude assessment tests and drug tests. To verify a person’s right to work, we conduct a verification of citizenship.

From employing organisations, we collect basic information such as name and contact details, and the name and contact information of the contact person.



Legitimate interest

Statutory requirement

Rendering of services
In order to render services, we process and record such items as the following during the service process: ordering information, information on meetings between people, any other contact between parties, possible recordings of such meetings and of telephone calls, data related to the service — such as information on which employing organisation that is also a client of the data controller has the introduction of the applicant been sent to –, and particular data related to a client organization of the data controller, such as its industry of operation and size. Consent

Legitimate interest

Customer service, customer communication and customer billing
In customer service, customer communication and customer billing, we process data related to customer relationships, payment data, and data regarding newsletter subscriptions and customer feedback. Legitimate interest
Analysis, compilation of statistics, and development of the business and services
For the purpose of analysis, compilation of statistics, and development of the business and services, we collect and process information regarding customer relationships and client organizations, such as services preferred by the customers and customer feedback, as well as information related to job search, such us use of services, city, and age. Legitimate interest
Direct marketing and marketing campaigns
We process personal data (e.g. contact information and data on services used by job applicantsand employing organisations) in order to market our services. We use personal data for direct e-marketing (via e-mail and text message) only on the basis of consent provided beforehand.

We may also engage in marketing by telephone or mail, if this is permitted by law.


Legitimate interest

Analysis of the use of our website
On the basis of consent provided by the customer, we analyse the use of our website: such as IP addresses, operating systems, browser versions and workstation models, as well as the websites from which people have reached Barona’s web service. Consent


2. Automatic decision-making

Processing of your personal data does not entail any automatic decision-making. “Automatic decision-making” refers to decisions made entirely automatically, without a person participating in the decision-making process.


3. Sensitive data

Special forms of personal data, so-called ”sensitive personal data” include personal data from which race or ethnic origin, political opinions, religious or philosophical conviction, trade union membership, genetic and biometric information, or information related to health status, sexual behaviour or sexual orientation of a natural person becomes apparent.

Processing of your personal data does not include the processing of sensitive data.  


4. Handover and transfer of data

We process your data confidentially, and do not hand it over to third parties except in the following cases:

  • Internally within our corporate group: The data is processed within Barona Companies’ registries that are related to the purposes mentioned in this privacy statement and
  • Public authorities: we may need to hand over certain data to authorities or administrators of the law in cases where there is a legally mandated requirement to do so. We do so only upon a valid decision from a court, or upon an order or subpoena from a public authority.
  • Mergers and acquisitions: when a corporate acquisition or corporate reorganisation takes place, the acquiring party may obtain access to essential customer data.
  • Consent: we may hand over your personal data to third parties if you have given your consent for us to do so. Your application for a open position at a specified employing organisation will be regarded as consent to surrenderapplicant information for the employing organisation.

In processing the data we have collected, we also use subcontractors and service providers (e.g. for technical maintenance and for the implementation of campaigns and direct marketing) that only have the right to process your data to the extent required by the agreed-on service. This means that they will not be able to use your data for their own purposes. We contractually require them to ensure a sufficient level of data protection, as well as the legality of the processing.

The data we collect is in part stored and processed outside the European Economic Area in cases where e.g. our service provider is located, or stores data, outside the European Economic Area. The service provider we use is contractually bound to ensure that a sufficient level of data protection is guaranteed in all processing of your personal data.


5. Data security

We have appropriate technical and organisational means of data security in order to safeguard your personal data from loss, misuse or other equivalent illegal access. Such means include e.g. the use of firewalls, encryption techniques, and secure areas for IT hardware.

Access to your personal data is also internally restricted through physical and electronic access control, granting of user rights, and the monitoring of such rights. Your personal data is only processed by employees who have the right to do so within the framework of their work duties.


6. Access to data and exercise of rights

You have the right to inspect what data we have collected in our registry regarding you, and to have an effect on how we use it. You have the ability to decide whether you wish to receive direct marketing, and in certain cases, you have the right to be forgotten or request the transfer of your data to another data controller. Below, we describe what rights pertain to you within the framework of the legislation currently in effect:

  • Right to revoke consent

As the processing of personal data is based on your consent, you have the right to revoke your consent at any time. For example, you may revoke consent you have given for direct e-marketing at any time.

  • Right of review and correction

At any time, you have the right to review what data we have collected regarding you, or to receive assurance that there is no personal data on you in our registry. If your data are erroneous, inaccurate or insufficient, you may send us a rquest for correction or addition.

  • Restriction of or opposition to processing

If your data is incorrect in some aspect, you have the right to demand a temporary restriction on processing, until we have verified that the data is correct. In certain situations, you will also have the right to oppose the processing of your data entirely.

  • Right to prohibit direct marketing

Additionally, you may prohibit direct marketing at any time (including profiling for direct marketing purposes).

  • Right to be forgotten

In certain situations, you have the right to be forgotten. We will delete all data that we have collected regarding you if the personal data is no longer needed for the purposes for which it was originally collected. We will also delete the data if the processing of personal data was based on consent and you withdraw your consent, or if you express opposition to the processing of your personal data, unless there are other grounds for the processing.

  • Right to transfer data from one system to another

You may request transfer of your personal data, in which case we will deliver your personal data to you in machine-readable form, so that you may keep it yourself or transfer it to another data controller (e.g. to another service provider). If it is technically possible, we will also transfer your information directly to another data controller upon your request. This is possible only in situations where we process your personal data on the basis of your consent or an agreement, and it only applies to data that you yourself have submitted to us (for example, a CV).

  • Right of appeal

In addition to the formerly mentioned rights, you have the right to make an appeal to a supervisory authority regarding the processing of your personal data.
If you want to file a claim, or if you have questions related to your rights or this data protection privacy statement, contact us by e-mail at or by mail at Barona Privacy, Töölönlahdenkatu 3B, 00100 Helsinki.


7. Storage of data

We store your personal data for as long as is required for the purposes of processing, as long as the law requires us to do so, or until we receive a deletion request.

We store your data only for as long as is needed to fulfil the purposes specified in Section 1, always within the bounds set by currently-effective law. All information related to the seeking of employment is stored in our registry for 2 years following the final step taken or the final contact made.  

Customer data related to employing organisations will be deleted within a reasonable amount of time from when the customer relationship ends. With regard to data associated with other purposes that have been mentioned in this privacy statement, the data will be preserved for as long as the consent remains in effect.

After this, your data will first be removed from the view of our users, and following the cautionary period, it will finally be deleted from our backup copies as well, or will be made unidentifiable, via being irreversibly modified into a form from which the individual person is no longer recognisable.


8. Use of cookies

We may collect information concerning your computer via the use of cookies and other equivalent techniques. A cookie is a small text file that the browser saves onto your computer. Cookies contain a unique identifier, and are used so that we can identify and count the number of browsers visiting our website. You have the right to block the use of cookies, but this may affect the functionality of our service. You may empty cookies from the settings of your browser.


9. Changes to the data protection privacy statement

We are continually developing our data protection practices, and for this reason, we may change this data protection privacy statement from time to time. The changes may also be based on a change in legislation. We recommend that, from time to time, you revisit this page containing the data protection privacy statement in order to make note of any changes. If needed, we may also notify you of changes directly.


10. Data controller and contact information

Barona Oy is the data controller for your personal data. If you have any questions or comments, contact us:

Barona Oy

Business ID         2808477-9

Address              Töölänlahdenkatu 3 B, 00100 Helsinki, Finland


Telephone           +35820 198 3460