TIITUS GROUP OY’S PRIVACY POLICY AS A CONTROLLER

(updated 17.5.2018)

This privacy policy of Tiitus Group Oy (hereinafter Tiitus Group Oy may also be referred to as
“we” or “us”) describes the personal data processing activities of Tiitus Group Oy as the
controller (hereinafter “Privacy Policy”). This Privacy Policy contains Tiitus Group Oy’s
records of processing activities as the controller, and it also acts as a communication from us
to our data subjects (hereinafter our data subjects may also be referred to as “you”) through
which we inform the data subjects of the ways Tiitus Group Oy processes their personal data.
Thus, this Privacy Policy contains at least the information that Articles 13, 14 and 30 of the
EU’s General Data Protection Regulation (679/2016) (hereinafter “GDPR”) require of us.

Tiitus Group Oy aims to ensure that this Privacy Policy is always publicly, transparently and
easily accessible on Tiitus Group Oy’s websites.

1) CONTROLLER
Name: Tiitus Group Oy
Business ID: 2736664-3
Address: Fabianinkatu 28, 00100 Helsinki

2) PERSON IN CHARGE OF DATA FILES
Name: Niklas Litmala
Contact details: +358 44 5757358, niklas.litmala@tiitus.fi

3) CATEGORIES OF DATA SUBJECTS
Tiitus Group Oy’s Privacy Policy as the controller concerns the following categories of data
subjects:
1) persons who act as contact persons of our customers;
2) persons who use our service as jobseekers and other similar individuals;
3) persons who are employed by Tiitus Group Oy or seek employment from Tiitus Group Oy;
and
4) persons who contact us through email or other similar means.

4) CATEGORIES OF PERSONAL DATA
The data files concerning the data subjects of Section 3.1) may contain the following
categories of personal data:
• contact information, such as full name, address, phone numbers and e-mail addresses;
• nationality, age, gender, title or profession and mother tongue; and
• possible other information gathered with the data subject’s consent.

The data files concerning the data subjects of Sections 3.2) – 3.4) may contain the following
categories of personal data:
• contact information, such as full name, address, phone numbers, e-mail addresses and
personal identification numbers;
• videos and pictures;
• nationality, age, gender, title or profession and mother tongue;
• other information derived from the CVs, such as the work experience, educational
background and other such skills;
• bank account data;
• location data;
• possible registration information, such as username, pseudonym, password and other
unique identification;
• information relating to the implementation of communications and information
relating to use of services, such as browsing and search information; and
• possible other information gathered with the data subject’s consent.

5) PURPOSE OF THE PROCESSING OF PERSONAL DATA
Personal data of the data subjects of Section 3.1) can be processed for the following
purposes:
• management and development of the customer relationship;
• customer service;
• to enable us to comply with our legal and regulatory obligations; and
• analysis and statistics.

Personal data of the data subjects of Section 3.2) can be processed for the following
purposes:
• management and development of the customer relationship;
• customer service;
• profiling;
• marketing;
• to enable us to comply with our legal and regulatory obligations; and
• analysis and statistics.

Personal data of the data subjects of Sections 3.3) – 3.4) can be processed for the following
purposes:
• management and development of the employee and jobseeker relationships;
• management of employment contracts and other related matters;
• customer service;
• marketing;
• management and development of the customer relationship;
• to enable us to comply with our legal and regulatory obligations; and
• analysis and statistics.

6) LEGAL BASIS FOR PROCESSING
The controller has the right to process the personal data of the data subjects based on the:
• consent received from the data subject;
• performance of a contract to which the data subject is party or request of the data
subject prior to entering into a contract; or
• legal obligation to which the controller is subject.

7) REGULAR SOURCES OF INFORMATION
Information regarding the data subject is regularly gathered:
• from data subjects themselves through our service, via phone, internet, e-mail or in
other similar fashion;
• with cookies and other similar technologies;
• by Tiitus Group Oy’s other Finnish affiliate companies; and
• from the Population Register Center/Population Information System, Posti’s address
database, phone companies’ databases and other similar private and public registries.

8) PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED
1) We shall retain the data of the data subjects of Section 3.1) for a period of five (5) years
following the end of customer relationships.

2) We shall retain the data of the data subjects of Section 3.2) for a period of one (1) year
following the end of customer relationships.

3) We shall retain the data of our employees of Section 3.3) for a period of ten (10) years
following the end of their employment in our company, because we have a legal obligation
to provide our former employees with references during that period.

4) We shall not retain the data of the jobseekers of Section 3.3) if the data subjects do not
explicitly give us their consent to do so. Having received such consent, we may retain
the data of the data subjects for a period of six (6) months following explicit consent.

5) We shall retain the data of the data subjects of Section 3.4) for a period of one (1) year
following the contact.

6) However, we may retain the data of the data subjects of Sections 3.1) – 3.4) for longer
than is described above, where we are required to do so by law, it is necessary due to
legal proceedings and it is necessary for any similar reason. We shall be careful not to
apply this Section in vain.

7) We inspect the necessity of the personal data stored every six (6) months and keep
records of the inspections.

9) CATEGORIES OF RECIPIENTS OF PERSONAL DATA
The recipients of personal data may consist of the following categories:
• Tiitus Group Oy’s affiliate and customer companies;
• parties who offer cloud services;
• parties who offer accounting and auditing services;
• parties who help Tiitus Group Oy to fulfill its legal obligations; and
• Tiitus Group Oy’s customers.

10) INFORMATION TRANSFER OUTSIDE OF EU OR THE EUROPEAN ECONOMIC AREA
Personal data is not transferred to third countries.

11) DATA SUBJECTS’ RIGHTS
The data subject has the right to exercise all of the rights mentioned below.
Requests concerning these rights shall be submitted to the person in charge of the data file
stated in Section 2. The rights of the data subject can be exercised only when the data
subject has been satisfactorily identified.

Right to inspect
Having presented the adequate and necessary information, the data subject has the right to
know what, if any, data the controller has stored about her/him. While providing the requested
information to the data subject, the controller must also inform the data subject of the
controller’s regular sources of information, what the personal data are used for and where
they are regularly disclosed.

Right to rectification and erasure
The data subject has a right to request the controller to rectify the inaccurate and
incomplete personal data concerning the data subject.

The data subject can request the controller to erase the personal data concerning the data
subject, if:
• the personal data are no longer necessary in relation to the purposes for which they
were collected or otherwise processed;
• the data subject withdraws the consent on which the processing is based;
• the personal data have been unlawfully processed; or
• the personal data have to be erased for compliance with a legal obligation in Union or
Member State law to which the controller is subject.

Let it be known that the data subjects’ rights to rectify and erase data do not concern the
data which the controller must retain due to its legal obligations.

If the controller does not accept the data subject’s request to rectify or erase the personal
data, it must give a decision of the matter to the data subject in a written form. The decision
must include the reasons for which the request was not granted. The data subject may refer
the matter to the relevant authorities (the Data Protection Ombudsman in Finland).

The controller must inform the party to whom the controller has disclosed the personal data,
or from whom it has received the personal data, of the rectification or erasure of personal data.
However, there is no such obligation where the fulfilment of the obligation would be
practically impossible or otherwise unreasonable.

Right to restriction of processing
The data subject can request the controller to restrict the processing of the personal data
concerning the data subject where one of the following applies:
• the accuracy of the personal data is contested by the data subject, for a period
enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful, and the data subject opposes the erasure of the personal
data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing,
but they are required by the data subject for the establishment, exercise or defense
of legal claims; or
• the data subject has objected to processing pursuant to Article 21(1) of the GDPR
pending the verification whether the legitimate grounds of the controller override
those of the data subject.

If the controller has based the restriction of the processing of personal data on the
abovementioned criteria, the controller shall notify the data subject before
removing the restriction.

Right to object
Where personal data are processed for direct marketing purposes, the data subject shall have
the right to object at any time to processing of personal data concerning her/him for such
marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to data portability
The data subject shall have the right to receive the personal data concerning her/him, which
he or she has provided to a controller, in a structured, commonly used and machine-readable
format and have the right to transmit those data to another controller without hindrance
from the controller to which the personal data have been provided, where the processing is
based on consent or a contract.

Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal effects concerning him or her
or similarly significantly affects him or her.

However, the data subject shall not have the aforementioned right if the decision is:
• necessary for entering into, or performance of, a contract between the data subject
and us;
• authorised by Union or Member State law to which the controller is subject and
which also lays down suitable measures to safeguard the data subject’s rights and
freedoms and legitimate interests; or
• based on the data subject’s explicit consent.

Right to withdraw consent
Where the legal basis for the processing of personal data is the consent of the data subject,
the data subject shall have the right to withdraw her/his consent.

12) RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
The data subject shall have the right to lodge a complaint with a supervisory authority, if the data
subject considers that the processing of personal data relating to him or her infringes the
GDPR. The complaint can be lodged in the Member State of her/his habitual residence, place
of work or place of the alleged infringement.

13) COOKIES
Our service uses cookies to make it more user-friendly and to anonymously track your use of
the Service. This is standard practice on most websites.

Cookies are small text files that a website stores on your device when you browse that
website. Cookies store data about your use of the website.

Cookies are not used for identifying a person.

You can control and/or remove cookies freely at the individual browser level. Instructions can
be found, for example, at aboutcookies.org.

In order to improve our service, we gather, measure and analyze data concerning your use of
the service including (but not limited to) activity, page views, unique visitors and bounce
rate.

14) SECURITY OF PROCESSING
We implement at least the following technical and organizational measures to ensure an appropriate level of security in the processing of personal data:
• We encrypt our data files and user passwords by using appropriate means available.
• We use only reliable software that provides our service with the appropriate usability, availability and security. We also use tokens to make our service more secure.
• Our databases are backed up regularly and can be restored very quickly.
• Our Service is audited regularly and on demand, through which we are able to ensure that our Service does not contain any leaks or security concerns that could expose sensitive and/or personal data.

15) PROFILING
In order to use Tiitus as a new user, you’ll need to create a profile. In order to create a profile, a new account needs to be created. To register, you either choose an account name and set a password or you register by using Facebook credentials. In order to use Facebook login, the user accepts the use of the Facebook API. When Facebook login is used, the password won’t be saved.

In order to suggest possible work positions, the Tiitus service asks for other information to be added to the profile. In this way the employers also get a better picture of the jobseeker. Obligatory information includes service area, name, email, phone, location, birthdate and gender. Optional information includes profile photo, current work situation, skills, education, personality, work experience and competences. The user can also add photos and videos to the profile. The employers can see information about the jobseeker if the jobseeker has applied for the position in the company or the jobseeker has accepted the contact request from the employer.

User accounts are by default anonymous for companies acting as employers. Companies seeking new employees can scroll through anonymous user accounts and send contact requests to the jobseekers. If the jobseeker accepts the contact request, the company receives a permit to see all of the personal data of the user account. The jobseeker has the sole right to decide whether or not to keep his/her profile public.

Primarily, the job announcements with the highest match percentage are shown first if the user has chosen to use artificial intelligence. The match percentage is calculated using the user’s language, location, skills and tags, which are compared to the corresponding information in the job announcement.

16) DATA PROTECTION PRINCIPLES
Tiitus Group Oy uses all reasonable efforts to maintain physical, electronic, and
administrative safeguards to protect personal information from unauthorized or inappropriate
access, but Tiitus Group Oy notes that the Internet is not always a secure medium. Tiitus
Group Oy restricts access to information about data subjects only to the personnel of Tiitus
Group Oy that need to know the information e.g. for responding to inquiries or requests made
by the data subjects.