Data Protection Policy
Data protection policy describes user data management and complying with GDPR. If you have any questions, don't hesitate to contact us.

Purpose of this Document

The purpose of Jobilla Oy Data Protection Policy is to describe how Jobilla approaches protecting our customers and users data and privacy, and how we’re complying with GDPR & the national data protection policies & laws.

Definitions of Key Terms

Data Privacy Officer (DPO)

An expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.

Data Controller (DC)

The entity that determines the purposes, conditions and means of the processing of personal data.

Data Processor (DP)

The entity that processes data on behalf of the Data Controller.

Data Subject (DS):

A natural person whose personal data is processed by a controller or processor.


Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

Personal Data

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.

Right to Access

Also known as Subject Access Right, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.


The processing of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution.


Any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour.

Principles of Data Processing

See Jobilla’s ‘Privacy Policy’ for detailed documentation on Personal Data we’re gathering & the Personal Data gathering purposes.

Jobilla will never disclose nor sell the gathered personal data for third parties without an explicit written consent from all of the data subjects affected.

Personal Data processing activities within Jobilla can be broken down into 2 separate categories as follows.

1 Processing performed by Jobilla

Jobilla’s authorized personnel will be processing the personal data gathered solely for the purpose of helping our customers do better hires in a more cost effective manner, and within the boundaries of implementing the contracts between Jobilla and our customer companies.

Jobilla can perform automated machine learning powered analysis on the gathered data, in order to gain better understanding of the users of our platform and to better connect them with possibly interesting companies using our services.

Jobilla will never use the gathered data for anything else except for activities driven by the purpose of advancing our customers hiring process & it’s efficiency directly or indirectly.

2 Processing performed by Jobilla’s customer companies

Jobilla’s customer companies processors participating in the processing activities are always explicitly specified in a separate attachment provided for the data subjects in beforehand in conjunction with this document & Jobilla’s official Privacy Policy.

Jobilla’s customers shall only be performing data processing activities for the following purposes:

1 Gathering & nurturing companies own ‘Talent register’ database for more efficient hiring activities 1. Discovering their gathered candidates from the database based on given criteria 2. Performing & storing all hiring related communications with the talent through the Jobilla platform

2 Performing regular hiring activities using Jobilla’s ‘Application Tracking System’ (ATS) 1. Receiving applicants job applications & CVs into Jobilla ATS 2. Performing the recruitment process of communicating with the candidate, evaluating the candidate, and selecting the most suitable candidate using the Jobilla’s ATS

Every individual data processor is required to digitally sign and confirm an agreement where the processor agrees to honor the privacy of our data subjects and to obey this data privacy policy document + any possible additional national data privacy code of conducts available at the time of signing the contract.

All data subjects have a legal Right to Access and Right to be Forgotten as per GDPR. Due to this data subjects are able to request a record of all data Jobilla has about them via email, or can request an erasure of stored data regarding them. In order to fulfil this request the requester has to be able to identify themselves via the same email address they’re requesting the data about.

Key Requirements and Control Procedures All parties involved in the data processing activities either as Jobilla’s personnel or Jobilla’s customers are required to sign a contract binding them to comply with this Data Protection Policy & Jobilla’s Privacy Policy. All in beforehand undisclosed processing, unlawful processing, or processing that does not obey Jobilla’s Privacy Policy & Data Protection Policy are forbidden.

All customer facing communication with Jobilla’s servers are protected via TLS (HTTPS) encrypted connections to prevent accidental disclosure of confidential data by our users when using eg. a public wi-fi access point.

All production servers are being hardened and maintained according to industry’s best security practises to minimize the chance of accidental data breaches and incidents. Data is regularly, redundantly and automatically being backed up into multi-location storage solutions for incident recovery situations. Backups are being stored for a maximum duration of 12 months from their creation date.

Jobilla’s data is protected by an Access Control List (ACL) layer integrated into our web application that makes sure only authorized personnel are allowed to process certain personal data objects belonging to their company. All data processing activities are being automatically logged for later auditing purposes to ensure processing to be always lawful.

All data is being physically processed and stored within the borders of EU nations (Finland, Ireland, Germany, Netherlands), and will not be transfer-red outside of EU without a prior consent and notice of all data subjects being affected.

Jobilla’s DPO ensures and monitors that all data processing activities of Jobilla’s data are only being performed by authorized parties and in compliance with this policy, our Privacy Policy, and the related laws and regulations.

Jobilla’s DPO co-operates regularly with the local supervising data privacy authority to ensure compliance with the latest laws and regulations, and to ensure safety and privacy of our users.