Personnel Privacy Notice

Date of drafting: 16.1.2026 (version 10.2)

Orion Corporation (the “controller,” “Orion”) is committed to protecting your privacy in compliance with all applicable regulation and ensuring the security of your personal data.

This privacy notice explains how we collect, use, and protect personal data in recruitment processes, employment relationships, other contractual relationships with Orion, or when individuals are recipients of a commission.

1. How we collect personal data 

We generally collect personal data directly from you. Your data is mainly collected during the recruitment process or at the beginning of the employment relationship. Personal data is also gathered as part of our regular operations.

We may also use third-party channels to collect your personal data as part of the recruitment process. We may also collect your personal data from publicly available sources when permitted in the respective jurisdiction.  In addition, authorities may provide the company with personal data, for which it acts as the controller, to fulfil statutory obligations such as taxation and security clearances.

2. What data we collect about you

We will only collect personal data that we are permitted to collect by regulation on a jurisdictional basis in each country, and to the extent necessary to exercise the rights and obligations of the data subject and the controller.  We have set out below a list of the types of personal data that we most commonly collect:

Type of personal data, with a description of the personal data and the phase in which it is collected, e.g.:

Identity and right to work information
  • Recruitment: Name, title, nationality, home address, email address, phone numbers, and residency or citizenship information required to verify the right to work, as well as identification documents such as a driving licence, passport, identity card, visa, or work or residency permit.
  • Employment (in addition to the Recruitment data): Date of birth, former names, gender, home address, social security number (or equivalent national ID), marital status, number of dependents, immigration history (including residency and work permit status).

Professional background and background screening
  • Recruitment: Educational history and credentials, prior employment history, professional and language skills, application documents (such as CV, cover letter and reference letters), background and security check results (including criminal and credit checks where lawful), and role-related capability or suitability assessments collected as part of the recruitment process, including results of pre-employment medical examinations and drug testing where such assessments are legally permitted, necessary for the role, and conducted in accordance with applicable employment, occupational health, and data protection legislation.

Training and qualification
  • Recruitment: Information identifying mandatory qualifications or certifications required for the role (but not general CV‑level education or work history).
  • Employment (in addition to the Recruitment data): Records of completed training and qualifications, training completion status, assessment results, training dates and duration, the content or subject matter of training, regulatory and compliance training records, and information relating to professional qualifications, certifications, licences and competencies.

Payroll & tax information
  • Employment (in addition to the Recruitment data): Bank account details, tax‑related information, and data required for payroll and statutory reporting.

Employment details and HR records
  • Employment (in addition to the Recruitment data): Business title, compensation, benefits and pension information, organization details, employment start and end dates, historical employment changes, working time, sick leave and other absence information, wellbeing and occupational health information, performance management information, and travel management information such as passport expiration date, travel fees and allergies.

Video and photos
  • Recruitment: Recorded or remote video interviews and photos included in the CV or application.
  • Employment (in addition to the Recruitment data): Photo used in internal systems, technical video monitoring, and voluntary photos or videos taken at events.

3. How we use your data 

We process your personal data for the following purposes, e.g.:

  • Recruitment purposes
  • Payment of salary and/or commission
  • Management of benefits
  • Administration of the employment relationship
  • People management, planning, control, audits, statistics as well as operational planning and risk management
  • Training and qualification
  • Administration of training and qualification records 
  • Travel management
  • Internal services and system testing
  • Internal and external communication

4. Legal Basis 

We process your data based on the following Legal Grounds: 

Legal Ground and Purpose

Consent of the data subject
  • To process voluntary photographs and video recordings taken at events.
  • To store application data in a talent pool for future recruitment opportunities.
  • To process any other optional personal data where explicit consent is required.

Performance of a contract
  • To manage and administer employment relationships, including onboarding, payroll, benefits, performance management, and termination processes.
  • To fulfil obligations arising from other contractual relationships.
  • To process information relating to commission recipients and compensation arrangements.
  • To manage business travel arrangements, reimbursements and related reporting.
  • To administer training, qualification, certification and education-related activities.
  • To support internal communication and cooperation necessary for contractual performance.

Compliance with legal obligations
  • To comply with statutory, regulatory and reporting obligations under labor, tax, social security, occupational safety and other applicable laws.
  • To maintain legally required records and documentation.
  • To support audits, inspections and regulatory reporting.
  • To ensure continuity of operations and manage operational, legal and compliance risks.
  • To process training and qualification data where required by mandatory legal obligations.

Legitimate interests
  • To support recruitment, candidate evaluation and workforce planning.
  • To manage and develop HR processes and organizational development.
  • To maintain, develop and test internal systems, services and business operations.
  • To protect business operations, information security and corporate assets.
  • To ensure continuity of business activities and effective risk management.
  • We only process personal data based on our legitimate interests where we have determined, based on a balancing of interests test, that the rights and interests of the data subject do not override our legitimate interest.

5. How we share your data 

We may share your data with the following recipients in accordance with global data protection regulations:

  • Third Parties: We may share your data with third parties who assist us in performing technical operations, such as data storage and hosting services.
  • Travel service providers: In case of business travel, we may share your travel management information with travel agencies or transportation companies for travel management purposes.
  • Change of Ownership: If there is a change in ownership or control of our company, including any of our products, services, or assets, we may disclose your personal data to the new owner, successor, or assignee.
  • Intranet and Communication Tools: Personal data within our data files may be accessible via our intranet and communication tools, which are available to our employees, including those located in countries outside the European Union (EU) and the European Economic Area (EEA).
  • International Data Transfers: Personal data, including recruitment data, may be transferred within our organization to countries outside the EU and EEA, specifically to India, Kazakhstan, and Ukraine. By default, personal data will not be transferred or disclosed outside the EU or EEA. However, in certain situations, such as when a service provider’s servers are located outside the EU or EEA or when data processing occurs outside these regions for technical support purposes, personal data may be transferred. In such cases, the data will be transferred and processed in a legal manner with appropriate safeguards, such as standard contractual clauses approved by relevant data protection authorities, or other applicable mechanisms to ensure adequate protection of your data.
  • Authorities: Training and qualification data may be shared with authorities if Orion is audited and the authorities request evidence regarding a person’s training and/or qualification records.
  • Learning management system service provider: Training and qualification data may be shared with the platform service provider for troubleshooting and issue resolution.

6. How we store data and the retention period of your data 

We store data manually and electronically. The manual data is stored in an area with restricted access, available only to authorized persons. The protection of the electronic data files utilizes technical data protection (several security mechanisms), and electronically stored information is accessible only to authorized persons.

We retain your personal data for no longer than is necessary for the purposes defined in this notice, unless the data is required to be preserved in connection with a litigation or investigation process. However, local regulations may have more detailed requirements to be followed depending on the local Orion Subsidiary you are associated with. Please contact us if you want more information on how local requirements may differ from the below retention periods. When personal data is no longer necessary for these purposes, the data will be securely deleted.  

Type of Data and Common Retention Period

Recruitment
  • Recruitment data and application documents will be deleted 2 years after the application process is completed and the position has been filled.
  • The candidate profile will be deleted in line with your application documents. If you apply for more than one position, the latest application will trigger the deletion of your candidate profile.

Employment
  • Detailed* information regarding the employment relationship will be deleted within 2 years after the end of the employment or contractual relationship.
  • Basic** information regarding the employment relationship will be deleted no later than 10 years after the end of the employment relationship.
  • Minimum*** information requirements based on the pharmaceutical industry regulation to verify the employee’s training and qualification information will be deleted no later than 25 years after the end of the employment relationship, with the exception of Pharmacovigilance training and qualification records, which will be archived permanently.
  • Deviating retention period: Training and qualification data used for testing purposes in a test environment will be deleted within 1 year after the end of employment or contractual relationship.

Other contractual relationship with the controller and recipients of a commission
  • Basic information regarding the contract or a payment of commission will be deleted within 10 years of the payment.

*Detailed information can include, for example, documentation, training and qualification, health-, and performance-related data.

**Basic information can include, for example, identification data, employment-related data, travel management data, or timelines.

***Minimum information can include, for example, person identification data, the start and end dates of employment, and job title(s).

7. How we use Artificial Intelligence

We may use Artificial Intelligence (AI)–based tools to support certain aspects of our recruitment and talent acquisition processes. AI may be used, for example, to assist with administrative or preparatory tasks such as organizing, structuring, or reviewing application materials, identifying relevant qualifications or experience, or supporting communication and scheduling activities.

AI tools are used only to support human decision-making and do not replace it. We do not use AI to make automated decisions that produce legal or similarly significant effects on applicants, nor do we carry out fully automated decision-making or profiling within the meaning of applicable data protection laws. All recruitment decisions are ultimately made by human reviewers.

AI is used in accordance with applicable data protection legislation, and appropriate safeguards are in place to ensure fairness, transparency, data minimization, and the protection of applicants’ rights.

8. Your rights and options

You have the right to:

  • Access your data: You can request information and a copy of the personal data collected and stored about you in connection with our operations / this information notice.
  • Rectify inaccurate data: In order to keep your data up-to-date and accurate, you can request us to modify your data by contacting us as described in chapter 12.
  • Erase your data: You can contact us if you think the processing of your personal data is unlawful, and your data should be erased. We shall erase or anonymize your personal data without undue delay in accordance with the retention periods detailed in chapter 6 if the data in question is erroneous, unnecessary, incomplete, or obsolete as regards the purpose of the processing.
  • Restrict processing: If you want to restrict our processing of your personal data, please contact us.
  • Object to processing: If you want to object to the processing of your data in connection with processing activities relying on our legitimate interests, please contact us. When making the request, please specify the scope of your request.
  • Data portability: You have the right to data portability, i.e. the right to receive the personal data that you have provided to Orion and that is being processed by automated means, in a structured and machine-readable format, and the right to transmit this data to another controller, where the basis for the processing of personal data is consent or the fulfilment of a contract between the other controller and you.
  • Withdraw consent: You can withdraw any consent that you may have given us for data processing activities. After withdrawing your consent, we will no longer process your personal data for the purposes the consent was asked for. Please note that the withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful.

9. Cookies and Tracking Technologies

We use cookies and similar technologies. For more information on how we use cookies, please read our Cookie Policy.

10. Security Measures

We hold your personal data in a combination of secure computer storage facilities.

We have implemented appropriate measures to ensure the level of security around your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to it.

We have put in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk of harm that might result from unauthorised or unlawful processing, accidental or unlawful loss, destruction or alteration of, unauthorised access to (or disclosure of), or damage to your personal data, including:

  • locks and security systems;
  • encryption;
  • usernames and passwords;
  • virus checking;
  • auditing procedures and regular data integrity checks; and
  • recording file movements.

We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They must only process your personal data on our instructions and subject to the access controls listed above. They are also subject to a duty of confidentiality.

We have agreed on security-related measures with the third parties we share your personal data with to ensure that it is treated by those third parties in a way that is consistent with how we safeguard your personal data.

We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority where we are legally required to do so.

11. Changes to this Notice 

We reserve the right to change this notice from time to time. We will review this notice periodically and update it accordingly if we change our processes materially. We may make changes to this notice when we believe it is reasonable to do so, e.g. to comply with legal or regulatory requirements.

12. Contact Us

If you wish to use your rights as a data subject described in chapter 8, or if you have any questions or concerns, please contact us at privacy@orion.fi.

Please note that we will contact you to verify your identity in order to proceed with your request if you wish to use your rights as a data subject.

Data Protection Officer (DPO): Jyri Wesanko, privacy@orion.fi