Data Protection


This data protection policy defines the internally approved data protection principles for processing of personal data within Horton International Oy (“Horton” or “we”). Data protection and privacy are very important to Horton.

This data protection policy sets out how we will endeavour to ensure lawful processing of personal data and high level of data protection. This policy will apply to Horton and executive search activities performed by it.


Scope and goals of this data protection policy

This policy will endeavour to ensure that the legal rights of Horton customers, job candidates, own employees as well as of other constituencies are enforced with respect to processing of personal data by us and our data processors We pay special attention to confidentiality of and access rights to personal data. We want to ensure that nobody will be harmed by processing of his/her personal data and that rights of the data subjects are implemented.

Data protection is closely linked to data security. We will describe this in detail under the “data security and confidentiality”-paragraph of this policy.

Processing personal data – our principles

In this policy personal data means any information relating to an identified or identifiable natural person. Identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online of that natural person.

The processing of personal data in Horton’s operations will be planned and the processing and collecting of the data is carried out according to Horton’s Data Protection Policy, guidelines and data protection legislation.

Horton follows the following principles when processing any personal data.

Lawful, fair and transparent processing of personal data

We will ensure that the processing of personal data is lawful, fair and transparent for the data subject. We will inform the data subjects e.g. of what personal data is collected from them, for what purpose, where the data is collected from and where the data is transferred.

A data protection statement will be drafted for Horton executive search register and we will take care that the data subject is informed of the processing of personal data in a timely manner. The information concerning existing personal data register and the data protection statement is available at Responsible person is named in the data protection statement for the respective data register. You can always turn to him/her if you have any questions concerning that data register.

The collection and processing of personal data is always based on legislation, customer agreement, the legitimate interest of Horton or other pertinent connection, or the consent of the data subject.

Respecting the rights of the data subject

We will ensure that we will inform the data subjects appropriately and in a timely manner of the processing of data and their rights regarding data processing. The data subject has the right to inspect data, the right to be forgotten, the right to data portability, the right to object automated individual decision making such as profiling, demand the rectification and the deletion of data, as well as the right to object and restrict the processing of data belong to the rights of a data subject.

We act in a transparent manner. We will ensure in our operations that the rights of the data subject will be taken care of, and that the data subjects are appropriately informed, and that his/her requests are responded swiftly.

Restriction to a specific, explicit and legitimate purpose

We will collect personal data only for a specific purpose, defined in advance. Data collected for a specific purpose may not be used for other purposes. Unless it is obvious that personal data is required for a specific justified purpose, data should not be collected and stored, and it should be erased.

Data Minimizing

We will collect only the appropriate and essential data that is necessary for the purpose in question. The data collected may not be too excessive for the purposes they are collected. Principally, we will not collect sensitive data such as racial and ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sexual preferences, health, illness or disability to the personal data files of Horton.

Keeping personal data accurate and up to date

We will not process erroneous or outdated personal data and we will update or delete the data when necessary. We will update, e.g. the contact details of the data subject at necessary intervals using a trusted source or provide the data subject with an opportunity to do it him-/herself.

Third parties

Horton will only transfer your personal data to its executive search assignment clients and consultancy companies who own Horton and perform assignments for Horton.

Horton engages subcontractors to perform parts of the service, such as companies performing candidate testing services. They may have access to personal data so that they can perform their duties but only to the extent required for their performance.

We may also provide access to information to our affiliated companies and other parties belonging to Horton group of companies globally.

When transferring personal data to third parties, Horton always agrees in a separate written agreement the rights and obligations of the service provider in accordance with the applicable laws.

Data transfer

Personal data collected by Horton International Oy can be transferred to another European Economic Area member state (EU member countries and Iceland, Liechtenstein and Norway) in accordance with the same principles allowing transfer and processing within Finland. We will transfer data outside Finnish borders only if it is required in the executive search assignment.

We will only transfer personal data outside the EEA Area or to an international organisation where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. In the absence of the aforesaid decision we transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Such appropriate safeguards may consist of relying on Privacy Shield (US) or using the EU Model Clauses.

Data retention period

We strive to store the personal data in a form from which the data subject is identifiable for as long as it is necessary to achieve the purpose of the data processing. We will define retention periods for the collected personal data. The premise concerning the retention of data is that we will only use the data for as long as necessary considering the purpose of the data, but for no longer than two years, after which we will renew consent for data processing or delete the personal data (unless due to a statutory special retention obligation).

Data security and confidentiality

We strive to ensure the appropriate data security of personal data by protecting the data from unauthorized and unlawful processing and destruction of data by using the appropriate technical and organizational measures. Technical and organizational measures shall mean various security measures, which are used to ensure the data security of personal data in electric and paper form. Such measures may be, e.g. personnel training and guidelines, non-disclosure commitments, premises supervision, supervision of use, information system data security and technical restrictions, monitoring, inspection and supervision systems, data encryption, anonymization (removal of personally identifiable information where it is not required) and pseudonymizing of data (replacing personally identifiable information with pseudonyms).

We will restrict access to databases containing personal data to persons, who require access to the personal data due to their duties.

Liability of the controller and accountability

We will assess the processes concerning personal data processing and the related risks regularly and ensure that Horton carries out the necessary measures. We will ensure that e.g. appropriate agreements, up-to-date data protection statements and guidelines, as well as functioning and limited access rights are applied in our operations.

Responsibilities and Processing data on behalf of Horton

Horton has appointed a person who develops and steers implementation of data protection within Horton. We have not appointed data protection officer specified in General Data Protection Regulation.

When transferring personal data to third parties, Horton always agrees in a separate written agreement the rights and obligations of the service provider in accordance with the applicable laws.

Ensuring data protection

Data protection training is part of induction of new people in Horton. We also train our staff regularly on data protection and privacy issues. Taking good care of data protection and privacy aligns well with our values.

All persons having access to personal data will be bound by obligation of confidentiality as specified in the applicable laws and their employment or other agreements.

We will investigate of any suspected data breaches without delay. We will inform supervisory authorities and data subjects as required. The person responsible for the data protection issues in Horton will issue more detailed guidance on this.

Informing personnel, data subjects and constituencies

At Horton, the employees are offered guidance and training concerning data protection matters. Each person is obligated to follow the Horton Data Protection Policy. Data subjects and other constituencies are also obliged to follow the Horton Data Protection Policy which is always available for inspection at We will update this policy as required and issue any necessary further instructions of data protection.

Approval of the data protection policy

The Board of Directors of Horton International Oy has approved this policy 07.05.2018

Find a Consultant