Joint controllers: how Fuzu and Employers share responsibility for your data

When you use Fuzu, your personal data is sometimes handled by Fuzu and by an Employer or other organisation together — both of us decide what happens with it, and both of us have responsibilities for protecting it. This is called "joint controllership" under data-protection law.

Joint controllership doesn't apply to everything we do with your data — it applies to specific situations, which we explain below. Where it does apply, the law requires us to tell you how Fuzu and the other organisation share responsibility for your data. This page is that explanation.

If you want the formal legal version, the full Joint Controller Arrangement ("JCA") sets out the technical allocation between Fuzu and Customers. The full Fuzu Privacy Policy describes everything Fuzu does with your data, including the situations where joint controllership doesn't apply.

Fuzu Ltd is a company registered in Helsinki, Finland (business ID FI25462252). Fuzu Ltd is the data controller for most processing on the Fuzu platform globally.

In Nigeria, Fuzu Nigeria Ltd is the local data controller for Nigerian operations. Fuzu Nigeria Ltd is part of the Fuzu group and operates under the same standards, but it's the entity legally responsible for your data if you're in Nigeria.

Whichever entity is involved, we use "Fuzu" on this page for simplicity.

Joint controllership applies in three specific situations on the Fuzu platform. We've named them Scenarios A, C, and D to align with how they're labelled in the full JCA — Scenario B is a fourth situation where joint controllership does NOT apply, which we also explain below.

Scenario A — When you apply to a job posted by an Employer on Fuzu

If you apply to a vacancy that an Employer has posted on Fuzu, your profile information, your application, your communications with the Employer through the platform, the Employer's assessor notes about you, interview records, and the eventual hire outcome are all jointly processed by Fuzu and the Employer.

This is joint controllership because: the majority of candidates applying to vacancies on Fuzu originate from the Fuzu talent pool (so Fuzu's role is more than just providing a job board); Fuzu keeps access to the Employer's campaign data for a defined period after the campaign closes; and Fuzu and the Employer have overlapping purposes in operating the recruitment workflow.

After the Employer closes the campaign for applications (the "Recruitment Process End Date" or "RPED"), Fuzu keeps the campaign data for 30 months. We do this because: Employers often return to a shortlist if the preferred candidate doesn't accept or doesn't perform well, sometimes weeks or months later. The data needs to be available for that. The 30-month period also gives Fuzu what it needs for platform integrity (so Employers can't bypass the platform to avoid fees) and for defending any legal claims that might arise.

If you exercise your right to be forgotten during that 30-month period, your profile is deleted and your identifier in the campaign records is anonymised. A narrow anonymised record of your application is kept for 24 months from the campaign closure date for legal-defence purposes only — after that, it's permanently deleted.

Scenario C — When Fuzu Atlas matches you to a workforce opportunity

Fuzu Atlas connects skilled workforce participants with organisations that need them for specific projects, AI training and evaluation, or other work. From the point you're matched to a Customer to the point you start delivering work for them, Fuzu Atlas and the Customer are joint controllers.

This is joint controllership because both of us make decisions: Fuzu Atlas decides whose profiles to surface, conducts the screening, handles identity verification; the Customer decides who to engage, on what terms, and for what work.

Once you've started delivering work for the Customer, joint controllership ends. After that, the Customer is the sole controller for everything about your performance and engagement. Fuzu Atlas may continue to run the platform that hosts your work — that part is a separate processor relationship.

Scenario D — When Fuzu Elite runs a recruitment process on an Employer's behalf

Some Employers engage Fuzu Elite (or an equivalent managed-recruitment service) to run all or part of a recruitment process on their behalf. In that case, Fuzu's consultants select candidates from the recommendation pool, present a shortlist, and the Employer makes the contracting decision.

This is joint controllership because Fuzu's consultants apply professional judgment to select candidates — Fuzu isn't just providing the platform, Fuzu is actively making selection decisions on the Employer's behalf. The same retention model applies as in Scenario A (30 months from campaign closure).

Scenario B — When joint controllership does NOT apply: passive recommendations

Outside of those three scenarios, Fuzu and Employers act in different capacities. The most important one to know about is what happens when Fuzu just recommends your profile to an Employer based on profile-fit with a job description (without you having applied).

In that case, Fuzu and the Employer are independent controllers — each of us is the sole controller for our own decisions:

• Fuzu is the sole controller of the recommendation step: which profiles get surfaced to an Employer and on what basis.
• The Employer is the sole controller of the decision to add you to their pipeline or to contact you.

Joint controllership only begins if you actually apply or accept contact (at which point Scenario A applies).

Your rights under data-protection law apply against both Fuzu and the Employer in joint-controllership scenarios. You can exercise them against either of us — you don't have to contact both.

In practice, Fuzu acts as the primary point of contact:

• If you contact Fuzu about the joint processing, Fuzu responds. Where the matter relates to processing the Employer carries out as sole controller (such as the Employer's hire decision), Fuzu will refer you to the Employer.
• If you contact the Employer directly, the Employer responds. Where the matter relates to the joint processing, the Employer will coordinate with Fuzu.
• Either of us will tell the other within 5 business days about a request that affects the joint processing.

This applies to every right you have under data-protection law: the right to know what data is held about you, the right to correct inaccurate data, the right to be forgotten (subject to the legal-defence exceptions described above), the right to restrict processing, the right to portability, the right to object, and the right to complain to a supervisory authority.

Beyond your rights, Fuzu and Employers split a number of other responsibilities in joint-controllership scenarios. Here's the practical summary:

• Telling you about the joint processing: Fuzu is the primary owner through the Privacy Policy and this page; Employers may also describe it in their own privacy notices.
• Keeping your data secure: each of us is responsible for security in our own systems. Fuzu's measures are described in our Internal Access Control Policy and Data Processing Addendum.
• Notifying authorities if something goes wrong (a personal data breach): we each have our own statutory duty, but we've contractually committed to notify each other within 24 hours of any incident — well inside the legal 72-hour deadline — so we can coordinate.
• Cross-border transfers of your data: we each manage our own transfers under appropriate legal mechanisms. Fuzu uses EU Standard Contractual Clauses for transfers outside the EEA, and local-law equivalents in Kenya, Uganda, and Nigeria.

Joint controllership requires that Fuzu has appropriate technical and organisational measures to protect joint data. Within Fuzu, access to your campaign data is role-based: not every Fuzu employee can see your assessor notes or interview records. The Fuzu Internal Access Control Policy describes who can access what and under what circumstances. The policy is available to Customers and supervisory authorities on request under appropriate confidentiality.

If you have questions about joint controllership, want to exercise a data-protection right, or want to complain, you can contact Fuzu at:

• Email: privacy@fuzu.com
• Post: Fuzu Ltd, Data Protection Officer, Lapinlahdenkatu 16, 00180 Helsinki, Finland
• Through your account: account settings or the in-product support flow

If you're in Nigeria, you can also contact Fuzu Nigeria Ltd at the details in the Nigeria Addendum to the Privacy Policy.

If you contact the Employer directly, look for the Employer's privacy contact details in their own privacy notice, which will be referenced when they first communicate with you through the platform.

If you're not satisfied with our response to a data-protection issue, you have the right to lodge a complaint with the data-protection supervisory authority in your country:

• Finland and EU/EEA: the Office of the Data Protection Ombudsman of Finland (Tietosuojavaltuutetun toimisto), or another competent EEA supervisory authority where applicable.
• Kenya: the Office of the Data Protection Commissioner (ODPC), www.odpc.go.ke.
• Uganda: the Personal Data Protection Office (PDPO), www.pdpo.go.ug.
• Nigeria: the Nigeria Data Protection Commission (NDPC), www.ndpc.gov.ng.

You're encouraged to contact us first — we want to resolve issues directly — but the right to complain to a supervisory authority is yours, and you can exercise it at any time.

If you want to dig deeper:

• Fuzu Privacy Policy: the full description of how we process your data, including in non-joint-controllership scenarios.
• Fuzu Service Terms: the agreement between you and Fuzu.
• Country-specific addenda: additional information for users in Kenya, Uganda, and Nigeria. Available at fuzu.com/legal/privacy and fuzu.com/legal/terms.
• Fuzu Cookie Notice: how we use cookies.
• Fuzu Atlas data flows: a more detailed FAQ for workforce participants and Atlas Customers. Available at fuzu.com/atlas/data-protection.

For the full legal text of the Joint Controller Arrangement, Fuzu Customers can request a copy through their account contact.