Data Privacy Statement for Recruitment

This Data Privacy Policy Statement explains how Beiersdorf will use  personal data you submit with your application when you apply for a position advertised by us. It also describes your data protection rights, including the right to object to some of Beiersdorf’s processing operations. For more information on your rights and how you can exercise them, please refer to the section “Legal rights in relation to personal data and how to exercise them”.

This Data Privacy Policy Statement supplements our existing General Data Privacy Statement, which gives you specific information on how we process personal data obtained from you visiting our website and related to non-application-specific topics. 

1. Data controller and contact details
2. Collection of personal data
3. Use of personal data
4. Legal basis for processing
5. Data Sharing
6. Legal rights in relation to personal data and how to exercise them
   6.1. Right of access
   6.2. Right to rectification and erasure
   6.3. Right to restriction of processing
   6.4. Right to data portability
   6.5. Right to object
7. Data retention
8. Objection or Withdrawal of your consent to the Processing of Personal Data   

Responsible for the processing of personal data within the meaning of Art. 4 (7) GDPR is: Beiersdorf Hong Kong Limited (see our imprint).

Alternative:
Responsible for the processing of personal data within the meaning of Art. 4 (7) GDPR is the company stated in the job application. You can find the contact details of the Data Protection Officers in the German Beiersdorf affiliates under following link: https://www.beiersdorf.de/meta-pages/datenschutzerklaerung/beiersdorf-datenschutzbeauftragter-webseite. 

During the recruitment process, we collect and store the following categories of personal data about you:

• Data which you have provided to us in your candidate profile, including first and last name, country, e-mail address, phone number.
  Data which you have entered on our  application form, including desired annual salary, your motivation, information about disabilities (if and to the extent that it is relevant for the job offered).
• Data which you have provided to us in your application documents (curriculum vitae CV, cover letter) including work experience, qualifications and language skills.
• Data from online assessments (e.g. personality tests, cognitive ability tests) and video interviews (if applicable).
• Data provided to us by your referees (if applicable). These are reference points that you have given us to contact.
  

We evaluate the results of your cognitive ability tests using relevant reference groups to assess your profession and level of experience.

We collect personal data directly from you or from our external partners, e.g. headhunters. We can also obtain information from professional social networks, such as LinkedIn, job boards such as Monster, and from other publicly accessible sources (only information relevant to your professional life) for the purposes of actively approaching you with job offers or for the purpose of confirming the accuracy of the information presented by you within the course of the application. 

Your personal data may be used for following purposes:

• To assess your application for the job offered and to communicate with you within the recruitment process.
• To contact you in case of an alternative career opportunity within the Beiersdorf group (you can restrict the visibility of your candidate profile to the team involved in your current application or grant it to Beiersdorf’s recruiters worldwide).
• Based on your consent to ask you about your experience within the recruitment process.
• To contact you following your unsolicited application.

Personal data collected in the course of the recruitment process will be used to assess your application, and if an employment relationship is established, also for the execution of the employment relationship. For specific positions, you may be required to take online cognitive ability test and personality test. The legal basis for the cognitive ability test is DDP1(1)(c)(see Schedule 1). Provision of  personal data is obligatory for the application process, which is required for the processing and conclusion of your application for an employment contract with us.  The legal basis for the personality test is your consent pursuant to DDP1(3)(a)(i)&(ii), DDP1(3)(b)(i) and DDP1(A). 

When we obtain information from your public profile on professional social networks, such as LinkedIn, we base this processing on our legitimate interest to build a decision base in order to establish an employment relationship with you. The legal basis is DDP1(2) and DPP3.

When we invite you to participate in a survey on your satisfaction with the application process at Beiersdorf the relevant legal basis is DDP1(1)(c). Furthermore, we may process personal data about you where this is necessary to defend ourselves against legal claims arising from the application process that are brought against us. The legal basis for this is section 60B under Part 8, Cap. 486, Laws of Hong Kong.

We may transfer your personal data to companies affiliated with us provided this is permissible within the scope of the purposes and legal bases outlined above. For the processing activities in our online recruiting system Beiersdorf Group companies are jointly responsible. The essence of the arrangement of this joint determination is that Beiersdorf AG, Germany, is predominantly responsible to fulfill information duties according to data protection law and provide information on the joint processing. We might share your candidate profile with other recruiting teams in the Beiersdorf Group. You can manage the visibility options of your profile by selecting whether your profile should be visible to the recruiting team involved in your current application or recruiting teams within the Beiersdorf Group worldwide. If you do not wish to be further considered for relevant job offerings, you can request the deletion of your candidate profile, see section “Data retention”. 

Furthermore, personal data may be processed on our behalf on the basis of contracts pursuant to DPP2(3) & DPP4(2), especially by providers of systems for applicant management and selection procedures. We do not share data with third parties that have no reference to our application management and application procedures or other use cases we describe in section “Use of personal data”.

In the event of a legal obligation, we reserve the right to disclose information about you if we are required to surrender it to competent authorities or law enforcement bodies. The legal basis is section 60B under Part 8, Cap. 486, Laws of Hong Kong.

6.1. Right of access

You can request information about your personal data (commonly known as data subject access request). You can exercise this right by contacting us under the above mentioned contact details of the controller.

6.2. Right to rectification and erasure

If you wish to update the personal data provided to us, you can send us an email to recruitment@beiersdorf.com or you can modify the data yourself in the relevant application within your candidate profile. Under certain conditions, you can ask us to erase your personal data.

6.3. Right to restriction of processing

Under certain conditions you have the right to restrict the processing of your personal data, e.g. when you want us to verify the accuracy of your personal data. You can adjust the visibility of your profile at any time or opt out of notifications.

6.4. Right to data portability

Under certain conditions you have the right to receive the personal data concerning you which you provided to us in a structured, commonly used and machine-readable format.

6.5. Right to object

If we process your data to protect legitimate interests, you may object to such processing for reasons arising from your particular situation. For more information see section “Objection or Withdrawal of your consent to theProcessing of Personal Data”. Furthermore, you have the right to lodge a complaint with a supervisory authority concerning the processing of your personal data. 

We retain your data for a period of 24 months after your last log in date in your profile. This is necessary for the burden of proof in the event of a legal claim based on section 60B under Part 8, Cap. 486, Laws of Hong Kong. We further retain your personal data in that period in case there is a relevant job offering for which you will be a fitting candidate. You can manage the visibility settings of your candidate profile as described in 5. “Data sharing”. In addition, you can request the deletion of your candidate profile or the withdrawal of your application by contacting our recruitment experts at recruitment@Beiersdorf.com.

In case your application is successful we may store your personal data within the subsequent employment in compliance with the applicable legal regulations. More information can be found in the Data Privacy Statement for employees that we will provide to you on acceptance of the job. 

This does not apply in Hong Kong If you have given your consent DDP1(3) to the processing of your data (e.g. when we invite you to participate in a survey on your satisfaction with the application process at Beiersdorf), you can withdraw your consent at any time. Such a withdrawal influences the permissibility of processing your personal data after you have given it to us. If we base the processing of your personal data on the weighing of interests DDP1(3), you may object to the processing. This is the case if processing is not necessary in particular to fulfil a contract with you, which is described by us in the Chapter “Use of data”. When exercising such objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust data processing or point out to you our compelling reasons worthy of protection, on the basis of which we will continue processing. 

[ss. 2(1) & (6)]

Data Protection Principles

Principle 1—purpose and manner of collection of personal data

(1) Personal data shall not be collected unless—

(a) the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;

(b) subject to paragraph(c), the collection of the data is necessary for or directly related to that purpose; and

(c) the data is adequate but not excessive in relation to that purpose.

(2) Personal data shall be collected by means which are—

(a) lawful; and

(b) fair in the circumstances of the case.

(3) Where the person from whom personal data is or is to be collected is the data subject, all practicable steps shall be taken to ensure that— 
(Amended 18 of 2012 s. 40)

(a) he is explicitly or implicitly informed, on or before collecting the data, of—

(i) whether it is obligatory or voluntary for him to supply the data; and

(ii) where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and

(b) he is explicitly informed—

(i) on or before collecting the data, of—

(A) the purpose (in general or specific terms) for which the data is to be used; and

(B) the classes of persons to whom the data may be transferred; and

(ii) on or before first use of the data for the purpose for which it was collected, of—
(Amended 18 of 2012 s. 40) 

(A) his rights to request access to and to request the correction of the data; and

(B) the name or job title, and address, of the individual who is to handle any such request made to the data user,
(Replaced 18 of 2012 s. 40)

unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data was collected and that purpose is specified in Part 8 of this Ordinance as a purpose in relation to which personal data is exempt from the provisions of data protection principle 6.
(Amended 18 of 2012 s. 40; E.R. 1 of 2013)

Principle 2—accuracy and duration of retention of personal data

(1) All practicable steps shall be taken to ensure that—

(a) personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used;

(b) where there are reasonable grounds for believing that personal data is inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used— 
(Amended 18 of 2012 s. 40)

(i) the data is not used for that purpose unless and until those grounds cease to be applicable to the data, whether by the rectification of the data or otherwise; or

(ii) the data is erased;

(c) where it is practicable in all the circumstances of the case to know that—

(i) personal data disclosed on or after the appointed day to a third party is materially inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used by the third party; and

(ii) that data was inaccurate at the time of such disclosure, that the third party—

(A) is informed that the data is inaccurate; and

(B) is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.
(Amended 18 of 2012 s. 40) 

(2) All practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used.
(Amended 18 of 2012 s. 40)

(3) Without limiting subsection (2), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.
(Added 18 of 2012 s. 40)

(4) In subsection (3)—

data processor(資料處理者) means a person who—

(a) processes personal data on behalf of another person; and

(b) does not process the data for any of the person’s own purposes.
(Added 18 of 2012 s. 40)

Principle 3—use of personal data

(1) Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose.
(Amended 18 of 2012 s. 40)

(2) A relevant person in relation to a data subject may, on his or her behalf, give the prescribed consent required for using his or her personal data for a new purpose if—

(a) the data subject is—

(i) a minor;

(ii) incapable of managing his or her own affairs; or

(iii) mentally incapacitated within the meaning of section 2 of the Mental Health Ordinance (Cap. 136);

(b) the data subject is incapable of understanding the new purpose and deciding whether to give the prescribed consent; and

(c) the relevant person has reasonable grounds for believing that the use of the data for the new purpose is clearly in the interest of the data subject.
(Added 18 of 2012 s. 40) 

(3) A data user must not use the personal data of a data subject for a new purpose even if the prescribed consent for so using that data has been given under subsection (2) by a relevant person, unless the data user has reasonable grounds for believing that the use of that data for the new purpose is clearly in the interest of the data subject.
(Added 18 of 2012 s. 40)

(4) In this section— new purpose(新目的), in relation to the use of personal data, means any purpose other than—

(a) the purpose for which the data was to be used at the time of the collection of the data; or

(b) a purpose directly related to the purpose referred to in paragraph (a).
(Added 18 of 2012 s. 40)

Principle 4—security of personal data

(1) All practicable steps shall be taken to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to— 
(Amended 18 of 2012 s. 40; 17 of 2018 s. 129)

(a) the kind of data and the harm that could result if any of those things should occur;

(b) the physical location where the data is stored; (Amended 18 of 2012 s. 40)

(c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
(Amended 18 of 2012 s. 40)

(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and

(e) any measures taken for ensuring the secure transmission of the data.

(2) Without limiting subsection (1), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
(Added 18 of 2012 s. 40)

(3) In subsection (2)— data processor (資料處理者) has the same meaning given by subsection (4) of data protection principle 2.
(Added 18 of 2012 s. 40)

Principle 5—information to be generally available

All practicable steps shall be taken to ensure that a person can—

(a) ascertain a data user’s policies and practices in relation to personal data;

(b) be informed of the kind of personal data held by a data user;

(c) be informed of the main purposes for which personal data held by a data user is or is to be used.
(Amended 18 of 2012 s. 40)

 Principle 6—access to personal data

A data subject shall be entitled to—

(a) ascertain whether a data user holds personal data of which he is the data subject;

(b) request access to personal data—
(i) within a reasonable time;

(ii) at a fee, if any, that is not excessive;

(iii) in a reasonable manner; and

(iv) in a form that is intelligible;

(c) be given reasons if a request referred to in paragraph (b) is refused;

(d) object to a refusal referred to in paragraph (c);

(e) request the correction of personal data;

(f) be given reasons if a request referred to in paragraph (e) is refused; and

(g) object to a refusal referred to in paragraph (f). 

60B. Legal proceedings etc.

Personal data is exempt from the provisions of data protection principle 3 if the use of the data is—

(a) required or authorized by or under any enactment, by any rule of law or by an order of a court in Hong Kong;

(b) required in connection with any legal proceedings in Hong Kong; or

(c) required for establishing, exercising or defending legal rights in Hong Kong.
(Added 18 of 2012 s. 34)