PRIVACY NOTICE FOR CANDIDATES AND APPLICANTS (RECRUITMENT)

This Privacy Notice, also referred to as Data Privacy Policy explains how the Beiersdorf group of companies (each Beiersdorf entity being "we", "us", "our") process your personal data when you apply for a position advertised by us. It also describes your data protection rights, including the right to object to some of Beiersdorf’s processing operations.

For more information on your rights and how you can exercise them, please refer to the section “Legal rights in relation to personaldata and how to exercise them”.

Where applicable, this Privacy Notice supplements our existing General Privacy Notice, which gives you specific information on how we process personal data obtained from you when visiting our website and when we process your personal data in relation to non-application-specific topics.

For certain regions, we provide supplementary information about our use and processing of your personal data in accordance with the laws of the respective jurisdictions. If you reside in or work from any of these regions, please also review the respective annexes (see also section 8. Supplementary information for certain regions).

LIST OF CONTENT

Data controller and contact details
Collection of personal data
Purposes of and legal bases for processing
Data Sharing
Legal rights in relation to personal data and how to exercise them
5.1. Right of access
5.2. Right to rectification and erasure
5.3. Right to restriction of processing
5.4. Right to data portability
5.5. Right to object
5.6. Right to withdraw consent
Data retention
Objection or Withdrawal of your consent to the Processing of Personal Data
Supplementary Information for Certain Regions

1. DATA CONTROLLER AND CONTACT DETAILS

Responsible for the processing of personal data within the meaning of Article 4 (7) of the General Data Protection Regulation ("GDPR") or the equivalent under applicable data protection laws is the company stated in the job application and with regard to global HR management and management of global HR systems, Beiersdorf AG, Beiersdorfstraße 1-9, 22529 Hamburg, Germany, Tel.: +49 40 4909-0, E-Mail: dataprotection[at]Beiersdorf.com.

You can find the contact details of the Data Protection Officers of the Beiersdorf affiliates under the following link: https://www.beiersdorf.de/meta-pages/datenschutzerklaerung/beiersdorf-datenschutzbeauftragter-webseite.

2. COLLECTION OF PERSONAL DATA

Within the recruitment process, we collect and store the following categories of personal data about you:

Data which you have provided to us in your candidate profile, including first and last name, gender, nationality, address, country, e-mail, phone number ("Candidate Profile Data").
Data which you have entered on our candidate application form, including desired annual salary, your motivation, information about disabilities (if and to the extent that it is relevant for the job offered) ("Application Form Data").
Data which you have provided to us in your application documents (curriculum vitae CV, cover letter) including work experience, qualifications and language skills ("Application Documents Data").
Data from online assessments (e.g. personality tests, cognitive ability tests) and video interviews (if applicable) ("Online Assessment Data").
Data provided to us by your referees (if applicable). These are reference points that you have given us to contact ("Referee Data").

During the recruitment we may evaluate the results of cognitive ability tests using relevant reference groups considering your profession and level of experience.

We collect personal data directly from you or from our external partners, e.g. headhunters. We can also obtain information from professional social networks, such as LinkedIn, job boards and from other publicly accessible sources (only information relevant to your professional life) for the purposes of actively approaching you with job offers or for the purpose of confirming the accuracy of the information presented by you within the course of the application ("Public Professional Data").

Providing your personal data as part of the application process is voluntary. However, the provision of personal data that is marked as mandatory is necessary for the processing of your application or the conclusion of an employment contract with us.

If you provide personal data of another person (e.g. referees) to us, you should show them a copy of this Privacy Notice prior to providing us with their personal data.

3. PURPOSES OF AND LEGAL BASES FOR PROCESSING

We process your personal data to make our hiring decision, operate our business and comply with our legal obligations. More specifically, we process your personal data for the purposes and rely on the legal bases set forth in the table below, subject to applicable data protection laws. Where relevant, the legitimate interest is included in the table below as well.

The relevant legal bases include:

Processing necessary to take steps at your request prior to entering into a contract (i.e. processing necessary to make a hiring decision and enter into an employment contract with you) (Article 6 (1) b) GDPR or the equivalent basis under applicable data protection laws).
Compliance with legal obligations (Article 6 (1) c) GDPR or the equivalent basis under applicable data protection laws).
Legitimate interests (Article 6 (1) f) GDPR or the equivalent basis under applicable data protection laws).
Consent (Article 6 (1) a) GDPR or the equivalent basis under applicable data protection laws).

Where we process special categories of personal data (e.g. data concerning health) it will be justified by one of the abovementioned legal bases and one of the following additional conditions:

The processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or us in the field of employment law, social security, social protection law, as well as any other applicable law (Article 9 (2) b) GDPR or the equivalent basis under applicable data protection laws).
The processing is necessary for the establishment, exercise or defense of legal claims (Article 9 (2) f) GDPR or the equivalent basis under applicable data protection laws).
In exceptional circumstances the processing may be carried out subject to your explicit consent (Article 9 (2) a) GDPR or the equivalent basis under applicable data protection laws).
The processing relates to personal data which are manifestly made public by you (Article 9 (2) e) GDPR or the equivalent basis under applicable data protection laws).

Purpose of processing	Legal basis	Legitimate interest (where relevant)	Categories of personal data
To communicate with you within the recruitment process.	Taking steps at your request prior to entering into a contract.	Not applicable ("N/A")	Candidate Profile Data
To assess your application for the job you applied for, to make a decision whether to offer you employment and to provide the employment contract if an offer is accepted.	(i) Compliance with legal obligations (e.g., ensuring that we do not unlawfully discriminate in our hiring decisions) or (ii) taking steps at your request prior to entering into a contract where (i) does not apply.	N/A	Candidate Profile Data, Application Form Data, Application Documents, Referee Data
To consider adjustments or accommodations for the recruitment process if you have a disability.	Consent In case you voluntarily provide us with the information that you have a disability we process this information only to the extent this is necessary for the purposes of carrying out the obligations and exercising the rights of you or us in the field of employment law, social security and social protection law.	N/A	Application Form Data, Application Documents
To verify your qualifications and suitability for the job you applied for (as permitted under applicable law and necessary for the specific position). We may use software (including Artificial Intelligence) that assists us to extract skills from your CV and to evaluate whether they match with the job requirements. In exceptional cases we may also rely on professional information available about you on professional social networks, job boards, and other publicly accessible sources for his purpose.	Legitimate interests. Should any special categories of personal data on professional social networks, job boards, and other publicly accessible sources be processed in this context, this will be limited to such data which was manifestly made public by you.	We have a legitimate interest to find suitable candidates for our vacancies.	Candidate Profile Data, Application Form Data, Application Documents, Referee Data, Public Professional Data
To carry out tests in order to assess your suitability for a role Note: Participating in a personality test is voluntary. Otherwise, tests are generally only carried out for specific roles (such as cognitive ability test).	(i) consent or (ii) taking steps at your request prior to entering into a contract We process special categories of personal data in this context only to the extent (i) we received your explicit consent and/or (ii) that is necessary for the purposes of carrying out the obligations and exercising the rights of you or us in the field of employment law, social security and social protection law.	N/A	Candidate Profile Data, Online Assessment Data
To contact you in case there are (alternative) career opportunities with us and/or at the Beiersdorf group of companies. Note: you can restrict the visibility of your candidate profile to the team involved in your current application or grant it to Beiersdorf’s recruiters worldwide.	Consent In respect to the processing of professional information about you on professional social networks, job boards, and other publicly accessible sources: Should such processing include processing of special categories of personal data, the processing is limited to such data which was manifestly made public by you.	N/A	Candidate Profile Data, Application Form Data, Application Documents, Public Professional Data
We may proactively approach you based on professional information available about you on professional social networks, job boards, and other publicly accessible sources.	(i) Legitimate interests or (ii) consent where we obtained consent for this purpose. In respect to the processing of professional information about you on professional social networks, job boards, and other publicly accessible sources: Should such processing include processing of special categories of personal data, the processing is limited to such data which was manifestly made public by you.	We have a legitimate interest in finding suitable candidates for our vacancies and other entities of the Beiersdorf group.	Public Professional Data
To ask you for feedback about your experience with the recruitment process.	Consent	N/A	Candidate Profile Data
To safeguard our rights.	(i) Legitimate interests or (ii) where processing is necessary for our regular exercise of rights in judicial, administrative or arbitration procedures. We process special categories of personal data in this context only to the extend necessary for the purpose of establishment, exercise and defense of legal claims.	We have a legitimate interest in the establishment, exercise and defense of legal claims.	Candidate Profile Data, Application Form Data, Application Documents, Referee Data, Online Assessment Data, Public Professional Data
To comply with legal obligations to which we are subject (e.g. deriving from tax law, foreign trade law or sanctions regulations).	(i) Compliance with legal obligations or (ii) legitimate interests where the compliance with legal obligations legal basis does not apply. We process special categories of personal data in this context only to the extent that is necessary for the purposes of carrying out the obligations and exercising the rights of you or us in the field of employment law, social security and social protection law.	We have a legitimate interest in complying with legal obligations to which we are subject, i.a. to avoid sanctions that may result from non-compliance.	Candidate Profile Data, Application Form Data, Application Documents, Referee Data, Online Assessment Data, Public Professional Data
For any of the above listed purposes it might be necessary to transfer data to other entities of the Beiersdorf group of companies.	(i) Consent where the relevant processing activity listed above relies on consent or (ii) taking steps at your request prior to entering into a contract where (i) and (iii) do not apply or (iii) legitimate interests where (i) and (ii) do not apply.	We, as part of the Beiersdorf group of companies, have a legitimate interest in transferring your personal data within the group for internal administrative purposes where this is necessary for the purposes of effective recruitment.	Candidate Profile Data, Application Form Data, Application Documents, Referee Data, Online Assessment Data, Public Professional Data

4. DATA SHARING

We may transfer your personal data to companies affiliated with us provided this is permissible within the scope of the purposes and legal bases outlined above. For the processing activities in our online recruiting system Beiersdorf Group companies are jointly responsible. The essence of the arrangement of this joint determination is that Beiersdorf AG, Germany, is predominantly responsible to fulfill information duties according to data protection law and provide information on the joint processing. We might share your candidate profile with other recruiting teams in the Beiersdorf Group if you chose this option in the application form. You can manage the visibility options of your profile by selecting whether your profile should be visible to the recruiting team involved in your current application or recruiting teams within the Beiersdorf Group worldwide. If you do not wish to be further considered for relevant job offerings, you can request the deletion of your candidate profile or use the self-service function.

Furthermore, personal data may be processed on our behalf on the basis of data processing agreements pursuant to Article 28 GDPR, or other applicable laws, especially by providers of systems for candidate management and selection procedures. We do not share data with third parties that have no reference to our application management and application procedures or other use cases we describe in this privacy notice.

Where applicable such transfers may involve the transfer of personal data to recipients outside the European Union / European Economic Area. Standard contractual clauses (from the implementing decision (EU) 2021/914 of 4 June 2021) have been concluded with these recipients, unless they are based in countries with an adequacy decision pursuant to Article 45 GDPR (a list of these countries is available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) or GDPR provides for an exception under Article 49 GDPR. Where the transfer in this context is made to a recipient acting as a processor for us (i.e., processing personal data on our behalf), Module Two (transfer from controller to processor) of the standard contractual clauses is relevant; where the transfer is made to third party controllers, Module One (transfer from controller to controller) is relevant. In case the transfers are carried out by a service provider, which we have engaged as a processor, to a sub-processor, Module Three (transfer from processor to processor) may be implemented to govern such transfers.

To request a copy of standard contractual clauses (to the extent we rely on such) you may contact us (see section "Data controller and contact details"). Please note that such copy may be redacted to the extent necessary to protect business secrets or other confidential information.

Further recipients can be found in the general recipients section 1.4 of the General Data Privacy Policy.

In the event of a legal obligation, we reserve the right to disclose information about you if we are required to surrender it to competent authorities or law enforcement bodies to comply with legal obligations or this is necessary to safeguard our rights.

5. LEGAL RIGHTS IN RELATION TO PERSONAL DATA AND HOW TO EXERCISE THEM

Depending on where you are located or the location of the entity to which you are applying, you have the following rights in relation to your personal data. If the entity is located in the European Economic Area, you have these rights provided that the relevant legal requirements under GDPR are met.

5.1. Right of access

You can request information about your personal data (commonly known as data subject access request). You can exercise this right by contacting us under the above mentioned contact details of the controller.

5.2. Right to rectification and erasure

If you wish to update the personal data provided to us, you can send us an email to RC[at]Beiersdorf.com or you modify the data yourself in the relevant application within your candidate profile. Under certain conditions, you can ask us to erase your personal data.

5.3. Right to restriction of processing

Under certain conditions you have the right to restrict the processing of your personal data, e.g. when you want us to verify the accuracy of your personal data. You can adjust the visibility of your profile at any time or opt out of notifications.

5.4. Right to data portability

Under certain conditions you have the right to receive the personal data concerning you which you provided to us in a structured, commonly used and machine-readable format.

5.5. Right to object

If we process your data to protect legitimate interests, you may object to such processing for reasons arising from your particular situation. For more information see section “Objection or Withdrawal of your consent to the Processing of Personal Data”.

5.6. Right to withdraw consent

You have the right to withdraw consent we have obtained from you at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. For more information see section “Objection or Withdrawal of your consent to the Processing of Personal Data”.

To exercise your rights, you may contact us (see section "Data controller and contact details") or log in to your Candidate Profile and use the self-service function for rectification, erasure and access to your account data.

6. DATA RETENTION

Your personal data will generally only be stored until the personal data are no longer necessary in relation to the purposes for which they were collected (or otherwise processed).

We retain your Candidate Profile Data for as long as your candidate profile is active. We delete such profile and related Candidate Profile Data after 12 months of inactivity (South Africa 6 months). Application Form Data, Application Documents Data, Online Assessment Data, Referee Data and Public Professional Data regarding a specific application will be retained for 6 months after finalizing the recruitment process related to a specific application and deleted afterwards.

We further retain your personal data in that period in case there is a relevant job offering for which you will be a fitting candidate and you set the visibility of your candidate profile as described in 4 Data sharing. In addition, you can request the deletion of your candidate profile or the withdrawal of your application by contacting our recruitment experts at RC[at]Beiersdorf.com.

As an exception, personal data may be stored longer where their processing is necessary for compliance with a legal obligation – including compliance with statutory retention periods – to which we are subject or for the establishment, exercise or defense of legal claims.

You can access your Candidate Profile and the information stored there via the link you received in our Mails. You can also unsubscribe from the Beiersdorf Job Agent and stop receiving information on current job postings in the menu of your candidate profile.

In case your application is successful we may store your personal data within the subsequent employment in compliance with the applicable legal regulations. More information can be found in the Privacy Notice for employees that we will provide to you on acceptance of the job or during your onboarding.

7. OBJECTION OR WITHDRAWAL OF YOUR CONSENT TO THE PROCESSING OF PERSONAL DATA

If you have given your consent (Article 6 (1) a) GDPR or the equivalent basis under applicable laws) to the processing of your data, you can withdraw your consent at any time. Such a withdrawal influences the permissibility of processing your personal data after you have given it to us.

If we base the processing of your personal data on legitimate interests (Article 6 (1) f) GDPR or the equivalent basis under applicable laws), you may object to the processing. This is the case if processing is not necessary in particular to fulfil a contract with you, which is described by us in the Section Purposes of and Legal Bases for Processing. When exercising such objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust data processing or point out to you our compelling reasons worthy of protection, on the basis of which we will continue processing.

8. SUPPLEMENTARY INFORMATION FOR CERTAIN REGIONS

If you are located or are applying to work outside of the European Union/EEA, please also review the Annexes applicable to your region for further information about our collection, use and processing of your personal data:

• Annex III – Middle East and Africa ("Middle East and Africa Annex)"

In the event of conflict between the content of this Privacy Notice and the applicable regional annex, the latter shall prevail.

Annex III – Middle East and Africa ("Middle East and Africa Annex")

Reference to controller, data subject, personal data, process, special categories of personal data and supervisory authority in this Privacy Notice and Middle East and Africa Annex shall include the equivalent terms under applicable laws in the Middle East and Africa region.

DATA CONTROLLER AND CONTACT DETAILS

The Beiersdorf entity that you are making an application to work for is the data controller collecting and processing your personal data as described in this Privacy Notice. Details of the relevant Beiersdorf entity is available here: Global Business | About Us - Beiersdorf .

You can find the contact details of the Data Protection Officers or representative of the relevant Beiersdorf entity below.

For each of Kenya, South Africa, and Nigeria, the contact details for privacy-related inquiries are as follows:

Data Protection Officer: Thobeka Dandala
Email: Thobeka.Dandala@Beiersdorf.com
Postal Address: refer to the postal address of the controller (available here: Global Business | About Us - Beiersdorf), with correspondence marked for the attention of the “Data Protection Officer.”

COLLECTION OF PERSONAL DATA

In principle, your personal data will be collected directly from you by automated and non-automated means.

In line with local data protection laws, where we collect your personal data from third parties, we will do so only as permitted by law. This includes where you have consented, made the data publicly available, or where collection is necessary for a legitimate purpose (such as verifying application details). The legal basis for this collection, as well as the types of personal data and sources involved, are outlined in the relevant sections of this Privacy Notice.

PURPOSES OF AND LEGAL BASES FOR PROCESSING

In the Middle East and Africa, where the legal basis set out in the Legal Basis for Processing section in the Privacy Notice above does not apply under applicable law, or where required by applicable law, we will obtain your consent to the collection, use, transfer and other processing of your personal data or we will rely on another lawful basis for processing as recognized by applicable data protection laws.

The specific legal basis we rely on will depend on the nature of the processing and the applicable local law. Where consent is required, we will ensure that it is obtained in accordance with applicable data protection laws.

DATA RETENTION

Supplemental Information for South Africa: Notwithstanding the general data retention principles outlined above, for South Africa, we retain both your Candidate Profile Data and your Application Form Data, Application Documents Data, Online Assessment Data, Referee Data, and Public Professional Data for 6 months after the last activity or finalization of the recruitment process, respectively, in line with the applicable limitation periods for employment-related claims under South African law.

In each case, personal data may be retained longer where required to comply with legal obligations or for the establishment, exercise, or defense of legal claims, as further described above.

DATA SHARING

Where we share your personal data with third parties, we will put in place adequate measures such as binding contractual arrangements with the third parties to ensure they process your personal data in accordance with our instructions and applicable laws; including undertakings that the third parties will adopt appropriate security measures to protect your personal data.

DATA SHARING OVERSEAS TRANSFERS

To the extent required by applicable laws, and where we will be sharing, transferring, or storing your personal data outside of the location where you reside and/or work and/or the location in which the personal data was initially collected, including in the European Union, the APAC region, the Americas, and the EMEA region, including any subsequent onward transfers through additional countries (for example, data first hosted in the European Economic Area and then accessed from another location), we will ensure that every step of such transfers of personal data comply with applicable laws and this Privacy Notice and that the recipient entities provide an adequate level of data protection that is at least comparable to the protection set out under applicable laws to protect the integrity and security of your personal data. Where the recipient entities are not subject to adequate data protection laws the recipient entities will be required to enter into a binding agreement containing adequate data protection provisions and restrictions on further transfers of personal data. To the extent that the transfer of any personal data (including special category or sensitive personal data – such as health or disability information) requires any additional requirements under applicable laws are satisfied prior to transfer such as prior authorisation / regulatory approval from the relevant supervisory authority in a particular country, we will ensure that such prior authorisation / regulatory approval has been obtained prior to transferring the personal data.

LEGAL RIGHTS IN RELATION TO PERSONAL DATA AND HOW TO EXERCISE THEM

Depending on where you are located, you may have one or more of the following data subject rights, subject to applicable laws (including without limitation as listed in Article 11 of the Turkish Law No. 6698 on the Protection of Personal Data):

right to request access to a copy of your personal data;
right to request rectification or correction of your personal data;
right to request the destruction or deletion of your personal data (in certain circumstances)
right to object on reasonable grounds to the processing of your personal data (such as where the processing is on the basis that it protects your legitimate interests or is necessary for pursuing our legitimate interests or the legitimate interests of a third party to whom the personal data is supplied);
right to object to the processing of your personal data for the purposes of direct marketing and for the purposes of conducting statistical surveys (unless the processing is necessary for purposes of public interest or in violation of any applicable laws);
right not to be subject to a decision which is based solely on the basis of automated processing of your personal data;
right to withdraw consent (where such consent was obtained and relied on for the purposes of the processing);
right to institute civil proceedings;
right to be informed of a violation or breach of your personal data within the legally prescribed timeframe, where required under applicable data protection laws (for example, in some jurisdictions, when the breach is likely to result in a material risk to your rights and freedoms);
right to request data portability (in a format that is technically feasible); and
right to lodge a complaint with the relevant supervisory authority. Information about the relevant supervisory authority is as follows:

- South Africa:
Information Regulator
Website: https://inforegulator.org.za/
Complaints form: POPIA Form 5
Email: POPIAComplaints@inforegulator.org.za

- Kenya:
Office of the Data Protection Commissioner
Website: https://www.odpc.go.ke/
Complaints form: https://www.odpc.go.ke/file-lodge-a-complaint/

- Nigeria:
Nigeria Data Protection Commission
Website: https://ndpc.gov.ng/
Email: info@ndpc.gov.ng

If you are based elsewhere, you may contact the supervisory authority relevant to your jurisdiction as outlined in this Annex or in the general privacy notice.

You are encouraged to report any complaint or concern about your data privacy through the representative of the data controller or applicable data protection officer as set out in the Data Controller and Contact Details section of the Privacy Notice. We shall take action to redress any grievance within a reasonable timeframe and in any event within 30 working days, or as otherwise prescribed under applicable data protection laws. If this extends for any reason, you will be duly notified and appropriate measures will be taken to ensure that your rights and interests are protected. If you have any questions on whether you have these rights, or how to exercise these rights, please contact the data controller or applicable data protection officer as set out in the Data Controller and Contact Details section of the Privacy Notice.

DATA SECURITY

We use appropriate technical and organizational measures aimed at the protection of your personal data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access.

Where we share your personal data with service providers or third parties, we instruct them in writing to hold your data securely and in line with the requirements of applicable law. Service providers and third parties must implement appropriate technical and organizational measures to ensure the security of your data. Where we share your personal data with processors / operators who process personal data on our behalf we conclude binding agreements with such processors / operators containing the mandatory provisions required by applicable laws.

Beiersdorf Chronicle

The NIVEA family

The new Beiersdorf Campus