Annex III – Middle East and Africa ("Middle East and Africa Annex")
In the event of conflict
between the content of this Privacy Notice and the applicable regional annex,
the latter shall prevail.
Reference to controller, data subject, personal data, process, special categories of
personal data and supervisory authority in this Privacy Notice and Middle East and Africa Annex shall include the equivalent terms under applicable
laws in the Middle East and Africa region.
DATA CONTROLLER AND CONTACT DETAILS
The Beiersdorf entity
that you are making an application to work for is the data controller
collecting and processing your personal data as described in this Privacy
Notice. Details of the relevant
Beiersdorf entity are available here: Global Business | About Us - Beiersdorf
You can find the contact
details of the Data Protection Officers or representative of the relevant
Beiersdorf entity below.
For each of Kenya,
South Africa, and Nigeria, the contact details for privacy-related
inquiries are as follows:
COLLECTION OF PERSONAL DATA
In principle, your personal data will be collected
directly from you by automated and non-automated means.
In
line with local data protection laws, where we collect your personal data from
third parties, we will do so only as permitted by law. This includes where you
have consented, made the data publicly available, or where collection is
necessary for a legitimate purpose (such as verifying application details). The legal basis for this collection, as well as the types
of personal data and sources involved, are outlined in the relevant sections of
this Privacy Notice.
PURPOSES OF AND LEGAL BASES FOR PROCESSING
In the
Middle East and Africa, where the legal basis set out in the Legal Basis for
Processing section in the Privacy Notice above does not apply under
applicable law, or where required by applicable law, we will obtain your
consent to the collection, use, transfer and other processing of your personal
data or we will rely on another lawful basis for processing as recognized by
applicable data protection laws.
The
specific legal basis we rely on will depend on the nature of the processing and
the applicable local law. Where consent is required, we will ensure that it is
obtained in accordance with applicable data protection laws.
DATA RETENTION
Supplemental
Information for South Africa: Notwithstanding the general
data retention principles outlined above, for South Africa, we retain both your
Candidate Profile Data and your Application Form Data, Application Documents
Data, Online Assessment Data, Referee Data, and Public Professional Data for 6
months after the last activity or finalization of the recruitment process,
respectively, in line with the applicable limitation periods for
employment-related claims under South African law.
In
each case, personal data may be retained longer where required to comply with
legal obligations or for the establishment, exercise, or defense of legal
claims, as further described above.
DATA SHARING OVERSEAS TRANSFERS
To the extent required by applicable laws, and where we will be
sharing, transferring, or storing your personal data outside of the location
where you reside and/or work and/or the location in which the personal data was
initially collected, including in the European Union, the APAC region, the
Americas, and the EMEA region, including any
subsequent onward transfers through additional countries (for example, data
first hosted in the European Economic Area and then accessed from another
location), we will ensure that every step of such transfers of personal data
complies with applicable laws and this Privacy Notice and that the recipient
entities provide an adequate level of data protection that is at least
comparable to the protection set out under applicable laws to protect the
integrity and security of your personal data. Where the recipient entities are
not subject to adequate data protection laws, the recipient entities will be
required to enter into a binding agreement containing adequate data protection
provisions and restrictions on further transfers of personal data. To the
extent that the transfer of any personal data (including special category or
sensitive personal data – such as health or disability information) requires that
additional requirements under applicable laws be satisfied prior to transfer, such
as prior authorisation / regulatory approval from the relevant supervisory
authority in a particular country, we will ensure that such prior authorisation
/ regulatory approval has been obtained prior to transferring the personal data.
LEGAL RIGHTS IN RELATION TO PERSONAL DATA AND HOW TO EXERCISE THEM
Depending on where you are located, you may have one or more of
the following data subject rights, subject to applicable laws (including
without limitation as listed in Article 11 of the Turkish Law No. 6698
on the Protection of Personal Data):
- right to request access to a copy of your
personal data;
- right to request rectification or correction
of your personal data;
- right to request the destruction or deletion
of your personal data (in certain circumstances);
- right to object on reasonable grounds to the
processing of your personal data (such as where the processing is on the basis
that it protects your legitimate interests or is necessary for pursuing our
legitimate interests or the legitimate interests of a third party to whom the
personal data is supplied);
- right to object to the processing of your
personal data for the purposes of direct marketing and for the purposes of
conducting statistical surveys (unless the processing is necessary for purposes
of public interest or in violation of any applicable laws);
- right not to be subject to a decision which is
based solely on automated processing of your personal data;
- right to withdraw consent (where such consent
was obtained and relied on for the purposes of the processing);
- right to institute civil proceedings;
- right to be informed of a violation or breach of your personal data
within the legally prescribed timeframe, where required under applicable data protection laws (for example, in some jurisdictions, when the breach is likely
to result in a material risk to your rights and freedoms);
- right to request data portability (in a format
that is technically feasible); and
- right to lodge a complaint with the relevant supervisory
authority. Information about the relevant supervisory
authority is as follows:
- South Africa:
Information Regulator
Website: https://inforegulator.org.za/
Complaints form: POPIA Form 5
Email: POPIAComplaints@inforegulator.org.za
- Kenya:
Office of the Data Protection Commissioner
Website: https://www.odpc.go.ke/
Complaints form: https://www.odpc.go.ke/file-lodge-a-complaint/
- Nigeria:
Nigeria Data Protection Commission
Website: https://ndpc.gov.ng/
Email: info@ndpc.gov.ng
If you are based elsewhere, you may contact the supervisory
authority relevant to your jurisdiction as outlined in this Annex or in the
general privacy notice.
You are encouraged to report any complaint or
concern about your data privacy through the representative of the data
controller or applicable data protection officer as set out in the Data Controller and Contact
Details section of the Privacy Notice. We shall take action to redress any
grievance within a reasonable timeframe and in any event within 30 working days,
or as otherwise prescribed under applicable data protection laws. If this
extends for any reason, you will be duly notified and appropriate measures will
be taken to ensure that your rights and interests are protected. If you have any questions on whether you have these
rights, or how to exercise these rights, please contact the data controller or
applicable data protection officer as set out in the Data Controller and
Contact Details section of the Privacy Notice.
DATA SECURITY
We use appropriate technical and organizational measures aimed
at the protection of your personal data against accidental or unlawful
destruction, loss, alteration, and unauthorized disclosure or access.
Where we share your personal data with service providers or
third parties, we instruct them in writing to hold your data securely and in
line with the requirements of applicable law. Service providers and third
parties must implement appropriate technical and organizational measures to
ensure the security of your data. Where we share your personal data with
processors / operators who process personal data on our behalf, we conclude
binding agreements with such processors / operators containing the mandatory provisions
required by applicable laws.