What does this Privacy Notice apply to?
Avon Cosmetics (M) Sdn. Bhd., as part of Natura &Co Groupof Companies, its affiliates and subsidiaries (“Natura &Co”, “we”, “us”, “our”), are fully committed to the responsible collection, use and care of the personal data of our job candidates. This Global Privacy Notice for Job Candidates (“Privacy Notice”) provides you with information on how Natura &Co collect, use, and share personal data when you apply for a job with us.
If you are in a jurisdiction that recognizes the concept of a Data Controller or similar, the Natura &Co entity (including Group of Companies) where you apply for the job will be the Data Controller. If you have a query about how your Personal Data is being used, you can contact the data controller through the Data Protection Officer (DPO) team here.
Key Definitions
Capitalised terms not otherwise defined in this Notice have the following meanings:
- Personal Data means any information relating to an identified or identifiable living individual.
- Sensitive Personal Data means any information relating to an individual’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, criminal records/history or processing of genetic data or biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. Depending on the country you are based sensitive personal data may also refer to personal information that, once leaked or illegally used, may cause harm to natural persons, including but not limited to information on specially designated status, financial accounts, individual location tracking, as well as the personal information of minors or information on social security, driver’s license, state identification, and passport numbers, precise geolocation, combination of email address, debit card, or credit card with security or access code, password, or other credentials allowing access to financial account.
- Processing means the use of personal data including collection, recording, organization, structuring, adaptation or alteration, analysis, retrieval, consultation, providing or blocking access to (including remote access), disclosure, dissemination, aligning, copying, transfer, storage, deletion, hosting, combination, destruction, disposal, or other use or handling of personal data.
- Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In our company, the ultimate data controller is Natura & Co., our holding company.
- Job Candidate means an individual who have applied to be full or part-time employee of Natura &Co Group of Companies, including apprentices, student trainees, interns and trainees, and temporary workers (also referred to as “you”).
- Third Party means any natural person or legal entity, public authority, agency or any other body other than Data Subject, Data Controller, any vendor, supplier or service provider who solely or jointly process personal data on behalf of the Data Controller and acts on the Data Controller’s instructions.
- Data Subject means the identified or identifiable living individual to whom the Personal Data relates.
- Natura &Co Group of Companies: the full listing can be found here.
Personal Data we collect and process
We collect, store, and process your Personal Data in a number of ways including when you:
- You disclose to us such Data in the context of your application, including applications sent by job application platforms;
- We obtain such Data from recruitment agencies with which we engage;
- We obtain such Data through publicly accessible, professionally used and lawfully obtained social media for maintaining existing and making new business contactsSubmit a review regarding our products at our websites, and branded pages and applications.
In certain cases, we may also receive relevant Personal Data from risk management service providers which support us, to the extent necessary and legally permitted, in carrying out a pre-employment compliance check of your suitability for the desired position.
Categories of Personal Data | Examples of Personal Data |
Basic Personal Data |
|
Sensitive Personal Data |
|
Educational background Data |
|
Professional background Data |
|
Immigration Data |
|
Background check Data (only if applicable/required for the position) |
|
Please note that you are neither under any contractual nor legal obligation to provide us with your data. However, we may not be able to fully process your application if you do not provide the data necessary to process your application.
Recruitment of job candidates:we collect and process any Personal Data that you have published via job application platforms or publicly accessible and professionally used social media platforms, in order to contact you with regard to suitable job vacancies or upcoming opportunities. The legal basis for processing your Personal Data in this regard depends on the country you are based. Usually, it will be the necessity of the processing to safeguard our legitimate interest (where applicable and depending on the country you are based) in recruiting suitable job applicants for our company and making them aware of suitable roles, or otherwise as permitted by law.
During your job application:we process your Personal Data in the context of your application only to the extent necessary for the processing of your application (including if applicable performing pre-employment compliance checks) and for the decision on establishing an employment relationship with you. The legal bases for processing your Personal Data in such context will depend on the country you are based. Usually, it will be:
The necessity of the processing for the decision on establishing an employment relationship with you, as well as to implement an employment relationship, where applicable;
To comply with statutory and/or regulatory requirements and obligations, such as equality and immigration legislation;
If necessary for pre-employment compliance checks, we may ask for your prior consent before processing your Personal Data, depending on the country you are based. You are free to refuse giving consent without any effect on your application process. If necessary, we may ask you in this case for further evidence enabling us to perform a full pre-employment compliance check.
If an employment relationship is established with you: we will include your relevant Personal Data obtained during your job application process in our personnel database and process it in accordance with our internal Global Privacy Notice for Associates, which will be shared with you during the onboarding process.
If no employment relationship is established: we will store your Personal Data for a period of 6 months after the end of the application process. The legal basis for storing the Personal Data will depend on the country you are based. Usually, it will be the necessity of the processing to protect our legitimate interests (where applicable and depending on the country you are based) in the establishment, exercise or defense of legal claim, or as otherwise permitted by law.
If we have received your application via a recruitment agency:we may further store limited Personal Data (in particular your name, the channel via which we received your application and the date of your application) for an additional 6 months (12 months in total after the end of the application process), to the extent necessary to be able to meet our contractual obligations to pay a recruitment fee to the recruitment agency in the event of a possible reapplication and recruitment of you within 12 months of your first application. The legal basis for storing the Personal Data will depend on the country you are based. Usually, it will be the necessity of the processing to protect our legitimate interests (where applicable and depending on the country you are based) in fulfilling our contractual obligations to recruitment agencies, or as otherwise permitted by law.
We may also contact you to ask if you would like to have your Personal Data recorded in a job applicant pool, always at your express consent, so that we can contact you again when filling any future vacancies aligned to your experience. In this case, we will store your Personal Data in the job applicant pool in accordance with our retention periods determined as per the legal requirements in the country you are based.
Where you are asked to provide Personal Data for the purpose of monitoring equal opportunities(including Sensitive Personal Data), this will be voluntary and on the basis of your consent, unless a legal requirement to which we are subject requires us to collect this data.
How long we store your Personal Data
We store your Personal Data for the purposes stated in this Notice. To the extent storage of your Personal Data is no longer necessary for these purposes, your data will be deleted, unless your data is required for other purposes set out in this Privacy Notice, or further storage is mandatory by applicable laws and/or necessary to fulfil legal or regulatory obligations or to protect our legitimate interests (where applicable depending on the country you are based), including the establishment, exercise, or defence of any existing or potential legal claims. Our retention periods are being determined as per the legal requirements of the country you are based.
How we share and disclose your Personal Data
Your Personal Data will be kept strictly confidential and disclosed internally only to:
- The departments/employees that need to process your Personal Data for handling your application;
- To affiliated companies of the Natura &Co Group – to the extent necessary due to any international team and matrix structures, as well as the use of group wide integrated centralized HR functions and systems;
- To external service providers, for example providers of IT services (such as technical service providers for storing your data) and compliance review, who have been carefully selected and are contractually bound in accordance with applicable data protection legislation.
- Law enforcement and other government authorities. To do so, the authority requires an appropriate judicial order or warrant, for which they need to demonstrate that the disclosure of the requested or intercepted information is required. We reserve the right to challenge these requests.
We may share or transfer your Personal Data in the course of any direct or indirect reorganization process including, but not limited to, mergers, acquisitions, divestitures, bankruptcies, and sales of all or part of our assets. Your Personal Data may be shared following the completion of such transaction and/or during the assessment pending transfer (subject to confidentiality requirements). If transferred, your Personal Data will remain subject to this Privacy Notice or a policy that, at a minimum, protects your privacy to an equal degree as this Privacy Notice unless you otherwise consent.
International Data Transfers: We may transfer your Personal Data to our affiliates and subsidiaries or to other third parties, in accordance with applicable local law, depending on the country you are based. We may also transfer your Personal Data from your country or jurisdiction to other countries or jurisdictions in accordance with legal requirements.
- For international data transfers subject to EEA, UK and Swiss law: we primarily use European Union Commission Standard Contractual Clauses.
- For transfers between other jurisdictions, we may rely on other legal mechanisms for international transfers, as appropriate under the relevant law.
- We have also concluded and executed an Intra-Group Agreement to ensure safe and lawful transfers of personal data take place among entities within the Natura Group of Companies, and also among different countries around the world, where such transfers are necessary in the course of business.
We carry out Transfers Impact Assessments to implement supplementary measures to ensure your personal data is processed under the standards that apply to your territory.
Your Sensitive Personal Data will not be used for any additional purposes that are incompatible with the purposes listed above unless we provide you with notice of those additional purposes.
We do not sell your Personal Data or your Sensitive Personal Data, nor do we share it with third parties for cross-context behavioural advertising.
How we protect your Personal Data
We implement comprehensive technical, physical and organizational measures to ensure a level of security appropriate to the risk to the personal data we process and to ensure compliance with applicable legal requirements. These measures are aimed at safeguarding the ongoing integrity and confidentiality of personal data. We evaluate and improve these measures on an ongoing basis.
Your rights in relation to the processing of your Personal Data
Depending on the country you are based, you may have some or all of the following rights:
To obtain the rectification of any inaccurate personal data and, having regard to the purposes of the processing, the completion of incomplete personal data (right to rectification) (please let us know if and to what extent your data stored by us has changed, so that we can rectify or update the respective data);
If there are legitimate reasons, to request the deletion of the personal data (right to erasure);
To request the restriction of the processing of the personal data, if the legal requirements are met (right to restriction of processing);
To withdraw your consent at any time, if the data processing is based on consent, provided that such withdrawal does not affect the lawfulness of the previous processing of your data (consent withdrawal);
To receive the personal data provided by you in a structured, commonly used and machine-readable format and to transfer this personal data to another controller or, if technically feasible, to have it transferred by us (right to data portability); and
Not to be subject to a decision based solely on automated processing which produces legal effects concerning you or significantly affects you in a similar way, if the legal requirements are not met (not to be subject to automated processing).
To object, where applicable law provides, to the processing of your data (right to object):
which is being processed for the purposes of our legitimate interests (where applicable and depending on the country you are based) unless such interests outweigh your individual rights; and/or
for direct marketing purposes, without any special reason.
In order to exercise your rights, including the withdrawal of your consent, please contact us here here. You may also designate an authorized agent to make a request on your behalf. In order to protect your data from unauthorized access or alteration by third parties, all requests regarding your personal information will be subject to verification of the identity of the requesting individual. We endeavour to respond to a verifiable request within required time frames.
A Data Subject who feels that we are not adhering to this Notice or applicable data protection laws with respect to his or her Personal Data may contact us to register a complaint; submit requests for exercising rights; or address any other issue arising under this Notice. Complaints by any person may also be referred to the DPO team by email here.
Without prejudice to any other remedies, you also have the right to lodge a complaint with a supervisory authority at any time.
Changes we make
We may update this Notice periodically and will revise the date at the bottom of this Notice to reflect the date when such update occurred. If we make any material changes in the way we collect, use, and/or share the personal information that you have provided, we will endeavour to provide you with notice before such changes take effect, such as by posting prominent notice on our Company website.
Effetive Date: 22 December 2022
Updated: 20 September, 2023