Processing Your Personal Data - The Headlines
Your privacy is important to us and we want to be transparent about what we do with your personal data. This summary explains at a high level how we may process your personal data if you apply for a role with us. Please do read the more detailed notice for further information.
What categories of personal data does Wella collect about me and why?
"Personal data" means any information relating to you. During the application process, we will collect, process and use your personal data, for a range of different purposes. For example:
What personal data?
- Identification data - your name, nationality, national identifiers (e.g. national ID/passport, national insurance number, Social Security number)
- Personal information, such as your age, date of birth and gender
- Contact details
- Education and work experience
- Other application data (e.g. information contained in your CV and obtained from recruiters)
- Information collected as part of your interview process and application
- Background check information
Why?
- To process your application
- To determine your eligibility for the role you have applied for
- To conduct background checks as part of your application
- To communicate with you and with Wella employees and third parties
- To comply with the law and our legal obligations
- To comply with our financial and regulatory obligations
Sometimes we may also need to process sensitive personal data about you such as health and medical data, criminal records data, and/or race or ethnicity data, in connection with your application for employment. For example, we may need information about, your racial/ethnic origin and/or any disabilities for the purposes of equal opportunities monitoring, to comply with local equality laws, or to meet government reporting obligations; or your health-related data, such as any physical or mental conditions, to consider reasonable accommodations for the recruitment process and/or subsequent job role.
Find out more about what data we process and why by reading our detailed Global Applicant Privacy Notice, a copy of which can be found below. This also sets out any specific rules that apply in your country.
Who will Wella share my personal data with, and what happens if it's transferred out of the country where the entity I am applying to work for is registered?
As Wella Company is made up of a group of entities across the world, other entities within the group, as well as the one you are applying to work for, will be involved in processing your data.
We might also need to transfer your data to other third parties - e.g., recruitment or executive search agencies involved in your recruitment, background screening providers, and other third parties who provide us with advice and support (such as in relation to legal, financial, health and safety), or those third parties which process data on our behalf (including data storage, shared services and recruitment platform providers, IT developers, etc.), as well as acquiring entities, regulators or other authorities when necessary. Our policy is to limit who has access to your data as much as we can. If we need to share your data with anyone or transfer it out of your jurisdiction, we will take all necessary measures to ensure it is adequately protected.
Find out more about who your data is shared with, and what steps we take to protect it.
How long will Wella keep my personal data for?
We won't keep it for any longer than we need to, either to comply with the law or to ensure that we are complying with our obligations to you. Generally, this means your personal data will be retained either in accordance with the retention periods as described in Wella's Employee Privacy Notice (where successful in your application), or, unless restricted by local data protections laws, for a period of 12 months after confirmation that your application was unsuccessful unless you request that we delete your application sooner.
What rights do I have in respect of my personal data?
Depending on the laws in the country where you live, your rights in relation to your data may include a right to access, correct and erase your data as well as more technical rights to restrict the way we process it, and to transfer your data.
Your rights are important, and we've set them out in detail.
Who can I contact if I have questions?
If you have concerns or questions regarding your personal data, please contact your local HR contact in the first instance, or the Wella Privacy Team at wella.data.privacy@wella.com.
Wella Global Applicant Privacy Notice
At Wella we want you to feel confident that you can trust us with your personal data. We have prepared this Global Applicant Privacy Notice ("Notice") explaining how we collect and process personal data when you apply to join us, and your rights in relation to that information.
Wella Company operates in many different countries. Some of those countries have laws that govern the way we process individuals’ personal data. Many of those laws operate in similar ways, but there are also differences in how the laws apply in different countries. This Notice provides a global overview of our approach and how we address compliance with global data privacy laws. Where a particular country has specific requirements in relation to the processing of personal data, or different interpretations, we have explained that below under the section headed "Additional Provisions for Specific Countries".
We may sometimes need to ask for your specific consent to process your personal data. For example, this may be necessary to allow us to conduct certain background checks before you start working with us. However, in most cases we will process your personal data for the reasons set out in this Notice and it won't be appropriate or necessary for you to provide consent as the legal basis for us to process your personal data.
When we say "Wella", "we" or "us" in this document, we mean the Wella entity that you're applying to work for. In addition, you will see references to "Wella Company", which includes all other Wella entities globally. If you would like confirmation of the identity of the data controller in your jurisdiction, please contact your local Human Resources team in the first instance, or the Wella Privacy Team at wella.dataprivacy@wella.com. Wella Company includes Wella International Operations Switzerland S.à.r.l. (our headquarters) and its affiliates and subsidiaries. We may update this document from time to time, for example if we implement new systems or processes that involve a change to the way we use personal data. We will send an updated Notice if you are still in the application process.
If you have concerns or questions regarding your personal data, please contact your local Human Resources Team or the Wella Privacy Team at wella.data.privacy@wella.com.
What categories of personal data does Wella collect about me?
‘Personal data’ means any information relating to you from which you are or could be identified. Under most data privacy laws there's a distinction between 'ordinary' personal data and 'sensitive' personal data. We've set out here in as much detail as we can what those different categories are, and why we will process that data. Depending on your jurisdiction, we may treat some of the 'ordinary' personal data listed below as 'sensitive', as referenced under the Additional Provisions for Specific Countries section.
We will collect, process and use some or all of the following categories of 'ordinary' personal data about you:
- identification data, such as your name, citizenship, nationality, passport/ID data, photo (if voluntarily provided by you), drivers' licence information, national insurance number and/or social security number (as applicable);
- personal information, such as your age, date and place of birth, emergency contact details, and gender;
- contact details, such as your home address, telephone number(s) and email address
- education and work experience, such as contact details for your current/former employer, information about your educational background, your work experience and other experience (including academic/ professional job qualifications);
- other application data, such as the information included in your application form/CV;
- information collected as part of the interview process, such as notes taken from your interview and assessment centre or information provided from recruitment agencies; and
- background check information, such as information obtained through reference checks and confirmation about your work/educational background,
for this Notice, we'll refer to that as "Applicant Data".
We may receive any of the above Applicant Data from recruiters, who are deemed to be separate data controllers to us, and so we recommend that you regularly update your personal data with them.
In addition to Applicant Data, we collect, process and use some or all of the following special categories of personal data about you which we describe as "Sensitive Applicant Data":
- health and medical data, such as information on disability;
- criminal records data;
- race or ethnicity data such as information contained in your passport or other citizenship and right to work documentation and information which you voluntarily provide to us for the purposes of our equal opportunities and diversity monitoring and initiatives; and
- sexual orientation and gender identity data where you provide this to us voluntarily for the purposes of our equal opportunities and diversity monitoring and initiatives.
We recognise that this category of Sensitive Applicant Data is particularly sensitive and we process this data in accordance with the requirements and recommendations of local law.
Why does Wella need to collect, process and use my Applicant Data and Sensitive Applicant Data and what is the legal basis for doing so?
We collect and use Applicant Data and Sensitive Applicant Data for a variety of reasons linked to processing your application for a role with us. We call those the "Processing Purposes". However, we will only collect and use this data if we have a valid legal basis for doing so. We're required to explain the various legal bases that we rely on to you. This section is primarily based on the European and UK General Data Protection Regulation, and uses terms from that legislation. Please see the section headed Additional Provisions for Specific Countries for any variations specific to the country of in which the entity you are applying to work for is located.
To give you the full picture, we have set out each of the Processing Purposes below, mapped against the different legal bases that Wella relies on.
Processing Purposes (and corresponding data categories)
- Administering and processing your application (including processing a job offer should you be successful). This will involve processing identification data, contact details, information about your qualifications and employment history, information obtained during your interview and information contained in your CV.
- To determine your eligibility for the role you applied for by assessing your skills, qualifications, and background. This will involve processing identification data, contact details, information about your work and education experience, information obtained during your interview and information contained in your CV.
- Conducting background checks as part of your application. This will involve processing identification data, contact details, information about your qualification and employment history.
- Complying with applicable laws and employment-related requirements, such as income tax, national insurance deductions, and employment and immigration laws. This involves the processing of identification data and contact details.
- Monitoring and ensuring compliance with applicable policies and procedures and laws. This involves processing your identification data and contact details, information about your job, salary and benefits and equity compensation, and the operation of a whistleblowing hotline.
- Communicating with you, Wella employees and third parties, (such as existing or potential business partners, suppliers, or government officials), including informing you of future opportunities with Wella. This involves processing identification data, your contact details and details about the roles you have applied for, your qualification and employment history.
- Responding to and cooperating with regulators or other authorities as required in or outside of your home country. This involves the processing of identification data and contact details, education and work experience, information about the role(s) you have applied for and information about your salary and benefits.
- Complying with corporate financial responsibilities, including audit requirements (both internal and external) and cost/budgeting analysis and control. This involves the processing of identification data, contact details, information about the role you have applied for, including the role's salary and benefits.
Legal Bases
Processing Purposes 1 to 3:
- Necessary for performing or entering into a contract with you;
- Compliance with Wella's legal obligations, including those under immigration and employment laws;
- Pursuing Wella's legitimate interests; and
- In some limited circumstances, your consent.
Processing Purposes 4 to 5:
- Compliance with Wella's legal obligations; and
- Pursuing Wella's legitimate interests.
Processing Purpose 6:
- Necessary for performing or entering into a contract with you;
- Consent (‘opt in’) where appropriate;
- Compliance with Wella's legal obligations; and
- Pursuing Wella's legitimate interests.
Processing Purpose 7:
- Compliance with Wella's legal obligations.
Processing Purpose 8:
- Pursuing Wella's legitimate interests (i.e., we need to ensure that we manage our business effectively); and
- Compliance with Wella's legal obligation
Below are the Processing Purposes and corresponding legal bases for Sensitive Applicant Data:
Processing Purpose (and corresponding data categories)
- To accommodate your application and interview and for compliance with legal obligations, we may use health and medical data.
- Criminal records background checks in relation to you in the process of your application, where relevant and appropriate to the role you are applying for.
- Right to work or visa and immigration checks may involve us using race or ethnicity data such as information contained in your passport or other citizenship and right to work documentation.
Legal Bases
Processing Purpose 1:
- Your explicit consent where appropriate; and
- Processing is necessary to carry out the obligations and to exercise specific rights of Wella or you in the field of employment and social security and social protection law.
Processing Purpose 2:
- Your explicit consent where appropriate;
- Processing is necessary to carry out the obligations and to exercise specific rights of Wella or you in the field of employment and social security and social protection law; and
- Necessary for reasons of substantial public interest where this is a valid basis in your jurisdiction.
Processing Purpose 3:
- Processing is necessary to comply with Wella’s obligations in the field of employment and social security and social protection laws; and
- Necessary for reasons of substantial public interest where this is a valid basis in your jurisdiction.
What is meant by legitimate interests?
'Legitimate interests' is a legal term used under the GDPR, and it is one of the ways in which we are permitted to process your personal data. We'll only rely on this basis where we are satisfied that there is a fair balance between our interests and yours. Where we talk about ‘legitimate interests’ in this context, this will include:
- assessing your suitability for employment/engagement with Wella;
- sharing information within the group to understand where your role fits in the organisational structure;
- for our own internal reporting purposes;
- to protect the rights and interests of Wella, our employees, applicants and others; and
- to conduct internal investigations, for example if a whistleblowing report is made.
Got it - but who will Wella share my personal data with?
We take care to restrict access to your personal data on a ‘need to know’ basis. Whenever we share your data with a third party we will implement appropriate measures to ensure it is used in a manner consistent with this Notice and that the security and confidentiality of the information is maintained.
Here is some more information about when we will share your personal data:
- Within Wella Company. We have offices located across the globe, which all partially share management, human resources, legal, compliance, finance, and audit responsibilities. We will share your personal data with, or otherwise allow access to your data by, other entities within Wella Company when they are involved in the recruitment process; have management oversight or financial responsibilities for the role you are applying for; to monitor and assure compliance with applicable policies and procedures, and applicable laws; and/or to respond to requests and cooperate with regulators and other authorities.
- Regulators, authorities, and other third parties. Sometimes we may be under a legal obligation to share your personal data with regulators, courts, and other authorities (e.g., tax and law enforcement authorities).
- Data processors and third party service providers. We use recruitment or executive search agencies, background screening providers, and other third parties to provide us with advice and support (such as in relation to legal, financial, health and safety), or to process data on our behalf (including data storage, shared services and recruitment platform providers, IT developers, etc.). These third parties will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard your personal data, and to process your personal data only as instructed by us. Note that some third parties mentioned here are independent data controllers (such as recruiters) and as such, you should read their own privacy notices.
For a list of the Wella Group entities and third parties that we may share your data with, please contact us as set out below ("Who can I contact about data privacy?").
As you may expect, some of the recipients we share personal data with may be in countries outside the European Union and/or European Economic Area ("EEA").
Some of these countries have a legal regime which provides an adequate level of protection for this data.
If recipients are in countries which do not provide adequate protections for personal data, we will take all necessary measures to ensure that transfers of personal data to these countries are adequately protected as required by applicable data protection law. This will include using appropriate safeguards such as the EU Standard Data Protection Clauses. You can ask for a copy of such appropriate safeguards by contacting us as set out below ("Who can I contact about data privacy?").
How long will Wella keep my personal data for?
We won't keep personal data for longer than is necessary. We will, for example, keep your personal data for a reasonable time after your application process is completed, in case we have future job opportunities that we consider you are suitable for. Generally, this means your personal data will be retained either in accordance with the retention periods set out in Wella's Employee Privacy Notice (where successful in your application), or, unless restricted by local data protection laws, for a period of 12 months after confirmation that your application was unsuccessful unless you request that we delete your application.
Where personal data is kept, that period will be determined based on the applicable local law. Please contact us as set out below to request further information on how long Wella will retain your personal data ("Who can I contact about data privacy?").
What rights do I have in respect of my personal data?
You have rights in relation to your personal data. These can differ by country, but can be summarised in broad terms as follows:
(i) Right of access
You have the right to confirm with us whether we process your personal data, and if it is, to request access to that personal data, including the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients of that data. We do have to take into account the interests of others though, so this is not an absolute right, and if you want to request more than one copy we may charge a fee.
(ii) Right to rectification
You may have the right to rectify inaccurate or incomplete personal data concerning you. We encourage you to review any information you have provided to us regularly to ensure that it is accurate and up to date, and to inform us of any changes as soon as possible.
(iii) Right to erasure (right to be forgotten)
You may have the right to ask us to erase personal data concerning you. This is not an absolute right but if a request is refused in whole or in part we will provide reasons for the refusal.
(iv) Right to restriction of processing
In limited circumstances, you may have the right to request that we restrict processing of your personal data, unless we think we have a legitimate interest for processing your data which overrides your request.
(v) Right to data portability
You may have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly-used and machine-readable format, and you may have the right to transmit that data to another entity.
(vi) Right to object and rights relating to automated decision-making
Under certain circumstances you may have the right to object, on grounds relating to your situation, at any time to the processing of your personal data, including profiling, by us and we can be required to no longer process your personal data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.
To exercise any of these rights, please contact us as set out below ("Who can I contact about data privacy?").
If you have any concerns about how we handle your personal data, you may lodge a complaint with the Wella Privacy Team at wella.data.privacy@wella.com, and the Wella Privacy Team will assess your complaint. You also have the right to lodge a complaint with the competent data protection supervisory authority. Please see here for a list of European supervisory authorities: Our Members | European Data Protection Board (europa.eu) (https://edpb.europa.eu/about-edpb/about-edpb/members_en). For other relevant bodies, please see information for your jurisdiction under Additional Provisions for Specific Countries, or contact the Wella Privacy Team for advice.
Who can I contact about data privacy?
If you have any other concerns or questions regarding this Notice or if you would like to exercise your rights as a data subject, you can get hold of the right person, including the Global Data Privacy Officer here: Wella Privacy Team. wella.data.privacy@wella.com or by contacting your local Human Resources team.
1. Additional Provisions for the Americas
1.1 Brazil
Wella applies the Brazilian General Data Protection Law (Law No. 13,709/2018 - LGPD) in Brazil. In accordance with the LGPD, Wella Brazil does not rely on a substantial public interest ground for the processing of sensitive personal data.
What rights do I have in respect of my personal data?
Under the LGPD, you have the following additional express rights in relation to your personal data:
(vii) Right to anonymization
You have the right to request the anonymization, blocking or deletion of unnecessary or excessive data or data that has not been processed in compliance with applicable law.
(viii) Right to information on data recipients
You have the right to request information about public and private entities with which your personal data has been shared.
(ix) Right to withdraw consent
If you have consented to any processing of your personal data, you have the right to withdraw your consent.
(x) Right not to provide consent and be informed of the consequences thereof
You have the right to obtain information about the possibility of not giving consent and the consequences thereof.
(xi) Right to object to the processing based on one of the waiver of consent situations
Under certain circumstances you may have the right to object to the processing of your personal data that is based on one of the waiver of consent situations (for example, where data is manifestly made public by the data subject), where such processing is not in compliance with applicable privacy laws.
If you have any concerns about how we handle your personal data, you may lodge a complaint as described in the Notice or with the Brazilian National Data Protection Authority (ANPD).
1.2 Mexico
What categories of personal data does Wella collect about me?
Federal law for the protection of personal data held by private entities (the "Mexican data protection law") requires us to disclose information regarding the categories of personal information that we process from individuals in Mexico (as those terms are defined by applicable law):
- identification data: your name, citizenship, nationality, passport/ID data, photo (if voluntarily provided by you), drivers' licence information, national insurance number and/or social security number (as applicable);
- personal information: date and place of birth, emergency contact details, and gender;
- contact details, such as your home address, telephone number(s) and email address;
- education and work experience: contact details for your current/former employer, information about your educational background, your work experience and other experience (including academic/ professional job qualifications);
- other application data: the information included in your application form/CV;
- information collected as part of the interview process: notes taken from your interview and assessment centre or information provided from recruitment agencies; and
- background check information: information obtained through reference checks and confirmation about your work/educational background,
for this Notice, we’ll refer to that as “Applicant Data”.
In addition to Applicant Data, we collect, process and use some or all of the following special categories of personal data about you which we describe as "Sensitive Applicant Data":
- health and medical data, such as information on disability;
- criminal records data;
- race or ethnicity data: information contained in your passport or other citizenship and right to work documentation and information which you voluntarily provide to us for the purposes of our equal opportunities and diversity monitoring and initiatives; and
- sexual orientation and gender identity data where you provide this to us voluntarily for the purposes of our equal opportunities and diversity monitoring and initiatives.
We will obtain you express consent before processing any Sensitive Applicant Data.
ARCO Rights
If you are in Mexico, you do not have the (v) right to data portability. Each right is subject to certain exceptions detailed in the Mexican data protection law. You also have the right to revoke any consent previously granted.
To request such rights, or for any questions, please email wella.data.privacy@wella.com and in the subject line of your email, please indicate “Mexico Privacy Rights Request ARCO RIGHTS: (Insert Your Name)”. In addition please confirm: (i) name of the data subject and email address or means to communicate the respective response; (ii) documents proving your identity, or the identity of legal representative; (iii) clear and precise description of the personal data in respect of which you seek to exercise any of your ARCO Rights; and (iv) documents or information that facilitates the location of the respective personal data.
To the extent that you elect to designate an authorized agent to make a request on your behalf, they must provide appropriate documentation including written signed permission from you, proof of your identity, and verification of their identity; or a valid, designated power of attorney as defined under the Mexican Civil Code.
The competent data protection supervisory authority in Mexico is the National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales).
1.3 US (California only)
We address additional disclosures towards you where you reside in California under the California Consumer Privacy Act of 2018, as amended, and its regulations ("CCPA") at or before the point of collection of data. These disclosures do not reflect our personal data handling practices with respect to California residents' personal data where an exception or exemption applies under the CCPA.
Where we say ‘personal data’ under this Notice, we mean ‘personal information’ as defined and used under the CCPA.
The list below sets out the categories of personal data and sensitive personal data that we collect as defined and specified under the CCPA:
Personal Data
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
- Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, but excluding publicly available information that is lawfully made available to the general public from federal, state, or local government records.
- Characteristics of protected classifications under California or federal law.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website application, or advertisement.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
Sensitive Personal Information
- Your social security, driver's license, state identification card, or passport number.
- Your account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
- Your racial or ethnic origin, religious or philosophical beliefs, or union membership.
- The contents of your mail, email, and text messages unless the business is the intended recipient of the communication.
- Personal data collected and analyzed concerning a consumer's health.
We use personal data about you:
- to perform the services or provide the goods reasonably expected by our employees in their role as our employees, including those services and goods that are reasonably necessary for us to administer the employment relationship and for our employees to perform their duties such as to fulfill an individual’s employee terms of employment, to manage our relationship with our employees from recruitment through post-employment and to ensure the safety of our employees;
- to prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information, including in or via our premises, computers, software, networks, communications devices, and other similar system;
- to resist malicious, deceptive, fraudulent or illegal actions directed at us and to prosecute those responsible for those actions;
- for short-term, transient use;
- to perform services on behalf of us;
- to verify or maintain the quality or safety of our services and products;
- to improve, upgrade, or enhance our services and products; and
- to collect or process it where such collection or processing is not for the purpose of inferring characteristics about a consumer such as to perform functions that are required under laws that apply to us and to support any claim or defense that we could face before any jurisdictional and/or administrative authority, arbitration, or mediation panel, and cooperating with – or informing – law enforcement or regulatory authorities to the extent required by law.
We do not sell or share for cross-context behavioral advertising any of the categories of personal information that we collect from California resident employees.
If you have a visual disability, please contact your HR department for accommodations. Our CCPA Privacy Policy is available at https://www.wellacompany.com/privacy-policy.
The competent data protection supervisory authority in California is the California Privacy Protection Agency.
2. Additional Provisions for Asia Pacific
2.1 Australia
You have the following rights in relation to your personal data:
- right of access; and
- right to rectification.
The following rights do not apply to you:
- right to erasure (right to be forgotten);
- right to restriction of processing;
- right to data portability; or
- right to object and rights relating to automated decision-making.
If you have any concerns about how we handle your personal data, you may lodge a complaint as described in the Notice or with the Office of the Australian Information Commissioner (OAIC). More information on the OAIC is available at https://www.oaic.gov.au/.
2.2 China
As mentioned in the Notice, the Chinese subsidiary of Wella for which you are working will be considered the personal data controller for the purpose of the Notice, or in other words, the personal data processor as provided in the Personal Information Protection Law of the PRC (“PIPL”). “Wella”, “we”, or “us” shall be construed accordingly.
In China, some categories of ‘Employee Data’ may be deemed as ‘Sensitive Employee Data’ and the Notice should be read as so to include such categories of data under the relevant sections. Specifically, the following data may, for example, also be considered Sensitive Applicant Data: your national insurance number and/or social security number.
In any case, we will make sure that the processing of your Applicant Data is for specific purposes as described in the Notice and is necessary, and our processing of your Sensitive Applicant Data will be subject to strict security measures and be conducted in a manner having the least impact on your personal rights and interests.
Where applicable under the PIPL, we additionally rely on some or all of the following legal basis for the processing of your personal data: (i) the necessity to conclude or perform a contract to which you are a party, or to conduct human resources management pursuant to employment regulations formulated according to law and pursuant to collective contracts concluded pursuant to law; and (ii) other circumstances provided for in the PIPL.
3. Additional Provisions for Europe
3.1 Europe
By ensuring appropriate safeguards, we have established that all other recipients located outside the EEA will provide an adequate level of data protection for the personal data and that appropriate technical and organizational security measures are in place to protect the personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Any onward transfer (including to our affiliates outside the EEA) is subject to appropriate onward transfer requirements as required by applicable law.
3.2 Austria
The legal basis for the processing purpose of criminal records and background checks in relation to you, where relevant and appropriate to your role, is our legitimate interest.
The competent data protection supervisory authority in Austria is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).
3.3 France
Wella may collect, process and/or use some or all of the Sensitive Employee Data (e.g., health and medical data) only if required or permitted by law. For example, Wella acknowledges that the processing of race and ethnicity data is prohibited in France.
You also have the following additional right:
(i) You have the right to determine what should be done with your personal data after your death
The competent data protection supervisory authority in France is the Commission Nationale de l’Informatique et des Libertés.
3.4 Germany
The competent data protection supervisory authority in Germany depends on the relevant federal state. Find out more information by contacting wella.dataprivacy@wella.com or by contacting your local Human Resources team.
3.5 Greece
We recognise that the processing of Sensitive Employee Data is prohibited in most cases within the employment context, unless you voluntarily reveal this data in order to establish an employment right.
The competent data protection supervisory authority in Greece is the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα)
3.6 Netherlands
The competent data protection supervisory authority in the Netherlands is the Dutch Personal Data Authority (Autoriteit Persoonsgegevens).
3.7 Poland
In Poland, the data protection supervisory authority responsible for reviewing complaints is the President of the Office for Personal Data Protection (address: 2 Stawki Street, Warsaw; website: www.uodo.gov.pl).
3.8 Spain
The competent data protection supervisory authority in Spain is the Agencia Española de Protección de Datos.
3.9 United Kingdom (UK)
We may transfer your personal data outside of the UK. Some of these countries are recognized by the UK as providing an adequate level of protection according to UK standards. The UK will continue to permit the transfer of personal data to the EEA and any countries that were covered by a European Commission adequacy decision as of December 31, 2020 (the full list of these countries is available http://europa.eu). With regard to transfers from the UK to countries not considered adequate, we have put in place adequate safeguards, such as EU Standard Contractual Clauses, to protect your personal data. You may obtain a copy of these measures by contacting us at wella.data.privacy@wella.com or in writing to the following address: St. George's House, 5 St. George's Street, Wimbledon, London. SW19 4DR, UK. You may also contact our Global Data Privacy Officer if you have questions about the interpretation or operation of this notice. You may lodge a complaint with the Information Commissioner’s Office (ICO) in the UK. More information on the ICO is available at https://ico.org.uk.