PRIVACY POLICY Recruitment
Information pursuant to Articles 13 and 14 of the EU and UK General Data Protection Regulation (GDPR)
In this privacy policy, HIMA, as a group of companies, provides you with the legally required information regarding the processing of your personal data and the safeguarding of your rights as a data subject in accordance with applicable data protection laws, including the EUGeneral Data Protection Regulation (“EU GDPR”), the UK General Data Protection Regulation (“UK GDPR”) and applicable national data protection law such as the German Federal Data Protection Act (BDSG) and the UK Data Protection Act 2018.
In this privacy notice, the EU GDPR and the UK GDPR are referred to separately where relevant, and collectively as the “GDPR” where provisions apply to both.
This privacy notice for applicants explains how we collect, use, store and protect your personal data when you
- apply for a job,
- create an applicant profile,
- join our talent community, or
- interact with our recruitment systems.
Our recruitment processes are supported by the cloud-based platform Workday Recruiting, which processes personal data on our behalf.
1. Data Controller and Data Protection Officer
The data controller responsible for your personal data under this privacy policy depends on the specific position and location to which you are applying, as well as the applicable data protection law.
The HIMA Group is an international group of companies with global operations.
EU GDPR – EU-based Controller: Where you are applying to a position within the European Union or European Economic Area, the relevant HIMA group entity in that jurisdiction acts as the data controller within the meaning of Article 4(7) of the EU GDPR. The specific EU controller responsible for your application is identified based on the entity or location to which you are applying. A full list of EU-based HIMA entities acting as controllers, together with their respective contact details, is:
· HIMA Pauld Hildebrandt GmbH, registered at Albert-Bassermann-Str. 28, 68782 Brühl, Baden-Württemberg, Germany.(E-Mail:datenschutz@hima.com or privacy@hima.com)
· HIMA Benelux B.V.
Tinstraat 3, 4823 AA Breda, NL
Contact: privacy@hima.com
· HIMA FRANCE S.A.R.L.
CARRE HAUSSMANN, 1 Cours de la gondoire, Bâtiment A, 77600 Jossigny, FR
Contact: privacy@hima.com
· HIMA ITALIA SRL
Via Trieste n. 26/28, 20871 Vimercate MB, IT
Contact: privacy@hima.com
· HIMA Slovakia s.r.o
Vodná 23, 94901 Nitra, SK
Contact: privacy@hima.com
· HIMA Paul Hildebrandt GmbH
Concorde Business Park 1 / A / 2 / 14A, 2320 Schwechat, AT
Contact: privacy@hima.com
· HIMA Paul Hildebrandt GmbH
Blue Factory / Passage du Cardinal 5 (Bâtiment B) , CH-1700 Fribourg, CH
Contact: privacy@hima.com
UK GDPR – UK-based Controller: Where you are applying to a position based in the United Kingdom, the relevant HIMA group entity established in the UK acts as the data controller within the meaning of Article 4(7) of the UK GDPR as incorporated into UK law by the Data Protection Act 2018. The specific UK controller responsible for your application is identified based on the entity or location to which you are applying.
A full list of UK-based HIMA entities acting as controllers, together with their respective contact details, is:
· Sella Controls, registered at Carrington Field Street, Chesfire Stockport, SK1 3 JN, United Kingdom (E-mail: sellacontrols@activemind.legal[YE1])
Other Jurisdictions: For positions based outside the EU/EEA and the UK, the relevant HIMA group entity in that jurisdiction acts as the data controller in accordance with applicable local data protection law. Details of the responsible entity are set out in the list of controllers referenced below and in the documentation provided as part of the application process.
For your convenience, you will find a list of the data controllers, including their contact details, here:
· Origo Solutions AS (A HIMA company)
Andøyfaret 31, 4623 Kristiansand, Norway
Contact: recruitment@origo-s.no
· HIMA TURKEY INDUSTRIAL AUTOMATION COMPANY LIMITED
Yildiz Teknik Üniversitesi Davutpasa Kampüsü, Teknoloji Gelistirme Bölgesi1. Faz C Block No: C-204, Istanbul, Turkey
Contact: Recruitment.MiddleEast@hima.com
· HIMA Middle East FZE
Freezone - Jabal Ali Industrial Second - Dubai -UAE, United Arab Emirates
Contact: Recruitment.MiddleEast@hima.com
· HIMA Safety Automation India Private Limited
91 Springboard SBC, 9th Floor, 104/1, NH 48, Baner Gaon, Pune City, Pune- 411045, Maharashtra, India
Contact: Recruitment.MiddleEast@hima.com
· HIMA Saudi Arabia Industrial Applications I.L.L.C.
3908, King Abdul Aziz Rd., 7514, Al Badi Dist., DAMMAM, 32415, Kingdom of Saudi Arabia
Contact: Recruitment.MiddleEast@hima.com
· HIMA Asia Pacific Pte Ltd
438B Alexandra Rd, #01-05/06, Alexandra Technopark Block B, 119968 Singapore, Singapore
Contact: HR.REA@Hima.com
· HIMA S.E.A Sdn Bhd
Taman Sains Selangor, B-05-06 & 07, Kompleks Perindustrian Emhub, Persiaran Surian, Seksyen 3, Kota Damansara, 47810 Petaling Jaya, Selangor, Malaysia
Contact: HR.REA@Hima.com
· HIMA AUSTRALIA Pty Ltd
Level 2, 105 St Georges Terrace, 6000 Perth Western Australia, Australia
Contact: hapl.hse@hima.com
· HIMA Safety Automation Colombia SAS
CALLE 127 # 70G – 68 OF. 304, Bogotá - Colombia
Contact:
· HIMA ARG S.A.S.
Av. L.N. Alem 693 3rd Floor C1001AAB Buenos Aires Argentina
Contact: privacy@hima.com
· HIMA Americas Inc.
5353 West Sam Houston Parkway N, Suite 130, 77041 Houston, Texas, USA
Contact: privacy@hima.com
Please note that, due to its role in the central management of applications for all companies within the HIMA Group, HIMA Paul Hildebrandt GmbH may also process personal data as a data processor and, in this context, processes all applications received via the centrally provided application channels.
If, during the application process, we give you the opportunity to give your consent, for example to be included in applicant pools, your personal data will be processed exclusively for the purposes stated in the declaration of consent. In such cases, all HIMA companies act as joint controllers for the processing of personal data in connection with the applicant pool. This processing is carried out on the basis of Article 6(1)(a) of the GDPR. Insofar as the consent covers special categories of personal data (such as health data), the processing is based on Article 9(2)(a) of the GDPR.
You can contact the external data protection officer for HIMA Paul Hildebrandt GmbH, at the following address:
activeMind AG
Management and Technology Consultancy
Kurfürstendamm 56
10707 Berlin
Telephone: 030 / 770 19 10 70
Email:datenschutz@hima.com or privacy@hima.com
Enquiries regarding EU-based group companies, as well as entities in Argentina and the USA, may also be directed to the above address. Local contacts may also be available for other group companies. Further details can be found here:
Please see above under section 1 the list of NON‑EU/UK contacts.
You can contact the external data protection officer for Sella Controls, at the following address:
c/o activeMind.legal UK Ltd.
No 1 Royal Exchange
London, EC3V 3DG
Registered #11814518
Email: sellacontrols@activemind.legal
2. Categories of personal data collected
As part of the recruitment process, we may collect the following categories of personal data from the information you provide:
Basic details, qualifications
· Name and contact details
· Address
· CV
· Professional background
· Education and qualifications
· Skills and certifications
· Language skills
· Salary expectations
· References
Information about the recruitment process
· Notes on the interview
· Assessment results
· Recruiters’ assessments
· Hiring decisions
Compliance and verification data
Where required by law:
· Identity verification
· Work permit
· Visa status
· Results of the background check
Technical data
When using the recruitment portal:
· IP address
· Browser type
· Device information
· System usage data.
Applicants are asked not to include any sensitive personal data in their application documents (such as information regarding political opinions, religious beliefs, health data, sexual orientation or similar), unless this is expressly requested or required by law.
3. Purposes of processing
We process applicants’ personal data for the following purposes:
Recruitment management
- Review and assessment of applications,
- Assessing applicants’ qualifications and suitability for the role,
- Organising and conducting interviews, and
- Communicating with applicants throughout the recruitment process.
Talent pool and future opportunities
Where appropriate, applicant profiles can be stored in a talent pool to consider applicants for future vacancies.
Job notifications and communication with applicants
Provided that applicants have registered for such services, we may use their contact details to provide information about relevant job vacancies and news.
Compliance with legal and regulatory requirements
- Verification of an applicant’s right to work and
- compliance with applicable legal and regulatory obligations.
Recruitment
In the event of a successful application, personal data will be processed to create employment records and to facilitate the induction process.
Legal claims
Where necessary, personal data may also be processed for the purpose of establishing, exercising or defending legal claims arising in connection with recruitment activities.
4. Legal basis for processing
Where the GDPR applies, the processing of personal data is based on one or more of the following legal bases:
- Legitimate interests (Art. 6(1)(f) GDPR), in particular for the efficient management and optimisation of recruitment processes; Defence in legal disputes (e.g. General Equal Treatment Act (AGG))
- Pre-contractual measures (Art. 6(1)(b) GDPR), insofar as the processing is necessary to carry out the application process at the applicant’s request;
- Compliance with legal obligations (Art. 6(1)(c) GDPR), provided that the processing is necessary to comply with applicable legal or regulatory requirements; and
- Consent (Art. 6(1)(a) GDPR), where necessary, for example in connection with inclusion in talent pools or the processing of diversity-related information.
Where processing is based on consent, applicants have the right to withdraw their consent at any time with effect for the future.
5. Recipients of the data
Applicant data may be disclosed to:
· internal HR teams
· hiring managers
· affiliated companies within the HIMA Group
· Recruitment agencies
· assessment providers
· Background check providers
· IT service providers that support the recruitment platforms .
· Relevant recipients within the HIMA Group: Please see above under section 1 the list of NON‑EU/UK contacts.
All recipients process personal data in accordance with applicable data protection laws. Where necessary, appropriate data processing agreements (DPAs) and confidentiality agreements have been concluded with the data processors to ensure the lawful and secure processing of personal data.
To support recruitment activities, the company uses Workday Recruiting, a cloud-based human resources management system.
Workday processes personal data as a data processor on behalf of the company and provides enterprise-level security measures to ensure the security of the data processed, including
· encryption measures
· role-based permissions and access controls
· system monitoring
· secure IT infrastructure.
6. International data transfers
As a global company, the HIMA Group may transfer personal data to countries in which the company or its service providers operate.
These may include:
- Member States of the European Union,
- the United States,
- countries in the Middle East (e.g. Saudi Arabia or Oman),
- countries in Asia (e.g. China) and
- other jurisdictions in which the company operates.
Where personal data is transferred to countries outside the European Economic Area (EEA) or the UK, such transfers are carried out in accordance with the requirements of Chapter V of the EU GDPR and, where applicable, the corresponding provisions of the UK GDPR, in order to ensure an adequate level of protection for your personal data.
Within the HIMA Group, there is a corresponding intercompany agreement governing data transfers within the group.
In particular, where no adequacy decision has been issued by the European Commission, or where no adequacy regulation has been adopted by the UK Government, as applicable, appropriate safeguards are implemented. These may include, in particular
· the conclusion of Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR),
· the use of the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, where required under the UK GDPR,
· the implementation of binding corporate rules (BCRs), where applicable (Art. 47 GDPR),
· other valid transfer mechanisms recognised under the EU GDPR or UK GDPR, as applicable.
7. Retention period
In particular, the following retention periods apply:
- Ongoing application process until completion: for the duration of the application process and, following rejection, for a period of 6 months
- Talent pool: generally up to 24 months after the last contact with the applicant;
- Legal obligations: for as long as necessary to comply with applicable legal and regulatory requirements.
- In the event of recruitment: for the duration of the employment relationship and for as long as necessary to comply with applicable legal and regulatory requirements.
Once the applicable retention period has expired, personal data will be securely deleted or anonymised in accordance with applicable law.
8. Data security
The company takes appropriate technical and organisational measures to protect personal data, including:
· Access controls
· Encryption measures
· Network security measures
· System monitoring
· secure cloud hosting.
9. Rights of data subjects
Subject to applicable data protection laws, applicants may have the following rights in relation to their personal data:
- the right of access (Art. 15 GDPR),
- the right to rectification of inaccurate or incomplete data (Art. 16 GDPR),
- the right to erasure (‘right to be forgotten’) (Art. 17 GDPR),
- the right to restriction of processing (Art. 18 GDPR),
- the right to data portability (Art. 20 GDPR) and
- the right to withdraw consent at any time, provided that the processing is based on consent (Art. 7(3) GDPR).
To exercise these rights under the EU GDPR, requests may be addressed to:
Email: datenschutz@hima.com or privacy@hima.com
To exercise your rights under the UK GDPR, please contact the UK-based controller responsible for the position to which you applied. Contact details for the relevant UK controller are available in the list of group companies referenced in Section 1.
Data subjects also have the right to lodge a complaint with the relevant supervisory authority.
For the EU/EEA, a list of supervisory authorities, including their contact details, is available at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
For the UK, complaint may be lodged with the Information Commissioner´s Office (“ICO”). Further information is available at:
https://ico.org.uk/make-a-complaint/
10. Am I obliged to provide personal data?
Within the framework of the contractual relationship, you are obliged to provide the personal data necessary for the establishment, performance and termination of the contractual relationship, as well as for the fulfilment of the associated contractual obligations, or which we are legally obliged to collect.
Without this data, we are generally unable to conclude or fulfil the contract with you.
11. Updates to this privacy policy
This privacy policy may be updated from time to time.
The current version is always available on the company’s careers website.
|
Information regarding your right to object under Article 21 of the General Data Protection Regulation (GDPR)Right to object on grounds relating to your particular situationYou have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(f) of the GDPR (processing on the basis of legitimate interests).If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.Recipient of the objectionIf you wish to exercise your right to object, simply send an email to the following address:Email: privacy@hima.com |
12.1 Addendum Australia - Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
This addendum applies where personal information is collected or handled in connection with Australia and is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Notification of the collection of personal information
Your personal information will be collected, used, and disclosed solely for the purposes of assessing your suitability for employment and managing the recruitment and hiring process. We may collect personal information directly from you and, where relevant to the recruitment process, from third parties such as referees nominated by you, recruitment agencies, background check providers, publicly available sources (including professional networking sites such as LinkedIn), and other sources permitted by law.
Consequences if Information is Not Provided
If you do not provide requested information, we may be unable to consider your application.
Disclosure of Data
Primary purpose (recruitment) or related purpose expected by candidate.
If any personal information is provided to the Company by a Third party such as. Recruitment agencies you will be notified of the name of the entity.
Reference Check
You consent to the Company contacting the referees provided for the purpose of conducting reference checks as part of the recruitment and hiring process, in accordance with this Privacy Policy.
Access and correction
You may request access to or correction of your personal information by contacting us, subject to applicable legal requirements.
Cross-Border Disclosure
Where personal information is disclosed overseas, we will take reasonable steps to ensure the overseas recipient does not breach the APPs and we may remain accountable for any breach by the overseas recipient.
Retention and Disposal
We take reasonable steps to protect your information. We will retain your information for recruitment purposes; and for future opportunities (unless you request deletion).
Information will be securely destroyed or de-identified when no longer required.
International transfers
Your personal information may be disclosed to recipients located outside Australia. We take reasonable steps to ensure that overseas recipients handle your personal information in a manner consistent with the Australian Privacy Principles (APPs). However, you acknowledge that overseas recipients may not be subject to Australian privacy laws and may not provide the same level of privacy protection as is available under Australian law.
Storage, Security and Retention
We take reasonable steps to protect your personal information from unauthorised access, use, disclosure, loss, or misuse. We will retain your personal information for the recruitment and hiring process and, with your consent, for future employment opportunities. You may request the deletion of your personal information at any time, subject to applicable legal requirements.
Information will be securely destroyed or de-identified when no longer required.
Complaints
If you have concerns about privacy, you may contact us. You may also contact the Office of the Australian Information Commissioner (OAIC).
Contact information
For any questions or request relating your personal data, please contact us using the contact details set out in Section 1 of this Privacy Notice.
12.2 Addendum Norway – Candidate Privacy Notice (GDPR)
If you are applying for a position in Norway, the following applies in addition to the general Privacy Notice:
Data controller
The data controller for your personal data is Origo Solutions AS, company registration no. 982 726 247. Privacy-related enquiries may be directed to HR by email: hr@origo-s.no.
Legal basis for processing
We process your personal data in accordance with the Norwegian Personal Data Act and the EU General Data Protection Regulation (GDPR) where:
– processing is necessary to take steps at your request prior to entering into a contract (assessment of your application and conduct of the recruitment process)
– there is a legitimate interest, for the retention and documentation of the recruitment process following a rejection decision.
– consent has been given, where you have permitted us to retain your details in a talent pool for future relevant vacancies.
Categories of personal data
We process ordinary personal data such as name, contact details, CV, cover letter, employment history, education, certificates and reference information. We do not request special categories of personal data such as health, religion or trade union membership, unless this is required by law for the position in question.
Source of personal data
Personal data is collected primarily directly from you. Where applicable, we may also receive information from recruitment agencies, referees you have nominated, or publicly available sources such as LinkedIn.
Disclosure of personal data
Your data may be shared with relevant internal decision-makers at Origo Solutions AS, with third-party service providers acting as data processors, and with referees you have nominated. We do not share your data with other third parties unless a legal basis exists for doing so.
Retention period
We retain your personal data for as long as necessary for the purposes for which it was collected. Data relating to unsuccessful candidates is normally deleted within three months of the conclusion of the recruitment process. We may retain data beyond this period where required by law or to protect our legitimate interests, for example in connection with a potential complaint or dispute relating to the recruitment process. Where you have consented to inclusion in a talent pool, your data will be retained for up to twelve months from the date of consent. Data relating to successful candidates is transferred to the personnel file and processed in accordance with the employment relationship.
Your rights
– the right to access the personal data we hold about you (GDPR Article 15)
– the right to request rectification of inaccurate data (Article 16)
– the right to erasure in certain circumstances (Article 17)
– the right to restriction of processing (Article 18)
– the right to data portability (Article 20)
– the right to object to processing based on legitimate interests (Article 21)
Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To exercise your rights, please contact us at hr@origo-s.no.
Provision of personal data
Certain personal data is required for us to process your application. Failure to provide such data may affect our ability to consider or progress your application.
International transfers
Your personal data is processed primarily within the EU/EEA. Where data is transferred to countries outside the EU/EEA, such transfers take place in accordance with GDPR , including through the use of the EU Standard Contractual Clauses or another valid transfer mechanism.
Security measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration or disclosure. These measures include access controls, encryption of data in transit, and regular review of our security practices
Right to lodge a complaint
You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) if you believe we are processing your personal data in breach of applicable data protection law. Datatilsynet can be contacted at www.datatilsynet.no or telephone: +47 22 39 69 00. We encourage you to contact us first so that we have the opportunity to address any concerns.
Contact
Any questions or requests regarding the processing of your personal data should be directed to HR at Origo Solutions AS at hr@origo-s.no.
12.3 Addendum United States -
Applicant Privacy Notice
Global Recruitment – Workday System
1. Introduction
This Privacy Notice describes how HIMA Group ("HIMA", "we", "us") collects, uses, and discloses personal information of applicants residing in the United States in connection with recruitment processes. This applies to data collected via Workday and other recruitment channels.
2. Categories of Personal Information We Collect
Identifiers (name, email, IP address); Professional and employment information (CV, work history); Education information; Recruitment data (interviews, assessments); Compliance data (work authorization, background checks); Technical data; Inferences; Sensitive personal information limited to legal requirements.
3. Sources of Personal Information
We collect personal information from applicants, recruitment agencies, references, background check providers, and internal HR systems including Workday.
4. Purposes of Processing
Managing recruitment, evaluating candidates, communication, verification, legal compliance, analytics, and legal claims defense.
5. Disclosure of Personal Information
We may disclose data within the HIMA Group, to IT providers (including Workday), recruitment agencies, background check providers, and advisors under contractual safeguards.
6. Sale or Sharing
HIMA does not sell personal data and does not share personal data for cross-context behavioral advertising.
7. Retention
Personal data is retained as long as necessary for recruitment, legal, and compliance obligations.
8. Your Rights
Applicants may have rights to access, delete, correct, and obtain copies of their personal data, limit use of sensitive data, and not be discriminated against.
9. Exercising Your Rights
Requests can be made to privacy@hima.com or dataprotection.recruiting@hima.com. Identity verification may be required.
10. California Disclosure
Personal information is handled in accordance with CCPA/CPRA. No sale of personal data. Use limited to business purposes.
11. Background Checks
Where permitted, HIMA conducts background checks in compliance with the Fair Credit Reporting Act (FCRA).
12. Security
HIMA maintains administrative, technical, and organizational safeguards to protect personal information.
13. Updates
This Privacy Notice may be updated periodically. The latest version is available on our careers website.
HIMA Group | Global Data Protection | privacy@hima.com
12.4 Addendum Singapore – Personal Data Protection Act (PDPA)
If you are applying for a position in Singapore, the following applies:
Collection, use and disclosure
We collect, use and disclose your personal data for the purposes described in this Privacy Notice, unless otherwise permitted or required under applicable law.
Consent
By submitting your application, you agree to the collection, use and disclosure of your personal data for the purposes set out in this Privacy Notice, except where processing is permitted or required under applicable law without consent.
Purpose limitation
We will not use or disclose your personal data for purposes other than those notified to you, unless permitted or required by law, or with your consent.
Access and correction
You may request access to or correction of your personal data held by us by contacting us using the contact details provided in this Privacy Notice.
Withdrawal of consent
You may withdraw your consent at any time by contacting us. Upon receipt of your request, we will cease processing your personal data for the relevant purposes, unless permitted or required by law.
Contact
If you have any questions regarding the processing of your personal data, please contact us using the contact details set out in Section 1 of this Privacy Notice.
12.5 Addendum Malaysia – Personal Data Protection Act 2010 (PDPA)
If you are applying for a position in Malaysia, the following applies:
Notice of processing
We process your personal data for the purposes described in this Privacy Notice, including recruitment and related activities.
Categories of personal data
The categories of personal data processed are described in Section 2 of this Privacy Notice.
Source of personal data
Your personal data is generally collected directly from you and, where applicable, from recruitment agencies, referees or publicly available sources.
Disclosure
Your personal data may be disclosed to the categories of recipients described in Section 5 of this Privacy Notice.
Provision of personal data
Where personal data is required for the application process, failure to provide such data may affect our ability to process or consider your application.
Choice and limitation
You may withdraw your consent to, or request limitation of, the processing of your personal data by contacting us using the contact details provided in this Privacy Notice.
Access and correction
You may request access to or correction of your personal data held by us, subject to applicable legal requirements.
International transfers
Your personal data may be transferred to locations outside Malaysia for the purposes described in this Privacy Notice, in accordance with applicable legal requirements.
Language
This Privacy Notice is provided in English. A Bahasa Malaysia version may be made available where required.
Contact
For any questions or requests relating to your personal data, please contact us using the contact details set out in Section 1 of this Privacy Notice.
12.6 Addendum India- Privacy Policy for Job Applicants
This Addendum supplements the Company’s Data Protection Policy (the “Policy”) and shall be read in conjunction therewith.
This Addendum applies to the processing of personal data of applicants for roles with HIMA Safety Automation India Pvt.Ltd. in Republic of India.
The primary applicable data protection legislation is Digital Personal Data Protection Act 2023 (“DPDPA”) as amended from time to time.
1. Data Fiduciary
In line with the Policy (Section 1) the data fiduciary for the processing of personal data of job applicants in India is:
- Entity: HIMA Safety Automation India Pvt.Ltd.
- Address: 11-13/14, 91 Springboard, Sadanand Business Center, Pashan Highway Side Road,Pune-411045, INDIA
- Contact: Recruitment.MiddleEast@hima.com
- HIMA Paul Hildebrandt GmbH: Data processor for central management of applications.
- Other HIMA Group companies: Joint data fiduciary s for applicant pools where consent is obtained.
- Workday: Data processor providing recruitment platform services, processing data on documented instructions from the data fiduciary .
- Recruitment agencies, assessment providers, background check providers, IT service providers: Data processors, subject to appropriate data processing agreements.
- Under Article 8 of the DPDPA , the data fiduciary shall implement appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, or destruction.
- Personal Data Breach Notification
- A “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
- All processors and internal users must notify the INDIA data fiduciary /privacy contact immediately upon becoming aware of a suspected or actual personal data breach.
- HIMA will assess notification obligations under the DPDPA and notify the Data Protection Board and the Affected Data Principals without undue delay where required.
In accordance with the DPDPA, the data fiduciary shall be responsible for:
- determining the purposes and means of processing personal data as provided;
- taking the appropriate technical and organizational measures and procedures to apply the necessary standards to protect and secure the personal data; and
- maintain record of the processing activities to ensure these are carried out in accordance with the DPDPA for the purpose, duration and under the terms provided in the Policy.
Provisions related to other entities which shall act as data processors shall be as provided in the Policy, and considering the following INDIA-specific requirements.
Each processor and sub-processor shall: (i) process applicant data only on documented instructions from the data fiduciary ; (ii) maintain confidentiality of personal data; (iii) implement appropriate technical and organisational security measures; (iv) assist the data fiduciary with data subject requests and breach notifications; (v) delete or return personal data at the end of services; (vi) keep processing records where required under the DPDPA; and (vii) impose equivalent obligations on any sub-processors (if any).
2. Categories of personal data collected
The provisions of the Policy (Clause 2) apply without modification.
It is further reinforced that applicants should not provide personal data unless requested by the Company or required by law.
Any personal data will be processed only where a valid lawful basis exists under the DPDPA . Where consent is relied upon for the processing of personal data, explicit consent will be obtained. Personal data will be subject to the provisions of the DPDPA.
For purposes of this section "Personal data" means any data about an individual who is identifiable by or in relation to such data; (Section 1 (t), DPDPA).
3. Purposes of processing
Personal data will be processed only with the clear, specified, consent of the Data Principle and for legitimate purposes outlined in the Policy (Clause 3). Processing shall be adequate, relevant, and limited to what is necessary for the stated purposes.
4. Legal basis for processing
In INDIA, where the DPDPA applies, as per Section 4 of the DPDPA the processing of personal data shall be supported on one or more of the following legal bases:
1.Consent of the Data Principal provided as per provisions of Section 6 of the DPDPA;
2.Certain Legitimate Uses as specified under Section 7 of the DPDPA.
Explicit consent will be required for the processing of sensitive personal data under Section 6 of the DPDPA .
Consent under the DPDPA must be Free, specific, informed, unconditional and unambiguous Must involve clear affirmative action Limited to data necessary for the specified purpose. Personal data may be processed without consent for certain Legitimate Uses as specified under Section 7 of the DPDPA which include:
- Voluntary provision of data by the Data Principal Example: Customer shares phone number to receive purchase receipt.
- State functions and public services Subsidies, benefits, licences, certificates, etc.
- Legal obligations or compliance with court orders
- Medical emergencies or public health situations Epidemics, emergencies threatening life or health.
- Disaster management or breakdown of public order
- Employment-related purposes HR functions, safeguarding trade secrets, preventing corporate espionage.
5. Recipients of the data
For the purposes of INDIA, data recipients include the categories outlined in the Policy, with their respective roles, as follows:
Under Section 8 (2) of the DPDPA , data processors must be contractually bound to process data only on the data fiduciary 's documented instructions.
The data fiduciary must ensure that recipients implement appropriate technical and organizational measures in accordance with Section 8 (4) of the DPDPA .
The provisions of the Policy (Clause 5) apply without modification.
6. International data transfers
Under Section 16 of the DPDPA read with Rule 15 of the DPDP Rules , Personal data processed by a Data Fiduciary in India may be transferred outside India, subject to restrictions imposed by the Central Government. However, it is pertinent to note that the Government may:
Restrict transfer of personal data to specific countries or territories by notification. Prescribe conditions or requirements for making personal data available to foreign states or foreign entities.
Further, Section 16(2) clarifies that cross-border transfers must also comply with other Indian laws that may impose stricter restrictions on data transfers.
The provisions of the Policy (Section 6) apply without modification.
7. Retention period
Under Rule 8(3) of the of the DPDP Rules, requires Data Fiduciaries to retain personal data, traffic data, and processing logs for a minimum of 1 year as Rule 23 allows the Government to require Data Fiduciaries or intermediaries to furnish information.
As such, the provisions of the Policy (Clause 7) apply without modification.
8. Data security
The provisions of the Policy (Clause 8) apply without modification.
In addition, the following local law requirements apply:
9. Rights of data subjects
Under the DPDPA , in line with the provisions of the Policy, data subjects have the following rights in relation to their personal data:
- Right of access to personal data (Article 11);
- Right to Correction, Completion, Updating and Erasure (Article 12);
- Right to Nominate (Article 14);
- Right to withdraw consent at any time (Article 6 (4));
- Right to Grievance Redressal (Article 13);
Requests to exercise any of the above rights should be directed by email to Recruitment.MiddleEast@hima.com. HIMA will verify the identity of the requester and respond in accordance with the DPDPA . Lawful limitations on rights may apply in certain circumstances. Where a request is refused or restricted, the applicant will be informed of the reasons.
10. Am I obliged to provide personal data?
The provisions of the Policy (Clause 10) apply without modification.
11. Updates to this privacy policy
The provisions of the Policy (Clause 11) apply without modification, provided that material changes to the Company’s data processing and practices will be informed to the data subjects pursuant to provisions of the DPDPA . Material changes will be notified via the recruitment portal. Where a change affects consent-based processing, renewed consent will be obtained where required.
12.7 Addendum United Arab Emirates (UAE)- Privacy Policy for Job Applicants
This Addendum (the “Addendum”) supplements the Company’s Data Protection Policy (the “Policy”) and shall be read in conjunction therewith.
Applicable Law
The primary applicable data protection legislation is Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”) as amended from time to time.
1. Data Controller
In line with the Policy (Section 1) the data controller for the processing of personal data of job applicants in the UAE is:
- Entity: HIMA Middle East FZE
- Address: X495+8RP, Mina Jebel Ali Dubai - U.A.E., United Arab Emirates
- Contact: Recruitment.MiddleEast@hima.com
- HIMA Paul Hildebrandt GmbH: Data processor for central management of applications.
- Other HIMA Group companies: Joint controllers for applicant pools where consent is obtained.
- Workday: Data processor providing recruitment platform services, processing data on documented instructions from the controller.
- Recruitment agencies, assessment providers, background check providers, IT service providers: Data processors, subject to appropriate data processing agreements.
- Where processing is based on consent, applicants have the right to withdraw their consent and request erasure of their personal data at any time with effect for the future.
- Where processing is supported in other grounds other than consent, the applicant may request the erasure of its personal data where any of the grounds available in Article 15 of the PDPL including, where such information is no longer required for the purposes collected and/or there are no legitimate reasons for the controller to keep processing.
- Under Article 8 of the PDPL, the controller shall implement appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, or destruction.
- Personal Data Breach Notification
- A “personal data breach” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- All processors and internal users must notify the UAE controller/privacy contact immediately upon becoming aware of a suspected or actual personal data breach.
- HIMA will assess notification obligations under the PDPL and notify the UAE Data Office without undue delay where required.
- Affected applicants will be notified where the breach is likely to result in significant harm. Incident records will be maintained documenting the nature of the breach, affected data, remedial actions and notifications made.
In accordance with the UAE PDPL, the controller shall be responsible for:
- determining the purposes and means of processing personal data as provided;
- taking the appropriate technical and organizational measures and procedures to apply the necessary standards to protect and secure the personal data; and
- maintain record of the processing activities to ensure these are carried out in accordance with the UAE PDPL for the purpose, duration and under the terms provided in the Policy.
Provisions related to other entities which shall act as processors shall be as provided in the Policy, and considering the following UAE-specific requirements.
Each processor and sub-processor shall: (i) process applicant data only on documented instructions from the controller; (ii) maintain confidentiality of personal data; (iii) implement appropriate technical and organisational security measures; (iv) assist the controller with data subject requests and breach notifications; (v) delete or return personal data at the end of services; (vi) keep processing records where required under the PDPL; and (vii) impose equivalent obligations on any sub-processors (if any).
2. Categories of personal data collected
The provisions of the Policy (Section 2) apply without modification.
It is further reinforced that applicants should not provide sensitive personal data unless requested by the Company or required by law.
Any sensitive personal data will be processed only where a valid lawful basis exists under the PDPL. Where consent is relied upon for the processing of sensitive personal data, explicit consent will be obtained. Sensitive personal data will be subject to enhanced access controls, data minimisation and retention limits.
For purposes of this section "Sensitive personal data" includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal data, biometric data, genetic data, health data, data concerning sexual life, and data of minors (Article 1, PDPL).
3. Purposes of processing
Personal data will be processed for the clear, specified, and legitimate purposes outlined in the Policy (Section 3). Processing shall be adequate, relevant, and limited to what is necessary for the stated purposes.
4. Legal basis for processing
In the UAE, where the PDPL applies, the processing of personal data shall be supported on one or more of the following legal bases:
- The data subject has given consent; or
- Processing is necessary to protect the vital interests of the data subject (Article 4.7, PDPL);
- Processing is necessary for compliance with legal obligations applicable to the controller (Article 4.8, PDPL);
- Processing is necessary for the performance of an obligation as per the data subject's request (Article 4.9, PDPL);
- Processing is in the public interest (Article 4.1);
- Processing is necessary for the establishment, exercise or defence of legal claims (Article 4, PDPL).
Explicit consent will be required for the processing of sensitive personal data under Article 7 of the PDPL.
Consent under the PDPL must be freely given, specific, informed and capable of withdrawal. Withdrawal of consent will not affect processing lawfully carried out before withdrawal.
5. Recipients of the data
For the purposes of the UAE, data recipients include the categories outlined in the Policy, with their respective roles, as follows:
Under Article 9 of the PDPL, data processors must be contractually bound to process data only on the controller's documented instructions.
The controller must ensure that recipients implement appropriate technical and organizational measures in accordance with Article 8 of the PDPL.
The provisions of the Policy (Section 5) apply without modification.
6. International data transfers
Under Article 22 of the PDPL, the cross-border transfer of personal data is permitted where:
- The receiving country has an adequate level of protection as determined by the UAE Data Office;
- Appropriate safeguards are in place
- The data subject has given explicit consent after being informed of the risks associated with the transfer;
- The transfer is necessary for the performance of a contract, legal proceedings, or the protection of vital interests.
UAE applicant data may be transferred to the destination countries outlined in the Policy and other jurisdictions in which the HIMA Group or its service providers operate.
In any case, transfers are made in accordance with the PDPL on the following bases: (i) the receiving country provides adequate protection and (ii) contractual safeguards contained in the HIMA intercompany agreement governing data transfers within the Group and/or service providers data processing agreements.
The provisions of the Policy (Section 6) apply without modification.
7. Retention period
Under Article 5(7) of the PDPL, personal data must not be kept longer than necessary for the specified purposes of processing. As such, the provisions of the Policy (Section 7) apply without modification.
In addition, the following local law requirements apply:
8. Data security
The provisions of the Policy (Section 8) apply without modification.
In addition, the following local law requirements apply:
9. Rights of data subjects
Under the PDPL, in line with the provisions of the Policy, data subjects have the following rights in relation to their personal data:
- Right of access to personal data (Article 13);
- Right to rectification of inaccurate personal data (Article 15);
- Right to erasure of personal data (Article 15);
- Right to restrict processing (Article 16);
- Right to request transfer of personal data (Article 14);
- Right to object to automated individual decision-making (Article 18);
- Right to withdraw consent at any time (Article 6(2));
- Right to object to processing in accordance with Article 17.
Requests to exercise any of the above rights should be directed to Recruitment.MiddleEast@hima.com. HIMA will verify the identity of the requester and respond in accordance with the PDPL. Lawful limitations on rights may apply in certain circumstances. Where a request is refused or restricted, the applicant will be informed of the reasons.
10. Am I obliged to provide personal data?
The provisions of the Policy (Section 10) apply without modification.
11. Updates to this privacy policy
The provisions of the Policy (Section 11) apply without modification, provided that material changes to the Company’s data processing and practices will be informed to the data subjects pursuant to Article 12 of the PDPL. Material changes will be notified via the recruitment portal. Where a change affects consent-based processing, renewed consent will be obtained where required.
12.8 Addendum Kingdom of Saudi Arabia (KSA)- Privacy Policy for Job Applicants
This Addendum (the “Addendum”) supplements the Company’s Data Protection Policy (the “Policy”) and shall be read in conjunction therewith.
Applicable Law
The primary applicable data protection legislation is Cabinet Decision No. 98/1443 as amended by Cabinet Decision No. 604/1444 (the “PDPL”) and Administrative Decision No. 1516/1445 (the “Implementing Regulations”).
1. Data Controller
The data controller for the processing of personal data of job applicants in KSA is:
• Entity: HIMA Saudi Arabia
• Address: Second Industrial City, 166 St., Dammam, Saudi Arabia
• Contact: Recruitment.MiddleEast@hima.com
2. Categories of personal data collected
The provisions of the Policy (Section 2) apply without modification.
In addition, the following local law requirements apply:
- "Sensitive data" under Article 1 of the PDPL includes: personal data related to the individual's ethnic or tribal origin, or religious, intellectual or political belief, as well as criminal and security data, identifying biometric data, Genetic Data, Health Data, and data that indicates that one or both parents of the individual are unknown.
- Applicants should not include sensitive personal data in their applications unless expressly requested or required by law. Consent will be the only legal basis for such processing.
- Processors of Personal Data shall follow the instructions of the controller, as determined in suitable written agreements, and comply with the obligations of the PDPL (Article 17 of the Implementing Regulations).
- Under Article 29(1) of the PDPL, a controller may transfer personal data outside KSA, or disclose it to a party outside KSA, to achieve, among others, performance of an obligation to which the data subject is a party.
- The HIMA Group's intercompany agreement and Standard Contractual Clauses referenced in the Policy (Section 6) served as an appropriate safeguard for the purposes of Article 29(2)(b) of the PDPL.
- Under Article 18(1) of the PDPL, the controller must, without undue delay, destroy personal data once it is no longer necessary for the purpose for which it was collected.
- Under Article 18(2) of the PDPL, the controller must retain personal data beyond the purpose of collection where there is a legal basis requiring retention for a specific period (in which case the data must be destroyed on expiry of that period or satisfaction of the purpose, whichever is later).
- Under Article 23 of the Implementing Regulations, the controller shall implement appropriate organizational, administrative, and technical measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.
- Under Article 24(1) and (5) of the Implementing Regulations, the controller shall notify the competent authority of personal data breaches within a period not exceeding (72) hours from the time it became aware of the incident. The controller must also notify affected data subjects without undue delay where the breach is likely to cause them material harm.
3. Purposes of processing
The provisions of the Policy (Section 3) apply without modification.
4. Legal basis for processing
Processing of applicant personal data will generally be carried out on the basis of consent obtained from the applicant under Article 5 of the PDPL.
Where consent cannot reasonably be obtained or relied upon, the controller may rely on one of the exceptions in Article 6 described below:
- The processing serves the actual interests of the data subject, but communicating with the data subject is impossible or difficult (Article 6(1));
- The processing is pursuant to another law or in implementation of a previous agreement to which the data subject is a party (Article 6(2)); and
- The processing is necessary for the legitimate interest of the controller, without prejudice to the rights and interests of the data subject, provided that no sensitive data is processed (Article 6(4)).
Any processing of sensitive data shall be carried out on the basis of consent.
5. Recipients of the data
The provisions of the Policy (Section 5) apply without modification.
In addition, the following local law requirements are considered:
6. International data transfers
The provisions of the Policy (Section 6) apply without modification.
In addition, the following local law requirements are considered:
7. Retention period
The provisions of the Policy (Section 7) apply without modification.
In addition, the following local law requirements apply:
8. Data security
The provisions of the Policy (Section 8) apply without modification.
In addition, the following local law requirements apply:
9. Rights of data subjects
Under the PDPL, data subjects have the following rights in relation to their personal data:
- Right to be informed of the legal basis and purpose of the collection of personal data (Article 4(1));
- Right to access personal data held by the controller, subject to the conditions and limitations in Article 9 (Article 4(2));
- Right to request that personal data held by the controller be provided in a readable and clear format (Article 4(3));
- Right to request the correction, completion, or updating of inaccurate, incomplete, or outdated personal data (Article 4(4));
- Right to request destruction of personal data held by the controller when no longer needed by the data subject, subject to Article 18 (Article 4(5));
- Right to withdraw consent at any time, where consent is the basis for processing (Article 5(2)).
Requests to exercise any of the above rights should be directed to Recruitment.MiddleEast@hima.com.
Response shall be given within a time period not exceeding thirty (30) days, as provided in Article 3 of the Implementing Regulations.
10. Am I obliged to provide personal data?
The provisions of the Policy (Section 10) apply without modification.
11. Updates to this privacy policy
The provisions of the Policy (Section 11) apply without modification.
Material changes will be notified via the recruitment portal. Where a change affects consent-based processing, renewed consent will be obtained where required.
12.9 Addendum TURKEY- Privacy Policy for Job Applicants
As Hıma Turkey Endüstriyel Otomasyon Limited Şirketi (“HIMA” or “the Company”), we attach great importance to the protection of personal data and exercise the utmost care regarding personal data security in all our activities. In this context, through this Job Applicant Information Notice, the Company, acting as the data controller, wishes to inform our job applicants in accordance with Article 6698 of the Law on the Protection of Personal Data (“KVKK”) and the Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Obligation to Provide Information.
1. Our Methods of Collecting Your Personal Data and Legal Grounds
Your personal data is collected electronically or physically, using partially or fully automated methods, through our Company’s global application platforms, digital human resources management systems, and information and documents you have provided electronically, verbally, or in person via email and/or during your job interview, and/or by obtaining information from the individuals you have listed as references.
Your personal data is processed based on one or more of the following processing conditions set forth in Article 5 of the Personal Data Protection Law (KVKK):
• it is directly related to the conclusion or performance of a contract (Art. 5/2-c);
• it is necessary for the Company to fulfill its legal obligations (Art. 5/2-ç);
• it is necessary for the establishment, exercise, or protection of a right (Art. 5/2-e);
• it is necessary for the Company’s legitimate interests, provided that it does not infringe upon the data subject’s fundamental rights and freedoms (Art. 5/2-f);
• the data subject’s explicit consent (Art. 5/1).
Explicit consent may be freely withdrawn at any time and remains valid until it is withdrawn; the statement of explicit consent is obtained separately from this privacy notice.
When your sensitive personal data is processed, the legal grounds relied upon are as follows: as provided by law pursuant to Article 6 of the KVKK; legal obligations in the areas of employment, occupational health and safety, social security, social services, and social assistance; the establishment, exercise, or protection of a right; or your disclosure of the data or your explicit consent. In the processing of sensitive personal data based on explicit consent, consent is obtained separately and explicitly.
2. Purposes of Processing Your Personal Data and the Personal Data Processed
Your Personal Data, including your special category personal data, is processed within the framework of the personal data processing conditions specified in Articles 5 and 6 of the Law, in accordance with the Company’s human resources policies and within the scope of job application evaluation and hiring activities, for the purposes of Conducting Job Applicant Application Processes and Conducting Job Applicant Placement Processes.
|
Personal Data Category |
Description |
|
Identity Data |
First name, surname, date of birth, place of birth, nationality, gender, Turkish ID number, signature, and all other personal data contained in your identification documents |
|
Contact Data |
Contact information such as residence, address, phone number, and e-mail address |
|
Financial Data |
Salary expectations |
|
Professional Experience Data |
Graduation information, education details and qualifications, professional background, job title, work experience, foreign language proficiency, skills and certificates, course and seminar information, etc. |
|
Personnel Data |
Work permit and visa status, interview notes, assessment results, recruiters’ assessments, and hiring decisions |
|
Transaction Security Data |
In case of using the recruitment portal; IP address, browser type, device information, system usage data |
|
Visual and Audio Data |
Your photo, if included in your resume |
|
Criminal Convictions and Security Measures |
Results of the background check |
|
Health Data |
Information regarding specific health conditions, disability status, and your blood type, if included in your resume |
|
Other |
Military status information, reference information |
Candidates are strongly advised not to include sensitive personal data (e.g., health, religion, membership, criminal convictions, biometric/genetic data, etc.) in their application documents unless explicitly requested or required by law. In accordance with Article 6 of the Personal Data Protection Law (KVKK), special category personal data is processed only if there is a valid legal basis.
3. Transfer of Your Personal Data to Third Parties and/or Abroad
Your personal data will be transferred in accordance with the transfer conditions specified in Articles 8 and 9 of the KVKK, for the purpose(s) outlined in the “Purposes of Processing Your Personal Data” section of this Privacy Notice; (i) With the recruitment platform Workday, which is used to conduct global application and evaluation processes, and primarily with our parent company HIMA Paul Hildebrandt GmbH and our group companies, (ii) To third parties located domestically and/or abroad that provide support in areas such as storage, archiving, and hosting (servers, hosting, software, cloud computing) for the purpose of carrying out our company’s information security processes, primarily with our parent company and group companies for the sake of data integrity, (iii) To third-party service providers acting on our behalf, such as recruitment agencies, assessment providers, and background check providers, to assist with the evaluation and recruitment processes, (iv) To the individuals you have listed as references as part of the reference check process, and (v) may be shared with all relevant authorized institutions, organizations, and authorities to the extent required upon request.
Currently, the transfer of personal data abroad, in the context of our ordinary business activities, is carried out in accordance with Article 9 of the Law and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad; subject to the existence of appropriate safeguards, such as an adequacy decision issued by the Board binding corporate rules approved by the Board or a standard contract, which includes matters such as data categories, the purposes of the data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data. However, pursuant to Article 9/6 of the Law, our Company may transfer your personal data abroad on an ad hoc basis if one of the following conditions is met:
a) The data subject’s explicit consent to the transfer, provided that the data subject has been informed of the potential risks.
b) The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject’s request.
c) The transfer is necessary for the conclusion or performance of a contract to be entered into between the data controller and another natural or legal person for the benefit of the data subject.
d) The transfer is necessary for an overriding public interest.
e) The transfer of personal data is necessary for the establishment, exercise, or defense of a legal claim.
f) The transfer for the protection of the life or physical integrity of the data subject or another person, where the data subject is incapable of disclosing his/her consent due to actual impossibility or where consent is not legally valid.
g) The transfer is made from a publicly available registry, provided that the conditions for accessing the registry prescribed by the relevant legislation are met and the request is made by a person with a legitimate interest.
4. Retention Periods
Your personal data will not be retained for a period longer than is necessary for the purpose of processing, in accordance with Article 4 of the KVKK.
• Ongoing application process: throughout the process and for 6 months if the outcome is negative (subject to applicable statute of limitations);
• Talent pool: Based on explicit consent, generally up to 24 months from the last contact;
• Legal obligations: for the duration required by applicable legislation and statute of limitations periods.
Data for which retention periods have expired is securely deleted, destroyed, or anonymized.
5. Access to Your Personal Data and Your Rights Under the KVKK
Within the scope of Law No. 6698 on the Protection of Personal Data, you can exercise the following rights by applying to the data controller HIMA;
a) To learn whether his/her personal data are processed or not,
b) To demand for information as to if his/her personal data have been processed,
c) To learn the purpose of processing of his/her personal data and whether these personal data are used in compliance with the purpose,
d) To know the third parties to whom his/her personal data are transferred in country or abroad,
e) To request the rectification of the incomplete or inaccurate data, if any and to request reporting of the operations carried out within this scope to third parties to whom personal data is transferred,
f) To request the erasure or destruction of his/her personal data in the event that the reasons requiring its processing disappear and to request reporting of the operations carried out within this scope to third parties to whom personal data is transferred,
g) To object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
h) To claim compensation for the damage arising from the unlawful processing of his/her personal data.
You may submit your requests under Article 11 of the Law, which governs the rights of data subjects, by preparing them in accordance with Communiqué on the Procedures and Principles of Application to Data Controllers, including the necessary information to verify your identity and an explanation of the right you wish to exercise, and sending them via email to or by mail to our address hazırlayarak Esentepe Mah. Talat Paşa Cad. No:5 İç Kapı No:1 Şişli/İstanbul/Türkiye, or via email to Recruitment.MiddleEast@hima.com. Your requests will be responded to within a maximum of thirty (30) days, as provided by the law. In the event that there is an incomplete or unclear issue in the information or documents submitted to us, we may contact you to resolve the deficiency or ambiguity in order to fulfill your request. Although it is essential not to charge any fee for the requests, the Company reserves the right to charge a fee based on the fee tariff determined by the Personal Data Protection Board. Please verify the current application procedures in the relevant legislation before submitting your request.
6. Updates
This privacy notice may be updated from time to time. Substantial changes will be communicated to candidates in accordance with the disclosure obligations under the Personal Data Protection Law (KVKK); if the change affects a processing activity based on explicit consent, explicit consent will be obtained again as necessary. The current version is published on the Company’s career page.