Updated: March 20, 2023
The BNY Mellon affiliate responsible for your personal information will be the BNY Mellon affiliate identified in your employment contract or contract for services (“BNY Mellon”, “we”, “us”), and will be the data controller of your personal information. In addition, where the personal information is processed by other members of BNY Mellon Group for their own independent purposes, those BNY Mellon Group members will be independent controllers of your personal information.
This EMEA Personal Information Privacy Notice (“Notice”) replaces the existing EMEA Personal Information Privacy Notice. This Notice explains how we collect, use and share employees’ personal information, including:
We may amend this Notice from time to time to keep it up to date with legal requirements and the way in which we operate our business. If we make changes to this Notice, we will seek to inform you by notice on the BNY Mellon intranet or email ("Notice of Change").
What Information Do We Process?
Where permitted by EU law or the law of the jurisdiction in which your employer is located, we may collect the following personal information about you for the purposes described in this Notice:
- Personal details: your title, name, previous or maiden name, gender, nationality, civil/marital status, date of birth, age, personal contact details (e.g. address, telephone or mobile number, e mail), national ID number, immigration and eligibility to work information, driving licence, passport/national ID card languages spoken, next of kin/dependant/emergency contact information, details of any disability and any reasonable adjustments required as a result;
- Recruitment and candidate selection information: skills and experience, qualifications, references, CV and application, interview and assessment data, background and verification information (e.g. results of credit reference check, financial sanction check and a basic disclosure criminal record check relating to unspent convictions), right to work verification, information related to the outcome of your application, details of any offer made to you;
- Information related to your engagement: contract of employment or engagement, work contact details (e.g. corporate address, telephone number, e mail), employee or payroll number, photograph, work location default hours, default language, time zone and currency for location, your worker ID and various system IDs, your work biography, your assigned business unit or group, your reporting line, your employee/contingent worker type, your hire/contract begin and end dates, terms and conditions of engagement, your cost centre, your job title and job description, your working hours and patterns, whether you are full or part time, your termination/contract end date, the reason for termination, your last day of work, exit interviews, references to be provided to prospective employers, status (active/inactive/terminated), position title, the reason for any change in job and date of change;
- Regulatory information: records of your registration with any applicable regulatory authority, your regulated status, including any criminal record or credit background checks which may be necessary, and any regulatory certificates and references;
- Remuneration and benefits information: your remuneration information (including salary/hourly plan/contract pay/fees information as applicable, allowances, overtime, bonus and commission plans), payments for leave/absence (e.g. holiday pay, sick pay, family leave pay), bank account details, grade, social security number, tax information, third party benefit recipient information (e.g. expression of wish and dependants information), details of any benefits you receive or are eligible for, benefit coverage start date, expense claims and payments, loans, deductions, salary sacrifice arrangements, childcare vouchers, share scheme participation, information and agreements;
- Leave information: attendance records, absence records (including dates and categories of leave/time off requests and approvals), holiday dates, requests and approvals and information related to family leave or other special or statutory leave;
- Absence management information: absence history, fit notes, details of incapacity, details of work impact and adjustments, details of treatment and prognosis, manager and Human Resources (HR) communications, return to work interviews, meeting records, medical reports, occupational health reports;
- Flexible working procedure information: requests, consideration, correspondence, meeting notes and outcome records;
- Restructure and redundancy records: change plans, organisation charts, consultation records, selection and redeployment information;
- Performance management information: colleague and manager feedback, your appraisals and performance review information, outcomes and objectives, talent programme assessments and records, succession plans, formal and informal performance management process records;
- Training and development information: data relating to training and development needs or training received or assessments completed;
- Disciplinary and grievance information: allegations, complaints, investigation and proceeding notes, records and outcomes;
- Health and safety information: health and safety audits, health and safety screening requests and results, risk assessments, incident reports;
- Monitoring information: closed circuit television footage, system and building login and access records, download and print records, call or meeting recordings, information captured by IT security programmes and filters;
- Employee claims, complaints and disclosures information: subject matter of employment or contract based litigation and complaints, pre claim conciliation, communications, settlement discussions, claim proceeding records, employee involvement in incident reporting and disclosures;
- Equality and diversity information (where authorised by law and provided voluntarily): information regarding gender, age, race, nationality, religious belief and sexuality (reported anonymously for equal opportunities monitoring purposes); and
- Any other personal information that you choose to provide to us during the course of your employment, whether verbally or in written form.
Sensitive and special categories of personal information
Where permitted by EU law or the law of the jurisdiction in which your employer is located, we may collect and process a limited amount of the following personal information falling into special categories, sometimes called "sensitive personal information":
- Health-related details, including any reasonable adjustments that we may be required by law to make to your working arrangements (note this is not permitted in Austria, Belgium, Germany, the Netherlands);
- Information revealing racial, ethnic or communal origin (note this is not permitted in Belgium, France, Germany, Ireland, Luxembourg, the Netherlands, Poland);
- Judicial information, including the results of criminal or police records checks which can include details of offences, alleged offences and sentences and information from other intelligence sources (subject to relevant local laws and record retention periods) (Processes will vary by country in accordance with varying local law requirements; this is not permitted in Germany unless the processing of such personal information is directly related to the role which will be carried out by the applicant, or the role of the employee);
- Employee Representative Body Membership;
- Marital status and next of kin;
- Political opinions, religious beliefs or other similar beliefs and sexual orientation, should you choose to provide any such information to us (note this is not permitted in Belgium, France, Germany (except for church tax), the Netherlands, Poland); and
- Biometric data, in the form of individual voice prints, which can be used by employees to automatically lock or unlock their accounts, with the consent of the employee.
How Does BNY Mellon Collect Information?
We collect your personal information from a variety of sources, but in most circumstances directly from you. You will usually provide this information directly to your managers or local HR contact, or enter it into our systems (for example, through Employee Self Service (eSS), your participation in HR processes, emails and instant messages which may be recorded electronically or manually). In addition, further information about you will come from your managers, HR or occasionally from your colleagues.
Where permitted by EU law or the law of the jurisdiction in which your employer is located, we may also obtain some information from third parties, e.g. references from a previous employer, medical reports from external professionals, information from tax authorities, benefit providers or where we employ a third party to carry out a background check or, occasionally, from clients.
In some circumstances, personal information may be collected indirectly from monitoring devices (including personal devices used to access the secure BNY Mellon network; collection of personal information from personal devices is limited only to BNY Mellon containers within the devices used to access the secure BNY Mellon network, technical information about the device and records of when it was last used to access BNY Mellon applications) or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings, instant message logs, email and Internet access logs, web and removable media (e.g. USB) upload logs and printer logs, including information sent from the secure BNY Mellon network to home printers) if and to the extent authorised by applicable laws. In these circumstances, the personal information may be collected by BNY Mellon or a third party provider of the relevant service. Access may occur, for instance, where permissible by law, in situations where BNY Mellon is reviewing occupancy and building access information, investigating possible violations of Company policies, or conducting random reviews of its systems to ensure appropriate activities are being carried out.
The personal information BNY Mellon collects will usually be required to enable us to fulfil a contract or provide a service, or to fulfil our regulatory or legal obligations. Where we ask you to provide personal information to us on a mandatory basis, we will inform you of this at the time of collection and, in the event that particular information is required by the contract or statute, this will be indicated. The failure to provide mandatory information will mean that we cannot carry out certain HR processes. For example, if you do not provide us with your bank details, we will not be able to pay you. In some cases it may mean that we are unable to continue with your employment or engagement, as BNY Mellon will not have the personal information we believe to be necessary for the effective and efficient administration and management of our relationship with you. If the provision of personal information is voluntary, you will be informed of this at the point of collection and there will be no consequences to you if personal information is not provided.
Apart from personal information relating to you, you may also provide BNY Mellon with personal information of third parties, notably your dependants and other family members, for purposes of HR administration and management, including the administration of benefits and someone to contact in an emergency. Before you provide such third party personal information to BNY Mellon you must first inform these third parties of any such information that you intend to provide to BNY Mellon and of the processing to be carried out by BNY Mellon, as detailed in this Notice.
What are the Purposes for Which Personal Information is Processed and What is Our Legal Basis for Carrying Out the Processing?
Your personal information is collected and processed for various purposes, in accordance with EU law, the law of the jurisdiction in which your employer is located and/or any applicable collective bargaining agreements. We have set out in this Notice the purposes for which we may use your personal information. Personal information may occasionally be used for purposes not obvious to you where the circumstances warrant such use, e.g. in investigations or disciplinary proceedings. We may, where we think it is necessary, provide you with additional information in relevant HR policies to ensure that you understand how your personal information may be used.
The legal basis on which we process your personal information
We will only collect, use and share your personal information where we are satisfied that one or more of the following lawful bases apply (subject to any local law derogations stated herein):
- The processing is necessary for compliance with a legal obligation under EU law, EU member state law or applicable local law for non-EU jurisdictions, to which BNY Mellon is subject, for example, disclosing information to local tax authorities, making statutory payments, avoiding unlawful termination, avoiding unlawful discrimination, meeting statutory record keeping requirements or health and safety obligations;
- The processing is necessary for the performance of a contract to which you are a party or in order to take steps, at your request, prior to entering into such a contract, for example collecting bank details to pay your salary or processing information to provide you with the contractual benefits to which you are entitled;
- The processing is necessary for the legitimate interests pursued by BNY Mellon or (in limited circumstances) by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information; or
- The processing is based on your consent. Consent will be used where there is voluntary processing for special category data where no other legal justification applies, where the processing is at an employee’s request or where the processing is required under EU law or the law of the jurisdiction in which your employer is located. Where consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested. You should be aware that it is not a condition or requirement of your employment to agree to any request for consent from BNY Mellon, and that there will be no negative impact if you do not agree.
Where we rely on our legitimate interests, we will do so on the basis that the activity:
- is necessary for us to meet our business or commercial objectives and to provide services to our clients and cannot be achieved without reliance on our legitimate interests;
- is proportionate and would not cause unjustified harm;
- is aligned to, or would not conflict with, your reasonable expectations;
- does not undermine your individual rights, interests or freedoms; and
- on balance, does not outweigh your privacy rights.
BNY Mellon considers that it has a legitimate interest in processing personal information to support the achievement of its immediate and long-term business goals and outcomes for the purposes set out in the table below.
For permanent employees of BNYM entities in Germany (excluding persons engaged by such German entity by way of a service contract) (“German Employees”) we will only collect, use and share your personal information for employment-related purposes where we are satisfied that one or more of the following lawful bases apply:
- The processing is necessary for (i) hiring decisions, and (ii) after hiring, for carrying out or terminating the employment contract, for example, disclosing information to local tax authorities, making statutory payments, avoiding unlawful termination, avoiding unlawful discrimination, meeting statutory record keeping requirements or health and safety obligations, collecting bank details to pay your salary or processing information to provide you with the contractual benefits to which you are entitled;
- The processing is necessary to investigate crimes only if there is a documented reason to believe the data subject has committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the data subject’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason;
- The processing is necessary to exercise or satisfy rights and obligations of employees’ representation laid down by law or by collective agreements or other agreements between the employer and works council; or
Consent
Where permitted by EU law or the law of the jurisdiction in which your employer is located, the processing of your personal information may, in specific circumstances, be based on your consent. Consent will be used where there is voluntary processing for special category data where no other legal justification applies, where the processing is at an employee’s request or where ‘consent’ is required under EU law, EU member state law or other applicable local law. Where consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your employment to agree to any request for consent from BNY Mellon, and that you have a right to revoke your consent at any time, by contacting your local HR representative.
Additional legal basis we rely on where we process special categories of personal information
We will only collect, use and share your special categories of personal information where one of the following additional lawful bases apply:
- The processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or BNY Mellon in the fields of employment law, social security and social protection law and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the personal information;
- The processing is necessary for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment;
- The processing is necessary to protect your vital interests or those of another person where you are physically or legally incapable of giving consent (for example in exceptional emergency situations, such as a medical emergency);
- The processing is necessary for purposes permitted by EU law, EU member state law or any other law for specific purposes to which BNY Mellon is subject, such as preventing fraud, preventing terrorist financing, diversity monitoring;
- The processing is necessary for the establishment, exercise or defence of legal claims; or
- In exceptional circumstances the processing is carried out subject to your explicit consent (as explained above).
The purposes for which we use your personal information and the lawful bases which apply
We have identified a number of purposes for collecting and processing your personal information. These are set out below together with the lawful bases which apply for each case: