BNY Mellon EMEA Personal Information Privacy Notice

Updated: March 20, 2023

 

The BNY Mellon affiliate responsible for your personal information will be the BNY Mellon affiliate identified in your employment contract or contract for services (“BNY Mellon”, “we”, “us”), and will be the data controller of your personal information. In addition, where the personal information is processed by other members of BNY Mellon Group for their own independent purposes, those BNY Mellon Group members will be independent controllers of your personal information.

 

This EMEA Personal Information Privacy Notice (“Notice”) replaces the existing EMEA Personal Information Privacy Notice. This Notice explains how we collect, use and share employees’ personal information, including: 

We may amend this Notice from time to time to keep it up to date with legal requirements and the way in which we operate our business. If we make changes to this Notice, we will seek to inform you by notice on the BNY Mellon intranet or email ("Notice of Change").

 


What Information Do We Process?

 

Where permitted by EU law or the law of the jurisdiction in which your employer is located, we may collect the following personal information about you for the purposes described in this Notice:

  • Personal details: your title, name, previous or maiden name, gender, nationality, civil/marital status, date of birth, age, personal contact details (e.g. address, telephone or mobile number, e mail), national ID number, immigration and eligibility to work information, driving licence, passport/national ID card languages spoken, next of kin/dependant/emergency contact information, details of any disability and any reasonable adjustments required as a result;
  • Recruitment and candidate selection information: skills and experience, qualifications, references, CV and application, interview and assessment data, background and verification information (e.g. results of credit reference check, financial sanction check and a basic disclosure criminal record check relating to unspent convictions), right to work verification, information related to the outcome of your application, details of any offer made to you;
  • Information related to your engagement: contract of employment or engagement, work contact details (e.g. corporate address, telephone number, e mail), employee or payroll number, photograph, work location default hours, default language, time zone and currency for location, your worker ID and various system IDs, your work biography, your assigned business unit or group, your reporting line, your employee/contingent worker type, your hire/contract begin and end dates, terms and conditions of engagement, your cost centre, your job title and job description, your working hours and patterns, whether you are full or part time, your termination/contract end date, the reason for termination, your last day of work, exit interviews, references to be provided to prospective employers, status (active/inactive/terminated), position title, the reason for any change in job and date of change;
  • Regulatory information: records of your registration with any applicable regulatory authority, your regulated status, including any criminal record or credit background checks which may be necessary, and any regulatory certificates and references;
  • Remuneration and benefits information: your remuneration information (including salary/hourly plan/contract pay/fees information as applicable, allowances, overtime, bonus and commission plans), payments for leave/absence (e.g. holiday pay, sick pay, family leave pay), bank account details, grade, social security number, tax information, third party benefit recipient information (e.g. expression of wish and dependants information), details of any benefits you receive or are eligible for, benefit coverage start date, expense claims and payments, loans, deductions, salary sacrifice arrangements, childcare vouchers, share scheme participation, information and agreements;
  • Leave information: attendance records, absence records (including dates and categories of leave/time off requests and approvals), holiday dates, requests and approvals and information related to family leave or other special or statutory leave;
  • Absence management information: absence history, fit notes, details of incapacity, details of work impact and adjustments, details of treatment and prognosis, manager and Human Resources (HR) communications, return to work interviews, meeting records, medical reports, occupational health reports;
  • Flexible working procedure information: requests, consideration, correspondence, meeting notes and outcome records;
  • Restructure and redundancy records: change plans, organisation charts, consultation records, selection and redeployment information;
  • Performance management information: colleague and manager feedback, your appraisals and performance review information, outcomes and objectives, talent programme assessments and records, succession plans, formal and informal performance management process records;
  • Training and development information: data relating to training and development needs or training received or assessments completed;
  • Disciplinary and grievance information: allegations, complaints, investigation and proceeding notes, records and outcomes;
  • Health and safety information: health and safety audits, health and safety screening requests and results, risk assessments, incident reports;
  • Monitoring information: closed circuit television footage, system and building login and access records, download and print records, call or meeting recordings, information captured by IT security programmes and filters;
  • Employee claims, complaints and disclosures information: subject matter of employment or contract based litigation and complaints, pre claim conciliation, communications, settlement discussions, claim proceeding records, employee involvement in incident reporting and disclosures;
  • Equality and diversity information (where authorised by law and provided voluntarily): information regarding gender, age, race, nationality, religious belief and sexuality (reported anonymously for equal opportunities monitoring purposes); and
  • Any other personal information that you choose to provide to us during the course of your employment, whether verbally or in written form.

 

Sensitive and special categories of personal information

 

Where permitted by EU law or the law of the jurisdiction in which your employer is located, we may collect and process a limited amount of the following personal information falling into special categories, sometimes called "sensitive personal information":

 

  • Health-related details, including any reasonable adjustments that we may be required by law to make to your working arrangements (note this is not permitted in Austria, Belgium, Germany, the Netherlands);
  • Information revealing racial, ethnic or communal origin (note this is not permitted in Belgium, France, Germany, Ireland, Luxembourg, the Netherlands, Poland);
  • Judicial information, including the results of criminal or police records checks which can include details of offences, alleged offences and sentences and information from other intelligence sources (subject to relevant local laws and record retention periods) (Processes will vary by country in accordance with varying local law requirements; this is not permitted in Germany unless the processing of such personal information is directly related to the role which will be carried out by the applicant, or the role of the employee);
  • Employee Representative Body Membership;
  • Marital status and next of kin;
  • Political opinions, religious beliefs or other similar beliefs and sexual orientation, should you choose to provide any such information to us (note this is not permitted in Belgium, France, Germany (except for church tax), the Netherlands, Poland); and
  • Biometric data, in the form of individual voice prints, which can be used by employees to automatically lock or unlock their accounts, with the consent of the employee.

 


How Does BNY Mellon Collect Information?

 

We collect your personal information from a variety of sources, but in most circumstances directly from you. You will usually provide this information directly to your managers or local HR contact, or enter it into our systems (for example, through Employee Self Service (eSS), your participation in HR processes, emails and instant messages which may be recorded electronically or manually). In addition, further information about you will come from your managers, HR or occasionally from your colleagues.

 

Where permitted by EU law or the law of the jurisdiction in which your employer is located, we may also obtain some information from third parties, e.g. references from a previous employer, medical reports from external professionals, information from tax authorities, benefit providers or where we employ a third party to carry out a background check or, occasionally, from clients.

 

In some circumstances, personal information may be collected indirectly from monitoring devices (including personal devices used to access the secure BNY Mellon network; collection of personal information from personal devices is limited only to BNY Mellon containers within the devices used to access the secure BNY Mellon network, technical information about the device and records of when it was last used to access BNY Mellon applications) or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings, instant message logs, email and Internet access logs, web and removable media (e.g. USB) upload logs and printer logs, including information sent from the secure BNY Mellon network to home printers) if and to the extent authorised by applicable laws. In these circumstances, the personal information may be collected by BNY Mellon or a third party provider of the relevant service. Access may occur, for instance, where permissible by law, in situations where BNY Mellon is reviewing occupancy and building access information, investigating possible violations of Company policies, or conducting random reviews of its systems to ensure appropriate activities are being carried out.

 

The personal information BNY Mellon collects will usually be required to enable us to fulfil a contract or provide a service, or to fulfil our regulatory or legal obligations. Where we ask you to provide personal information to us on a mandatory basis, we will inform you of this at the time of collection and, in the event that particular information is required by the contract or statute, this will be indicated. The failure to provide mandatory information will mean that we cannot carry out certain HR processes. For example, if you do not provide us with your bank details, we will not be able to pay you. In some cases it may mean that we are unable to continue with your employment or engagement, as BNY Mellon will not have the personal information we believe to be necessary for the effective and efficient administration and management of our relationship with you. If the provision of personal information is voluntary, you will be informed of this at the point of collection and there will be no consequences to you if personal information is not provided.

 

Apart from personal information relating to you, you may also provide BNY Mellon with personal information of third parties, notably your dependants and other family members, for purposes of HR administration and management, including the administration of benefits and someone to contact in an emergency. Before you provide such third party personal information to BNY Mellon you must first inform these third parties of any such information that you intend to provide to BNY Mellon and of the processing to be carried out by BNY Mellon, as detailed in this Notice.

 


What are the Purposes for Which Personal Information is Processed and What is Our Legal Basis for Carrying Out the Processing?

 

Your personal information is collected and processed for various purposes, in accordance with EU law, the law of the jurisdiction in which your employer is located and/or any applicable collective bargaining agreements. We have set out in this Notice the purposes for which we may use your personal information. Personal information may occasionally be used for purposes not obvious to you where the circumstances warrant such use, e.g. in investigations or disciplinary proceedings. We may, where we think it is necessary, provide you with additional information in relevant HR policies to ensure that you understand how your personal information may be used.

 

The legal basis on which we process your personal information

 

We will only collect, use and share your personal information where we are satisfied that one or more of the following lawful bases apply (subject to any local law derogations stated herein):

  • The processing is necessary for compliance with a legal obligation under EU law, EU member state law or applicable local law for non-EU jurisdictions, to which BNY Mellon is subject, for example, disclosing information to local tax authorities, making statutory payments, avoiding unlawful termination, avoiding unlawful discrimination, meeting statutory record keeping requirements or health and safety obligations;
  • The processing is necessary for the performance of a contract to which you are a party or in order to take steps, at your request, prior to entering into such a contract, for example collecting bank details to pay your salary or processing information to provide you with the contractual benefits to which you are entitled;
  • The processing is necessary for the legitimate interests pursued by BNY Mellon or (in limited circumstances) by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information; or
  • The processing is based on your consent. Consent will be used where there is voluntary processing for special category data where no other legal justification applies, where the processing is at an employee’s request or where the processing is required under EU law or the law of the jurisdiction in which your employer is located. Where consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested. You should be aware that it is not a condition or requirement of your employment to agree to any request for consent from BNY Mellon, and that there will be no negative impact if you do not agree.

Where we rely on our legitimate interests, we will do so on the basis that the activity:

  • is necessary for us to meet our business or commercial objectives and to provide services to our clients and cannot be achieved without reliance on our legitimate interests;
  • is proportionate and would not cause unjustified harm;
  • is aligned to, or would not conflict with, your reasonable expectations;
  • does not undermine your individual rights, interests or freedoms; and
  • on balance, does not outweigh your privacy rights.

BNY Mellon considers that it has a legitimate interest in processing personal information to support the achievement of its immediate and long-term business goals and outcomes for the purposes set out in the table below.

 

For permanent employees of BNYM entities in Germany (excluding persons engaged by such German entity by way of a service contract) (“German Employees”) we will only collect, use and share your personal information for employment-related purposes where we are satisfied that one or more of the following lawful bases apply:

  • The processing is necessary for (i) hiring decisions, and (ii) after hiring, for carrying out or terminating the employment contract, for example, disclosing information to local tax authorities, making statutory payments, avoiding unlawful termination, avoiding unlawful discrimination, meeting statutory record keeping requirements or health and safety obligations, collecting bank details to pay your salary or processing information to provide you with the contractual benefits to which you are entitled;
  • The processing is necessary to investigate crimes only if there is a documented reason to believe the data subject has committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the data subject’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason;
  • The processing is necessary to exercise or satisfy rights and obligations of employees’ representation laid down by law or by collective agreements or other agreements between the employer and works council; or

Consent

 

Where permitted by EU law or the law of the jurisdiction in which your employer is located, the processing of your personal information may, in specific circumstances, be based on your consent. Consent will be used where there is voluntary processing for special category data where no other legal justification applies, where the processing is at an employee’s request or where ‘consent’ is required under EU law, EU member state law or other applicable local law. Where consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your employment to agree to any request for consent from BNY Mellon, and that you have a right to revoke your consent at any time, by contacting your local HR representative.

 

Additional legal basis we rely on where we process special categories of personal information

 

We will only collect, use and share your special categories of personal information where one of the following additional lawful bases apply:

  • The processing is necessary for the purposes of carrying out the obligations and exercising the rights of you or BNY Mellon in the fields of employment law, social security and social protection law and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the personal information;
  • The processing is necessary for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment;
  • The processing is necessary to protect your vital interests or those of another person where you are physically or legally incapable of giving consent (for example in exceptional emergency situations, such as a medical emergency);
  • The processing is necessary for purposes permitted by EU law, EU member state law or any other law for specific purposes to which BNY Mellon is subject, such as preventing fraud, preventing terrorist financing, diversity monitoring;
  • The processing is necessary for the establishment, exercise or defence of legal claims; or
  • In exceptional circumstances the processing is carried out subject to your explicit consent (as explained above).

The purposes for which we use your personal information and the lawful bases which apply

 

We have identified a number of purposes for collecting and processing your personal information. These are set out below together with the lawful bases which apply for each case:

 

What we use your information for (if and to the extent permitted by EU law or the law of the jurisdiction in which your employer is located)

  • Evaluate applications for employment and make decisions in relation to on-boarding of employees
  • Appropriate pre-employment screening including, where relevant and appropriate, identity check, right to work verification, reference check, credit check, financial sanction check, criminal record checks (in Sweden such criminal record checks are not permitted)
  • Making job offers, providing contracts of employment or engagement and preparing to commence  your employment or engagement where you accept an offer from us
  • To contact you if you are not successful in your initial application should another potentially suitable vacancy arise
  • To deal with any query, challenge or request for feedback received in relation to our recruitment decisions
  • Monitoring programmes to ensure equality of opportunity and diversity

 

Lawful Basis

Subject to any local law derogations stated herein the following lawful bases shall apply:

  • Legal obligation
  • Legitimate interests
  • Consent (where required)

The following lawful bases shall apply to German Employees:

  • Processing is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract
  • Consent (where required)

The following lawful bases shall apply to employees of our Swedish entity (Swedish Employees):

  • Legal obligation
  • Legitimate interests
  • Consent (only in relation to candidates)

 

Our legitimate interests

  • Assessing the suitability of applicants to recruit the best person for each vacancy
  • Ensuring that candidates for employment or engagement do not pose an unacceptable risk to BNY Mellon or its clients
  • Maintaining an appropriate pool of talent who have shown an interest in working for BNY Mellon and who are potentially suitable candidates for employment
  • Providing feedback to candidates and defending a challenge or claim made in connection with our recruitment decision 

What we use your information for (if and to the extent permitted by EU law or the law of the jurisdiction in which your employer is located)

  • To manage and maintain HR records, files and systems, including technical support and maintenance for HR systems and managing electronic and hard copy records in line with BNY Mellon’s retention schedules
  • Providing and administering remuneration, benefits, pensions and incentive schemes
  • Reimbursement of business costs and expenses
  • Making appropriate tax and social security deductions and contributions
  • Allocating and managing duties and responsibilities and the business activities to which they relate, including business travel
  • To set and change building and system access permissions
  • Identifying and communicating effectively with employees
  • Including personal information in Group directories, skills databases and management information reporting
  • Where appropriate, publishing appropriate internal or external communications or publicity material, including via social media in appropriate circumstances
  • Managing and operating performance reviews, capability, attendance and talent programmes
  • Managing grievances, disciplinary and performance, allegations (e.g. whistleblowing, harassment), complaints, investigations and disciplinary processes, and making related management decisions 
  • Training, development, promotion, career and succession planning and business contingency planning
  • Consultations or negotiations with employees or representatives of employees
  • Where required by local law, processing details of membership of trade unions, works councils and other employee representative bodies  and, with employee consent, to administer any associated subscriptions paid direct from salaries
  • Conducting surveys for benchmarking and identifying improved ways of working and employee relations and engagement at work (these will often be anonymous and/or optional but may include profiling information such as age to support analysis of results)
  • Monitoring programmes to ensure equality of opportunity and diversity

 

Lawful Basis

Subject to any local law derogations stated herein the following lawful bases shall apply:

  • Legal obligation
  • Contractual obligation
  • Legitimate interests
  • Consent (where required)

The following lawful bases shall apply to German Employees:

  • Processing is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract
  • Consent (where required)
  • Processing is necessary to exercise or satisfy rights and obligations of employees’ representation laid down by law or by collective agreements or other agreements between the employer and works council

The following lawful bases shall apply  to employees of our Swedish Employees:

  • Legal obligation
  • Legitimate interests

 

Our legitimate interests

Managing BNY Mellon’s workforce and operating our business

  • Ensuring effective employee remuneration and management
  • Ensuring the effective allocation and organisation of work amongst employees
  • Ensuring clarity of employee duties and responsibilities
  • Facilitating access to appropriate locations and systems
  • Ensuring appropriate protection of BNY Mellon assets and third party assets we may hold
  • Facilitating effective communication and collaboration with, and between, employees and clients
  • Measuring and reporting on financial management and business performance
  • Setting objectives for employees
  • Setting appropriate standards of attendance, behaviour and performance, and taking appropriate action where standards are not met or
  • Supporting career development and succession planning
  • Supporting fair, consistent, objective performance related reward
  • Addressing employee related concerns and issues
  • Seeking the views of its workforce and those that represent them on proposals which will impact on employees such as the development of new policies or working practices
  • Seeking the views of its workforce and giving them the opportunity to raise concerns or suggest improvements
  • Taking action to prevent discrimination and promote an inclusive and diverse workplace Defending a challenge or claim made in connection with employment 

What we use your information for (if and to the extent permitted by EU law or the law of the jurisdiction in which your employer is located)

 

To the extent authorised by applicable laws:

  • Processing information about absence
  • Processing medical information regarding physical or mental health or condition to:
    • assess eligibility for incapacity or permanent disability related remuneration or benefits;
    • determine fitness for work;
    • facilitate a return to work;
    • make adjustments or accommodations to duties or the workplace; 
    • make management decisions regarding employment or engagement or continued employment or engagement or redeployment; and
    • conduct related management processesses

 

Lawful Basis

Subject to any local law derogations stated herein the following lawful bases shall apply:

  • Legal obligation
  • Contractual obligation
  • Legitimate interests
  • Processing is necessary assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment
  • Consent (where required)

The following lawful bases shall only apply to German Employees:

  • Processing is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract
  • Consent (where required)

The following lawful bases shall apply to employees of our Swedish Employees:

  • Legal obligation
  • Contractual obligation
  • Legitimate interests
  • Processing is necessary assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment

 

Our legitimate interests

  • Managing health and safety risk
  • Supporting the welfare of employees, including referral to occupational health advisers
  • Taking steps to identify and mitigate risks to employees’ health, safety or welfare
  • Ensuring fitness for work
  • Managing absence and incapacity impacting on the ability of employees to perform their roles 

What we use your information for (if and to the extent permitted by EU law or the law of the jurisdiction in which your employer is located)

  • Measuring the performance analytics of BNY Mellon IT systems, monitor usage of BNY Mellon resources and systems, analyse times, locations and activities whilst logged into the network and improve the usability of BNY Mellon technology and tools in accordance with applicable local laws (and subject to local works council approval where necessary)
  • Ensuring the security of BNY Mellon IT systems and information assets 
  • Auditing, monitoring, investigation and compliance monitoring activities in relation to BNY Mellon policy, the BNY Mellon’s Code of Conduct, applicable law, the prevention and detection of criminal activity and to protect BNY Mellon’s assets and premises
  • Accessing, monitoring, recording, and using information contained in emails, instant messages, telephone calls and other electronic communications, as well as internet access and use via BNY Mellon systems in accordance with local laws
  • Preventing and investigating crime against employees, clients, BNY Mellon property and premises (which includes CCTV monitoring)
  • Undertaking ongoing criminal record checks where legally required, e.g. as part of financial services certification regimes
  • Transaction monitoring to prevent and detect financial market abuse, in accordance with local laws

 

Lawful Basis

Subject to any local law derogations stated herein the following lawful bases shall apply:

  • Legal obligation
  • Legitimate interests

The following lawful bases shall apply to German Employees:

  • Processing is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract
  • Processing is necessary to investigate crimes only if there is a documented reason to believe the data subject has committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the data subject’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason

 

Our legitimate interests

  • Putting in place appropriate policies and procedures for employees, measuring compliance, detecting breaches and taking action to address non-compliance
  • Carrying out risk assessments, detecting and preventing crimes or criminal activity or other unlawful or unethical activity
  • Ensuring compliance with other legal or regulatory requirements placed upon us or related official guidance
  • Providing ways for employees and others to report conduct or compliance issues
  • Considering and investigating matters drawn to BNY Mellon’s attention
  • Protecting BNY Mellon’s IT network, systems and business devices to maintain the integrity and security of data and business information and facilitating records management
  • Locating information through searches where required for a legitimate business purpose
  • Ensuring the safety and security of employees, clients and the public

What we use your information for (if and to the extent permitted by EU law or the law of the jurisdiction in which your employer is located)

  • Planning, managing and carrying out restructuring or redundancies or other change programmes including appropriate consultation, selection, alternative employment searches and related management decisions
  • Planning, due diligence and implementation in relation to a commercial transaction or service transfer involving BNY Mellon that impacts on your relationship with BNY Mellon, e.g. mergers and acquisitions or a transfer of your employment under applicable automatic transfer rules
  • For tenders for work or client team records or to operate the relationship with clients or support client delivery or vetting requirements including the use of contact or professional CV details or photographic images 
  • To operate the relationship with other third parties such as suppliers including disclosure of information to data processors for the provision of services to BNY Mellon

 

Lawful Basis

Subject to any local law derogations stated herein the following lawful bases shall apply:

  • Legal obligation
  • Legitimate interests

The following lawful bases shall apply to German Employees:

  • Processing is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract
  • Processing is necessary to exercise or satisfy rights and obligations of employees’ representation laid down by law or by collective agreements or other agreements between the employer and works council

Our legitimate interests

  • Managing BNY Mellon’s business operations in the most effective and efficient way
  • Making decisions relating to the future of the business
  • Ensuring appropriate employee engagement in transformation or change proposals
  • Ensuring fair and effective implementation of BNY Mellon decisions impacting employees
  • In the event of an outsourcing, acquisition or business transfer transaction, ensuring that the workforce, employee costs and liabilities are sufficiently understood prior to committing to the transaction and ensuring a smooth transition of employees if a transaction goes ahead
  • Ensuring effective business development and building/maintaining successful client relationships
  • Ensuring effective communication with, and engagement of, suppliers 

What we use your information for (if and to the extent permitted by EU law or the law of the jurisdiction in which your employer is located)

  • To comply with lawful requests by public authorities, discovery requests, or where otherwise required or authorised by applicable laws, court orders, government regulations, or regulatory authorities (including without limitation data protection, tax and employment), whether within or outside your country

 

Lawful Basis

Subject to any local law derogations stated herein the following lawful bases shall apply:

  • Legal obligation
  • Legitimate interests

 

Our legitimate interests

  • Co-operating with relevant public authorities, government bodies or regulators for the provision of information, subject to the appropriate internal controls and approvals and after considering the impacted individuals’ privacy rights.  BNY Mellon wishes to maintain its reputation as a good corporate citizen and to act ethically and appropriately in all the countries in which it does business 

What we use your information for (if and to the extent permitted by EU law or the law of the jurisdiction in which your employer is located)

  • Complying with reference requests where BNY Mellon is named by the individual as a referee
  • Administering termination and post-termination matters, e.g. outplacement services, liaison with employee legal representatives, enforcing restrictive covenants, loan repayments, overpayments, expense reimbursements, employee benefits
  • Conduct termination and post-termination litigation

 

Lawful Basis

Subject to any local law derogations stated herein the following lawful bases shall apply:

  • Legal obligation
  • Legitimate interests

The following lawful bases shall apply to German Employees:

  • Processing is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract

 

Our legitimate interests

  • Legitimate interests of a new employer to receive confirmation of basic employment details from BNY Mellon for the purposes of confirming a former employee's employment history including dates of employment and role
  • Ensuring an effective exit process for employees Lodging or defending a challenge or claim made in connection with employment termination

Additional information on the use of artificial intelligence and machine learning

 

BNY Mellon uses both manual and automated methods of processing. In particular, we may use automated methods of processing such as Artificial Intelligence (“AI”) and Machine Learning (“ML”), which are a set of technologies programmed to perform tasks and actions that are commonly associated with human beings. We may use AI and/or ML to optimize and increase the efficiency of business processes (e.g. to support customer service desks that receive inbound inquiries) and/or to support and enhance existing security controls.

 

Automated methods of processing are subject to regularly tested controls designed to ensure accuracy and fairness of the output. By using AI and/or ML, we do not intend to make automated decisions about you and therefore its application would not produce legal or similarly significant effects concerning you, unless stated otherwise in a specific privacy notice provided to you directly.

 


Retention of Personal Information

 

BNY Mellon endeavours to keep personal information as current as possible and to delete or anonymise irrelevant or excessive personal information as soon as reasonably practicable.

 

BNY Mellon will retain your personal information:

  • for as long as required for the purposes for which it was collected, as explained in this notice where we are required to do so in accordance with legal, regulatory, tax, accounting, or necessary technical requirements
  • for longer periods of time in specific circumstances so that we have an accurate record in the event of any complaints or challenges, or if we reasonably believe that it may be required in defense of a legal claim

In these circumstances the retention of personal information relating to both current and former employees and contractors will endure in accordance with the I-D-202: Data and Records Management Standard and Corporate European Records and Retention Schedules (where applicable) that provide a framework for managing BNY Mellon records. For more information on the retention of your personal information, you can contact us.

 


Security of Personal Information

 

BNY Mellon takes the protection of your personal information very seriously. BNY Mellon has appropriate organisational and technical measures in place, as required by EU law or the law of the jurisdiction in which your employer is located, to ensure the security of the personal information it collects. Further details in relation to the control, processing, storage, transmission and communication of information, including personal information, can be found on the Compliance and Information Risk Management intranet sites.

 


Disclosure and International Transfer of Personal Information

 

For the above purposes and subject to EU law or the law of the jurisdiction in which your employer is located, personal information may be transferred within or outside of the jurisdiction where you are employed or perform work, either within BNY Mellon or to third parties, including, but not limited to:

  • Any holding company, subsidiary, affiliate or any other associated entity of BNY Mellon, where such disclosure is necessary to provide employment related services or to manage our business;
  • Certain third party including suppliers and service providers including; labour law consultants; government departments; travel agencies; actuaries; fund managers; banks; insurers; insurance brokers; credit reference agencies (note this does not apply to Belgium, Germany, the Netherlands, Poland, Switzerland(in certain circumstances)); credit institutions; pension providers; trustees; auditors; legal and tax advisers; investigators; medical practitioners; IT personnel; business consultants or professional advisors; courts and tribunals; law enforcement agencies; relevant regulatory authorities; prospective employers; employment and recruitment agencies; educators and examining bodies; mentors; counsellors; your immediate family, associates or authorised representatives and outplacement service providers.

BNY Mellon may disclose personal information when required by law or court order, or as requested by any government or regulator or law enforcement authority or agency, or if it determines in good faith that disclosure is otherwise necessary or advisable, including and without limitation to protect BNY Mellon's rights or property or in circumstances which BNY Mellon or its advisers consider it to be appropriate or related to any of the purposes for which the personal information is collected.

 

Where permitted by EU law or the law of the jurisdiction in which your employer is located, BNY Mellon may also disclose personal information to a third party where it is necessary to do so in order to protect or pursue BNY Mellon’s legitimate interests (ensuring this is proportionate and limited to that information which is strictly necessary in the circumstances). This may include, but not be limited to, disclosure to a party with whom BNY Mellon is in negotiation for the sale or transfer of a business, assets or services. BNY Mellon will take appropriate steps to ensure that the recipient of personal information in such circumstances puts in place an adequate level of protection for such personal information in accordance with applicable legal requirements.

 

BNY Mellon operates on a global basis. Accordingly, your personal information may be transferred and stored in countries outside the EU, European Economic Area (EEA) and Switzerland, including the United States, that are subject to different standards of data protection. Where BNY Mellon transfers personal information internally within BNY Mellon or to any third party between different jurisdictions, for the purposes outlined in this document, it will take appropriate steps to ensure that transfers are in accordance with applicable law and carefully managed to protect your privacy rights and interests, and that transfers are limited to countries which are recognized as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights. To this end:

  • Transfers within BNY Mellon will be covered by an agreement entered into by members of BNY Mellon (an intra-group agreement based on data transfer clauses approved by the relevant regulatory body, such as the EU Commission approved Standard Contractual Clauses for data transfers) which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection wherever it is transferred within BNY Mellon;
  • Where we transfer your personal information outside BNY Mellon, or to third parties who help provide our products and services, we obtain contractual commitments from them to protect your personal information with equivalent standards; or
  • Where we receive requests for information from law enforcement or regulators, including those from countries outside the EU, European Economic Area (EEA) and Switzerland, including the United States, we carefully validate these requests before personal information is disclosed.

You have a right to contact our Data Protection Officer (details provided at the end of this document) for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal information when this is transferred as mentioned above. 

 


Your Rights as a Data Subject

 

Please note that in certain circumstances, as provided by EU law or the law of the jurisdiction in which your employing legal entity is located, your rights may be subject to some extensions or limitations.

 

Right to access, correct and delete your personal information

  • BNY Mellon aims to ensure that all personal information is correct, subject to changes to personal information and personal circumstances (for example, change of address and bank accounts) being notified promptly.
  • You have the right to request access to/ a copy of any of your personal information that BNY Mellon may hold, and to request correction of any inaccurate information relating to you. You furthermore have the right to request deletion of any irrelevant information we hold about you. 
  • You can see and update some of this information yourself via Employee Self Service. However, to correct/update other information, you will need to contact local Human Resources.

In addition:

  • Employees of our French entities shall have the right to give general or specific instructions on how their personal information should be processed and used after death. 

Data portability

 

Subject to EU law or the law of the jurisdiction in which your employer is located, where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to BNY Mellon in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.

 

Right to restriction of processing:

  • You have the right to restrict our processing of your personal information where:
    • You contest the accuracy of the personal information until we have taken sufficient steps to correct or verify its accuracy;
    • The processing is unlawful but you do not want us to erase the personal information;
    • We no longer need the personal information for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
    • You have objected to processing justified on legitimate interest grounds (see below) pending verification as to whether BNY Mellon has compelling legitimate grounds to continue processing.
  • Where personal information is subject to the above restrictions we will only process it with your consent or for the establishment, exercise or defence of legal claims.

Right to withdraw consent

 

Where we have relied on your consent to process particular information and you have provided us with your consent to process the information, you have the right to withdraw such consent at any time. You can do this by (i) in some cases deleting the relevant information from the relevant HR system (although note that in this case it may remain in back‑ups and linked systems until it is deleted in accordance with our I-D-202: Data and Records Management Standard and Corporate European Records and Retention Schedules (where applicable)) or (ii) contacting your local Human Resources contact. It will only however be rarely that we rely on your consent to process personal information for your employment or engagement. 

 

Right to object to processing justified on legitimate interest grounds

 

Where we are relying upon legitimate interest to process personal information, then you have the right to object to that processing.  If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the personal information for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.

 

Right to complain

 

You have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of your personal information infringes applicable law.

 

If you have any questions, concerns or complaints regarding our compliance with this notice and applicable data protection laws, or if you wish to exercise your rights, we encourage you to first contact your local HR representative or our Data Protection Officer. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and in any event, within the timescales provided by data protection laws. 

 

The Data Protection Officer can be contacted in the following ways:

 

By email: global_privacy_compliance@bnymellon.com

 

By post:
The Data Protection Officer
BNY Mellon (Poland) Sp. z o. o
Swobodna 3
50-088 Wroclaw, Poland

 

By post (UK):
The Data Protection Officer
BNY Mellon London Branch 
One Piccadilly Gardens
Manchester, M1 1RN

 

Where relevant, BNYM establishments outside of the European Economic Area have appointed BNY Mellon (Poland) Sp. z o. o.  as its EU GDPR Representative ("EU Representative”) and BNYM establishments outside of the UK have appointed BNY Mellon, London Branch as their UK GDPR Representative (UK Representative). The EU and UK Representatives can be contacted using the DPO contact information above.

 

Additional fair processing notices

 

We may undertake certain processing of personal information which is subject to additional Fair Processing Notices and we shall bring these to your attention.