Retention of personal information
BNY Mellon endeavours to keep personal information as current as possible and to delete or anonymise irrelevant or excessive personal information as soon as reasonably practicable. The retention of personal information relating to both current and former employees and contractors will endure in accordance with the Global Records Management Policy I-D-200 and Corporate European Records Retention Schedules (where applicable) that provide a framework for managing BNY Mellon records.
Security of personal information
BNY Mellon takes the protection of your personal information very seriously. BNY Mellon has appropriate organisational and technical measures in place, as required by EU law or the law of the jurisdiction in which your employer is located, to ensure the security of the personal information it collects. Further details in relation to the control, processing, storage, transmission and communication of information, including personal information, can be found on the Compliance and Information Risk Management intranet sites.
Disclosure and international transfer of personal information
For the above purposes and subject to EU law or the law of the jurisdiction in which your employer is located, personal information may be transferred within or outside of the jurisdiction where you are employed or perform work, either within BNY Mellon or to third parties, including, but not limited to:
- any holding company, subsidiary, affiliate or any other associated entity of BNY Mellon, where such disclosure is necessary to provide employment related services or to manage our business;
- certain third party including suppliers and service providers including; labour law consultants; government departments; travel agencies; actuaries; fund managers; banks; insurers; insurance brokers; credit reference agencies (note this does not apply to Belgium, Germany, the Netherlands, Poland, Switzerland(in certain circumstances)); credit institutions; pension providers; trustees; auditors; legal and tax advisers; investigators; medical practitioners; IT personnel; business consultants or professional advisors; courts and tribunals; law enforcement agencies; relevant regulatory authorities; prospective employers; employment and recruitment agencies; educators and examining bodies; mentors; counsellors; your immediate family, associates or authorised representatives and outplacement service providers.
BNY Mellon may disclose personal information when required by law or court order, or as requested by any government or regulator or law enforcement authority or agency, or if it determines in good faith that disclosure is otherwise necessary or advisable, including and without limitation to protect BNY Mellon's rights or property or in circumstances which BNY Mellon or its advisers consider it to be appropriate or related to any of the purposes for which the personal information is collected.
Where permitted by EU law or the law of the jurisdiction in which your employer is located, BNY Mellon may also disclose personal information to a third party where it is necessary to do so in order to protect or pursue BNY Mellon’s legitimate interests (ensuring this is proportionate and limited to that information which is strictly necessary in the circumstances). This may include, but not be limited to, disclosure to a party with whom BNY Mellon is in negotiation for the sale or transfer of a business, assets or services. BNY Mellon will take appropriate steps to ensure that the recipient of personal information in such circumstances puts in place an adequate level of protection for such personal information in accordance with applicable legal requirements.
BNY Mellon operates on a global basis. Accordingly, your personal information may be transferred and stored in countries outside the EU ,European Economic Area (EEA) and Switzerland, including the United States, that are subject to different standards of data protection. Where BNY Mellon transfers personal information internally within BNY Mellon or to any third party between different jurisdictions, for the purposes outlined in this document, it will take appropriate steps to ensure that transfers are in accordance with applicable law and carefully managed to protect your privacy rights and interests, and that transfers are limited to countries which are recognized as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights. To this end:
- transfers within BNY Mellon will be covered by an agreement entered into by members of BNY Mellon (an intra-group agreement based on the EU Commission approved Standard Contractual Clauses for data transfers) which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection wherever it is transferred within BNY Mellon;
- where we transfer your personal information outside BNY Mellon, or to third parties who help provide our products and services, we obtain contractual commitments from them to protect your personal information with equivalent standards. Some of these assurances are well recognized certification schemes like the EU-US and the Swiss-US Privacy Shield for the protection of personal information transferred from within the EU or Switzerland to the United States; or
- where we receive requests for information from law enforcement or regulators, we carefully validate these requests before personal information is disclosed.
You have a right to contact our Data Protection Officer (details provided at the end of this document) for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal information when this is transferred as mentioned above.
Your rights as a data subject
Right to access, correct and delete your personal information
- BNY Mellon aims to ensure that all personal information is correct, subject to changes to personal information and personal circumstances (for example, change of address and bank accounts) being notified promptly.
- You have the right to request access to/ a copy of any of your personal information that BNY Mellon may hold, and to request correction of any inaccurate information relating to you. You furthermore have the right to request deletion of any irrelevant information we hold about you.
- You can see and update some of this information yourself via Employee Self Service. However, to correct/update other information, you will need to contact local Human Resources. For all other requests you can contact us directly.
- Employees of our French entities shall have the right to give general or specific instructions on how their personal information should be processed and used after death.
Subject to EU law or the law of the jurisdiction in which your employer is located, where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to BNY Mellon in a structured, commonly used and machine readable format, and also to require us to transmit it to another controller where this is technically feasible.
Right to restriction of processing:
You have the right to restrict our processing of your personal information where:
- you contest the accuracy of the personal information until we have taken sufficient steps to correct or verify its accuracy;
- the processing is unlawful but you do not want us to erase the personal information;
- we no longer need the personal information for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
- you have objected to processing justified on legitimate interest grounds (see below) pending verification as to whether BNY Mellon has compelling legitimate grounds to continue processing.
Where personal information is subject to the above restrictions we will only process it with your consent or for the establishment, exercise or defence of legal claims.
Right to withdraw consent
Where we have relied on your consent to process particular information and you have provided us with your consent to process the information, you have the right to withdraw such consent at any time. You can do this by (i) in some cases deleting the relevant information from the relevant HR system (although note that in this case it may remain in back ups and linked systems until it is deleted in accordance with our Global Records Management Policy I-D-200 and Corporate European Records Retention Schedules (where applicable)) or (ii) contacting your local Human Resources contact. It will only however be rarely that we rely on your consent to process personal information for your employment or engagement.
Right to object to processing justified on legitimate interest grounds
Where we are relying upon legitimate interest to process personal information, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the personal information for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
Right to complain
You have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of your personal information infringes applicable law.
If you have any questions, concerns or complaints regarding our compliance with this notice and applicable data protection laws, or if you wish to exercise your rights, we encourage you to first contact your local HR representative or our Data Protection Officer. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and in any event, within the timescales provided by data protection laws.
The Data Protection Officer can be contacted in the following ways:
By email: firstname.lastname@example.org
The Data Protection Officer
160 Queen Victoria Street
London EC4V 4LA
Additional fair processing notices
We may undertake certain processing of personal information which is subject to additional Fair Processing Notices and we shall bring these to your attention.