Privacy Notice – Staff-related personal data (Czech Republic)

Rules for the processing and protection of personal date of employees of employer MUFG Bank (Europe) N.V. Prague Branch, published as at 25 May, 2018.

I. Purpose and Scope of the Rules

1. These Rules for Processing and Protection of Personal Data of Employees (hereinafter referred to as the “Rules") regulate the processing and protection of the personal data of Employees of the employer who is MUFG Bank (Europe) N.V. Prague Branch, with registered office in Prague 5, Klicperova 3208/12, postcode: 15000, ID No.: 27427901, registered in the Commercial Register maintained at the Municipal Court in Prague under File Number A53641, through which MUFG Bank (Europe) N.V. operates in the Czech Republic, with registered office in Strawinskylaan 1887, 1077 XX Amsterdam, Netherlands, registered in the Commercial Register of the Chamber of Commerce and Industry in Amsterdam, under registration number 33132501 (hereinafter referred to as the “Employer") .

2. The basic purpose of these Rules is to ensure that when processing personal data the Employer respects the principles prescribed by applicable legislation. A further purpose of the Rules is to provide Employees with information about:
a) under what legal titles and for what purposes the Employer processes the Employees' personal data,
b) what Employees' personal data (category of personal data) the Employer processes and from what sources the Employer obtains them,
c) in what manner and means the Employer processes and protects Employees' personal data,
d) to whom can the Employer access or hand over the Employees' personal data,
e) for how long the Employer processes and stores the Employees' personal data,
f) what are the rights of the Employees as data subjects.

3. These Rules apply to the processing of the Employer's Employees' personal data which means natural persons in an employment relationship with the Employer based on an Employment Contract.

In what specific scope and purposes are the personal data of the Specific Employee processed depends above all on what specific conditions of the employment relationship are agreed with the Employee or required by the Employee based on the Employment Contract. With regard to this the Employer points out that not always all parts of these Rules must necessarily affect every Employee.

4. For simpler reference in the text the following terms have the meaning:
a) “ personal data", “data controller", “data subject", “personal data processing" meaning laid down by the applicable Legislation;
b) the term “ Employment Contract" any employment contract, agreement to perform work and agreement for work concluded between the Employer and Employee;
c) the term “ Legislation":
- Regulation /EU) 2916/679 of the European Parliament and of the Council of 27 April 2016, General Data Protection Regulation (hereinafter referred to as the “Regulation");
- Act on the Protection of Personal Data (close specification shall be supplemented after its publication in the Collection of Laws);
d) the term “ MUFG Group" includes MUFG Bank (Europe) N.V. Prague Branch and its founder MUFG Bank (Europe) N.V., with registered office in Strawinskylaan 1887, 1077 XX Amsterdam, Netherlands (including other branches in Austria, Poland, Spain, Germany and Belgium) and other members of the MUFG Group, particularly MUFG Bank, Ltd., London Branch with registered office in Ropemaker Place, 25 Ropemaker Street, London EC2Y 9AN, United Kingdom and MUFG Securities EMEA plc, with registered office in Ropemaker Place, 25 Ropemaker Street, London EC2Y 9AJ United Kingdom; details of the MUFG Group can be found at www.mufg.jp/english/profile/globalnetwork/.

5. The Employer point out that these Rules shall be updated, i.e. amended and supplemented in accordance with the relevant “Legislation", interpretations of the Office for Personal Data Protection in the Czech Republic or other relevant interpretations of other supervisory authorities and common principles for the protection and processing of the personal data of employees in the MUFG Group, provided that they shall be relevant for the processing of the personal data of Employees in the Czech Republic. The Employer shall promptly acquaint the Employees with such updated version of the Rules.

II. Legal Basis and Purposes of the Processing of Employees' Personal Data

1. The Employer processes the Employees' personal data on this legal basis:

1.1. processing of the personal data of the Employee is necessary for the fulfilment of the Employment Contract concluded between the Employer and Employees in the meaning of Article 6 (1) b) of the Regulation,

1.2. processing of the personal data of the Employee is necessary for the fulfilment of the Employer's legal obligations in the meaning of Article 6 (1) c) of the Regulation in connection with the following legislation:
- Act No. 262/2006 Coll., Labour Code, as amended,
- Act No. 435/2004 Coll., on Employment, as amended,
- Act No. 582/1991 Coll., on the Organisation and Implementation of Social Security, as amended,
- Act No. 48/1997 Coll., on Public Health Insurance, as amended,
- Act No. 586/1992 Coll., on Income Taxes, as amended,
- Act No. 89/1995 Coll., on the State Statistical Service, as amended,
- Act No. 563/1991 Coll., on Accounting, as amended,
- Act No. 187/2006 Coll., on Sickness Insurance, as amended.

Specific purposes:

The Employer processes Employees' personal data:
• To keep a personal file in the meaning of Section 312 of the Labour,
• For the correct calculation of monthly tax advances under the Act on Administration of Taxes and Fees (type of pension),
• Declaration of the income taxpayer (under the Act on Administration of Taxes and Fees):
• For the correct wage calculation (data on education and previous experience),
• For payment of health insurance according to Section 10 of the Act on Public Health Insurance (data on the health insurance company)
• for pension insurance record sheets sent to the Regional Social Security Administration (RSSA) under Section 37 of the Act on Organisation and Implementation of Social Security (date and place of birth, all former surnames, birth number, place of permanent residence; if the citizen contributed to pension insurance abroad and the Employer is the Employee's first employer after ending pension insurance abroad, also data on the name and address of foreign holder of insurance and foreign insurance number),
• for the purpose of reporting the employment of foreigners (nationality),
• if the Employee claims tax allowance and the spouse is employed: surname and name of the spouse, name and address of the employer,
• if the Employee claims child benefit: name, surname and birth number of the child;
• to ascertain the precise date of the claim for old-age retirement according to the Act on the Organisation and Implementation of Social Security (number of children if a women),
• for fulfilling further legal registration and reporting obligations to the relevant authorities and insurance companies;
• for the fulfilment of tax, safety, hygiene regulations and employment regulations;
• for the fulfilment of the mandatory proportion of disabled persons employed per the total number of employees (under Section 83 of the Act on Employment): disability

1.3. processing is necessary for the purposes of the legitimate interests of the Employer in the meaning of Article 6 (1) f) of the Regulation for MUFG Bank (Europe) N.V. Prague Branch, as well its founder, i.e. MUFG Bank (Europe) N.V. (including other branches) or other members of the MUFG Group, particularly MUFG Bank, Ltd., London Branch and MUFG Securities EMEA plc.

2. The Employer points out that in case of processing on a legal basis according to par. 1.3 of this Article the Regulation does allow processing to be carried out without the Employee's consent as the data subject, however the scope of reasons allowing this is limited and therefore the Employer and other members of the MUFG Group always carefully assesses the existence of the legitimate interest; more details are provided below in Article V of these Rules

III. Category of Employees' Personal Data and their Sources

1. Category of personal data:
a) data on the Employee's identity (name and surname, academic or other title, address, date and place of birth, nationality), i.e. data obtained from ID cards,
b) data on family (e.g. marital status, information about children),
c) information about qualifications and previous experience,
d) contact data,
e) sensitive data on medical condition,
f) data on the assessment of integrity/no criminal record (extract from the Criminal Register),
g) data on the job position,
h) data stated above in Article II for specific purposes,
ch) data on wage and employee benefits, level of health and social security payment and bank account data;
i) data on the fulfilment of work duties and performance and talent (personal development plans, records on completion of training, regulation certificates),
j) data on working hours, overtime, taking leave, absence from work.
k) data obtained from the Employee's conduct in the meaning stated below in paragraph 2.2.

2. Sources of personal data:

2.1. The Employer usually obtains personal data directly from the Employees, or future employees. At the start of employment the Employer concludes an Employment Contract with the future employee which under the Labour Code contains the Employee's identification data (name, surname, academic or other title, date of birth and residential address) and signature.
With regard to the line of the Employer's business which is banking, each Employee submits to the Employer before signing the Employment Contract:
- an extract from the Criminal Register,
- a doctor's confirmation documenting medical fitness for work at the Employer,
- a completed personal questionnaire a template of which constitutes an annex to these Rules.

The submitted documents are part of the Employee's personal file in the meaning of Section 312 of the Labour Code.

2.2. The Employer also obtains personal data:
- from publicly available sources, from other members of the MUFG Group or third parties, if this is in compliance with the Legislation;
- from own information and technological systems, which record the content of mutual email, telephone or other electronic communication and use of websites on systems and devices used for the purposes of work.

3. Sensitive personal data:

In accordance with the Labour Code, the Employer has the right to obtain and process so-called sensitive data of the Employee, i.e. general information about his medical condition if this is necessary for work safety reasons and for observing labour legislation or fulfilment of insurance terms and conditions and for submitting documents in connection with:
a) absence from work (i.e. sick note containing information about the Employee's medical condition) for the purposes of payment of the relevant compensation,
b) maternity leave,
c) parental leave.

4. Each Employee shall be obliged to report to the Employer all changes to personal data stated in the personal questionnaire, or in further submitted documents, which arise during employment.
5. Given that the Employer processes personal data on a legal basis described in Article II of these Rules, the Employer does not need the Employee's consent to the processing. If the Employer were to intend to process Employees' personal data in future beyond the defined framework, then it would only be possible with the Employee's consent. In these cases the Employer would ask the Employee for such consents in time and provide the Employee with all the relevant information. The consent would be given totally voluntarily.

IV. Manner of Processing and Protection of Personal Data and Obligations of the Employees

1. Personal data are processed automatically and manually and these data are constantly under physical and electronic control and the Employer protects them by the relevant security mechanisms against unauthorised access or transfer, against their loss or destruction, as well as against other possible abuse, against unauthorised or illegal processing and accidental damage or loss.

2. The Employer's Employees who process the personal data of other Employees are obliged to follow these Rules when processing the personal data.

3. In case of breach of the security of personal data, the Employer shall:

a) inform the Employee of cases of breach of the security of his/her personal data, however the Employer shall not proceed in this manner if in a specific case, as a consequence of selected technical and organisational measures (e.g. encryption), breach of the affected personal data shall be incomprehensible for anybody who is not authorised to have access to them;

b) be obliged to report to the Office for Personal Data Protection cases of breach of the security of Employees' personal data (if it is likely that the breach would result in risk for the rights and freedoms of natural persons), without undue delay, if possible within 72 hours.

4. Employees are obliged to immediately notify the Employer and their direct superior and/or branch head (Managing Director), if they suspect a breach of personal data security.

5. During any inspection by the Office for Personal Data Protection all Employees shall cooperate with this authority if so requested.

V. Access and Handover of Personal Data

1. Only the following persons have access to Employees' personal files that process the personal data in them:
- branch head (hereinafter referred to as the “Managing Director"),
- Employee's direct superior,
- external persons whose job it is to process payroll and personal agenda for the Employer based on the relevant contract.

The Employer shall ensure that no unauthorised persons shall have access to these files and personal data and prevent their possible abuse. The Employee has the right to have access to his/her personal file and make a copy of all the documents that the file contains at the Employer's costs.

2. The Employer is authorised to access the Employee's personal data without the Employee's consent to:
- the relevant authorities and institutions in accordance with the abovementioned generally binding legislation such as to the financial authority; social security administration; health insurance companies; work safety inspectorate,
- further persons if it is necessary for the protection of the Employer's rights in the scope necessary for the successful enforcement of a claim (e.g. insurance companies when making an insurance claim, courts, executors, etc.);
- the Bank's specialised external subjects (such as. proxies, legal, tax or other consultants and third parties authorised by the Employer to fulfil contractual or legal obligations).

3. The Employer and members of the MUFG Group have a legitimate interest in connection with human resources management to hand over personal data of Employees from the Czech Republic abroad to its founder, i.e. MUFG Bank (Europe) N.V., with registered office in Strawinskylaan 1887, 1077 XX Amsterdam, Netherlands and further persons as part of the MUFG Group, particularly MUFG Bank, Ltd., London Branch and MUFG Securities EMEA plc. 6. The Employer points out that within the MUFG Group the personal data of all employees are processed in accordance with the principles for the protection and processing of personal data published as a “PRIVACY NOTICE – STAFF-RELATED PERSONAL DATA", which are available on the bank's intranet.

Given that this is the processing of personal data which is necessary for the purposes of legitimate interests, the Employer points out that the Regulation allows processing without the Employee's consent, however the Employee does have the right to raise an objection to such processing in the meaning of Article VIII (1.3) of these Rules.

4. In other cases the Employee's consent is required for handing over the Employee's personal data abroad. In case personal data are handed over abroad to third countries outside the European Union (or EEC) that have no adequate level of protection of personal data (including Japan and USA), the relevant protective measures are introduced such as a data transfer contract based on standard contractual provisions of the European Commission in accordance with paragraph 2 of Article 46 of the Regulation.

VI. Camera Surveillance

1. In view of the nature of its business activity – banking - the Employer has a binding reason to install and operate a camera system to provide security of its business premises. Footage is produced from the camera surveillance including movements of the Employees and so the footage contains Employees' personal data which, however, are not primarily used to monitor Employees.

2. This footage is archived by the Employer on a recording device. The Managing Director and Compliance Officer have access to it.

VII. Period of Storage and Processing of Personal Data

1. The Employer is authorised to process personal data for the period of the duration of the employment relationship. Once the employment relationship is terminated the Employer is authorised to continue processing some of the personal data applying to the former employees in cases when such processing has a legal basis in relevant generally binding legislation (for example for the purposes of pension insurance, health insurance, tax administration, archiving, in case of a legal dispute), for the necessary period as laid down by the relevant legislation. Details and specific examples are stated in par. 2 of this article.

2. In case of the Employees' personal data a review is performed after the termination of the employment relationship of the personal file and some documents are destroyed, i.e. immediately after the termination of the employment relationship those documents are destroyed that are not archived under the law and the Employer would not need for any possible labour dispute with a former employee (e.g. copy of personal documents, professional CV, various certificates). The Employer destroys other personal data only after the expiry of the legal archiving period. The archive period is laid down by the law for which the Employer is required to archive certain documents for a fixed period (e.g. record and wage sheets or accounting documents). Archiving period for employment documents are regulated or ensue from different legislation and the following are specific examples:

according to the Act on Accounting a period of 5 years is laid down for storing accounting records commencing at the end of the accounting period to which they apply;
• sickness insurance documents – 10 years, after the year to which they apply. Among these records are the Employee's identification data, of the above agreed assessable income, the level of assessable income for an individual wage period, period of temporary sick, maternity or parental leave, unexcused working days, record of pension, level of the assessment base for premium or name of the health insurance company,
• tax documents – tax declaration, application for annual accounting, billing – 10 calendar years following the year to which they apply,
• documents applying to wage deductions – for a period of 30 years following the year to which they apply,
• records of social security premiums and state employment policy contribution – for a period of 6 calendar years following the month to which the record applies; however always for a period of 3 calendar years following the month in which the due premium was paid for that month,
• counterparts of pensions insurance record sheets – for a period of 3 calendar years after the year to which they apply,
• records of data required for the purposes of pensions insurance (specifically identification data, start and end of the employment relationship, assessment base for the policy holder, period of temporary sickness leave, period of work leave without a compensatory income, record of an old-age pension and period of military service) – 10 years after the year to which they apply,
• wage sheets or accounting records on data required for the purposes of pension insurance – 30 years after the year to which they apply (if this concerns the recipient of an old-age or disability pension 10 years).

3. With regard to the processing of personal data according to par. 1 the former employee has the same rights in relation to the Employer according to Article VII of these Rules as he/she had during the employment relationship.

VIII. Rights of Employees as Data Subjects

1. Under the Regulation Employees, as personal data subjects, have the following rights:

1.1. Right of access to their personal data, which the Employer processes and to a copy as stated in Article IV of these Rules.

1.2. Right to correction and supplementation of personal data – if the Employer believes that the personal data which the Employer processes about him/her are inaccurate or incomplete, he/she has the right to ask the Employer for their correction and/or supplementation.

1.3. Right to raise an objection to the processing of personal data:

The Employee may raise an objection to the processing of personal data which the Employer processes exclusively for a legitimate interest, i.e. on a legal basis specific in Article II (1.3.) of these Rules, including their handover within the MUFG Group. Based on the objection the Employer shall perform a so-called test of the proportionality of interests and takes into account facts which the Employee stated in the objection. If the assessment of the proportionality test turns out badly for the Employer, the Employer shall delete the personal data for this purpose in accordance with Article 17 (1) c) of the Regulation.

1.4. Right to restrict the processing of personal data – the Employee has the right to ask for a restriction to the processing of his/her personal data in the following situations:
a) if the Employee denies the accuracy of his/her personal data for the period required to verify the accuracy of the personal data, or
b) the processing is illegal if, at the same time, the Employee refuses the deletion of such personal data and instead asks for restriction of use or
c) the Employee raised an objection to the processing for a period before it is verified that the legitimate interest of the Employer or other members of the MUFG Group for the processing prevails over the Employee's legitimate interests; or
d) after the personal data shall not be required for the purpose for which they were processed by the Employer, but the Employee personally asks the Employer to process selected personal data for identification, performance or defence of legal claims.

1.5. Right to deletion of personal data (right to be forgotten) – the Employee has the right to ask for the deletion of his/her personal data in the following situations:
a) if they are no longer required for the purpose for which they were processed on some legal basis specified in Article II of these Rules,
b) were processed illegally,
c) must be deleted to fulfil the legal obligation laid down for the Employer by the law.

1.6. Right to the transfer of personal data – the Employee may ask the Employer to provide him/her with his/her recorded personal data in machine legible form (e.g. on CD or flash drive), however the implementation of this right is limited because it only applies to personal data processed by automated means.

2. The Employee may contact the Employer for the enforcement of his/her rights in the following manner:
- personally at the branch head (“Managing Director"),
- in writing by email to dpo@nl.mufg.jp
- or particularly for the enforcement of an objection against the transfer of his/her personal data abroad, he may contact the Data Protection Officer at the founder MUFG Bank (Europe) N.V., with registered office in the Netherlands, World Trade Center, Tower I, Strawinskylaan 1887, 1077 XX Amsterdam, as by email to dpo@nl.mufg.jp

3. Right to lodge a complaint at the supervisory authority

The procedure described above in par. 2 does not rule out for the Employee to directly contact the Office for Personal Data Protection, if he/she believes that a breach has occurred during the processing of his/her personal data specified in the Legislation. Contact data: Office for Personal Data Protection, with registered office in Pplk. Sochora 27, 170 00 Prague 7, telephone: +420 234 665 1111.