This notice is relevant to you if you are, are applying to be or were formerly an employee, consultant, contractor, worker, assignee, secondee, trainee, apprentice, work experience student, director or officer of ours, whether on a temporary or permanent basis. It informs you about how we collect, use, store, transfer and otherwise process your personal data for the effective running of our business before, during and after your working relationship with us and about your rights in relation to your personal data. This privacy notice does not form part of any contract of employment or other contract to provide services.

This privacy notice was last updated on 25 May 2018; we may provide you with other privacy notices on specific occasions. You can contact us at the details provided below for the latest version. Furthermore, we will inform you in an adequate manner if material changes (especially in case of changes in the purposes) are made.

Controller

The controller of your personal data is the MUFG entity with who you are in, applying to be in, or were formerly in an employment, consultant, independent contractor, agency worker, assignee, secondee, trainee, apprentice, work experience student, director or officer relationship, whether on a temporary or permanent basis. If you are interested whether any other MUFG entity acts as a (joined) controller, you may request such information with regard to the processing of your personal data for a specific purpose.

Personal data we collect about you

Much of the personal data we collect about you will have been given to us directly, but it may also come from other internal sources, such as your manager and colleagues, or in some cases, external sources, such as referees, background check providers and employment agencies or from publicly available sources. To the extent permitted by EU or local law, this personal data includes, but is not limited to:

Personal details:

your title, name, e-mail and telephone details, home address, date of and place birth, gender, marital or civil partnership status, emergency contact information, outside business interests, personal account dealings, images of you;

Background:

your application letters, resume/CV, work background, references, education history, professional qualifications, membership of professional associations, other skills, interview feedback, credit check and criminal record check (where authorised by EU or local law);

Right to work/immigration:

your citizenship/nationality, passport/identity card information, and residency/work permit information;

Role:

your position, title, job grade, division, department, location, managers, reports, staff identification number, employment status and type, terms of employment including benefits information, employment contract, start date, termination date, length of service, and reason for leaving;

Pay and benefits:

your pay, pay reviews, benefits, benefits selections, details of your beneficiaries, dependants and next of kin, tax/social security identification numbers, contributions to social, healthcare and pensions funds, and bank account details;

Performance and conduct:

facts and opinions regarding your performance, performance and talent ratings, development plans, promotions, training records, regulatory certifications, correspondence regarding your conduct and activities, performance improvement plans, records of disciplinary and grievance procedures and related correspondence; and

Work schedule and absences:

your hours worked, building access, overtime, holiday, sickness leave and other absence records.

Please note that in some cases we are required by law or as a consequence of a contractual relationship we have with you to collect certain personal data about you. In case we require any information from you and have informed you thereof and you fail to provide the personal data, this may prevent or delay the fulfilment of these obligations.

We may also collect personal data about you through:

• our information technology systems, which record emails, telephone conversations and other electronic communications and web usage on work systems and devices; and
• closed circuit TV systems and building access controls, which may record your attendance at our premises.

How we process your personal data

We process your personal data as necessary and where applicable law permits or requires it, including where the processing is necessary for the performance of any contract we may have with you (Art. 6 para. 1 b GDPR), where the processing is necessary to comply with a legal obligation that applies to us (Art. 6 para. 1 c GDPR), or for our legitimate interests or the legitimate interests of third parties (Art. 6 para. 1 f GDPR).

We do not generally rely on your consent to allow us to process your personal data if there is another lawful ground available. If we do rely on your consent we will make this clear to you at the time of the collection of the data.
The purposes for which we process your personal data as necessary include, to the extent permitted by applicable law and regulation:

To manage our relationship with you:

We process your personal data for performing any contract we have with you and for our legitimate interest in administering, managing and exercising rights and obligations in relation to our relationship with you. This includes, but is not limited to, performing background checks and interviews as part of our recruitment process, assessing qualifications or suitability for a particular role or task, applying for work permits and confirming rights to work, assessing training and development needs, conducting performance reviews and determining performance requirements, managing absences, determining remuneration, administering payroll and benefits including making required income tax and social security deductions, processing work-related claims (for example expenses claims and insurance claims), investigating and managing grievances and disciplinary matters, resolving disputes, providing references, and varying or terminating our relationship.

To comply with laws and regulation/rely on legitimate business interest:

We process your personal data for the purpose of complying with laws and regulation. We sometimes process your personal data to pursue our legitimate interests in directly or indirectly facilitating compliance with the requirements of the law, co-operating with our regulators and other authorities, complying with foreign laws, preventing or detecting financial and other crimes and regulatory breaches, and protecting our businesses and the integrity of the financial markets. This includes, but is not limited to, maintaining insider lists, personal account dealings, outside business interests, gifts and entertainment records, managing conflicts of interest, administering and keeping records of training, monitoring compliance with laws and internal policies including through monitoring telephone calls, email and other messaging and web usage, investigating, recording and reporting breaches or potential breaches of laws and internal policies and procedures including suspicious transactions or activities, making available and administering whistleblowing schemes, providing regulatory certifications and references, making registrations with regulatory bodies or other authorities, making conduct-related remuneration adjustments, and complying with information requirements and requests from regulatory, tax, law enforcement and other governmental agencies, exchanges, trading facilities, brokers or other intermediaries or counterparties and courts.

To ensure our systems and premises are secure:

We process your personal data for our legitimate interests in ensuring network and information security, including preventing unauthorised access to our computer and electronic communications systems, preventing malicious software distribution, testing our cyber resilience and ensuring compliance with our information security policies. This includes, but is not limited to, monitoring of emails, messaging and web usage, and undertaking phishing tests. We also process personal data obtained through closed circuit TV systems and building access controls to ensure the security and safety of our premises.

To manage our workforce and conduct our business:

We process your personal data for our legitimate interests in managing our workforce and resources, conducting our business, planning for the future and protecting our rights. This includes, but is not limited to, for the purposes of promotions, talent and succession planning, managing staff absences, staff transfers, secondments and assignments, compiling staff directories, investigating and managing staff grievances, disciplinary matters and terminations, making business travel arrangements, administering corporate credit cards, conducting business with our clients and counterparties, processing of expenses, administering our insurance, budgeting, accounting and auditing, managing and reporting our financial and non-financial performance, equal opportunities monitoring, performing workforce analysis and planning, undertaking staff surveys, managing mergers, acquisitions, disposals and business reorganisations, assessing and managing the risks facing our business, managing and improving our systems, processes and productivity, protecting the health and safety of staff and others, facilitating staff communication in an emergency, arranging events, seminars and CSR activities, including staff profiles in our publications, business continuity planning, handling complaints and enforcing and defending our legal rights and those of our clients, staff and affiliates.

If you provide us with personal data (including special categories of personal data - see below) about others, such as beneficiaries and emergency contacts, please inform them of the purpose for which you are providing the personal data and relevant information from this notice.

Special categories of personal data

Special categories of personal data includes race or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health and sexual life and sexual orientation. We only collect special categories of personal data where there is a lawful ground for doing and to the extent permitted by local laws. As a general rule, we will seek your explicit consent for processing special categories of personal data. However, we would not obtain your consent if we have another lawful basis, such as where the processing is necessary for us to exercise rights or carry out obligations in connection with employment (for example, processing health information for statutory sick pay purposes, making reasonable adjustments for disabilities, complying with health and safety obligations or administering health and life insurance policies and equal opportunities monitoring where permitted by local law) and for conducting, establishing, exercising or defending legal claims.

To whom do we disclose your personal data?

We disclose personal data about you, where reasonably necessary for the various purposes set out above, to a number of categories of recipients, including:

• our staff, agents and third-party service providers who provide services to us or on our behalf. Third-party service providers include payroll processors, benefits administration providers (including pension administration, insurance and occupational health and safety service providers), employment and recruitment agencies, background check providers, training providers, cloud providers of our HR databases, archive service providers, business travel agencies, travel security service providers, corporate credit card providers and providers of emergency staff notification systems;
• other members of the worldwide MUFG group of companies. Details of the group may be found at http://www.mufg.jp/english/profile/globalnetwork/;
• our auditors and our legal, accounting and other professional advisors;
• regulatory, tax, law enforcement and other governmental agencies, exchanges, trading facilities, brokers or other intermediaries, and courts;
• clients, counterparties and other persons from whom we receive, or to whom we make payments or with whom we conduct transactions;
• persons who take over our business and assets, or relevant parts of them; and
• other persons where we are required by law to disclose your personal data.

Because we operate as part of a global business, the recipients mentioned above may also be located outside the country in which you are based, including countries outside the European Economic Area.

These third countries outside the European Economic Area to which your data may be transferred are the following: Japan.

These third countries may not have similarly strict data privacy laws. Where the recipients are located in countries which are not acknowledged by the European Commission to provide for an equivalent level of protection compared to the laws of the European Economic Area to protect your personal data, we will put in place appropriate safeguards (such as data transfer agreements based on the European Commission's standard contractual clauses) in accordance with applicable legal requirements (article 46(2) of the EU General Data Protection Regulation). You may contact us for further information on how we have ensured sufficient protection.

Security

We maintain appropriate technical and organisational measures to protect against accidental, unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data that are being processed. For determining the technical and organisational measures that are appropriate, we will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of you. The technical and organisational measures shall be subject to regular monitoring and review. Where we engage third parties to process personal data on our behalf, we select processors that provide adequate technical and organisational security measures. These measures are aimed at ensuring the on-going integrity and confidentiality of your personal data.

For how long do we keep your personal data?

We retain personal data only for as long as reasonably necessary for the purposes described above or as long as required by law or to resolve potential legal claims or disputes.

Your data protection rights

You have certain rights under data protection law regarding your personal data. These include rights to be informed, rights to access your personal data, rectify the personal data we hold about you, erase your personal data, restrict our processing of your personal data, object to our processing of your personal data, and to receive your personal data in a usable electronic format and have it transmit to a third party (right to data portability), and the right not to be subject to automated decision making in case such processing produces legal or similarly significantly affects you, in each case in the circumstances provided by data protection law. If you would like to discuss or exercise your data protection rights, please contact us at the details provided below.

You can also lodge complaints with the local data protection authority, either where you live or work or where the relevant MUFG office is located.

If we have obtained your consent for the processing of personal data, you may withdraw such consent at any time for the future by contacting us at the details below.

We also encourage you to contact us to update or correct your personal data if it changes or if any personal data we hold about you is inaccurate.

Who to contact

If you have any questions about this privacy notice or our processing of your personal data, or if you wish to exercise your data protection rights, please use the contact details below.

We are committed to working with you to obtain a fair resolution of any complaint or concerns about privacy.

MUFG Bank (Europe) N.V. Germany Branch
Tobias Erdmann
Data Protection Officer
MUFG Bank (Europe) N.V. Germany Branch
Breite Strasse 34, 40213 Dusseldorf
Germany
erdmann@sicdata.de