This notice is relevant to you if you are, are applying to be, or were formerly, an employee, consultant, contractor, assignee, trainee, apprentice, work experience student, director or officer of ours, whether on a temporary or permanent basis. It informs you about how we collect, use, store, transfer and otherwise process your personal data for the effective running of our business before, during and after your working relationship with us and about your rights in relation to your personal data. This privacy notice does not form part of any contract of employment or other contract to provide services.
This privacy notice was last updated on 25 May 2018. You can also contact us at the details provided below for the latest version. We may provide you with other privacy notices on specific occasions.
Personal data we collect about you
Much of the personal data we collect about you will have been given to us directly, but it may also come from other internal sources, such as your manager and colleagues, or in some cases, external sources, namely referees, background check providers, employment agencies or from publicly available sources such as LinkedIn. To the extent permitted by EU or local law and depending on the legal basis of your employment, this personal data includes, but is not limited to:
name, business e-mail and telephone details, home address, contact data of job applicants, date of birth, gender, marital status, emergency contact information, outside business interests, personal account dealings, images of you, personal identification card number and PESEL number;
your application letters, resume/CV, work background, references, education history, professional qualifications, membership of professional associations, other skills, interview feedback and criminal record check (as authorised by Polish law);
Right to work/immigration:
your citizenship, passport/identity card information, and residency/work permit information;
your position, job title, job grade, division, department, place of work, managers, reports, staff identification number, employment status and type, terms of employment including benefits information, employment contract, start date, termination date, length of service, and reason for leaving;
Pay and benefits:
your pay, pay reviews, benefits, benefits selections, beneficiaries, data of your children and next of kin, tax identification number, contributions to social and healthcare insurance schemes, and bank account details;
Performance and conduct:
facts and opinions regarding your performance, performance and talent ratings, development plans, promotions, training records, regulatory certifications, correspondence regarding your conduct and activities, performance improvement plans, records of disciplinary and grievance procedures and related correspondence; and
Work schedule and absences:
your hours worked, building access, overtime, holiday, sickness leave and other absence records.
Please note that in some cases we are required by law or as a consequence of a contractual relationship we have with you to collect certain personal data about you, and your failure to provide the personal data may prevent or delay the fulfilment of these obligations.
Personal data about you is also collected through our information technology systems which record emails, telephone conversations and other electronic communications and web usage on work systems and devices. Closed circuit TV systems and building access controls may record your attendance at our premises.
How we use your personal data
We process your personal data where applicable law permits or requires it, including where the processing is necessary for the performance of any contract we may have with you, where the processing is necessary to comply with a legal obligation that applies to us, or for our legitimate interests or the legitimate interests of third parties.
We do not generally rely on your consent to allow us to process your personal data if there is another lawful ground available. If we do rely on your consent we will make this clear to you at the time.
The purposes for which we process your personal data include, to the extent permitted by applicable local law:
To manage our relationship with you:
We process your personal data for performing any contract we have with you and for our legitimate interest in administering, managing and exercising rights and obligations in relation to our relationship with you. This includes, but is not limited to, performing background checks and interviews as part of our recruitment process, assessing qualifications or suitability for a particular role or task, applying for work permits and confirming rights to work, assessing training and development needs, conducting performance reviews and determining performance requirements, managing absences, determining remuneration, administering payroll and benefits including making required income tax and social security deductions, processing work-related claims (for example expenses claims and insurance claims), investigating and managing grievances and disciplinary matters, resolving disputes, providing references, and varying or terminating our relationship.
To comply with laws and regulations:
We process your personal data for the purpose of complying with laws and regulation. We sometimes go beyond the strict requirements of the law, but only as necessary to pursue our legitimate interests in directly or indirectly facilitating compliance with the requirements of the law, co-operating with our regulators and other authorities, complying with foreign laws, preventing or detecting financial and other crimes and regulatory breaches, and protecting our businesses and the integrity of the financial markets. This includes, but is not limited to, maintaining insider lists, personal account dealings, outside business interests, gifts and entertainment records, managing conflicts of interest, administering and keeping records of training, monitoring compliance with laws and internal policies including through monitoring telephone billings, email and other messaging and web usage, investigating, recording and reporting breaches or potential breaches of laws and internal policies and procedures including suspicious transactions or activities, making available and administering whistleblowing schemes, providing regulatory certifications and references, making registrations with regulatory bodies or other authorities, making conduct-related remuneration adjustments, and complying with information requirements and requests from regulatory, tax, law enforcement and other governmental agencies, exchanges, trading facilities, brokers or other intermediaries or counterparties and courts.
To ensure our systems and premises are secure:
We process your personal data for our legitimate interests in ensuring network and information security, including preventing unauthorised access to our computer and electronic communications systems, preventing malicious software distribution, testing our cyber resilience and ensuring compliance with our information security policies. This includes, but is not limited to, monitoring of emails, messaging and web usage, and undertaking phishing tests. We also process personal data obtained through circuit TV systems and building access controls to ensure the security and safety of our premises.
To manage our workforce and conduct our business:
We process your personal data for our legitimate interests in managing our workforce and resources, conducting our business, planning for the future and protecting our rights. This includes, but is not limited to, for the purposes of promotions, talent and succession planning, managing staff absences, staff transfers, secondments, compiling staff directories, investigating and managing staff grievances, disciplinary matters and terminations, making business travel arrangements, administering corporate credit cards, conducting business with our clients and counterparties, processing of expenses, administering our insurance, budgeting, accounting and auditing, managing and reporting our financial and non-financial performance, equal opportunities monitoring, performing workforce analysis and planning, undertaking staff surveys, managing mergers, acquisitions, disposals and business reorganisations, assessing and managing the risks facing our business, managing and improving our systems, processes and productivity, protecting the health and safety of staff and others, facilitating staff communication in an emergency, arranging events, seminars and CSR activities, including staff profiles in our publications, business continuity planning, handling complaints and enforcing and defending our legal rights and those of our clients, staff and affiliates.
Where we rely on legitimate interests we carry out a balancing test to ensure that our processing of your personal data does not affect your rights and freedoms. If you would like to know more about the test that we carry out you may contact us for further information.
If you provide us with personal data (including special categories of personal data - see below) about others, such as beneficiaries and emergency contacts, please inform them of the purpose for which you are providing the personal data and share with them this notice.
Special categories of personal data
Special categories of personal data includes race or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health and sexual life. We only collect special categories of personal data where there is a lawful ground for doing and to the extent permitted by local laws, in particular when the processing is necessary for us to fulfil regulations connected with employment (for example, processing health information for statutory sick pay purposes, making reasonable adjustments for disabilities or complying with health and safety obligations) and for establishing, exercising or defending legal claims.
To whom do we disclose your personal data?
We disclose personal data about you, where reasonably necessary for the various purposes set out above, to a number of categories of recipients, including:
- our staff, agents and third-party service providers who provide services to us or on our behalf. Third-party service providers include payroll processors, benefits administration providers (including pension administration, insurance and occupational health and safety service providers), employment and recruitment agencies, background check providers, training providers, cloud providers of our HR databases, archive service providers, business travel agencies, travel security service providers, corporate credit card providers and providers of emergency staff notification systems;
- other members of the worldwide MUFG group of companies for the purposes of compliance with internal policies and procedures, administering whistleblowing schemes, complying with requests from regulatory authorities, testing cyber resilience and compliance with MUFG group's information security policies, performing workforce analysis and planning, managing staff transfers and secondments, budgeting, accounting and auditing. Details of the group may be found at http://www.mufg.jp/english/profile/globalnetwork/;
- our auditors and our legal, accounting and other professional advisors;
- regulatory, tax, law enforcement and other governmental agencies, exchanges, trading facilities, brokers or other intermediaries, and courts;
- clients, counterparties and other persons from whom we receive, or to whom we make payments or with whom we conduct transactions;
- persons who take over our business and assets, or relevant parts of them; and
- other persons where we are required by law to disclose your personal data.
Because we operate as part of a global business, the recipients mentioned above may be located outside the country in which you are based, including countries outside the European Economic Area, which do not have similarly strict data privacy laws, such as Japan and the United States of America. Where the recipients are located in countries where data protection laws may not provide an equivalent level of protection to the laws of the European Economic Area, to protect your personal data, we will put in place appropriate safeguards (such as data transfer agreements based on the European Commission's standard contractual clauses in line with article 46(2) of the GDPR) in accordance with applicable legal requirements. You may contact us for further information.
We maintain appropriate technical and organisational measures to protect against unauthorised or unlawful processing of your personal data and/or against accidental loss, alteration, disclosure or access, or accidental or unlawful destruction of or damage to your personal data. Where we engage third parties to process personal data on its behalf, we select processors that provide adequate technical and organisational security measures. These measures are aimed at ensuring the on-going integrity and confidentiality of your personal data. In particular, only employees having our written consent will be allowed to process employees' special categories of data.
For how long do we keep your personal data?
We retain personal data only for as long as reasonably necessary for the purposes described above or as long as required by law or to resolve potential legal claims or disputes.
Personal data will be retained throughout the period of employment, and after its termination – based on the category of data – throughout the period required by applicable provisions of law or period necessary to process any claims or for such claims to expire. In particular we inform that the period of retention of your personal files will be 50 years since termination of employment.
Personal data of candidate will be deleted after the end of recruitment process, unless they are or may be necessary to process any claims – in such case they will be retained for period necessary to process any claims or for such claims to expire.
Your data protection rights
You have certain rights under data protection law regarding your personal data. These include rights to access your personal data, rectify the personal data we hold about you, erase your personal data, restrict our use of your personal data, and to receive your personal data in a usable electronic format and transmit it to a third party (right to data portability), in each case in the circumstances provided by data protection law. If you would like to discuss or exercise your data protection rights, please contact us at the details provided below.
You also have the right to object to our processing of your personal data based on legitimate interests. If you would like to exercise this right please contact us at the address below. We also encourage you to contact us to update or correct your personal data if it changes or if any personal data we hold about you is inaccurate.
Who to contact
If you have any questions about this privacy notice or our processing of your personal data, or if you wish to exercise your data protection rights, please use the contact details below.
We are committed to working with you to obtain a fair resolution of any complaint or concerns about privacy. You can also lodge complaints with the local data protection authority (in Poland – with Personal Data Protection Office), either where you live or work or where the relevant MUFG office is located.
MUFG Bank (Europe) N.V. Poland
Data Protection Officer
MUFG Bank (Europe) N.V.
World Trade Center, Tower I, Strawinskylaan 1887
1077 XX Amsterdam