Privacy Statement for ABN AMRO Staff - UK

Date of most recent version: 28 April 2020. This Privacy Statement applies to all current, prospective and former employees, workers, secondees and contractors (known throughout this Privacy Statement as ‘staff’) of ABN AMRO UK (ABN AMRO Bank N.V., UK Branch, ABN AMRO Clearing Bank N.V., London Branch and ABN AMRO Asset Based Finance N.V., UK Branch). For the sake of convenience, the term ‘the bank’ is used in the rest of this Privacy Statement to refer to all ABN AMRO UK entities.

Who is responsible for your personal data?

The bank is responsible for your personal data. The bank's details are as follows: ABN AMRO Bank N.V., Gustav Mahlerlaan 10, 1082 PP Amsterdam. Registered in the Trade Register of Amsterdam Chamber of Commerce under number 35334259.

Data Protection Officer

The bank has a Data Protection Officer. The Data Protection Officer monitors the application of, and compliance with, the EU General Data Protection Regulation (GDPR) within the ABN AMRO organisation. This role has been allocated to the Privacy Office (privacy.office@nl.abnamro.com). 

The Data Protection Officer is supported in each country by a Data Privacy Officer.  In the UK, for all business lines apart from ABN AMRO Asset Based Finance N.V., UK Branch, that is the Country Compliance Head. For ABN AMRO Asset Based Finance N.V., UK Branch it is the Compliance Manager based in Haywards Heath.

What is personal data?

This Privacy Statement explains how the bank uses your personal data. But what exactly is personal data? The best known forms of personal data are your name, address, age and date of birth. Personal data also includes work e-mail addresses, telephone numbers, bank account numbers and your national identification number. There are several special categories of personal data. These concern data that is of such a sensitive nature that its use may have a serious impact on an individual's privacy. These include data concerning your health, sexual orientation, ethnic origin or membership of a trade union. Another special category concerns biometric data. Biometric data is data resulting from the use of various forms of technology for measuring and establishing the physical, physiological or behavioural characteristics of an individual (e.g. for providing access to secure spaces). Data protection legislation imposes strict requirements on the use of special categories of personal data. The bank cannot process this type of personal data unless it is required or permitted to do so by law or if you have given your explicit consent for this.

Does the bank also use personal data relating to you that it did not obtain from you directly? 

Yes, the bank also uses personal data relating to you that it did not obtain from you directly. Personal data may be obtained from sources such as:  

  • An employment or recruitment agency
  • Public registers that contain your personal data, such as the Financial Services register or Companies House
  • The Disclosure and Barring Service (for a criminal records check)
  • The occupational health service
  • In the context of pre-employment or in-employment screening (see ‘What does the bank use your personal data for?’ under item 2), the bank may make use of public sources such as search engines and public sections of social media accounts. 

On what basis does the bank process your personal data?

The bank must have a reason for asking for or using your personal data. This is referred to in the law as ‘a basis for processing’ your personal data. As your employer, the bank uses your personal data for one or more of the following reasons.
Employment agreement or other contract
The bank uses your personal data so that it can comply with the employment agreement concluded with you, for example, so that it can pay your salary. The bank has to make use of your personal data in order to do this.
Legal obligation
In addition, the bank processes your personal data because it is required to do so under various laws and regulations.
Legitimate interest
The bank also has the right to use your personal data if this is in its interest. This is referred to as a ‘legitimate interest’. For this to apply, the bank's interest in using your personal data must outweigh your right to privacy. In situations such as these, the bank balances all the interests. The following are examples of situations in which the bank has a legitimate interest in using your personal data:

  • Protecting the bank's property and data
  • Ensuring the security and safety of the bank and its employees
  • Improving services
  • Appraising employees
  • Studying the impact of HR strategy and policy on employees and corporate objectives
  • Enabling the bank to prove its case in legal proceedings

Vital interest
There may be cases in which the bank uses your personal data because this is necessary to protect your life or that of another person, for instance if the bank has to share personal data relating to you with a hospital.

Using personal data with your consent

The bank will not ask you to consent to the use of your personal data except in exceptional situations. If you have given consent, you can withdraw it at any time. Withdrawing your consent may have consequences, however. If, for example, you have consented in an app to the use of information concerning your location, withdrawing your consent may mean that the app works differently.

What does the bank use your personal data for?

As your employer, the bank uses your personal data for the following purposes.
1. Employment agreement or other contract. The bank needs your personal data for the conclusion and performance of its employment agreement or service contract with you. In this context, examples of the purposes for which the bank processes your personal data include: 

  • paying your salary, withholding tax and national insurance; 
  • processing Employee Benefits; 
  • recording absences; 
  • training and appraising employees; 
  • job mobility, transfers and promotions; and
  • succession management. 

2. Ensuring integrity and security. The bank uses personal data to protect itself, its property, its data and its staff from all kinds of breaches, damage and losses insofar as possible. Examples include the following: 

  • Your access pass, which the bank uses to keep track of your presence in the building. 
  • Security cameras within the bank's buildings and in their surroundings.
  • Additional security measures are in place in some of the bank's buildings and spaces. If you were involved in an incident, the bank will perform an investigation and may use your personal data in this context.
  • The bank performs pre-employment screening as well as in-employment screening. This means that you undergo screening when you start as a member of staff, including a basic criminal records check.  We may also perform additional checks if you switch to a role for which a different or more stringent form of screening is required. Personal data obtained from public sources may also be used for this purpose.
  • Certain roles, including approved person, certification employee or senior management functions, require the bank to conduct extra checks on you. These checks will include regulatory references and criminal records checks (including spent convictions but not protected convictions).  You will be aware if this is the case.
  • For security purposes, the bank may monitor activity on your computer, including your emails.
  • If your role involves chat sessions with Bloomberg and Reuters, the bank may monitor your chat sessions.
  • If you have the Microsoft Teams app suite on your mobile device, this must also be downloaded with the SEP Mobile by Symantec app. This is set up using some basic personal data and will scan your mobile device for viruses, with some limited data on potential viruses being sent back to the bank’s Corporate Information Security Office. You can find more information about SEP Mobile and the use of personal data on the intranet and in emails from the bank rolling out the software.

3. HR management. The bank uses personal data so that it can pursue a responsible, effective and efficient HR people plan. Examples include the following:

  • Workforce and succession planning; 
  • People analytics and statistical analysis; and
  • The bank's diversity policy. The bank seeks to ensure that greater diversity within society is reflected throughout the bank. It therefore wants to monitor diversity in all levels of the organisation, so that it can develop intervention procedures if necessary.

4. Improvements to services. If you use the bank's telephone for contact with clients for business purposes, the bank may record your telephone calls, chat messages or video chat sessions with clients in order to improve the quality of these calls.  

5. Obligations under legislation and regulations. Finally, the bank uses personal data relating to staff in order to comply with applicable legislation and regulations, such as: 

  • MiFID II. The bank is required to record telephone calls between advisers and clients that concern investing. 
  • Tax laws. By law, the bank must share specific information relating to its staff with HMRC.
  • Financial supervision regulations: in some situations the bank has to provide personal data relating to staff to a supervisory authority in the context of an investigation under supervisory law or in the context of a licence application. 
  • Criminal law: the bank may be required to provide personal data relating to staff to the police or other authorities in the context of a criminal investigation.  

Logging and monitoring

As you will have gathered from the information provided above, the bank uses various logging and monitoring techniques. What do logging and monitoring entail?
Monitoring
Monitoring is not the same as logging. When the bank performs monitoring activities, it actively keeps a record of what happens in a specific place or specific channel and intervenes if something goes wrong. One monitoring technique involves the use of personnel tracking systems. The bank monitors its employees for various purposes.

  • Security: examples include monitoring emails and chat messages.
  • Complying with legal obligations: for instance, the bank's monitoring of securities transactions by employees depends on the relevant employee's compliance status.

Logging
When it comes to logging, the bank does not play an active role. When the bank logs information, it records the personal data so that it can view it at a later date, for example if the supervisory authority carries out an investigation. The following are examples of logging:

  • Recording who has had access to a specific space, and when.
  • Under European rules, the bank is also required to record telephone calls between advisers and clients that concern investing.

Does the bank use your personal data for purposes other than the purpose for which it was initially obtained?

The bank may also use your personal data for a purpose other than the purpose for which you initially provided it. This is, however, subject to the condition that the new purpose must be in line with the purpose for which you initially provided your personal data to us. To determine whether this is the case, the bank looks at the following aspects as a minimum:

  • Is this purpose clearly related to the purpose for which you initially provided the personal data? Is the new purpose appropriate to the initial purpose?
  • How was the personal data originally obtained from you? Was the personal data obtained directly from you or in another way?
  • What kind of personal data is concerned exactly? Does it concern sensitive data, or data that is not so sensitive?
  • What would be the implications for you if the bank were to use the personal data in another way? Would you benefit, suffer or neither?
  • What can the bank do to ensure the highest possible level of data protection when reusing your personal data? Examples include anonymisation and encryption.

Does the bank share your personal data with others?

Yes, in some situations the bank has to share your personal data with others.
Employee benefits 
The bank shares personal data with benefits providers so that they may process your benefits in line with your individual choices under the flexible benefits programme.

Occupational health service 
In certain circumstances occupational health will share data with the bank. 

Public authorities 
There are some situations in which the bank is required to disclose your personal data to public authorities such as HMRC. The bank's supervisory authorities may also ask for data and the bank must share this if it is required to do so by law, even if this data includes your personal data. The police may ask for camera images in which you appear in connection with an incident. The bank will provide these images to the police if it is required to do so.  

Other companies 
The bank works with other companies who may, in turn, require your personal data in order to perform their work for the bank effectively. For example, Concur may process certain of your personal data in order to manage expense claims. Everbridge will also process certain personal data such as phone numbers and email addresses for our business continuity plans. The bank takes due care when selecting the companies with which it works and reaches clear contractual agreements with these companies on how they are to handle your personal data. The bank continues to be responsible for your personal data when it engages another company to carry out work on its behalf.  The bank may change the suppliers for these services from time to time. 

Profiling

The bank makes use of profiling. This is understood to mean putting people into groups (profiles). Profiling allows the bank to evaluate and analyse personal aspects and make predictions.  Examples of this are set out below. 

Preventing unauthorised transactions 
The bank monitors securities transactions by employees depending on their compliance status. The purpose of this monitoring is to prevent unauthorised transactions, such as insider trading. The bank uses profiles for this purpose. A profile consists of characteristics which the bank uses to identify unauthorised transactions. If potentially unauthorised transactions are detected, the bank will carry out an investigation. If it is established that you have executed an unauthorised transaction, you may be dismissed with immediate effect. 

People analytics  
The bank may perform analyses, for instance on the basis of the Employee Engagement Survey, in which aggregate HR data is used to optimise staff planning in a specific department, for example (see also paragraph 3 under ‘What does the bank use your personal data for?’). 

You have the right to object to the use of your personal data for profiling purposes. You can submit your objection through HR. The bank is not obliged to grant your request in all cases.

Personal data protection

The bank does its utmost to ensure the highest possible level of protection for its employees' personal data. In connection with this, the bank invests heavily in its people, systems and procedures. The way of working is constantly geared to the sensitivity of the relevant data. Employees are trained how to keep data safe and secure.
For security reasons, details of the precise data protection measures taken by the bank cannot be provided. Examples of the measures taken by the bank to protect the personal data of employees can be found under ‘Ensuring integrity and security’. Other security measures you may have come across include:

  • access to bank systems using login codes or even two-step verification;
  • restricted access to personal data: personal data can only be accessed by authorised individuals;
  • requirements for sending confidential documents.

Is your personal data processed outside Europe too?

The bank and its group companies may decide to share personal data with each other, even when the group companies are located outside Europe. For example, if you were to work for the Sydney office as an expat, the bank would share personal data relating to you with that office so that you can be included in its systems. In doing so, the bank must comply with the local rules.

The sharing of personal data with group companies outside Europe is governed by the bank's global internal policy, the Binding Corporate Rules (BCRs). This policy has been approved by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). 

The bank may also make use of IT suppliers that are based outside Europe or that also offer services from countries outside Europe. In that case, the bank will ensure that personal data is transferred in accordance with the data protection legislation. 

How does the bank determine the period for which your personal data is stored?

The bank stores personal data relating to you, such as your HR file (including your employment agreement and official appraisals), emails, chat session history and documents produced by you (including documents which do not relate to contact with clients). It does this for various reasons as set out in 'What does the bank use your personal data for?'  

When determining the storage periods for such personal data, the guiding principle followed by the bank is that it must keep the personal data for at least as long as is necessary in order to fulfil the purpose for which that personal data was obtained. The following information is also relevant in this context. 

  • The data protection legislation does not stipulate specific storage periods for personal data. Other legislation may specify minimum storage periods, however. If it does, the bank must observe these periods. Examples of such legislation include the PRA Rulebook, the FCA Handbook, tax laws and financial legislation such as MiFID II and the Money Laundering Regulations.
  • If the bank becomes involved in a lawsuit or other legal proceedings, the bank may use data that includes personal data relating to you (such as emails from you relating to the dispute) in order to prove its case. It may store this personal data in an archive until any claims have expired and legal proceedings can no longer be brought against it.   

The bank has formulated storage periods for several categories of personal data in its Local Retention Schedule (an appendix to the bank's Records Management Policy). The storage periods for HR documents can be found in section 10.

What rights do you have?

Right of inspection and right to rectification
You have the right to inspect the personal data relating to you that the bank processes. You can also ask the bank to correct any inaccuracies in your personal data. You can view and change much of your personal data yourself in the relevant HR systems. If you have an additional request, you can submit this via the HR department at human.resources@uk.abnamro.com.

Right to be forgotten
In some cases, you can also ask the bank to delete your personal data. The bank is not obliged to grant your request for the deletion of your personal data in all cases. For example, it is not under an obligation to do so if the law requires it to keep your personal data for a longer period of time.

Right to restriction of processing
You can also ask the bank to restrict the use of your personal data on a temporary basis. This is possible in the following situations:

  • You think that your personal data is incorrect;
  • The bank uses your personal data wrongfully;
  • The bank wants to destroy your personal data (for instance after the storage period has ended) but you still need it.

Requests for the deletion of your personal data or the restriction of its processing can also be submitted via the HR department at human.resources@uk.abnamro.com. Always clearly indicate the reason for your request.

More information about your rights and how to submit a request can be obtained via the HR department at human.resources@uk.abnamro.com.

Right to data portability

The bank can arrange for you to obtain your personal data that you provided to it and which is stored by automated means. The bank will not do this unless it processes your personal data on the basis of your consent or the employment agreement or contract it has concluded with you. This is referred to as data portability. You can also ask the bank to transfer your personal data directly to another party, such as a subsequent employer.   

Requests to receive your personal data or provide it to another party can be submitted via the HR department at human.resources@uk.abnamro.com.

Please keep your personal data secure. Check whether any party you want to provide your personal data to can be trusted and keeps your personal data as safe as the bank does. If you want to receive your personal data, please make sure that your own equipment is adequately secure and has not been, or cannot be, hacked.

Is anything unclear or do you have a complaint?

If so, please get in touch with HR. If you are not happy with the conclusion, you can contact the Privacy Office. You can also lodge a complaint with the Information Commissioner’s Office. 

Changes to the Privacy Statement

The way your personal data is used may change over time due to changes in laws and regulations or in internal procedures or systems that will directly affect the bank's use of your personal data. If this happens, the Privacy Statement will be changed and the bank will notify you of these changes on the intranet.