Staff Data Privacy Notice
|SUBJECT:||Staff Data Privacy Notice|
|CONCERNED PARTIES:||All staff members|
|LAST UPDATE:||January 18, 2021|
|CONTACT PERSON:||Tarik MOUSTAHIB, email@example.com,|
|INTRANET DOCUMENT LINK:||Please click BNPP TH Echonet HR|
This Staff Data Privacy Notice applies to all candidates, employees, staff, contractors, temporary workers, secondees, intern, temp staff or other personnel (“Staff” or “you”) applying for a position in, working for, and/or providing services to, BNP Paribas Bangkok branch (“BNPP” or “we”).
This document is a statement outlining BNPP’s practices that apply to the collection, use and disclosure (“Processing”) of personal data of Staff. This document also serves as a privacy notice, notifying Staff about the types of personal data that may be collected, purposes of Processing the personal data, whether the collection of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, whether the Staff is obliged to provide the personal data and the possible consequences of failure to provide such data, the classes of person to whom the data may be transferred or disclosed, identity and the contact details of BNPP and data privacy rights of Staff.
Reference in this Notice to “BNPP Group” includes a subsidiary, branch or affiliate of BNP Paribas.
1. What Personal Data BNPP May Process
BNPP may collect, use and disclose (“Process”) the following types of personal data about Staff and their family member:
- Personal details, such as name, address, date of birth, nationality, gender, specimen signature, marital status, religion, name and age of children, number of children/ dependent, emergency contact details (include name of contact persons, relationship with staff, and contact number), country of residence and address, national identification number, salary, raise, bonus, tax status, income, revenues, investment, value of assets, social media, leave entitlement, leave taken, purpose of leave taken, support documents for leave taken, bank account details, criminal record, medical certificate, medical receipt and medical conditions including any other information that identifies or allows to identify Staff.
- Professional details, such as email address, postal address, telephone number, CV, qualifications, professional membership information, relevant experience and skills including any certificate and/ or degree relevant thereto.
- Identification documentation, such as work permit, visa, a photocopy of passport, driving license, certification of changing name, business card, ID card, household registration, children/ dependent birth certificate, marriage certificate, adoption certificate, Tax ID or other documentation required by local law. Copies of these documents may include photographs of Staff and of their family member.
- Human resources related records, such as date of work commencement, employee ID, training and certificate, performance assessments, feedback, absence and time-keeping records, disciplinary, grievance, certificate of employment, payslip from other company, payslip, and background checks.
- Security protection data which includes CCTV and access control information.
- Logs such as Staff telephone calls, emails, chat logs, use of BNPP systems and internet logs in connection with their work with BNPP or other person. (For further details about monitoring of IT resources and communication systems that may be carried out by BNPP, please see APAC Staff Monitoring Policy).
We will not ask for any other sensitive personal data such as data related to your racial or ethnic origins, labour union membership, political opinion, genetic data, biometric data or data concerning your sex life or sexual orientation, unless it is necessary for our operation (including provision of employment with you) and we have a lawful basis to do so. Please note that before our Processing, we may permanently mask, remove, black out or hide any of your information which is considered sensitive personal data and not necessary for our operation, and in no intention to alter, fabricate or forge the document or information received from you.
2. What BNPP Uses Staff Personal Data for and on What Bases
The purposes for which BNPP Processes personal data relating to Staff are as follows:
a. Employment Pre-conditions (to take steps at Staff’s request before entering into a contract)
- Consideration for position with BNPP.
- Completing employment pre-requisites.
- Conducting periodic background screening.
- Confirmation on Staff references and educational background.
b. Salaries, Benefits and Progression (to perform a contract with Staff, to fulfill a legitimate interest of BNPP or other persons or per Staff’s consent)
- Reviewing and administering salaries, bonuses, pensions and other benefits.
- Evaluating performance and position of Staff.
- Consideration for and administration of staff benefits and recreational activities.
- Administering medical benefits and processing sick leave and medical claims.
- Consideration for and administering of promotion, training, secondment or transfer.
- Conducting employee appraisals, reviews and disciplinary proceedings.
- Providing employment references (with prior consent obtained from the relevant Staff).
c. Legal and Regulatory Obligations (to comply with our legal and regulatory obligations)
- Compliance with legal and regulatory obligations applicable to any member of the BNPP Group anywhere in the world, including reporting to and/or being audited by national and international regulatory, enforcement or exchange bodies.
- Compliance with court orders, tribunal of competent jurisdiction, proceedings, judicial authorities, arbitrators and exercise and/ or defend the members of the BNPP Group’s legal rights.
- Making regulatory notifications including administration of licences.
- Compliance with request or order of regulators, supranational, governmental, state agencies, public bodies, governed authorities and any other authorities of any member of BNPP Group.
d. Business Operation and Administration (to fulfill a legitimate interest of BNPP or other persons)
- Managing the BNPP Group business and operations, including disclosure and Processing necessary to conduct business, use services or perform BNPP Group obligations with current or potential project partners, customers and/or any third party, which may require disclosing Staff personal information with such counterparties.
- Conducting business reorganization, mergers, acquisitions and related due diligence.
- Administering and reporting tax matters.
- Administering employee surveys, events and competitions.
- Arranging travel and accommodation.
- Managing and performing human resource operations/ business including any human resource management and other general business management.
- Personnel administration including but not limited to PeopleSoft system, shared services, control, monitoring and supervision.
e. Security and Compliance (to fulfill a legitimate interest of BNPP or other persons)
- For security purposes in relation to the protection and access of BNPP Group premises systems, platforms and secured websites and applications.
- Preventing, detecting and investigating breaches of law, regulation or the BNPP Group internal rules and policies.
- Conducting legal or compliance investigations and proceedings.
- Reviewing and monitoring personal account dealing, conflicts of interests and outside business interests.
- Contacting Staff or their family in the event of an emergency.
- Compliance with internal policy, procedure or standard applicable to any member of the BNPP Group
f. Benefit benchmarking survey (to fulfill a legitimate interest of BNPP or other persons)
- To disclose certain personal data to third-party surveyor to conduct benefit benchmarking survey on market standard of employee benefits
g. Actuarial valuation service (to fulfill a legitimate interest of BNPP or other persons)
- To disclose certain personal data to third-party vendor to receive actuarial valuation service.
If you fail to provide your personal data to us
Where are required by law to collect your information (for instance, in relation to Social Security Act) or need to collect your information under the terms of a contract we have with you and you fail to provide your information when requested, we may not be able to perform the contract we have or plan to enter into with you (for example, contribution to social security fund). In this case, we may have to decline to employ or continue to employ you as our employee or staff, but we will notify you if this is the case at the time your information is collected.
3. WHO BNPP may Disclose Staff Personal Data to
a. Disclosing information within BNPP Group
We are part of BNPP Group that is a group of companies working closely together all over the world. We may share your personal data within our organization, to any member of BNPP Group including its directors, officers, employees, representatives or agents. Please refer to the details in Section 2 (What BNPP Uses Staff Personal Data for and on What Bases) above.
b. Disclosing information outside BNPP Group
Staff personal data held by BNPP will be kept confidential but, for any of the purposes specified above, BNPP may provide such information to any of the following parties in any jurisdiction in the world:
- Third parties who Process Staff personal data to provide BNPP or Staff with a service on behalf of BNPP (such as travel and accommodation agents, payroll service provider, visa & work permit agent, tax consultant, or provident fund asset management company, etc).
- Third parties including service provider, advisor, agent or any person who provide administrative, telecommunications, computer or other services to BNPP in connection with human resources management function, operation of our business or general business management.
- Persons seeking employee references (with prior consent obtained from the relevant Staff).
- Third parties in the form of directories of names and office contact details (including email address and telephone numbers) of key officers of BNPP for promotional and administrative purposes.
- Any financial, tax, regulator, supranational, governmental, administrative, criminal or judicial authorities, court, tribunal of competent jurisdiction, arbitrators or mediators, law enforcement, state agencies, public bodies, including industry or professional association, governed authorities and any other authorities, we or any member of BNPP Group is required to disclose to pursuant to:
- their request;
- defending or responding to a matter, action or proceeding; or
- complying with law, regulation or guidance from authority applicable to us or any member of BNPP Group;
- Counsel, lawyers in connection with legal proceedings, to obtain legal advice or to support members of the BNPP Group’s legal rights.
- Auditors and investigators in connection with internal and external audits and investigations.
- Any professional advisors.
- Publication companies (e.g. magazine or newspaper).
- Insurance companies, insurance broker.
- Any third party to whom BNPP may transfer its rights and obligations under any agreement it may have in connection with the acquisition, sale or restructuring of any member of BNPP Group.
- Any person to whom any member of BNPP Group is allowed or required to provide such information under the law.
- Any other person under a duty of confidentiality to BNPP Group.
4. International Transfers of Personal Data
In case of international transfers originating from Thailand to another country, the transfer of your personal data may take place where the Thailand Personal Data Protection Committee has recognised such country as providing an adequate level of data protection, your personal data may be transferred on this basis.
For transfers to the countries where the level of protection has not been recognised as adequate by the Thailand Personal Data Protection Committee, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you) or implement one of the following safeguards to ensure the protection of your personal data:
- Standard contractual clauses;
- Binding corporate rules approved by the Office of Thailand Personal Data Protection Committee.
For more information, you can contact us via details as set out in Section 8 (How to Contact Us).
5. Security and Retention Practices
BNPP will take appropriate security measures to protect Staff personal data against unauthorized or accidental access, Processing or erasure of that data.
BNPP will only retain Staff personal data for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements. For instance, most of your data is kept for the duration of the employment relationship and 10 years after the end of the employment, in accordance with statute of limitation in relation to employment litigation case under Thai law.
BNPP will take all practicable steps to ensure that the data it holds about Staff is accurate having regard to the purpose for which the data is used.
6. Rights of Staff as a Data Subject
In accordance with applicable regulations and where applicable, you have the following rights:
- To access: you can obtain information relating to the Processing of your personal data, and a copy of such personal data.
- To rectify: where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified accordingly.
- To erase: you can require the deletion of your personal data, to the extent permitted by law. Note that this is not a blanket right to require all your personal data to be deleted. We will consider each request carefully in accordance with the requirements of any laws relating to the Processing of your personal data.
- To restrict: you can request the restriction of the Processing of your personal data in certain circumstances. This right arises: (a) if you are disputing the accuracy of your information; (b) if the Processing of your information is unlawful but you requested for a restriction of Processing instead of an erasure of personal data; (c) if your information is no longer necessary but you require the personal data to be retained to establish, exercise or defend a legal claim; or (d) if we require your information in assessing your request to object Processing of information;
- To object: you can object to the Processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the Processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing. You also have a right to object if (a) we are Processing your personal data based on legitimate interests or for the performance of a task in the public interest; or (b) if your personal data is being Processed for scientific or historical research or statistical purposes.
- To withdraw consent: where you have given your consent for the Processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party. The right to data portability only applies if our data Processing is based on your consent or if the personal data is Processed for the performance of a contract.
- To file a complaint: you have the right to file a complaint in the case where, in your view, we or our employees or contractors violates fails to comply with the Personal Data Protection Act B.E. 2562 (2019) or notifications issued thereunder.
If you wish to exercise the rights listed above, please submit a data subject request form which is available here through our website or send a letter or e-mail to the following address firstname.lastname@example.org. We may need to request specific information from you to help us confirm your identity and ensure your right to access your information (or to exercise any of your other rights). This is a security measure to ensure that your information is not disclosed to any person who has no right to receive it. Please include a scan/copy of your proof of identity for identification purpose when required.
You will not have to pay a fee to access your information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint where, in your view, we violates or fails to comply with the Personal Data Protection Act B.E. 2562 (2019) or notifications issued thereunder, with the Personal Data Protection Committee.
We try to respond to all legitimate requests within 30 days. Occasionally, it may take us longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
7. Update to this Staff Data Privacy Notice
In a world of constant technological changes, we may need to regularly update this Staff Data Privacy Notice.
We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.
8. How to Contact Us
If you have any questions relating to our Processing of your personal data under this Staff Data Privacy Notice, please contact our data protection officer Tarik MOUSTAHIB, email@example.com, who will handle your query.