Data Protection Policy and Procedures

RECRUITMENT DATA PROTECTION NOTICE

I. INTRODUCTION

Bank of America Corporation, its group companies, its affiliates and branches (collectively, the “Bank”) has
prepared this Recruitment Data Protection Notice (“Notice”) to outline its practices regarding the collection,
use, storage, transfer and other processing of individually identifiable information collected from or about
individuals being applicants (“Personal Data”). For the purposes of this Notice, “Applicant” means any
individual who submits Personal Data or about whom Personal Data has been acquired in order to be
considered for an actual or potential job vacancy or career event.

II. PERSONAL DATA COLLECTION AND PURPOSES OF USE

Good recruitment and talent management practices and the effective running of our business require the Bank
to collect, use, store, transfer and otherwise process certain Personal Data.

A. PERSONAL DATA COLLECTION

The Bank collects Personal Data that is directly relevant to its business, required to meet its legal obligations,
or is otherwise permissible to collect under local laws. In particular, the Personal Data the Bank may collect,
use, store, transfer or otherwise process may include, but is not limited to, the following categories of Personal
Data, except where restricted by local law:

(1) Personal information: name (including any former names)*; contact information (address, email address
and telephone numbers)*; date and place of birth; gender; entitlement to residency*; nationality; citizenship;
national identification number, social insurance number or other tax identifier number; passport number; race
and/or ethnic origin; information regarding physical and/or mental health*

(2) Work related information: job title and/or position and description of responsibilities/duties*; location;
seniority; department; compensation details*; employer name*; employment history*; academic record and
educational record*; professional information (professional training, licenses and certifications; financial or
other regulatory registration)*; and language(s) spoken*

Personal Data marked with an asterisk in this Section is mandatory for Applicants to provide to the Bank
(unless otherwise indicated during the application process). It is voluntary for Applicants to provide other
types of Personal Data and information about themselves.

B. PERSONAL DATA USE AND PROCESSING

The Bank may use the Personal Data listed above for the following purposes during and in connection with
the recruitment and talent identification process, except where restricted by local law:

(1) Facilitation of recruiting activities, talent management and succession planning; (2) general administration;
(3) human resources information systems (“HRIS”) and application support and development; (4) information
technology and information security support; (5) authentication/identification of Applicants; (6) initial application
review, communication with Applicants about any actual or potential job vacancy or career event, conduct of
interviews, consideration of eligibility for selection as candidate for employment, and offer approval; (7)
complying with applicable government reporting and other local law requirements (including the requirements
of the US Sarbanes-Oxley Act or other applicable internal control regulations and in such areas as
immigration, tax or statutory financial regulation) and other legal obligations; (8) defending, preparing for,
participating in and responding to potential legal claims, investigations and regulatory inquiries (all as allowed
by applicable law); (9) internal business processes such as data analysis, monitoring and testing, audits; and
(10) purposes relating to any of the above.

The Bank does not use the Personal Data of any Applicant for direct or indirect marketing purposes, except
where the Bank obtains the Applicant’s express consent to do so and provides the Applicant with the
subsequent right to object at any time and at no charge to the use of Personal Data for direct or indirect
marketing purposes.

(MASTER Version 2) 23 May 2017 Page 1 of 4


C. SENSITIVE PERSONAL DATA

Subject to local law the Bank may collect and process certain special or other significant categories of
Personal Data (“Sensitive Personal Data”) about Applicants where required by local law, where necessary for
the establishment, exercise or defense of legal claims, where the Bank has legitimate grounds to process
such Sensitive Personal Data and, where necessary, the Applicant has provided explicit consent or otherwise
volunteered such information. In particular, the Bank processes information regarding gender, race and/or
ethnic origin for the purposes of complying with government reporting requirements and other legal obligations
(such as monitoring equal opportunity) and tracking diversity; information regarding physical and/or mental
health for the purposes of addressing workplace health and safety issues (such as appropriate
accommodation of Applicants during interviews). The Bank may also collect and store biometric data, such as
fingerprints and iris scans, for the purposes of electronic identification, authentication and corporate security,
at secured Bank premises.

D. PERSONAL DATA ABOUT OTHER INDIVIDUALS

If an Applicant provides the Bank with Personal Data about other individuals (e.g., individuals listed by
Applicants as referees), it is the Applicant’s responsibility to inform such individuals of their rights and to
obtain their explicit consent, where necessary under applicable law, to the processing (including transfer) of
that Personal Data as set out in this Notice.

E. MEANS OF COLLECTION AND USE

During and in connection with the recruitment and talent identification process, the Bank may collect Personal
Data directly from Applicants through the completion and submission of online application forms and profiles,
through resumes or curricula vitae, or through interviews or other communications (both verbally and in
writing) with Applicants. The Bank may also collect Personal Data from other sources, including specialist
third party providers of recruitment services and publicly available sources. Personal information will be
collected to the extent permitted by applicable laws and as appropriate for the actual or potential job vacancy
or career event for which the Applicant is seeking to be considered.
Collection, use, processing, disclosure or international transfer of Personal Data may be by automated or
manual means, including by hard-copy or soft-copy documents or other appropriate technology.

III. DATA STORAGE AND ACCESS BY BANK PERSONNEL

The Bank maintains an automated record of the Personal Data of the Applicant. The Bank may also maintain
hard-copy records on Applicants. The Bank maintains these records in a secure environment. Additionally,
the Bank maintains Personal Data in the HRIS and other applicant tracking systems.

Access to Personal Data is restricted to those individuals who need such access for the purpose of their role
or where required by law, including members of the Human Resources Department and the managers
involved in the recruitment process, and to authorised representatives of the Bank’s internal control functions
such as Compliance, Corporate Security, Audit and Legal. Access may also be granted, on a strict need-to-
know basis, to other managers in the Bank where relevant if the Applicant is being considered for an
alternative job opportunity. All Bank personnel, including managers, are bound by the requirements of this
Notice.

IV. DISCLOSURE AND INTERNATIONAL TRANSFERS OF PERSONAL DATA

The Bank may disclose, in accordance with applicable law, relevant Personal Data to certain third parties in
connection with the provision of the following services to the Bank: human resources administration and
assistance, recruiting and talent management services and training services. In addition, if necessary and in
accordance with applicable law, the Bank may disclose Personal Data to its auditors and other outside
professional advisers and to other parties that provide products or services to the Bank, such as IT systems
providers and consulting firms.

Where the processing of Personal Data is delegated to a third party data processor, such as those listed
above, the Bank will delegate such processing in writing, will choose a data processor that provides sufficient
guarantees with respect to technical and organisational security measures governing the relevant processing
and will ensure that the processor acts on the Bank’s behalf and under the Bank’s instructions. In addition,
the Bank will impose in writing appropriate data protection and information security requirements on such third
party data processors.

A. INTERNATIONAL TRANSFERS OF PERSONAL DATA

Given the global nature of the Bank’s activities, the Bank may (subject to applicable law) transmit Personal
Data to other Bank of America affiliates or operations located in the United States or other jurisdictions where
data protection laws may not provide an equivalent level of protection to the laws in the Applicant’s home
jurisdiction. A list of affiliates belonging to the Bank of America Corporation group is available on request.
Such Personal Data may be transferred where necessary or appropriate for any of the purposes listed in
Section II.B above.

In addition to the third parties listed above, the Bank may disclose and transfer Personal Data to certain global
human resources data processors located in the United States and other processing locations where data
protection laws may not provide an equivalent level of protection to the laws of the Applicant’s home
jurisdiction.

As explained above, the Bank will take steps (and will memorialize such steps in writing) to ensure that third
parties provide sufficient guarantees with respect to technical and organisational security measures governing
the relevant processing and to ensure that these parties act on the Bank’s behalf and under the Bank’s
instructions. In addition, the Bank will impose in writing appropriate data protection and information security
requirements on these parties.

From time to time, the Bank also may need to disclose Personal Data to other parties, such as legal and
regulatory authorities located in the United States and other processing locations where data protection laws
in these locations may not provide an equivalent level of protection to the laws of the Applicant’s home
jurisdiction.

B. INTERNATIONAL TRANSFERS OF SENSITIVE PERSONAL DATA

As part of the international transfers of Personal Data described above and to the extent permitted by
applicable law, the Bank may transfer certain Sensitive Personal Data to the United States or other
jurisdictions outside an Applicant’s home jurisdiction where data protection laws may not provide an
equivalent level of protection to the laws of the Applicant’s home jurisdiction.

C. ADDITIONAL DISCLOSURES OF PERSONAL DATA

Personal Data also may be disclosed where permitted by applicable law, in connection with a corporate
restructuring, sale, or assignment of assets, merger, divestiture, or other changes of the financial status of the
Bank or any of its subsidiary or affiliated companies. Personal Data also may be released to protect the vital
interests of Applicants, to protect the legitimate interests of the Bank (unless this would prejudice the rights
and freedoms or interests of the Applicant), or in the Bank’s judgment to comply with applicable law, legal or
regulatory obligations and regulatory inquiries or requests.

V. SECURITY

The Bank maintains appropriate technical and organisational measures to protect against unauthorised or
unlawful processing of Personal Data and/or against accidental loss, alteration, disclosure or access, or
accidental or unlawful destruction of or damage to Personal Data. Similarly, where the Bank transfers
Personal Data to non-affiliated companies and other third parties providing services to the Bank, it will ensure
that the recipient has in place appropriate technical and organisational security measures to protect the
confidentiality and security of the Personal Data disclosed to it.

VI. ACCURACY OF AND ACCESS TO PERSONAL DATA

Applicants affirm that the information provided in the application form and supporting documents is true to the
best of their knowledge. Each Applicant understands that, in the event that their application is successful,
they will be subject to disciplinary action and possible dismissal if the statements contained in the application
form and supporting documents prove to be untrue.

Applicants are entitled to access Personal Data held about them (with the exception of any documents that
are subject to legal privilege, that include Personal Data about other unrelated individuals, or that otherwise
are not subject to access rights). In addition, to the extent required by applicable law, Applicants have the
right to have inaccurate data corrected or removed for legitimate purposes (at no charge to the Applicant and
at any time).

Any Applicant who wishes to obtain information about or a copy of Personal Data held about them should
contact a member of the Global Talent Acquisition group using the contact information set out in Section VIII
below.

The Bank will maintain Personal Data for as long as it is required to do so by applicable law(s) or for as long
as necessary for the purpose(s) for which it was collected. The Bank will delete Personal Data when it is no
longer needed and, in any case, upon expiration of the maximum storage term set forth by applicable law.

VII. OTHER RIGHTS AND CONSEQUENCES

To ensure good recruitment and talent management practices and the effective running of the Bank’s
business, it is mandatory for the Bank to collect, use, store, transfer and otherwise process the Personal Data
marked with an asterisk in Section II (unless otherwise indicated during the application process). It is
voluntary for Applicants to provide other types of Personal Data and information about themselves.

To the extent available under applicable law, Applicants have the right to object to the collection, use, storage,
transfer or other processing of Personal Data as described in this Notice, the right to withdraw consent to or
request discontinuance of collection, use, storage, transfer or other processing of Personal Data as described
in this Notice, and to request deletion of such Personal Data. However, objections to the collection, use,
storage, transfer or other processing of Personal Data, withdrawals of consent, requests for discontinuance
and requests for deletion may affect the Bank’s ability to consider an Applicant for an actual or potential job
vacancy or career event and to process a related application for employment to the extent that the purposes
set out in this Notice cannot be achieved.

Any Applicant who wishes to object to the collection, use, storage, transfer or other processing of Personal
Data as described in this Notice, to withdraw consent, to request discontinuance or to request deletion should
contact a member of the Global Talent Acquisition group using the contact information set out in Section VIII
below.

Under applicable law, in certain circumstances, the Bank may be exempt from or entitled to refuse the above
requests or rights. Certain additional terms and conditions may be applicable to process requests or rights,
such as requiring communications to be in writing or requiring proof of identity.

VIII. QUESTIONS

Should any Applicant have any questions, concerns or complaints about this Notice, please contact a member
of the Global Talent Acquisition group via: [email protected]

The Bank will make every effort to resolve any questions, concerns or complaints promptly and in accordance
with law.

NOTE: Do not submit Japan My Number, Korea Resident Registration Number, or other unique identification
information in your CV, resume or cover letter.
