Data Privacy Notice for staff and similar data subjects

As of July 2023


The following data privacy notice is intended to provide you with an overview of the way in which we process your personal data and of your rights under data protection law. The specific data processed, and the uses to which that data is put, are determined by statutory provisions and by the contractual agreements between you and us. This information is intended for individuals with whom we have concluded an employment contract (employees), and for applicants and individuals with whom we have entered into a service contract, a contract for works, an agreement for the supply of contract labour, or a consultancy agreement (similar data subjects). It may therefore be that not all of the information below relates to you.

 

  1. Who is responsible for data processing and who can I contact?

The data controller is:

 

HSBC Continental Europe S.A., Germany

Hansaallee 3

40549 Düsseldorf, Germany

Tel: +49 (0)211 9100

Fax: +49 (0)211 910 616

Email address: info@hsbc.de

 

Our data protection officer can be reached at the following address:

HSBC Continental Europe S.A., Germany

Data Protection Officer

Hansaallee 3

40549 Düsseldorf, Germany

Tel: +49 (0)211 910 2006

Fax: +49 (0)211 9109 2125

Email address: datenschutz@hsbc.de

 

  2. Which sources and data do we use?

We process personal data that we obtain from our employees and similar data subjects during the initiation of employment relationships or in the course of such relationships. Where it is necessary in order for us to establish or conduct an employment relationship, we also process personal data that we lawfully obtain from publicly available sources (e.g. press, internet, professional networks) or that is legitimately provided to us by other companies within the HSBC Group. In certain circumstances, your personal data is also collected by other organisations on the basis of statutory provisions. This includes, in particular, ad hoc requests for tax-relevant information by the competent tax authority and information concerning periods of incapacity for work collected by the relevant health insurance company. We may also have received data from third parties (e.g. an employment agency).

The categories of personal data processed include, in particular,

  • core data (such as name, address and other contact details, personnel number, date and place of birth, nationality, status as Material Risk Taker, relevant person according to MaComp, Individual Accountability Regime, WpHG-MaAnzV, compensation information)
  • absences (e.g. Core Leave status, presence and absence periods)
  • credentials (e.g. ID data)
  • family information (e.g. marital status, information about your children)
  • emergency contacts
  • religious affiliation
  • social data, social insurance number, pension insurance number, tax identification number, bank account details and salary data
  • health data (so far as this is relevant to the employment relationship, e.g. if severely disabled)
  • any previous convictions (police certificate of good conduct)
  • information about your financial situation (e.g. borrowings, garnishment of salary)
  • performance assessments and feedback within the HSBC Group
  • participation in training and further education
  • data relevant for talent and succession management
  • information about and evidence of qualifications and details of previous employers.

 

We also process order-related information (e.g. if a remote workstation has been requested), the log files created when IT systems are used, and other data arising from the employment relationship (e.g. time records, holiday periods, periods of incapacity, electronic communication, recording of telephone calls, as well as skills data and activity-related performance data), data from the fulfilment of our contractual obligations (e.g. salary payments) and other data comparable to the above categories.

 

  3. Joint responsibility of HSBC Continental Europe S.A., Germany and HSBC Group Management Services Ltd.

 

HSBC Continental Europe S.A., Germany (“the Company”) and the group company HSBC Group Management Services Ltd. (“HGMS”) work closely together. This applies in particular to the processing of your personal data in the area of Human Resources (HR). Both parties have jointly determined the HR Services within which they are jointly responsible for the protection of your personal data (Art. 26 GDPR).

For which services is there joint responsibility?

The Company’s personnel management is carried out under joint responsibility with HGMS. Both parties use a common Human Resources management system and an HR ticket system to complete employees’ tasks and requests efficiently. Both parties have the power to decide on the operational processing of data within the scope of the services for which they are responsible.

What have the parties agreed?

As part of their joint data protection responsibility, the Company and HGMS have agreed who is responsible for fulfilling which obligations under GDPR. This agreement is necessary as the Company and HGMS each provide different HR services in both HR systems affected by the shared responsibility.

 
Within the framework of the common human resources management, the parties shall have the following responsibilities:

 

  • The Company is responsible for the determination and implementation of adequate authorisations for both HR systems in respect of the Company and its processors. The Company thereby determines which services are provided by the Company, which personal data is processed in this context by the Company or its processors, and who within the Company may access personal data. In addition, the Company is responsible for the collection, provision, maintenance and correction of data in the HR management system, for the categorisation of the requests and tasks to be processed in the HR ticket system and, within this framework, for their assignment to the respective employees at the Company or HGMS for further processing.
  • HGMS is responsible for the determination and implementation of adequate authorisation and role concepts for both HR systems and, with regard to HGMS and its processors, for the assignment of rights. HGMS thereby determines which services are provided by HGMS or its processors, which personal data is processed in this context by HGMS or its processors, and who within HGMS or its processors is allowed to access the Company’s personal data. In addition, HGMS is responsible for the processing of data required for the provision of central HR support and oversight services in the areas of data quality, training, talent development, assignments abroad, Human Resources support and reporting. These services are provided to support the administration of the Company’s staff and to achieve group-wide goals such as the implementation of talent programmes. For the provision of these services, data from the HR management system is used, and data in the HR ticket system is edited and evaluated.

What does this mean for you?

The parties fulfil their data protection obligations according to their respective responsibilities for the individual services as follows:

  • Within the scope of joint responsibility, each party is responsible for the processing of personal data within the HR services for which it is responsible.
  • The Company and HGMS shall make the information required under Art. 13 and 14 GDPR available to data subjects free of charge, in clear and simple language and in a precise, transparent, comprehensible and easily accessible form. Each party provides the other party with all necessary information from its sphere of influence.

    For information on services provided by HGMS, please contact:

 
HSBC Global Services (UK) Limited

ROI Fulfilment Team

Banking Operations

2, Grosvenor House, 1 Wellington Street, Sheffield, S1 4NB

Email address (HSBC internal): gdpr.rightsuk@hsbc.com

 

  • The parties will immediately inform each other of any legal positions asserted by the data subjects concerned. They will provide each other with all the information necessary to respond to requests for information.
  • Data protection rights can be asserted against both the Company and HGMS. In principle, data subjects receive the information from the party responsible for the service in question.

 

  4. Why do we process your data (purpose of data processing) and what is the legal basis for this?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

  a) For the fulfilment of contractual duties (Art. 6 (1) b GDPR in conjunction with Art. 88 GDPR and section 26 (1) sentence 1 BDSG)

The primary purpose of processing data is to establish, carry out, or terminate employment relationships or to take steps, upon request, prior to entering into a contract. To carry out the contract it is necessary, amongst other things, to add the business contact details of all employees to the HSBC-wide directory (Group Directory). In addition, all employees are added to the Active Directory so that access rights can, as far as possible, be administered centrally. Furthermore, as part of an employee’s function it may be necessary for that person to register independently, using their business email address and a password, with an external or HSBC-internal system. Both HSBC-internal and external systems and websites may use cookies. Cookies are small files that are stored in the user’s browser or VDI.

In the case of cookies, a distinction must be made between necessary and optional cookies. The necessary cookies ensure that the services offered work properly. This includes, for example, security, anti-fraud, authentication and technical cookies. These cookies are absolutely necessary and are therefore used automatically.

In addition, some applications use optional cookies, such as marketing, analysis or personalization cookies. These cookies require acceptance by the employee.

To carry out the contract it is also necessary amongst others that the human resources department maintains electronic personnel files for each employee, conducts salary accounting and calculates rights to pensions.

If you make use of additional benefits (e.g. subsidised childcare places, use of the pme family service, participation in healthcare days, etc.), your data will be processed to the extent necessary for us to provide these additional benefits.

  b) As part of the balancing of interests (Art. 6 (1) f GDPR in conjunction with Art. 88 GDPR and section 26 (1) BDSG)

If necessary, we will process data that goes beyond what is necessary simply for the fulfilment of the contract, in order to safeguard our own legitimate interests or those of a third party (e.g. public authorities). Examples:

  • Personal development planning measures
  • Organisational change measures
  • Contingency planning
  • Assertion of legal claims and defence in the event of legal disputes
  • Assurance of IT security and the Company’s IT operations
  • Prevention and investigation of crimes or serious breaches of duty (cf. also section 26 (1) BDSG)
  • Video surveillance and other measures to guarantee undisturbed possession of our premises
  • Building and site security measures (e.g. access controls)
  • Internal communication and other administrative measures.

  c) On the basis of your consent (Art. 6 (1) a GDPR in conjunction with Art. 88 GDPR and section 26 (2) BDSG)

If you have given us your consent to process personal data for specific purposes (e.g. storing application details for an extended period, photographs on the intranet), the processing of this data is lawful on the basis of your consent. Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent granted to us before the entry into force of the General Data Protection Regulation, i.e. before 25 May 2018. Withdrawal of consent only has future effect and will not affect the lawfulness of the data processed before consent was withdrawn.

  d) On the basis of statutory or other legal provisions (Art. 6 (1) c GDPR in conjunction with Art. 88 GDPR and section 26 BDSG) or in the public interest (Art. 6 (1) e GDPR)

We are also subject to a range of legal obligations, i.e. statutory requirements (for example under German social security law, the German Occupational Safety Act (ASiG), the German Working Hours Act (ArbZG), the German Part-Time and Fixed-Term Employment Act (TzBfG), the German Banking Act (KWG), the German Anti-Money Laundering Act (GwG), the German Securities Trading Act (WpHG), and German tax legislation) and regulatory requirements (imposed by institutions such as the European Central Bank, the European Banking Authority, Deutsche Bundesbank and the German Federal Financial Supervisory Authority). Data is also processed for verifying identity, checking employee reliability, preventing fraud and money laundering, fulfilling monitoring, reporting and documentation obligations under social insurance and tax law, and managing risks within the Company and the HSBC Group.

  e) On the basis of collective agreements (Art. 6 (1) b GDPR in conjunction with Art. 88 GDPR and section 26 (4) BDSG)

We also process your data so far as this is necessary to exercise rights or fulfil obligations arising from a collective agreement or an agreement between management and the Group works council or an individual Company works council (e.g. Company agreement on employee name screening).

  f) Special categories of personal data

If special categories of personal data pursuant to Art. 9 (1) GDPR are processed, the purpose of such processing within the context of the employment relationship is to exercise rights or fulfil legal duties under employment law, social security law and social protection law (e.g. provision of medical data to the health insurance company, documentation of severe disability for additional leave entitlement and for calculation of the levy payable). Such data is processed on the basis of Art. 9 (2) b GDPR in conjunction with section 26 (3) BDSG. The processing of medical data may also be necessary for the assessment of fitness to work pursuant to Art. 9 (2) h GDPR in conjunction with section 22 (1) b BDSG.

The processing of special categories of personal data may also be based on consent pursuant to Art. 9 (2) a GDPR in conjunction with section 26 (2) BDSG (e.g. occupational health management).

  5. Who will receive my data?

Access to your data is provided only to those individuals and departments within the Company that need this data in order to meet our pre-contractual, contractual and legal obligations, e.g. line managers, HR, compliance, the works council, the representative committee for the severely disabled, and the equal opportunities representative.

In addition, the data will be made available to the group company HGMS within the scope of the agreed joint responsibility for HR services (as described in section 3).

We only share your personal data with third parties as far as legally permitted, cf. Art. 6 GDPR.

Accordingly, your personal data may be transmitted to service providers as far as required for the purposes listed under section 4 of this Data Privacy Notice. Our service providers are companies (external as well as HSBC Group-internal) in the areas of payroll, pensions, consultancy (e.g. tax and legal advisors), removal companies and relocation services, data provision and data management, personnel recruitment, company vehicles, corporate health management and further benefits, auditors, insurance companies, training providers, IT service providers, logistics companies, printing and translation service providers and telecommunications service providers. We have agreed extensive contractual rules with all our service providers to protect the data to be processed. Furthermore, our service providers are bound by confidentiality obligations.

In addition, data is transferred to third parties as far as required to fulfil a legal obligation. Subject to this condition, recipients of personal data may include, for example:

  • Other banks and financial service institutions or similar bodies to which we provide personal data in order to perform our contractual relationship with you (e.g. for salary payments)
  • Professional associations
  • Social security providers
  • Health insurance providers
  • Pension funds
  • Tax authorities
  • Organisations to which data must be provided in order to ensure that entitlements under company pension plans are received
  • Organisations to which data must be provided in order to ensure that benefits under the employer-funded capital-formation scheme are paid out
  • Public bodies and institutions (e.g. the European Central Bank, the European Banking Authority, Deutsche Bundesbank, the German Federal Financial Supervisory Authority, registrar entities (e.g. the commercial register), fiscal authorities, and law enforcement authorities) if a legal or official obligation exists
  • Auditors and wage tax auditors.

 
We may provide information to further data recipients provided we have your consent for the disclosure to these bodies.

 

  6. Will data be transferred to a third country or an international organisation?

The recipients mentioned under section 5 are located both inside and outside the European Economic Area (“EEA”). A data transfer to bodies in countries outside the European Union and outside the EEA (“third countries”) only takes place as far as:

  • the European Commission has decided that the respective third country, or a territory or one or more specified sectors within that third country, ensures an adequate level of protection;
  • for countries not covered by such an adequacy decision, we have ensured that appropriate measures within the meaning of the GDPR are in place for the protection of your personal data (e.g. by both parties involved in the data transfer agreeing to the Standard Contractual Clauses issued by the European Commission, and additionally by ensuring that appropriate security measures are in place, such as data encryption and pseudonymisation); or
  • neither of the above applies, but we are nevertheless permitted to transfer the data lawfully, for example where the transfer is necessary for the establishment, exercise or defence of legal claims, where the transfer is prescribed by law (e.g. fiscal reporting obligations), where you have given us your consent, or where the Company’s legitimate interest in the transfer outweighs your interests.

Further details regarding the safeguards, which we have put in place for the transfer of personal data to third countries, as well as a copy of the agreed Standard Contractual Clauses may be requested under: datenschutz@hsbc.de.

 

  7. How long is my data stored?

We process and store your personal data for as long as is required in order to fulfil our contractual and statutory duties. It should be noted that the employment relationship is a continuing-obligation contract that is intended to run for a long period.

If the data is no longer required for the fulfilment of contractual or statutory duties, it is erased unless its continued processing – for a limited time – is necessary for the following purposes:

  • Compliance with statutory retention periods that could arise, for example under the German Working Hours Act (ArbZG), the German Works Constitution Act (BetrVG), the German Transparency of Pay Act (EntgTranspG), the German Social Security Code (SGB IV), the German Commercial Code (HGB), the German Tax Code (AO), the German Anti-Money Laundering Act (GwG), the German Banking Act (KWG), and the German Securities Trading Act (WpHG). The time periods specified in these laws for the retention of records and/or documentation generally range from five to ten years.
  • Preservation of evidence in line with the statutory limitation periods. In accordance with section 195 et seq. of the German Civil Code (BGB), these may last up to 30 years although the standard limitation period is three years.

 
If the data processing is in our legitimate interest or the legitimate interest of a third party, the personal data will be erased as soon as this interest ceases to apply. The exceptions referred to above apply.

The same applies to the processing of data on the basis of consent. As soon as you withdraw your consent with future effect, the personal data will be erased, unless one of the aforementioned exceptions applies.

  8. What data protection rights do I have?

Each data subject has the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR, and the right to data portability under Article 20 GDPR. The right of access and the right to erasure are subject to limitations under sections 34 and 35 BDSG.

Data subjects may consult the Company’s data protection officer for any matters in relation to the processing of their personal data and the exercise of their rights in this regard (Article 38 (4) GDPR).

There is also a right to lodge a complaint with a supervisory authority (Article 77 GDPR in conjunction with section 19 BDSG).

You can withdraw any consent given to us for the processing of personal data at any time. This also applies to the withdrawal of declarations of consent granted to us before the entry into force of the General Data Protection Regulation, i.e. before 25 May 2018. Please note that this withdrawal of consent is not retroactive. Data processing that took place before consent was withdrawn is not affected.

  9. Do I have a duty to provide data?

Within the scope of the employment relationship, you must provide any personal data that is necessary for the commencement, performance, and termination of the employment relationship and the fulfilment of the associated contractual duties, and any information that we are obliged to collect by law or on the basis of a collective agreement. Without this data, we will generally be unable to conclude a contract with you or to continue performing the contract.

In some situations, you may suffer a disadvantage if you do not provide certain personal data, e.g. lack of equipment to make work easier for severely disabled people, or additional nursing care insurance contributions for childless employees.

If you do not provide us with the necessary information and documents, it may be difficult for us to commence or continue the employment relationship.

 

  10. To what extent is automated decision-making used? Is profiling used?

We do not use fully automated decision-making processes within the meaning of Article 22 GDPR. Nor do we use profiling.

 
Information regarding your right to object pursuant to Article 21 of the General Data Protection Regulation (GDPR)

The following information is prescribed by law. As you can see from our Data Privacy Notice, we do not undertake some of the types of processing referred to here. Some of the following provisions may therefore not be relevant to our relationship with you.

 

  1. Right to object on a case-by-case basis

 

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based on Article 6 (1) e GDPR (data processing in the public interest) or Article 6 (1) f GDPR (data processing on the basis of a balancing of interests); this also applies to any profiling based on this provision within the meaning of Article 4 no. 4 GDPR.

 

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

 

  2. Objection to the processing of data for direct marketing

 

In individual cases, we use your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling, to the extent that it is related to such direct marketing.

 

If you object to processing for direct marketing purposes, we will no longer process your personal data for this purpose.

 

The objection is not subject to any particular requirements of form and should, if possible, be addressed to:

 

HSBC Continental Europe S.A., Germany

Data Protection Officer

Hansaallee 3

40549 Düsseldorf, Germany

Tel: +49 (0)211 910 2006

Fax: +49 (0)211 9109 2125

Email address: datenschutz@hsbc.de

 

As regards services provided not by HSBC Continental Europe S.A., Germany itself but by the group company HSBC Group Management Services Ltd., the objection may alternatively be addressed to the following address:

 

HSBC Global Services (UK) Limited

ROI Fulfilment Team

Banking Operations

2, Grosvenor House, 1 Wellington Street, Sheffield, S1 4NB

Email address (HSBC internal): gdpr.rightsuk@hsbc.com

German version

The data privacy notice and the information on the right to object are available in German here.