3. Why do we process your data (purpose of data processing) and what is the legal basis for this?
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Data Protection Act (BDSG):
a. For the fulfilment of contractual duties (Art. 6 (1) b GDPR in conjunction with Art. 88 GDPR and section 26 (1) sentence 1 BDSG)
The primary purpose of processing data is to establish, carry out, or terminate employment relationships or to take steps, upon request, prior to entering into a contract. If you make use of additional benefits (e.g. subsidised childcare places, use of the pme family service, participation in healthcare days, etc.), your data will be processed to the extent necessary for us to provide these additional benefits.
b. As part of the balancing of interests (Art. 6 (1) f GDPR in conjunction with Art. 88 GDPR and section 26 (1) BDSG)
If necessary, we will process data that goes beyond what is necessary simply for the fulfilment of the contract, in order to safeguard our own legitimate interests or those of a third party (e.g. public authorities). Examples:
- Personal development planning measures
- Organisational change measures
- Contingency planning
- Assertion of legal claims and defence in the event of legal disputes
- Assurance of IT security and the Bank's IT operations
- Prevention and investigation of crimes or serious breaches of duty (cf. also section 26 (1) BDSG)
- Video surveillance and other measures to guarantee undisturbed possession of our premises
- Building and site security measures (e.g. access controls)
- Internal communication and other administrative measures
c. On the basis of your consent (Art. 6 (1) a GDPR in conjunction with Art. 88 GDPR and section 26 (2) BDSG)
If you have given us your consent to process personal data for specific purposes (e.g. storing application details for an extended period, photographs on the intranet), the processing of this data is lawful on the basis of your consent. Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent granted to us before the entry into force of the General Data Protection Regulation, i.e. before 25 May 2018. Withdrawal of consent only has future effect and will not affect the lawfulness of the data processed before consent was withdrawn.
d. On the basis of statutory or other legal provisions (Art. 6 (1) c GDPR and Art. 88 GDPR and section 26 BDSG) or in the public interest (Art. 6 (1) e GDPR)
As a bank, we are also subject to a range of legal obligations, i.e. statutory requirements (under German social security law, the German Health and Safety at Work Act (ASiG), the German Working Hours Act (ArbZG), the German Part-Time and Fixed Term Employment Act (TzBfG), the German Banking Act (KWG), the German Anti-Money Laundering Act (GwG), the German Securities Trading Act (WpHG), and German tax legislation, for example) and regulatory requirements (imposed by institutions such as the European Central Bank, the European Banking Authority, Deutsche Bundesbank and the German Federal Financial Supervisory Authority). Data is also processed for verifying identity, checking employee reliability, preventing fraud and money laundering, fulfilling monitoring, reporting and documentation obligations under social insurance and tax law, and managing risks within the Bank and the HSBC Group.
e. On the basis of collective agreements (Art. 6 (1) b GDPR in conjunction with Art. 88 GDPR and section 26 (4) BDSG)
We also process your data so far as this is necessary to exercise rights or fulfil obligations arising from a collective agreement or an agreement between management and the Group works council or an individual company works council (e.g. company agreement on employee name screening).
f. Special categories of personal data
If special categories of personal data pursuant to Art. 9 (1) GDPR are processed, the purpose of such processing within the context of the employment relationship is to exercise rights or fulfil legal duties under employment law, social security law, and social protection (e.g. provision of medical data to the health insurance company, documentation of severe disability for extra vacation and for calculation of the levy payable by employers failing to employ a sufficient proportion of disabled workers as required by law). Such data is processed on the basis of Art. 9 (2) b GDPR in conjunction with section 26 (3) BDSG. The processing of medical data may also be necessary for the assessment of fitness to work pursuant to Art. 9 (2) h in conjunction with section 22 (1) b BDSG.
The processing of special categories of personal data may also be based on consent pursuant to Art. 9 (2) a GDPR in conjunction with section 26 (2) BDSG (e.g. occupational health management).