1. Data protection under the EU General Data Protection Regulation (EU GDPR)
UBS takes your privacy seriously. This privacy notice contains information on what personal data UBS and its group companies (“UBS”, “we”, “our”, or “us”) collect(s), what they do with that information, and what rights you have. If you have any questions or comments about this notice, please contact the Group DPO Office using the following e-mail address email@example.com. To run our business, UBS collects and uses information about living individuals (also known as “personal data”), including information about the employees and contractors of our suppliers.
As part of our commitment to protect your personal data in a transparent manner, we want to inform you:
- why and how UBS collects, uses and stores your personal data;
- the lawful basis on which your personal data is processed; and
- what your rights and our obligations are in relation to such processing.
2. What does this Privacy Notice cover?
3. What type of personal data do we collect?
For the employees and contractors of our suppliers, we collect basic identification information, such as your name, title, position, professional history, experience, language skills and contact details. Such information will be collected if provided to us by your employer, for instance on a CV you have prepared, even if you do not ultimately work on an assignment for UBS.
In addition, for employees and contractors working on UBS premises, we will usually collect the following:
- Detailed identification information (e.g. address, office location, business telephone number, date and place of birth, picture, emergency contact details, ID card, passport details and other national ID numbers as required);
- Detailed professional information (e.g. academic, professional and industry qualifications and certifications (including dates), previous employer contact details, directorship information, contact details of references, previous employment dates, rank or seniority, line manager contact information, working arrangements (such as full or part time), assignment allocation and absence information);
- Electronic identification data (e.g. login information, access right, badge number, IP address, online identifiers/cookies, logs and connection time, sound or image recording such as CCTV or voice recordings);
- Personal and physical characteristics (e.g. gender, date of birth and immigration status, including visa and/or permit numbers); and
- Information submitted in support of an application to work for UBS on behalf of your employer (e.g. recordings of any video interviews in which you participate, and anything you choose to submit in support of your or your employer’s application).
In some cases, the personal data that we process will also include special categories of data, such as diversity-related information (including data about racial and ethnic origin, religious beliefs and other beliefs of a similar nature), health-related information (for instance to allow UBS to make appropriate adjustments to your working environment as a result of a disability) and data about alleged or proven criminal offences, in each case where permitted by law.
In some cases, the personal data we collect from you is needed to meet our legal or regulatory obligations, to perform our obligations under UBS’s contract with your employer (UBS’s supplier), or to enter into that contract. If so, we will indicate to you that the provision of this information is mandatory, and the consequences if we cannot collect this information.
In some cases, UBS will also collect personal data indirectly from background check providers such as HireRight and other administration services providers (for instance Hays, who provide non-permanent workforce resources), or from publicly available sources such as LinkedIn profiles.
4. On which legal basis and for which purposes do we process personal data?
4.1 Legal basis for the processing
We are not allowed to process personal data if we do not have a valid legal ground. Therefore, we will only process your personal data if:
- the processing is necessary to comply with our legal or regulatory obligations, such as tax reporting or reference requirements;
- the processing is necessary to protect the vital interests of the relevant individual or of another natural person, such as providing disability access to places of work where applicable;
- the processing is necessary for the legitimate interests of UBS, and does not unduly affect your interests or fundamental rights and freedoms (see below);
- where relevant, the processing is permitted on the basis of a works council agreement;
- the processing is necessary for the performance of a task carried out in the public interest; or
- in some cases, where we have obtained prior consent.
Examples of the ‘legitimate interests’ referred to above are:
- to benefit from cost-effective services (e.g. we may opt to use certain IT platforms offered by suppliers);
- to prevent fraud or criminal activity, misuses of our products or services as well as to safeguard the security of our IT systems, architecture and networks, and the security of our premises, including by conducting background checks;
- to exercise our rights under Articles 16 and 17 of the Charter of Fundamental Rights, including our freedom to conduct a business and right to property;
- to provide for a centralised, global approach to the provision of IT services to our employees, suppliers and contractors, and enable employees, suppliers and contractors to interact with one another. This normally involves the hosting of your contact and e-mail information to allow UBS’s global IT network to be established and populated with relevant details; and
- to meet our corporate and social responsibility objectives.
To the extent that we process any special categories of data relating to you, we will do so because:
- the processing is necessary for the establishment, exercise or defence of a legal claim;
- the processing is necessary for reasons of substantial public interest; or
- you have given your explicit consent to us to process that information (where legally permissible).
4.2 Purposes of processing
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process personal data of our suppliers’ employees and contractors to:
- determine the suitability of prospective suppliers’ employees’ and contractors’ qualifications, checking for any existing or potential conflicts of interest or any other restrictions which may otherwise restrict or prevent a prospective engagement on a matter with UBS;
- administer, plan and manage our personnel, suppliers and contractors (including task management and internal workforce analysis and planning);
- assist us in managing external providers such as your employer (see below for further information about when we work with third parties);
- implement tasks and plan activities in preparation of or under existing contracts;
- train our staff, suppliers and contractors;
- carry out supplier performance reviews, satisfaction surveys and other contractor surveys;
- monitor our suppliers’ employees’ and contractors’ activities in the workplace, including compliance with banking regulations and internal policies as well as health and safety rules in place;
- manage our IT resources, including infrastructure management and business continuity;
- where relevant, manage and make available personal data within the UBS Group;
- receive and handle internal complaints or reports made to a compliance hotline;
- reply to an official request from a public or judicial authority with the necessary authorisation;
- comply with any legal obligations imposed on UBS in relation to its employees and contractors; and
- enable a transfer to a potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger of part or all of UBS’s business or assets, or any associated rights or interests, or to acquire a business or enter into a merger with it.
5. How do we protect personal data?
All personnel accessing personal data must comply with the internal rules and processes in relation to the processing of personal data to protect them and ensure their confidentiality. They are also required to follow all technical and organisational security measures put in place to protect the personal data.
We have also implemented adequate technical and organisational measures to protect personal data against unauthorised, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other unlawful forms of processing. These security measures have been implemented taking into account the state of the art of the technology, their cost of implementation, the risks presented by the processing and the nature of the personal data, with particular care for sensitive data.
6. Who has access to personal data and with whom are they shared?
6.1 Within the UBS Group
We make available personal data of our suppliers’ employees and contractors to other companies of the group to which we belong (the “UBS Group”), to complete the purposes indicated in section 4.2 above. Such other companies of the UBS Group will either act as another controller under this notice or will only process personal data on behalf and upon request of the controller.
6.2 Outside the UBS Group
We usually also transfer personal data to third parties outside the UBS Group to complete the purposes listed in section 4.2 above including:
- third party service providers, such as our IT systems providers, our hosting providers, cloud service providers, database providers, consultants (including lawyers, tax accountants and labour consultants) and third parties who carry out pre-employment or pre-engagement checks on prospective suppliers’ employees and contractors, and other goods and services providers (such as food service providers) – each of these service providers has signed contracts to protect your personal information;
- a potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger of part or all of UBS’s business or assets, or any associated rights or interests, or to acquire a business or enter into a merger with it;
- any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request;
- other banks and credit institutions and clients (as part of you working on tasks related to or involving those banks, credit institutions and clients);
- public or private social security / welfare bodies, trade unions (when the employee is a member) and trade unions internal representatives (including for the purposes of compliance with national collective bargaining agreements), and trade associations;
- any central or local government department and other statutory or public bodies; and
- any legitimate recipient of communications required by laws or regulations.
6.3 Transfers outside the European Economic Area
The personal data transferred within or outside the UBS Group as set out in sections 6.1 and 6.2, is in some cases also processed in a country outside the European Economic Area ("EEA"), which covers the EU member states, Iceland, Liechtenstein and Norway. Non-EEA countries may not offer the same level of personal data protection as EEA countries.
If your personal data is transferred outside the EEA, we will put in place suitable safeguards to ensure that such transfer is carried out in compliance with applicable data protection rules. To ensure this level of protection for your personal information, UBS may use a data transfer agreement with the third party recipient based on standard contractual clauses approved by the European Commission or ensure that the transfer is to a jurisdiction that is the subject of an adequacy decision by the European Commission or to the US under the EU-US Privacy Shield framework.
You may request additional information in this respect and obtain a copy of the relevant safeguard by exercising your rights as set out below. Where UBS transfers personal data to other group companies, we rely on the standard contractual clauses.
A list of the countries in which UBS operates (inside and outside the EEA) can be found at https://www.ubs.com/locations.html.
7. How long do we store your data?
We will only retain personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements. In general, although there may be limited exceptions, data relating to our suppliers’ employees and contractors is kept for 10 years after termination of your engagement with UBS through your employer.
However, if individuals wish to have their personal data removed from our databases, they can make a request as described in section 8 below, which we will review as set out therein.
8. What are your rights and how can you exercise them?
8.1 Your rights
You may have a right to access and to obtain a copy of your personal data as processed by UBS. If you believe that any information we hold about you is incorrect or incomplete, you may also request the correction of your personal data.
You may also have the right to:
- object to the processing of your personal data;
- request the erasure of your personal data;
- request restrictions on the processing of your personal data; and/or
- withdraw your consent where UBS obtained your consent to process personal data (without this withdrawal affecting the lawfulness of any processing that took place prior to the withdrawal).
UBS will honour such requests, withdrawal or objection as required under applicable data protection rules but these rights are not absolute: they do not always apply and exemptions may be engaged. We will usually, in response to a request, ask you to verify your identity and/or provide information that helps us to understand your request better. If we do not comply with your request, we will explain why.
8.2 Exercising your rights
To exercise the above rights, please send an email to firstname.lastname@example.org.
If you are not satisfied with how UBS processes your personal data, please let us know and we will investigate your concern. Please raise any concerns via contacting the HR Data Protection Contact using the following e-mail address email@example.com. Alternatively you can contact the Office of the Group DPO by emailing firstname.lastname@example.org.
If you are not satisfied with UBS’s response, you have the right to make a complaint to the data protection authority in the jurisdiction where you live or work, or in the place where you think an issue in relation to your data has arisen. The contact details of each Data Protection Authority can be found at the following website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
In the interests of keeping personal data properly up to date and accurate, we will ask you periodically to review and confirm the personal data we hold about you and/or to inform us of any change in relation to your personal data (such as a change of address).
9. Updates to this notice
This notice was last updated in May 2018. It may be subject to amendments. Any future changes or additions to the processing of personal data as described in this notice affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.