Privacy statement for ING Hubs PH applicants

At ING Hubs PH, we understand that your personal data is important to you. This privacy statement explains in a simple and transparent way what personal data we collect, record, store, use and process and how. Our approach can be summarised as: the right people use the right data for the right purpose.

This privacy statement applies to

• all job applicants (‘you’).

This privacy statement does not apply to

• independent contractors or anyone else hired to work at ING Hubs PH on anything other than on the basis of an employment contract. Please refer to the 'Privacy statement for ING Hubs PH supplier personnel'.
• all past and present employees, including trainees, of ING Hubs PH in relation to data processed by ING Hubs PH in connection with their employment or training agreement.

We obtain your personal data in the following ways:

• You share it with us when you apply for a job or visit our websites.
• From the person who recommended your job application.
• From other available sources such as professional registers; online or traditional media; publicly available sources (such as Thompson Reuters, World Check, NFIS, or judicial platforms); other ING companies; or third parties such as public authorities or other entities that you provide specific authorization to release your personal data to ING Hubs PH or its legally authorized representatives or agents (e.g. previous employers or personal/professional references), including as part of employee screening.
• You share it with us when you log in as a visitor within our office premises. Kindly note that visitor logbook entries may also be visible to other visitors when they log in.
• We check your identification cards when you are asked to present identification upon arrival at our offices, and in case we need to get in touch with your emergency contact(s).
• We collect audio-visual data, where applicable and legally allowed, for closedcircuit television surveillance videos (‘CCTV’) of ING Hubs PH offices and car parks.
• The administration of the building within which our offices are located may share your personal data with us, as necessary.

Personal data refers to any information that identifies you or can be linked to a natural person. Personal data we process about you includes:

• Identification data, such as your first name, middle name, surname, date and place of birth, ID number, passport number, other data in your ID document, driver’s license, passport or other document confirming your identity, social security number, home address or place of residence, phone number and email address.
• Personal information, such as nationality; gender; work permits; photographs; professional experience (profile, previous employers, termination of last employments and work carried out, special projects, outside positions); education, professional qualifications and continuous training (diplomas, certificates, internships); emergency contacts.
• Financial data, such as salary information, payslips, and credit worthiness.
• Socio-demographic data, such as whether you have a spouse, partner, and/or children.
• Dependent(s)’ data, such as identification data and contact information of your spouse/partner, parent(s), child(ren), or other dependents. In certain cases, this may also include financial data of dependents.
• Emergency contact person data, such as identification data and contact information of your emergency contact person(s).
• Interests and needs, for example hobbies and memberships you share with us.
• Audio-visual data, where applicable and legally allowed, we process CCTV surveillance videos of ING Hubs PH offices and car parks.
• Online behaviour and preference data, IP address of your mobile device or computer you use and pages you visit on ING websites and apps.

Sensitive data

Sensitive data as defined under the DPA is personal information relating to your (1) race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; (2) health, education, genetic (not applicable in this case), or sexual life (not applicable in this case), or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (4) specifically established by an executive order or an act of Congress to be kept classified.

We may process your sensitive data if

• you have given your consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
• it is legally required and allowed to do so under existing laws and regulations3. For example, we may be obliged to keep a copy of your passport or identity card when you become an ING Hubs PH employee.
• necessary to protect your (or another person’s) life and health, and you are not legally or physically able to express consent prior to the processing;
• necessary to achieve the lawful and non-commercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
• necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured;
• necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

For example, we process sensitive data related to:

• Employee due diligence obligations. We may run a background check when you apply for a job at ING Hubs PH . This could include checking your conduct, your credit worthiness, or your involvement in judicial proceedings, according to public sources or such other entities that you provide specific authorization to release your personal data to ING Hubs PH (e.g. previous employers or personal/professional references), including as part of employee screening.
• COVID-19 and health screening protocols. We may run a temperature check when you enter ING Hubs PH office premises in the course of your application and ask you to confirm whether you have been exposed to a person who has tested positive for COVID-19. This is for purposes of securing ING Hubs PH premises and protecting ING Hubs PH employees’ health and safety.
• Information on your identification card presented upon signing in as a visitor within ING Hubs PH offices, such as government-issued numbers. While these will generally not be recorded upon signing in, these will be visible to the inspecting ING Hubs PH personnel or representatives.

Processing refers to every activity that can be carried out in connection with personal data, such as collecting, recording, storing, retrieving, consulting, consolidating, adjusting, organising, using, disclosing, transferring or deleting blocking, erasing, or destroying it in accordance with applicable laws. Processing may be performed through automated means, or manual processing, if the personal data is contained or is intended to be contained in a filing system8.

We only use your personal data for the following business purposes:

Human resources and personnel management

As your potential employer, we process information about you that is necessary to fulfil our contractual obligations, or to take necessary steps at your request before entering into a contract. We also process information about you when we have a legal obligation to do so, or it is in our legitimate interest, such as for administrative purposes, and to manage our relationship with you. Activities falling under this purpose include recruitment, background checks, and applicant screening.

Access and security management

We process your personal data to provide you access to our offices when necessary. As part of ensuring that our offices remain secure, our security management team may process your personal data.

Compliance with legal obligations

We have a legal obligation to process certain personal data to comply with the laws, regulations and sector-specific guidelines that ING Hubs PH is subject to. We may process your data to comply with a range of legal obligations and statutory requirements such as sanctions screening, fraud prevention, anti-money laundering and terrorist financing.

Protecting your vital interests

It may be necessary to process personal information to protect your vital interests, for example in a medical emergency when you visit our offices in the course of your application.

When processing personal data that is not compatible with one of the purposes above,
we ask for your explicit consent, which you may withhold or withdraw at any time.

Limitations on processing data of your dependent(s) and/or emergency contact(s)

ING Hubs PH may process the personal data of a dependent (including dependent(s)’ financial data) and/or emergency contact(s) if

• you (and your dependent(s) and emergency contact(s)) have provided the data with consent, and
• it is reasonable and necessary for fulfilling the purpose of conducting applicant background checks and screening for employment purposes, and
• it is legally required or permitted under local law.

By providing the personal data of your dependent(s) and emergency contact(s), you guarantee that you are specifically authorized by such dependent(s) to provide such information to us.

Retention of your personal data

We are legally required to retain your personal data for a specified period of time. This retention period may vary from a few days to years, depending on the applicable local law. When we no longer need your personal data for the process or activity we originally collected it for, we delete it, or aggregate it (bundle data at a certain abstraction level), render it anonymous and dispose of it in accordance with the applicable laws and regulations.

We may retain Personal Data of applicants in our records as part of our potential talent pool for up to six (6) months from the time it is determined that the applicant will not enter into an employment contract with us.

Unless retention for a longer period is required for legal or reasonable cause, your (and your dependent(s)’ and, when used, your emergency contact(s)’) personal data will be deleted, erased, or destroyed upon the lapse of retention period, in accordance with applicable laws, regulations, and applicable internal policies such as, but not limited to, the ING Hubs PH Record Retention Policy. To find out more about the ING Hubs PH Retention Schedule and Record Retention Policy, you may contact us at the contact details provided in section 9.

We share certain data internally (with other ING businesses/departments) and externally (with third parties outside of ING), if necessary to achieve the purpose(s) in Section 3.

Whenever we share personal data in countries outside of the European Economic Area (‘EEA’) -- whether internally or with third parties – we ensure there are safeguards in place to protect it. For this purpose, we rely on (among others):

• Binding corporate rules as defined in EC Regulation (EU) 2016/679. These are known as the ING Global Data Protection Policy (‘GDPP’) and have been approved by the data protection authorities in all EU member states.
• Applicable local laws and regulations, including the Data Privacy Act of 2012.
• EU Model clauses, when applicable. We use standard contractual clauses in agreements with service providers to ensure personal data transferred outside of the EEA complies with EU General Data Protection Regulations (‘GDPR’).
• Adequacy decisions by the European Commission, which establish whether a country outside of the EEA ensures personal data is adequately protected.

ING entities

We transfer data across ING businesses and branches for various purposes (see section ‘What we do with your personal data’). We may also transfer data to centralised storage systems or for processing centrally within ING for efficiency purposes. For all internal data transfers, we rely on our GDPP and on the applicable local laws and regulations.

Authorised ING Hubs PH employees

Certain employees are authorised to process your personal data for legitimate purposes (see section 3 ‘What we do with your personal data’). They are only authorised to do so to the extent that is needed for that purpose and to perform their job. All employees are subject to confidentiality obligations, also according to local requirements.

Government, supervisory and judicial authorities

To comply with our regulatory obligations, we may disclose data to the relevant government, supervisory or judicial authorities. In some cases, we are obliged by law to share your data with external parties, including:

• Public authorities, regulators and supervisory bodies such as the central banks and other financial sector supervisors in the countries where we operate.
• Tax authorities may require us to report your assets (e.g. your salary). We may process your social security number or tax identification number for this.
• Judicial/ quasi-judicial/administrative/investigative or other authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legal request.

Examples of when we may disclose your personal information:

• It is required or permitted by an applicable law or regulation. We endeavor to not disclose more personal information than is specifically required. For example, in case of theft at premises, the police may ask us data about all visitors on a particular day.
• It is requested for a valid legal process such as a search warrant, subpoena or court order.

Service providers and other third parties

When it is required for a particular task, we may share your personal data with external service providers or other third parties who carry out certain activities for ING Hubs PH9 in the normal course of our business.

Service providers support us with activities like:

• performing certain services and operations such as background checks for applicants or applicant screening as required under internal policies;
• designing, developing and maintaining internet-based tools and applications;
• IT services such as applications or infrastructure (e.g. cloud services);
• preparing reports and statistics, printing materials and product design;
• recruitment; and
• securing access to ING Hubs PH offices and assets, and logging of employees, guests, and visitors in its offices.

Researchers

We are always looking for new insights to help you get ahead in life and in business. For this, we may exchange personal data (when it is legally allowed) with partners like universities and other independent research institutions, who use it in their research and innovation. This personal data is shared at an aggregated level and, as far as possible, the results of the research are anonymous (this cannot be guaranteed e.g. when benchmarking job positions).

In all of these cases, we ensure the third parties can only access personal data that is necessary for their specific tasks.

You have certain privacy rights when it comes to processing of your personal data. These rights may vary from jurisdiction to jurisdiction, depending on the applicable laws. If you have questions about which rights apply to you, please contact us via the contact details in section 9.

We respect the following rights:

Right to be informed

You have to be informed through this Privacy Statement as to when and how your personal data is being processed.

Right to access information

You have the right to ask us for an overview of your personal data that we process and/or a copy of this data.

Right to rectification

If your personal data is incorrect, you have the right to ask us to rectify it. If we have shared data about you with a third party, we will also notify that party of any corrections made.

Right to object to processing

You can object to us using your personal data for our own legitimate interest – if you have a justifiable reason. We will consider your objection and assess whether there is any undue impact on you that would require us to stop processing your personal data.

You may not object to us processing your personal data if

• we are legally required to do so, or
• it is necessary for fulfilling a contract with you.

Rights regarding the use of automated decisions

When it is legally permissible, we sometimes use systems to make automated decisions based on your personal information that are necessary for fulfilling a contract with you. If automated decisions are used, we will inform you about this and the purpose for and the extent of such processing. You have the right to object to such automated decisions and ask for an actual person to make the decision instead.

Right to restrict processing

You have the right to ask us to restrict using your personal data if

• you believe the information is inaccurate;
• we are processing the data unlawfully;
• ING Hubs PH no longer needs the data, but you want us to keep it for use in a legal claim; or
• you have objected to us processing your data for our own legitimate interests.

Right to data portability

You have the right to ask us to transfer your personal data directly to you or to another company. This applies to personal data we process by automated means and with your consent or on the basis of a contract with you. Where technically feasible, and based on applicable local law, we will transfer your personal data.

Right to erasure

We are legally obliged to keep certain personal data for a specified period of time. You may ask us to erase your online personal data and the right to be forgotten is applicable if:

• we no longer need your personal data for its original purpose;
• you withdraw your consent for processing it;
• you object to us processing your personal data for our own legitimate interests and we find your claim to be legitimate;
• we unlawfully process your personal data; or
• a local law requires ING Hubs PH to erase your personal data.

Right to complain

Should you not be satisfied with the way we have responded to your concerns, you have the right to submit a complaint to us. If you are unhappy with our reaction to your complaint, you can escalate it to the ING Hubs PH Data Protection Officer (‘DPO’). You can also lodge your complaint with the National Privacy Commission.

Exercising your rights

If you want to exercise your rights or submit a complaint, please contact us via the contact details under section 9.

We aim to address your request within one (1) month of ING Hubs PH receiving the request.

Should we require more time to complete your request, we will let you know how much longer we need and provide reasons for the delay. If, upon exhausting all internal remedies available within ING Hubs PH, your concerns are still not addressed, you may escalate it to the local data protection authority (National Privacy Commission (‘NPC’))9.

The contact information of local Data Protection Executive Office, our local DPO, the Bank DPO Office, and the NPC are found in section 9.

We take appropriate physical, technical and organisational measures (policies and procedures, IT security etc.) to ensure the confidentiality and integrity of your personal data and the way it is processed. We apply an internal framework of policies and minimum standards across all our business to keep your personal data safe. These policies and standards are periodically updated to remain current with regulations and market developments.

In addition, ING Hubs PH employees are subject to confidentiality obligations and may not disclose your personal data unlawfully or unnecessarily. To help us continue to protect your personal data, you should always contact ING Hubs PH if you suspect your personal data may have been compromised.

To find out more about ING Hubs PH’s data privacy policy(ies) and how we use your personal data you can find contact information below.