EMEA Employee Data Privacy Policy

Transcription

1 EMEA Emplyee Data Privacy Plicy Last Review Date: 04 December 2014 TABLE OF CONTENTS 1. General Summary r Ratinale Scpe Changes frm Previus Versin Plicy Statements Definitins The JPMC Privacy Functin J.P. Mrgan s bligatins t yu The Data Prtectin Principles Cllectin f Persnal Infrmatin Purpse Adequacy Accuracy and retentin Disclsures Safeguarding Persnal Infrmatin Yur rights Yur Obligatins T JPMC Firm References Dcument Infrmatin

2 1. General 1.1. Summary r Ratinale This Plicy prvides an verview f the practices f JPMrgan Chase & C., its affiliates, and its direct and indirect subsidiaries (tgether the firm r JPMC) with respect t the cllectin, use, and disclsure f data f Persnal Infrmatin. The Handbk applies t the Prcessing f Persnal Infrmatin by JPMC f its emplyees, cntingent wrkers (including cntractrs), jb applicants r ther wrkplace persnnel in any f the EMEA jurisdictins 1 (referred t in this Handbk as Staff ), as well as t Persnal Infrmatin abut a cnnected third party f a member f Staff, fr example details f any dependents, beneficiaries r ther individuals whse Persnal Infrmatin has been prvided t the firm fr any purpse, including fr any firm benefits plan. The Plicy will infrm Staff abut: the purpses fr which it cllects and uses their Persnal Infrmatin; the types f third parties with which it shares their Persnal Infrmatin; any chices and means the firm ffers Staff fr limiting the use and disclsure f their Persnal Infrmatin; and hw t cntact the firm where they have issues r cncerns abut their Persnal Infrmatin. The Plicy shuld be read in cnjunctin with certain ther f JPMC s Plicies, in particular dcuments cncerned with the glbal prcessing f EMEA Persnal Infrmatin. All entities in JPMC glbally are bund t prcess EMEA Persnal Infrmatin in line with the JPMC Binding Crprate Rules in the frm f the Glbal Privacy Standards Fr Prcessing EMEA Persnal Data (Glbal Standards). This plicy is binding n all staff. JPMC staff are either explicitly r implicitly bliged t cmply with it by virtue f their emplyment cntracts and the Cde f Cnduct. All Staff are required t: understand and cmply with the spirit as well as the letter f data privacy legislatin; understand and cmply with the requirements utlined in this Handbk as well as the JPMC Glbal Standards, assciated internal Plicies / Prcedures and Standards; and ther Plicies / Prcedures specific t the relevant line f business (as apprpriate and as amended frm time t time); and refer any cncerns r queries regarding data privacy t the EMEA Data Privacy team. Results f nn cmpliance: All Staff are required t adhere t this Plicy. Failure t d s is breach f JPMC plicy, fr which disciplinary actin may be taken, ptentially up t and including terminatin f cntract f emplyment r engagement (as applicable). 1 The jurisdictins included in the EMEA regin are thse where JPMC r its Affiliates maintain an perating presence: This currently includes Austria, Bahrain, Belgium, Denmark, Egypt, Finland, France, Germany, Greece, Guernsey, Ireland, Israel, Italy, Jersey, Luxemburg, Netherlands, Nigeria, Nrway, Pland, Qatar, Russia, Saudi Arabia, Suth Africa, Spain, Sweden, Switzerland, Turkey, the United Arab Emirates, the United Kingdm and Uzbekistan. This list may change ver time. 2

3 1.2. Scpe Lines f Business All Sub-Lines f Business All Functin(s) All Lcatins EMEA Legal Entities All 1.3. Changes frm Previus Versin Adapted t the new Plicy Template, Handbk turned int Plicy. Substantive changes made fr imprved clarity, including: Restructured t clarify the firms bligatins (Sectin 2) and the bligatins f Staff (Sectin 3); Sectin 2 enhanced with mre detailed descriptins f the types f persnal infrmatin cllected and the purpses fr which it is cllected; The rights f Staff have been clarified in sectin 2.8; Sme detailed examples, such as keeping file ntes r maintaining cntingency planning lists, have been remved Plicy Statements All Staff must be aware f the fllwing Data Prtectin Principles. Detailed infrmatin is prvided in the sectins belw. Mre specifically: Prcessing see sectin 2.2 Purpse see sectin 2.3 Adequacy see sectin 2.4 Accuracy and Retentin see sectin 2.5 Trans-brder data flws see sectin 2. 6 Security see sectin 2.7 Data Subject Rights see sectin 2.8 3

4 1.5. Definitins In this Plicy, the fllwing terms shall have the fllwing meanings: Persnal Infrmatin means any infrmatin abut an identified r identifiable natural persn regardless f whether it is held in paper, electrnic r any ther frmat, including: Identificatin Data, e.g. name, persnal address, persnal telephne number, persnal address, date f birth, natinal insurance number, phtgraph, marital/dependent status and emergency cntact infrmatin; Infrmatin Cncerning Emplyment, e.g. salary, wrk and cmpensatin histry, planned salary, earnings, career develpment, paid time ff, salary grade, perfrmance infrmatin (including perfrmance appraisal, internal cmmunicatins regarding perfrmance and attendance recrds), decisins t ffer emplyment, CVs, résumés, applicatins, emplyment references and backgrund verificatin infrmatin; Financial Infrmatin, e.g. bank accunt numbers, tax-related infrmatin, and salary related infrmatin; Sensitive Persnal Infrmatin, e.g. infrmatin which may reveal race r ethnic rigin (E.g. fr equal pprtunities mnitring purpses), religius r philsphical beliefs, r trade unin membership, r that cncerns health; and Other infrmatin necessary fr the JPMC business purpses which may be disclsed by individuals t the firm r cme int the firm s pssessin during an emplyment relatinship with the firm. Infrmatin pertaining t a current, past r prspective emplyee f the firm prcessed in the cntext f an emplyment relatinship r ptential emplyment relatinship with the firm. Such infrmatin may include details f any dependents, beneficiaries r ther individuals whse Persnal Infrmatin has been prvided t the firm fr any purpse, including fr any firm benefits plan. Prcess r Prcessing means any peratin r set f peratins that are perfrmed upn Persnal Infrmatin, whether dne by autmatic means r therwise. It includes cllecting, recrding, string, rganizing, adapting, altering, retrieving, cnsulting, using, disclsing r making available, destrying and/r deleting Persnal Infrmatin The JPMC Privacy Functin JPMC has a Privacy & Data Prtectin Oversight Cmmittee. The Cmmittee is chaired by the Glbal Chief Privacy Officer and is cmpsed f senir executives frm all lines f business and frm the fllwing Crprate grups: Infrmatin Technlgy Risk Management, Executive Office, Human Resurces, Cmmunicatins, Audit, and Office f General Cunsel. The Chief Privacy Officer versees the Privacy functin and prvides guidance t the lines f business and crprate grups, and prmtes awareness f and cmpliance with privacy and data prtectin bligatins acrss JPMC. The EMEA Privacy Officer is part f the glbal team f the Glbal Chief Privacy Officer and sits in the Cmpliance department in the UK. 4

5 2. J.P. Mrgan s bligatins t yu 2.1. The Data Prtectin Principles The Data Prtectin Principles represent the key rules with which cmpliance is required and are the fundatin fr the design f ur Plicies and Prcedures. A brief descriptin f each Principle is set ut belw. Prcessing Persnal Infrmatin will be cllected, used and prcessed by the firm fairly and lawfully. Individuals must nt be misled as t the purpse fr which their Persnal Infrmatin is t be prcessed. Purpse Persnal Infrmatin will nly be prcessed fr the purpses utlined prir t, r at the time f cllectin; r fllwing a revised ntice fr additinal purpses added pst cllectin. Adequacy Persnal Infrmatin shall be adequate, relevant and nt excessive in relatin t the purpse r purpses fr which it is cllected and prcessed. Accuracy Persnal Infrmatin will be kept accurate and up t date. Retentin Persnal Infrmatin shall nt be kept fr lnger than is necessary t meet legitimate peratinal, legal and regulatry requirements. Data Subject Rights Persnal Infrmatin shall be prcessed in accrdance with the rights f Individuals, such as the right t request a cpy f the data prcessed in respect t them. Security Apprpriate technical and rganisatinal measures shall be taken t prevent unauthrised r unlawful prcessing f Persnal Infrmatin and against accidental lss r destructin f, r damage t, Persnal Infrmatin. IT Risk and Security Management (ITRSM) Plicies and Standards must be adhered t at all times. N Staff will be permitted t access any Persnal Infrmatin unless they are authrised t d s and have a valid business reasn fr such access. It is a legal requirement that any Third Party engaged t prcess any Persnal Infrmatin n behalf f JPMC can nly prcess such Infrmatin under a cntract with JPMC which stipulates exactly hw the Persnal Infrmatin may be prcessed. 5

6 Trans-brder data flws There are restrictins impsed by law n the transfer f Persnal Infrmatin frm an EEA cuntry t a cuntry that des nt have equivalent r adequate data privacy legislatin. T enable such transfers, specific requirements have t be met and in sme cuntries apprval f the lcal data privacy regulatr may be required. Transfers f Persnal Infrmatin t JMPC s parent cmpany in the United States will need t be cnsidered against these requirements. Any Staff invlved in the setting up f any new transfers f data t anther cuntry must refer t the EMEA Privacy Team and Legal Department fr cnfirmatin that the transfer may prceed. In limited circumstances Persnal Infrmatin may be prcessed withut cmplying with the abve principles. Fr example it is smetimes pssible t prcess Persnal Infrmatin fr crime preventin and detectin purpses r natinal security withut cmplying with all f the abve principles. Any such exceptins must be pre-apprved by the EMEA Privacy Team. All emplyees must btain cnfirmatin frm the EMEA Privacy Team where they wish t recrd Sensitive Persnal Infrmatin n a systematic basis Cllectin f Persnal Infrmatin Persnal Infrmatin may be cllected r accessed in a number f ways, including: directly frm the Staff (in writing r verbally); generated by JPMC in cnversatins, crrespndence, appraisals, etc.; received by third parties s that such third parties may, fr example, administer the emplyment applicatin prcess, benefits, payrll r prvide ther services fr emplyment purpses n behalf f JPMC; thrugh the use f JPMC facilities ( including but nt limited t, cmputer and telephny equipment, including mbile phne, smart phnes and tablet devices, and sftware, including electrnic messaging, and internet applicatins); thrugh the use f the Staff member s wn persnal device if JPMC apprved sftware is installed generated by JPMC in reprts, metrics r ther statistical prcess Yu shuld als be aware f the fllwing: Access Cards/ Badges: fr security purpses, entry t JPMC buildings is cntrlled thrugh use f access cards issued t Staff. Access cards are issued and cntrlled by Glbal Security & Investigatins (GS&I). The fllwing Persnal Infrmatin is shwn and stred n each access card: name; staff number r barcde; and phtgraphic image. Fr security purpses, t prtect ur buildings, assets and Staff, data is generated (including 6

7 date, time and lcatin infrmatin) whenever yu use yur access card t pass thrugh a secure entry pint. In sme cuntries, this data may als be used t generate reprts t assist with the JPMC Cnsecutive Leave Plicy r attendance generally, r ther supervisry versight undertaken by the firm. Phtgraphs: the phtgraphic images cllected may be accessible by Glbal Security & Investigatins Staff in any lcatin when there is a legitimate business need; fr example phtgraphs may be viewed n screen by JPMC building receptinists as a means f identifying Staff. Apprpriate measures are in place t ensure the security f the image. Phtgraphs prcessed fr security purpses may nt be used fr ther purpses such as an internal r external publicatin withut the Staff member s prir cnsent. JPMC Hme Telephne Directry: the Intranet Phnebk is a knwledge sharing tl that enables individuals t uplad and share infrmatin abut themselves which they think will be f interest t their clleagues. Use f the Persnal Infrmatin element f an individual's prfile is nt permitted fr any ther purpse. Althugh entirely vluntary, yu may put yur persnal cntact details (i.e. persnal mbile phne) in the Intranet Phnebk t enable yu t be cntacted fr legitimate wrk related and/r emergency purpses nly, when utside f the ffice. Such numbers shuld nt be used fr any ther purpses. Vice Recrding: Certain telephne lines r mbile devices may be enabled fr vice recrding. This is enabled due t a regulatry bligatin r t supprt a line f business specific plicy. The facilities are perated by Vice Services wh may access and retrieve recrdings t supprt an apprved request. These may be als be accessed by Legal, Cmpliance and/r Supervisry management t prvide necessary versight f activity and/r respnd t regulatry r litigatin requests. Vide Surveillance (CCTV): Vide Surveillance Cameras are used primarily fr the purpses f crime preventin, Staff and public safety and t prtect ur buildings and assets. These cameras may be used n the exterir and interir f the buildings; where apprpriate ntificatin signs are displayed. The installatin and use f such cameras is under the cntrl f GS&I wh may access and prcess Vide Surveillance Camera recrdings (f anywhere in the EMEA regin) in the UK. Mnitring f Staff Electrnic Cmmunicatins: JPMC s facsimile, internet, , instant messaging, telephne, vic and ther facilities are intended fr use in relatin t business purpses. Hwever, yu are nt prhibited frm reasnable ccasinal persnal use f such facilities fr yur wn purpses n the basis that: yu understand that all use f such facilities may be subject t mnitring (as allwed by applicable laws and legislatin); yur usage des nt cntravene any law r any JPMC internal rule r plicy; and yur usage is kept t a reasnable minimum and shuld nt interfere with yur wrk cmmitments. The mnitring f Staff electrnic cmmunicatins falls int the fllwing categries: Autmated cntent inspectin t prevent the lss f cnfidential r persnal 7

8 infrmatin. Fr example an may be autmatically examined and blcked fr high risk data such as Credit/Debit Card numbers r the JPMrgan Internal Use Only watermark. Autmated cntent inspectin t prevent inapprpriate language r cntent. Fr example an may be autmatically examined and blcked fr inapprpriate language r certain types f attached file, virus r malware r t prtect against ptential cyber threats. Manual access r surveillance fr the purpses f emplyment, cmpliance, regulatry r ther investigatins, including t investigate any suspected breach f law, regulatin, internal rules r plicies, in the curse f dealing with grievance and/r disciplinary matters, and/r t assist with dispute reslutin. Such access and mnitring will generally take place by r under the directin f HR, Legal, Cmpliance, IT Security and/r GS&I. Manual access r surveillance t cmply with legal and/r regulatry bligatins that the firm has. Sme Staff members, due t the nature f their wrk, may be mre clsely mnitred. These Staff may als have their incming and utging , instant messages and vice recrdings replicated and retained t meet regulatry requirements. Manual access r surveillance t prevent r detect the sending f prprietary, client cnfidential infrmatin r inside infrmatin utside the firm. JPMC als uses internet blcking sftware t blck access t certain sites. If yu try t access a site that is prhibited, uplad data t a site r dwnlad files frm a site yu may be denied access and receive an autmated message telling yu wh t cntact if yu think that access shuld be allwed. Fr all f the mnitring examples abve the firm will maintain a reprting capability s that HR, Legal, Cmpliance, IT Security and/r GS&I can analyse trends and keep suitable recrds. Such infrmatin may be shared with business management/supervisrs t ensure apprpriate supervisin Purpse When applying t jin JPMC and thrughut yur emplyment, JPMC, its affiliates and agents, will cllect and prcess Persnal Infrmatin (which may include Sensitive Persnal Infrmatin required t ensure cmpliance with any legal regulatry requirement) abut yu. It is imprtant that yu ntify HR immediately f any changes t yur persnal details. Yur Persnal Infrmatin is cllected and used in line with the Principles fr legitimate emplyment and business purpses nly, which include, but may nt be limited t, the fllwing: Persnnel management: including but nt limited t the nrmal business practices related t the establishment, maintenance and terminatin f emplyment relatinships, fr example, the Staff member s applicatin fr emplyment, hiring, his r her rle and functin in the firm, Staff management and administratin generally (including bth befre, during and after emplyment), pre and nging emplyment screening and verificatin, administering benefits, administering persnal shrt r lng term cmpensatin prgrams, cnducting investigatins, grievance and/r disciplinary prceedings, addressing labur relatins issues and prcessing health insurance claims. Sme examples include: 8

9 recruitment r internal transfers backgrund vetting including, where allwed by law, searches with a credit reference agency and criminal recrd checks maintaining a recrd f yur emplyment histry at JPMC training and educatin CVs payrll, cmpensatin planning and related administratin perfrmance assessment/evaluatins, prmtin and successin planning business travel and the reimbursement f travel csts and expenses taxatin calculatins pensin administratin Staff administratin including wrking hurs and flexible wrk arrangements the prvisin f emplyee benefits, fr example healthcare sick leave and ther medical events family leave diversity (ur cmmitment t a diverse and inclusive wrkfrce) equal pprtunities mnitring sabbaticals and retirement ccupatinal health & health and safety matters prvisin f references, including emplyment and regulatry references t third parties JPMrgan s Alumni prgramme, Cntinuum cntingency planning & emergency cntact lists adjustments t the wrking envirnment in respect f a disability t mnitr cmpliance with any legal r regulatry requirements, request frm a cmpetent authrity and the firm s internal rules and plicies (such as the Cde f Cnduct, internet and telephne usage) and where required fr related investigative purpses cmputer system access, access rights, usage and security maintenance card entry systems Right t Wrk requirements t cmply with legal and regulatry requirements including requests frm verseas regulatrs t prvide Staff with marketing material sent t their wrk address. This may include details f JPMC prducts r services r thse f ther rganisatins and charities which may be f interest. Operatins Management: including but nt limited t establishment, perfrmance and management f business activities f JPMC, fr example, maintaining and mnitring usage f internal netwrks and IT systems; Security Management: including but nt limited t ensuring the security f the JPMC premises and infrmatin held by JPMC as well as the safety f Staff; Legal and Regulatry Cmpliance: including but nt limited t btaining and releasing Persnal Infrmatin as required by law and/r regulatry reasns (e.g. tax, health and safety, antidiscriminatin laws etc.) r judicial authrizatin and t maintain recrds that can include Persnal 9

10 Infrmatin, such as gvernment identifiers, infrmatin relating t sickness, maternity r parental leave, pensin and retirement, etc. JPMC will disclse Persnal Infrmatin t regulatrs, including tax authrities, law enfrcement agencies, curts f cmpetent jurisdictin r ther fficial bdies, with cmpetency t regulate JPMrgan and its affiliates anywhere in the wrld as JPMC may, in gd faith, cnsider necessary r desirable (r as may be mandatry due t, fr example a lcal r freign law, regulatin r curt rder) fr the any purpses required including but nt limited t: in cnnectin with any legal prceeding, t btain legal advice, r t establish, exercise r defend legal rights; and t cmply pursuant t legal prcess r t any ther freign, reginal r lcal legal r regulatry request r t cperate with any regulatry, supervisry r gvernmental authrity, institutin r department; and/r t cmply with legal, regulatry r selfregulatry requirements, r with the rules f prfessinal assciatins, any lcal r freign vluntary cde r actin, r internal plicy we may adpt fr gd practice. Yur Persnal Infrmatin may als be disclsed if JPMC has a right r duty t disclse the data r is permitted r cmpelled by law t d s in any jurisdictin in which JPMC perates. When yu leave the emplyment f JPMC: sme Persnal Infrmatin we hld abut yu will be retained fr varius purpses accrding t the firm s retentin plicies, as required and/r allwed by law and regulatry bligatins, including, but nt limited t, the fllwing: maintaining histrical recrds; analysis f emplyment trends; mnitring f diversity statistics; prvisin f references t third parties; pensins administratin; purpses required by law r regulatry requirement. If yu jin the JPMrgan Alumni, Cntinuum - Cntinuum may cntact yu by unless yu instruct therwise t invite yu t jin and/r t alumni events Adequacy JPMC will cllect Persnal Infrmatin that is adequate, relevant and nt excessive in relatin t the purpse r purpses fr which it is cllected and prcessed Accuracy and retentin JPMC will emply reasnable means t keep Persnal Infrmatin accurate, cmplete, up-t-date and reliable fr its intended use. With limited exceptins, Staff will be permitted t review and, where inaccurate, crrect Persnal Infrmatin. JPMC will amend the Persnal Infrmatin r, where the firm cnsiders that the Persnal Infrmatin is accurate; the firm will include in the file the alternative text that the Staff member believes t be apprpriate alngside the riginal infrmatin. If it is determined that Persnal Infrmatin needs t be updated r crrected, the firm 10

11 shall use reasnable effrts t infrm relevant third parties which were prvided with inaccurate infrmatin. JPMC may nt give Staff the ability t review Persnal Infrmatin where the burden r expense f ding s is disprprtinate t the risks t their privacy in a particular case. Where JPMC des nt prvide Staff with the ability t review their Persnal Infrmatin, it will give reasns fr refusing t d s and prvide a cntact pint fr further inquiries. JPMC will, in any event, cmply with all applicable lcal regulatins and ensure that Staff can review any Persnal Infrmatin they have a right t access under the law applicable in their cuntry f residence Disclsures Internatinal Disclsures Sme cuntries restrict the transfer f persnal infrmatin utside f that cuntry and impse particular requirements t ensure the prtectin and freedms f data subjects which must be met befre persnal infrmatin can be transferred t anther cuntry. All entities glbally are bund t prcess Infrmatin in line with the Glbal Privacy Standards Fr Prcessing EMEA Persnal Infrmatin. Transfers t Grup Cmpanies and Affiliates JPMC may disclse Persnal Infrmatin t grup cmpanies and JPMC affiliates where such entities need t Prcess that Persnal Infrmatin fr business r business efficiency purpses ( Intra Grup Transfer ). JPMC will ensure that it will prtect any Persnal Infrmatin disclsed during an Intra Grup Transfer in accrdance with the prvisins f this Plicy and the cmpanies Binding Crprate Rules in the frm f its Glbal Privacy Standards Fr Prcessing EMEA Persnal Infrmatin. Transfers t Agents and Cntractrs JPMC may disclse Persnal Infrmatin t third party agents r cntractrs that supply services t the firm which require the Prcessing f that Persnal Infrmatin. The firm will nly transfer Persnal Infrmatin where the agent r cntractr has prvided written assurances t JPMC that it will prtect any Persnal Infrmatin disclsed t it in accrdance with relevant laws, rules and regulatins and, where pssible, the prvisins f this Plicy. If JPMC has knwledge that an agent r cntractr is Prcessing Persnal Infrmatin in a manner cntrary t relevant laws, rules and regulatins r the prvisins f this Plicy, it will take all reasnable steps t prevent r stp the Prcessing. Transfers t Independent Third Parties ther than Agents and Cntractrs JPMC may disclse Persnal Infrmatin t third parties ther than thse mentined abve (including, but nt limited t, fr the purpses f business sales r acquisitins, r as may be required as a result f changes r prpsed changes t the prvisin r receipt f services). JPMC may als disclse Persnal Infrmatin t prtect the interests f the firm and/r its emplyees, if there is an emergency situatin invlving the health and safety f Staff, r where necessary fr 11

12 JPMC t perfrm a cntractual bligatin wed t a Staff member r fr ther lawful purpses, including legal r regulatry bligatins Safeguarding Persnal Infrmatin JPMC will use apprpriate administrative, technical, persnal and physical measures t safeguard Persnal Infrmatin against lss, misuse, unauthrized access, theft, mdificatin, disclsure and destructin. The firm will restrict access t Persnal Infrmatin under its cntrl t thse emplyees, agents and cntractrs f the firm wh have a legitimate business need fr such access. JPMC prvides training t prmte awareness f the requirements and plicies surrunding prtectin and security f Persnal Infrmatin. Mre infrmatin n the firm s safeguards can be btained frm IT Risk and Security Management Yur rights JPMC will assist Staff in prtecting their privacy and will prvide Staff with pprtunities t raise cncerns abut the Prcessing f their Persnal Infrmatin. Staff wh have questins r wh wuld like t raise cncerns abut the Prcessing f their Persnal Infrmatin shuld cntact the EMEA Cmpliance Privacy team. Individuals may request a cpy f the persnal data held in relatin t them by us. We may, where allwed by law, charge a fee fr this. If any persnal data is fund t be wrng, the individual cncerned has the right t ask us t amend, update r delete it, as apprpriate. In sme circumstances individuals als have a right t bject t the prcessing f their persnal data Any cmplaints will be reslved in accrdance with the JPMC EMEA Data Privacy Cmplaints Prcedure. If effrts t reslve a cncern within JPMC are unsatisfactry JPMC will cperate in the reslutin f any such inquiries and will cmply with any decisin r advice issued by data prtectin authrities. The EMEA Privacy Cmpliance team can be cntacted at this address EMEA_DataPrivacy@jpmrgan.cm 3. Yur Obligatins t JPMC All Staff are required t adhere t this Plicy, which must be read in advance f cmmencing their emplyment r engagement (as applicable) with the firm. Yur bligatins t JPMC with respect t Data Privacy are cntained within the key plicies and standards f the firm. In particular the Glbal Privacy Standards Fr Prcessing EMEA Persnal Data (Glbal Standards) and the EMEA Privacy Standards (EMEA privacy cmpliance page). If yu are required r elect t prvide Persnal Infrmatin abut ther peple (e.g. yur family members) then yu must ensure thse peple have access t the publicly available JPMC privacy ntices (i.e. thse that can be fund n JPMC s external website). 12

13 If yu are using JPMC facilities (including but nt limited t, cmputer and telephny equipment, including mbile phne, smart phnes and tablet devices, and sftware, including electrnic messaging, and internet applicatins);as part f the permitted ccasinal persnal use; yu shuld infrm anyne with whm yu are cmmunicating that the cmmunicatin may be subject t mnitring. Staff must advise HR if any f yur persnal details change s that HR may keep yur data accurate and up t date. Fr example, many details can be maintained using My Persnal Prfile. Staff wh suspect r learn f an actual r ptential breach f JPMC Infrmatin, data privacy and/r cnfidentiality bligatins, regardless f the frmat in which that JPMC Infrmatin is held, must immediately ntify the Incident Respnse Team in yur LOB. Other imprtant bligatins are recrded and maintained within the firm s Cde f Cnduct, with which yu are required t cmply. Breach f yur bligatins t JPMC may result in disciplinary actin, up t and including terminatin f yur emplyment. If yu leave JPMC, yu must be aware that we will lawfully have access t systems, files, dcuments and devices that may cntain yur persnal data and that we may use it. In additin, yu must als ensure that all required dcuments in rder t meet JPMC s regulatry and/r legal requirements, are nt deleted and are held n the apprpriate JPMC shared drive and nt n persnal drives. Legal Obligatins r Guidance Data Prtectin Act 1988 (the UK DPA ) Privacy and Electrnic Cmmunicatins (EC Directive) Regulatins 2003 Data Privacy Directive (95/46/EC) 4. Firm References Other Firm Plicies Glbal Standards Fr Prcessing EMEA Persnal Data EMEA Data Privacy Cmplaints Prcedure Ptential Breaches f Infrmatin Plicy 5. Dcument Infrmatin Primary Risk Categry D1 Privacy 13

14 Plicy Owner / Primary Cntact / Secndary Cntact/Plicy Manager Belinda Gaynr Alisn Stewart Michael Treip Plicy Owner s Functin r Line f Business/Regin/Cuntry EMEA Cmpliance Plicy Apprver Plicy Number (ptinal) EMEA CIB Cmpliance Gvernance grup N/A Original Effective Date (ptinal) 30/03/2010 Last Review Date (ptinal) 04/12/2014 Cntact Grup r Htline Number (ptinal) EMEA CIB Plicies & Prcedures 14