Employee Privacy Statement North America

1. Introduction

Privacy is a precious commodity, and the privacy issues that are all around us in today’s society are of acute concern to us all. We are confident that within Rabobank, the privacy of our employees is well secured. Our goal in this Employee Privacy Statement is to provide clear and transparent information about how we handle the processing of your data.

If this Statement contradicts with any national, local, or state law, legislation, or guidance in the USA, Mexico, or Canada, the latter law, legislation, or guidance will supersede.

When you enter employment with Rabo AgriFinance LLC, Coöperatieve Rabobank U.A., New York Branch, the U.S. and Mexico representative offices Coöperatieve Rabobank U.A., Rabobank Canada,  Rabo Diversified Services LLC, Rabo Securities USA, Inc., Rabo Securities Canada, Inc., St. Louis Agency Office or any other affiliated entities operating in North America, (hereinafter collectively and individually referred to as ”Rabobank”), and throughout your employment with us, certain employee data pertaining to you will be processed. For purposes this statement, an“Employee” includes any or all of the following: current employees, former employees, and temporary workers, i.e. contractors. Employee data also falls under the definition of ‘personal data’ if that data can be traced back to you personally (either directly or indirectly). That data includes, but is not limited to, your name, address, or personnel number. In the processing of your personal data, Rabobank will adhere to the law, regulations, and internal guidelines including the Rabobank Global Employee Privacy Code, as may be modified, adopted, or altered within our local region.

It will be the responsibility of the Employee to inform a Rabobank Entity regarding any changes in his or her Personal Data in order to keep the Employee’s Personal Data accurate, complete, and up-to-date.

Individuals should inform the Member Entity regarding any changes. The term “Member Entity” is defined within the Information Sheet of the Privacy Policy Employee Data.

1.1 Who is responsible for the processing of employee data?

Rabobank is responsible for processing your personal data as described in this Privacy Statement. More information about the processing of personal data by Coöperatieve Rabobank U.A. can be found here.

1.2 What is the scope of this Privacy Statement?

This statement pertains to all processing of employee data either by or at Rabobank as defined below. The term ‘processing’ is an umbrella term for all forms of ‘processing’ of employee data. Processing of employee data means any operation that is performed on Employee Data, whether or not by automatic means such as collecting, recording, storing, organizing, using, disclosing, transmitting or deleting. As noted above, this activity also includes the processing of “personal data”, which is data that data can be traced back to you personally (either directly or indirectly).

Nothing in this Privacy Statement indicates any individual’s employment status with Rabobank nor is this Privacy Statement a contract for the employment of any individual or group of individuals.

1.3 What types of personal data does Rabobank process?

Your personal data is obtained in one of two ways. It is information you provide to us, or data we obtain and process through another source.

Your data is saved in various HR systems. Below, we explain the differences between the major systems used for data processing.

Workday: This system is used primarily for the employment-law information such as name and address details and salary information. This system contains data needed to perform, process, and manage your employment status. There may also be a legal obligation to retain personal data, for example a copy of your proof of identity for the tax authorities. This system is used for employee expense reporting, as well as mandatory and required training.

GROW!: This is the performance management system that revolves around growth and performance. It is for all employees, and is focused on enhancing your own control of your performance and versatility and increasing your personal leadership. The GROW! system also saves certain employee data. Consider, for example, the MyGROW! Notes and your profile.

Other HR system vendor categories, including those of third parties, are identified below to allow you to see the business purposes for which we use those third parties.

• Payroll Service Providers
• Core Employee Benefit Providers
• Additional Employee Benefit Providers
• Professional Development/Learning Providers
• Legal & Regulatory Tracking/Verification Providers
• Employee Rewards & Recognition Provider
• Charitable Giving Facilitators
• Employee Travel Arrangement Providers
• Employee Engagement

Generally, we may collect the below categories of personal information from employees.

Category	Examples	Collected
A. Identifiers.	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.	[YES]
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories.	[YES]
C. Protected classification characteristics under California or federal law, or Sensitive Data.	Age, race, color, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status.	[YES]
D. Internet or other similar network activity.	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	[YES]
E. Geolocation data.	Physical location or movements.	[YES]
F. Professional or employment-related information.	Current or past job history or performance evaluations.	[YES]
G. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, or student disciplinary records.	[YES]

The following are the service providers we use to process your data and the categories of your personal data disclosed to those providers (as referenced immediately above):

Payroll Service Providers

Receive personal data in Categories A, B, & C

 

Core Employee Benefit Providers

Receive personal data in Categories A, B, & C

 

Additional Employee Benefit Providers

Receive personal data in Categories A & B

 

Professional Development/Learning Providers
Receive personal data in Categories A & B

Legal & Regulatory Tracking/Verification Providers
Receive personal data in Categories A, B, C, F & G

Employee Rewards & Recognition Provider
Receive personal data in Categories A & B

Charitable Giving Facilitator
Receive personal data in Categories A & B

Employee Travel Arrangement Provider
Receive personal data in Categories A, B, & C

Employee Engagement
Receive personal data in Categories A & B

Security Software for Mobile Devices
Receive personal data in Categories D & E

Telecommunications Providers
Receive personal data in Categories A & B

Corporate Credit Card Provider
Receive personal data in Categories A & B

Emergency Notification Provider
Receive personal data in Categories A & B

1.4 Does Rabobank also process sensitive personal data? 

Rabobank will only process sensitive personal data where necessary for the applicable business purposes as defined in the Privacy Policy Employee Data. The information below shows, for each category of sensitive personal data, when this data is processed and for what purpose:

Race or ethnic background: This may apply, for example, to images of you. Rabobank processes this data for security reasons. Image data is also used for a number of purposes, such as the employee directories.

• Photos and video images may qualify as racial or ethnic data. In the United States, photos are used for security reasons, e.g., issuance of building and floor badges for site access and recording of activity at workplace entrances to secure the premises;
•  Demographic reporting under applicable anti-discrimination laws;
• Communication facilities;
•  Verifying and confirming advice provided by the Member Entity (e.g. when Employees participate in video conferencing which is recorded);
• For inclusion in Employee directories;

 

Personal data pertaining to criminal convictions: This refers to data concerning any criminal activity or previous record or pending prosecution for criminal or unlawful activities. This data is necessary to protect the interests of Rabobank, its employees and its customers, including safeguarding the security and integrity of the financial sector. This data is used for screening employees prior to and during employment and alert systems for the financial sector.

Physical or Mental Health: Processing of data concerning your health may be necessary when you are not at work for medical reasons. However, Rabobank does have to register that you are out ill, and in that event is obliged to make efforts for your reintegration and/or to support you in your recovery. If there are health problems or disabilities that must be addressed by the provision of certain facilities in the workplace, this will also involve the processing of personal data concerning your health. This may include, for example, modification of your workspace.

In addition, there are, other cases in which data concerning your health will be processed, such as the performance of your pension, healthcare, or welfare regulations, when you take parental leave, or whenever you wish to make a claim against systems that provide for claims that are based on your health status.

Sexual orientation: Rabobank will only process data pertaining to your sexual orientation (including data concerning employee partners) in the event of performance of pension commitments or payment of other benefits.

Religion or philosophy of life: This data may be processed for the purposes of accommodating religious or philosophical practices, dietary wishes, or religious holidays.

Citizenship: This data is used to determine if Rabobank needs to provide work sponsorship for you to work legally in the United States. This may involve obtaining information on the country or countries where you maintain citizenship.

At Rabobank you can voluntarily provide certain characteristics about yourself which help us in analyzing our workforce and trying to design interventions to ensure discrimination has no role within the organization. The characteristics contain, among others, sexual orientation, race, disability status, and veteran status.

1.5 Does Rabobank also process my social security number (SSN)?

Rabobank will only record your SSN if there is a legal obligation to do so and only for the specific purpose defined in the law. For example, this obligation is found in implementation of your payroll and/or medical insurance.

1.6 What rights do employees have?

As an employee, you have certain rights with respect to the processing of your data. Among them are the right to review your data and the right to correct your data. For a complete list of all rights and the way in which you can exercise them, see section 4.

1.7 Do we forward employee data to parties outside Rabobank?

In some cases, your data will be provided to parties outside Rabobank. These will be parties that process or receive data for Rabobank. The reasons for this will be a legal obligation, in the performance of a contract, or because we are engaging an outside service provider. Examples of such HR systems and vendors are identified in section 1.3 above.

1.8 Is employee data transferred abroad?

Possible situations within the Rabobank Group

Your employee data may be exchanged between different affiliates or divisions of the Rabobank in certain situations, for example in Global systems such as Workday, or if you are to perform activities and/or work for foreign Rabobank branches (whether temporarily or permanently). These Rabobank affiliates or divisions may potentially be located in countries outside North America. Transfer of your data to countries within the EU is generally permitted if there is a purpose and a basis for doing so.

As a Binding Corporate Rule, the Rabobank Employee Privacy Code guarantees an appropriate level of protection of personal data within the divisions of the Rabobank. Data is shared between the divisions of the Rabobank on the assumption of this guarantee.

Possible situations outside the Rabobank Group

If we forward your data ourselves to other parties outside Rabobank we evaluate on a case-by-case basis how the data will be processed and what the appropriate measures to adequately protect your data must be. This may include an analysis of whether the country where the data is being transferred is considered a “Non-Adequate Country” per the European Commission.

1.9 How long is the employee data retained? 

Rabobank retains your data no longer than necessary for the purposes for which we have collected it or the purposes for which the data is reused. Individual laws prescribe different retention periods. See Section 5 below for further discussion of retention time frames for Employee data.

1.10 What are the tasks of a Local Privacy Officer?

Rabobank has designated a Local Privacy Officer. The task of a Local Privacy Officer is to monitor compliance with the local privacy laws and the Privacy Code for Employee Data and perform other related tasks. The Local Privacy Officer can be reached through the following link: RaboPrivacyOffice@rabobank.com.

2. Description for the Purpose and Grounds for processing employee data

Your data will only be processed for properly specified, explicitly defined and justified purposes (see section 2.1) and where there is a legitimate basis for the processing (see section 2.2). The conditions that must be met are described in section 3.

2.1 Purposes for processing of employee data

Rabobank may process your data for the following business purposes:

• Human Resources and personnel management;
• Business process operations and internal management;
• Health, safety, security, and integrity;
• Company reports and analysis and development of the organization;
• Legal obligations;
• Protection of your vital interests.

2.2 Ground for processing of employee data

The reason for processing your data must be to achieve one or more of the purposes described in this section. There must also be a legal basis for the processing.

Your data will only be processed if:

a)   the data processing is necessary for the performance of:

-  your employment by Rabobank;

-  an employment contract to which you are a party;

-  or in the performance of pre-contractual measures resulting from a request by you and which are necessary for entering into employment or a contract such as your employment contract, upon screening and for assessment purposes;

b)   the data processing is necessary in order to comply with a statutory obligation borne by Rabobank, such as required disability administration in the event of a long-term period of occupational disability;

c)   the data processing is necessary to secure a vital interest of yours (such as emergency contact information for your family in the event of an emergency);

d)   the data processing is required to further the legitimate interests of Rabobank or a third party to which the data is provided, unless an interest of yours or your fundamental rights and freedoms prevail over Rabobank’s interests.

2.3 Human Resources and personnel policy

This processing is necessary to perform employment activities required to maintain an employment relationship with you, or the processing required to take the steps necessary prior to entering into an employment relationship at your request, or for the management and administration of recruiting and outplacement activities, assessments, deploy-ability, leave and other absences, remunerations and benefits (including pension), payments, tax matters, career and talent development, talent management, global mobility, performance management, HR analyses, emoluments, training, travel arrangements and expense reimbursements, insourcing of external employees, and the communication with you as employee. One example is the data saved in MyGROW! Notes, which can be used for internal analyses. These analyses are always conducted in a manner such that they cannot be traced back to you. The data will always be treated as confidential.

2.4 Business operations and internal management

This purpose comprises activities such as drafting work schedules, setting work times, managing operating resources, availability of central processing facilities for maximum efficiency, performing internal audits and investigations, implementing measures in the context of business management and the management and use of employee address files, archiving and insurance purposes, legal or business consulting, preparing or being involved in dispute resolution, and authorization management. For example, we establish what systems you must have access to in order to perform your job, but also log your visit at reception.

2.5 Health, safety, security, and integrity, including guaranteeing the security and integrity of the financial sector

This comprises activities such as the protection of the interests of Rabobank and its employees and customers. This includes guarantees for the security and integrity of the financial sector, and specifically uncovering, preventing, investigating, and combating criminal or reprehensible conduct or attempted conduct of such nature directed against Rabobank or its employees and customers. We screen employees prior to, and if applicable, during, the employment. Activities pertaining to health and safety in the workplace. The protection of Rabobank, employees, and the property of customers, as well as employee authentication. For example, certain positions are subject to logging requirements. If this applies to you, you will be informed in advance. For example, if you work with investment products, we may be legally obliged to log all conversations, because they may potentially serve as evidence at a later stage.

Rabobank has a standard protocol for logging audio, video, and chats.

2.6 Analysis and development of the organization, company reports, and acquisitions and divestments 

This purpose comprises activities like taking surveys of employees, managing mergers, acquisitions and divestments, and processing employee data for company reports and analyses, such as those processed by HR Analytics. This includes, for example, conducting employee satisfaction surveys.

2.7 Legal Obligations

This purpose comprises the processing of employee data where necessary for the performance of tasks for the fulfilment of statutory obligations or recommendations for the sector that are binding on Rabobank, including tasks for the purposes of preventing money laundering, the financing of terrorism and other crimes, and to that end disclosing Personal Data to government institutions and regulatory authorities, including the tax authorities.

2.8 Protecting the vital interests of employees 

This purpose comprises processing necessary to protect the vital interests of an employee. A vital interest is an interest that is essential to a person’s life or health, in a situation in which we cannot ask for the person’s consent, for example if there is an acute threat but a person is unconscious or not mentally capable of granting consent.

3. Principles in the processing of employee data 

Your data may only be processed for properly specified, explicitly determined and justified purposes, as stated in section 2.1, and there must be legitimate grounds for doing so, as stated in section 2.2. This section sets out the principles that Rabobank must observe in the processing of your data.

3. 1 Lawfulness, fairness, and transparency 

We are required to process your data in accordance with the law and in an appropriate manner. Transparency is an important principle in the protection of privacy and of Rabobank. This privacy statement informs you of what data about you is processed and why.

3.2 Necessary and proportional 

Rabobank processes your data insofar as your data is adequate, relevant, and necessary for the purposes (proportionality). We always look at the minimum data/personal data required.

3.3 Limited access and confidentiality 

Other employees of Rabobank are only authorized to view/process your data where necessary for the performance of their work (for example, to pay your salary).

3.4 Security 

Rabobank takes appropriate technical and organizational measures to prevent your data from being lost or improperly processed. The measures will also be aimed at preventing the unnecessary accumulation and further processing of your data.

3.5 Further processing must be compatible 

Your data may only be further processed to achieve justifiable company objectives other than the original objective if that original objective and the new objective are closely connected. The sensitivity of the employee data and the possible negative consequences for the employee concerned will be decisive in whether or not the data can be used for other objectives or whether or not further measures must be taken. We will not collect, use, retain, and/or share your personal information for any purpose that is unrelated or incompatible with the purpose(s) for which the personal information was originally collected or processed.  We will request explicit consent and provide a new notice if we intend to collect, use, retain, and/or share your personal information for any purpose that is unrelated or incompatible with the purpose(s) for which the personal information was originally collected or processed.

3.6 Further processing in context of internal employment market 

Your data can be exchanged between divisions of the Rabobank under the preconditions stated in sections 2 and 3 of this Employee Privacy Statement.

3.7 Processing of personal data of minors 

Processing of personal data of family members younger than 18 can only be done with either consent or authorization to grant consent from legal representatives in the place of the data subject. Personal data of a data subject of 18 years of age or older may be processed legitimately (i.e., without consent or authorization for consent of the legal representative).

3.8 Storing data 

Your data should not be stored in a way that allows you to be identified for any longer than is necessary to achieve the relevant company objectives. Aspects include, for example, that we anonymize application information so that we can conduct analyses to allow us to perform directed search campaigns to fill vacancies.

3.9 Data breaches and Privacy Incidents 

Data Breaches and Privacy Incidents are security incidents by which the data of one or more employees becomes accessible or available to an unauthorized person.

Examples include:

• someone gains unauthorized access to employee data as a result of erroneous authorization/abuse of authorization;
• a letter with salary data is misaddressed, as a result of which it is delivered to the wrong address;
• an e-mail containing employee data is sent to the wrong internal recipient.

If such a Data Breach or Privacy Incident is discovered, this must be reported immediately within the Privacy Incident Reporting Tool found on the Report Now on RaboHub North America. The report is then evaluated internally.

4. Employee rights

This chapter covers your rights as an employee. All requests can be directed to the HR department handling these. You can contact them via fm.am.WorkdaySupport@rabobank.com, or phone via (855) 886 9005 or +1-314-317-8175 for areas outside the USA.

4.1 Right to transparency of information 

As previously discussed, Rabobank processes employee data. This data also includes personal data. You are entitled to clear and transparent information about the processing of this data. Sometimes we give you more or different information, for example if Rabobank documents your data in its incident registers. If this happens, Rabobank will inform you separately (where permitted to do so). Likewise, if there are other reasons to inform you further to this privacy statement, we will do so, for example by e-mail or another channel.

4.2 Right to access, rectification, and copy 

You have the right to ask for the data about you that Rabobank processes. The list of data will contain information concerning the source, type, purposes, and categories of recipients of the employee data in question. If your data is incorrect or incomplete, or in violation of applicable law, you are entitled to have your data rectified.

4.3 Right to be forgotten 

You can ask for the data registered about you to be deleted if you object to the processing of that data. An example is if the processing is not legitimate or no longer necessary for the purposes for which the data was collected.

4.4 The right to not be subject to fully automated decision-making 

Automated decisions are decisions about you that are made by computers and not/no longer by people. Rabobank is legally entitled to make use of automated decision-making including profiling. However, this is subject to certain rules. Does a decision have legal consequences on you, or could you be disadvantaged by it? If so, then we would not be allowed to make an automatic decision on you. At present, Rabobank does not permit automated decision-making with regard to employees.

4.5 Right to objection 

We process your data because we as employer have a justified interest in doing so. However, you can object to this processing, in which case we will make a new determination of whether your data should no longer be used for this purpose. We will stop the processing if your interest outweighs our interest. We will inform you of our decision, stating the reasons.

4.6 Procedure 

If you have made one of the requests described above, we will acknowledge your request within 10 business days. Your question will be answered within 30 calendar days of receipt. That period may be extended by another 30 calendar day period where necessary and upon notification to you of an extension, taking into account the complexity and number of the requests. In that event, we will keep you informed of the progress on your request. If the provision of the data involves the data of third parties, these third parties can be asked in advance whether they have objections to the provision. A request for review or rectification will be at no cost to you. You may be asked to further specify your request. We may then ask for identification, because we need to know for certain whether we are issuing the data to the right person. In some cases, we will not be able to comply with your request. We may, for example, not be required to delete the data if Rabobank is legally obliged to retain it.

4.7 To whom should I direct a question or complaint concerning personal data? 

For questions about the processing of personal data, you can contact the Rabobank division that processes your data or the Local Privacy Officer, who can be reached at: RaboPrivacyOffice@rabobank.com.

For complaints about the processing of personal data, you can approach the Rabobank division that processes your personal data. If the response is unsatisfactory, you may submit this to fm.am.WorkdaySupport@rabobank.com.

5. Retention periods of personnel file and managers' file 

Human Resources retains employee documents in multiple electronic systems. Within each of those systems, data points are assigned a retention time frame consistent with local legislation. Data is retained based on the North America Record Keeping Policy requirements. You can find the North America Record Keeping Policy here (only accessible for employees).

6. Other provisions with regard to the Employee Privacy Statement

6.1 Appendices 

Any appendices to this Employee Privacy Statement make up part of this Employee Privacy Statement and would appear here if any were necessary.

6.2 Grounds for restrictions 

In observance of the provisions of applicable law, after prior consultation with the Local Privacy Officer in certain situations Rabobank’s obligations or the rights of the employee can be declared inapplicable.

6.3 Amendment of the Employee Privacy Statement 

Rabobank has the right to change or supplement this Employee Privacy Statement, with prior notice to the employees’ representatives. This Statement is v2.0 and has been updated on December 15, 2023.

6.4 Extraordinary circumstances 

In circumstances not covered by this Employee Privacy Statement, or in circumstances where compliance with the stipulations in this Statement cannot reasonably be met, the Local Privacy Officer will decide.