ING Protecting Personal Data PDF
Document Details
Uploaded by IntelligentMoscovium
Summary
This ING document provides a general overview of data protection principles. It outlines the importance of protecting personal data and explains ING's policies and procedures related to data protection. It is an accessible PDF version of a training course.
Full Transcript
Protecting personal data
General awareness

Accessibility statement ING elearning.

ING is committed to supporting all our employees to reach their potential, including people with a disability. We recognise the importance of providing a digital environment that is accessible to all and are striving to meet those digital accessibility standards – a goal that is supported across ING, also by our colleagues involved in learning. Our vendors have used best endeavours to meet the standards of the international Web Content Accessibility Guidelines (WCAG 2.1).

In case the eLearning does not meet screen reader requirements, this accessible PDF is an alternative format available for colleagues who cannot complete this training due to limited accessibility. If this applies to you, by reading this document you will have completed the module and all you then need to do is to confirm this to [email protected], with a cc to your manager if you wish. You can remain anonymous, by confirming completion only to [email protected].

Protecting personal data

This training has been designed to give everyone at ING an appreciation of the basic principles of data protection. It will help you handle personal data in a safe and compliant way that’s in line with our personal data protection policy.

You are completing this version of the training because you need a general overview of data protection. If you have one or more of the following activities as part of your role, please complete the tailored module of this course instead:

Process/Product owner
Process developer
Contract owner
Asset owner
Service owner
Data owner
Or you advise, challenge or provide input to any of the roles above.

PDF_ING_Data Protection_General_v1.1_May 2023

The Why

Why personal data protection matters

Privacy is a human right. We all have the right to determine when, how, and for what purpose our personal information is handled by others.
Customers, suppliers, business partners and employees like you entrust ING with their personal information. It’s our collective responsibility to take the utmost care to retain that trust and to protect people’s privacy. Personal data needs protecting because it’s a valuable asset. If it falls into the wrong hands, people could become victims of identity theft, discrimination, or other malicious activity. Just think … how would you feel if your home address or private phone number or medical records were shared without your knowledge or consent? And how would you feel about the organisation or person that you trusted with that information, only to find they hadn’t protected it? By taking ownership and taking care of the personal data you’re entrusted with, you can make a difference. After all, we’re only the guardians of personal data. The data itself always belongs to the people who provide it to us. How does ING take responsibility? Doing the right thing ING is committed to ensuring that any personal data we collect and use is handled in line with the expectations of those whose personal data we hold. We also have legal obligations. Various data protection laws set out what should be done to make sure everyone’s data is used properly and fairly. As a global bank, ING must comply with the privacy rules that are stipulated in the EU General Data Protection Regulation (GDPR) and local data protection requirements. ING have a legal binding corporate rules (BCR) agreement which states that we'll apply the main principles of GDPR globally unless local law prohibits this or provides more protection. Internally we also refer to the legal BCR agreement as 'GDPP'. In addition, we have an internal policy in place, called the Global Personal Data Protection Policy (GPDP), that describes the obligations we must adhere to and the risks we must mitigate. Policies to support you Here are the key policies in place to guide you. You’ll find them on ING Today. 
Binding corporate rules ING’s legal BCR agreement clearly states how we aim to protect client, supplier, business partner and employee data. It is set out in two documents: The Global Data Protection Policy for Client, Supplier and Business Partner (GDPP for clients). The Global Data Protection Policy for Employee Data (GDPP for employees). These documents are also shared with individuals outside of ING and are approved by the Dutch Data Protection Authority. They must be adhered to globally unless local law determines otherwise. As these documents are also available to individuals outside of ING, you can find them on ing.com. They are publicly available so that all individuals can use them to exercise their rights towards ING if required. Internal policies Our global internal policies and standards consist of: The Global Personal Data Protection Internal Policy (GPDP). The Global Personal Data Protection Process Control Standard (PCS). We understand that there are multiple documents referenced here, so to bring these to life we’ll be using everyday examples throughout this course, putting ING’s policies into practice. People to support you At ING, we have personal data experts in place in every business unit to help you and to provide support. There’s a data protection contact list available on ING Today if you want to see the names and emails of these roles/departments. Data protection executive office The data protection executive or DPE office, sometimes called the privacy office, is your first point of contact if you have a question or concern relating to personal data. The DPE office performs activities relating to compliance with the GPDP and the BCR. Activities range from coordinating actions around data breaches, supervising the register of processing activities, supporting the business with data protection impact assessments and much more. The DPE office supports the business unit data protection executive (BU DPE). 
As this is your first point of contact for questions or concerns, please familiarise yourself with who this is locally. Business unit data protection executive The business unit data protection executive, or BU DPE, is the person who’s accountable for compliance with and implementation of the GPDP policy and the BCR within the business unit. This role is fulfilled by the chief operating officer (COO) of the business unit. On a global level, the bank DPE has overall accountability. This role is fulfilled at the Management Board Banking (MBB) level by the bank COO. Business unit data protection officer The business unit data protection officer, or BU DPO, is responsible for providing advice and challenge to the business unit on personal data processing. They monitor compliance with the GPDP, the BCR and local data protection requirements. On a global level, the bank DPO is responsible for advising on cross-border issues and supervising compliance. The DPO role is part of the data protection compliance risk function. The DPO is the single point of contact for the Data Protection Authority. Remember It isn’t just about protecting people’s personal data because we have to (by law), it’s about protecting personal data because it’s the right thing to do for our customers, business partners, suppliers, colleagues and any other individual whose personal data ING processes. Our values ask us all to promise to behave honestly, prudently and responsibly. Our global code of conduct demands that we protect personal data. Take ownership and be vigilant. There are policies, departments and people in place within ING to support you in doing this. Personal data fundamentals Harry, an ING customer said: “I’ve banked with ING for many years … and now I want to open a new joint account. 
I’m happy to hand over all the personal information you need to offer me this product, because I trust ING to do the right thing and to have systems in place that mean my personal information is protected and won’t be used illegally or end up in the wrong hands.” Personal data As a bank, people trust us with personal data. It’s important that we maintain that trust, that we’re transparent about what we do with their personal data, and that we comply with data protection laws. To do this, we need you to feel confident about what personal information is and why it’s important to protect it. Personal data is any information that identifies or could indirectly link to an individual. This includes pieces of information that, when combined, can identify a person. For example, their name, account number and address. Customer personal data From your experience of being a customer, with ING or any other bank, what personal information do you think a bank might collect? Choose all that apply. Option 1: Date of birth Option 2: Personal email address Option 3: Signature Option 4: Marital status Option 5: Phone number Option 6: Bank account number Answer All of these are examples of personal data that ING, or any bank, may collect from its customers. And there are many more examples of personal data that a bank may require depending on the product or service they’re offering. As you can imagine, ING holds a huge amount of personal data. If you’re in doubt about whether any piece of information concerns personal data, don’t hesitate to contact your DPE office. Is some personal data more sensitive? Sensitive personal data is a specific set of personal data, sometimes referred to as 'special categories', that must be treated with extra security. There are stricter guidelines and rules on the processing of sensitive personal data. It’s personal information that you must be more protective of. 
Which of the following data examples do you think fall into the sensitive personal data category? Which of the following options apply? Option 1: Health information such as medical records Option 2: Religious or philosophical beliefs Option 3: Sexual orientation Option 4: Political opinions Option 5: Ethnic origin Answer According to our GPDP, these are all classed as sensitive personal data. Imagine how you’d feel if sensitive personal information belonging to you was wrongly used. Sensitive personal data Sensitive personal data includes ethnic or racial origin, physical or mental health records, political opinions, sexual orientation, criminal records, trade union membership, religious beliefs, or any other data defined as sensitive by local law. While we need to handle all personal data with care, we need to be extra careful with sensitive personal data. If you come across data like this in your work, you need to be aware that we can only process it in exceptional circumstances. Note: ‘sensitive personal data’ shouldn’t be confused with confidential or insider business information, which is any data that would pose a risk to a company if released to a competitor or the public. Your role To maintain the trust of our customers, suppliers, business partners and employees, we must all play our part to protect everyone’s personal data. That means treating it in the right way and processing it according to ING’s policies and standards. This ensures that we live up to our values, comply with data protection laws and reduce the risk of a personal data breach. A personal data breach is when the data we’re protecting is accidentally or unlawfully lost, destroyed, altered or accessed. Consider this... Think back to our existing customer, Harry. He has banked with us for a while and has given us his personal information. But imagine if that personal data wasn't properly protected and fell into the wrong hands. Which of the following could he now be at risk of? 
Option 1: Identity theft Option 2: Fraud Option 3: Financial loss Answer All of these options are correct. Personal data in the wrong hands could be used to identify him, putting him at risk of identity theft, fraud, financial loss and other malicious activity. Imagine how you might feel if this happened to you. The consequences of personal data breaches can also include worry, anxiety and depression for the individuals concerned. That’s why personal data protection is so important. Consequences for ING You have considered how a customer might feel if there was a personal data breach at ING, and the effect it might have on them. Now think about it from ING’s perspective. What do you think the consequences of a personal data breach could be? Which of the following options apply? Option 1: Negative publicity could harm the reputation of ING. Option 2: ING’s compliance with data regulations would be questioned and investigated. Option 3: Customers may lose trust and leave ING. Option 4: The individuals concerned could raise a complaint with the local Data Protection Authority. Answer All of these options are correct. Depending on the scale of the personal data breach and the sensitivity of the information involved, the consequences may differ, but all of these are possible consequences. Data breaches can have a large impact on ING as an organisation and on our customers, both in terms of potential reputational (non-financial) and financial consequences. Mistakes can happen Data breaches aren’t always the result of criminal activity. Sometimes personal data is accidentally lost or shared. In fact, most data breaches are thought to be down to human error. We can all be busy or distracted and make mistakes. Emails There are several breaches that could occur due to mistakes linked to the use of emails, such as: Sending personal data to the wrong employee, customer/client, business partner or supplier. 
Sending emails to a group of customers/clients with emails exposed in the ‘to’ field instead of in blind copy. Forwarding emails to new recipients without checking if they should have access to the content of the whole email chain or attachments. Not password protecting documents that contain personal data. Password protecting a document but then sending the password in the same email as the document. Hard copy documents Sending documents that include personal data to the wrong customer/client. Sending an employment contract to the wrong employee. Printing a document containing customer/client or employee personal data and leaving it on a printer. Leaving customer/client files unattended in the office. Storage and access Errors relating to both physical and online storage and access include failing to: Protect folders or systems where documents are saved. Update access rights promptly when there’s a change, for example, someone leaves the business. Ensure that access is only given to those people who need it. How to respond Mistakes happen. The key is knowing how to respond. Here’s what happened to Cassy, one of your colleagues. “I was having an exceptionally busy day and had to send an urgent email to a customer before I finished work. The email contained the customer’s name, bank account and overdraft details. However, in my rush, I accidentally sent the email to someone else in my contacts with a similar name.” What should Cassy do? Which of the following options apply? Option 1: Report the data breach to her manager. Option 2: Report the data breach to her DPE office. Option 3: Call the person she sent the email to and ask them to delete it. Option 4: Wait to see if anything happens – it isn’t a serious data breach. Answer The correct answers are options 1, 2 and 3. It’s always important to speak up and report any personal data breach as soon as possible. 
Prompt reporting to the DPE office is necessary as we have a 72-hour deadline for notifying the regulator if needed. The DPE office informs the DPO who will decide on the need to notify the regulator or not. However serious or trivial it might be, you should never wait and see what happens if you think there has been a personal data breach. Remediate and report If you realise that there has been a potential personal data breach, you need to take immediate action to reduce the potential risks for the individual(s) involved. Remediate Your first response should be to try and remedy the situation where possible. This could include: Recalling emails. Ensuring that the receiver has deleted the information, etc. Report Immediately following this, you need to inform your DPE office to discuss the reporting of the breach. These are immediate actions, however, following this you will need to work with the DPE office and any other key stakeholders involved on lessons learnt and any follow up actions required to prevent such a breach from reoccurring in the future. Reporting a data breach To help you safeguard personal data, we have people in place with specific roles and responsibilities to support and guide you. These are also the people who get involved if there has been a potential personal data breach. DPE office The DPE office is your first point of contact if you have any personal data concerns or if there’s a possible personal data breach to report. Prompt reporting to the DPE office is necessary as ING have a 72-hour deadline for notifying the regulator if needed. If an event is confirmed as a personal data breach, the DPE office has to record this in a data breach register and liaise with the DPO on the breach. The business remains responsible for registering breaches as events in iRisk, with the support of the DPE office. 
DPO The DPO decides whether the breach holds a high risk of adversely affecting individuals' rights and based on that decision, whether the breach should be reported to the data authority. ING have 72 hours to report any relevant breach to the data authority via the DPO. If multiple countries are involved in a data breach, we call this a cross-border data breach. In this case the bank DPO decides on reporting to the lead Data Protection Authority. For ING this is the Data Protection Authority in the Netherlands. Key points We’ve used examples from retail banking to help explain the basics of personal data protection, but the same principles apply whether you’re processing personal data in the back office, supporting client-facing staff, working with employee data or wholesale banking clients. Remember that we don’t own the personal information that our customers, suppliers, business partners and employees give to us. Instead, we’re guardians of that information and need to look after it with care. If you follow our policies and procedures, you can be confident that you’re doing the right thing. Here are some key points to remember: People trust ING to keep their personal data safe and to only use it for the purpose it was provided. Familiarise yourself with the global data protection documents on ING Today. Mistakes happen – the key is to act promptly. Report any concerns or potential personal data breaches immediately to the DPE office and your line manager. This is the end of the personal data fundamentals topic. All of the required items in this topic need to be completed before you can move on. The principles of processing personal data Cassy, an ING colleague said: “I know I need to take care when working with anyone’s personal data. It isn’t just an ING requirement, or a legal requirement … it’s about protecting personal data because it’s the right thing to do for our customers, business partners, suppliers and colleagues. 
And that sometimes makes me anxious because I don’t want to do the wrong thing.” How confident are you? Can you sympathise with that comment? Any action we perform on personal data is called ‘processing’. Processing includes actions such as collecting, recording, organising, structuring, storing, adapting, consulting, disclosing, combining, deleting, and destroying. GDPR, local data protection laws and the BCR state what you are and aren’t allowed to do with personal data. You need to know what is and isn’t possible. When it comes to working with personal data (whether it belongs to employees, suppliers, or retail customers and business clients), how confident are you about doing the right thing? Don’t worry if you don’t feel confident yet about what you are and aren’t allowed to do with personal data, because next we’ll be looking at the principles you need to be aware of to do the right thing. Once you understand what’s allowed you should feel a lot more confident. What’s processing? First, let’s be clear about what we mean by processing. Cassy is the ING colleague you met earlier. She’s an account manager and Harry is one of her many customers. She’s planning her activities for the week and is organising the customers she needs to contact in alphabetical order on a spreadsheet. Harry’s contact information is included. Do you think Cassy is processing Harry’s personal data? Option 1: Yes Option 2: No Answer The correct answer is option 1. Processing includes a wide range of actions, including collecting, recording, organising, structuring, storing, adapting, consulting, disclosing, combining, deleting, and destroying. Even viewing personal data is interpreted as processing. So yes, organising customer contact information in alphabetical order is classed as processing. It’s likely that most of you are processing the personal data of customers, colleagues, business partners or suppliers every day. 
Personal data processing principles At ING we make sure that the right people use the right personal data, with a clearly defined purpose in the right way. The following key principles enable us to achieve this: Purpose and purpose limitation Lawful basis Transparency Minimisation Accuracy Storage limitation Integrity and confidentiality. Purpose and purpose limitation The business unit that Cassy works in is developing a new product. It’s a tool that will help customers manage their finances. The tool relies on gathering personal information. Cassy knows that the first principle to consider when dealing with personal data is to have a clearly described purpose. In this case the purpose is “to provide a service that will enable customers to better manage their finances”. Cassy knows that another business unit has a list of customer contact details that were collected for a different service, but they might be interested in this new service. Can Cassy reach out to her colleagues to ask for the existing list of contact details to market the new product? Option 1: Yes Option 2: No Answer The correct answer is option 2. She can’t access or use the personal data that was collected by a different business unit for a different purpose. When collecting personal data, we need to have a clearly defined business purpose. And, when we have obtained personal information for a specific purpose, we can’t then use that data for another purpose. There are some exceptions where the data can be used for a different purpose. Contact the DPE office if you require more information on this. These are the principles of purpose and purpose limitation. Lawful basis Another key principle is that we must have a lawful basis for processing personal data. For example, it’s a lawful basis if the individual concerned: has given their consent; has entered into a contract with ING and we need to process their personal data to comply with that contract. 
Other examples of a lawful basis are if: There’s a legal obligation – for example, we may need to collect information to comply with laws or regulations, such as complying with regulations preventing money laundering. ING has a legitimate interest – for example, there may be a good business reason for collecting personal information, such as fraud detection (Applicable in the EU). In developing the tool to help customers manage their finances, it’s likely that the lawful basis would be consent. During the application process to use this tool, the user would most likely be asked to provide consent to use their personal data. It is important to note that the term ‘lawful basis’ is currently described in the GDPR regulation but is not explicitly listed in the BCR. In the BCR the lawful basis is included in and defined as ‘legitimate business purpose’. When any processing activity falls within the scope of any of the personal data protection regulations and/or policies we have described, there are tools and assessments in place to ensure that the owners of the processing activity are supported and can clearly identify and document the lawful basis. Consent When the service is launched, Cassy’s business unit decides it would like to investigate the movements of users on the ING website that offers the service. The purpose is to improve the customer experience. They decide to use a non-essential internet cookie that tracks and saves information about each user’s session. Can ING do this if they ask individuals for their consent? Option 1: Yes Option 2: No Answer The correct answer is option 1. Consent to use cookies should be asked when the individuals go onto the website or app to use this service, so in this instance, the lawful basis for collecting information would be consent. There’s an ING cookie statement on ing.com that explains what they are, the different types we use and how users can decide which cookies to allow. 
Transparency The service has been so successful that Cassy’s business unit in the head office needs support and decides to involve other ING entities located across the world. Personal data is being collected in the Netherlands and is now going to be transferred to Asia for processing. Should customers be informed about how and why their data is being processed? Option 1: Yes Option 2: No Answer The correct answer is option 1. This relates to the principle of transparency. We need to be clear and open about why we’re obtaining personal information and explain what we’ll do with it. We set this out (alongside the other principles) in our privacy statement which is available on the ING website. When purchasing the product, the customer should have been pointed to a privacy statement. If the process isn’t covered by a privacy statement, we can’t execute that process unless the individuals concerned have been informed. Other principles So far, you’ve explored the principles of purpose, purpose limitation, lawful basis and transparency. There are four other principles you need to be aware of. Minimisation We must only obtain the minimum amount of data needed. For example, if the purpose of the cookie used to track a user’s behaviour to improve the user experience also tracked their location, could we use that location information? If location information isn’t necessary for the purpose (i.e., to improve the user experience), then the answer to this question is no, we mustn’t use it. Minimisation also means that only those people who need the information can access it. Access to personal data should be on a ‘need to know’ basis only. Accuracy When developing a process, we must make sure that we have a way of keeping the personal data up to date, complete and accurate. For example, if a customer changes address, our records need to be updated. Storage limitation Personal information needs to be stored in an appropriate, managed environment. 
We must only retain the personal information for as long as necessary for the business purpose. Once it’s no longer needed for its purpose, data should be deleted or anonymised. There are rules to follow regarding how long information can be kept. For example, if a customer cancels a product, their data needs to be permanently deleted or retained until the retention period expires, after which it needs to be deleted. Deletion of personal data relates to permanent irreversible deletion. Only irreversible deletion means that information is no longer regarded as personal data. If you need more information on deletion, an ING deletion guidance document is available on ING Today. Integrity and confidentiality We must put security measures in place to protect personal data from unauthorised loss, alteration, disclosure or access. The level of security depends on the amount and type of personal data we hold. In general, the more personal data belonging to a customer or employee that we process, the higher the considered possible risk will be for that individual and their personal data. At ING we use a business impact assessment (BIA) to determine how relevant the security is of an IT asset or a process (including the data that it holds). A BIA is mandatory for all data that’s to be held in an asset or a process, including personal data. Record of processing activity ING is required to maintain a record of all the personal data processing activities it’s responsible for and of the different parties involved in this processing. We call this the record of processing activity (RoPA). When processing personal data, you may be asked to check or add to the RoPA. There’s a central tool to be used by all ING entities to capture this information. There’s usually someone in your team or department who’s responsible for the RoPA. If you aren’t sure who that is, find out and speak to them about the types of processes recorded for your team. 
The RoPA is a mandatory inventory and it’s essential to keep it up to date when there are new processes, reviews or changes to existing processes that use personal data. DPIA Before planning any processing of personal data, the business owner needs to ensure that a pre-DPIA is completed. This is to identify if the planned processing of data will have a high risk for the individuals involved. If the pre-DPIA concludes that a high risk exists, a full DPIA needs to be performed. A full DPIA helps us: identify the potential high risks arising from processing personal data; and determine the mitigating measures that need to be put in place to minimise these risks as much as possible. Key points When dealing with personal data, always have these key principles in mind: Purpose and purpose limitation Lawful basis Transparency Minimisation Accuracy Storage and storage limitation Integrity and confidentiality. By following these principles, you can be confident that you’re processing the right personal data, with a clearly defined purpose in the right way. You’ll be working lawfully, and just as importantly, doing the right thing for our customers, business partners, suppliers and colleagues. We have multiple tools in place (like the RoPA, DPIA, etc.) to ensure that we’re assessing, identifying, mitigating and recording the potential risks that may arise from processing personal data. The rights of individuals Harry, an ING customer says: “I've been an ING customer for some time now, both for myself, members of my family and for my business. As I hold multiple different accounts with ING, I am curious to know what information ING holds about me.” Is it allowed? Are customers allowed to ask for an overview of the personal data processed by ING? Option 1: Yes Option 2: No Answer The correct answer is option 1. Customers have the right to know what personal data ING holds and how it's used. 
There’s a procedure in place to help them exercise this right, which is set out in each privacy statement in countries where ING has a presence in addition to ing.com. Individual rights Any individual for whom ING processes personal data can request access to the personal data ING holds. The most common individual rights include the right to: Access information – you can ask us for an overview of the personal data that we process. Rectify information – you can ask for any personal data that is incorrect or incomplete to be corrected. Be forgotten – you can ask for some of your personal data to be deleted. Object to processing – you can object to ING processing personal data based on legitimate interest if there’s a justifiable reason. How to respond Harry decides to contact his local ING bank to find out what personal information is on file about him. ING receives this request on Monday. Which of the following statements do you think is true? Which of the following options apply? Option 1: There’s no time limit for ING to respond to this request. Option 2: ING has to respond to the request within 72 hours. Option 3: ING should respond to the request within one month. Answer The correct answer is option 3. In principle, we should respond to Harry’s request within one month. If there’s a good reason for needing more time, the response time can be extended by another two months. If you handle these requests or answer questions from customers about their rights, it’s important you know how to handle them. The specific procedure regarding access, correction, updating, blocking, or deleting personal data, as well as objections regarding processing, are explained in the Global Data Protection Policy (also known as the BCR, which is available on ing.com) and local working instructions. You can also ask your local DPE office for guidance. What can he do? Harry receives an overview of the personal data processed by ING. He notices two things that concern him. 
Firstly, ING has stored personal data regarding an old account his grandparents opened for him 20 years ago when he was a child. Secondly, there’s a mistake in his current address – the apartment number is wrong. What action can Harry take?

Which of the following options apply?

Option 1: He can ask us to correct his address.
Option 2: He can ask us to delete information about his old account.
Option 3: He can ask us for the information ING still holds about his grandparents.

Answer

The correct answers are options 1 and 2. Harry has the right to request changes to his personal data if he finds mistakes, or if the information is incomplete. He can also ask to have data deleted, for instance because it’s no longer necessary for the purpose for which it was originally collected. If there’s a valid legal reason for deletion, ING must comply.

Harry doesn’t have the right to request information about his grandparents. He can only request information about himself.

Please note that if you work at an ING office outside the EU, different rights may apply. Please contact your local DPO for more information.

Let’s consider other rights that individuals have.

Right to object to personal offers

Direct marketing is when we send individual customers information about products and services that we think will be of interest to them. For example, if a customer has a mortgage with us, we may choose to send them personal offers about other attractive credit arrangements. But we can only do this if we have the individual’s consent. For direct marketing we call that consent ‘opt in’.

Customers also have the right to stop their information being used for direct marketing. So, we must make it easy for customers to ‘opt out’ of personal offers.
Right to obtain human intervention in case of automated decision-making

Automated decision-making is where we analyse personal data using automated processes, such as algorithms (for example, to speed up credit decisions for loans and mortgages, or make decisions about the price we charge for a product or service). Again, we can only do this in limited cases, for instance if the customer has given us explicit consent to do so. In that case, we must ensure there are additional safeguards in place to protect the interest of the individual, such as the right to obtain human intervention, meaning it should be possible to ask for an actual person to make the ultimate decision instead.

Key points

Familiarise yourself with ING’s privacy statement. Each country has one. It informs our customers and employees about the ways we process their personal data, the rights they have and how we respect them.

Remember that an individual’s basic rights include:
- Various rights relating to accessing, updating and blocking the use of personal data.
- The right to opt in and out of direct marketing communication.
- The right to obtain human intervention if ING uses automated decision-making.

Protecting personal data

We all come across the processing of personal data in our daily work in various forms. Protecting personal data should be at the forefront of your mind even when you’re completing basic tasks like sending an email, meeting with your colleagues on Teams or collaborating on a project on SharePoint.

You must be confident that you’re aware of all the instances where you are (or might be) processing the personal data of our customers or employees, or any other individual who’s in touch with ING. You must safeguard their rights by taking into account the personal data protection principles that we have guided you through in this training course and get in touch with the data protection specialists working in ING whenever you need help or assistance.
Protecting personal data should be your number one priority when working with personal data.

Further resources

For further information or contact details, please search for data protection on ING Today (the intranet). For those who have access to My Learning, you can also visit the data protection learning channel.

Thank you.

For colleagues with a disability who need this alternative format of the training and who cannot access the course with assistive technology, you’ve now finished this learning module. To confirm your completion of the course please provide your corporate key to [email protected] and cc to your manager. If you wish, you can remain anonymous by confirming completion only to [email protected].

You have reached the end of this accessible PDF.