Code of Conduct Hotline Privacy Notice, effective from May 31st, 2019
1. This Notice
This Notice is issued by JPMorgan Chase & Co., on behalf of itself, its branches, its subsidiaries and its affiliates, (together, “JPMorgan”, “we”, “us” or “our”) in relation to the Code of Conduct Hotline and the reporting of known or suspected violations of our Code of Conduct, our policies, or applicable laws and regulations by employees, former employees, or external parties (together, “you”). Defined terms used in this Notice are explained in Section 9 below.
This Notice may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in applicable law. We encourage you to read this Notice carefully. Other privacy principles or policies could apply depending on how you interact with us apart from this Code of Conduct Hotline.
2. Processing your Personal Data
Collection of Personal Data: We collect Personal Data about you from a variety of sources as follows:
- We obtain your Personal Data when you provide it to us.
- We collect your Personal Data in the ordinary course of our relationship with you.
- We collect Personal Data that you manifestly choose to make public, including via social media.
- We may receive your Personal Data from third parties who provide it to us in relation to your report to this Hotline or our corresponding investigation.
Relevant Personal and Sensitive Personal Data: The categories of Personal Data about you or the subject(s) of your report that we may Process are as follows:
- Your name and contact details (unless you report anonymously) and whether you are employed by J.P. Morgan Chase.
- The name and other personal data of the persons you name in your report if you provide such information (i.e., description of functions and contact details).
- A description of the alleged misconduct as well as a description of the circumstances of the incident.
- Personal details: given name(s); preferred name(s); nickname(s); gender; date of birth / age; marital status; Social
- Contact details: address; telephone number; email address; and social media profile details.
- Employment details: industry; role; business activities; names of current and former employers; work address; work telephone number; work email address; and work-related social media profile details.
- Education history: details of your education and qualifications.
- Financial details: billing address; bank account numbers; credit card numbers; cardholder or accountholder name and details; instruction records; transaction details; and counterparty details.
- Views and opinions: any views and opinions that you choose to send to us, or publish about us (including on social media platforms).
Processing your Sensitive Personal Data: We do not seek to collect or otherwise Process your Sensitive Personal Data, except where:
- the Processing is necessary for compliance with a legal obligation (e.g., to comply with our diversity reporting obligations);
- the Processing is necessary for the detection or prevention of crime to the extent permitted by applicable law;
- you have manifestly made those Sensitive Personal Data public;
- the Processing is necessary for the establishment, exercise or defence of legal rights;
- we have, in accordance with applicable law, obtained your explicit consent; or
- Processing is necessary for reasons of substantial public interest and occurs on the basis of an applicable law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard your fundamental rights and interests.
Purposes for which we may Process your Personal Data, and legal bases for Processing: The principal purposes for which we may Process Personal Data, subject to applicable law, and the legal bases on which we may perform such Processing, are as shown in the table below.
Where we process your Personal Data for other purposes, such as for operating our websites or information technology infrastructure, we will do so in accordance with applicable law, and only upon establishing an appropriate legal basis.
Processing purpose | Legal basis for Processing |
---|---|
Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law. | |
Legal compliance: compliance with our legal and regulatory obligations under applicable law. | |
Legal proceedings: establishing, exercising and defending legal rights. | |
Risk Management: Audit, compliance, controls and other risk management. | |
3. Disclosure of Personal Data to third parties
We may disclose your Personal Data to other entities within the JPMorgan group, for legitimate business purposes (including providing services to you and operating our Sites), in accordance with applicable law. In addition, we may disclose your Personal Data to individuals or organizations outside the JPMorgan group such as the following:
- you and, where appropriate, your family, your associates and your representatives;
- governmental, legal, regulatory, or similar authorities, ombudsmen, and central and/or local government agencies, upon request or where required, including for the purposes of reporting any actual or suspected breach of applicable law or regulation;
- accountants, auditors, financial advisors, lawyers and other outside professional advisors to JPMorgan, subject to binding contractual obligations of confidentiality;
- third party Processors (such as payment services providers; shipping companies; etc.), located anywhere in the world, subject to the requirements noted below in this Section 3;
- any relevant party, claimant, complainant, enquirer, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights in accordance with applicable law;
- any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security in accordance with applicable law; and
- any relevant third party acquirer(s), in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation).
If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data; together with any additional requirements under applicable law.
4. International transfer of Personal Data
Because of the international nature of our business, we may need to transfer your Personal Data within the JPMorgan group, and to third parties, in connection with the purposes set out in this Notice. We may transfer your Personal Data to other countries that have different laws and data protection compliance requirements, including data protection laws of a lower standard to those that apply in the country in which you are located. Such transfers are made on the basis of:
- adequacy decisions,
- our Binding Corporate Rules,
- suitable Standard Contractual Clauses, or
- other valid transfer mechanisms.
If you want to know more about the safeguards applied to international transfers of personal data, please use the contact details provided in Section 8 below.
5. Data Security
We have implemented appropriate technical and organizational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of Processing, in accordance with applicable law.
6. Data Accuracy, Minimisation and Retention
We take reasonable steps to ensure that the Personal Data we Process is limited to what we require in connection with the purposes set out in this Notice; it is accurate and, where necessary, kept up to date; and it is erased or rectified without delay if it is inaccurate. From time to time we may ask you to confirm the accuracy of your Personal Data.
We will retain copies of your Personal Data in a form that permits identification for as long as we deem necessary in connection with the purposes set out in this Notice, unless applicable law requires a longer retention period.
7. Your legal rights
Subject to applicable law, you may have a right to one or more of the following with respect to your personal information we process or control:
- request access to, or copies of, your personal information, together with details about how we process it;
- request rectification of any inaccuracies;
- request erasure or restriction of Processing;
- object to processing by us or on our behalf;
- have personal information transferred to another party;
- withdraw consent to processing; and
- lodge complaints with a data protection authority regarding any processing by us or on our behalf.
To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Notice, or about our Processing of your Personal Data, please use the contact details provided in Section 8 below.
8. Contact details
If you have any comments, questions or concerns about any of the information in this Notice, or any other issues relating to the Processing of Personal Data by JPMorgan, please contact:
Global Privacy Office, JPMorgan Chase & Co.
270 Park Avenue, New York, NY 10017
email: jpmc_cpo@jpmchase.com
If you would like to contact the J.P. Morgan Data Protection Officer, please send an email to EMEA.Privacy.Office@jpmchase.com.
9. Defined terms
Controller | The entity that decides how and why Personal Data is Processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws. |
Data Protection Authority | An independent public authority that is legally tasked with overseeing compliance with applicable data protection laws. |
Personal Data | Information that is about any individual, or from which any individual is identifiable. |
Process or Processed or Processing | Anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Processor | Any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller). |
Sensitive Personal Data | Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, or any other information that may be deemed to be sensitive under applicable law. |