Privacy Policy
GLOBAL EXCLUDING CHINA
ALUMNI NETWORK WEBSITE DATA PROTECTION NOTICE
Effective: 24 April 2024
I. INTRODUCTION
Thank you for making a connection and requesting to join our Alumni Network Website.
This Alumni Network Website Data Protection Notice (“Notice”) has been prepared to outline how Bank of America N.A., and each other affiliate or subsidiary (“affiliate”) of Bank of America Corporation (collectively, “the Company”, “we”, “us”, or “our”) collect, use, store, transfer and otherwise process individually identifiable information about Alumni (“Personal Data”) who visit or use the Bank of America Alumni Network Website. For the purposes of this Notice, “Alumni” means any individual who is a former employee of the Company who has retired or left in good standing as determined by us and limited to use of this site. The Company may also provide to Alumni additional data protection or privacy notices from time to time.
California residents covered by the California Consumer Privacy Act may have additional rights. To learn more, California residents can reference the California Consumer Privacy Act Notice for additional information.
In the event this Notice is provided to an Alumni in a language other than English, any discrepancy, conflict or inconsistency between the two language versions shall be resolved in favor of the English version, subject to applicable law.
Please access the following link for Data Protection Notices in languages other than English: ALUMNI NETWORK WEBSITE DATA PROTECTION NOTICE
II. PERSONAL DATA COLLECTION AND PURPOSES OF USE
Participation in the Alumni Network Website requires the Company to collect Personal Data that is directly relevant to its business, required to meet its legal obligations, or otherwise permissible to collect under applicable law. Listed in Appendix A of this Notice are the categories of Personal Data that we collect and the purposes for which we use the data that we collect, except where restricted by applicable law. We receive Personal Data from you and from other sources, including public sources. To join the Network, you must first acknowledge the Data Protection Notice by checking the confirmation box when creating your account. Checking this box indicates that you are providing consent for your information to be displayed and shared, and for the program to use your contact information.
We collect and process Personal Data about you: (i) because we are required or permitted to do so by applicable law, (ii) because such information is necessary for membership of the Alumni Network, (iii) because such information is of particular importance to us and we have a specific legitimate interest under law to process it, (iv) where the Personal Data is necessary for the establishment, exercise or defense of legal claims, or (v) where necessary, we obtain consent of Alumni for collection and processing of Personal Data.
If you do not provide certain categories of Personal Data, the Company may not be able to accomplish some of the purposes outlined in this Notice and we may not be able to grant you membership.
III. COOKIES AND TRACKING TECHNOLOGY
Non-essential and essential cookies are collected on some websites and mobile applications that the Company uses. Please refer to the following policy.
This site may leverage technology to collect information on where Alumni are located, which in turn may be used to present job openings, volunteer activities and other opportunities to participate in the Alumni Network. See Section VI for information on how you can delete your personal data.
Industry standards continue to evolve around web browser "do not track" signals or configurations set in your internet browser. Bank of America captures opt out preference signals, and to the extent users have rights under applicable law, treats them as valid requests to opt out of sale/sharing at the browser level.
We may use third-party providers to process personal information for business purposes on our behalf. Third-party providers are contractually obligated to comply with our policies to protect information we share with them or they collect on our behalf.
IV. DISCLOSURE
To the extent permitted by applicable law and as appropriate to achieve the purposes described in this Notice, Personal Data may be disclosed by the Company as follows:
Given the global nature of the Company’s activities, the Company may (subject to applicable law) transmit Personal Data to other Bank of America affiliates or operations located in other jurisdictions, including the United States or other jurisdictions where data protection laws may not provide an equivalent level of protection to the laws in the Alumni’s home jurisdiction. A listing of affiliates belonging to the Bank of America Corporation group can be provided upon request using the contact information provided in the Questions section of this notice.
The Company may disclose in accordance with applicable law relevant Personal Data to certain third parties in connection with the provision of services to the Company. Where the processing of Personal Data is delegated to a third party data processor, such as those listed in Appendix A, the Company will delegate such processing in writing, will choose a data processor that provides sufficient guarantees with respect to technical and organizational security measures, such as data protection and information security requirements, governing the relevant processing and will ensure that the processor acts on the Company’s behalf and under the Company’s instructions.
Personal Data also may be disclosed, where permitted by applicable law, in connection with a corporate restructuring, sale, or assignment of assets, merger, divestiture, or other changes of the financial status of the Company or any of its subsidiary or affiliated companies.
V. SECURITY
The Company maintains appropriate technical and organizational measures designed to protect against unauthorized or unlawful processing of Personal Data and/or against accidental loss, alteration, disclosure or access, or accidental or unlawful destruction of or damage to Personal Data.
VI. ACCESS, PORTABILITY, RECTIFICATION AND SUPPRESSION, LIMITATION AND RESTRICTION OF PROCESSING AND ACCURACY OF PERSONAL DATA
Alumni are entitled to access Personal Data held about them (with the exception of any documents that are subject to legal privilege, that provide Personal Data about other Alumni, or that otherwise are not subject to data subject access rights). Any Alumni who wishes to access their Personal Data or (where permitted under applicable law) request portability of their data should contact a member of the Alumni Network Program Office using the contact information set out in the Questions section below.
To the extent required by applicable law, Alumni have the right to have inaccurate data corrected or removed (at no charge to the Alumni and at any time) or to limit or restrict processing of their data.
To assist the Company in maintaining accurate Personal Data, Alumni must ensure they keep their Personal Data up to date on the Company’s Alumni portal. In the event that the Company becomes aware of any inaccuracy in the Personal Data it has recorded, it will correct that inaccuracy at the earliest practical opportunity.
To the extent available under applicable law, Alumni may also have the following rights (including but not limited to):
- to request a copy of Personal Data held by the Company (as part of an access request above);
- to request further information or complain about the Company’s practices and processes regarding their Personal Data;
- to object to, withdraw consent to, restrict, or request discontinuance of collection, use, disclosure and other processing of their Personal Data as described in this Notice and to request deletion of such Personal Data by the Company.
For all inquiries, Alumni should contact a member of the Alumni Network Program Office using the contact information set out in the Questions section below. Under applicable law, in certain circumstances, the Company may be exempt from or entitled to refuse the above requests or rights. Certain additional terms and conditions may be applicable to process requests or rights, such as requiring communications to be in writing or requiring proof of identity.
VII. MODALITIES OF THE PROCESSING AND DATA RETENTION
The Company does not use automated decision making on Alumni processes. ‘Automated decision-making’ is the process of making a decision by automated means without any human involvement.
Collection, use, disclosure, transfer and other processing, including storage, of Personal Data may be by electronic or manual means, including by hard-copy or soft-copy documents or other appropriate technology. Personal Data may be stored in an Alumni’s home jurisdiction and/or other jurisdictions in which the Company has operations.
The Company will maintain Personal Data for as long as it is required to do so by applicable law(s) or for as long as necessary for the purpose(s) of use and processing in Section II, whichever is longer (“the retention period”). Any maximum storage term set forth by applicable law will prevail. The Company will delete Personal Data after the applicable retention period. The retention periods for each type of data and jurisdiction are outlined on the Global Records Retention Schedule, available upon request.
The criteria used to determine our retention periods include:
- As long as we have an ongoing relationship with the Alumni;
- As required by a legal obligation to which we are subject;
- As advisable in light of our legal position (such as in regard of applicable statutes of limitations, litigation, or regulatory investigations);
- The time period necessary to achieve the purpose of use and processing.
VIII. QUESTIONS
Should any Alumni have any questions, concerns or complaints about this Notice, please contact the Data Protection Officer using the contact details below. For individual rights, please contact the Alumni Program via email: alumni.network@bofa.com.
In certain countries, if you have additional queries about the way in which the Company processes your Personal Data more broadly you may contact the local Data Protection Officer using the following contact details:
All regions: DPO@bofa.com
Brazil: Sandra Ornelas
Avenida Brigadeiro Faria Lima, 3400 - 12º Anda CEP 04538 - 132 - São Paulo, SP
Telephone: +55 (11) 2188-4000
Germany: DatenschutzBAMLFrankfurt@bofa.com
Switzerland: Frank Bessoles
c/o Nicole Busslinger-Roch
Bank of America Europe Designated Activity Company, Dublin, Zurich Branch
STOCKERHOF
STOCKERSTRASSE 23
ZURICH, 8002 Switzerland
Alumni may have the right to lodge a complaint with the local Data Protection authority.
IX. CHANGES TO THIS NOTICE
Should the Company substantially modify the manner in which it collects or uses Personal Data, the type of Personal Data it collects or any other aspect of this Notice, it will notify Alumni as soon as reasonably possible by reissuing a revised Notice or taking other steps in accordance with applicable laws including obtaining Alumni consent where required.
X. JURISDICTION-SPECIFIC CLAUSES
AUSTRALIA
All reasonable steps are taken to ensure security, privacy and integrity of any Personal Data transferred to recipients outside Australia. However, the Company must rely on your consent to transfer Personal Data to unaffiliated third-party recipients outside Australia. You acknowledge that, prior to your consent to transfers of Personal Data to unaffiliated third party recipients outside Australia (other than service providers), the Company has expressly informed you that it is a consequence of such consent that, if any such overseas recipient handles the Personal Data in breach of the Privacy Act 1988 (Cth) (“Privacy Act”), the Company is not accountable under the Privacy Act and you may not be able to seek redress under the Privacy Act or in the overseas jurisdiction.
BRAZIL
The Lei Geral de Proteção de Dados Pessoais (LGPD) has implemented new rights in addition to those listed in Section VII:
- To receive information about the consequences of denying consent;
- To request anonymization, blocking, or deletion of unnecessary or excessive personal data;
- To request information about entities with which the company has shared personal data; and
- To request review, by a natural person, of decisions taken solely on the basis of automated processing of personal data that affects the Alumni’s interests.
Under applicable law, in certain circumstances, the Company may be exempt from or entitled to refuse the above requests or rights. Certain additional terms and conditions may be applicable to process requests or rights, such as requiring communications to be in writing or requiring proof of identity.
EEA / UK / Switzerland
Given the global nature of the Company’s activities, the Company may transfer your Personal Data to countries located outside of the European Economic Area (“EEA”), the UK or Switzerland. With regards to transfers from the EEA, UK or Switzerland to other countries, we have put in place adequate measures, such as standard contractual clauses adopted by the European Commission to protect your information. Where necessary we added the UK SCC addendum (for transfers from UK) and/or additional clauses for Switzerland (for transfers from Switzerland). Alumni in the EEA, UK or Switzerland may obtain a copy of these measures by going to https://commission.europa.eu/law/law-topic/data-protection_en
Where countries are considered adequate by the EU, UK and Switzerland respectively, we rely on this adequacy decision as a safeguard. Countries that are subject to an adequacy decision can be found on the links below.
For Switzerland: https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/arbeit_wirtschaft/datenuebermittlung_ausland.html
Individuals may also file a complaint with a supervisory authority competent for their relevant country or region. A list of data protection authorities in the EEA is available at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080. The data protection authority in the UK is the Information Commissioner’s Office (the ICO) and in Switzerland it is the Federal Data Protection and Information Commissioner (FDPIC).
FRANCE
Under French law, in addition to the above, Alumni shall have the right to set guidelines regarding the retention, erasure and disclosure of their Personal Data after their death.
PHILIPPINES AND SINGAPORE
To the extent required by applicable law, certain authorized individuals may exercise the rights mentioned in Section VII on behalf of a deceased Alumni. In furtherance of data protection and security, the Company may apply additional terms and conditions to process requests or rights made by individuals other than the deceased Alumni, such as requiring proof of legal authority to validly act on behalf of the deceased Alumni. Authorized individuals that seek to exercise these rights may contact a member of the Alumni Program using the contact information set out in Section IX.
SOUTH AFRICA
Where Personal Data is transferred by the Company outside of South Africa, the Company will address any applicable requirement to assure an adequate level of data protection before transferring Personal Data by assuring the implementation of binding corporate rules or the execution of appropriate data transfer agreements conforming to the European Union Standard Contractual Clauses. In terms of POPIA, Alumni are entitled to approach the South African courts and can lodge a complaint with South Africa’s information regulator in respect of any alleged interference with the protection of their Personal Data. The contact details of South Africa’s information regulator are as follows:
Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email address: complaints.IR@justice.gov.za
TAIWAN
See Annexures 1 and 2 for a list of the relevant standard purposes of use and types of personal data as prescribed by the Ministry of Justice.
TURKEY
As per Article 11 of the Data Protection Law (Law No. 6698) your rights regarding protection of your personal data are as follows:
- To know whether or not personal data is processed
- To request information if personal data is processed
- To know the purpose of processing personal data and whether or not the data is being processed in accordance with these purposes
- To know of any third parties where personal data is transferred to within Turkey or abroad, to request correction of personal data if it is incomplete or inaccurately processed, and to request notification of such correction if the personal data is being transferred
- To request the deletion or destruction of the personal data in case the legal ground or reasons requiring the processing of the data no longer exist and to request notification of such deletion or destruction if the personal data is being transferred
- To object to negative results that occurred through fully automated processing of personal data
- To request compensation in case of loss due to unlawful processing of personal data.
To exercise the rights mentioned above in connection with your personal data, please contact the Company (refer to Section IX for details), or deliver your request by hand or through a notary public with your identification documents and original signature. Your request will be finalized as soon as possible and at the latest within 30 (thirty) days after the receipt of the relevant documents. If your application is rejected, you can apply to the Personal Data Protection Board within 30 days and at the latest 60 days in accordance with Article 14 of the Data Protection Law (Law No. 6698).
Given the global nature of the Company’s activities, the Company may transfer your Personal Data to countries located outside of Turkey. Any such transfers will be undertaken in accordance with the Law on the Protection of Personal Data numbered 6698.
UNITED ARAB EMIRATES
International Transfers of Personal Data
With regards to transfers from the DIFC to other countries, we have put in place suitable safeguards, such as standard contractual clauses, adopted by the DIFC to protect your information. Alumni in the DIFC may obtain a copy of these measures by following these links: https://www.difc.ae/business/operating/data-protection/adequate-data-protection-regimes/
Consent of the Notice
I have read the “Alumni Network Data Protection Notice” describing the collection, processing and use of my Personal Data by the Company, and the international transfer of my Personal Data (including to jurisdictions where data protection laws may not provide an equivalent level of protection to the laws of my home jurisdiction) during the course of enrolment into the network. By voluntarily submitting my Personal Data, I explicitly consent to the processing as set out in this Notice.
Appendix A
The table below contains the purpose for which we may process your personal data, the types of processing activities that may take place and the category of personal information that would be used for such processing as well as the legal basis for the processing. More information is listed below the table about the personal information categories.
Purpose | Examples of Processing Activities | Personal Information Categories | Legal Basis |
Alumni Network | | | Consent |
*Personal Data marked with an asterisk in this Section is mandatory for Alumni to provide to the Company. It is voluntary for Alumni to provide other types of Personal Data and information about themselves. Some of the personal data listed above may be shared, collected, used, transferred and/or disclosed in line with country-specific laws/regulations.
The Categories Of Unaffiliated Third Parties With Whom We May Share Personal Data
Categories of third parties | Personal Data | Purpose of processing your Personal Data | Destination Countries |
Event Vendors | Personal Details: Name*, Profile Photo, Current Location*, Postal Address, State*; Professional Details: Employment Status*, Current Company* and Industry; Contact Information: Email Address*, LinkedIn Profile, Phone Number | For use in planning events and communicating with members of the Bank of Alumni network | Globally where we have presence |
Annexure 1
Relevant Standard Purposes for Personal Data Protection Act as prescribed by Ministry of Justice
Code | Purpose Type | 目的項目 |
(001) | personal insurance | 人身保險 |
(002) | human resources management | 人事管理 |
(003) | arrival, departure and immigration | 入出國及移民 |
(031) | national health insurance, labor insurance, farmers insurance, national pension insurance or other social insurances | 全民健康保險、勞工保險、農民保險、國民年金保險或其他社會保險 |
(059) | the collection, process and use by financial service enterprises according to laws and regulations and for the need of financial supervision | 金融服務業依法令規定及金融監理需要,所為之蒐集處理及利用 |
(060) | financial dispute resolution | 金融爭議處理 |
(061) | financial supervision, management and examination | 金融監督、管理與檢查 |
(063) | the collection, process and use of personal information by non-government agency for fulfillment of regulatory obligations | 非公務機關依法定義務所進行個人資料之蒐集處理及利用 |
(064) | health and medical services | 保健醫療服務 |
(069) | contractual, quasi-contractual or other legal relationship affairs | 契約、類似契約或其他法律關係事務 |
(090) | consumer and customer management and services | 消費者、客戶管理與服務 |
(104) | billing management and credit transaction business | 帳務管理及債權交易業務 |
(114) | labor administration | 勞工行政 |
(120) | tax administration | 稅務行政 |
(129) | accounting and relevant services | 會計與相關服務 |
(136) | information (tele-) communication and database management | 資(通)訊與資料庫管理 |
(137) | information (tele-) communication security and management | 資通安全與管理 |
(150) | auxiliary and back-office supporting management | 輔助性與後勤支援管理 |
(154) | credit checks | 徵信 |
(157) | investigation, statistics and research analysis | 調查、統計與研究分析 |
(166) | securities, futures, securities investment trust and consulting relevant business | 證券、期貨、證券投資信託及顧問相關業務 |
(168) | passport, visa, and verification documents processing | 護照、簽證及文件證明處理 |
(173) | the supervision and management of target enterprises by other government agencies | 其他公務機關對目的事業之監督管理 |
(177) | other financial management business | 其他金融管理業務 |
(181) | other business conducted under the business registration items or organizational articles of incorporation | 其他經營合於營業登記項目或組織章程所定之業務 |
(182) | other advisory and consulting services | 其他諮詢與顧問服務 |
Annexure 2
Relevant Data Types for Personal Data Protection Act as prescribed by Ministry of Justice
Code | Data Type | 資料項目 |
1. Identification category 識別類 | ||
(C001) | for identification of individual | 辨識個人者 |
(C002) | for identification of finance | 辨識財務者 |
(C003) | for identification in government document | 政府資料中之辨識者 |
2. Characteristic category 特徵類 | ||
(C011) | individual description | 個人描述 |
(C012) | description of bodies | 身體描述 |
(C014) | characteristic – the comment or opinion on characteristic, etc | 個性 - 例如:個性等之評述意見 |
3. Household status 家庭情形 | ||
(C021) | household status | 家庭情形 |
(C023) | details of other members in the family | 家庭其他成員之細節 |
(C024) | other social relations – friend, colleague and other non-family relationship etc | 其他社會關係 - 例如:朋友、同事及其他除家庭以外之關係等 |
4. Social status 社會情況 | ||
(C031) | residence and facilities | 住家及設施 |
(C032) | properties | 財產 |
(C033) | immigration status | 移民情形 |
(C034) | travel and other transportation details | 旅行及其他遷徙細節 |
(C035) | recreational activities and interests – the hobbies, sports and other entertainments, etc | 休閒活動及興趣 - 例如:嗜好、運動及其他興趣等 |
(C038) | occupation | 職業 |
5. Education, examination and election, techniques or other professions 教育、考選、技術或其他專業 | ||
(C051) | academic records | 學校紀錄 |
(C052) | qualification or techniques | 資格或技術 |
(C053) | occupational group member qualification | 職業團體會員資格 |
(C054) | occupational expertise | 職業專長 |
(C057) | record of students (members) and examination takers | 學生(員)、應考人紀錄 |
6. Employment status 受僱情形 | ||
(C061) | current employment status | 現行之受僱情形 |
(C062) | employment history | 僱用經過 |
(C063) | jobs leaving history | 離職經過 |
(C064) | work experiences | 工作經驗 |
(C065) | work, travel and attendance records | 工作、差勤紀錄 |
ALUMNI DATA PROTECTION NOTICE
April 2024 ©2024 Bank of America Corporation