Additional Privacy Notice for INSEAD Employees
This additional Privacy Notice for INSEAD Employees (“Privacy Notice”) should be read in conjunction with INSEAD’s Personal Data Protection Charter.
This additional Privacy Notice applies to all individuals who are employees (faculty and staff), ex-employees, agency staff, contractors, freelancers, secondees and non-executive directors, hereinafter collectively referred to as “employee(s)”, regardless of their location. However the Personal Data INSEAD will process about an employee will vary depending on specific role and personal circumstances.
INSEAD requires to process and retain certain personal data relating to you, by virtue of your being an employee of INSEAD.
Sources of Data
The personal data INSEAD holds about you is obtained from a number of sources, including the following:
- Information you have provided to INSEAD as part of your hiring process or during your career at INSEAD
- Information you have provided to an employment agency as part of your hiring process
- Information you have provided to your employer if you are a secondee
- Information provided from referees, either external or internal
- Information provided by Occupational Health and other health providers as may be applicable
- Information provided by pension administrators or generally public authorities including tax authorities and other institutions as may be applicable
- Information provided by your trade union if any
- Information provided by providers of employees benefits as may be applicable
- CCTV images
What Personal Data INSEAD processes
Personal data about employees is processed in different data systems of INSEAD and manually.
INSEAD processes the following data:
- Personal details and identification data e.g. name, surname, given employee number, address, gender, nationality, native language, chosen language, personal identity number, copies of passport or identity documents, date of birth, CV;
- Contact details e.g. email, phone number, both personal and profession;
- Badge details, credential and access to resources
- Family, lifestyle, social circumstances if relevant, e.g. marital status, emergency contact;
- Employment and education history e.g. qualifications, copy of diplomas and certifications, job application, employment references, right to work information and details of any criminal convictions that you declare;
- Financial details, e.g. bank details;
- Location of employment, e.g. Europe Campus;
- Details of any secondary employment, political declarations, conflict of interest declarations or gift declarations;
- Specific conditions requesting tailored support;
- Feedback collected through the surveys, if this data is not anonymised;
- Salary, pensions and benefits
- Job role and employment contract e.g. start and leave dates, salary (including grade and salary band), any changes to your contract, working pattern;
- Details time spent working and any overtime, expenses or other payments claimed;
- Details of any leave e.g. sick leave, holidays, special leave;
- Pension details e.g. state pension, additional pension schemes;
- Payroll records and tax status;
- Maternity, paternity, adoption leave and pay.
- Performance, training and monitoring
- Performance at work e.g. probation reviews, promotions;
- Complaints, grievance and dignity at work matters and investigations to which you may be a party or witness when applicable;
- Breaches and alleged breaches of INSEAD policies and generally documents related to disciplinary action taken against an employee e.g. investigations, hearings, warnings, penalties issued;
- Whistleblowing concerns raised by you, or to which you may be a party or witness, subject to specific confidential provisions as described in the whistleblowing policy
- Training history and development needs;
- Information derived from monitoring IT acceptable use standards and policies;
- Photos, video recording and CCTV images.
- Health and wellbeing and other special category data
- Health and wellbeing data provided by you or obtained from health checks, eye examinations, occupational health referrals and reports, sick leave forms, health management questionnaires or fit notes;
- Accident records in case of accident at work.
Purposes of Processing
INSEAD requires to process the personal data it collects about you for the purpose of performing your employment contract and to execute all the administrative and ancillary tasks. This includes but is not limited to the following:
- Carry out the employment contract in place, provide access to internal services and resources required for your role and manage the human resources processes;
- Payment of salary, pension and other employment related benefits, as well as administration of statutory and contractual leave rights e.g. holidays, maternity leave;
- Meet development needs and provide training;
- Ensure the health, safety and wellbeing of our employees and community, and provision of advice and support to employees, including welfare, health and counselling;
- Assess employees’ performance, conduct pay and grading reviews, evaluate compliance with INSEAD policies and procedures and manage behavioural or disciplinary issues, complaints and litigations;
- Management and administration of INSEAD’s property and resources (including access to INSEAD’s locations and IT systems and preventing and detecting crime e.g. by use of video surveillance or access monitoring);
- Comply with our legal and regulatory obligations;
- Collect data, records and statistics for research purposes and/or optimize resources and processes;
- Publicity and marketing including the use of images and photographs;
- Organization of in person and virtual events.
Legal Basis for Processing your Personal Data
The right of INSEAD as the data controller to process personal data about employees is based on a number of legal basis that legitimise its processing activities. Given the wideness and ramifications of matters for which INSEAD processes your personal data to provide the relevant academic services, the majority of INSEAD’s processing activities in are based upon the following grounds:
- To fulfil the employment contract (Art. 6.1(b) GDPR): If you have accepted an offer to become an employee of INSEAD you have entered into an agreement with INSEAD.
- To perform tasks carried out in order to protect your vital interests or those of another person (Art. 6.1 (d) GDPR), the public interest (Art. 6.1(e) GDPR) or INSEAD’s legitimate interest (Art. 6.1 (f) GDPR): INSEAD may process personal data to carry out certain functions required to operate as an employer and academic institute. This includes for example ensuring health and safety of the INSEAD community; processing related to teaching, examining, promoting research, granting of awards, disciplining and collaborating with other institutions.
- Compliance with a Legal Obligation (Art. 6.1(c) GDPR): Sometimes INSEAD may need to process your personal data to comply with a legal obligation imposed upon INSEAD.
- Your Consent (Art. 6.1(a) GDPR): Some processing may trigger your explicit consent. In such cases, your consent will be sought as and when required. You have the right to withdraw consent at any time without prejudice to your status within INSEAD.
Special category of Personal Data
INSEAD does not process sensitive data on a regular basis. However, from time to time, INSEAD may be requested to process special category of Personal Data is data, e.g. health data. In such cases, the additional legal bases for processing may be:
- Carry out obligations and exercise rights in employment, and safeguard your fundamental rights (Art. 9.2 (b) GDPR);
- Protect your vital interests or those of another person where incapable of giving consent (Art. 9.2 (c) GDPR);
- Preventative or occupational medicine and assess working capacity as an employee (Art. 9.2 (h) GDPR);
- Establishment, exercise or defence of legal claims (Art. 9.2 (f) GDPR);
- Archiving purposes in the public interest (Art 9.2 (j) GDPR).
Retention of Your Personal Data
Once you become an employee, INSEAD retains your personal data in line with INSEAD’s data retention policy. Where some of your Personal Data are no longer needed, these will be securely deleted from the systems. Please note that once you have enrolled as an employee, some personal data will be retained on a permanent basis.
Personal Data Sharing
In some circumstances INSEAD may be requested by law to share information, e.g. by government agencies, courts, external auditors, or tax authorities. INSEAD will only share these data as needed and required.
For other information on INSEAD’s processing activities, including your rights, the third parties your personal data may be shared with and the relevant contact details please refer to INSEAD’s Personal Data Protection Charter.
Last update: 4 February 2021