Privacy & Security
Last updated April 12, 2023
Under the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations (the “CCPA”), as modified by the California Privacy Rights Act (the “CPRA”), California residents who are employees and job applicants of Exchange Bank, referred to as “the Bank,” have the right to know what categories of personal information the Bank collects about them and how the Bank uses, discloses and retains personal information collected. References to “we” in this Privacy Notice mean the Bank.
As used in this Privacy Notice, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information includes, but is not limited to, the categories of personal information identified below if such information identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household.
The following provides appropriate details on the categories of Personal Information that we have collected about Employees and Applicants in the last 12 months and the purposes for which we collect them:
- Identifiers, such as name, government-issued identifier (e.g., Social Security number (SSN)) and unique identifiers (e.g., employee ID);
- Personal information, such as name, signature, SSN, address, telephone number, passport number, driver’s license or state identification card number, federal identification authorizing work in the United States, access and/or passcodes, insurance policy number, education, employment, employment history, bank account number, other financial information, medical information or health insurance information;
- Characteristics of protected classifications under California or federal law, such as age, marital status, gender, sex, race, color, disability, citizenship, primary language, immigration status, military/veteran status, request for leave and medical conditions;
- Commercial information, such as transaction information and purchase history (e.g., in connection with expense reimbursements, or business-related purchases);
- Internet or network activity information, such as browsing history and interactions with our online systems and websites and any personal information that you provide while accessing the Company’s computer systems;
- Geolocation data, such as device location from using the Company’s devices;
- Biometric information, such as photo facial images;
- Audio, electronic, visual, and similar information;
- Professional or employment-related information, such as work history, prior employers, data submitted in job applications, professional licenses, degrees, background checks, performance and disciplinary records, compensation, benefits and leaves of absence information;
- Non-public education information;
- Inferences drawn from any of the personal and sensitive personal information listed above to create a profile or summary about, for example, an individual’s behavior and abilities.
Where we collect your information from:
- Prior employers, references, recruiters and job-related social media platforms;
- Third-party companies, such as background check companies and licensing and credentialing organizations;
- Claim administrators and investigators.
Depending on the Bank’s interactions with you, we may or may not collect all of the information identified about you.
How your personal and sensitive information is used:
- Recruiting, hiring and retaining employees.
- Collecting and processing employment applications, including confirming eligibility for employment, background and related checks, and onboarding.
- Employee benefit plan and program administration.
- Leave of absence administration.
- Compensation administration and compliance, including payroll, bonuses, reimbursements, etc.
- Maintaining personnel records and complying with record retention requirements.
- Communicating with employees and/or employees’ emergency contacts and plan beneficiaries.
- Administering and securing the use of the company’s property and resources, including the company’s information systems, electronic devices, network and data, and preventing unauthorized access of such.
- Workplace health and safety compliance.
- Ensuring employee productivity and adherence to the policies.
- Investigating complaints, grievances and suspected violations of policy.
- Complying with applicable state and federal laws, including labor, employment, tax, benefits, workers compensation, disability, equal employment opportunity, workplace safety and related laws.
- Exercising and defending legal claims.
Exchange Bank may or may not use personal and sensitive personal information about you for each of the above purposes.
Disclosure or sale of personal information
Exchange Bank has not sold or shared Personal Information of employees or applicants for monetary or any other valuable consideration within the preceding 12 months. Exchange Bank only shares your personal information with third-party service providers to the extent necessary to administer employee benefits, payroll, tax processing and health insurance, and to manage human resource activities. The Bank may share your personal information when required by law with federal or state regulatory agencies, law enforcement, courts and other governmental authorities.
Retention of personal information
Exchange Bank retains Personal Information from Employees and Applicants as needed to fulfill the purpose(s) for which it was obtained, and as long as necessary to satisfy compliance requirements and applicable laws.
Your rights under CPRA/CCPA
You have the right to request that we disclose what personal information we collect, use, disclose and sell. If you wish to submit a verifiable request for personal information we collect, use, disclose or sell, you may submit requests using one of the designated methods described below. Once we receive and confirm your verifiable request, we will provide the following, subject to applicable exemptions and exceptions:
- The categories of personal information we collected about you
- The categories of sources from which the personal information was collected
- The categories of personal information that the business disclosed for a business purpose about you
- The categories of third parties to whom the personal information was disclosed for a business purpose
- The business purpose for collecting or selling personal information
You have the right to request the correction or deletion of any personal information about you which we have collected or maintained. If you wish to submit a request to delete or correct the personal information we collected or maintain about you, you may submit requests using one of the designated methods described below. Once we receive and confirm your verifiable request, we will delete or correct (and direct our service providers to delete or correct) your information, subject to applicable exemptions and exceptions.
We will acknowledge receipt of your request and advise you how long we expect it will take to respond if we are able to verify your identity. If you submit a request on behalf of another person, we may require proof of authorization and verification of identity from the person for whom you are submitting the request.
In some instances, we may not be able to honor your request if we cannot verify your identity or if we cannot verify that you have authorization to make the request. We will not honor requests where an exception applies or the personal information is not subject to the CPRA’s access or deletion rights. We will advise you in our response if we are unable to honor your request. We will work to process all verified requests within 45 days pursuant to the CPRA and if we need an extension for up to an additional 45 days to process your request, we will provide you an explanation for the delay.
You may submit a request by one of the following designated methods:
- By submitting your request in writing via email at HumanResources@exchangebank.com; or
- By calling the Human Resources department at 1.707.524.3070
You may only make a verifiable request twice within a 12-month period and the request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Non-Discrimination for exercising your privacy rights
You have a right not to receive discriminatory treatment by us for the exercise of any privacy rights conferred by the California Privacy Rights Act.
Changes to our privacy notice
We may change or update this disclosure from time to time. When we make a change, we will post the revised Disclosure on https://www.exchangebank.com/privacy-security/ with a new “Last Updated” date.
Contact us for more information
If you have any questions regarding this Privacy Notice, please contact HumanResources@exchangebank.com.