We are deeply committed to protecting the privacy of your personal information. This privacy statement describes what personal information we collect and use, how we collect and use it, and the purposes for which we use it. This privacy statement also provides information about your rights with respect to our use of your personal information. This privacy statement applies to personal information we collect online and offline. Our goal is to always be honest, fair and transparent about how and why we use your personal information.
In this privacy statement, ‘personal information’ means your personal data – i.e., information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household. We may also refer to ‘processing’ your personal information, which includes collecting, handling, protecting and storing it.
This privacy statement also contains information about when we share your personal information with our affiliated entities and with other third parties (for example, our service providers). This privacy statement does not apply to our personnel, who are covered by our internal notices, policies and procedures.
We may collect and use your personal information in physical and electronic form, and will hold, use and otherwise process that information in compliance with applicable data protection laws and regulations and as set out in this statement.
When we provide products and services to our clients we may process personal information about you. We may also collect personal information from you when you use our websites.
We collect personal information from the following categories of sources:
The categories of personal information we process may include your:
We do not intend to collect personal data relating to your health information. With the exception of our subsidiary Discovery Data, Inc., we do not intend to collect personal data relating to your religious beliefs or political affiliations.
If you choose not to provide, or object to us processing, the information we need to collect for statutory or contractual purposes (including entering into a contract), we may not be able to process your instructions or continue to provide some or all of our products and services to our clients.
We may receive personal information about you from our clients, partners, vendors, or other third parties. In some cases, such parties may collect personal information on our behalf, in which case we require them to comply with the relevant privacy laws and regulations. This may include, for example, placing the responsibility on the client or other third party to inform you of the processing of your personal information and to obtain any necessary permission for us to process your personal information as described in this privacy statement.
If you provide us with any personal information that relates to a third party (such as a spouse, child, or joint account holder), you confirm that you have obtained any necessary permission to use such information or are otherwise permitted to give it to us and that we may use that information in accordance with this privacy statement without breaching applicable data protection laws and regulations. Do not provide us with such information absent the necessary permission.
In general, we process your personal information so we can provide products and services to our clients, conduct other business activities (such as management of our client accounts) and meet our legal or regulatory obligations. We may also use your personal information for marketing purposes with your consent or where applicable data protection laws and regulations otherwise allow.
We use your personal information for various purposes, including:
To communicate with you
We will use your personal information to communicate with you about our products and services, including responding to your inquiries, sending you newsletters, contacting you with information about our events, contacting you about surveys, and for marketing and advertising purposes.
To provide products and services to our clients
We will use your personal information to provide our clients or other third parties with products and services, and this includes using your personal information in communications relating to those products and services. For example, we might collect and use personal information about a potential or actual client’s employees or customers, officers or directors of companies, investment advisors, or other business contacts to:
For other activities that form part of the operation of our business
We may also, for example, use your personal information in connection with:
We may also de-identify or anonymise your personal information and combine it with other such information to create aggregated, de-identified or anonymised information which we may share with third parties for several purposes, including data analytics, research, submissions, thought leadership and promotional activity.
Collected from our website
We may, for example, use your personal information that we have collected from our website:
Depending on what personal information about you we have and the context in which we obtain it, we rely on one or more of the following lawful grounds for processing your personal information:
To the extent that we process any special categories of personal information relating to you for any of the purposes outlined above, we will do so because:
In connection with our processing of your personal information as described above, we may share your personal information with the following third parties, for the purposes described:
We disclose the following categories of information for our or our service providers’ operational purposes, or other purposes described in this Privacy Statement:
We do not engage in sales of the personal information of minors under 16 years of age without affirmative authorization.
We may also disclose the following categories of information for commercial purposes (i.e., these arrangements may be deemed to be “sales” under some applicable laws):
Certain ISS entities may engage third-party services (e.g., Facebook, LinkedIn, Google) to advertise on our behalf on other websites. Through such ad services, we can retarget our messaging to users of our websites on other webpages and applications through interest-based and contextual means. These services track your online activities over time and across multiple websites by collecting information through automated means, including through the use of third-party cookies, web server logs and web beacons. The ad services use this information to show you ads that may be tailored to your individual interests. The information our ad services may collect on our behalf includes data about your visits to websites that serve our ads, such as the pages or ads you view and the actions you take on the websites. This data collection takes place both on our websites and on third-party websites that participate in these ad services. This process also helps us track the effectiveness of our marketing efforts. To learn about how to opt out of interest-based advertising in the U.S., please visit http://optout.aboutads.info. The websites are not designed to respond to “do not track” signals received from browsers.
Our websites may offer links to other websites operated by third parties for your convenience. Such third-party websites may have information, policies, and practices different from our websites. We do not control and are not responsible for the privacy policies, practices and/or content of such third-party websites. Please contact such third-party websites directly for information regarding such websites.
We will transfer your personal information to countries outside the European Economic Area (EEA) for the purposes of carrying out our obligations under our contracts with our clients, to operate our business, and/or to comply with legal obligations. Some of these countries outside the EEA, such as the United States of America and the Philippines, are not currently covered by an adequacy decision by the European Commission (EC) which means that such countries are not deemed by the EC to provide an adequate level of protection for your personal information. However, any such transfers by us will be covered by a data transfer mechanism recognized by the relevant government authorities or courts as providing an adequate level of protection for personal information, including but not limited to: standard data protection clauses (processors) adopted by the EC from time to time, and/or binding corporate rules.
We may also transfer your personal information when:
We are committed to ensuring that in the future we will only process your personal information for as long as necessary to fulfil the purposes for which we collected it, including to satisfy any legal, accounting or reporting requirements, or for other legitimate business purposes. Given that we operate on a global basis, the relevant periods for which we hold personal information may vary according to the requirements of local laws but, in general terms, we will only retain your personal information for periods required or permitted by law or, more generally, for the period necessary to provide our products and services and to our clients and thereafter for so long as is required to allow us to establish, exercise or defend legal claims and/or as is necessary to meet any retention obligations applicable to us. For more information as to how long we may retain personal information in particular circumstances, please contact us – see Contact information and further advice below.
We are committed to complying with all applicable data protection laws that apply to our processing of your personal information. This privacy statement applies on a worldwide basis across our operations, unless it conflicts with the laws in any particular jurisdiction, in which case we will process personal information in accordance with those laws to the extent they apply. While this privacy statement is designed, in part, to satisfy the requirements of the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws and regulations, and to apply standards which are generally consistent with those laws and regulations, this privacy statement does not create rights under those data protection laws and regulations for individuals whose personal information is being processed outside the scope of the application of those laws and regulations.
Under applicable data protection laws and regulations, you may have various rights in relation to your personal information.
In particular, where GDPR applies to you, you have a right to:
Access your information
You have the right to request a copy of the personal information about you that we hold.
Correct your information
You have the right to ask us to correct your personal information if you believe it is not accurate, complete or up-to-date.
Request deletion of your information
You have the right to ask us to delete your personal information if:
Object to how we may process your information
If we process your personal information to perform tasks carried out in the public interest or on the basis of our legitimate interests, you have the right to object to this processing on the basis of your particular situation. In such event, we will continue the processing only if we have overriding legitimate grounds for this, or the processing is to establish, exercise or defend legal claims. You may also object if we process your personal information for direct marketing purposes in which case we will no longer process your information for such purposes.
Restrict how we may process your information
You have the right to ask us to restrict our processing of your personal information if:
Currently, ISS does not take decisions about individuals based solely on automated processing (i.e., without human involvement) which have a legal or similarly significant effect on them.
Withdraw consent for processing your information
You may withdraw your consent for the processing of your personal information at any time in which case we will stop processing your personal information for the purpose(s) for which consent was given unless we have another legal basis for the processing.
Stop us from sending you marketing information
If you receive marketing communications from us you may, at any time, ask us to stop sending them to you by following the unsubscribe instructions in communications from us, or contacting us as described under Contact information and further advice below.
Where the CCPA applies to you, you have the right to:
Access your information
You may be entitled to request that we disclose to you the specific pieces of your personal information that we have collected in the 12 months preceding your request.
Request deletion of your information
You have the right to ask us to delete personal information we have collected from you, subject to certain exceptions, such as if we need to retain such personal information if needed for contractual performance or to comply with applicable laws.
Request disclosures about how we may process your personal information
You may be entitled to receive the following information with respect to the 12 months preceding your request: the categories of personal information we have collected, the sources from which we collected that personal information, the purposes for which we collected and shared that personal information, the categories of personal information that we sold and the categories of third parties to whom we sold personal information, and the categories of personal information that we disclosed for a business purpose.
Opt out of certain sharing with third parties
You may be entitled to direct us to stop disclosing your personal information to third parties in exchange for consideration, even non-monetary consideration. To exercise such right to opt-out, click here.
Be free from discrimination
We will not engage in illegal discrimination on account of your exercise of these rights.
If you are a California resident and would like to exercise your rights, please click here or call us at 1-844-665-9287. If you would prefer, you may designate an authorized agent to make a request on your behalf. Please note that we may require additional information from you in order to honor your request, as we will review your request to verify your identity upon receipt. In some circumstances we will not honor your request, as permitted under the law.
If you wish to make a complaint about how we are using your personal information, exercise any of the rights set out above, or if you have any questions or comments about privacy issues, you can contact us by sending an email to our data protection officer: email@example.com
Where GDPR applies to the processing of your personal information, you also have a right to complain to the EU Data Protection Authority (“DPA”) in your jurisdiction.
We may modify or amend this privacy statement from time to time.
When we make changes to this privacy statement, we will amend the revision date at the top of this page. The modified or amended privacy statement will apply from that date. We encourage you to review this statement regularly to remain informed about how we are protecting your information.
If you have any questions about this privacy statement, ISS’ processing of your personal data, you wish to exercise your rights as stated above, or you would like assistance accessing this policy in a more accessible format, please contact us at firstname.lastname@example.org.
To reach the Data Protection Officer for Institutional Shareholders Services Germany AG, please contact email@example.com.