We are deeply committed to protecting the privacy of your personal information.  This privacy statement describes what personal information we collect and use, how we collect and use it, and the purposes for which we use it.  This privacy statement also provides information about your rights with respect to our use of your personal information.  This privacy statement applies to personal information we collect online and offline.  Our goal is to always be honest, fair and transparent about how and why we use your personal information.

In this privacy statement, ‘personal information’ means your personal data – i.e., information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household.  We may also refer to ‘processing’ your personal information, which includes collecting, handling, protecting and storing it.

This privacy statement also contains information about when we share your personal information with our affiliated entities and with other third parties (for example, our service providers). This privacy statement does not apply to our personnel, who are covered by our internal notices, policies and procedures.

We may collect and use your personal information in physical and electronic form, and will hold, use and otherwise process that information in compliance with applicable data protection laws and regulations and as set out in this statement.

When we provide products and services to our clients we may process personal information about you.  We may also collect personal information from you when you use our websites.

We collect personal information from the following categories of sources:

• You, when you provide it to us (for example, in a registration form on our websites);
• Our clients (for example, a client may provide us with your personal information in connection with our provision of products and services to the client);
• Our partners and vendors, including data brokers, who provide us with marketing and survey support and from which we may obtain information to build our products and services;
• Analytics partners who provide cookies, pixels, or similar tools on our website; or
• Publicly available sources, such as publicly available websites.

We may also process personal information from data we collect automatically about how you interact with us.  For example, we (or our service providers) may use cookies (small text files stored in a user’s browser) or web beacons to collect personal information when you visit our websites or other online offerings for various purposes, including to help the websites function appropriately, for analytics or for targeted advertising on third party websites.  Some of this information may be collected by third parties we do not control who may collect personal information about you over time and across different websites.  Please see the section below titled Third-party information collection for more information about these and other third parties’ data collection.  Also please note that at this time, we do not respond to Do Not Track browser settings or signals.

The categories of personal information we process may include your:

• identifiers, such as your name, address, email address, mobile phone number, and payment information;
• demographic information, such as your gender, race, ethnicity, age and date of birth, some of which may be protected characteristics under anti-discrimination laws;
• professional or employment-related information (e.g., the name of your employer and your job title (current and historical));
• education information (e.g., colleges or universities attended and degrees earned);
• financial and tax-related information (e.g., your investments, transaction history, and tax residency);
• your passport information;
• postings or messages on any blogs, forums, platforms, wikis or social media applications and services that we provide (including with third parties);
• device and online identifiers and related information, such as your IP address, browser type and language;
• commercial information, such as which of our products and services you purchase or consider;
• Internet, application, or network activity information, such as information about how you use our websites, products and services, including for example, when you access our websites, including through cookies and similar trackers as discussed in more detail below in Third-party information collection;
• geolocation data, for example city or state in which our website visitors are located;
• audio and visual data, such as call recordings and CCTV images and other information we collect when you are on our premises;
• inferences drawn from personal information, such as performance metrics or a profile reflecting your preferences, tendencies, demographic information, and characteristics; and
• details of how you like to interact with us, including how you prefer to communicate with us, and other similar information relevant to our relationship.

We do not intend to collect personal data relating to your health information. With the exception of our subsidiary Discovery Data, Inc., we do not intend to collect personal data relating to your religious beliefs or political affiliations.

If you choose not to provide, or object to us processing, the information we need to collect for statutory or contractual purposes (including entering into a contract), we may not be able to process your instructions or continue to provide some or all of our products and services to our clients.

We may receive personal information about you from our clients, partners, vendors, or other third parties. In some cases, such parties may collect personal information on our behalf, in which case we require them to comply with the relevant privacy laws and regulations. This may include, for example, placing the responsibility on the client or other third party to inform you of the processing of your personal information and to obtain any necessary permission for us to process your personal information as described in this privacy statement.

If you provide us with any personal information that relates to a third party (such as a spouse, child, or joint account holder), you confirm that you have obtained any necessary permission to use such information or are otherwise permitted to give it to us and that we may use that information in accordance with this privacy statement without breaching applicable data protection laws and regulations. Do not provide us with such information absent the necessary permission.

In general, we process your personal information so we can provide products and services to our clients, conduct other business activities (such as management of our client accounts) and meet our legal or regulatory obligations.  We may also use your personal information for marketing purposes with your consent or where applicable data protection laws and regulations otherwise allow.

We use your personal information for various purposes, including:

To communicate with you

We will use your personal information to communicate with you about our products and services, including responding to your inquiries, sending you newsletters, contacting you with information about our events, contacting you about surveys, and for marketing and advertising purposes.

To provide products and services to our clients

We will use your personal information to provide our clients or other third parties with products and services, and this includes using your personal information in communications relating to those products and services.  For example, we might collect and use personal information about a potential or actual client’s employees or customers, officers or directors of companies, investment advisors, or other business contacts to:

• help individuals access our products and services or provide customer service;
• to identify potential clients or understand a client’s or potential client’s business operations, requirements or objectives;
• facilitate your or a client’s customer’s attendance at an annual shareholders meeting; or
• offer our research and data product offerings, which may include personal information.

For other activities that form part of the operation of our business

We may also, for example, use your personal information in connection with:

• legal or regulatory requirements;
• client account management (e.g., invoicing, contract administration and other administrative tasks);
• client relationship management and marketing which may involve:
  • sending you thought leadership materials or details of our products and services;
  • contacting you for feedback on our products and services; and
  • hosting events and sending you event invitations;
• use of third-party data sources to help us obtain, verify and improve the information we have about contacts at our prospects and clients;
• maintaining and improving our services, functionality, and overall user experience;
• undertaking internal research for technological development and demonstration;
• services we receive from our professional advisors, such as lawyers, accountants and auditors;
• detecting, investigating, or preventing security incidents;
• protecting against malicious, deceptive, fraudulent, or illegal activity; or
• protecting our rights and those of our clients and defending any claims made against us.

We may also de-identify or anonymise your personal information and combine it with other such information to create aggregated, de-identified or anonymised information which we may share with third parties for several purposes, including data analytics, research, submissions, thought leadership and promotional activity.

Collected from our website

We may, for example, use your personal information that we have collected from our website:

• to manage and improve our website;
• to provide additional information about our products and services that may be of interest to you; or
• to manage and respond to any request you submit through our website (e.g., a request to receive an ISS newsletter).

Depending on what personal information about you we have and the context in which we obtain it, we rely on one or more of the following lawful grounds for processing your personal information:

• you have agreed to us processing your information for a specific reason (e.g., using your email address because you have consented to receive marketing materials from us);
• the processing is necessary to perform the agreements we have with you or your company or to take steps to enter into an agreement with you or your company;
• the processing is necessary for compliance with a legal obligation we have, such as recordkeeping obligations or providing information to a public body or law enforcement agency to the extent this does not contravene applicable data protection laws or regulations; and/or
• the processing is necessary for our legitimate interests such as:
  • to provide our services or information to our clients and others;
  • to prevent and detect theft, fraud and other criminal activity;
  • to protect our business interests;
  • to manage our business (including business planning and promotion);
  • to investigate complaints;
  • to evaluate, develop or improve our services or products;
  • to keep you or our clients informed about relevant products and services and provide you with information, unless you have indicated at any time that you do not wish us to do so; or
  • in the case of electronic marketing communications, where permitted under applicable data protection laws or regulations, we have a relationship with you which permits us to issue marketing communications to you subject to the right to opt-out.

To the extent that we process any special categories of personal information relating to you for any of the purposes outlined above, we will do so because:

• you have given us your explicit consent to process that personal information;
• we are required by law to process that personal information in order to ensure we meet our ‘know your client’ and ‘anti-money laundering’ obligations (or other legal obligations imposed on us);
• that personal information was manifestly made public by you;
• the processing is necessary for the establishment, exercise or defence of legal claims; or
• we are otherwise permitted to do so by applicable law.

In connection with our processing of your personal information as described above, we may share your personal information with the following third parties, for the purposes described:

• our clients or potential clients in the course of providing our products and services;
• our regulators (e.g., the United States Securities and Exchange Commission);
• other third parties as appropriate to:

• • comply with the law;
  • enforce applicable terms of service, including investigation of potential violations;
  • detect, prevent, or otherwise address fraud, security or technical issues; or
  • protect against harm to the rights, property or safety of our employees, customers, ISS, or the public as required or permitted by law;

• entities in the ISS group of companies as part of our business operations in the ordinary course of business, regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, and/or for system maintenance support and hosting of data;
• other third parties as necessary to perform our contractual obligations to our clients;
• our hosting service providers and other service providers in order to provide our websites and services;
• our professional advisers (including legal counsel, tax advisers, and auditors);
• potential or actual purchasers of the business (or a part thereof), or other third parties in the context of a possible sale or restructuring of the business; and/or
• any person or entity specified by you.

We disclose the following categories of information for our or our service providers’ operational purposes, or other purposes described in this Privacy Statement:

• identifiers, such as your name, address, email address, mobile phone number, and payment information;
• demographic information, such as your gender, race, ethnicity, age and date of birth, some of which may be protected characteristics under anti-discrimination laws;
• professional or employment-related information (e.g., the name of your employer and your job title (current and historical));
• education information (e.g., colleges or universities attended and degrees earned);
• financial and tax-related information (e.g., your investments, transaction history, and tax residency);
• your passport information;
• postings or messages on any blogs, forums, platforms, wikis or social media applications and services that we provide (including with third parties);
• device and online identifiers and related information, such as your IP address, browser type and language;
• commercial information, such as which of our products and services you purchase or consider;
• Internet, application, or network activity information, such as information about how you use our websites, products and services, including for example, when you access our websites, including through cookies and similar trackers as discussed in more detail below in Third-party information collection;
• geolocation data, for example city or state in which our website visitors are located;
• audio and visual data, such as call recordings and CCTV images and other information we collect when you are on our premises;
• inferences drawn from personal information, such as performance metrics or a profile reflecting your preferences and characteristics; and
• details of how you like to interact with us, including how you prefer to communicate with us, and other similar information relevant to our relationship.

We do not engage in sales of the personal information of minors under 16 years of age without affirmative authorization.

We may also disclose the following categories of information for commercial purposes (i.e., these arrangements may be deemed to be “sales” under some applicable laws):

• identifiers, such as your name, address, email address, mobile phone number, and payment information;
• demographic information, such as your gender, race, ethnicity, age and date of birth, some of which may be protected characteristics under anti-discrimination laws;
• professional or employment-related information (e.g., the name of your employer and your job title (current and historical));
• education information (e.g., colleges or universities attended and degrees earned);
• financial and tax-related information (e.g., your investments, transaction history, and tax residency);
• your passport information;
• postings or messages on any blogs, forums, platforms, wikis or social media applications and services that we provide (including with third parties);
• device and online identifiers and related information, such as your IP address, browser type and language;
• commercial information, such as which of our products and services you purchase or consider;
• Internet, application, or network activity information, such as information about how you use our websites, products and services, including for example, when you access our websites, including through cookies and similar trackers as discussed in more detail below in Third-party information collection;
• geolocation data, for example city or state in which our website visitors are located;
• audio and visual data, such as call recordings and CCTV images and other information we collect when you are on our premises;
• inferences drawn from personal information, such as performance metrics or a profile reflecting your preferences, tendencies, demographic information, and characteristics; and
• details of how you like to interact with us, including how you prefer to communicate with us, and other similar information relevant to our relationship.

Some content or applications on our websites may be provided by third parties, including advertisers, ad networks and servers, analytics companies, and application providers. These third parties may use cookies or other tracking technologies to collect personal information about you when you use our websites for purposes such as to provide you advertising about services tailored to your interests. We do not control these third parties’ tracking technologies or how they may be used. If you have any questions, you should contact the responsible provider directly. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of our websites.

Certain ISS entities may engage third-party services (e.g., Facebook, LinkedIn, Google) to advertise on our behalf on other websites. Through such ad services, we can retarget our messaging to users of our websites on other webpages and applications through interest-based and contextual means. These services track your online activities over time and across multiple websites by collecting information through automated means, including through the use of third-party cookies, web server logs and web beacons. The ad services use this information to show you ads that may be tailored to your individual interests. The information our ad services may collect on our behalf includes data about your visits to websites that serve our ads, such as the pages or ads you view and the actions you take on the websites. This data collection takes place both on our websites and on third-party websites that participate in these ad services. This process also helps us track the effectiveness of our marketing efforts. To learn about how to opt out of interest-based advertising in the U.S., please visit http://optout.aboutads.info. The websites are not designed to respond to “do not track” signals received from browsers.

One of the third-party services the websites use is Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies to analyze how individuals use the websites. The information generated by the cookie about your use of the websites (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the websites, compiling reports on websites activity, and providing other services relating to website activity.  For more information about how Google collects and uses information, visit www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time. To opt out of being tracked by Google Analytics across all websites visit: http://tools.google.com/dlpage/gaoptout.

Our websites may offer links to other websites operated by third parties for your convenience.  Such third-party websites may have information, policies, and practices different from our websites. We do not control and are not responsible for the privacy policies, practices and/or content of such third-party websites. Please contact such third-party websites directly for information regarding such websites.

We will transfer your personal information to countries outside the European Economic Area (EEA) for the purposes of carrying out our obligations under our contracts with our clients, to operate our business, and/or to comply with legal obligations.  Some of these countries outside the EEA, such as the United States of America and the Philippines, are not currently covered by an adequacy decision by the European Commission (EC) which means that such countries are not deemed by the EC to provide an adequate level of protection for your personal information. However, any such transfers by us will be covered by a data transfer mechanism recognized by the relevant government authorities or courts as providing an adequate level of protection for personal information, including but not limited to: standard data protection clauses (processors) adopted by the EC from time to time, and/or binding corporate rules.

We may also transfer your personal information when:

• the transfer is to a country deemed to provide adequate protection of your personal information by the European Commission; or
• where you have otherwise consented to the transfer.

We are committed to ensuring that in the future we will only process your personal information for as long as necessary to fulfil the purposes for which we collected it, including to satisfy any legal, accounting or reporting requirements, or for other legitimate business purposes.  Given that we operate on a global basis, the relevant periods for which we hold personal information may vary according to the requirements of local laws but, in general terms, we will only retain your personal information for periods required or permitted by law or, more generally, for the period necessary to provide our products and services and to our clients and thereafter for so long as is required to allow us to establish, exercise or defend legal claims and/or as is necessary to meet any retention obligations applicable to us.  For more information as to how long we may retain personal information in particular circumstances, please contact us – see Contact information and further advice below.

We are committed to complying with all applicable data protection laws that apply to our processing of your personal information.  This privacy statement applies on a worldwide basis across our operations, unless it conflicts with the laws in any particular jurisdiction, in which case we will process personal information in accordance with those laws to the extent they apply.  While this privacy statement is designed, in part, to satisfy the requirements of the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws and regulations, and to apply standards which are generally consistent with those laws and regulations, this privacy statement does not create rights under those data protection laws and regulations for individuals whose personal information is being processed outside the scope of the application of those laws and regulations.

Under applicable data protection laws and regulations, you may have various rights in relation to your personal information.

In particular, where GDPR applies to you, you have a right to:

Access your information
You have the right to request a copy of the personal information about you that we hold.

Correct your information
You have the right to ask us to correct your personal information if you believe it is not accurate, complete or up-to-date.

Request deletion of your information
You have the right to ask us to delete your personal information if:

• It is no longer necessary for the purposes for which we obtained it
• You have withdrawn your consent for our processing of your personal information (see Withdraw consent to using your information below), and we have no other legal basis for the processing
• You have validly objected to our processing of your personal information (see Object to how we may process your information below)
• We have unlawfully processed your personal information; or
• We must delete your personal information to comply with a legal obligation.

Object to how we may process your information
If we process your personal information to perform tasks carried out in the public interest or on the basis of our legitimate interests, you have the right to object to this processing on the basis of your particular situation.  In such event, we will continue the processing only if we have overriding legitimate grounds for this, or the processing is to establish, exercise or defend legal claims. You may also object if we process your personal information for direct marketing purposes in which case we will no longer process your information for such purposes.

Restrict how we may process your information
You have the right to ask us to restrict our processing of your personal information if:

• you contest the accuracy of the information (for a period of time that enables us to check it);
• our processing is unlawful, but you don’t want the data deleted;
• we no longer need the data, but you require it to establish, exercise or defend legal claims; or
• you have objected (as above) and are awaiting confirmation as to whether we have overriding legitimate grounds for processing.

Automated processing
Currently, ISS does not take decisions about individuals based solely on automated processing (i.e., without human involvement) which have a legal or similarly significant effect on them.

Withdraw consent for processing your information
You may withdraw your consent for the processing of your personal information at any time in which case we will stop processing your personal information for the purpose(s) for which consent was given unless we have another legal basis for the processing.

Stop us from sending you marketing information
If you receive marketing communications from us you may, at any time, ask us to stop sending them to you by following the unsubscribe instructions in communications from us, or contacting us as described under Contact information and further advice below.

Where the CCPA applies to you, you have the right to:

Access your information
You may be entitled to request that we disclose to you the specific pieces of your personal information that we have collected in the 12 months preceding your request.

Request deletion of your information
You have the right to ask us to delete personal information we have collected from you, subject to certain exceptions, such as if we need to retain such personal information if needed for contractual performance or to comply with applicable laws.

Request disclosures about how we may process your personal information
You may be entitled to receive the following information with respect to the 12 months preceding your request: the categories of personal information we have collected, the sources from which we collected that personal information, the purposes for which we collected and shared that personal information, the categories of personal information that we sold and the categories of third parties to whom we sold personal information, and the categories of personal information that we disclosed for a business purpose.

Opt out of certain sharing with third parties
You may be entitled to direct us to stop disclosing your personal information to third parties in exchange for consideration, even non-monetary consideration. To exercise such right to opt-out, click here.

Be free from discrimination
We will not engage in illegal discrimination on account of your exercise of these rights.

If you are a California resident and would like to exercise your rights, please click here or call us at 1-844-665-9287. If you would prefer, you may designate an authorized agent to make a request on your behalf. Please note that we may require additional information from you in order to honor your request, as we will review your request to verify your identity upon receipt. In some circumstances we will not honor your request, as permitted under the law.

If you wish to make a complaint about how we are using your personal information, exercise any of the rights set out above, or if you have any questions or comments about privacy issues, you can contact us by sending an email to our data protection officer:  dataprotectionofficer@issgovernance.com

Where GDPR applies to the processing of your personal information, you also have a right to complain to the EU Data Protection Authority (“DPA”) in your jurisdiction.

We may modify or amend this privacy statement from time to time.

When we make changes to this privacy statement, we will amend the revision date at the top of this page. The modified or amended privacy statement will apply from that date. We encourage you to review this statement regularly to remain informed about how we are protecting your information.

If you have any questions about this privacy statement, ISS’ processing of your personal data, you wish to exercise your rights as stated above, or you would like assistance accessing this policy in a more accessible format, please contact us at dataprotectionofficer@issgovernance.com.

To reach the Data Protection Officer for Institutional Shareholders Services Germany AG, please contact issagdpo@issgovernance.com.