We are deeply committed to protecting the privacy of your personal information.  This privacy statement describes what personal information we collect and use, how we collect and use it, and the purposes for which we use it.  This privacy statement also provides information about your rights with respect to our use of your personal information.  This privacy statement applies to personal information we collect online and offline.  Our goal is to always be honest, fair, and transparent about how and why we use your personal information.

In this privacy statement, ‘personal information’ means your personal data – i.e., information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household.  We may also refer to ‘processing’ your personal information, which includes collecting, handling, protecting, and storing it.

This privacy statement also contains information about when we disclose your personal information to our affiliated entities and to other third parties (for example, our service providers).  California residents can click here for additional information about how we process their personal information. This privacy statement does not apply to our personnel, who are covered by our internal notices, policies, and procedures.

We may collect and use your personal information in physical and electronic form, and will hold, use, and otherwise process that information in compliance with applicable data protection laws and regulations and as set out in this privacy statement.

When we provide products and services to our clients we may process personal information about you.  We may also collect personal information from you when you use our websites.

We collect personal information from the following categories of sources:

• You, when you provide it to us (for example, in a registration form on our websites);
• Publicly available sources, such as publicly available websites and public records (for example, government records);
• Our clients (for example, in connection with our provision of products and services to the client);
• Our partners and vendors, including data brokers, who provide us with information to build our products and services; and
• Analytics partners who provide cookies, pixels, or similar tools on our website.

We may also collect personal information from data we collect automatically about how you interact with us.  For example, we (or our service providers) may use cookies (small text files stored in a user’s browser) or web beacons to collect personal information when you visit our websites or other online offerings for various purposes, including to help the websites function appropriately, for analytics, or for targeted advertising on third party websites.  Some of this information may be collected by third parties who may collect personal information about you over time and across different websites when you visit our website.  Please see the Third-party information collection section below for more information about these and other third parties’ data collection and the section titled Your rights for information about choices you may have with respect to your personal information.  Also please note that at this time, we do not respond to Do Not Track browser settings or signals.

The categories of personal information we process may include your:

• identifiers, such as your name, address, email address, mobile phone number, and passport number;
• personal characteristics, such as your gender, race, ethnicity, religious beliefs, sexual orientation, nationality, age, and date of birth, some of which may be protected characteristics under anti-discrimination laws or sensitive personal information;
• professional or employment-related information (e.g., the name of your employer and your job title (current and historical));
• education information (e.g., colleges or universities attended and degrees earned);
• financial and tax-related information (e.g., your investments, transaction history, account information, and tax residency);
• postings or messages on any blogs, forums, platforms, wikis, or social media applications and services that we provide (including with third parties);
• device and online identifiers and related information, such as your IP address, browser type, and language;
• commercial information, such as products and services purchased or considered;
• Internet, application, or network activity information, such as information about how you use our websites, products, and services, including for example, when you access our websites, including through cookies and similar trackers as discussed in more detail below in the Third-party information collection section;
• geolocation data, for example city or state in which our website visitors are located;
• audio and visual data, such as call recordings and CCTV images and other information we collect when you are on our premises;
• inferences drawn from personal information, such as performance metrics or a profile reflecting your preferences, tendencies, demographic information, and characteristics; and
• details of how you like to interact with us, including how you prefer to communicate with us, and other similar information relevant to our relationship.

If you choose not to provide, or object to us processing, the information we need to collect for statutory or contractual purposes (including entering into a contract), we may not be able to process your instructions or continue to provide some or all of our products and services to our clients with which you are associated.

We may receive personal information about you from our clients, partners, vendors, or other third parties. In some cases, such parties may collect personal information on our behalf, in which case we require them to comply with the relevant privacy laws and regulations. This may include, for example, placing the responsibility on the client or other third party to inform you of the processing of your personal information and to obtain any necessary consent for us to process your personal information as described in this privacy statement.

If you provide us with any personal information that relates to a third party (such as your employees or other individuals with whom you are associated), you confirm that you have obtained any necessary consent to use such information or are otherwise permitted to give it to us and that we may use that information in accordance with this privacy statement without breaching applicable data protection laws and regulations. Do not provide us with such information absent the necessary permission.

In general, we process your personal information so we can provide products and services to our clients, conduct other business activities (such as management of our client accounts), and meet our legal or regulatory obligations.  We may also use your personal information for marketing purposes with your consent or where applicable data protection laws and regulations otherwise allow.

We use your personal information for various purposes, including:

To communicate with you
We will use your personal information to communicate with you about our products and services, including responding to your inquiries, sending you newsletters, contacting you with information about our events, contacting you about surveys, and for marketing and advertising purposes.

To provide products and services to our clients
We will use your personal information to provide our clients or other third parties with products and services, and this includes using your personal information in communications relating to those products and services.  For example, we might collect and use personal information about a potential or actual client’s employees or customers, officers or directors of companies, investment advisors, or other business contacts to:

• help such individuals access our products and services or provide customer service;
• to identify potential clients or understand a client’s or potential client’s business operations, requirements, or objectives;
• facilitate your or a client’s customer’s attendance at an annual shareholders meeting; or
• offer our research and data product offerings, which may include personal information.

For other activities that form part of the operation of our business
We may also, for example, use your personal information in connection with:

• legal or regulatory requirements;
• client account management (e.g., invoicing, contract administration, and other administrative tasks);
• client relationship management and marketing which may involve:
  • sending you thought leadership materials or details of our products and services;
  • contacting you for feedback on our products and services; and
  • hosting events and sending you event invitations;
• use of third-party data sources to help us obtain, verify, and improve the information we have about contacts at our prospects and clients;
• maintaining and improving our services, functionality, and overall user experience;
• undertaking internal research for technological development and demonstration;
• services we receive from our professional advisors, such as lawyers, accountants, and auditors;
• detecting, investigating, or preventing security incidents;
• protecting against malicious, deceptive, fraudulent, or illegal activity; or
• protecting our rights and those of our clients and defending any claims made against us.

We may also de-identify or anonymise your personal information and combine it with other such information to create aggregated, de-identified, or anonymised information, which we may share with third parties for several purposes, including data analytics, research, submissions, thought leadership, and promotional activity. If we de-identify or anonymise your personal information, we will maintain and use this information in de-identified or anonymised form and not attempt to re-identify it.

Collected from our website
We may, for example, use your personal information that we have collected from our website:

• to manage and improve our website;
• to provide additional information about our products and services that may be of interest to you; or
• to manage and respond to any request you submit through our website (e.g., a request to receive an ISS newsletter).

Depending on what personal information about you we have and the context in which we obtain it, we rely on one or more of the following lawful grounds for processing your personal information:

• you have agreed to us processing your information for a specific purpose (e.g., we use your email address because you have consented to receive marketing materials from us);
• the processing is necessary to perform the agreements we have with you or your company or to take steps to enter into an agreement with you or your company;
• the processing is necessary for compliance with a legal obligation we have, such as recordkeeping obligations or providing information to a public body or law enforcement agency to the extent this does not contravene applicable data protection laws or regulations; and/or
• the processing is necessary for our legitimate interests such as:
  • to provide our services or information to our clients and others;
  • to prevent and detect theft, fraud, and other criminal activity;
  • to protect our business interests;
  • to manage our business (including business planning and promotion);
  • to investigate complaints;
  • to evaluate, develop, or improve our services or products;
  • to keep you or our clients informed about relevant products and services and provide you with information, unless you have indicated at any time that you do not wish us to do so; or
  • in the case of electronic marketing communications, where permitted under applicable data protection laws or regulations, we have a relationship with you which permits us to issue marketing communications to you subject to the right to opt-out.

To the extent that we process any categories of personal information that may be deemed “special categories” or “sensitive personal information” under applicable law for any of the purposes outlined above, we will do so because:

• you have given us your explicit consent to process that personal information;
• we are required by law to process that personal information in order to ensure we meet our ‘know your client’ and ‘anti-money laundering’ obligations (or other legal obligations imposed on us);
• that personal information was manifestly made public by you;
• the processing is necessary for the establishment, exercise or defense of legal claims; or
• we are otherwise permitted to do so by applicable law.

In connection with our processing of your personal information as described above, we may disclose your personal information to the following third parties, for the purposes described:

• our clients or potential clients in the course of providing our products and services;
• our regulators (e.g., the United States Securities and Exchange Commission);
• other third parties as appropriate to:
  • comply with the law;
  • enforce applicable terms of service, including investigation of potential violations;
  • detect, prevent, or otherwise address fraud, security, or technical issues; or
  • protect against harm to the rights, property, or safety of our employees, customers, ISS, or the public as required or permitted by law;
• entities in the ISS group of companies as part of our business operations in the ordinary course of business, regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, and/or for system maintenance support and hosting of data;
• other third parties as necessary to perform our contractual obligations to our clients;
• our hosting service providers and other service providers in order to provide our websites and services;
• our professional advisers (including legal counsel, tax advisers, and auditors);
• potential or actual purchasers of the business (or a part thereof), or other third parties in the context of a possible sale or restructuring of the business; and/or
• any person or entity specified by you.

Some content or applications on our websites may be provided by third parties, including advertisers, ad networks and servers, analytics companies, and application providers. These third parties may use cookies or other tracking technologies to collect personal information about you when you use our websites for purposes such as to provide you advertising about services tailored to your interests. We do not control these third parties’ tracking technologies or how they may be used. If you have any questions, you should contact the responsible provider directly. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of our websites.

Certain ISS entities may engage third-party services (e.g., Facebook, LinkedIn, Google) to advertise on our behalf on other websites. Through such ad services, we can retarget our messaging to users of our websites on other webpages and applications through interest-based and contextual means. These services track your online activities over time and across multiple websites by collecting information through automated means, including through the use of third-party cookies, web server logs, and web beacons. The ad services use this information to show you ads that may be tailored to your individual interests. The information our ad services may collect on our behalf includes data about your visits to websites that serve our ads, such as the pages or ads you view and the actions you take on the websites. This data collection takes place both on our websites and on third-party websites that participate in these ad services. This process also helps us track the effectiveness of our marketing efforts. To learn about how to opt out of interest-based advertising in the U.S., please visit http://optout.aboutads.info or visit the section titled Your rights for information about choices you may have with respect to your personal information. Our websites are not designed to respond to “do not track” signals received from browsers.

One of the third-party services our websites use is Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies to analyze how individuals use our websites. The information generated by the cookie about your use of our websites (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our websites, compiling reports on website activity, and providing other services relating to website activity.  For more information about how Google collects and uses information, visit www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time. To opt out of being tracked by Google Analytics across all websites visit: http://tools.google.com/dlpage/gaoptout.

Our websites may offer links to other websites operated by third parties for your convenience.  Such third-party websites may have information, policies, and practices different from our websites. We do not control and are not responsible for the privacy policies, practices, and/or content of such third-party websites. Please contact such third-party websites directly for information regarding such websites.

We will transfer your personal information to countries outside the European Economic Area (EEA) for the purposes of carrying out our obligations under our contracts with our clients, to operate our business, and/or to comply with legal obligations.  Some of these countries outside the EEA, such as India and the Philippines, are not currently covered by an adequacy decision by the European Commission (EC) which means that such countries are not deemed by the EC to provide an adequate level of protection for your personal information. However, any such transfers by us to those countries will be covered by a data transfer mechanism recognized by the relevant government authorities or courts as providing an adequate level of protection for personal information, including but not limited to standard processor data protection clauses adopted by the EC from time to time, and/or binding corporate rules.

We may also transfer your personal information when:

• the transfer is to a country deemed to provide adequate protection of your personal information by the European Commission; or
• where you have otherwise consented to the transfer.

Given that we operate on a global basis, the relevant periods for which we hold personal information may vary according to the requirements of local laws but, in general terms, we will only use your personal information for periods required or permitted by law or, more generally, for the period necessary to provide our products and services to our clients and thereafter for so long as is required to allow us to establish, exercise, or defend legal claims and/or as is necessary to meet any retention obligations applicable to us.  For more information as to how long we may retain personal information in particular circumstances, please contact us – see Contact information and further advice below.

We are committed to complying with all applicable data protection laws that apply to our processing of your personal information.  This privacy statement applies on a worldwide basis across our operations, unless it conflicts with the laws in any particular jurisdiction, in which case we will process personal information in accordance with those laws to the extent they apply.  While this privacy statement is designed, in part, to satisfy the requirements of the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Colorado Privacy Act (ColPA), and other applicable data protection laws and regulations, and to apply standards which are generally consistent with those laws and regulations, this privacy statement does not create rights for individuals whose personal information is being processed outside the scope of the application of those laws and regulations.

Under applicable data protection laws and regulations, you may have various rights in relation to your personal information, including:

Access your information
You may have the right to request the specific pieces of personal information about you that we hold.

Know how we process your information
You may have the right to obtain confirmation that we have collected personal information about you and know what personal information we have collected about you, including, as applicable, the categories of personal information we have collected; the sources from which we collected that personal information; the business or commercial purposes for which we collected, sold, and shared that personal information; the categories of personal information that we sold, shared, or disclosed to third parties for business purposes; and the categories of third parties to whom we sold, shared, or disclosed personal information.

Correct your information
You may have the right to ask us to correct your personal information if you believe it is not accurate, complete, or up-to-date.

Request deletion of your information
Subject to certain exceptions, you may have the right to ask us to delete your personal information if:

• It is no longer necessary for the purposes for which we obtained it;
• You have withdrawn your consent for our processing of your personal information (see Withdraw consent to using your information below), and we have no other legal basis for the processing;
• You have validly objected to our processing of your personal information (see Object to how we may process your information below);
• We have unlawfully processed your personal information; or
• We must delete your personal information to comply with a legal obligation.

Object to how we may process your information
If we process your personal information to perform tasks carried out in the public interest or on the basis of our legitimate interests, you may have the right to object to this processing on the basis of your particular situation.  In such event, we will continue the processing only if we have overriding legitimate grounds to do so, or the processing is to establish, exercise, or defend legal claims. You may also object if we process your personal information for direct marketing purposes in which case we will no longer process your information for such purposes.

Restrict how we may process your information
You may have the right to ask us to restrict our processing of your personal information if:

• you contest the accuracy of the information (for a period of time that enables us to check it);
• our processing is unlawful, but you don’t want the data deleted;
• we no longer need the data, but you require it to establish, exercise, or defend legal claims; or
• you have objected (as above) and are awaiting confirmation as to whether we have overriding legitimate grounds for processing.

Opt-out of sales of your personal information
You may have the right to opt out of sales of your personal information to third parties. If you are a California resident, click here for additional information.

Opt-out of sharing of your personal information for targeted advertising
You may have the right to opt out of the disclosure of your personal information to third parties for targeted advertising. If you are a California resident, click here for additional information.

Limit use of your sensitive personal information
You may have the right to limit use and disclosure of your sensitive personal information to certain specific business purposes. If you are a California resident, click here for additional information.

Automated processing
Currently, ISS does not take decisions about individuals based solely on automated processing (i.e., without human involvement) which have a legal or similarly significant effect on them.

Withdraw consent for processing your information
You may have the right to withdraw your consent for the processing of your personal information at any time in which case we will stop processing your personal information for the purpose(s) for which consent was given unless we have another legal basis for the processing.

Stop us from sending you marketing information
If you receive marketing communications from us you may have the right to, at any time, ask us to stop sending them to you by following the unsubscribe instructions in communications from us, or contacting us as described under Contact information and further advice below.

Be free from discrimination
We will not engage in illegal discrimination on account of your exercise of these rights.

If you wish to make a complaint about how we are using your personal information you can contact us by sending an email to our data protection officer:  dataprotectionofficer@issgovernance.com

Where GDPR applies to the processing of your personal information, you also have a right to complain to the EU Data Protection Authority (“DPA”) in your jurisdiction.

If you would like to exercise your rights or appeal a decision we have made in response to your rights request, please call us at 1-844-665-9287. If you are a California resident, please click here to exercise your rights. If you are a Colorado resident, please click here to exercise your rights.

If you would prefer, you may have the right in certain jurisdictions to designate an authorized agent to make a request on your behalf. Please note that we may require additional information from you in order to honor your request, as we will review your request to verify your identity upon receipt. In order to confirm that your request is valid, we may also send you an email with instructions on how to confirm your residency.

In some circumstances we may deny your request, as permitted under applicable law.

If you have any questions about this privacy statement, ISS’ processing of your personal information, you wish to exercise your rights as stated above, or you would like assistance accessing this policy in a more accessible format, please contact us at dataprotectionofficer@issgovernance.com.

To reach the Data Protection Officer for Institutional Shareholder Services Germany AG, please contact issagdpo@issgovernance.com.

ISS may disclose any of the categories of personal information described in the What personal information we collect and use section to the categories of third parties described in the Disclosing your personal information section.

ISS may sell the following categories of personal information to clients as part of its products and services:

• identifiers, such as your name and business contact information;
• personal characteristics, such as your gender, age, and date of birth;
• device and online identifiers and related information, such as your IP address, browser type, and language; and
• inferences drawn from personal information, such as performance metrics or a profile reflecting your preferences, tendencies, demographic information, and characteristics.

To exercise any rights you may have with respect to your personal information, including to opt-out of sales of personal information as part of our products, click here.

In accordance with California law, this notice describes the categories of personal information ISS collects about California residents and its purposes for collection. It also describes how we disclose, sell or share your personal information, and how you may opt-out of such sales or sharing. For purposes of this California privacy notice, the terms “personal information”, “sell”, and “share” are used as defined under California law, including any applicable exceptions.

For detailed information about our privacy practices, please refer to our privacy statement.

ISS collects the categories of personal information described above for the purposes described in the How and why we use your personal information and The legal basis for processing your personal information sections of the privacy statement.

ISS retains personal information as described in the How long we keep your personal information section of the privacy statement.

We may sell your personal information as part of the products that we offer to our clients. To opt-out of sales of personal information as part of our products, click here.

Our use of tracking technologies may be considered a “sale” or “sharing” under California law. You can opt-out of being tracked by these third parties by clicking here or by broadcasting the Global Privacy Control (GPC) (on browsers and/or browser extensions that support such a signal). Please note that your use of our website may still be tracked by ISS and/or our service providers.

We do not knowingly sell the personal information of consumers under 16 years of age.