Institutional Shareholder Services Inc.
IMPLEMENTED MAY 25, 2018
We are deeply committed to protecting the privacy of your personal information. This privacy statement describes what personal information we collect and use, how we collect and use it, and the purposes for which we use it. This privacy statement also provides information about your rights with respect to our use of your personal information. Our goal is to always be honest, fair and transparent about why and how we use your personal information.
In this privacy statement, ‘personal information’ means your personal data – i.e., information about you from which you can be identified or are identifiable. We may also refer to ‘processing’ your personal information, which includes collecting, handling, protecting and storing it.
This privacy statement also contains information about when we share your personal information with our affiliated entities and with other third parties (for example, our service providers). This privacy statement does not apply to our personnel, who are covered by our internal notices, policies and procedures.
Who we are
This is the privacy statement of Institutional Shareholder Services Inc. and its wholly-owned subsidiary entities, whether direct or indirect (collectively, “ISS” or “we” or “us”). ISS is a multinational company, with offices around the globe. ISS’ clients and prospects are businesses, not individuals or consumers. We share data, which may include personal information, internally among our affiliated entities and business units in the ordinary course of our daily operations.
As of May 2018, the wholly-owned subsidiaries of Institutional Shareholder Services Inc. are as follows:
- Conflict Securities Advisory Group, Inc.
- IdealsWork, Inc.
- Institutional Shareholder Services Canada Corp.
- Institutional Shareholder Services Europe S.A.
- Institutional Shareholder Services France S.A.S
- Institutional Shareholder Services India Private Limited
- Institutional Shareholder Services K.K.
- Institutional Shareholder Services (Australia) Pty. Ltd.
- Institutional Shareholder Services (Singapore) Private Limite
- Investor Research Responsibility Center, Inc.
- ISS-Ethix AB
- ISS Corporate Solutions, Inc.
- ISS Europe Limited
- oekom research AG
- oekom research Inc.
- Research, Recommendations and Electronic Voting Ltd.
- Securities Class Action Services, LLC
In this privacy statement references to our websites refer to the following:
Institutional Shareholder Services Inc. is located at 702 King Farm Blvd., Suite 400, Rockville, MD 20850.
The addresses of our other offices are set out at www.issgovernance.com/contact/
What personal information we collect and use
We may collect and use your personal information in physical and electronic form, and will hold, use and otherwise process that information in compliance with applicable data protection laws and regulations and as set out in this statement.
When we provide products and services to our clients we may process personal information about you. We may also collect personal information from you when you use our websites.
We may process your personal information when:
- you provide it to us (for example, in a registration form on our websites);
- other people provide it to us (for example, a client may provide us with your personal information in connection with our provision of products and services to the client); or
- it is available from publicly available sources.
The personal information we process may include your:
- name, gender, age and date of birth;
- contact information, such as name, address, email address and mobile phone number;
- employment information (e.g., the name of your employer and your job title (current and historical));
- educational background (e.g., colleges or universities attended and degrees earned);
- financial and tax-related information (e.g., your investments, transaction history, and tax residency);
- your passport information;
- postings or messages on any blogs, forums, platforms, wikis or social media applications and services that we provide (including with third parties);
- IP address, browser type and language, and your access times;
- information about how you use our websites, products and services;
- CCTV images and other information we collect when you are on our premises; and
- details of how you like to interact with us, and other similar information relevant to our relationship.
We do not intend to collect any ‘sensitive’ or ‘special categories’ of personal data about you in respect of your religious beliefs, political affiliations or health information.
If you choose not to provide, or object to us processing, the information we need to collect for statutory or contractual purposes (including entering into a contract), we may not be able to process your instructions or continue to provide some or all of our products and services to our clients.
Personal information provided by third parties or about third parties
When we receive personal information about you from our clients or from another third party, we require them to comply with the relevant privacy laws and regulations. This may include, for example, placing the responsibility on the client or other third party to inform you of the processing of your personal information and to obtain any necessary permission for us to process your personal information as described in this privacy statement.
If you provide us with any personal information that relates to a third party (such as a spouse, child, or joint account holder), you confirm that you have obtained any necessary permission to use such information or are otherwise permitted to give it to us and that we may use that information in accordance with this privacy statement without breaching applicable data protection laws and regulations.
How we use your personal information
In general, we process your personal information so we can provide products and services to our clients, conduct other business activities (such as management of our client accounts) and meet our legal or regulatory obligations. We may also use your personal information for marketing purposes with your consent or where applicable data protection laws and regulations otherwise allow.
We have provided some examples of our use of your personal information below.
Use of personal information to provide products and services to our clients
We will use your personal information to provide our clients or other third parties with products and services, and this includes using your personal information in communications relating to those products and services. For example, we might use personal information about:
- a client’s personnel to help those individuals access our products and services on behalf of the client such as through access to a password-restricted electronic platform;
- a client’s personnel in the course of collecting information about the client or understanding a client’s business operations, requirements or objectives;
- a client’s customer’s passport information to facilitate the customer’s attendance at an annual shareholders meeting; or
- an individual who serves as an officer or director of a company that is the subject of one or more of our research and data product offerings.
Use of personal information for other activities that form part of the operation of our business
We may also, for example, use your personal information in connection with:
- legal or regulatory requirements;
- client account management (e.g., invoicing, contract administration and other administrative tasks);
- client relationship management and marketing which may involve:
- sending you thought leadership materials or details of our products and services;
- contacting you for feedback on our products and services; and
- sending you event invitations;
- use of third-party data sources to help us obtain, verify and improve the information about key contacts at our prospects and clients;
- services we receive from our professional advisors, such as lawyers, accountants and auditors;
- investigating or preventing security incidents; or
- protecting our rights and those of our clients and defending any claims made against us.
We may also anonymise your personal information and combine it with other such anonymised information to create aggregated, anonymised information which we may share with third parties for several purposes, including data analytics, research, submissions, thought leadership and promotional activity. Use of personal information collected from our website
We may, for example, use your personal information that we have collected from our website:
- to manage and improve our website;
- to provide additional information about our products and services that may be of interest to you; or
- to manage and respond to any request you submit through our website (e.g., a request to receive an ISS newsletter).
The legal basis for processing your personal information
Depending on what personal information about you we have and the context in which we obtain it, we rely on one or more of the following lawful grounds for processing your personal information:
- you have agreed to us processing your information for a specific reason (e.g., using your email address because you have consented to receive marketing materials from us);
- the processing is necessary to perform the agreements we have with our clients or to take steps to enter into an agreement with clients (or prospective clients);
- the processing is necessary for compliance with a legal obligation we have such as keeping records for compliance with our obligations as a registered investment adviser under U.S. securities laws or providing information to a public body or law enforcement agency to the extent this does not contravene applicable data protection laws or regulations; and/or
- the processing is necessary for our legitimate interests such as:
- to provide our services or information to our clients and others;
- to prevent and detect theft, fraud and other criminal activity;
- to protect our business interests;
- to manage our business (including business planning and promotion)
- to investigate complaints;
- to evaluate, develop or improve our services or products;
- to keep you or our clients informed about relevant products and services and provide you with information, unless you have indicated at any time that you do not wish us to do so; or
- in the case of electronic marketing communications, where permitted under applicable data protection laws or regulations, we have a relationship with you which permits us to issue marketing communications to you subject to the right to opt-out.
To the extent that we process any special categories of personal information relating to you for any of the purposes outlined above, we will do so because:
- you have given us your explicit consent to process that personal information;
- we are required by law to process that personal information in order to ensure we meet our ‘know your client’ and ‘anti-money laundering’ obligations (or other legal obligations imposed on us); or
- the processing is necessary for the establishment, exercise or defence of legal claims.
Sharing your personal information
In connection with our processing of your personal information as described above, we may share your personal information with the following third parties:
- our regulators (e.g., the United States Securities and Exchange Commission);
- other third parties as necessary to comply with the law;
- entities in the ISS group of companies as part of our business operations in the ordinary course of business, regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, and/or for system maintenance support and hosting of data;
- other third parties as necessary to perform our contractual obligations to our clients;
- our hosting service providers and other service providers;
- our professional advisers (including legal counsel, tax advisers, and auditors);
- potential or actual purchasers of the business (or a part thereof), or other third parties in the context of a possible sale or restructuring of the business; and/or
- any person or entity specified by you.
Transferring your personal information outside the EEA
We will transfer your personal information to countries outside the European Economic Area (EEA) for the purposes of carrying out our obligations under our contract with our clients, to operate our business, and/or to comply with legal obligations. Some of these countries outside the EEA, such as the United States of America and the Philippines, are not currently covered by an adequacy decision by the European Commission (EC) which means that such countries are not deemed by the EC to provide an adequate level of protection for your personal information. However, any such transfers by us will be covered by a data transfer mechanism recognized by the relevant government authorities or courts as providing an adequate level of protection for personal information, including but not limited to: standard data protection clauses (processors) adopted by the EC from time to time, binding corporate rules, and/or the EU-US Privacy Shield Framework.
We may also transfer your personal information when:
- the transfer is to a country deemed to provide adequate protection of your personal information by the European Commission; or
- where you have otherwise consented to the transfer.
How long we keep your personal information
We are committed to ensuring that in the future we will only process your personal information for as long as necessary to fulfil the purposes for which we collected it, including to satisfy any legal, accounting or reporting requirements. Given that we operate on a global basis, the relevant periods for which we hold personal information may vary according to the requirements of local laws but, in general terms, we will only retain your personal information for periods required or permitted by law or, more generally, for the period necessary to provide our products and services and to our clients and thereafter for so long as is required to allow us to establish, exercise or defend legal claims and/or as is necessary to meet any retention obligations applicable to us. For more information as to how long we may retain personal information in particular circumstances, please contact us – see Contact information and further advice below.
We are committed to complying with all applicable data protection laws that apply to our processing of your personal information. This privacy statement applies on a worldwide basis across our operations, unless it conflicts with the laws in any particular jurisdiction, in which case we will process personal information in accordance with those laws to the extent they apply. While this privacy statement is designed, in part, to satisfy the requirements of the EU General Data Protection Regulation (GDPR) and to apply standards which are generally consistent with it, this privacy statement does not create rights under GDPR for individuals whose personal information is being processed outside the scope of the application of GDPR.
Under applicable data protection laws and regulations, you may have various rights in relation to your personal information. In particular, where GDPR applies to you, you have a right to:
Access to your information
You have the right to request a copy of the personal information about you that we hold.
Correcting your information
You have the right to ask us to correct your personal information if you believe it is not accurate, complete or up-to-date.
Deletion of your information
You have the right to ask us to delete your personal information if:
- It is no longer necessary for the purposes for which we obtained it
- You have withdrawn your consent for our processing of your personal information (see Withdrawing consent to using your information below), and we have no other legal basis for the processing
- You have validly objected to our processing of your personal information (see Objecting to how we may process your information below)
- We have unlawfully processed your personal information; or
- We must delete your personal information to comply with a legal obligation.
Objecting to how we may process your information
If we process your personal information to perform tasks carried out in the public interest or on the basis of our legitimate interests, you have the right to object to this processing on the basis of your particular situation. In such event, we will continue the processing only if we have overriding legitimate grounds for this, or the processing is to establish, exercise or defend legal claims. You may also object if we process your personal information for direct marketing purposes in which case we will no longer process your information for such purposes.
Restricting how we may process your information
You have the right to ask us to restrict our processing of your personal information if:
- you contest the accuracy of the information (for a period of time that enables us to check it);
- our processing is unlawful, but you don’t want the data deleted;
- we no longer need the data, but you require it to establish, exercise or defend legal claims; or
- you have objected (as above) and are awaiting confirmation as to whether we have overriding legitimate grounds for processing.
Currently, ISS does not take decisions about individuals based solely on automated processing (i.e., without human involvement) which have a legal or similarly significant effect on them.
Withdrawing consent for processing your information
You may withdraw your consent for the processing of your personal information at any time in which case we will stop processing your personal information for the purpose(s) for which consent was given unless we have another legal basis for the processing.
Stop us from sending you marketing information
If you receive marketing communications from us you may, at any time, ask us to stop sending them to you by following the unsubscribe instructions in communications from us, or contacting us as described under Contact information and further advice below.
Right to complain
If you wish to make a complaint about how we are using your personal information, exercise any of the rights set out above, or if you have any questions or comments about privacy issues, you can contact us by sending an email to our data protection officer: email@example.com
Where GDPR applies to the processing of your personal information, you also have a right to complain to the EU Data Protection Authority (“DPA”) in your jurisdiction.
Changes to this privacy statement
We may modify or amend this privacy statement from time to time.
When we make changes to this privacy statement, we will amend the revision date at the top of this page. The modified or amended privacy statement will apply from that date. We encourage you to review this statement regularly to remain informed about how we are protecting your information.
Contact information and further advice
If you have any questions about this privacy statement, ISS’ processing of your personal data or you wish to exercise your rights as stated above, please contact us at firstname.lastname@example.org