Privacy Statement

1.

WHO ARE WE?

1.1 The International Stock Exchange Group Limited (Guernsey registered company 57524) (“TISEG”) wholly owns The International Stock Exchange Authority Limited (Guernsey registered company number 57527) (“TISEA”).
1.2 Together, these companies are the “TISE Entities”, both with a registered office at Helvetia Court, Block B, Third Floor, Les Echelons, St Peter Port, Guernsey GY1 1AR.
1.3 TISEA is licensed by the Guernsey Financial Services Commission to operate an investment exchange under the Protection of Investors (Bailiwick of Guernsey) Law, 1987, as amended. The International Stock Exchange (the “Exchange”) is an investment exchange which is operated and regulated by TISEA.

2.

TO WHOM DOES THIS PRIVACY STATEMENT APPLY?

2.1

This Privacy Statement (the “Statement”) sets out how the TISE Entities, as joint data controllers, collect, process and retain personal data. 'Personal data' means any information relating to an identified or identifiable natural person.
The Statement does not form part of any contract to provide services.

2.2

This Statement applies to you as a:

  • casual browser of our website, tisegroup.com (the “Website”);
  • subscriber to our market and research material;
  • user of our Legal Entity Identifier (“LEI”) service;
  • Member or prospective Member of the Exchange;
  • Issuer or prospective Issuer for listing on the Exchange;
  • user of the Exchange’s software; or
  • shareholder of the TISE Entities.

3.

HOW DO WE COLLECT PERSONAL DATA?

3.1 We collect personal data when you browse or fill in forms on our Website, use our software, send us documentation or correspond with us by phone, e-mail or otherwise. We will collect additional personal information in the course of service-related activities throughout the period of providing services to you. The personal data which we collect, process and retain will vary depending upon your relationship with the TISE Entities.

4.

WHAT PERSONAL DATA DO WE COLLECT?

4.1

Casual browsers of our Website

4.1.1

When you browse our Website we may automatically collect the following:

  • technical information, including your Internet Protocol (“IP”) address to help diagnose problems with our server, and to administer our Website. An IP address is a number that is assigned to your computer when you use the internet. Your IP address is also used to help identity you during a particular session and to gather broad demographic data; and
  • information about your visit including, for analytical purposes, using the Google Analytics service which collects information such as how often and what pages you visit on the Website and what other sites you used prior to coming to the Website.
4.1.2 Google Analytics places a cookie, which is only accessible by Google, on your computer to identify you as a unique user the next time you visit our Website. Google's use of this cookie is governed by their Google Analytics Terms of Service (https://www.google.com/analytics/terms/) and their Google Privacy Policy (https://www.google.com/intl/en-GB/policies/privacy/).
4.1.3 We do not combine the information collected through our use of Google Analytics with any other information which may identify you personally.

 

4.2

 

Subscribers to our market and research material

4.2.1 The TISE Entities will only collect, process and retain your personal data (including where appropriate your name, email address and any other relevant information you provide to us) for marketing purposes or market and opinion research, where you have provided your consent for us to do so. You may at any time withdraw your consent and unsubscribe from receiving such information by selecting unsubscribe.
4.2.2 We will not disclose personal data collected for marketing purposes to any third parties without notifying you of the identity of the third party together with details of what data is being shared and how it will be processed.

 

4.3

 

Users of our LEI service

4.3.1 TISEA collects, processes and retains personal data (including where appropriate your name, postal address, email address and any other relevant information you provide to us) relating to users of the LEI service where it has received consent from you to do so. Users may at any time withdraw their consent.
4.3.2 TISEA may disclose personal data relating to users of the LEI service to the London Stock Exchange (“LSE”), who will collect, process and retain the data for the purposes of applying, renewing or maintaining an LEI. See also section 8 of this notice which deals with data transfers.
4.3.3 It is the responsibility of users of the LEI service to ensure that the individuals to whom the personal data relates have been notified of its collection, processing and retention by TISEA and, where applicable, the LSE.
4.3.4 Users of the LEI service are responsible for ensuring the accuracy of the personal data provided to TISEA.

 

4.4

 

Members and prospective Members of the Exchange

4.4.1 TISEA is required to collect, process and retain personal data (including where appropriate your name, postal address, email address, employment history and any other relevant information that you provide to us or that we collect) relating to Members and prospective Members of the Exchange in order to satisfy its legal and regulatory obligations.
4.4.2 It is the responsibility of Members or prospective Members of the Exchange to ensure that the individuals to whom the personal data relates have been notified of its collection, processing and retention by TISEA.
4.4.3 Members of the Exchange are responsible for ensuring the accuracy of the personal data provided to TISEA.

 

4.5

 

Issuers and prospective Issuers for listing on the Exchange

4.5.1 TISEA is required to collect, process and retain personal data relating to Issuers and prospective Issuers for listing on the Exchange in order to satisfy its legal and regulatory obligations. Where appropriate TISEA collects names, postal addresses, email address and any other relevant information you provide to us or that we collect for this purpose.
4.5.2 Where a Member is acting as a sponsor to an issuer or prospective issuer for listing on the Exchange, it is the responsibility of the Member to ensure that the individuals to whom the personal data relates have been notified of its collection, processing and retention by TISEA.
4.5.3 Members of the Exchange are responsible for ensuring the accuracy of the personal data provided to TISEA.

 

4.6

 

Users of the Exchange’s software

4.6.1 TISEA is required to collect, process and retain personal data relating to users of its software (“Contributors”) in order to satisfy its legal and regulatory obligations. TISEA collects where appropriate names, email addresses and dates of birth for this purpose.
4.6.2 It is the responsibility of the Contributor to ensure that the individuals to whom the personal data relates have been notified of its collection, processing and retention by TISEA.
4.6.3 Contributors are responsible for ensuring the accuracy of the personal data provided to TISEA.

 

4.7

 

Shareholders

4.7.1

In addition to the requirements under law for the TISE Entities to maintain records of their shareholders, we may collect, retain and process personal data (including where appropriate your name, postal address, email address and any other relevant information that you provide to us or that we collect) for:

  • the processing and payment of dividends, and associated reporting;
  • the issuance of circulars to shareholders; and
  • routine correspondence and administration purposes.

5.

HOW WE WILL USE INFORMATION ABOUT YOU?

5.1

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform an agreement we have entered into with you.
  • Where we need to comply with a contractual, legal or regulatory
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
5.2

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else's interests).
  • Where it is needed in the public interest, including to prevent fraud.
5.3

The situations in which we will process your personal information are listed below.

  • The operation of the Exchange under the terms of its licence
  • Providing its LEI services
  • Administering the contract we have entered into with you or where you are a party related to an entity for which we are contracted to provide services
  • Complying with a valid order by a court or other governmental body or applicable law
  • Satisfying any legal or regulatory obligation
  • Business management and planning, including accounting and auditing
  • Making arrangements for the termination of our commercial relationship
  • Dealing with legal disputes involving you
  • To prevent fraud, criminal activity or market abuse
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
  • To conduct data analytics studies to review and better understand customer retention and attrition rates
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
5.4 If you fail to provide certain information when requested, we may not be able to perform the agreement we have entered into with you (if applicable) or we may be prevented from complying with our legal obligations.
5.5 We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
5.6 Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

6.

HOW WE USE PARTICULARLY SENSITIVE DATA

6.1

'Sensitive personal data' is referred to under the law as 'Special Category Data'. Special Category Data requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • In limited circumstances, with your explicit written consent.
  • Where we need to carry out our legal obligations and in line with our data protection policy.
  • Where it is needed in the public interest, such as to prevent fraud and in line with our data protection policy.
6.2 Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
6.3 Save where you have given explicit consent, we may only use information relating to the commission or alleged commission of a criminal offence by an individual where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy.

7.

AUTOMATED DECISION-MAKING

7.1 We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

8.

DATA SHARING

8.1 We may have to share your data with third parties, including third-party service providers and other entities in the group. We require third parties to respect the security of your data and to treat it in accordance with the law.
8.2 We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
8.3 "Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers: IT system management, banking, share registration, marketing and archiving.
8.4 We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business.
8.5

We may also need to share your personal information with:

  • a court, regulator, government body, applicable authority, enforcement agency or to otherwise comply with the law; or
  • the Appeals Committee, Disciplinary Committee and Disciplinary Appeals Committee of TISEA.
8.6

An authorised jurisdiction is (a) the Bailiwick of Guernsey, (b) a Member State of the European Union, (c) any country, any sector within a country, or any international organisation that the Data Protection Commission has determined ensures an adequate level of protection within the meaning of Article 45(2) of the GDPR (or the equivalent article of the former Directive), and for which the determination is still in force, or (d) a designated jurisdiction which is (i) the United Kingdom, (ii) a country within the United Kingdom, (iii) any other country within the British Islands, or (iv) any sector within a country mentioned in (i), (ii) or (iii) (Authorised Jurisdictions).

An unauthorised jurisdiction is a jurisdiction which is not an Authorised Jurisdiction (Unauthorised Jurisdiction).

We may transfer the personal information we collect about you to Authorised Jurisdictions.

Save as permitted by law we will not transfer the personal information we collect about you to Unauthorised Jurisdictions.

9.

STORAGE AND SECURITY OF YOUR PERSONAL DATA

9.1 The TISE Entities will collect and process personal data in accordance with this Statement and the law.
9.2 We will hold your personal data securely and will only keep it for as long as is reasonably necessary. The TISE Entities have implemented reasonable organisational and technical measures to protect your personal data. These measures include policies and procedures, physical and software security, and an employee training programme.
9.3 Whilst we have taken measures to protect your personal data, the transmission of data over the internet or other networks cannot be guaranteed as being secure. The TISE Entities do not make any warranties, express or implied, about the security of your personal data in this regard.
9.4 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

10.

DATA RETENTION

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from our Data Protection Officer. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

11.

LINKS TO OTHER WEBSITES

11.1 Our Website may contain links or references to websites operated by external parties. This Statement does not apply to those websites and you should check the privacy policy of each website you visit.
11.2 We have no control over or responsibility for those other websites or the way in which they collect, process or retain your personal data which may be different from the way in which we collect, process and retain your personal data.
11.3 By including references, hyperlinks or other connections to other websites we do not imply any endorsement of them or any association with their owners or operators. 

12.

RIGHTS OF ACCESS, CORRECTION, ERASURE AND RESTRICTION

12.1 It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
12.2

Under certain circumstances, by law you have the:

  • Right to data portability: right to request the transfer of your personal information to another party.
  • Right of access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Right to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes or if data were being processed on grounds of public interest or for historical or scientific purposes.
  • Right to rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Right to erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
  • Right to restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Right to be notified of rectification, erasure and restrictions.
  • Right not to be subject to decisions based on automated processing.
12.3 If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Protection Officer in writing.
12.4 You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if a repeated request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
12.5 We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
12.6 In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

13.

ENQUIRES AND COMPLAINTS

13.1 Any questions relating to this Statement or the personal data which we hold on you, should be referred to our Data Protection Officer.
13.2 Should you wish to exercise any of your rights under the data protection law, or submit a complaint regarding our compliance with the exercise of such rights, please contact our Data Protection Officer.
13.3 If you are dissatisfied with the way in which we have dealt with or handled your complaint, you have the right refer your complaint to your local data protection authority, and to appeal the outcome of your complaint.

14.

DATA PROTECTION OFFICER

14.1 Mr John Inderwick
14.2 Address: Helvetia Court, Block B, 3rd Floor, Les Echelons, St Peter Port, Guernsey GY1 1AR
14.3 E-mail: data.protection@tisegroup.com
14.4 Telephone: +44 (0) 1481 753000

15.

DATA PROTECTION REGISTRATION

15.1 The TISE Entities are registered as data controllers with the Data Protection Commissioner (Guernsey):
  • The International Stock Exchange Authority Limited (No 12726); and
  • The International Stock Exchange Group Limited (No 12727).
15.2 The TISE Entities are registered as data controllers with the Information Commissioner (Jersey):
  • The International Stock Exchange Group Limited (No 22077); and
  • The International Stock Exchange Authority Limited (No 22078).
There is currently no need for the TISE Entities to register in the Isle of Man but if their new GDPR compliant legislation affects this then one or more of the TISE Entities may register.

16.

CHANGES TO OUR PRIVACY STATEMENT

16.1 Please read this Statement carefully and re-visit the relevant sections of it each time you visit our Website or provide us with any personal data. Changes may be made to this Statement at any time and without notice.
16.2 This Statement was last updated on 25 May 2018.