Privacy Statement | TISE

Privacy Statement

1. Who are we?

1.1. The International Stock Exchange Group Limited (Guernsey registered company 57524) (“TISEG”) wholly owns The International Stock Exchange Authority Limited (Guernsey registered company number 57527) (“TISEA”).

1.2. Together, these companies are the “TISE Entities”, both with a registered office at Helvetia Court, Block B, Third Floor, Les Echelons, St Peter Port, Guernsey GY1 1AR and No.3 The Forum, Grenville Street, St Helier, Jersey, JE4 4UF. 

1.3. TISEA is licensed by the Guernsey Financial Services Commission to operate an investment exchange under the Protection of Investors (Bailiwick of Guernsey) Law, 2020. The International Stock Exchange (the “Exchange” or “TISE”) is an investment exchange which is operated and regulated by TISEA.

2. To whom does this privacy statement apply?

2.1. This Privacy Statement sets out how the TISE Entities, as joint data controllers, collect, process and retain personal data. 'Personal data' means any information relating to an identified or identifiable natural person.

2.2. The Privacy Statement does not form part of any contract to provide services.

2.3. This Privacy Statement applies to you as a:

  • casual browser of our website, tisegroup.com (the “Website”);
  • subscriber to our market and research material;
  • Member or prospective Member of the Exchange;
  • Issuer or prospective Issuer for listing on the Exchange;
  • user of our online contributor services portal, MyTISE;
  • user of the TISE trading system, NOVA;
  • user of the private online marketplace, TISE Private Markets;
  • shareholder of TISEG; or
  • potential employee, employee, contractor, consultant or temporary worker of the TISE Entities.

3. How do we collect personal data?

3.1. We collect personal data when you browse or fill in forms on our Website, use MyTISE, NOVA or the TISE Private Markets platform, send us documentation or correspond with us by phone, e-mail or otherwise. We will collect additional personal information in the course of service-related activities throughout the period of providing services to you. The personal data which we collect, process and retain will vary depending upon your relationship with the TISE Entities.

4. What personal data do we collect?

4.1. Casual browsers of our Website

4.1.1. When you browse our Website we may automatically collect the following:

  • technical information, including your Internet Protocol (“IP”) address to help diagnose problems with our server, and to administer our Website. An IP address is a number that is assigned to your computer when you use the internet. Your IP address is also used to help identify you during a particular session and to gather broad demographic data; and
  • information about your visit including, for analytical purposes, using the Google Analytics service which collects information such as how often and what pages you visit on the Website and what other sites you used prior to coming to the Website.

4.1.2. Google Analytics places a cookie, which is only accessible by Google, on your computer to identify you as a unique user the next time you visit our Website. Google's use of this cookie is governed by their Google Analytics Terms of Service (https://www.google.com/analytics/terms/) and their Google Privacy Policy (https://www.google.com/intl/en-GB/policies/privacy/).

4.1.3. The Lead Forensics tool uses IP tracking for identifying businesses and is not the same as cookies. The Lead Forensics tracking code will only provide information that is readily available in the public domain. It does not, and cannot, provide individual, personal or sensitive data regarding who has visited the TISE website. It will provide information on what companies have visited our website by identifying them by way of their IP address. This data may be used by us to contact the business about their experience or for marketing purposes. We will not pass this data to third parties for any reason. More information can be found at www.leadforensics.com.

4.1.4. We do not combine the information collected through our use of Google Analytics with any other information which may identify you personally.

4.2. Subscribers to our market and research material

4.2.1. The TISE Entities will only collect, process and retain your personal data (including where appropriate your name, email address and any other relevant information you provide to us) for marketing purposes or market and opinion research, where you have provided your consent for us to do so. You may at any time withdraw your consent and unsubscribe from receiving such information by selecting unsubscribe.

4.2.2. We will not disclose personal data collected for marketing purposes to any third parties without notifying you of the identity of the third party together with details of what data is being shared and how it will be processed.

4.3. Members and prospective Members of the Exchange

4.3.1. TISEA is required to collect, process and retain personal data relating to individuals associated with Members and prospective Members of the Exchange in order to satisfy its legal and regulatory obligations. Where appropriate TISEA collects names, dates of birth, certain criminal record data in relation to directors of Category 2 & 3 Members and traders of Members and prospective Members, postal addresses, email addresses and any other relevant information that we collect for this purpose. The names of other relevant staff are also collected.

4.3.2. It is the responsibility of Members or prospective Members of the Exchange to ensure that the individuals to whom the personal data relates have been notified of its collection, processing and retention by TISEA.

4.3.3. Members of the Exchange are responsible for ensuring that personal data provided to TISEA is processed correctly and accurately.

4.4. Issuers and prospective Issuers for listing on the Exchange

4.4.1. TISEA is required to collect, process and retain personal data relating to individuals associated with Issuers and prospective Issuers for listing on the Exchange in order to satisfy its legal and regulatory obligations. Where appropriate TISEA collects names, dates of birth, certain criminal record data (in relation to directors of equity issuers and prospective issuers), postal addresses, email addresses and any other relevant information.

4.4.2. Where a Member is acting as a listing agent or sponsor to an issuer or prospective issuer for listing on the Exchange, it is the responsibility of the Member to ensure that the individuals to whom the personal data relates have been notified of its collection, processing and retention by TISEA.

4.4.3. Members of the Exchange are responsible for ensuring that personal data relating to issuers provided to TISEA is processed correctly and accurately.

4.5. Users of MyTISE & NOVA

4.5.1. TISEA is required to collect, process and retain personal data relating to users of MyTISE and NOVA (“Contributors”) in order to satisfy its legal and regulatory obligations and in order to monitor MyTISE’s system functions. TISEA collects user names, email addresses and contact telephone numbers for this purpose.

4.5.2. It is the responsibility of the Contributor to ensure that the individuals to whom the personal data relates have been notified of its collection, processing and retention by TISEA.

4.5.3. Contributors are responsible for ensuring that personal data relating to their system users provided to TISEA is processed correctly and accurately.

4.6. Users of TISE Private Markets

4.6.1. The Privacy Policy specific to users of the TISE Private Markets platform is available at https://tiseprivatemarkets.com/privacy-statement

4.7. Shareholders

4.7.1. In addition to the requirements under law for the TISE Entities to maintain records of their shareholders, we may collect, retain and process personal data (including where appropriate your name, postal address, email address and any other relevant information that you provide to us or that we collect) for:

  • the processing and payment of dividends, and associated reporting;
  • the issuance of circulars to shareholders; and
  • routine correspondence and administration purposes.

4.8. Potential Staff

4.8.1. As part of our recruitment process we collect, process and retain personal data (including where appropriate your CV and any covering letter, your name, residential address, personal contact details, work experience, residential status, education, qualifications, skills, and any other relevant information that you provide to us or that we collect) for:

  • assessing your suitability for a role within the TISE Entities;
  • verifying your information and carrying out pre-screening checks and/or conducting background or criminal records checks (where applicable) if you are offered employment;
  • communicating with you about the recruitment process and/or your application, including, in appropriate cases, informing you of other potential career opportunities at the TISE Entities; and/or
  • complying with applicable laws, regulations or other legal duties.

As a regulated business, we have a legal obligation to know the identity and background of the individuals we employ to ensure we have the appropriate staff.

5. How will we use information about you?

5.1. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to comply with an agreement we have entered into with you.
  • Where we need to comply with a contractual, legal or regulatory obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

5.2. We may also use your personal data in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else's interests).
  • Where it is needed in the public interest, including to prevent fraud.

5.3. The situations in which we will process your personal data are listed below.

  • The operation of the Exchange under the terms of its licence.
  • The operation of MyTISE & NOVA.
  • The operation of the TISE Private Markets platform.
  • Administering any contract we have entered into with you or where you are a party related to an entity for which we are contracted to provide services.
  • Complying with a valid order by a court or other governmental body or applicable law.
  • Satisfying any legal or regulatory obligation.
  • Business management and planning, including accounting and auditing.
  • Making arrangements for the termination of a commercial relationship or contract.
  • Dealing with legal disputes involving you.
  • To prevent fraud, criminal activity or market abuse.
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
  • To enable the effective monitoring and review of the performance of MyTISE.
  • To conduct data analytics studies to review and better understand customer retention and attrition rates.
  • To undertake the staff recruitment and onboarding process.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

5.4. If you fail to provide certain personal data when requested, we may not be able to comply with the agreement we have entered into with you (if applicable) or we may be prevented from complying with our legal obligations.

5.5. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

5.6. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

6. How we use special category data

6.1. Special Category Data requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal data in the following circumstances:

  • In limited circumstances, with your explicit written consent.
  • Where we need to comply with our legal or regulatory obligations and in line with our data protection policy.
  • Where it is needed in the public interest, such as to prevent fraud and in line with our data protection policy.
  • During the recruitment process to establish if you have a medical condition or disability for which the Company is required to make reasonable adjustments.

6.2. Less commonly, we may process this type of data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.

6.3. Save where you have given explicit consent, we may only use data relating to the commission or alleged commission of a criminal offence by an individual where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and where we do so in line with our data protection policy.

7. Automated decision-making

7.1. We do not envisage that any decisions will be taken about you using automated means to process your data; however, we will notify you in writing if this position changes.

8. Data sharing

8.1. We may have to share your data with third parties, including third-party service providers and other entities in the group. We require third parties to respect the security of your data and to treat it in accordance with the law.

8.2. We will share your personal data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

8.3. "Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers:

  • medical and dental insurance;
  • IT system management;
  • pension scheme operation;
  • banking;
  • share registration;
  • identity and bank account verification services in relation to users of the TISE Private Markets platform and to process payments in relation to auctions on the TISE Private Markets platform (https://tiseprivatemarkets.com/privacy-statement); 
  • marketing; and
  • archiving.

8.4. We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business.

8.5. We may also need to share your personal data with:

  • a court, regulator, government body, applicable authority, enforcement agency or to otherwise comply with the law; or
  • the Appeals Committee or Disciplinary Committee of TISEA.

8.6. For the purposes of the sharing of personal data, Guernsey’s Office of the Data Protection Commission has defined an authorised jurisdiction as:

  • the Bailiwick of Guernsey;
  • a Member State of the European Union, or any sector within a country, or any international organisation that the (European) Commission has determined ensures an adequate level of protection within the meaning of Article 45(2) of the GDPR and for which the determination is still in force; or
  • a designated jurisdiction (by Ordinance).

8.7. We may transfer the personal data we collect about you to an Authorised Jurisdiction.

8.8. Save as permitted by law we will not transfer the personal data we collect about you to unauthorised Jurisdictions.

9. Storage and security of your personal data

9.1. The TISE Entities will collect and process personal data in accordance with this Privacy Statement and the law.

9.2. The TISE Entities have implemented proportionate organisational and technical measures to protect your personal data. These measures include policies and procedures, physical and software security, and an employee training programme.

9.3. Whilst we have taken measures to protect your personal data, the transmission of data over the internet or other networks cannot be guaranteed as being secure. The TISE Entities do not make any warranties, express or implied, about the security of your personal data in this regard.

9.4. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

10. Data retention

10.1. We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements. Details of retention periods for different aspects of your personal data are available in our data retention policy, the details of which are available from our Data Protection Officer.

10.2. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process and retain your personal data, whether we can achieve those purposes through other means and the applicable legal and regulatory requirements.

11. Links to other websites

11.1. Our Website may contain links or references to websites operated by external parties. This Privacy Statement does not apply to those websites and you should check the privacy policy of each website you visit.

11.2. We have no control over or responsibility for those other websites or the way in which they collect, process or retain your personal data which may be different from the way in which we collect, process and retain your personal data.

11.3. By including references, hyperlinks or other connections to other websites we do not imply any endorsement of them or any association with their owners or operators.

12. Rights of access, correction, erasure and restriction

12.1. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

12.2. Under certain circumstances, by law you have the:

  • Right of access to your personal data (commonly known as a "data subject access request"). This entitles you to ask what data we hold about you and why.
  • Right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes or if data were being processed on grounds of public interest or for historical or scientific purposes.
  • Right to rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Right to erasure of your personal data, enabling you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing.
  • Right to the restriction of processing of your personal data enabling you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Right to be notified of rectification, erasure and restrictions.
  • Right not to be subject to decisions based on automated processing.
  • Right to data portability: right to request the transfer of your personal data to another party.

12.3. If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact our Data Protection Officer in writing.

12.4. You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if a repeated request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

12.5. We may need to request specific information from you to help us confirm your identity and ensure your right to access the data you have requested (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

12.6. In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Protection Officer.

12.7. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

13. Enquiries and complaints

13.1. Any questions relating to this Privacy Statement or the personal data which we hold on you should be referred to our Data Protection Officer.

13.2. Should you wish to exercise any of your rights under the data protection law or wish to submit a complaint regarding our compliance with the exercise of such rights, please contact our Data Protection Officer.

13.3. If you are dissatisfied with the way in which we have dealt with or handled your complaint, you have the right to refer your complaint to your local data protection authority, and to appeal the outcome of your complaint.

14. Data protection officer

14.1. Jonathan Richards

14.2. Address: Helvetia Court, Block B, 3rd Floor, Les Echelons, St Peter Port, Guernsey GY1 1AR.

14.3. E-mail: data.protection@tisegroup.com

14.4. Telephone: +44 (0) 1481 753000

15. Data protection registrations

15.1. Guernsey Office of the Data Protection Commissioner - The TISE Entities are registered as data controllers and processors:

  • TISEG – Registration ID DPA1564; and
  • TISEA – Registration ID DPA1562.

15.2. Jersey Office of the Information Commissioner:

  • TISEG – Registration ID 22077 – is registered as a data controller and processor; and
  • TISEA – Registration ID 22078 – is registered as a data controller.

16. Changes to our privacy statement

16.1. Please read this Privacy Statement carefully and re-visit the relevant sections of it each time you visit our Website or provide us with any personal data. Changes may be made to this Privacy Statement at any time and without notice.

16.2. This Statement was last updated on 30 August 2023.