Information Privacy Policy

INFORMATION PRIVACY POLICIES AND PROCEDURES OF
THE DEPOSITORY TRUST & CLEARING CORPORATION (DTCC) AND SUBSIDIARIES

As of August 2013

I. Scope and Applicability of Privacy Policies and Procedures

This statement of policies and procedures (collectively, the "Privacy Policy") applies to DTCC and the subsidiaries of DTCC listed below (each a "Subsidiary" and collectively, the "Subsidiaries"):

  • DTCC Data Repository KK (Japan)
  • DTCC Data Repository (U.S.) LLC
  • DTCC Deriv/SERV LLC
  • DTCC Derivatives Repository Ltd.
  • DTCC Loan/SERV LLC
  • DTCC Solutions LLC
  • DTCC Solutions Worldwide Ltd.
  • European Central Counterparty Limited
  • Fixed Income Clearing Corporation
  • Global Trade Repository for Commodities B.V.
  • National Securities Clearing Corporation
  • The Depository Trust Company
  • The Warehouse Trust Company LLC

The Privacy Policy sets forth the general policies and procedures of DTCC and the Subsidiaries with respect to the use and disclosure of certain confidential information received by DTCC and/or the Subsidiaries in connection with the provision of certain services, including, without limitation, trade repository, clearance, settlement, custody and asset servicing and transaction processing services (collectively, the "DTCC Services") to customers, participants and members, as applicable, of the Subsidiaries (collectively, "Customers").

This Privacy Policy applies to "non-public personal information" that DTCC and/or its Subsidiaries may receive from Customers in the course of providing DTCC Services. For purposes of this Privacy Policy, the term "non-public personal information" under applicable United States law means any information (i) a consumer provides to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service; or (iii) that is otherwise obtained about a consumer in connection with providing a financial product or service to that consumer (collectively, "Personal Information"). "Non-public personal information" also includes any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any Personal Information that is not publicly available. "Non-public personal information" is referred to herein for convenience as "NPI". The Subsidiaries may receive NPI from Customers; such NPI is the NPI of individuals with whom DTCC’s Customers have the consumer/customer relationship.

This Privacy Policy also applies to confidential Customer information (“Customer Information”) (this is confidential information that is not personal in nature and does not pertain to individuals) that DTCC and/or its Subsidiaries may receive from Customers in the course of providing DTCC Services (for example, confidential transaction information that a participant submits to one of the Subsidiaries for clearance and settlement).

For purposes of the UK Data Protection Act 1998 (“DPA”), which applies when processing takes place in the United Kingdom, DTCC and/or its Subsidiaries may also receive from Customers “Personal Data” of Customers’ contact persons/representatives. For the purposes of this Policy, Personal Data (as defined under the DPA) that DTCC and/or its Subsidiaries collect shall include names, work email addresses, telephone numbers, business addresses, areas of business coverage, job titles and related “know your customer” information of the representatives of Customers who deal with DTCC.

For purposes of the (Indian) Information Technology Act, 2000 (21 of 2000) and Rules framed under it (collectively the “ITA”), which apply when “Personal Information” or “Sensitive Personal Data or Information” (as defined in the ITA) is being collected from a Customer with respect to the Customer’s representative who is located in India at the time of the collection of such information, DTCC and/or its Subsidiaries may also collect and process such information (such as financial information).

For purposes of the Act for the Protection of Personal Information (the “APPI”) in Japan, which will apply to organizations that are engaged in data collection, processing or disclosure within Japan, DTCC and/or its Subsidiaries may all collect, process or disclose “Personal Data” (as defined in the APPI). For purposes of this Policy, APPI Personal Data (as defined by the APPI) that DTCC and/or its Subsidiaries collect shall include names, work email addresses, telephone numbers, business addresses, areas of business coverage and job titles of the representatives of Customers who deal with DTCC as well as any related “know your customer” information when applicable.

For purposes of the Dutch Personal Data Protection Act (the “DPDPA”), which applies to the processing of personal data carried out in the context of the activities of an establishment of a data controller in the Netherlands and to the processing of personal data by or for a data controller which is not established in the EU, whereby use is made of means situated in the Netherlands (unless such means are only used for forwarding personal data), DTCC and/or its Subsidiaries may also receive “Personal Data” of contact persons/representatives of Customers from Customers. For the purposes of this Policy, DPDPA Personal Data (as defined under the DPDPA) that DTCC and/or its Subsidiaries collect shall include names, work email addresses, telephone numbers, business addresses, areas of business coverage and job titles of the representatives of Customers who deal with DTCC as well as any related “know your customer” information when applicable.

For ease of reference, hereinafter NPI, Personal Data, Personal Information and Sensitive Personal Data or Information, APPI Personal Data and DPDPA Personal Data, shall be referred to as “Protected Personal Information.” Protected Personal Information and Customer Information shall hereinafter be referred to as “Confidential Information.”

As described herein, it is the policy of DTCC and the Subsidiaries not to use Confidential Information they receive from Customers except in connection with the provision of the DTCC Services (or otherwise in accordance with law) and to safeguard such Confidential Information. DTCC may change this Privacy Policy from time to time, including as necessary or appropriate based on (i) results of testing and monitoring; (ii) changes to the business and operation of DTCC or the Subsidiaries or to the DTCC Services; and (iii) changes to regulations/laws.

II. Non-Disclosure of Confidential Information

It is the policy of DTCC and the Subsidiaries not to use or disclose Confidential Information received from Customers except in connection with the DTCC Services. Such uses or disclosures may include, for example, those that are usual, appropriate, or acceptable to carry out the DTCC Service for which the information was given or a transaction related thereto, to maintain accounts, to provide confirmations and statements, to provide access to data services and for record keeping purposes. DTCC and the Subsidiaries may also disclose Confidential Information as permitted or required by law or as required by or to assist duly authorized regulators (including DTCC's U.S. regulators). It is the policy of DTCC and the Subsidiaries not to disclose Confidential Information to third parties for marketing purposes.

III. Contact Information

DTCC has designated its Chief Privacy Officer (the “CPO”) responsible for privacy practices of DTCC and the Subsidiaries, including periodic review of this Privacy Policy. The CPO should be contacted for further information regarding this Privacy Policy at privacyoffice@dtcc.com.

IV. Marketing

DTCC and its Subsidiaries may from time to time, in accordance with this Privacy Policy, inform (either by post or email) a Customer about products and services that DTCC expects may be of interest to a Customer. Individuals may object to their information being used for marketing purposes by sending an email to privacyoffice@dtcc.com.

V. Information Safeguarding

DTCC has established an information security program setting forth standards for maintaining administrative, technical and physical safeguards to (i) ensure the security and confidentiality of Confidential Information; (ii) protect against anticipated threats or hazards to the security of Confidential Information; and (iii) protect against unauthorized access to or use of Confidential Information. These standards are applied across the Subsidiaries. Security protections use technology consistent with current industry standards as existing from time to time. DTCC periodically tests the security protections of its information systems and monitors the effectiveness of its information security controls, systems and procedures. DTCC also periodically reviews foreseeable internal and external risks to information security with key operations, management and risk control personnel in all areas of operation of DTCC and the Subsidiaries.

It is the policy of DTCC to restrict access to Confidential Information to those staff members who need to know such information in order to provide DTCC Services or as otherwise appropriate and consistent with this Privacy Policy. Any staff member who is authorized to have access to such information in connection with the performance of such staff member's duties and responsibilities is required to keep such information secure and confidential. Staff members are instructed to review materials setting forth policies and procedures of DTCC and Subsidiaries and to comply with procedures that are designed to address administrative, technical and physical safeguards for the protection of such information. DTCC will use commercially reasonable best efforts to advise Customers of breaches involving NPI, if any.

VI. Additional Considerations where Personal Data is Processed in the UK

This Section V applies where Personal Data is being processed either by (i) a UK subsidiary of DTCC; or (ii) by DTCC or a non UK subsidiary where such information is processed on equipment situated in the UK.

As stated above, DTCC and its Subsidiaries may from time to time, in accordance with this Privacy Policy, use Personal Data to inform (either by post or email) a Customer about products and services that DTCC expects may be of interest to a Customer. Individuals may object to their Personal Data being used for marketing purposes by sending an email to privacyoffice@dtcc.com.

DTCC and/or its Subsidiaries will only use and disclose the Personal Data of a representative of a Customer to selected third parties (i.e., service providers who provide services in connection with DTCC and the Subsidiaries’ products and services) for the purpose for which it was disclosed to DTCC and/or its Subsidiaries or a compatible purpose, or as required by duly authorized regulators or as required or permitted by law.

DTCC and its Subsidiaries may, for the purposes set out in this Privacy Policy, transfer Personal Data overseas to any office of DTCC, any of its Subsidiaries or any of the third parties referred to above. Some of DTCC's offices and those of its Subsidiaries or third party service providers are located in countries outside the European Economic Area that do not have such protective data protection legislation when compared to European law. By submitting Personal Data as set forth on the applicable membership/contact forms related to the application/membership processes of the Subsidiaries, the Customer agrees to the transfer, storing or processing of Personal Data outside of the European Economic Area and will obtain its representatives’ consent when necessary.

DTCC has a legal obligation to ensure that Personal Data is kept accurate and up to date. DTCC kindly requests its Customers to assist DTCC to comply with this obligation by informing DTCC of any changes to Personal Data. Customers’ representatives have the right to request details of the Personal Data that DTCC holds about the Customer’s representatives and to delete or rectify any inaccurate Personal Data about the Customer’s representatives by sending a written request to privacyoffice@dtcc.com.

Each of European Central Counterparty Limited, DTCC Data Repository Ltd., and Global Trade Repository for Commodities B.V. is the data controller with respect to personal data that is provided to each of them. DTCC is the data controller with respect to personal data that is provided to DTCC. Therefore, DTCC, on the one hand, and EuroCCP, DTCC Data Repository Ltd., and Global Trade Repository for Commodities B.V., on the other hand, are the data controllers with respect to personal data that the latter may send to DTCC. DTCC and its Subsidiaries will share data within the DTCC group of companies.

VII. Privacy Statement as it relates to DTCC’s public websites

This website (the “Website”) is provided for information purposes only. DTCC does not collect personal information (that is, information from which an individual may be identified) from visitors to the Website, other than information sent by visitors who:

  • (i) Elect to register or subscribe to receive information;
  • (ii) Submit change requests to the DTCC Customer Service Center for processing;
  • (iii) Submit information for the purpose of qualifying for membership in DTCC services.

This information is sent only when completing and submitting forms on the Website. This information will be used by DTCC solely for the purpose of fulfilling and administering the subscriptions and/or processing business-related requests.

This Website uses cookies and local shared objects (e.g., “Flash cookies”) to collect and share information from Website visitors in non-personally identifiable form. Cookies are files stored in your Web browser and are used by most websites to help personalize a web experience. Local shared objects (“LSOs”) are stored on your computer or device using a media player (e.g., Flash) or other software installed on your computer or device. Cookies and LSOs assign a unique numerical identifier to your machine so that we can tell if you are the same user who visited our Website previously, and relate your use of our Website to other information about you, such as your site usage. We may also use a service that collects data remotely by using tags embedded in our site's content (e.g., “pixel tags”). The aggregate data we collect includes which hardware, operating system and browser you use and their settings, IP addresses, how you navigate to and through our site, and how long you stay on our web pages, among other information. This information is anonymous and does not include your name, e-mail address, or any other contact information, unless you have provided it to us. We deploy these technologies on our own and using our third party vendors who do so on our behalf, such as Omniture and YUDU, who give us reports of aggregated, anonymous data on the usage of our Website. We share this information within DTCC and with DTCC’s subsidiaries, DTCC’s joint ventures and our third party vendors. We use this data to remember and honor your site viewing preferences, to allow you to not have to re-enter your username to login, and to improve our site by responding to our users' interests and providing more relevant and useful information. To learn more about Omniture's and YUDU’s privacy standards and to opt out of receiving their cookies, please visit: http://www.omniture.com/en/company/visualsciences/privacy.

You can choose to accept or decline cookies and LSOs. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. For more information about cookies and how you can modify your browser settings please visit: http://www.allaboutcookies.org/manage-cookies. Depending on how LSOs are enabled on your computer or device, you may be able to manage them using software settings. For information on managing Flash cookies please visit: http://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html. Disabling cookies and LSOs may prevent you from taking full advantage of our Website.

Individuals outside the United States who submit personally identifiable information via this Website acknowledge and agree that the information submitted will be forwarded to the United States or another jurisdiction for processing in connection with the purposes for which it has been supplied. These jurisdictions do not have such protective data protection legislation when compared to European law.

Please note that when you link to any other website from this Website, the operator of such other website (whether DTCC, a DTCC subsidiary, a DTCC joint venture or a third party) may collect information about you, including through cookies or other technologies. In addition, your Internet or other service provider(s) may collect information about or submitted by you while you use the Website, or any other website. You acknowledge that information collection or privacy practices of any other party are not monitored or controlled by DTCC and DTCC is not responsible for such websites. Links on the Website to other websites are provided only as a convenience, and the inclusion of such links does not imply endorsement of the linked site. You should review the privacy policies of any other website that you visit to understand how your information is collected and used.

Notwithstanding the information policies stated above, the right to store and disclose to third parties any information under the following circumstances is reserved: when the law permits it; to legal advisors; and to protect the rights, property, safety or security of DTCC, DTCC’s subsidiaries, DTCC’s joint ventures, Website visitors or the public.

Section VII of this Policy applies solely to online information collection and use practices in connection with this Website. DTCC reserves the right to make changes to this section from time to time, which will be provided to you by posting the revised draft of this document on this Website.

VIII. Additional Considerations where Personal Data is collected from India

This Section VIII applies where Personal Information and Sensitive Personal Data or Information (as defined in the ITA) (referred to collectively for purposes of this section as “Protected Personal Information”) is being collected from a Customer who is located in India at the time of the collection of such information. Sections I, II, III, IV, V and VII will also be applicable to Protected Personal Information collected from a Customer who is located in India at the time of the collection of the information.

By submitting Protected Personal Information as set forth on the applicable membership/contact forms related to the application/membership process or through other means, the Customer agrees to disclose Protected Personal Information to DTCC and its Subsidiaries. DTCC and/or its Subsidiaries shall not use Protected Personal Information they receive from Customers except in connection with the provision of the DTCC Services and otherwise permitted by law.

DTCC and/or its Subsidiaries will only use and disclose Protected Personal Information to selected third parties (i.e., service providers who provide services in connection with DTCC and the Subsidiaries’ products and services) for the provision of the DTCC Services. By submitting Protected Personal Information as set forth on the applicable membership/contact forms related to the application/membership or through other means the Customer agrees to disclose Protected Personal Information to such third parties selected by DTCC. Further the Customer agrees and acknowledges that DTCC and its Subsidiaries may share Protected Personal Information within the DTCC group of companies.

DTCC has a legal obligation to ensure that Protected Personal Information is kept accurate and up to date. DTCC requests the Customer to assist DTCC to comply with this obligation by informing DTCC of any changes to Protected Personal Information. Customers have the right to request details of the information that DTCC holds about the Customer and to delete or rectify any inaccurate information about the Customer by sending a written request to privacyoffice@dtcc.com.

The Customer acknowledges that the DTCC might be legally obliged to disclose information to Indian government agencies to comply with applicable laws. The Customer also acknowledges the DTCC may not inform the Customer prior to or after such disclosure to Indian government agencies.

IX. Additional Considerations Where Personal Data is Collected from Japan

This Section IX applies where APPI Personal Data is being collected from a Customer who is located in Japan at the time of the collection of such information. Sections I, II, III, IV, V and VII will also be applicable to APPI Personal Data collected from a Customer who is located in Japan at the time of the collection of the information.

Purpose of Utilization

APPI Personal Data we collect may be used for the following purposes:

  • to carry out the DTCC service or transaction;
  • to maintain accounts;
  • to provide confirmations;
  • to provide access to data services for record keeping purposes.

Providing Information to Third Parties

With the exception of the joint use set forth below, we will not provide your APPI Personal Data to any third party without your advance consent, except where such disclosure:

  • is in accordance with or required by applicable law;
  • is necessary for the protection of the safety or property of our users or the public, and it is difficult or impractical to obtain your consent;
  • is necessary for public health or education and it is difficult or impractical to obtain your consent;
  • is made in cooperation with national or local authorities (or an individual or entity appointed by such authorities to enforce the law or carry out legal process) and in which seeking your consent could affect such enforcement or legal process;
  • is to data processors or service providers who collect, process or store data on our behalf.

Joint Use

We jointly use your APPI Personal Data according to the following:

  • the personal data to be jointly used:
    • names and titles;
    • work email addresses;
    • telephone numbers;
    • business addresses;
    • know your customer information where applicable.
  • the scope of the joint users: The Subsidiaries listed on the first page of this Privacy Policy.
  • the purpose of the joint use:
    • to carry out the DTCC service or transaction;
    • to maintain accounts;
    • to provide confirmations;
    • to provide access to data services for record keeping purposes;
    • to obtain know your customer information where applicable.
  • the name of the individual or entity responsible for the management of the personal data concerned: DTCC

X. Additional Considerations under Dutch law

This Section X applies to the processing of personal data carried out in the context of the activities of an establishment of a data controller in the Netherlands and to the processing of personal data by or for a data controller which is not established in the EU, whereby use is made of means situated in the Netherlands (unless such means are only used for forwarding personal data). DTCC and/or its Subsidiaries may also receive “DPDPA Personal Data” of contact persons/representatives of Customers from Customers (as defined in the DPDPA).

As stated above, DTCC and its Subsidiaries may from time to time, in accordance with this Privacy Policy, use DPDPA Personal Data (either by post or email) to send information to a Customer about products and services that DTCC expects may be of interest to a Customer. Individuals may object to their DPDPA Personal Data being used for marketing purposes by sending an email to privacyoffice@dtcc.com.

DTCC and/or its Subsidiaries will only use and disclose DPDPA Personal Data of the contact persons/representatives of Customers to selected third parties (i.e., service providers who provide services in connection with DTCC and the Subsidiaries’ products and services) for the purpose for which it was disclosed to DTCC and/or its Subsidiaries or a compatible purpose, or as required by duly authorized regulators or as required or permitted by law.

DPDPA Personal Data we collect may be used for the following purposes:

  • to carry out the DTCC service or transaction;
  • to maintain accounts;
  • to provide confirmations;
  • to provide access to data services for record keeping purposes;
  • to conduct “know your customer” requirements.

DTCC and its Subsidiaries may, for the purposes set out in this Privacy Policy, transfer DPDPA Personal Data overseas to any office of DTCC, any of its Subsidiaries or any of the third parties referred to above. Some of DTCC's offices and those of its Subsidiaries or third party service providers are located in countries outside the European Economic Area that do not have such protective data protection legislation when compared to European law. By submitting DPDPA Personal Data as set forth on the applicable membership/contact forms related to the application/membership processes of the Subsidiaries, the Customer agrees to the transfer, storing or processing of DPDPA Personal Data outside of the European Economic Area and will obtain its representatives’ consent where necessary.

DTCC has a legal obligation to ensure that DPDPA Personal Data is kept accurate and up to date. DTCC kindly requests its Customers to assist DTCC to comply with this obligation by informing DTCC of any changes to DPDPA Personal Data. Customers have the right to request details of the DPDPA Personal Data that DTCC holds about the Customer’s representatives and to delete or rectify any inaccurate DPDPA Personal Data about the Customer by sending a written request to privacyoffice@dtcc.com.