EMEA Privacy Notice

WHO WE ARE HOW WE OBTAIN YOUR PERSONAL DATA TYPES OF PERSONAL DATA WE COLLECT WHY WE PROCESS YOUR PERSONAL DATA AND LEGAL BASIS WHEN WE ACT AS PROCESSOR WHEN WE SHARE YOUR DATA WITH OTHERS WHEN WE TRANSFER YOUR DATA INTERNATIONALLY HOW LONG WE KEEP YOUR DATA KEEPING YOUR PERSONAL DATA UP TO DATE YOUR DATA SUBJECT RIGHTS HOW TO CONTACT THE SUPERVISORY AUTHORITIES HOW TO CONTACT US NORTHERN TRUST ENTITIES Download the EMEA Data Privacy Notice PDF

Hide

Unsubscribe

Stop receiving marketing materials.

We take your privacy seriously and value transparency at the highest possible standard. For more than half a century, we have continued to operate inside of the Europe, Middle East and Africa region and to meet the privacy needs of our clients.

Who We Are

Expand to view how we will process personal information

This notice sets out how members of the Northern Trust group (collectively and individually, "Northern Trust", "we" or "us") will process personal information as a controller or joint controller in connection with the:

• provision of its products and services from within EMEA;

• provision or offering products or services to you if you are an individual located in EMEA;

• provision of the Northern Trust global investor solution (the "Northern Trust Matrix");

• marketing of Northern Trust products or services conducted by Northern Trust;

• regulatory obligations of Northern Trust, including know-your-customer and anti-money laundering;

• management and operation of our businesses and websites; or

• management and operation of our properties and premises.

The entity which shall be deemed controller or joint controller of your personal data is as per the applicable entity in the final section of this notice “Northern Trust Entities”.

And in this notice, "you" means:

(i) any individual client of Northern Trust or individual investor in an investment fund in respect of which Northern Trust acts as a service provider (each a "Fund");

(ii) any individual who represents or is employed by any institutional client of Northern Trust or any institutional investor in a Fund, or who is a shareholder, settlor, beneficiary, director, officer or ultimate beneficial owner of such institutional client or institutional investor;

(iii) any individual who represents or is employed by any promoter, investment manager, fund manager or alternative investment fund manager of a Fund (each a "Manager");

(iv) any individual employed by our service providers and business partners.

If you have any questions about our use of your personal information, please contact our Data Protection Officer at Privacy_Compliance@ntrs.com.

We may amend this notice from time to time to keep it up to date with applicable legal requirements and our global operating model. If we make material changes to this notice, we will aim to notify you by way of including notice of change in this notice or as part of our established correspondence with you. We encourage you to check this page from time to time to review the latest version of this notice.

How We Obtain Your Personal Data

Expand to view how and why we obtain your personal data

How and why we obtain your personal data may depend on the capacity in which you interact with us.

We will obtain some of your personal information directly from you, such as when you are a customer for our products and services or you complete a form, sign up for marketing or choose to give us personal information as part of the Northern Trust Matrix, including in connection with the security features of the Northern Trust investor portal forming part of the Northern Trust Matrix ("Matrix Portal").

We will also obtain some of your information indirectly from Northern Trust clients, from Funds, from an investor in the Fund(s) (each an "Investor"), or from a Manager, where you have been appointed by that client, Investor or Manager to access and use Northern Trust products and services, including the Northern Trust Matrix, on its behalf. Where you are an investor in a Fund, references to Investor in this notice should be read as references to you.

We will also obtain some of your information indirectly when we provide the following services to our institutional clients:

Privacy Chart

We will receive information about you when Northern Trust acts as a service provider to its institutional clients and where you represent or are employed by such an institutional client or where you are an underlying investor, shareholder, settlor, beneficiary, director, officer or beneficial owner of such institutional client. We also obtain information about you from our service providers and business partners where you work with us in the course of their business.

We will also collect some information from you when you interact with our websites or visit our premises.

Types of Personal Data We Collect

Expand to view the types of personal information we collect

The types of personal information collected by Northern Trust.

Northern Trust Matrix and Other Services
The types of personal information collected by Northern Trust include, without limitation:

•in respect of individual clients and Investors, the name, address (including postal and/or e-mail address), telephone number, bank account details including account holdings, date of birth, place of birth, nationality, proof of identity details (passport, driving licence or nationality identity), occupation, country of residence/tax residence, invested amount and holdings of that Investor;

•in respect of institutional clients and institutional Investors, and their underlying investors, shareholders, settlors, beneficiaries, directors, officers or beneficial owners, the name and address (including postal and/or e-mail address), date of birth, nationality, country of residence/tax residence and percentage ownership of underlying investors, shareholders, settlors, beneficiaries, directors, officers or beneficial owners;

•in the case of all clients and Investors, any personal data which is required in order to comply with regulatory requirements, including information which is necessary for tax reporting requirements (including tax number and documentation) and for compliance with local or foreign laws;

•in respect of users of Northern Trust websites and systems, including the Matrix Portal, name, address (including postal and /or email address) and security details, and special categories of personal data, such as biometric data.

Operation of the Business
Northern Trust will also collect and use information in the day-to-day operation of our business, including:

• name, address (including postal and /or email address), title and role of employees and representatives of our institutional clients, service providers and business partners;

• name and contact details for direct marketing;

• content and metadata of call recordings;

• CCTV images;

• name, date, time and purpose of visit for visitors of our premises.

Operating our Electronic Infrastructure
Northern Trust will collect information through your use of our website or other online services such as applications, including:

• device information such as operating system, unique device identifiers, the mobile network system;

• hardware and browser settings;

• IP address;

• pages you visit on our site and search engine terms used.

Why We Process Your Personal Data and Legal Basis

Expand to view how we may process your personal information

Northern Trust may process your personal information for the following purposes:

Relationship Management and Administration

• Managing and administering your holdings in any relevant Fund and/or managing any account you hold with Northern Trust on an on-going basis;

• Managing our relationship with you or the institution you represent, including establishing and managing service delivery, contractual arrangements, reporting and issue resolution;

• Updating and maintaining client records and records for fee billing.

The legal bases for this processing are:

• Northern Trust's legitimate interests in understanding and developing our relationship with you or the institution you represent;

• Contractual obligations;

• Consent (where required by applicable law).

Development and Management of our Services
Northern Trust may process your personal information for the following purposes:

• Day to day administration and management of our businesses;

• Carrying out statistical analysis and market research;

• Monitoring and recording calls and electronic communication for (i) processing and verification of instructions, (ii) enforcing and defending Northern Trust's rights itself or through third parties to whom it delegates such responsibility, (iii) quality, business analysis, training and related purposes;

• Providing you with information about products and services which may be of interest to you or to the institution you represent;

• Disclosing information to third parties, such as service providers of Northern Trust, auditors, regulatory authorities and technology providers;

• Processing in the event of a merger, reorganisation or disposal of, or a proposed merger, reorganisation or disposal of any member (or the assets of any member) of the Northern Trust group;

• Procurement and supply-chain management.

The legal bases for this processing are:

• Northern Trust's legitimate interests in understanding, improving and developing our services and products, identifying relevant clients or opportunities for our services and products, making and defending against legal claims, legitimate interests in connection with mergers, reorganisations or disposals;

• Contractual obligations;

• Legal obligations;

• Consent (where required by applicable law).

Crime Prevention and Detection
Northern Trust may process your personal information for the following purposes:

• Northern Trust will itself (or through a third party e.g. credit reference agency) process certain information about you or your directors, officers and employees and your beneficial owners (if applicable) in order to carry out anti-money laundering (AML) checks and related actions which Northern Trust considers appropriate in accordance with Northern Trust's AML procedures;

• Monitoring and recording calls and electronic communications for investigation and fraud prevention purposes, for crime detection, prevention, investigation and prosecution, and to enforce or defend Northern Trust and its affiliates' rights, itself or through third parties to whom it delegates such responsibilities or rights in order to comply with a legal obligation;

• Retaining AML and other records of individuals to assist with subsequent screening and ongoing AML customer due diligence and monitoring of them including in relation to investment or other funds or the provision of other services by Northern Trust.

The legal bases for this processing are:

• Northern Trust's legitimate interests relating to the prevention of fraud, money laundering, terrorist financing, bribery, corruption, tax evasion and to prevent the provision of financial services to persons who may be subject to economic or trade sanctions, on an on-going basis, relating to making or defending against legal claims, or relating to Northern Trust's ability to support its clients' legitimate interests;

• Public interest;

• Contractual obligations;

• Legal obligations.

Exemptions under A9/10 GDPR;

• Consent (including explicit consent where required by applicable law) / Substantial Public Interest.

Other Legal and Regulatory Obligations
Northern Trust may process your personal information for the following purposes:

• Reporting tax related information to tax authorities in order to comply with a legal obligation applicable to Northern Trust.

• Reporting IBAN and related bank account information to regulatory authorities in order to comply with a legal obligation applicable to Northern Trust.

• Where required in connection with Northern Trust's compliance with applicable law and / or in connection with lawful requests from a court, government or regulatory body.

The legal bases for this processing are:

• Northern Trust's legitimate interests in supporting compliance with its legal and regulatory obligations in the markets in which it operates;

• Public interest;

• Contractual obligations;

• Legal obligations.

Protection and Administration of our Physical and Electronic Infrastructure
Northern Trust may process your personal information for the following purposes:

• Site management including the use of:

•CCTV;

•Sign-in procedures; and

•Access control measures.

• Monitoring use of website and online infrastructure for technical improvement and cybersecurity.

• Site security purposes, to ensure that all relevant locations are being monitored throughout the day;.

• Disaster recovery, business continuity and information security purposes.

The legal bases for this processing are:

• Northern Trust's legitimate interests (and the legitimate interests of our clients) in administering and securing our infrastructure;

• Contractual obligations;

• Legal obligations.

Northern Trust Matrix

We may use personal information which you provided in connection with an investment in a Fund, or which we have received from a Fund or Manager as a result of services which we provide to that Fund or Manager, for the purposes of the services provided via the Matrix Portal. We may also use this information for the purposes of providing services to other Funds (or their Managers) in which you have invested or in respect of which an Investor has appointed you to access the Matrix Portal.

Northern Trust may process your personal information in connection with the Northern Trust Matrix:

• Holding, maintaining and using the single source record, relating to each Investor;

• Carrying out AML checks and related actions which Northern Trust considers appropriate to meet any legal obligations imposed on the Fund(s) or Northern Trust;

• Updating and maintaining records in connection with our use of the Northern Trust Matrix.

Where an Investor has agreed to Northern Trust’s centralised AML procedures, and your personal data is required in connection with that Investor’s AML due diligence checks, Northern Trust, may process your personal data as a controller by:

• Retaining AML and other records of individuals to assist with the subsequent screening and ongoing AML customer due diligence and monitoring of Investors by Northern Trust and its affiliates, including in relation to other funds or clients of Northern Trust or any of its affiliates.

Where you have subscribed to use Matrix Portal Northern Trust, as a controller, will additionally use your personal data for:

• Security purposes in connection with Matrix Portal, which are necessary in Northern Trust’s and your legitimate interests, or where you have provided your explicit consent in advance to Northern Trust’s use of biometric data relating to you;

• Facilitation of electronic dealings and access to information in connection with investments in the Fund(s), including without limitation the processing of subscription, redemption, conversion, transfer and additional subscription requests, where the relevant Fund permits electronic dealings;

• Disclosing information to third party service and application providers in order to facilitate payment and other services accessed in connection with and to facilitate the functioning of Matrix Portal.

The legal bases for this processing are:

• Northern Trust's legitimate interests and the legitimate interests of our clients in providing and using the Northern Trust Matrix;

• Contractual obligations;

• Legal obligations;

Exemptions under A9/10 GDPR;

• Consent (including explicit consent where required by applicable law).

When We Act As Processor

Expand to view how we will not act as a joint controller

Northern Trust will not at any time be acting as a joint controller with its institutional clients or a Fund.

While this notice sets out how Northern Trust will use your personal data as controller (and as joint controller with other members of the Northern Trust group), you should also note that where Northern Trust provides services to a Fund or other institutional client, Northern Trust will continue to act as a processor for that institutional client, Fund and / or its Manager, which will act as controller(s). You should refer to the relevant controller's data protection notice to understand how your personal information will be used in connection with that institutional client or investment in that Fund by you or the Investor that has appointed you to act on its behalf. Northern Trust will not at any time be acting as a joint controller with its institutional clients or a Fund.

When We Share Your Data with Others

Expand to view how we may disclose your personal information

Northern Trust may disclose your personal information as follows:

•to its service providers, including its affiliates, and other third party service providers engaged by Northern Trust in order to process the data for the above mentioned purposes, examples of services procured from third parties can include: AML processes including screening, money laundering and identity checks and transaction monitoring, relationship management and call recording/surveillance

• to competent authorities (including tax authorities), courts and bodies as required by law or requested or to affiliates for internal investigations and reporting, as required in line with our internal policies;

• to Northern Trust’s affiliates as controllers in connection with Northern Trust’s centralised AML procedure (where applicable), in connection with investment funds to which those affiliates act as a service provider;

• to credit reference agencies (e.g. Experian) in order to carry out money laundering and identity checks and comply with legal obligations;

• to Northern Trust’s affiliates as controllers in connection with the operation and provision of information via Northern Trust’s website, systems and / or the Matrix Portal, where you have subscribed to use these; and

• in the event of a merger or proposed merger, any (or any proposed) transferee of, or successor in title to, the whole or any part of the Northern Trust group’s business, and their respective officers, employees, agents and advisers, to the extent necessary to give effect to such transaction.

When We Transfer Your Data Internationally

Expand to view our global operating model to provide services and products

We maintain a global operating model to provide services and products to clients globally.

Northern Trust maintains a global operating model which enables delivery of our services and products to our international client base. The disclosure of personal data to third parties, including Northern Trust affiliates, set out above may therefore involve the transfer of your personal data to the USA, India, the Philippines and other countries or territories outside the European Economic Area (“EEA”), the U.K. or your country of residence. Such transfers are made in accordance with locally applicable data protection laws.

Some of the countries to which Northern Trust transfers personal data to are deemed by the European Commission, or under locally applicable data protection law, to provide an adequate level of data protection. However, you should be aware that data protection laws in other countries to which Northern Trust transfers personal data may be considered less protective than those in your country of residence.

Where we are required to do so under applicable data protection laws, we take appropriate steps to implement appropriate technical and organisational safeguards, such as the European Commission’s Standard Contractual Clauses, or their equivalent applicable in the U.K. to ensure your data continues to be adequately protected and your privacy rights respected.

We also assess the overall level of protection offered in the context of specific transfers and, where necessary, our use of appropriate safeguards is supplemented by additional measures that support an adequate level of data protection. We apply these safeguards to transfers of personal data to third parties as well as to the Northern Trust affiliates.

In limited circumstances, Northern Trust may rely on a derogation from the obligation to ensure an adequate level of protection, meaning that we transfer personal data without the use of appropriate safeguards. This may be the case where, for example, a transfer of your personal data is necessary for important reasons of public interest, or to establish, exercise or defend legal claims.

Please contact Privacy_Compliance@ntrs.com for copies of appropriate safeguards, including Standard Contractual Clauses, that have been entered into by Northern Trust. Please be aware that appropriate safeguards may be redacted for reasons of commercial confidentiality.

How Long We Keep Your Data

Expand to view how long we will retain your personal information

Northern Trust will retain your personal information for as long as required for Northern to perform the services.

In general terms, we will retain your personal information for the length of time we perform the services (including the Northern Trust Matrix) or the service to the institution you represent. We may maintain different retention periods for different products and services.

We will also retain your personal information for the period as required by tax and company laws, or other regulations such as anti-money laundering and know-your-customer regulations, to which we or your institution are subject, and as long as necessary for you to be able to bring a claim against us and for us to defend ourselves against any legal claims. This will generally be the length of the relationship plus the length of any applicable statutory limitation period under local laws.

In certain circumstances, information may need to be retained for a longer period of time, for example where we are in ongoing correspondence or there is a continuing claim or investigation.

Keeping Your Personal Data Up To Date

Expand to view we will keep your personal information up to date

Northern Trust will retain your personal information for as long as required for us to perform the services.

Northern Trust will use reasonable efforts to keep your personal information up to date. However, you will need to notify Northern Trust without delay in the event of any change in your personal circumstances, or those of the others mentioned above, so that Northern Trust can keep the personal information up to date. You should do this through Matrix Portal or by contacting Privacy_Compliance@ntrs.com.

Your Data Subject Rights

Expand to view the rights, in relation to your personal information

You have the following rights, in certain circumstances and subject to certain exceptions, in relation to your personal information:

• Right to access your personal information – You have a right to request that we provide you with a copy of your personal information and to be informed about how we obtained and use your personal information, who it is shared with and who is the controller.

• Right to rectify your personal information – You have a right to request that we correct inaccurate personal information.

• Right to restrict the use of your personal information – In certain circumstances you have a right to ask us to restrict the use of your personal information. This applies if you contest the accuracy of the personal information (to allow us to verify its accuracy), the processing is unlawful but you do not want the information erased, it is no long needed for the purpose for which we collected the information but is required by you to establish or exercise legal claims or defences, or because you have exercised your right to object and we are considering your request. Depending on the situation we may refuse your request, in particular if using this information is necessary for legal claims.

• Right to request that your personal information is erased – In certain circumstances you have a right to ask us to erase your personal information (this is also often called the "right to be forgotten"). This applies to personal information that we no longer need for the purpose for which it was collected, if the processing is based on consent and you withdraw that consent, if you have successfully exercised your right to object, if the personal information has been processed unlawfully, or if we are legally required to erase the data. Depending on the situation we may refuse your request, in particular if we need to process this information to meet our legal obligations or if the information is necessary for legal claims.

• Right to object to processing of your personal information – In certain circumstances you have the right to object to the processing of your personal information. This applies if we process the personal information on the basis of our legitimate interests or if the information is processed for the purpose of direct marketing. We will review this request to establish if we have compelling legitimate interests which override your rights and freedoms.

• Right to data portability – In certain circumstances you have the right to ask us to provide your personal information to you or another controller in a structured, commonly used, machine-readable format. This applies when we process your information by automated means and this processing is based on your consent or performance of a contract with you.

Where you have provided your consent to processing (e.g. to receive information about products and services which may be of interest to you or the institution you represent), you may withdraw your consent at any time. You can withdraw your consent or exercise your rights by contacting Northern Trust here.

Where Northern Trust requires your personal information to comply with AML or other legal requirements, failure to provide this information means Northern Trust will not be able to provide services to you or the institution you represent, facilitate dealings in the Fund(s) (whether electronic or otherwise) or the provision of information in relation to the Funds to you via the Matrix Portal.

How To Contact Supervisory Authorities

Expand to view your rights to lodge a complaint

You have the right to lodge a complaint in relation to Northern Trust’s processing of your personal data:

• with the supervisory authority in the EU Member State of your habitual residence or place of work or in the place of the alleged infringement. A list of the supervisory authorities within the EU can be found here; or

• where your habitual residence or place of work or the alleged infringement is in Guernsey, with the Office of the Data Protection Commissioner, contactable at St Martin’s House, Le Bordage, St Peter Port, Guernsey GY1 1BR, enquiries@odpc.gg or +44 (0)1481 742074); or

• where your habitual residence or place of work or the alleged infringement is in the UK, with the UK Information Commissioner’s Office, contactable at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (or at the relevant regional office for Scotland, Wales or Northern Ireland, details of which are available at https://ico.org.uk/global/contact-us/postal-addresses/), casework@ico.org.uk or +44 (0)303 123 1113;

• where your habitual residence or place of work or the alleged infringement is in Switzerland, with the Swiss Federal Data Protection and Information Commissioner, contactable at Feldeggweg, CH-3003, Switzerland or +41 (0)58 462 43 95; or

• where your habitual residence or place of work or the alleged infringement is in Norway, with the Norwegian Data Protection Authority, contactable at P.O. Box 458 Sentrum, NO-0105 Oslo, Norway, +47 (0) 22 39 69 00.

How To Contact Us

Expand to view questions about our use of your personal information

If you have any questions about our use of your personal information, please contact our Data Protection Officer at Privacy_Compliance@ntrs.com, and/or:

• in Luxembourg, 10 rue du Château d’Eau, L-3364 Leudelange, Grand-Duché de Luxembourg ;

• in the United Kingdom, 50 Bank Street, London, E14 5NT, United Kingdom;

• in Ireland, Georges Court, 54-62 Townsend Street, Dublin 2, Ireland;

• in Guernsey, PO Box 71, Trafalgar Court, Les Banques, St Peter Port, Guernsey, GY1 3DA, GBR;

• in the Netherlands, Vinoly 7th floor, Claude Debussylaan 18A, 1082 MD Amsterdam, The Netherlands;

• in Sweden, Ingmar Bergmans gata 4, 1st Floor, 11434 Stockholm, Sweden;

• in Switzerland, Grosspeteranlage 29, Basel, CH-4052, Switzerland;

• in Norway, Third Floor Haakon VIIs gate 6, 0161 Oslo, Norway.

Northern Trust Entities

Expand to view the chart for Appendix 1 - Entities