EMEA Privacy Notice
EMEA Privacy Notice
We take your privacy seriously and value transparency at the highest possible standard. For more than half a century, we have continued to operate inside of the Europe, Middle East and Africa region and to meet the privacy needs of our clients.
Who We Are
This notice sets out how members of the Northern Trust group (collectively and individually, "Northern Trust", "we" or "us") will process personal information as a controller or joint controller in connection with the:
- provision of its products and services from within EMEA;
- provision or offering products or services to you if you are an individual located in EMEA;
- provision of the Northern Trust global investor solution (the "Northern Trust Matrix");
- marketing of Northern Trust products or services conducted by Northern Trust;
- regulatory obligations of Northern Trust, including know-your-customer and anti-money laundering;
- management and operation of our businesses and websites; or
- management and operation of our properties and premises.
In this notice, "you" means:
- (i) any individual client of Northern Trust or individual investor in an investment fund in respect of which Northern Trust acts as a service provider (each a “Fund”);
- (ii) any individual who represents or is employed by any institutional client of Northern Trust or any institutional investor in a Fund, or who is a shareholder, settlor, beneficiary, director, officer or ultimate beneficial owner of such institutional client or institutional investor;
- (iii) any individual who represents or is employed by any promoter, investment manager, fund manager or alternative investment fund manager of a Fund (each a “Manager”);
- (iv) any individual employed by our service providers and business partners.
If you have any questions about our use of your personal information,
please contact our Data Protection Officer at Privacy_Compliance@ntrs.com.
How We Obtain Your Personal Data
How and why we obtain your personal data may depend on the capacity in which you
interact with us.
We will obtain some of your personal information directly
from you, such as when you are a customer for our products and services or you complete
a form, sign up for marketing or choose to give us personal information as part of
the Northern Trust Matrix, including in connection with the security features of the
Northern Trust investor portal forming part of the Northern Trust Matrix ("Matrix
Portal").
We will also obtain some of your information indirectly
from Northern Trust clients, from Funds, from an investor in the Fund(s) (each an
"Investor"), or from a Manager, where you have been appointed by
that client, Investor or Manager to access and use Northern Trust products and services,
including the Northern Trust Matrix, on its behalf. Where you are an investor in a
Fund, references to Investor in this notice should be read as references to you.
We will also obtain some of your information indirectly when we provide the
following services to our institutional clients:
We will receive information
about you when Northern Trust acts as a service provider to its institutional clients
and where you represent or are employed by such an institutional client or where you
are an underlying investor, shareholder, settlor, beneficiary, director, officer or
beneficial owner of such institutional client. We also obtain information about you
from our service providers and business partners where you work with us in the course
of their business.
We will also collect some information from you when
you interact with our websites or visit our premises.
When We Obtain Information About Third Parties From You
Where we obtain personal information from you in respect of third parties, you warrant that you are authorised to provide that information to us, that you will only do so in accordance with applicable data protection laws, and that you will ensure that before doing so, the individuals in question are made aware of the fact that Northern Trust will hold information relating to them and that it may use it for any of the purposes set out in this privacy notice, and where necessary that you will obtain consent to Northern Trust's use of the information.
Types of Personal Data We Collect
Northern Trust Matrix and Other Services
The types of personal
information collected by Northern Trust include, without limitation:
- in respect of individual clients and Investors, the name, address (including postal and/or e-mail address), telephone number, bank account details, date of birth, place of birth, nationality, source of wealth, proof of identity details (passport, driving licence or nationality identity), occupation, country of residence/tax residence, invested amount and holdings of that Investor;
- in respect of institutional clients and institutional Investors, and their underlying investors, shareholders, settlors, beneficiaries, directors, officers or beneficial owners, the name and address (including postal and/or e-mail address), date of birth, nationality, country of residence/tax residence and percentage ownership of underlying investors, shareholders, settlors, beneficiaries, directors, officers or beneficial owners;
- in the case of all clients and Investors, any personal data which is required in order to comply with regulatory requirements, including information which is necessary for tax requirements (including tax number and documentation) and for compliance with local or foreign laws;
- in respect of users of Northern Trust websites and systems, including the Matrix Portal, name, address (including postal and /or email address) and security details, and special categories of personal data, such as biometric data.
Operation of the Business
Northern Trust will also
collect and use information in the day-to-day operation of our business, including:
- name, address (including postal and /or email address), title and role of employees and representatives of our institutional clients, service providers and business partners;
- name and contact details for direct marketing;
- content and metadata of call recordings;
- CCTV images;
- name, date, time and purpose of visit for visitors of our premises.
Operating our Electronic Infrastructure
Northern Trust
will collect information through your use of our website or other online services
such apps, including:
- device information such as operating system, unique device identifiers, the mobile network system;
- hardware and browser settings;
- IP address;
- pages you visit on our site and search engine terms used.
Why We Process Your Personal Data and Legal Basis
Northern Trust may process your personal information for the following purposes:
Relationship Management and Administration
- Managing and administering your holdings in any relevant Fund and/or managing any account you hold with Northern Trust on an on-going basis;
- Managing our relationship with you or the institution you represent;
- Updating and maintaining client records and records for fee billing.
The legal bases for this processing are:
- Northern Trust's legitimate interests in understanding and developing our relationship with you or the institution you represent;
- Contractual obligations;
- Consent (where required by applicable law).
Development and Management of our Services
Northern
Trust may process your personal information for the following purposes:
- Day to day administration and management of our businesses;
- Carrying out statistical analysis and market research;
- Monitoring and recording calls and electronic communication for (i) processing and verification of instructions, (ii) enforcing and defending Northern Trust's rights itself or through third parties to whom it delegates such responsibility, (iii) quality, business analysis, training and related purposes;
- Providing you with information about products and services which may be of interest to you or to the institution you represent;
- Disclosing information to third parties, such as service providers of Northern Trust, auditors, regulatory authorities and technology providers;
- Processing in the event of a merger, reorganisation or disposal of, or a proposed merger, reorganisation or disposal of any member (or the assets of any member) of the Northern Trust group.
The legal bases for this processing are
- Northern Trust's legitimate interests in understanding, improving and developing our services and products, identifying relevant clients or opportunities for our services and products, making and defending against legal claims, legitimate interests in connection with mergers, reorganisations or disposals;
- Contractual obligations;
- Legal obligations;
- Consent (where required by applicable law).
Crime Prevention and Detection
Northern Trust may process your personal information for the following purposes:
- Northern Trust will itself (or through a third party e.g. credit reference agency) process certain information about you or your directors, officers and employees and your beneficial owners (if applicable) in order to carry out anti-money laundering (AML) checks and related actions which Northern Trust considers appropriate in accordance with Northern Trust's AML procedures;
- Monitoring and recording calls and electronic communications for investigation and fraud prevention purposes, for crime detection, prevention, investigation and prosecution, and to enforce or defend Northern Trust and its affiliates' rights, itself or through third parties to whom it delegates such responsibilities or rights in order to comply with a legal obligation
- Retaining AML and other records of individuals to assist with subsequent screening and ongoing AML customer due diligence and monitoring of them including in relation to investment or other funds or the provision of other services by Northern Trust.
The legal bases for this processing are:
- Northern Trust's legitimate interests relating to the prevention of fraud, money laundering, terrorist financing, bribery, corruption, tax evasion and to prevent the provision of financial services to persons who may be subject to economic or trade sanctions, on an on-going basis, relating to making or defending against legal claims, or relating to Northern Trust's ability to support its clients' legitimate interests;
- Public interest;
- Contractual obligations;
- Legal obligations.
Other Legal and Regulatory Obligations
Northern Trust may process your personal information for the following purposes:
- Reporting tax related information to tax authorities in order to comply with a legal obligation applicable to Northern Trust.
- Reporting IBAN and related bank account information to regulatory authorities in order to comply with a legal obligation applicable to Northern Trust.
The legal bases for this processing are:
- Northern Trust's legitimate interests in supporting compliance with its legal and regulatory obligations in the markets in which it operates;
- Public interest;
- Contractual obligations;
- Legal obligations.
Protection and Administration of our Physical and Electronic Infrastructure
Northern Trust may process your personal information for the following purposes:
- Site management including the use of:
- CCTV;
- Sign-in procedures; and
- Access control measures.
- Monitoring use of website and online infrastructure for technical improvement and cybersecurity
The legal bases for this processing are:
- Northern Trust's legitimate interests (and the legitimate interests of our clients) in administering and securing our infrastructure;
- Contractual obligations;
- Legal obligations.
Northern Trust Matrix
We may use personal information which you provided in connection with an investment in a Fund, or which we have received from a Fund or Manager as a result of services which we provide to that Fund or Manager, for the purposes of the services provided via the Matrix Portal. We may also use this information for the purposes of providing services to other Funds (or their Managers) in which you have invested or in respect of which an Investor has appointed you to access the Matrix Portal.
Northern Trust may process your personal information in connection with the Northern Trust Matrix:>
- Holding, maintaining and using the single source record, relating to each Investor;
- Carrying out AML checks and related actions which Northern Trust considers appropriate to meet any legal obligations imposed on the Fund(s) or Northern Trust;
- Updating and maintaining records in connection with our use of the Northern Trust Matrix.
Where an Investor has agreed to Northern Trust’s centralised AML procedures, and your personal data is required in connection with that Investor’s AML compliance Northern Trust, may process your personal data as a controller by:
- Retaining AML and other records of individuals to assist with the subsequent screening and ongoing AML customer due diligence and monitoring of Investors by Northern Trust and its affiliates, including in relation to other funds or clients of Northern Trust or any of its affiliates.
Where you have subscribed to use Matrix Portal Northern Trust, as a controller, will additionally use your personal data for:
- Security purposes in connection with Matrix Portal, which are necessary in Northern Trust’s and your legitimate interests, or where you have provided your explicit consent in advance to Northern Trust’s use of biometric data relating to you;
- Facilitation of electronic dealings and access to information in connection with investments in the Fund(s), including without limitation the processing of subscription, redemption, conversion, transfer and additional subscription requests, where the relevant Fund permits electronic dealings;
- Disclosing information to third party service and application providers in order to facilitate payment and other services accessed in connection with and to facilitate the functioning of Matrix Portal.
The legal bases for this processing are:
- Northern Trust's legitimate interests and the legitimate interests of our clients in providing and using the Northern Trust Matrix;
- Contractual obligations;
- Legal obligations;
- Consent (including explicit consent where required by applicable law).
When We Act As Processor
While this notice sets out how Northern Trust will use your personal data as controller (and as joint controller with other members of the Northern Trust group), you should also note that where Northern Trust provides services to a Fund or other institutional client, Northern Trust will continue to act as a processor for that institutional client, Fund and / or its Manager, which will act as controller(s). You should refer to the relevant controller's data protection notice to understand how your personal information will be used in connection with that institutional client or investment in that Fund by you or the Investor that has appointed you to act on its behalf. Northern Trust will not at any time be acting as a joint controller with its institutional clients or a Fund.
When We Share Your Data with Others
Northern Trust may disclose your personal information as follows:
- to its service providers, including its affiliates, and other third party service providers engaged by Northern Trust in order to process the data for the above mentioned purposes;
- to competent authorities (including tax authorities), courts and bodies as required by law or requested or to affiliates for internal investigations and reporting;
- to Northern Trust’s affiliates as controllers in connection with Northern Trust’s centralised AML procedure (where applicable), in connection with investment funds to which those affiliates act as a service provider;
- to credit reference agencies (e.g. Experian) in order to carry out money laundering and identity checks and comply with legal obligations;
- to Northern Trust’s affiliates as controllers in connection with the operation and provision of information via Northern Trust’s website, systems and / or the Matrix Portal, where you have subscribed to use these; and
- in the event of a merger or proposed merger, any (or any proposed) transferee of, or successor in title to, the whole or any part of the Northern Trust group’s business, and their respective officers, employees, agents and advisers, to the extent necessary to give effect to such transaction.
When We Transfer Your Data Internationally
Northern Trust maintains a global operating model to provide services and products
to clients globally. The disclosure of personal information to the third parties set
out above may therefore involve the transfer of data to the USA and other jurisdictions
outside the European Economic Area (“EEA”) in accordance
with applicable data protection laws in your jurisdiction.
Where such
countries may not have the same data protection laws as your jurisdiction, and are
not recognised as having an adequate level of data protection by the European Commission
or under data protection law in your jurisdiction, we take appropriate steps to implement
alternative arrangements to ensure your data continues to be adequately protected
and your privacy rights respected.
Northern Trust has put in place Standard
Contractual Clauses with relevant parties to whom personal data will be transferred.
Where required, the Standard Contractual Clauses are accompanied by measures that
support an adequate level of data protection, including controlling access to data
by third parties, law enforcement and regulators.
Please contact Privacy_Compliance@ntrs.com for copies of the Standard Contractual
Clauses that have been entered into by Northern Trust.
How Long We Keep Your Data
Northern Trust will retain your personal information for as long as required for
Northern to perform the services. In general terms, we will retain your personal information
for the length of time we perform the services (including the Northern Trust Matrix)
or the service to the institution you represent. We may maintain different retention
periods for different products and services.
We will also retain your
personal information for the period as required by tax and company laws, or other
regulations such as anti-money laundering and know-your-customer regulations, to which
we or your institution are subject, and as long as necessary for you to be able to
bring a claim against us and for us to defend ourselves against any legal claims.
This will generally be the length of the relationship plus the length of any applicable
statutory limitation period under local laws.
In certain circumstances,
information may need to be retained for a longer period of time, for example where
we are in ongoing correspondence or there is a continuing claim or investigation.
Keeping Your Personal Data Up To Date
Northern Trust will use reasonable efforts to keep your personal information up to date. However, you will need to notify Northern Trust without delay in the event of any change in your personal circumstances, or those of the others mentioned above, so that Northern Trust can keep the personal information up to date. You should do this through Matrix Portal or by contacting Privacy_Compliance@ntrs.com.
Your Data Subject Rights
You have the following rights, in certain circumstances and subject to certain exceptions, in relation to your personal information:
- Right to access your personal information – You have a right to request that we provide you with a copy of your personal information and to be informed about how we obtained and use your personal information, who it is shared with and who is the controller.
- Right to rectify your personal information – You have a right to request that we correct inaccurate personal information.
- Right to restrict the use of your personal information – In certain circumstances you have a right to ask us to restrict the use of your personal information. This applies if you contest the accuracy of the personal information (to allow us to verify its accuracy), the processing is unlawful but you do not want the information erased, it is no long needed for the purpose for which we collected the information but is required by you to establish or exercise legal claims or defences, or because you have exercised your right to object and we are considering your request. Depending on the situation we may refuse your request, in particular if using this information is necessary for legal claims.
- Right to request that your personal information is erased – In certain circumstances you have a right to ask us to erase your personal information (this is also often called the "right to be forgotten"). This applies to personal information that we no longer need for the purpose for which it was collected, if the processing is based on consent and you withdraw that consent, if you have successfully exercised your right to object, if the personal information has been processed unlawfully, or if we are legally required to erase the data. Depending on the situation we may refuse your request, in particular if we need to process this information to meet our legal obligations or if the information is necessary for legal claims.
- Right to object to processing of your personal information – In certain circumstances you have the right to object to the processing of your personal information. This applies if we process the personal information on the basis of our legitimate interests or if the information is processed for the purpose of direct marketing. We will review this request to establish if we have compelling legitimate interests which override your rights and freedoms.
- Right to data portability – In certain circumstances you have the right to ask us to provide your personal information to you or another controller in a structured, commonly used, machine-readable format. This applies when we process your information by automated means and this processing is based on your consent or performance of a contract with you.
Where you have provided your consent to processing (e.g. to receive information
about products and services which may be of interest to you or the institution you
represent), you may withdraw your consent at any time by contacting Northern Trust
by email at Privacy_Compliance@ntrs.com.
Where Northern Trust requires
your personal information to comply with AML or other legal requirements, failure
to provide this information means Northern Trust will not be able to provide services
to you or the institution you represent, facilitate dealings in the Fund(s) (whether
electronic or otherwise) or the provision of information in relation to the Funds
to you via the Matrix Portal.
How To Contact Supervisory Authorities
You have the right to lodge a complaint in relation to Northern Trust’s processing of your personal data:
- with the supervisory authority in the EU Member State of your habitual residence or place of work or in the place of the alleged infringement. A list of the supervisory authorities within the EU can be found here; or
- where your habitual residence or place of work or the alleged infringement is in Guernsey, with the Office of the Data Protection Commissioner, contactable at St Martin’s House, Le Bordage, St Peter Port, Guernsey GY1 1BR, enquiries@odpc.gg or +44 (0)1481 742074); or
- where your habitual residence or place of work or the alleged infringement is in the UK, with the UK Information Commissioner’s Office, contactable at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (or at the relevant regional office for Scotland, Wales or Northern Ireland, details of which are available at https://ico.org.uk/global/contact-us/postal-addresses/), casework@ico.org.uk or +44 (0)303 123 1113;
- where your habitual residence or place of work or the alleged infringement is in Switzerland, with the Swiss Federal Data Protection and Information Commissioner, contactable at Feldeggweg, CH-3003, Switzerland or +41 (0)58 462 43 95; or
- where your habitual residence or place of work or the alleged infringement is in Norway, with the Norwegian Data Protection Authority, contactable at P.O. Box 458 Sentrum, NO-0105 Oslo, Norway, +47 (0) 22 39 69 00.
How To Contact Us
If you have any questions about our use of your personal information, please contact our Data Protection Officer at Privacy_Compliance@ntrs.com, and/or:
- in Luxembourg, 10 rue du Château d’Eau, L-3364 Leudelange, Grand-Duché de Luxembourg ;
- in the United Kingdom, 50 Bank Street, London, E14 5NT, United Kingdom;
- in Ireland, Georges Court, 54-62 Townsend Street, Dublin 2, Ireland;
- in Guernsey, PO Box 71, Trafalgar Court, Les Banques, St Peter Port, Guernsey, GY1 3DA, GBR;
- in the Netherlands, Vinoly 7th floor, Claude Debussylaan 18A, 1082 MD Amsterdam, The Netherlands;
- in Sweden, Ingmar Bergmans gata 4, 1st Floor, 11434 Stockholm, Sweden;
- in Switzerland, Aeschenplatz 6, Basel, CH-4052, Switzerland;
- in Norway, Third Floor Haakon VIIs gate 6, 0161 Oslo, Norway.