CME Group’s Commitment to GDPR

The European Union (EU) General Data Protection Regulation (GDPR) became enforceable on May 25, 2018.  CME Group Inc. (CME) has taken steps to prepare for the GDPR by improving its internal policies and processes.

What is the GDPR?

The GDPR is a comprehensive data protection law.  It replaces the different existing national implementations of the EU Data Protection Directive and strengthens protection of an individual’s personal data.  The GDPR imposes enhanced requirements on companies when handling personal data, bolsters the rights of individuals with respect to their personal data, and carries significant potential penalties for breach.

Is CME preparing for the GDPR?

CME Group has taken many steps to implement appropriate changes into our practices by updating our documentation, processes, and procedures in preparation for GDPR.  We have identified areas of change for certain parts of our business and for certain suppliers.  

CME encourages you to visit CME’s privacy policy for an up-to-date understanding of why CME collects and uses your personal data and an outline of your rights under GDPR with respect to your personal data.  

Questions?

If you have questions about CME’s preparation efforts, please contact us at privacy@cmegroup.com.  All questions and comments will be directed to the Chief Privacy Officer.

CME Group Inc. Privacy Policy

Effective as of November 2nd, 2018

Purpose and Scope

CME Group Inc. and each of its subsidiaries and affiliates (collectively known as "CME Group") are committed to safeguarding your personal information. We have adopted and implemented this privacy policy ("Policy") as part of our commitment to protecting your personal information across all of our services. We encourage you to read this Policy to learn more about the ways we collect, use, disclose, and protect your personal information.

Because we are a global company, this Policy takes into consideration various privacy regulations and frameworks for protecting the collection, use, maintenance, sharing, and disposition of personal information in compliance with applicable legal and regulatory requirements.  Additional details relating to the European Union (EU) or, respectively, European Economic Area (EEA) (collectively, “EU/EEA”), United States, countries or other jurisdictions are provided in the body of this Policy as well as at the end of the Policy in the "Country- and State-Specific Notices" section. 

Unless superseded by alternative Terms and Conditions (e.g. customer agreements, employee contracts) where appropriate, when you provide CME Group with personal information, the method by which the information will be collected, used, distributed, and maintained will be in accordance with the terms outlined in this Policy.

By providing personal information and using our products and services you acknowledge the collection, use, distribution and maintenance of your personal information in the manner described in this Policy or the alternative Terms and Conditions under which the collection of the information applies. If you object to any aspect of this Policy or alternative Terms and Conditions, CME Group asks that you do not submit your personal information or utilize our services. 

Consent

Where required by law, we generally will seek your express written or oral consent for the collection, use, maintenance and distribution of your personal information. 

There are situations where consent may not be sought as we are legally permitted under applicable laws to process personal information without consent.  For example, depending on the applicable jurisdiction, this may include situations where:

  • the processing of personal information is required by law (e.g. subpoena);
  • the processing of personal information is required in order for CME Group to fulfill its legal and regulatory obligations;
  • the processing of personal information is necessary as part of the provision and receipt of our products and services;
  • information is used in the aggregate to improve our products and services;
  • in response to an emergency or where the safety or health of an individual or the public is at risk; or
  • the information is publicly available.  


Changes to the Privacy Policy

The Policy is current as of the effective date set forth above. The Policy is reviewed regularly and may change over time.  All modifications are effective immediately, where permitted by law. Therefore, we encourage you to review this Policy periodically so you are aware of our practices.  If we make material changes to the Policy by modifying our privacy practices that increase our rights to use personal information we have previously collected about you, we may attempt to notify you or obtain your consent, where required by law, either through your registered email address or by prominent posting on this page with an appended revision date. 

Information Collection

CME Group recognizes that personal information is considered to be any information relating to an identified or identifiable natural person.  CME Group may collect personal information directly from you and, in some circumstances, from those individuals and/or entities you may authorize to act on your behalf and, where permissible by applicable laws, from publicly available sources.

The type of information you may be requested to provide will vary based upon the type of relationship(s) you have established with CME Group. 

Most commonly, we collect your full name, professional job title, physical address, phone number, and your email address in order to provide you with services tailored to your particular needs.  In connection with some of our products and services we may collect additional types of personal information including, but not limited to, full name, phone number, email, Internet Protocol (“IP”) address, Social Security Number, Financial Account Information, country of origin, etc. Please refer to the sections below or to the forms where we collect information from you for details.

CME Group may collect personal information relevant to the purposes of administering its business, providing and improving its products and services, such as in relation to:

USE OF OUR WEBSITES ("SITES"): In order to better serve your particular needs, CME Group (and third parties operating on CME Group’s behalf) may collect information from or about you while visiting the Sites. Some of this information is collected automatically through cookies (see our Cookie Policy) and when using your log-in credentials. CME Group may also obtain information directly from you and, depending upon the nature of transactions you may conduct, from third party sources.

From time to time, CME Group may seek to collect input from you about the use of our Sites, products or services.  This information may be collected with or without the collection of identifying information.  If we request personal information, these fields will be optional, unless otherwise indicated, resulting in you having control over whether or not the answers remain anonymous. Third party tools may be used to facilitate these questionnaires.

We also collect non-personal (pseudonymized and anonymized) information when you visit CME Group Sites. This information includes, but is not limited to, the pages you view, the search terms entered into the search utility, location, the operating system, browser software, preferred language and internet service provider you use.  Such non-personal information we may collect generally is used to administer the Site, improve our services, determine how the Sites are being used, identify popular areas of the Sites, analyze trends and usage patterns, and offer you tailored content. If we associate your non-personal information with your personal information, we will generally treat everything as personal information.

Additionally, as permitted by law and regulation, your information may be used in aggregate, statistical form to track and measure usage including, but not limited to, customer/user preferences, interests, demographics, and patterns; and to determine trading volumes, audience size and repeated usage. We may then use such data, together with information collected from other users, to manage and customize the Site's content, layout, and our services in order to improve the Sites, enhance customer service, and provide tailored messages. We may combine personal information and non-personal information to conduct analytics in order to improve user experience.

We will use your IP address for legally permitted uses including to provide the services to you, to improve our services and to help diagnose problems with our server.

Furthermore, we may use the information you provide us to contact you about our products and services as legally permitted. Please see the section entitled "Contact Us" for instructions relating to opting out of such use.

The personal information you submit to us either via the Sites (e.g. by completing our on-line forms) or via email may be used to provide you with the response or services you have requested.

We do collect personal information about your online activities over time and across third party websites or online services.  When a browser is set to "do not track", the signals it transmits do not apply to our Sites, and we do not alter any of our data collection and use practices upon receipt of such a signal.

CME Group offers educational resources, including Risk Ranch and CME Institute (also known as Futures Institute), to increase awareness of our industry.  CME Group collects information in aggregate for the Risk Ranch and CME Institute, and does not collect or maintain information that identifies any specific individual. The information collected is only used to improve upon functionality and its content.

The Sites may contain links to third party websites. Please note that when you click on one of these links, you will be accessing a website that CME Group does not control and which may be governed by privacy policies and practices that differ from ours. CME Group is not, and will not be, responsible for the privacy policies or practices of third parties or the content or security of any third-party websites.

PUBLIC FORUMS (e.g. website comment sections, Blogs, Social Media): Posts, comments or other information you submit on any public forums (e.g. message board, chat rooms) should not be considered private or confidential. CME Group may use any such postings ("Postings"), any content thereof, and any information derived from any such Postings (including any ideas, concepts, know-how or other intellectual property) and may provide such Postings to any of its subsidiaries, affiliates, or others, for any purpose whatsoever, as deemed appropriate in the sole discretion of CME Group and subject to applicable laws.  Posts, comments, and other information you share on these platforms can be read, viewed, collected or used by others accessing these public forums.  We have no responsibility for how others use the information you share on these public forums, such as sending you unsolicited communications, contacting you, or any other usage of your personal information. When registering, you may choose a username (pseudonym) that does not identify you to the general public.

CME Group is under no obligation to review any Postings relating to CME Group and assumes no responsibility or liability relating to any Postings. Nonetheless, CME Group may from time to time monitor the Postings and in its sole discretion and in accordance with law may remove and/or decline to publish any material, including but not limited to: (i) any Postings that contain any unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially, ethnically or otherwise objectionable material of any kind; (ii) advertisements or solicitations of any kind; (iii) messages posted by visitors impersonating others; (iv) personal information, such as messages which list phone numbers, Social Security numbers, account numbers, addresses, or employer references; (v) messages by non-spokesperson employees of CME Group purporting to speak on behalf of CME Group; (vi) multiple messages by the same visitor restating the same point; (vii) messages of commercial or reputational damage to CME Group; and (viii) chain letters of any kind.

SOCIAL NETWORK ACCOUNT INFORMATION: We may allow you to sign into and associate your social network accounts including, but not limited to, Twitter, LinkedIn, Facebook, and YouTube with CME Group.

By using this functionality, we deem that you consent by affirmative action to the use of your personal data for the purpose of enabling the functionality.

We may ask you to allow us to access certain elements of your social network profile information you have made available to be shared and to use it in accordance with the social network’s terms of use and this Policy. Each social network will give you full control over what kind of data you will share with us. Please refer to the privacy settings in your social network account for information about what data is shared and to manage the data shared through your account, including information about your activities using our Sites. 

We do not retain your username or password for social networking platforms for any longer than is necessary to complete an interaction. If you would like to disconnect a social media account from CME Group refer to the settings of that social media account and its provider.

EMAIL SUBSCRIPTIONS FOR NEWSLETTERS, NOTICES, AND SERVICE ANNOUNCEMENTS:  If you have subscribed to receive communications from CME Group (e.g., through the CME Subscription Center), we may contact you by phone, text, mail or email, as applicable, related to company services, market or product announcements and newsletters, sales and marketing communications, and when applicable, service announcements pertaining to system maintenance or disruptions.  Generally, you have the ability to opt-out of these marketing communications at any time by contacting us with the information in the “Contact Us” section of this Policy, clicking on the unsubscribe button located within the message, or directly modifying your preferences in the subscription center. Some non-promotional communications used for administrative purposes, such as service announcements, may be sent to you regardless of your status for receiving marketing communications.

SALES AND MARKETING AND CUSTOMER SERVICE: Based upon the CME Group services you use, and as permitted by law, individuals from our sales and marketing and customer service teams may contact you directly by phone, email, mail or text messaging. Should you choose not to be contacted please submit a request to the Data Protection Officer ("Contact Us") or complete the form on "Unsubscribe – Email Alert Subscription."  Unsubscribing from these communications may impact the way CME Group may share information with you regarding the use of our services. 

CME Group may record certain telephone conversations, including phone lines in the Global Command Center, Clearing House, main switchboard, or where required by law. The purpose of such recordings is to provide verification of customer transactions entered in connection with CME Group business, to protect the organization against misconduct, and to ensure the telephone lines are being used consistent with applicable CME Group policies. When a recorded line is being used an announcement will be made at the beginning of the call notifying you that the call may be recorded and that you can object to such recording at the beginning of the call. Consent to such recording and monitoring is presumed by the use of the recorded phone lines without raising such objection. There may be instances where the recording cannot be turned off.  Please use discretion when sharing information over a recorded line as the recording may be retained and used for legal, regulatory, or business purposes. 

BILLING INFORMATION WHEN YOU ARE PURCHASING PRODUCTS OR SERVICES:  There are certain circumstances for which CME Group may collect personal information when you purchase products or services from us.  For the purposes of these transactions, CME Group may collect, use, and maintain personal information such as your name, email, phone number, and mailing address from you. 

Where offered, you may choose to complete your transactions using credit or debit card information (e.g. Online Store, Software, Market Data).  CME Group does not directly process or retain any credit card information. Your credit card information will only be processed and stored with third parties that are Payment Card Industry Data Security Standard ("PCI DSS") compliant. The third parties are not allowed to share or use any of your information beyond the purposes for which it was collected.  Where available, you may elect to have the third party maintain your credit card information for reoccurring purchases. 

USE OF CME GROUP TECHNOLOGY SYSTEMS: When using CME Group systems, personal information may be collected and used to authenticate your access such as device type, operating system, browser, IP address, and country of origin.  Additional information may be collected during your use of the technology so CME Group can continue providing you the services applicable to the offering, and tailoring our content as appropriate. Refer to our Cookie Policy.  

For registered users, upon the creation of your profile (by the user or at the request of your organization) personal information is required to be provided.  Personal information collected will vary based on the type of relationship you have with CME Group.  Information collected may include name, phone number (landline or mobile), email address, physical address, organization name, and professional title.

Accessing CME Group systems may require additional authentication credentials beyond a password. In these situations, you can request to receive the automated code via text message or telephone call. Receipt and use of this verification code may be required in order to gain access to certain CME Group systems.   

MEMBERSHIP: CME Group may collect and use personal information for the purpose of processing membership applications. For the purposes of these applications CME Group may collect, use, and maintain personal information such as your name, phone number, physical address, professional title, email address, social security number (or national identity number), date of birth, and place of birth. CME Group does not share membership information with third parties except where required by law, or service providers. CME Group distributes a weekly “Membership Bulletin” that is sent to all current members providing information on new, withdrawn or changed membership details on all membership sales.

MARKET DATA AGREEMENTS: CME Group may collect personal information in order to comply with the provisions of agreements relating to receipt and/or use of market data. Under the provisions of such agreements, CME Group will collect contact details for business and contact administration purposes. Such contact details may include name, title, phone number and email address. CME Group will use this information for billing and business development management. CME Group will use personal information submitted by licensees in order to supply, administer, manage and improve services provided by CME Group and to comply with applicable regulatory and legal requirements.

RECRUITMENT AND EMPLOYMENT: CME Group may collect personal information from applicants and potential candidates, employees, interns, temporary employees and consultants (collectively "Colleagues"), as part of recruitment and selection of candidates (e.g. resumes, contact details), to fulfill the terms of employment (e.g. references and background checks) and for staff administration purposes (e.g. payroll processing, providing benefits and performance reviews). Depending on the jurisdiction, we may process additional data as required or authorized by laws regarding taxes, social security and social protection, including sensitive information (special categories of personal data). We will separately inform you about this additional processing of personal data when you enter into an employment, internship, temporary employment or consulting agreement with us through the HR Privacy Policy applicable to the CME Group entity.

Where necessary and permissible under applicable law, CME Group may combine personal information from one service with information, including personal information, from other services or information that is publicly available to conduct due diligence for compliance and/or security purposes and/or to help us better understand your relationship to CME Group to improve your experience. For further details, please refer to the applicable HR Privacy Policy.

CORPORATE TRANSACTIONS: CME Group may collect personal information from third parties as part of a reorganisation, sale, merger or joint venture and will process it for the purposes of the business integration, including sending communications to you.

Location of Personal Information

CME Group is a global company and may collect and process personal information in countries throughout the world.  Therefore, subject to applicable laws, your personal information may be located and used in a country where CME Group does business other than your country of residence or where you provided CME Group with your personal information.  These other countries may not have the same data protection laws as the country in which you reside. When we transfer your information to other countries, we protect that information as described in this Policy. By submitting your information, you acknowledge our collection, transfer, and processing of your personal information in accordance with this Policy.

Third Party Access to Information

We do not share personal information with third parties, unless one of the following conditions applies:

  • We have obtained your consent to share your personal information.  
  • To disclose information about the use of our websites or mobile applications but only in aggregate, statistical form.
  • To protect CME Group’s rights, property or safety of its assets and Colleagues and where permitted by law.
  • To assist with investigations into malicious or fraudulent activity or other potential security or compliance threats or violations.
  • To support auditing, compliance, and corporate governance functions.
  • To cooperate fully with state, local, federal, and international legal, governmental and regulatory entities, authorities and officials in any investigation or governmental, legal or regulatory proceeding relating to any information collected or to any purported unlawful activities. 
  • As permitted by law, the information we collect, including personal information, may also be disclosed to third parties if CME Group, in its sole discretion, believes disclosure is necessary to comply with legal or regulatory processes or requests or to protect the rights, property, or personal safety of CME Group, its affiliates, and/or the respective customers, members, directors, officers, employees and agents and/or the public.
  • To enforce our Terms and Conditions.
  • If CME Group or any of its assets are acquired by a third party, in which case personal information may be one of the transferred assets.

When we share access to personal information with companies or individuals working on CME Group’s behalf, we protect such personal information by requiring those parties to enter into agreements (e.g., non-disclosure agreements) with CME Group to safeguard the confidentiality of personal information, to use the personal information only for CME Group purposes, and ensure compliance with applicable data protection laws.

Retention of Personal Information

CME Group retains personal information for the duration of the business relationship or where required, in accordance with the corporate Records and Information Management Policy and Retention Schedule. We make reasonable attempts to ensure that all instances of such information (e.g. production, backups, etc.) are deleted in their entirety, including any of your personal information.  For requests for access, corrections, or deletion please see "Contact Us". 

Children's Privacy

The Sites are general audience sites not directed at children under the age of 13. If we obtain actual knowledge that any personal information we collect has been provided by a child under the age of 13, we will promptly delete that information. If you access our Sites from the EU/EEA or if you access an EU/EEA Site, the age limit will be 16.

CME Group does offer a website and a mobile application for students to learn more about our industry.  Please refer to the discussions of Risk Ranch and CME Institute within this Policy for more information under the header "Use of Our Websites".

Further, we occasionally allow children to be onsite for work experience/job shadowing.  As a result, personal information (such as name, contact details and parent/guardian) may be processed to administer access to relevant CME Group facilities and while such individuals are onsite (see CME Group Facilities and Visitors section below).

Monitoring of Electronic Communication

CME Group reserves the right to monitor all electronic communications that occur on CME Group information systems where a CME Group representative is party to the communication as deemed necessary and appropriate, subject to applicable law. CME Group generally does not monitor the content of messages offered directly to our customers via Pivot and CME Direct where a CME Group representative is not an active participant within the communication.  For more information regarding electronic communications with CME Group, please click here.

Security

CME Group takes security and the protection of your personal information seriously.  We have implemented a physical and logical security program that includes commercially reasonable administrative, physical, and technical safeguards. These controls may be updated as new technology and controls become available, or as appropriate.  

To safeguard CME Group facilities and colleagues, CME Group may collect personal information and video when you are on company premises.  Your personal information may be used for security and due diligence purposes.  CME Group uses video recording in public areas of its facilities, 24/7. We will clearly post signs indicating such video surveillance and/or recording on site.

Access to or Deletion of Your Information

You may request from us certain information about you including, but not limited to, any information you have provided to us upon registration for various services.  CME Group will provide individuals with access to their personal information, allow modifications, or request deletion, within reason and in accordance with applicable laws.  We are committed to keeping your personal information current and accurate. If your contact information should change, please "Contact Us" so that we may update our records accordingly.  

Prior to fulfilling any request for information or deletion, we may require you to provide information so we may verify your identity. Subject to applicable laws, we reserve the right to decline requests that are unreasonable, present risk to the privacy of another individual, may jeopardize the confidentiality of another party, are excessively repetitive, or may require significant technical modifications to our systems. Provided the request is reasonable in nature, all requests for information will be free of charge. CME Group reserves the right to respond to any requests as soon as reasonably possible, but generally within 30 days or one month, whichever is shorter. For Korean residents, CME Group will respond to any such requests within 10 days. 

Requests should be sent to Privacy@cmegroup.com.

Contact Us

All complaints, questions or comments regarding CME Group’s Policy should be directed to Privacy@cmegroup.com. If you wish to opt out of receiving communications from CME Group or others as described in this Policy, please contact CME at Privacy@cmegroup.com. All questions and comments will be directed to the Privacy Office.  

CME Group Inc.

20 S Wacker Drive
Chicago, IL 60606
1.312.930.1000
1.866.716.7274 (US Only)
privacy@cmegroup.com

Related Notices:

Country- and State-Specific Notices

The notice for “European Customers (EU/EEA)” below applies to:

  • any activities in the context of an establishment or subsidiary of CME Group in the European Union (EU) or other countries in the European Economic Area (EEA) (collectively, “EU/EEA”); and
  • visits to our Sites or use of CME Group systems by natural persons located in and from the EU/EEA; and
  • the offering of products or services to natural persons located in the EU/EEA, irrespective of whether a payment of the data subject is required; and
  • any monitoring of the behaviour of natural persons as far as such behaviour takes place within the EU/EEA.

The EU currently consists of the Member States Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Czechoslovakia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovenia, Spain, Sweden, United Kingdom; the EEA additionally includes Iceland, Liechtenstein and Norway.

The other following notices apply to customers who are residents of the specific country or state mentioned.

European Customers (EU/EEA)

We will process your data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”). Additional information regarding the processing of your personal data as required by the GDPR is set out in the following sub-sections.

Data Controller:  The entity responsible for the processing of personal data (data controller) is, in the following order of precedence:

  • for the processing of personal data in the context of visits to our Site at cmegroup.com: CME Group Inc. as identified in the section “Contact Us” above; for visits to other Sites or access to other CME Group systems, the CME Group entity identified on such website or system;
  • for the processing of personal data of Colleagues, the CME Group entity identified in the employment, internship, temporary employment or consulting agreement or, respectively, the job posting;
  • for activities in the context of the sale and/or procurement of products and services, the CME Group entity identified in the order form, agreement, or applicable Terms and Conditions; and
  • the CME Group entity identified in the location where we make reference to this Policy, such as a form where we collect personal data, email signatures, business cards, stationery, etc.

In each case, this Policy should be read as “CME Group” or “we” being a reference to the respective data controller as identified above.

You can find the contact details of CME Group Inc. in the section “Contact Us” above. The contact details of other CME Group entities established in the EU/EEA are as follows:

| Company name | Address | Contact |
|---|---|---|
| CME Benchmark Europe Limited | Fourth Floor, One New Change, London EC4M 9AF, United Kingdom | Privacy Compliance; phone: +44 20 3379 3700; privacy@cmegroup.com |
| CME Marketing Europe Limited | Fourth Floor, One New Change, London EC4M 9AF, United Kingdom | Privacy Compliance; phone: +44 20 3379 3700; privacy@cmegroup.com |
| CME Operations Limited | Fourth Floor, One New Change, London EC4M 9AF, United Kingdom | Privacy Compliance; phone: +44 20 3379 3700; privacy@cmegroup.com |
| CME Trade Repository Limited | Fourth Floor, One New Change, London EC4M 9AF, United Kingdom | Privacy Compliance; phone: +44 20 3379 3700; privacy@cmegroup.com |
| Elysian Systems Limited | Fourth Floor, One New Change, London EC4M 9AF, United Kingdom | Privacy Compliance; phone: +44 20 3379 3700; privacy@cmegroup.com |
| CME Technology and Support Services Limited | Fourth Floor, One New Change, London EC4M 9AF, United Kingdom | Privacy Compliance; phone: +44 20 3379 3700; privacy@cmegroup.com |

The contact details of other CME Group entities not established in the EU/EEA are as follows:

| Company name | Address | Contact |
| --- | --- | --- |
| Board of Trade of the City of Chicago, Inc. | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| Chicago Mercantile Exchange Inc. | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| Chicago Mercantile Exchange Korea Inc. | Level 10, 97, Uisandang-daero, Yeongdeungpo-gu, Seoul, 07327, Republic of Korea | Privacy Compliance; 82.2.6336.6700; privacy@cmegroup.com |
| CME Consulting (Beijing) Co. Ltd. | No.6 Wudinghou Street, 12th Floor, Financial District, Excel Center, Xicheng District, Beijing 100032, China | Privacy Compliance; 86.10.5913.1300; privacy@cmegroup.com |
| CME Global Marketplace Inc. | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| CME Group Australia Pte. Ltd. | Level 36, Gateway Tower, 1 Macquarie Place, Sydney 2000, Australia | Privacy Compliance; 61.8051.3210; privacy@cmegroup.com |
| CME Group Index Services LLC | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| CME Group Japan Kabushiki Kaisha | Level 27 Tokyo Sankei Building, 1-7-2 Otemachi Chiyoda-ku, Tokyo 100-0004, Japan | Privacy Compliance; 81.3.3242.6233; privacy@cmegroup.com |
| CME Group Marketing Canada Inc. | #100, 888—3rd st. SW, Bankers Hall, West Tower, Calgary, Alberta, T2P 5C5, Canada | Privacy Compliance; 403.444.6876; privacy@cmegroup.com |
| CME Group Singapore Operations Pte. Ltd. | One Raffles Quay, #27-10 South Tower, Singapore 048583 | Privacy Compliance; 65.6593.5555; privacy@cmegroup.com |
| CME India Technology and Support Services Private Limited | Level 8, Bagmane Tridib, Block A, No. 65/2, Bagmane Tech Park, C.V. Raman Nagar, Bangalore – 560093, India | Privacy Compliance; 91.80.3323.2300; privacy@cmegroup.com |
| CME Interest Earning Facility for Customer-Segregated Funds, L.L.C. | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| CME Interest Earning Facility for Proprietary Funds, L.L.C. | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| CME Shareholder Servicing LLC | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| CME Ventures LLC | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| CMEG Brazil 1 Participações Ltda. | Avenida Paulista, 1079, Rm 707, São Paulo, Brazil 013110200 | Privacy Compliance; 55.11.2787.6279; privacy@cmegroup.com |
| CMEG Foundation Services Inc. | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| Commodity Exchange, Inc. | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| GFX Corporation | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| New York Mercantile Exchange, Inc. | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |
| Pivot, Inc. | 20 South Wacker Drive, Chicago, IL 60606 | Privacy Compliance; 312.930.1000; privacy@cmegroup.com |

For the purposes of data protection in the EU/EEA, CME Group Inc. and the above non-EU/EEA entities have designated CME Operations Limited as their representative within the EU/EEA.

Data Protection Officer: CME Group has designated a Data Protection Officer. You can contact the Data Protection Officer at Privacy@cmegroup.com or +44 20 3379 3700.

Purposes and Legal Basis for Processing: The legal basis for each processing activity set out in this Policy will be as follows:

| Purpose / Activity | Legal basis | Comment / Legitimate Interest |
| --- | --- | --- |
| USE OF OUR WEBSITES; USE OF CME GROUP TECHNOLOGY SYSTEMS | | |
| Providing access to the Site to the general public (without a usage agreement) | Article 6(1)(f) GDPR | Legitimate interest of providing information to the general public |
| Providing access to the Site and/or CME Group Systems under a usage agreement or in order to enter into a usage agreement | Article 6(1)(b) GDPR | Performance of a contract / pre-contractual measures |
| User registration | Article 6(1)(b) GDPR | Performance of a contract / pre-contractual measures |
| Questionnaires on our Site | Article 6(1)(a) GDPR | Consent |
| Collection of non-personal (pseudonymised and anonymised information) from visitors of our Sites | Article 6(1)(f) GDPR | Legitimate interest of administration of the Site, improving our services and statistical purposes |
| Collection of IP addresses | Article 6(1)(f) GDPR | Legitimate interest of ensuring the security, integrity and availability of our systems |
| Provision of requested responses or services. | Article 6(1)(a) GDPR | Consent (affirmative action) |
| Collection of online activities over time and across third party websites or online services. | Article 6(1)(a) GDPR | Consent |
| PUBLIC FORUMS | | |
| Publication of personal information you submit | Article 6(1)(a) GDPR | Consent (affirmative action) |
| SOCIAL NETWORK ACCOUNT INFORMATION: | | |
| Login via social networks | Article 6(1)(a) GDPR | Consent (affirmative action) |
| Access and use of your profile information | Article 6(1)(a) GDPR | Consent |
| EMAIL SUBSCRIPTIONS FOR NEWSLETTERS, NOTICES, AND SERVICE ANNOUNCEMENTS: | | |
| Sending of communications that you have subscribed to | Article 6(1)(a) GDPR | Consent |
| Service announcements | Article 6(1)(b) GDPR | Performance of a contract / pre-contractual measures |
| SALES AND MARKETING AND CUSTOMER SERVICE: | | |
| Contacting you directly by phone, email or text messaging | Article 6(1)(f) GDPR | Legitimate interest of marketing products and services |
| – where consent is required under applicable direct marketing laws | Article 6(1)(a) GDPR | Consent |
| Recording of phone calls | Article 6(1)(a) GDPR | Consent (implied) |
| BILLING INFORMATION WHEN YOU ARE PURCHASING PRODUCTS OR SERVICES | | |
| Sales of products and services | Article 6(1)(b) GDPR | Performance of a contract / pre-contractual measures |
| – where the data subject is a contact person of the purchaser | Article 6(1)(f) GDPR | Legitimate interest of efficient communication with the purchaser |
| Processing payment information | Article 6(1)(b) GDPR | Performance of a contract |
| MEMBERSHIP | | |
| Processing membership applications, and all activities related to memberships | Article 6(1)(b) GDPR | Performance of a contract / pre-contractual measures |
| MARKET DATA AGREEMENTS | | |
| Collecting personal information relating to receipt and/or use of market data | Article 6(1)(b) GDPR | Performance of a contract / pre-contractual measures |
| – where the data subject is a contact person of the member | Article 6(1)(f) GDPR | Legitimate interest of efficient communication with the member |
| RECRUITMENT AND EMPLOYMENT | | |
| Recruiting, employment | Article 6(1)(b) GDPR | Performance of a contract / pre-contractual measures |
| – where processing is required by statutory law | Article 6(1)(c) GDPR | Legal obligation |
| For additional legal processing activities and specific legal bases that apply to a specific CME Group subsidiary or establishment, please refer to the applicable HR Privacy Policy | | |
| CORPORATE TRANSACTIONS | | |
| Collecting and processing personal information as part of corporate transaction for business integration purposes | Article 6(1)(f) GDPR | Legitimate interest of ensuring transparency of the transaction and business integration |

Recipients and legal basis for transfer: Recipients of your personal data will be our internal recipients, service providers (data processors) and other data controllers as set out below:

Internal Recipients: Your data will be used by our employees and other staff members on a need-to-know basis for the purposes described above. Management may also have limited access to your personal data and/or anonymized statistics for the legitimate interest (Article 6(1)(f) GDPR) of company governance.

Data Processors: We engage other CME Group entities as well as third-party service providers for the provision of services that help us in providing the services to us. These will process your personal data as data processors (Article 28 GDPR) solely on our behalf.

The categories of such recipients include:

  • service providers for information technology and telecommunications (such as hosting providers, email service providers)
  • marketing service providers
  • accounting service providers
  • business process outsourcing providers

We will remain fully responsible for the processing of your personal data by our data processors.

Other Controllers: We will also transfer your data to third parties acting as another data controller as follows:

| Recipient | Legal basis | Comment / Legitimate Interest |
| --- | --- | --- |
| Governmental bodies as required by applicable laws (e.g., regulatory authorities, police/criminal prosecution, courts) | Article 6(1)(c) GDPR | Legal obligation |
| Tax authorities, social security providers (esp. in the context of employment) | Article 6(1)(b) GDPR | Performance of a contract |
| CME Group Inc. (from a subsidiary) | Article 6(1)(f) GDPR | Legitimate interest of group-wide governance |
| Post and telecommunication providers, banks, payment providers and other service providers | see above | Depends on the purpose of the underlying processing activity |
| Legal advisors, courts, the police, and comparable public bodies | Article 6(1)(f) GDPR | Legitimate interest of the establishment, exercise or defence of legal claims, and of obtaining legal advice (access to justice) |
| Other Professional advisors (e.g., tax advisers) | Article 6(1)(f) GDPR | Legitimate interest of obtaining professional advice |

These other data controllers will be responsible themselves for their collecting, processing and using your personal data.

Transfers outside of the EU/EEA: Your personal data may be transferred to recipients outside of the EU/EEA, including to countries and/or recipients which are not subject to laws providing an adequate level of data protection.

For transfers to CME Group Inc. (from a subsidiary), we have entered into data processing agreements (for situations where CME Group Inc. acts as a data processor) and data transfer agreements (for situations where CME Group Inc. acts as another controller) based on the standard contractual clauses approved by the European Commission under Article 46 of the GDPR.

For other recipients, we will ensure that they are either (a) subject to laws providing an adequate level of data protection (as determined by a respective adequacy decision of the European Commission under Article 45 of the GDPR) (including the EU-U.S. Privacy Shield where the recipient is a participant), (b) bound by an agreement establishing appropriate safeguards according to Article 46 of the GDPR, or (c) bound by binding corporate rules according to Article 47 of the GDPR.

You can request a copy of the aforementioned agreements by contacting us as set out in the section “Contact Us.”

Automated Decision-Making: Your personal data will not be used for automated decision-making, including profiling, unless we inform you separately about this.

Your rights:

 Under the applicable

  • Right to access to the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data has not been collected from you, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (Article 15 of the GDPR).
  • Right to rectification of inaccurate personal data concerning you as well as, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement (Article 16 of the GDPR).
  • Right to erasure (deletion) of personal data concerning you without undue delay where: (a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) you withdraw your consent and there are no other legal grounds for the processing; (c) you exercise your right to object (see below) and there are no compelling legitimate grounds for the processing; (d) the personal data have been unlawfully processed; or (e) the personal data have to be erased for compliance with a legal obligation applicable to us (Article 17 of the GDPR).
  • Right to restriction of processing (i.e., data will be blocked from normal processing but not erased) where: (a) you contest the accuracy of the personal data, for a period enabling us to verify the accuracy; (b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (c) we no longer need the personal data for the purposes of the processing but they are required by you for the establishment, exercise or defence of legal claims; (d) you exercise your right to object (see below) pending the verification whether our legitimate grounds override yours (Article 18 of the GDPR).
  • Where processing is based on your consent, the right to withdraw consent at any time, without affecting the lawfulness of the processing prior to such withdrawal (Article 7(3) of the GDPR).
  • Where processing is based on your consent, or on a contract, the right to data portability, i.e. the right to obtain a copy of the data concerning you in a structured, commonly used and machine-readable format and the right to transmit that data to another controller without hindrance from us.
  • Right to object to the processing of personal data based on legitimate interests of us, other CME Group entities or any third party under Article 21 of the GDPR based on your particular situation, provided that there are no compelling legitimate grounds for the processing that would override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims (Article 21 of the GDPR).
  • Finally, you always have the right to contact us regarding all issues related to the processing of your personal data and/or lodge a complaint with the competent supervisory authority (Article 77 of the GDPR).

California Privacy Rights

Other than as part of joint marketing programs where the co-sponsor is identified, we do not share personal information with third parties for the third parties’ direct marketing purposes. If this practice changes, we will provide details on how we will comply with California Civil Code § 1798.83 in this Policy.

Hong Kong Customers

As part of our normal operations and in order to better serve your particular needs, we may utilize your personal data in accordance with the provisions of the Personal Data (Privacy) Ordinance, Cap 486.

The personal data collected from you may be transferred to, and stored at, a destination outside Hong Kong. It may also be processed by staff operating outside Hong Kong who work for CME Group or for one of our suppliers when providing products and/or services to you. Such staff may be engaged in, among other things, the provision of support services. By submitting your personal data, you agree to this transfer, storing and/or processing.  Overseas third parties to whom we may disclose your personal data are not authorized to use your information for any other purposes beyond those we have agreed with them.

Japanese Customers

The data collected from you may be transferred to, and stored at, a destination outside Japan. It may also be processed by staff operating outside Japan who work for CME Group or for one of our suppliers when providing products and/or services to you. Such staff may be engaged in, among other things, the provision of support services. By submitting your personal data, you agree to this transfer, storing and/or processing.

Please note that we may transfer your personal data to a third party (i) in a country which is not recognized by the regulations of the Privacy Information Protection Commission (the "PPC") as having personal data protection legislation equivalent to the Act on the Protection of Personal Information (the "APPI") or (ii) which has not established an internal system for the protection of personal data which meets the requirements set forth in the regulations of the PPC. By submitting your personal data, you also agree to the transfer of your personal data to such third party. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy and the APPI. Overseas third parties to which we disclose your personal information are not authorized to use your information for any other purposes beyond those we have agreed with them.

South Korean Customers

The data collected from you may be transferred to, and stored at, a third party outside South Korea.  It may also be processed by staff who work for CME Group or for one of our suppliers when providing products and/or services to you.  Such staff may be engaged in, among other things, the provision of support services.  Prior to (i) the collection and use of; (ii) the change of purpose of such collection and use of; and (iii) the provision to a third party of, your personal information, CME Group will seek to obtain consent from you pursuant to the Personal Information Protection Act of Korea (“PIPA”) and other relevant Korean laws and regulations, unless the contemplated data processing is necessary to implement the agreement with you.

In cases where CME Group transfers your personal information or outsources processing of your personal information to a person or entity outside South Korea or allows a person or entity outside Korea to retain or access your personal information, we will take steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy, PIPA and other relevant laws and regulations of Korea.

PRC Customers

This Policy sets forth the purposes for which, and the manner and scope in which, CME Group may collect and use your personal information, subject to your consent.

If CME Group identifies any Postings that are considered to violate applicable laws and regulations, CME Group reserves the right to retain the relevant record and/or report to the competent authorities.

If you find your identity and/or personal privacy is infringed on or otherwise compromised, you may wish to contact us to delete the corresponding information and/or take other reasonable measures as described in the “Contact Us” section of this Policy. 

Singapore Customers

As part of our normal operations and in order to better serve your particular needs, we may collect, use and disclose your personal data in accordance with the provisions of the Personal Data Protection Act 2012 ("PDPA").

Where your personal data is transferred out of Singapore, we strive to comply with the PDPA. This may include obtaining your consent, unless an exception under the PDPA applies, and taking appropriate steps to ascertain that the foreign recipient organization of the personal data is bound by legally enforceable obligations to provide a standard of protection to that data that is at least comparable to the protection under the PDPA. This may include us entering into an appropriate contract with the foreign recipient organization dealing with the transfer of personal data or permitting the transfer of personal data without such a contract if the PDPA permits us to do so.

By submitting your personal data, you agree to our use of your personal data in accordance with this Policy.  Third parties outside Singapore to whom we may disclose your personal data are not authorized to use your information for any other purposes beyond those we have agreed with them.