CME Group Colleague Privacy Notice

Effective March 9 2022

CME Group Inc. and each of its subsidiaries and affiliates (collectively known as "CME Group") are committed to safeguarding your personal information. The purpose of this notice is to make all current and former employees, internal consultants, contractors, temporary personnel and agents and suppliers with physical or logical access to CME Group (“Colleagues” "you", "your") aware of how CME Group processes their personal data. Such processing may include the collection, storage, modification, access, or destruction of personal information, and may be completed manually or by automatic means.

Personal information, or personal data, means any information relating to you from which you can be identified. It does not include anonymous data.

This notice does not form part of any contract of employment or any other contract to provide services. To avoid doubt, the application of this notice to any person is not intended to change your status or condition that results from your relationship with us.

Back to top

We may collect, store, and use the following categories of personal data about you to the extent relevant, necessary and permitted by applicable local laws:

• Information which identifies you
  E.g. your name, date of birth, passport, visa, driver’s license, government-issued identification numbers, vehicle registration, security pass details, signature, IP address and GPS information
• Personal contact details
  E.g. address, telephone numbers and personal email address
• Demographics or protected class characteristics
  E.g. gender, marital status, citizenship, residency or domicile and immigration status
• Family information
  E.g. name, date of birth and other identifying information of your spouse, partner or dependents; next of kin; emergency contact and information concerning parental leave
• Professional or employment-related information
  E.g. title, location of employment, terms of employment or engagement, work product, dates of employment, dates of leave, termination or separation details, dates of absence, working hours, work days, work duties, professional biography, skills and professional memberships, compliance/training records and records of key fob or security card usage
• Health insurance information
  E.g. beneficiaries, expression of wish forms, notice coverage, national insurance number
• Financial details
  E.g. bank account numbers, payroll records, tax status, expenses, corporate card details, compensation history, benefit entitlements
• Recruitment information
  E.g. copies of right to work documentation, references, background check outcome (if applicable), education history and level/qualifications, salary expectations and other information included in a resume/CV or cover letter or as part of the application process
• Communications
  E.g. corporate mobile telephone details, copies of messages sent through our networks, written communications from or about you
• Internet or other electronic network activity information
  E.g., information about devices issued by CME to Colleagues (e.g., which devices were issued, IMEI number of device, MAC address of device, phone number of mobile phone), details of resource or device usage (e.g., mobile data usage, battery usage, applications used, calls made, text messages sent), information about your use of our computer or other communication systems (e.g. logs of applications used, downloads, uploads, and actions taken), IP addresses, login and logout information, session length, log-in location, browsing history, search history, interaction with areas of our network
• Performance reviews and assessments
  E.g. performance development goals, performance improvement plans, 360 feedback, evaluations, financial performance and profitability, utilization details, personality and assessment results
• Disciplinary and grievance information including information relating to workplace investigations
• Personal trading information in accordance with CME policies.
• Information regarding preferences
  E.g. characteristics, psychological tests, behavior, attitudes, predispositions, abilities, or aptitudes
• Audio, electronic, visual, thermal, or similar information
  E.g., professional photograph, photographs taken in workplace or at work events, CCTV, records of telephone calls, recordings of meetings, trainings, or business presentations

In addition, we may also collect the following categories of personal data about you, in very limited cases and in compliance with applicable laws, that may be of a sensitive nature:

• Information about sensitive characteristics
  E.g. your nationality, race or ethnicity, religious beliefs, sexual orientation and political opinions where required by applicable laws or provided voluntarily by you
• Information about criminal convictions and offences, information about criminal history which may be provided while employed and be used in assessing whether to continue employing or engaging individuals.
• Biometric identifiers, see our Biometric Information Security Policy for more information.
• Information about your health to administer CME Group policies or regulatory benefit responsibilities, including any medical condition, disability, health and sickness records, including:
  • work station assessments;
  • consideration of any reasonable adjustments related to a disability;
  • details of any absences from work (other than holidays) including time on sick leave (including absence certification and Fitness to Work certificates); and
  • information about your health and/or any medical condition provided because of any referral made by us to an independent occupational health provider or a medical practitioner who is responsible for your care.

Where we collect your personal data out of the scope above or for purposes beyond those specified in this notice, we will communicate with you of such change.

Back to top

To the extent relevant, necessary and permitted by applicable local law,

• beyond the personal data which you provide to us directly (including at the time you applied to work with us and through the recruitment and on-boarding process), we may collect certain information about you from third parties including an employment and/or recruitment agency, former employer, benefits provider, healthcare provider, social media (such as LinkedIn) or online share dealing portals, background check provider or credit reference agencies, government agencies and other related sources.
• we will also collect personal data on an ongoing basis throughout the period of your working with us in the course of job-related activities, your use of our systems and in administering our relationship with you.
• we will also collect information about you automatically on an ongoing basis through workplace monitoring. See our Code of Conduct and Local Employee Handbooks for more information.

You may not be required to provide us with certain information requested and the provision of such is voluntary. However, some information is necessary for the purposes described in this notice and, therefore, if you fail to provide certain information requested as mandatory, we may not be able to administer our relationship with you (such as paying you or providing a benefit) or perform the contract we have entered into with you, where applicable, or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Back to top

We occasionally allow children to be onsite for work experience/job shadowing.  As a result, personal information (such as name, contact details and parent/guardian) may be processed to administer access to relevant CME Group facilities and while such individuals are onsite.

For children residing in the PRC and are under the age of 14, we process their personal information (if any) based on their parent or guardian's explicit consent.

Back to top

The purposes for which we may process your personal data are as follows to the extent relevant, necessary and permitted by applicable law:

• Recruitment and onboarding
  • Making a decision about your recruitment or appointment.
  • Determining the terms on which you work for us.
  • Checking that you are legally entitled to work in the country in which we are seeking to employ you.
  • Providing employment verification references to prospective employers.

• Administration of your salary, benefits and expenses claims
  • Paying you and, if you are an employee or deemed an employee for tax purposes, deducting tax and other governmental contributions.
  • Providing you with and otherwise liaising with vendors for the purposes of administering benefits.
  • Inviting you to participate in, granting awards under, and administering your participation in any share plans operated by the CME Group.
  • Enrolling you in a pension arrangement.
  • Administering our relationship with you or perform the contract we have entered into with you, where applicable.
  • Administering your corporate credit card and reimbursing you for business related expense claims.
  • Conducting performance reviews, managing performance and determining performance requirements.
  • Making decisions about salary reviews and compensation generally.

• Assessing your performance and supporting you in your career development
  • Assessing qualifications and suitability for a particular job or task, including decisions about assignments or promotions.
  • Undertaking and fulfilling education, training and development activities and requirements.
  • Maintaining sickness and other absence records.
  • Gathering information and evidence related to grievance or disciplinary matters.
  • Making decisions about your continued employment or engagement.
  • Making arrangements for the termination of our working relationship.

• Activities relating to CME's commercial operations in the context of your role
  • Planning and making travel arrangements.
  • Corporate event management.
  • Maintaining a staff contacts database (to assist in the effective operation of the business).
  • Providing staff collaboration tools (to assist in the effective operation of the business).

• Administration of the CME business
  • Equal opportunities monitoring.
  • Providing information to prospective future purchasers/merger partners (should they arise) in connection with the outsourcing or sale or combination (including through acquisition) of some or all of the business or part of the business in which you work.
  • Running business operations, management and planning, including accounting and auditing, marketing and business development, cost management and business continuity (to ensure the effective running of the business).
  • Conducting data analytics studies to review and better understand employee retention and attrition rates.

• Compliance purposes and in relation to any lawsuits
  • Dealing with legal disputes involving you, the organization and/or other employees, workers, contractors and third parties, including accidents at work and to protect our interests.
  • Preventing fraud and other unlawful activities or misconduct.
  • Ascertaining and taking decisions related to your fitness to work and workplace adjustments.
  • Complying with health and safety obligations.
  • Handling your requests in relation to the rights you have regarding your personal information.
  • Monitoring your use of our information and communication systems to ensure compliance with our IT and data security policies as set forth in the Code of Conduct and other CME Group policies posted on OpenExchange, or as otherwise communicated to you.
  • Ensuring compliance with applicable policies and corporate governance obligations (including maintaining insiders' lists and statutory records) as set forth in your contract (where applicable), posted on OpenExchange or otherwise communicated to you (including to ensure the effective and efficient running of the business).
  • Ensuring network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution (including to ensure the effective and efficient running of the business in keeping with all requirements to which we are subject).
  • Satisfying and ensuring compliance with our legal and regulatory obligations and the requests and recommendations of any regulatory authority anywhere in the world having jurisdiction (applicable to any member of the CME Group, including to protect our interests and ensure the effective running of the business in keeping with all requirements to which we are subject).
  • Where applicable, registering or certifying you with any relevant regulator or authority (e.g. through the UK Financial Conduct Authority's SMCR regime).
  • Operating a whistleblower hotline/system (to provide a means by which unlawful or unethical behavior can be reported, investigated and acted upon).

The additional purposes for which we may process special categories of personal data are as follows to the extent relevant, necessary and permitted by applicable local law:

• We will use information relating to leaves of absence (whether sickness or family-related) to comply with employment and other laws.
• We will use information about your physical or mental health, or disability status, for occupational health purposes to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits, where applicable.
• In the United States we will use your Personal Health Information (PHI) for the benefit of your treatment, payment of benefits, and for health care operations of our benefit programs as outlined in the HIPAA Notice of Privacy Practices (U.S. employees) and for the same purposes outside of the U.S.
• We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
• We will use any of the special categories of personal data referred to above for the purpose of conducting investigations of potential violations of the Code of Conduct or other CME Group policies.

Additional information

To the extent permitted under local law we may use information about criminal convictions and offences, criminal history to confirm your suitability for a particular job, following an offer of employment or engagement, process information concerning the alleged commission of an offence(s) in investigating and acting upon concerns reported through internal avenues or through our whistleblower hotline/system, or to share this information with regulators as required by law pertaining to any alleged misconduct, wrongdoing, or actionable breach of regulatory requirements.

For some roles, we are required by law to undertake background screening checks and we are allowed to process your personal information in this way because processing is necessary for the purposes of complying with a regulatory requirement which involves us taking steps to establish if you have committed an unlawful act or been involved in dishonesty, malpractice or other improper conduct. This will be done both during onboarding and will be confirmed every three years as part of CME’s Global Background Check Policy. In any other circumstances, we will only collect and process criminal records information to the extent permitted by local law, or with your explicit consent where legally required and permitted, in accordance with applicable law.

How will we use information about your dependents?

Subject to applicable law, we may collect personal information about your dependents to administer benefits to them in accordance with your benefit entitlements or to comply with our legal obligations under immigration law.

We may share personal information about your dependents in accordance with this privacy notice or with governmental authorities where we are legally required to do so. All personal information about your dependents will be processed by us in accordance with this privacy notice and applicable law.

Hong Kong only: you undertake to notify your dependents of this privacy notice.

Automated Decision-Making

Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention.

CME Group may do this via monitoring, or surveillance activities on any content or materials located on any CME Group Information Resource or CME Group facility, in accordance with applicable laws. CME Group may provide information obtained in the course of its monitoring activities to a third party, including regulators and law enforcement agencies.

Back to top

We may share your data with the CME Group entities, service providers, or other third parties. We require the receiving entity to protect the security of your data, to process your personal data only in accordance with our instructions and to treat it in accordance with the law. We have agreements in place with these external third parties who process your personal data to ensure their compliance with the applicable data protection laws. We may share your personal information for certain purposes and with the entities described in this section:

• Members of CME Group: We may share your personal information with other CME Group entities, for example, for payroll, administration and provision of benefits or employer-sponsored plans, maintenance of our standard record systems, workplace monitoring, expense reimbursement, travel and accommodations, relocation services, employee assessments, IT infrastructure, training, telephony services, or wellness evaluations and services.
• Service Providers: We may share your personal information with services providers that we engage to assist us in conducting our employment-related activities. Such service providers may include equity plan administrators, brokers, benefits providers, payroll companies, IT or systems maintenance providers, systems or data hosts, communications providers, record-keeping companies, accountants, auditors, other professional advisors, or other vendors that help support migration services.
• Corporate transactions: We may share your personal information to the extent reasonably necessary to proceed with the consideration, negotiation, or completion of a merger, reorganization, or acquisition of our business, or a sale, liquidation, or transfer of some or all of our assets.
• Third parties as required by law: We will share your personal information to comply with laws to which we are subject, as permitted by applicable laws. For example, we may share your personal information in response to a court order or subpoena, in response to a valid request from law enforcement, or with your future employers where required by law.
• Third parties for other purposes: We may share your personal information with any third party as necessary to protect our legitimate business interests in protecting our rights; enforcing our Terms of Use; detecting, preventing, or responding to fraud, intellectual property infringement, or other illegal activities; and protecting the safety and security of tangible or intangible property belonging to us or a related third party.
• Regulators and governmental authorities: We may also need to share your personal information with a regulator or to otherwise comply with the law applicable to any member of CME Group, as permitted by applicable laws. This may include filing returns with tax authorities and making disclosures to our regulators (including, for example, the US Securities and Exchange Commission, the US Commodity Futures Trading Commission, the Health & Safety Executive and local financial regulation authorities and data protection authorities) and shareholders.

Back to top

We process information collected from or about you in any country in which CME Group operates, as permitted by applicable laws.  In some cases, your information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for information under applicable laws (such as those in the European Union).  When we conduct such transfers, we rely on your explicit consent (as required under applicable laws) and/or put in place appropriate safeguards (including without limitation signing standard contractual clauses) in accordance with applicable legal requirements.  Information located outside of your home country may be subject to access by that country’s government or its agencies under a lawful order, as permitted by applicable laws.  For more information on the appropriate safeguards in place or to obtain a copy, please contact us at privacy@cmegroup.com.

Back to top

We retain your personal information for as long as necessary to carry out the purposes set out in this privacy notice, unless a longer retention period is required by applicable laws or regulatory requirements that may be applicable to us or is necessary for us to protect our rights. We keep your personal information for as long as you are employed or engaged by us. When your employment or engagement is over, we may retain certain personal information for purposes such as complying with our legal obligations, resolving disputes, conducting workplace investigations, preventing fraud or misuse of our property or data, and protecting our rights and interests. We may be legally obligated, for example by local employment or tax laws, to retain personal information related to your employment for a period of time specified by law.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes through other means, and the applicable legal requirements. In many instances, personal data will be held for 7 years following the termination of your employment or engagement.

In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you (as, once anonymized, it will cease to constitute personal data).

Back to top

We use technical, administrative, and physical security safeguards to protect the information that we collect or receive against loss and unauthorized access, use, modification, or disclosure. Please be aware that, despite our ongoing efforts, no security measures are perfect or impenetrable. Moreover, we are not responsible for the security of information that you transmit to us over networks that we do not control, including Internet and wireless networks.

Back to top

Subject to local law, you may have certain additional rights regarding your personal information. For example, residents of the European Union and other countries may have rights to: access personal information; correct personal information; request deletion of personal information; restrict our use of personal information; object to certain uses of personal information; receive personal information in a usable electronic format and transmit it to a third party (also known as the right of data portability); lodge a complaint with a local data protection authority; or withdraw any consent supporting uses or disclosures of personal information.  If you have questions about the rights you may have, please contact us via the channels listed in Section 14.

If you reside in France, you also have the right to give us instructions on the fate of your personal data after your death.

If you reside in California, you may have certain rights with respect to your personal information, including the right to access the personal information we hold about you and the right to opt out of the sharing of your personal information in certain circumstances. Requests to exercise your rights may be submitted to us in writing at privacy@cmegroup.com or by phone at + 1 866.716.774.

Please note that, to exercise any rights, we may require that you provide additional personal information to confirm your identity.

Back to top

We are committed to only using your personal data to the extent relevant, necessary and permitted by applicable local laws. Where we rely on our legitimate business interests, we have undertaken an assessment where we have balanced your rights against ours to ensure that our interest is not overridden by the interests you have to protect your information.

The lawful bases for the different purposes set out in this notice will be as follows:

* If you are located in the People's Republic of China ("PRC", for the purpose of this CME Colleague Privacy Notice, excluding the Hong Kong SAR, the Macau SAR and Taiwan), we process your personal information based on lawful basis permitted under Chinese data privacy laws (and not based on legitimate interests).

Back to top

Yes. We may update this privacy notice at any time. For any material changes, we will provide you with an updated copy of this notice as soon as reasonably practical. The current version of this notice from time to time can be accessed on our Privacy Page.

We may also notify you in other ways from time to time about the processing of your personal data.

Back to top

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Back to top

If you have any questions about this privacy notice or how we handle your personal data or to exercise any right, please contact Privacy Compliance at privacy@cmegroup.com.

CME Group, Inc.
20 S Wacker Drive
Chicago, IL 60606
+1 312 930 1000
+1 866 716 7274 (US Only)
privacy@cmegroup.com

For the purposes of data protection in the EU/EEA, Singapore or India:

• Your controller is the company which employs or engages you. This entity is responsible for deciding how we hold and use your personal information. The list of employing controllers, across the CME Group can be found here. In addition, CME Group Inc. (our US parent company) is also a joint data controller. This privacy notice is provided for CME Group, and on behalf of Chicago Mercantile Exchange Inc.
• The CME Group has designated a Data Protection Officer that can be contacted at privacy@cmegroup.com
• CME Group Inc., CME Mercantile Exchange Inc. and the above non-EU/EEA entities have designated CME Operations Limited as their representative within the EU/EEA.

Back to top

Effective March 9 2022