PRIVACY CENTER NOTICES

CME Group Colleague Privacy Notice

Effective: March 25, 2025

CME Group Inc. and each of its subsidiaries and affiliates (collectively known as 'CME Group', 'we' and 'us') are committed to safeguarding your personal data. CME Group is the controller or processor of your personal data according to the privacy laws and regulations applicable to us. See Section 18 below for details on how you can contact us.

The purpose of this privacy notice (‘Notice’) is to explain how we process your personal data so that you understand what we collect, what we do with it, who we disclose it to and the rights available to you. The processing we undertake may include the collection, storage, modification, access, or destruction of personal data, and may be completed manually or through automatic means.

Personal data (also referred to as 'personal information’ or 'data') means any information that can be used to identify you, your device, or, if you live in California, your household. This includes direct identifiers such as your name and contact details, but also indirect identifiers such as data that we may collect from the electronic device that you use to access our services.

If you have any questions about this Notice or how we use your data, our details are provided in the 'Contact details' Section below.

This Notice applies to you if you have any of the following relationships with us:

Agents and suppliers - an individual who has physical or logical access to CME Group.
Contractors – an individual or a company that has undertaken a contract to provide materials or labor to perform a service or a job for CME Group.
Current or former employee – an individual who is employed or has been employed by CME Group.
Internal consultant – an individual or group that serves internal clients in an advisory capacity at CME Group.
Temporary personnel – an individual who has been hired for a set period or to help with a large project at CME Group.

If you are an applicant or candidate for one of our job opportunities, then you can find out more about how we use your data via our Candidate Privacy Notice and our Cookie Notice.

We may collect, store, and use the following categories of personal data about you to the extent relevant, necessary and permitted by applicable local laws and depending on the nature of the relationship you have with us:

Account preferences and analytics
Information regarding your stated preferences and relating to your use of our services.
Audio, electronic, visual, thermal or similar information
Information including professional photographs, photographs taken in the workplace or at work events, CCTV footage, records of telephone calls, recordings of meetings, trainings or business presentations.
Authentication details
Credentials that allow you to access our services, including your user ID, password, and memorable information.
Communication records
Records of any communications between you, other CME colleagues, customers and others at CME Group, including corporate mobile telephone details, copies of messages sent through our networks and written communications from or about you.
Contact details
Information that is provided to us so that we can contact you such as your name, title, home address, office address, company name and type, job role, telephone numbers and personal email address.
Demographics or protected class characteristics
Qualities about an individual such as gender, marital status, citizenship, residency or domicile and immigration status.
Device and electronic information
Details of resource usage or information about your interaction with areas of our network and details we collect from devices issued by CME Group to Colleagues (e.g., which devices were issued, device type, IMEI number of device, MAC address of device, operating system, phone number of mobile phone), details of resource or device usage (e.g., mobile data usage, battery usage, applications used, browser, calls made, text messages sent), information about your use of our computer or other communication systems (e.g., logs of applications used, downloads, uploads, and actions taken), IP addresses, online identifiers, login and logout information, session length, log-in location, browsing history, search history, interaction with areas of our network and geolocation data.
Disciplinary and grievance information
Information relating to workplace investigations.
Family information
Name, date of birth and other identifying information of your spouse, partner or dependents; next of kin; emergency contact and information concerning parental leave.
Financial details
Information including payroll records, expenses, corporate card details, compensation history and benefit entitlements.
Financial status
Information used to determine your creditworthiness, such as your credit rating, bank statements and tax information.
Health insurance information
Your details including your designated beneficiaries, expression of wish forms, notice coverage and national insurance number.
Identification information
Information that is used to verify your identity such as your name, date of birth, passport, visa, driver’s license, government-issued identification numbers, vehicle registration, security pass details and signature.
Information regarding aptitude testing and preferences
Results from taking aptitude tests or psychometric tests that may reveal details about your characteristics, psychological tests, behavior, attitudes, predispositions, abilities or aptitudes.
Military status
Military or military reserve service or status.
Performance reviews and assessments
Details found in your personnel file regarding your performance development goals, performance improvement plans, 360 feedback, evaluations, financial performance and profitability, utilization details, personality and assessment results.
Personal trading information
Information collected regarding personal trading accounts, in accordance with CME Group policies.
Prior or current professional or employment-related information
Details regarding previous or current professional experience such as title, location of employment, terms of employment or engagement, work product, dates of employment, dates of leave, termination or separation details, dates of absence, working hours, work days, work duties, professional biography, skills, interests, professional memberships, experience information, compliance/training records and records of key fob or security card usage.
Recruitment information
Copies of right to work documentation, references, background check outcome (if applicable), education history and level/qualifications, salary expectations and other information included in a resume/CV or cover letter or that you provide to us during an interview, assessment or otherwise as part of the application process.
Service usage
Information collected when you are operating our services (e.g., one of our software applications), including transactions that you undertake, information that you select, logs of when you access the services and for how long, details of any failed login attempts and any information that you choose to download. When you are using one of our Artificial Intelligence (“AI”) tools, we will collect records of your prompts, user-provided input, generated output, refinements and feedback.
Social network information
Social media account information and personal data collected from social media accounts.

In addition, we may also collect the following categories of personal data about you, in very limited cases and in compliance with applicable laws, that may be of a sensitive nature:

Biometric identifiers
Fingerprint data captured for Financial Industry Regulatory Authority (FINRA) purposes and in certain situations when allowing access to individuals to our premises. See our Biometric Information Security Policy for more information.
Information about criminal convictions and offenses
Information about criminal history which may be provided while employed and be used in assessing whether to continue employing or engaging individuals.
Information about sensitive characteristics
Details regarding your nationality, race or ethnicity, religious beliefs, sexual orientation and political opinions where required by applicable laws or provided voluntarily by you. This may also include information disclosed in ERG chat groups created for events, mental health, and career advice.
Information about your health
Information needed to administer CME Group policies or regulatory responsibilities, such as any medical condition, disability, health and sickness records, including:
- Workstation assessments;
- Consideration of any reasonable adjustments related to a disability;
- Information related to accidents on CME Group property reported in accordance with the law;
- Onsite healthcare center records (including consent forms and other data processed as a part of receiving onsite healthcare center services);
- Details of any absences from work (other than holidays) including time on sick leave (including absence certification and Fitness to Work certificates); and
- Information about your health and/or any medical condition provided because of any referral made by us to an independent occupational health provider or a medical practitioner who is responsible for your care.

Where we collect your personal data outside of the scope above or for purposes beyond those specified in this Notice, we will communicate this to you.

In addition to any personal data that you provide to us directly (e.g., at the time you applied to work with us, through the recruitment and onboarding process, etc.), we may also collect and derive data about you through the following means:

Automated means - for example, when you interact with areas of our network.
Cookies and similar technologies – when you visit our website or use any of our mobile applications, we may employ cookies and similar technologies. See Section 14 below for further details.
In the course of job-related activities - we will also collect personal data on an ongoing basis throughout the period of your working with us in the course of job-related activities, your use of our systems, and in administering our relationship with you.
Third party sources - including an employment and/or recruitment agency, former employer, benefits provider, healthcare provider, social media (such as LinkedIn) or online share dealing portals, background check provider or credit reference agencies, government agencies and other related sources.
Workplace monitoring - we will also collect information about you automatically on an ongoing basis through workplace monitoring. See our Code of Conduct and Local Employee Handbooks for more information.

You may not be required to provide us with certain information requested and the provision of such is voluntary. However, some information is necessary for the purposes described in this Notice. If you fail to provide certain information requested as mandatory, we may not be able to administer our relationship with you (such as paying you or providing a benefit) or perform the contract we have entered into with you, where applicable, or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

We may receive certain data about you from various third parties from time to time, including:

CME Group – including CME Group systems, colleagues, and departments, as needed to facilitate our business operations, services and products and to fulfill our legal obligations to you.
Electronic devices – including data sourced from any electronic devices issued by CME Group (e.g., mobile devices and laptops).
Publicly available government and non-government data – information about you that is available from the government or otherwise publicly available.
Social media platforms – such as email account, chat logs, and publicly available information sources from social media pages or via services provided via social media platforms (e.g., LinkedIn, WeChat, Weibo, Facebook, X (formerly Twitter), etc.).
Third party agencies – who may provide us with information that they have collected from you on our behalf (e.g., companies that perform background checks on behalf of CME Group).
Third parties that you have a relationship with – if you are a customer of a third party and we have a relationship with that third party, we may receive information from them. During the hiring process, we may also receive information from a former employer or your other reference providers.

The purposes for which we may process your personal data are as follows to the extent relevant, necessary and permitted by applicable law:

PROCESSING PURPOSE	CATEGORIES OF DATA & TYPE OF RELATIONSHIP WITH US	LEGAL BASIS FOR PROCESSING (RELEVANT JURISDICTIONS ONLY)
Accident reporting Processing data related to physical incidents which occur on CME Group property. Using the information to conduct activities related to OSHA and RIDDOR reports and for the administration of activities related to accidents on CME Group property.	*Categories of data* Communication records Contact details Demographics or protected class characteristics Health information *Relationship Type* Colleague	Legitimate interest Legal requirement
Administration of CME Group’s commercial operation in the context of your role Administering accounts payable such as invoice and payments. Maintaining a staff contacts database (to assist in the effective operation of the business). Managing corporate events. Recording your memberships to professional associations. Planning and making travel arrangements. Providing staff collaboration tools (to assist in the effective operation of the business). Using your information for billing and collection purposes.	*Categories of data* Communication records Contact details Financial information Identification information Professional information *Relationship Type* Colleague	Consent Legal requirement Legitimate interest
Administration of our business Administering trading floor operations including trading cards, tickets, master pulpit, wireless valet files, and spread cards. Conducting data analytics studies to review and better understand employee retention and attrition rates. Equal opportunity monitoring and reporting. Managing cash debt and investment management activities, and payment of dividends to Shareholders. Providing information to prospective future purchasers/merger partners (should they arise) in connection with the outsourcing or sale or combination (including through acquisition) of some or all of the business or part of the business in which you work. Running business operations, management and planning, including accounting and auditing, marketing and business development, cost management and business continuity (to ensure the effective running of the business). Scheduling for command center daily log and personnel.	*Categories of data* Communication records Contact details Demographics or protected class information Financial information Identification information Prior or current professional or employment related information Professional information Service usage *Relationship Type* Colleague	Consent Legal requirement Legitimate interest Performance of a contract Public interest
Administration of our political action committee Processing contributions made via the political action committee.	*Categories of data* Contact details Payment information Professional information *Relationship type* Colleague	Consent Legal requirement Legitimate interest
Administration of your salary, benefits, and expense claims Administering your corporate credit card. Conducting performance reviews, managing performance and determining performance requirements. Enrolling you in a pension arrangement. Inviting you to participate in, granting awards under, and administering your participation in any share plans operated by CME Group. Making decisions about salary reviews and compensation generally. Paying you and, if you are an employee or deemed an employee for tax purposes, deducting tax and other governmental contributions. Providing you with and otherwise liaising with vendors for the purposes of administering benefits, including: Administration of workers’ compensation activities in the United States; and Administration of benefits outside of the US that are similar to Family Medical Leave in the United States. Reimbursing business related expense claims. Using information to abide by regulations, including to abide by the ADA and make reasonable accommodations for colleagues. Using your Personal Health Information (PHI) for the benefit of your treatment, payment of benefits, and for health care operations of our benefit programs as outlined in the HIPAA Notice of Privacy Practices (U.S. employees) and for the same purposes outside of the U.S. For EU/UK/EEA residents please see Section 16 for more information on the processing of your health data.	*Categories of data* Contact details Current professional data Demographics or protected class information Family information Financial information Health information Health insurance information Identification information Personal contact details Prior or current professional or employment related information Professional information *Relationship Type* Colleague	Legal requirement Legitimate interest Performance of a contract
Assessing your performance and supporting you in your career development Administering and managing personnel files. Assessing qualifications and suitability for a particular job or task, including decisions about assignments or promotions. Collecting information relating to leaves of absence (whether sickness or family-related) to comply with employment and other laws. Gathering information and evidence related to grievance, disciplinary matters, or health and safety concerns. Maintaining sickness and other absence records. Making arrangements for the termination of our working relationship. Making decisions about your continued employment or engagement. Structuring, drafting, and negotiating severance agreements with departing colleagues. Undertaking and fulfilling education, training and development activities and requirements.	*Categories of data* Audio, electronic, visual, or similar information Biometric data Communication records Contact details Current professional/ employment data Demographics or protected class characteristics Device and electronic information Disciplinary and grievance information Family information Financial details Health information Health insurance information Identification information Information about criminal convictions Information about sensitive characteristics Information regarding preferences Performance reviews and assessments Personal contact details Prior or current professional or employment related information Recruitment information Service usage *Relationship Type* Colleague	Legal requirement Legitimate interest Performance of a contract
Communicating with the community and you Administering community relations activities, contacting you by email, phone, text or post (as applicable) about services, events, industries, product announcements and other marketing communications if you have agreed to receive this information. Communicating with you as necessary to administer our relationship with you. Providing written and verbal communications to Colleagues and external stakeholders about CME Group. Providing you with notifications and alerts relating to your account such as service announcements and details maintenance or other disruptions.	*Categories of data* Account preference and analytics Communication records Contact details Device and electronic information Financial information Internet or other electronic network activity information Product and service preferences Professional information Service usage Social network information *Relationship type* Colleague	Consent Legitimate interest Performance of a contract
Compliance with laws applicable to us Ascertaining and taking decisions related to your fitness to work and workplace adjustments. Complying with health and safety obligations. Ensuring compliance with applicable laws, policies, and corporate governance obligations (including maintaining insiders’ lists and statutory records) as set forth in employee handbooks (where applicable) posted on OpenExchange or otherwise communicated to you (including to ensure the effective and efficient running of the business). Handling your requests in relation to the rights you have regarding your personal data. Monitoring your use of our information and communication systems to ensure compliance with our IT and data security policies as set forth in the Code of Conduct and other CME Group policies posted on OpenExchange, or as otherwise communicated to you. Operating a whistleblower hotline/system (to provide a means by which unlawful or unethical behavior can be reported, investigated and acted upon). Using any of the special categories of personal data referred to above for the purpose of conducting investigations of potential violations of the Code of Conduct or other CME Group policies. Where applicable, registering or certifying you with any relevant regulator or authority (e.g., through the UK Financial Conduct Authority's SMCR regime).	*Categories of data* Communication records Contact details Current professional/employment data Criminal convictions Demographics or protected class characteristics Device and electronic information Disciplinary and grievance information Financial details Financial information Financial status Health information Identification information Information about criminal convictions and offenses Information about sensitive characteristics Personal contact details Personal trading information Prior or current professional or employment related information Service usage *Relationship Type* Colleague	Legal requirement Legitimate interest Performance of a contract
Enforcing and defending our legal rights Cooperating fully with state, local, federal, and international legal, governmental and regulatory entities, authorities and officials in any investigation or governmental, legal or regulatory proceeding relating to any information collected or to any purported unlawful activities. Dealing with legal disputes involving you, the organization and/or other employees, workers, contractors and third parties, including accidents at work and to protect our interests. Defending against legal claims. Enforcing our legal rights. Notifying law enforcement regarding alleged or potential criminal activities.	*Categories of data* Communication records Contact details Current professional/employment data Disciplinary and grievance information Financial information Performance reviews and assessments Prior or current professional or employment related information *Relationship type* Colleague	Legal requirement Legitimate interest
Health and safety Monitoring Medical team assisting the Benefits team and providing ongoing services to employees relocated to off site locations. Medical team following up and/or caring for employees with injuries/illnesses. Medical team or third party vendor administering onsite healthcare center services. Onsite medical team responding to emergency events.	*Categories of data* Contact details Family information Health information Health insurance information Identification information *Relationship type* Colleague	Consent Legal requirement Legitimate interest
Improving our products and services Analyzing how you use our services to evaluate whether we can improve them and to assess the performance of our systems. Reviewing and using data and metrics from your interactions with our AI tools to improve and develop products, services, and enterprise technologies.	*Categories of data* Account preferences and analytics Communication records Contact details Device and electronic information Product and services preferences Service usage *Relationship type* Colleague	Legitimate interest
Maintaining corporate records Keeping records in compliance with applicable law. Maintaining and managing historical files.	*Categories of data* Authentication details Communication records Contact details Device and electronic information Product and service preferences Professional information Social network information *Relationship type* Colleague	Consent Legitimate interest
Obtaining work authorizations Immigration processing to secure/maintain work authorization for foreign nationals for CME Group locations.	*Categories of data* Family information Financial details Identification information Personal contact details Professional prior or current employment related information *Relationship Type* Colleague	Legal requirement Legitimate interest
Recruitment activities Administering our relationship with you or performing the contract we have entered into with you, where applicable. Checking that you are legally entitled to work in the country in which we are seeking to employ you. Conducting background checks and employment verification, criminal record checks, employment verification, fingerprints results, I-9 forms (US specific), and other identity verification. Determining the terms on which you work for us. Making a decision about your recruitment or appointment. Providing employment verification references to prospective employers. Sending satisfaction surveys to seek feedback on our onboarding processes.	*Categories of data* Application status Audio, electronic, visual, or similar information Biometric data Communication records Contact details Criminal convictions Demographics or protected class characteristics Family information Financial details Identification information Information about criminal convictions and offenses Information about sensitive characteristics Information regarding aptitude testing Internet or other electronic network activity information Personal contact details Prior or current professional or employment-related information Recruitment information Social network information *Relationship type* Colleague	Consent Legal requirement Legitimate interest Performance of a contract
Safeguarding our environments Administering activities that identify, monitor and manage the risk associated with people processes and systems within the business. Administering phone services for the organization including the recording of conversations for specific groups. Ensuring network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution (including to ensure the effective and efficient running of the business in keeping with all requirements to which we are subject). Leading, coordinating, and responding to an event that may be impacting CME Group operations, and planning, coordination and execution of testing exercises. Maintaining logs to monitor system health and access, such as application logs, network device system logs, access logs, file integrity logs, firewall logs, network logs, security logs and web server logs. Preventing fraud and other unlawful activities or misconduct. Safeguarding the use of our services to prevent malicious behavior through the monitoring of the use of our services.	*Categories of data* Audio, electronic, visual, or similar information Authentication details Communication records Contact details Device and electronic information Family information Internet or other electronic network activity information Personal contact details Professional information Service usage *Relationship type* Colleague	Consent Legal requirement Legitimate interest Performance of a contract

Additional information

For some roles, we are required by law to undertake background screening checks and we can process your personal data in this way because processing is necessary for the purposes of complying with a regulatory requirement. Background checks assist in verifying an individual’s qualifications and in identifying issues that pose a reputational or security risk or have the potential to pose such risks. This will be done both during onboarding and will be confirmed every three years as part of CME Group’s Global Background Check Policy. In any other circumstances, we will only collect and process criminal records information to the extent permitted by local law, or with your explicit consent where legally required and permitted, in accordance with applicable law.

We may de-identify, aggregate or anonymize your personal data in such a way that you may not reasonably be re-identified by us or any other party. We may use such de-identified information as permitted under applicable local law. To the extent we de-identify any personal data and are not required to re-identify it to comply with applicable laws, we will make reasonable efforts to maintain and use such data in a de-identified form and will not attempt to re-identify the data.

If you are located in the People's Republic of China ("PRC", for the purpose of this Notice, excluding the Hong Kong SAR, the Macau SAR and Taiwan), we process your personal data based on lawful basis permitted under Chinese data privacy laws (and not based on legitimate interests).

How will we use information about your dependents?

Subject to applicable law, we may collect personal data about your dependents to administer benefits to them in accordance with your benefit entitlements or to comply with our legal obligations under immigration law.

We may share personal data about your dependents in accordance with this Notice or with governmental authorities where we are legally required to do so. All personal data about your dependents will be processed by us in accordance with this Notice and applicable law.

Hong Kong only: you undertake to notify your dependents of this Notice.

We may disclose your data to CME Group entities, service providers or other third parties for various purposes, to achieve our business objectives, and/or to comply with applicable laws as described in this Section.

CME Group entities – for payroll, administration and provision of benefits or employer-sponsored plans, maintenance of our standard record systems, workplace monitoring, expense reimbursement, travel and accommodations, relocation services, employee assessments, IT infrastructure, training, telephone services or wellness evaluations and services.
Law enforcement agencies – in relation to the detection and prevention of criminal activities, as permitted by applicable laws.
Prospective purchasers and assignees – to the extent reasonably necessary to proceed with the consideration, negotiation, or completion of a merger, reorganization, or acquisition of our business, or a sale, liquidation or transfer of some or all our assets, in the event our business, or part of it, may be or is sold or reorganized.
Regulators and governmental authorities – to comply with the law applicable to any member of CME Group, as permitted by applicable laws. This may include filing returns with tax authorities and making disclosures to our regulators (including, for example, the US Securities and Exchange Commission, the US Commodity Futures Trading Commission, the Health & Safety Executive and local financial regulation authorities and data protection authorities) and shareholders.
Service providers – to assist us in conducting employment-related activities. Such service providers may include equity plan administrators, brokers, benefits providers, payroll companies, IT or systems maintenance providers, systems or data hosts, communications providers, record-keeping companies, accountants, auditors, other professional advisors or other vendors that help support migration services.
Third parties as required by law – to comply with laws to which we are subject, as permitted by applicable laws. For example, we may share your personal data in response to a court order or subpoena, in response to a valid request from law enforcement or with your future employers where required by law.
Third parties for other purposes – to protect our legitimate business interests in protecting our rights; enforcing our Terms of Use; detecting, preventing, or responding to fraud, intellectual property infringement, or other illegal activities; and protecting the safety and security of tangible or intangible property belonging to us or a related third party.

We may also disclose de-identified or aggregated information to anyone and for any purpose permitted under applicable local law. To receive more information about the service providers or third parties to which we may disclose your data, you can contact us through the information provided in the 'Contact details' Section below.

We may process information collected from or about you in any country in which CME Group operates, as permitted by applicable laws.

In some cases, your information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for information under applicable laws (such as those in the EU/UK/EEA). When we conduct such transfers, we rely on your explicit consent (as required under applicable laws) or have put in place appropriate safeguards (including without limitation signing standard contractual clauses) in accordance with applicable legal requirements.

Information located outside of your home country may be subject to access by that country's government or its agencies under a lawful order, as permitted by applicable laws.

We put in place appropriate procedures and safeguards in accordance with applicable legal requirements when conducting such transfers. For more information on the appropriate safeguards in place or to obtain a copy of these safeguards, please contact us through the information provided in the 'Contact details' Section.

People’s Republic of China (“PRC”):

All data, including personal data, as defined under the Personal Information Protection Law of the PRC, provided to us by you will be used, distributed, and maintained in accordance with this Notice, which forms a part of the contractual terms that you agree to. If you, as an institution, are providing us with this data, you confirm that you have obtained all the necessary consents from the relevant data subjects concerned, and your processing, use and transfer of data to us complies with all applicable PRC data privacy laws. If you, as a natural person, are providing us with your personal data, you expressly give us consent to any processing, use or transfer of such data. In each data transfer above, you acknowledge and agree that the data may be transferred outside of the territory of the PRC.

This Section provides California residents with additional information regarding our collection, use, disclosure, and retention of their personal data, as well as the rights that California residents may have under applicable law.

Categories of personal data we collect

The chart below describes the categories of personal data we collect from the sources identified above in Sections 3, 4 and 5 of this Notice, as well as the categories of third parties to whom we may disclose, “sell” or “share” (as those terms are defined under California law) each category of personal data for the business and commercial purposes described in Section 6 of this Notice.

Category of personal data	Categories of third parties to whom we may disclose personal data for a business purpose	Categories of third parties to whom we may "sell"¹ or "share"¹ personal data
Device and electronic information, such as information about your interaction with areas of our network and details we collect from devices issued by CME Group to Colleagues (e.g., which devices were issued, device type, IMEI number of device, MAC address of device, operating system, phone number of mobile phone), details of resource or device usage (e.g., mobile data usage, battery usage, applications used, browser, calls made, text messages sent), information about your use of our computer or other communication systems (e.g., logs of applications used, downloads, uploads, and actions taken), IP addresses, online identifiers, login and logout information, session length, log-in location, browsing history, search history, interaction with areas of our network and geolocation data.	CME Group Credit reference agencies Government and law enforcement agencies IT suppliers Marketing providers Professional advisors Prospective purchasers and assignees Regulators and authorities Third party payment providers	Advertising and analytics partners
Financial details, such as payroll records, expenses, corporate card details, compensation history, and benefit entitlements.	CME Group Government and law enforcement agencies IT suppliers Professional advisors Prospective purchasers and assignees Regulators and authorities Third party payment providers	None
Financial status, such as your credit rating, bank statements and tax information.	CME Group Government and law enforcement agencies IT suppliers Professional advisors Prospective purchasers and assignees Regulators and authorities Third party payment providers	None
Identification information, such as your name, date of birth, passport, visa, driver’s license, government-issued identification numbers, vehicle registration, security pass details and signature.	CME Group Credit reference agencies Government and law enforcement agencies IT suppliers Marketing providers Professional advisors Prospective purchasers and assignees Regulators and authorities Third party payment providers	Advertising and analytics partners
Information regarding aptitude testing and preferences, such as results from taking aptitude tests or psychometric tests that may reveal details about your characteristics, psychological tests, behavior, attitudes, predispositions, abilities or aptitudes.	CME Group Credit reference agencies Government and law enforcement agencies IT suppliers Marketing providers Professional advisors Prospective purchasers and assignees Regulators and authorities Third party payment providers	Advertising and analytics partners
Prior or current professional or employment-related information, such as your title, location of employment, terms of employment or engagement, work product, dates of employment, dates of leave, termination or separation details, dates of absence, working hours, work days, work duties, professional biography, skills and professional memberships, compliance/training records and records of key fob or security card usage.	CME Group Government and law enforcement agencies IT suppliers Professional advisors Prospective purchasers and assignees Regulators and authorities Third party payment providers	Service Provider
Sensitive personal data, as described above and defined under applicable law.	CME Group Credit reference agencies Government and law enforcement agencies IT suppliers Professional advisors Prospective purchasers and assignees Regulators and authorities Third party payment providers	None
Social network information, such as social media account information and personal data collected from social media accounts.	CME Group Credit reference agencies Government and law enforcement agencies IT suppliers Marketing providers Professional advisors Prospective purchasers and assignees Regulators and authorities Third party payment providers	Advertising and analytics partners

We may “sell”¹ or “share”¹ your personal data for cross-contextual behavioral advertising. While CME Group does not engage in selling your data as part of a monetary transaction, the Company does engage in the sharing of data through web tracking technologies, like cookies. For more information on these technologies, please refer to our Cookie Notice. We do not have actual knowledge of “selling”¹ or “sharing”¹ the personal data of consumers under the age of 16.

We do not use or disclose your sensitive personal data for purposes other than permitted under applicable law.

Your California Privacy Rights

In addition to certain rights described in Section 10 of this Notice, you may have the following rights under California law:

Not be discriminated against – not be unlawfully discriminated against for exercising your rights.

Opt-out – opt-out of “sales” of personal data or “sharing” of personal data for cross-contextual behavioral advertising purposes (as these terms are defined under California law).

Submitting Requests

To exercise your rights to know, access, correct and delete, please review the additional information provided in Section 10 of this Notice. You may also exercise these rights via our Privacy Request Form or our Cookie Settings. To exercise your right to opt out of our “sale”¹ or “sharing”¹ of your personal data, please submit a request through our Privacy Request Form or update your Cookie Settings.

Verification

We may request that you provide sufficient information that allows us to verify, to a reasonable degree of certainty, that you are the person about whom we collected personal data. Authorized agents may also be required to provide a copy of your signed permission authorizing the agent to submit requests on your behalf.

California Online Erasure. California residents under age 18 who are registered users of any of our services geared toward this age group may ask us to remove content or information that you have posted to CME Group websites or related platforms by contacting us using the information in the ‘Contact details’ Section below. Please note that your request does not ensure complete or comprehensive removal of the content or information, as, for example, some of your content may have been reposted by another user.

¹ As defined under California law.

Subject to local law, you may have the following rights regarding your personal data. These rights may be limited or denied in some circumstances. For example, we may retain your personal data where required or permitted by applicable law.

Access/Know – request a copy of your personal data and information relating to how it is processed.
Rectify/Correct – request any inaccuracies in the personal data we hold about you be corrected.
Erasure/Deletion – request that we erase your personal data from our records.
Restrict – request that your data is no longer processed by us.
Object – object to certain ways that we process your personal data.
Transfer – request that your personal data be disclosed to a third party.
Withdraw your consent – where we are relying on your consent to process your personal data, then you can withdraw your consent at any time.
Lodge a complaint – you may be entitled to lodge a complaint with your local data protection authority.

In some jurisdictions, you may also have post-mortem privacy rights. For example, you may have the right to designate an individual to exercise your privacy rights in the event of your death or incapacitation, where applicable by law.

Submitting Requests

To exercise your rights to know, access, correct, delete, restrict, object, portability, or withdraw your consent under applicable local law or if you are an authorized agent seeking to exercise rights on behalf of a consumer under applicable local law, please contact us on the details set out in the 'Contact details' Section of this Notice below. You may also exercise these rights via our Privacy Request Form or our Cookie Settings.

Please note that some of your rights are not absolute and there may be certain circumstances where we are unable to fulfill a request that you have made. In some circumstances we may also require that you provide additional personal data to confirm your identity.

Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention.

CME Group may do this via monitoring, or surveillance activities on any content or materials located on any CME Group information resource or CME Group facility, in accordance with applicable laws. CME Group may provide information obtained in the course of its monitoring activities to a third party, including regulators and law enforcement agencies. Additionally, CME Group may use the content you provide us with to improve our services or train the models that power our AI tools.

We use technical, administrative, and physical security safeguards and other reasonable security measures to protect the information that we collect or receive against loss and unauthorized access, use, modification, or disclosure. Please be aware that, despite our ongoing efforts, no security measures are perfect or impenetrable. Moreover, we are not responsible for the security of information that you transmit to us over networks that we do not control, including Internet and wireless networks.

CME Group retains personal data for the duration of the business relationship or where required, in accordance with the internal records management and retention policies, as well as regulatory requirements that may be applicable to us.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes through other means, and the applicable legal requirements.

When your employment or engagement is over, we may retain certain personal data for purposes such as complying with our legal obligations, resolving disputes, conducting workplace investigations, preventing fraud or misuse of our property or data, and protecting our rights and interests. We may be legally obligated, for example by local employment or tax laws, to retain personal data related to your employment for a period of time specified by law.

We make reasonable attempts to ensure that all instances of such information (e.g. production, backups, etc.) are deleted in their entirety, including any of your personal data. For requests for access, corrections, or deletion please see "Contact Us" below.

Please see our Cookie Notice for further information on how we use cookies and other tracking technologies on our website.

We occasionally allow children to be onsite for work experience/job shadowing. As a result, personal data (such as name, contact details and parent/guardian) may be processed to administer access to relevant CME Group facilities and while such individuals are onsite.

Our website and services are generally not directed at persons/users under the age of 18. If we obtain actual knowledge that any personal data we collect has been provided by a child under the age of 13, we will promptly delete that information. If you access our website from the EU/UK/EEA or if you access an EU/UK/EEA website, the age limit will be 16. If you access our website from the PRC or if you access a PRC website (if any), the age limit will be 14.

There may be certain circumstances where we process your personal data on behalf of one of our customers and do not use it for our own purposes. For instance, our customer may upload your information to one of our applications which is hosted on our servers. In these circumstances, CME Group is acting as a processor or a service provider in relation to another company that is the controller or business responsible for the handling of your personal data, as these terms are used in applicable data protection laws. This Notice will not apply to CME Group as a processor or service provider, and you should instead refer to the privacy notice of the organization that provides us with your personal data.

The above does not apply to CME Group under the applicable PRC data privacy laws, where no distinction between "data controller" and "data processor" is made. You should, however, still refer to the privacy notice of the organization that provides us with your personal data, where we would be deemed a third-party data processor.

We may update this Notice from time to time. For instance, there may be changes in the data we collect about you or the purposes for which we use it.

Whenever there are significant changes to the Notice, we will notify you.

If you have any comments, questions or concerns about how we process your data or to exercise any right, then please contact Privacy Compliance at Privacy@cmegroup.com. We can also be reached by post at below address and via telephone at the below telephone numbers.

ATTN: Privacy Compliance
CME Group Inc.
20 S. Wacker Drive
Chicago, IL 60606

+1 312 930-1000
+1 866 716-7274 (US Only)

Privacy@cmegroup.com

You may also contact us via our Privacy Request Form.

For the purposes of data protection in the EU/UK/EEA, Singapore or India:

Your controller is the company which employs or engages you. This entity is responsible for deciding how we hold and use your personal data. The list of employing controllers, across CME Group can be found here. In addition, CME Group Inc. (our US parent company) is also a joint data controller. This Notice is provided for CME Group, and on behalf of Chicago Mercantile Exchange Inc.
CME Group has a designated Data Protection Officer registered for a number of CME entities. They can be contacted at Privacy@cmegroup.com
CME Group Inc., CME Mercantile Exchange Inc. and the above non-EU/UK/EEA entities have designated CME Operations Limited as their representative within the EU/UK/EEA.

The full list of companies across CME Group and the contact details of each company can be found here.

Your Privacy Choices

We’re happy to help with any questions, comments, or requests related to CME Group’s Privacy Notices or data privacy practices. Please submit your inquiry in the form to the right and follow the instructions provided.

CUSTOMER SUPPORT

Connect with the right team contact worldwide.

First Name

Last Name

Business Email

Business Phone Number (Optional)

Location

State

Company Name

Job Role

Company Type

Other Job Role (Please Specify)

Other Company Type (Please Specify)

Data subject access requests

For data subject access requests, please choose the relevant option below and fill out the Message box with your specific request. (Optional)

Message (Required)

I have read and understand the Privacy Policy.

I have read and agree the Terms of Service and Cookie Policy.

Yes. I would like to receive communications regarding CME Group products, services, & events. I understand that I can unsubscribe at any time. By registering, I agree to the processing of my personal data in accordance with the CME Group Privacy Policy. (Optional)

Comment or Question

Markets Home

Market Data Home

Services Home

Insights Home

Education Home

CME Group Colleague Privacy Notice

Your Privacy Choices

CUSTOMER SUPPORT

U.S.

EMEA

APAC

Email

Data subject access requests