1. Purpose and Scope

This privacy notice supplements the CME Group Colleague Privacy Notice and describes how the CME Group will collect and process personal information about current and former employees, internal consultants, contractors, temporary personnel and agents with physical or logical access to CME Group (“Colleagues” "you", "your") as part of our response to the Coronavirus (COVID-19) pandemic. In particular, in order to access our facilities, you may be required to complete these COVID-19 response activities to the satisfaction of the CME Group:

  • Screening questionnaire;
  • Thermal screening; and
  • On-site contact tracing activities at our facilities or otherwise.

In the course of doing so, you may be required to provide personal information including information relating to your health, as further described in this policy. This supplemental privacy notice therefore sets out how we use and protect information collected in the context of the COVID-19 response activities, and your rights in relation to your personal information. Personal information, or personal data, means any information relating to you from which you can be identified. It does not include anonymous data. 

This privacy notice does not form part of any contract of employment or any other contract to provide services. To avoid doubt, the application of this privacy notice to any particular person is not intended to change your status or condition that results from your relationship with us.

The CME Group entity that employs or engages you is responsible for the use of the personal data collected using the channels described above and in countries where it is a relevant distinction, is the controller.

2. What personal data will we collect from you and why?

This section sets out how and why personal data will be processed in connection with workplace activities in response to COVID-19 as well as the types of personal data that each response activity may collect. These activities may be conducted by CME Group or through a third party. Please note that these response activities may vary by location.

Screening Questionnaire

Before being admitted to CME Group facilities, we will require you to complete a Screening Questionnaire (the "Questionnaire") in order to determine whether you may be displaying symptoms of COVID-19 or may have recently been exposed to COVID-19.  The questionnaire will ask questions about the state of your health, your recent travel, and your possible contact with individuals with or at risk of COVID-19.  The Questionnaire will help us determine who is available to report to work and is designed to protect other on-site Colleagues and visitors.

The Questionnaire will be provided to you through an application that you can access on your mobile device. If you are unable to access the application, please contact us to arrange alternative means to complete the Questionnaire. You must complete the Questionnaire each day before accessing any CME Group facilities. Once you complete the Questionnaire, the application will display either a clearance pass for that particular day or a denial message, which indicates whether you will be permitted access to any CME Group facility. You may be required to display the clearance pass for the corresponding day on the application in order to access our facilities.  You will not be permitted access if you receive a red-light denial message or if you have not completed the Questionnaire prior to arriving at the relevant CME Group facility.

Temperature Screening

We may process your temperature data.  In particular, we may screen individuals entering our facilities for elevated body temperature in order to determine whether you may be displaying symptoms of COVID-19. 

Colleagues who access the CME Group trading floor will be asked to undertake a temperature screening.

In conducting a temperature screening, we collect your body temperature as indicated by our temperature screening device at the time of the reading. When we use temperature reading equipment, we use a specialized camera that detects your body temperature and, in the event the technology senses you may have a fever, a video image of you. The equipment we use to take and store images only records temperature readings if the reading indicates that an individual may have a high temperature.  The equipment does not record sound and CME Group will not link the image it collects containing a temperature reading for those with an elevated temperature to any other information which identifies you.

Once the temperature reading equipment detects your body temperature, it will display a green, red or blue light which indicates whether you will be permitted access to any CME Group facilities. This display will only be visible to CME Group Global Security personnel. If your temperature reads above 100.4 degrees Fahrenheit/37.8 C degrees Celsius, a red light will be displayed, and you may be directed to a private area to be assessed by CME Healthcare Center personnel. CME Healthcare Center personnel may log initial assessment information.

For Colleagues with a temperature reading above 100.4 degrees Fahrenheit/37.8 C degrees Celsius, we may associate your temperature with your name and employee identification/badge number, and you may be denied access to the facility. CME Group may log information to maintain business records of Colleagues who were denied access to any CME Group facility.

Contact Tracing

In the event that a Colleague tests positive for COVID-19, we will use contact tracing methods to identify and notify other Colleagues with whom the infected individual may have come in contact in the workplace. We may use information provided as part of the screening questionnaire to contact the Colleague who tested positive. We will interview the Colleague and will leverage floor seating plans and badge activity records. We generally will not reveal the identity of the infected individual to other Colleagues or visitors. Contact tracing, outside of CME Group facilities, will be left to relevant government authorities.

Meetings and Communications

In order to conduct the COVID-19 response activities discussed in this privacy notice, we may discuss specific findings with you or respond to any questions you ask of us. For example, in conducting contact tracing, we may need to speak with you about areas of the workplace you have accessed or other Colleagues with whom you have had contact. These communications may be in person, by phone, or by electronic messaging.

Please note that we may use websites or applications to conduct any of our COVID-19 response activities and capture any of the personal data discussed in this section. The website or application may also collect certain information relating to how you accessed or used the website or application, such as your IP address, device ID, or other persistent identifiers.

We may also obtain information from third parties, such as laboratories that conduct COVID-19 testing. Your provision of personal data to any third party will be subject to the privacy policy of that third party.

Benefits Documentation

In order to administer the CME Group COVID-19 Caregiver Time Off Policy, we may collect data concerning the health of your family members as defined in that policy. The CME Group Human Resources Benefits Department or outside leave administrator may request verification of the family member’s positive COVID-19 test result and/or other documentation as necessary. We will collect this information directly from you.

3. In what circumstances might your personal data be shared with others?

In general, we will typically only share the personal data described in this privacy notice with non-CME Group parties (a) when required by law (e.g., if required to report to local health authorities), or (b) that we engage to assist us with our COVID-19 response activities, such as our service providers, medical personnel who will administer temperature screenings or advise symptomatic colleagues or application providers that will collect Questionnaire responses.

Within CME Group, we will only share the personal data described in this privacy notice with CME Group HR, CME Group Business Continuity Management, CME Group Global Security and CME Group Healthcare Center personnel and your supervisor/manager as is necessary for us to achieve the purposes described in this privacy notice.  Your supervisor/manager and CME Group department personnel listed above may need to inform other Colleagues of your situation.

4. What is CME Group's lawful basis for processing personal data (EU Only)?

We are committed to only using your personal data, including data concerning your health as derived from the Questionnaire and temperature screenings to the extent relevant, necessary and permitted by applicable local law. Unless other stated, our lawful basis for processing personal data is as follows:

  • To meet our legitimate interests, as per Article 6(1)(f) of the GDPR, for example to meet our legitimate need to assess your suitability for entry to our facilities in order to protect your health and safety, that of our Colleagues and other Visitors and to communicate with you. Note that our obligations under health and safety legislation may differ across regions in which we operate.
  • To ensure our compliance with CME Group's health and safety obligations under employment law, specifically Articles 6(1)(c) and 9(2)(b) of the GDPR.
  • For reasons of public interest in the area of public health, as per Article 9(2)(i) GDPR, we may need to process your personal data, including sensitive data. 

The special categories of personal data which we process under this Notice are:

  • Data concerning Colleague health derived from the Questionnaire, meetings and communications with you and temperature screenings
  • Data concerning the health of Colleague family members provided by colleagues to administer the CME Group COVID-19 Caregiver Time Off Policy

Where we process your personal data for other purposes related to your employment, for example in connection with maintaining sickness and other absence records, we will do so in accordance with the CME Group Colleague Privacy Policy.

5. For how long will we retain personal data collected under this Privacy Notice?

We will retain your Questionnaire responses for as long as necessary in order to fulfil the purposes described in this Privacy Notice.

We will retain your temperature reading no longer than the work day on which we obtained the reading.

For other data collected under this Privacy Notice, CME Group retains personal information for the duration of the business relationship, for the duration of CME Group’s COVID-19 response or where required, in accordance with the internal records management and retention policies.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes through other means, and the applicable legal requirements. We will also consider requirements and guidance issued by relevant health authorities and governments.

Personal data described in this Privacy Notice is retained and erased in accordance with the policies described in the CME Group Colleague Privacy Policy.

6. Consent (non-EU only)

To the extent that the applicable local law in your country requires us to obtain your consent to process your personal data, please note that by participating in the COVID-19 response activities you will be deemed to consent to the processing set out in this policy.

7. Who can you contact with questions?

If you have any questions about this privacy notice, how we handle your personal data or to exercise any right, please consult the details provided in the CME Group Colleague Privacy Notice.