Visitor

1. Purpose and scope

This privacy notice supplements the CME Group General Privacy Policy and describes how the CME Group will collect and process personal information about  visitors, suppliers, customers, personal guests, and public officials (collectively, “Visitors” or “you”)  as part of our response to the Coronavirus (COVID-19) pandemic. In particular, in order to access our facilities, you may be required to complete the following COVID-19 response activities to the satisfaction of the CME Group:

  • Screening questionnaire;
  • Thermal screening;
  • Waiver;
  • On-site contact tracing activities.

In the course of doing so, you may be required to provide personal information including information relating to your health, as further described in this policy. This supplemental privacy notice therefore sets out how we use and protect information collected in the context of the COVID-19 response activities, and your rights in relation to your personal information.  Personal information, or personal data, means any information relating to you from which you can be identified. It does not include anonymous data.

2. What personal data will we collect from you and why?

This section sets out how and why personal data will be processed in connection with our response to COVID-19. These activities may be conducted by CME Group or through a third party. Please note that these activities may vary by location.

Screening Questionnaire

Before being admitted to CME Group facilities, we may ask you to complete a screening questionnaire (the "Questionnaire") in order to determine whether you may be displaying symptoms of COVID-19 or may have recently been exposed to COVID-19.  The questionnaire will ask questions about the state of your health, your recent travel, and your possible contact with individuals with or at risk of COVID-19.

The Questionnaire will be provided to you through an application that you can access on your mobile device. If you are unable to access the application, CME Group Global Security will have a physical copy of the Questionnaire. CME Healthcare personnel may be on-site to assist with completing the Questionnaire in person. You must complete the Questionnaire each day before accessing any CME Group facilities. Once you complete the online Questionnaire, the application will display either a clearance pass for that particular day or a denial message, which indicates whether you will be permitted access to any CME Group facility. You may be required to display the clearance pass for the corresponding day on the application in order to access our facilities. You will not be permitted access if you receive a red-light denial message or if you have not completed the Questionnaire prior to arriving at the relevant CME Group facility.

Temperature Screening

We may process your temperature data.  In particular, we may screen individuals entering our facilities for elevated body temperature, in order to determine whether you may be displaying symptoms of COVID-19. 

Visitors who access the CME Group trading floor will be asked to undertake a temperature screening.

In conducting a temperature screening, we collect your body temperature as indicated by our temperature screening device at the time of the reading. When we use temperature reading equipment, we use a specialized camera that detects your body temperature and, in the event the technology senses you may have a fever, a video image of you. The equipment we use to take and store images only records temperature readings if the reading indicates that an individual may have a high temperature.  The equipment does not record sound and CME Group will not link the image it collects containing a temperature reading for those with an elevated temperature to any other information which identifies you.

Once the temperature reading equipment detects your body temperature, it will display a green, red or blue light which indicates whether you will be permitted access to any CME Group facilities. This display will only be visible to CME Group Global Security personnel. If your temperature reads above 100.4 degrees Fahrenheit/37.8 C degrees Celsius, a red light will be displayed, and you may be directed to a private area to be assessed by CME Healthcare Center personnel. CME Healthcare Center personnel may log initial assessment information.

For Visitors with a temperature reading above 100.4 degrees Fahrenheit/37.8 C degrees Celsius, we may associate your temperature with your name and visitor identification/badge number, and you may be denied access to the facility. CME Group may log information to maintain business records of Visitors who were denied access to any CME Group facility.

Waiver

Visitors to our trading floor may be required to sign a Waiver of Liability (“Waiver”) prior to entering our facilities in accordance with CME Group’s Guidelines for Trading Floor Access.  We will collect your name, email, badge number, phone number and signature as part of the Waiver. CME Group will maintain business records of Visitors who have completed Waivers. In addition, an indemnification agreement must be on file for the individual or firm hosting you. You may read more information about the Waiver for your convenience here.

Contact Tracing

In the event that a Visitor tests positive for COVID-19, we will use contact tracing methods to identify and notify other Visitors and Colleagues with whom the infected individual may have come in contact. We may use information provided as part of the screening questionnaire to contact the Visitor to ask them about any individuals they were in close contact with at a CME Group facility, and we will leverage floor plans and badge activity records. We generally will not reveal the identity of the individual to the other Visitors and Colleagues. Contact tracing, outside of CME Group facilities, will be left to the relevant government authorities.

3. In what circumstances might your personal data be shared with others?

In general, we will typically only share the personal data described in this Privacy Notice with non-CME Group parties (a) when required by law (e.g., if required to report to local health authorities), (b) with your employer, or (c) with service providers that we engage to assist us with our COVID-19 response activities, such as medical personnel who will administer temperature screenings or advise symptomatic visitors or application providers that will collect Questionnaire responses.

Within CME Group, we will only share the personal data described in this Privacy Notice with CME Group personnel as necessary for us to achieve the stated purposes. 

4. What is CME Group's lawful basis for processing personal data (EU only)?

We are committed to only using your personal data, including data concerning your health as derived from the Questionnaire and temperature screenings to the extent relevant, necessary and permitted by applicable local law. Unless otherwise stated, our lawful bases for processing personal data is as follows:

  • To meet our legitimate interests, as per Article 6(1)(f) of the GDPR, for example to meet our legitimate need to assess your suitability for entry to our facilities in order to protect your health and safety, that of our Colleagues and other Visitors and to communicate with you and your contracting/employing organization.  Note that our obligations under health and safety legislation may differ across regions in which we operate.
  • To ensure our compliance with CME Group's health and safety obligations under employment law, specifically Articles 6(1)(c) and 9(2)(b) of the GDPR.  
  • For reasons of public interest in the area of public health, as per Article 9(2)(i) GDPR, we may need to process your personal data, including sensitive data. 

5. For how long will we retain personal data collected under this Privacy Notice?

We will retain your Questionnaire responses for as long as necessary in order to fulfil the purposes described in this Privacy Notice.

We will retain your temperature reading no longer than the work day on which we obtained the reading.

For other data collected under this Privacy Notice, CME Group retains personal information for the duration of the business relationship, for the duration of CME Group’s COVID-19 response or where required, in accordance with the internal records management and retention policies.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes through other means, and the applicable legal requirements. We will also consider requirements and guidance issued by relevant health authorities and governments.

Personal data described in this Privacy Notice is retained and erased in accordance with the policies described in the  CME Group General Privacy Policy.

6. Consent (non-EU only)

To the extent that the applicable local law in your country requires us to obtain your consent to process your personal data, please note that by participating in the COVID-19 response activities you will be deemed to consent to the processing set out in this policy.

7. Who can you contact with questions?

If you have any questions about this Privacy Notice, how we handle your personal data or to exercise any right, please consult the details provided in the CME Group General Privacy Policy.