Effective November 17, 2023
CME Group Inc. and each of its subsidiaries and affiliates (collectively known as 'CME Group', 'we' and 'us') are committed to safeguarding your personal information. CME Group is the controller or processor of your personal information according to the privacy laws and regulations applicable to us. See section 17 below for details on how you can contact us.
The purpose of this privacy notice (‘Notice’) is to explain how we process your personal information so that you understand what we collect, what we do with it, who we share it with and the rights available to you. The processing we undertake may include the collection, storage, modification, access, or destruction of personal information, and may be completed manually or through automatic means.
Personal information (also referred to as 'personal data' or 'data') means any information that can be used to identify you, your device, or, if you live in California, your household. This includes direct identifiers such as your name and contact details, but also indirect identifiers such as data that we may collect from the electronic device that you use to access our services.
If you have any questions about this Notice or how we use your data, our details are provided in the 'Contact details' section below.
This Notice applies to you if you have any of the following relationships with us:
If you are an applicant or candidate for one of our job opportunities, then you can find out more about how we use your data via our Candidate Privacy Notice and our Cookie Notice.
Depending on the nature of the relationship you have with us, where you are located, and the products and services you utilize, we may collect and otherwise process the following personal information including, sensitive personal information in some cases about you:
In addition, we may also collect the following categories of personal data about you, in very limited cases and in compliance with applicable laws, that may be of a sensitive nature:
In addition to any personal information that you provide to us directly, we may also collect and derive data about you through the following means:
Please see section 8 'Who we may receive your data from and why' for further information on the types of third parties from which we may receive your personal information.
Depending on the nature of the relationship that we have with you, where you are located, the purposes for which we may use your data are as follows:
To provide our services, some personal information is necessary so CME can provide you with the required access to CME platforms, information or products. CME also requires personal information to authenticate you so that we know it is you and not someone else. Should you choose not to provide the necessary personal information, we may be unable to facilitate your services or access. You may choose to opt-in or opt-out of receiving marketing communication at any time.
If you are located in the People's Republic of China ("PRC", for the purpose of this Notice, excluding the Hong Kong SAR, the Macau SAR and Taiwan), we process your personal information based on lawful basis permitted under Chinese data privacy laws (and not based on legitimate interests).
We are committed to only using your personal data to the extent relevant, necessary and permitted by applicable local laws. Further information about the purposes for which we may use your data, the categories of personal information that are relevant to each purpose and the lawful basis we rely upon in the EU and elsewhere (as applicable) are outlined below. We have also clarified under what circumstances this processing activity is likely to be performed, with reference to the relationship that you have with us.
PROCESSING PURPOSE |
CATEGORIES OF DATA & TYPE OF RELATIONSHIP WITH US |
LEGAL BASIS FOR PROCESSING (RELEVANT JURISDICTIONS ONLY) |
---|---|---|
Membership applications
|
Categories of data
Relationship type Corporate Representative Service User |
|
Verifying your identity
|
Categories of data
Relationship type Corporate Representative |
|
Know your client checks
|
Categories of data
Relationship type Corporate Representative, Credit Reporting Bodies |
|
Customer services
|
Categories of data
Relationship type Corporate Representative, Service User, Web Visitor |
|
Communicating with you
|
Categories of data
Relationship type Corporate Representative, Service User, Purchaser, Supplier, Third Party Customer, Contributor, Scholarship Candidate |
|
Managing your account
|
Categories of data
Relationship type Service User |
|
Marketing purposes
|
Categories of data
Relationship type Corporate Representative, Service User, Subscriber |
|
Personalizing our services
|
Categories of data
Relationship type Corporate Representative, Service User, Subscriber |
|
Improving our products and services
|
Categories of data
Relationship type Service Users, Web Visitors |
|
Events
|
Categories of data
Relationship type Corporate Representatives, Service User, Subscriber, Event coordinators, Event sponsors |
|
Colleague training
|
Categories of data
Relationship type Corporate Representatives, Service Users |
|
Administration of our business
|
Categories of data
Relationship type Corporate Representatives, Professional services |
|
Compliance with laws applicable to us
|
Categories of data
Relationship type Government and law enforcement agencies. |
|
Legal proceedings and actions
|
Categories of data
Relationship type Law enforcement agencies, Legal counsel |
|
Safeguarding our environments
|
Categories of data
Relationship type Service Users, Web Visitors |
|
Detecting potential market abuses
|
Categories of data
Relationship type Service Users, Web Visitors, Law enforcement agencies, Legal counsel |
|
Administration of our political action committee
|
Categories of data
Relationship type Contributor, Corporate representative |
|
To assess scholarship applications
|
Categories of data
Relationship type Corporate representative |
|
We may de-identify, aggregate or anonymize your personal information in such a way that you may not reasonably be re-identified by us or any other party. We may use such de-identified information as permitted under applicable local law. To the extent we de-identify any personal information and are not required to re-identify it to comply with applicable laws, we will make reasonable efforts to maintain and use such data in a de-identified form and will not attempt to re-identify the data.
We may disclose your data to CME Group entities, service providers or other third parties for various purposes, to achieve our business objectives, and/or to comply with applicable laws. We have agreements in place with these external third parties who process your personal data to ensure their compliance with the applicable data protection laws.
We may disclose your personal information to the following parties to achieve our own purposes and not for money or other valuable consideration:
We may also share de-identified or aggregated information with anyone and for any purpose. To receive more information about the service providers or third parties to which we may disclose your data, you can contact us through the information provided in the 'Contact details' section below.
We may process information collected from or about you in any country in which the CME group operates, as permitted by applicable laws.
In some cases, your information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for information under applicable laws (such as those in the European Union). When we conduct such transfers, we rely on your explicit consent (as required under applicable laws) and/or put in place appropriate safeguards (including without limitation signing standard contractual clauses) in accordance with applicable legal requirements.
Information located outside of your home country may be subject to access by that country's government or its agencies under a lawful order, as permitted by applicable laws.
We put in place appropriate procedures and safeguards in accordance with applicable legal requirements when conducting such transfers. For more information on the appropriate safeguards in place or to obtain a copy of these safeguards, please contact us through the information provided in the 'Contact details' section below.
People’s Republic of China (“PRC”):
All data, including personal information, as defined under the Personal Information Protection Law of PRC, provided to us by you will be used, distributed, and maintained in accordance with this Notice, which forms a part of the contractual terms that you agree to. If you, as an institution, are providing us with this data, you confirm that you have obtained all the necessary consents from the relevant data subjects concerned, and your processing, use and transfer of data to us complies with all applicable PRC data privacy laws. If you, as a natural person, are providing us with your personal information, you expressly give us consent to any processing, use or transfer of such data. In each data transfer above, you acknowledge and agree that the data may be transferred outside of the territory of the PRC.
We may receive certain data about you from various third parties from time to time, including:
This section provides California residents with additional information regarding our collection, use, disclosure, and retention of their personal information, as well as the rights that California residents may have under applicable law.
Categories of personal information we collect
The chart below describes the categories of personal information we collect from the sources identified above in Sections 4 and 8 of this Notice, as well as the categories of third parties to whom we may disclose, “sell” or “share” (as those terms are defined under California law) each category of personal information for the business and commercial purposes described in Section 5 of this Notice.
Category of personal information | Categories of third parties to whom we may disclose personal information for a business purpose | Categories of third parties to whom we may “sell”[1] or “share”1 personal information |
---|---|---|
Commercial information: Such as records of products or services purchased, obtained, or considered, or other purchasing or consuming histories and tendencies, product update preferences, account preferences and analytics, market activities reports, trading and technology communications, as well as clearing and market regulation advisories, and thought leadership and economic report subscriptions. |
|
|
Customer records: Such as your financial account information, credit card number, and debit card number, as well as information used to determine your credit worthiness, such as your credit rating bank statements and tax information. |
|
None |
Identification information: Such as your name, government identification number, driver’s license number, passport number, or similar government ID, mailing address, email address, telephone number, unique online identifier, IP address, or similar identifier that is used to verify your identity. |
|
|
Inferences: Such as inferences drawn to create a profile reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes. |
|
|
Internet or other electronic network activity: Such as your browser type and operating system; browsing history, clickstream data, search history on the services, and information regarding your interaction with an internet website, application, email, newsletter, or advertisement, including access logs and other activity information related to your use of our services; electronic communication records between you and us; authentication details, IP address, cookies, and online identifiers; audio, electronic, visual, or similar information as defined above; the length of time you visit our services; and the referring URL, or the website or application that led you to our services. |
|
|
Professional or employment-related information: Such as your company name and type, job role/title, and the function and detail of the organization you work for. |
|
None |
Social network information: Such as social media account information and posts, comments or other information you submit on any public forums on CME websites. |
|
|
Sensitive personal information: As described above and defined under applicable law. |
|
None |
1 As defined under California law.
We may “sell” or “share” for cross-contextual behavioral advertising your personal information (as these terms are defined under California law). We do not have actual knowledge of “selling”[1] or “sharing”2 the personal information of consumers under the age of 16.
We do not use or disclose your sensitive personal information for purposes other than permitted under applicable law.
2 As defined under California law.
Your California Privacy Rights
In addition to certain rights described in Section 10 of this Notice, you may have the following rights under California law:
Submitting Requests
To exercise your rights to know, access, correct, and delete, please review the additional information provided in Section 10 of this Notice. To exercise your right to opt out of our “sale” or “sharing” of your personal information, please visit our Cookie Preference Center.
Verification
We may request that you provide sufficient information that allows us to verify, to a reasonable degree of certainty, that you are the person about whom we collected personal information. Authorized agents may also be required to provide a copy of your signed permission authorizing the agent to submit requests on your behalf.
California Online Erasure. California residents under age 18 who are registered users of any of our services geared toward this age group may ask us to remove content or information that you have posted to CME websites or related platforms by contacting us using the information in the ‘Contact details’ section below. Please note that your request does not ensure complete or comprehensive removal of the content or information, as, for example, some of your content may have been reposted by another user.
Subject to local law, you may have the following rights regarding your personal information. These rights may be limited or denied in some circumstances. For example, we may retain your personal information where required or permitted by applicable law.
If you reside in France, you also have the right to give instructions to us about the fate of your personal information after your death.
Submitting Requests
To exercise your rights to know, access, correct, delete, restrict, object, or portability under applicable local law or if you are an authorized agent seeking to exercise rights on behalf of a consumer under applicable local law, please contact us on the details set out in the 'Contact details' section of this Notice below. You may also exercise these rights via our Cookie Preference Center.
Please note that some of your rights are not absolute and there may be certain circumstances where we are unable to fulfill a request that you have made. In some circumstances we may also require that you provide additional personal information to confirm your identity.
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention.
CME may use automated analytics to identify individuals who would be most interested in our product, this may result in individuals being contacted about CME products or services.
We use technical, administrative, and physical security safeguards and other reasonable security measures to protect the information that we collect or receive against loss and unauthorized access, use modification, or disclosure. Please be aware that, despite our ongoing efforts, no security measures are perfect or impenetrable. Moreover, we are not responsible for the security of information that you transmit to us over networks that we do not control, including internet and wireless networks.
CME Group retains personal information for the duration of the business relationship or where required, in accordance with the internal records management and retention policies, as well as regulatory requirements that may be applicable to us.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes through other means, and the applicable legal requirements.
We make reasonable attempts to ensure that all instances of such information (e.g. production, backups, etc.) are deleted in their entirety, including any of your personal information. For requests for access, corrections, or deletion please see "Contact Us" below.
Please see our Cookies Notice for further information on how we use cookies on our website.
Our website and services are generally not directed at children under the age of 18. If we obtain actual knowledge that any personal information we collect has been provided by a child under the age of 13, we will promptly delete that information. If you access our website from the EU/EEA or if you access an EU/EEA website, the age limit will be 16. If you access our website from the PRC or if you access a PRC website (if any), the age limit will be 14.
There may be certain circumstances where we process your personal information on behalf of one of our customers and do not use it for our own purposes. For instance, our customer may upload your information to one of our applications which is hosted on our servers. In these circumstances, CME is acting a processor or a service provider in relation to another company that is the controller or business responsible for the handling of your personal information, as these terms are used in applicable data protection laws. This privacy notice will not apply to CME as a processor or service provider, and you should instead refer to the privacy notice of the organization that provides us with your personal information.
The above does not apply to CME Group under the applicable PRC data privacy laws, where no distinction between "data controller" and "data processor" is made. You should however still refer to the privacy notice of the organization that provides us with your personal information, where we would be deemed a third-party data processor.
We may update this Notice from time to time. For instance, there may be changes in the data we collect about you or the purposes for which we use it.
Whenever there are significant changes to the Notice then we will notify you of these.
If you have any comments, questions or concerns about how we process your data, then please contact Privacy Compliance at Privacy@cmegroup.com.
CME Group Inc.
20 S. Wacker Drive
Chicago, IL 60606
+1 312 930 1000
+1 866 716 7274 (US Only)
For the purposes of data protection in the EU/EEA:
The full list of companies across the CME Group and the contact details of each company can be found here.