CME Group General Privacy Notice
CME Group Inc. and each of its subsidiaries and affiliates (collectively known as 'CME Group', 'we' and 'us') are committed to safeguarding your personal information. CME Group is the controller or processor of your personal information according to the privacy laws and regulations appliable to us. See section 17 below for details on how you can contact us.
The purpose of this privacy notice (‘Notice’) is to explain how we process your personal information so that you understand what we collect, what we do with it, who we share it with and the rights available to you. The processing we undertake may include the collection, storage, modification, access, or destruction of personal information, and may be completed manually or through automatic means.
Personal information (also referred to as 'personal data' or 'data') means any information that can be used to identify you, your device, or, if you live in California, your household. This includes direct identifiers such as your name and contact details, but also indirect identifiers such as data that we may collect from the electronic device that you use to access our services.
If you have any questions about this Notice or how we use your data, our details are provided in the 'Contact details' section below.
2. Who this notice applies to
This Notice applies to you if you have any of the following relationships with us:
- Corporate Representative – you are a representative of any of our corporate customers (e.g. an employee or a director)
- Service User – you use any of our platforms or services
- Web Visitor – you visit our website at www.cmegroup.com, any of our social media pages or you interact with us via any third-party websites (e.g. comment on any of our blogs or posts published on a third-party website)
- Subscriber – you subscribe to receive communications from CME Group
- Purchaser – you purchase anything from us
- Communicator – you contact us either online, by telephone, post or any other method
- Supplier – you provide services to us or are employed by a company that provides services to us
- Third party customer – you are a customer of a third party and we have a relationship with that third party
- Shareholders – you hold a direct or indirect equitable interest in the CME Group
- Contributor – you contribute to our Political Action Committee (PAC) in the United States
- Scholarship candidates – you apply for a scholarship via the CME Foundation
If you are an applicant or candidate for one of our job vacancies, then you can find out more about how we use your data via our Candidate Privacy Notice.
3. What personal information we collect
Depending on the nature of the relationship you have with us, where you are located, and the products and services you utilize, we may collect and otherwise process the following personal information including, sensitive personal information in some cases about you:
- Account preferences and analytics
Information regarding your stated preferences and relating to your use of our services.
- Audio, electronic, visual, or similar information
Information including photographs taken in the workplace, at recruitment events or CCTV footage.
- Authentication details
Your credentials which allow you to access our services, including: your user ID, password, memorable information.
- Communication records
Records of any communications between you and us, including via email, our website (e.g. through our 'Send us feedback form'), telephone, social media and letter.
- Contact details
Your name, title, home address, office address, company name and type, job role, email address, telephone number and mobile number.
- Device and electronic information
Details we collect from your devices when you access our services: include your IP address, cookies, activity logs related to interactions with our systems, online identifiers, device type, operating system, browser, unique device identifiers, and geo-location data.
- Service usage
When you are operating our services (e.g. one of our software applications) we will collect records of your usage including transactions that you undertake, information that you select, logs of when you access the services and for how long, details of any failed login attempts and any information that you choose to download.
- Identification information
Information that is used to verify your identity such as: national insurance number (UK only), social security number, personal identify number (Sweden only), date of birth, place of birth, passport, driver’s license, and proof of address.
- Financial information
Credit/debit card details.
- Financial status
Information used to determine your credit worthiness, such as your credit rating, bank statements and tax information.
- Product and service preferences
Product update preferences, market activities reports, trading and technology communications as well as clearing and market regulation advisories, and though leadership and economic report subscriptions.
- Professional information
Your job role/title, function and details of the organization you work for.
- Social network information
Social media account information and personal information collected from social media accounts.
- Website posts
Posts, comments or other information you submit on any public forums on our website including message boards and chat rooms.
In addition, we may also collect the following categories of personal data about you, in very limited cases and in compliance with applicable laws, that may be of a sensitive nature:
- Biometric data
We have a strict biometric policy. Fingerprint data is captured for Financial Industry Regulatory Authority (FINRA) purposes.
- Criminal convictions
Information relating to any criminal record that you may have, including suspicions, offences and convictions.
4. How your data is collected
In addition to any personal information that you provide to us directly, we may also collect and derive data about you through the following means:
- Cookies and similar technologies – when you visit our website or use any of our mobile applications, we may employ cookies and similar technologies. See section 13 below for further details.
- Monitoring of platforms and services – if you use any of our platforms (e.g. CME Globex) then we may collect data on your usage of these.
- Third party sources – other organizations may provide us with access to certain data, as further detailed in section 8 below.
- Data analytics – we may infer or derive certain data about you through our analytical processes, which are further explained in section 5 below.
Please see section 8 'Who we may receive your data from and why' for further information on the types of third parties from which we may receive your personal information.
Depending on the nature of the relationship that we have with you, where you are located, the purposes for which we may use your data are as follows:
- Processing any application (made via online forms or click-through agreements) you make to become an individual member of CME
- Verifying your identity
- Performing Know Your Customer (KYC) or Anti-Money Laundering (AML) reviews
- Assessing your creditworthiness
- Providing you with customer services and assistance relating to our services
- Communicating with you in relation to any services that we provide to you
- Assisting you with managing any account you have with us
- Monitoring of how you use any service you have with us and our services
- Conduct profiling based on your interactions with us to identify individuals most interested in our products and services
- Sending you newsletters and marketing materials, if you have chosen to subscribe to receive them and otherwise advertising our products and services
- Personalizing our services
- Improving our products and services
- Registering your attendance at our events and conferences
- Assisting with training our staff and our customers
- Administration of our business
- Compliance with laws that are applicable to us
- Defending ourselves and bringing claims in relation to legal proceedings
- Safeguarding our environments
- Administration of our political action committee
- To assess scholarship applications
- Shareholder services
- Security and protecting our systems
To provide our services, some personal information is necessary so CME can provide you with the required access to CME platforms, information or products. CME also requires personal information to authenticate you so that we know it is you and not someone else. Should you choose not to provide the necessary personal information, we may be unable to facilitate your services or access. You may choose to opt-in or opt-out of receiving marketing communication at any time.
If you are located in the People's Republic of China ("PRC", for the purpose of this Notice, excluding the Hong Kong SAR, the Macau SAR and Taiwan), we process your personal information based on lawful basis permitted under Chinese data privacy laws (and not based on legitimate interests).
We are committed to only using your personal data to the extent relevant, necessary and permitted by applicable local laws. Further information about the purposes for which we may use your data, the categories of personal information that are relevant to each purpose and the lawful basis we rely upon in the EU and elsewhere (as applicable) are outlined below. We have also clarified under what circumstances this processing activity is likely to be performed, with reference to the relationship that you have with us.
PROCESSING PURPOSE
|
CATEGORIES OF DATA & TYPE OF RELATIONSHIP WITH US
|
LEGAL BASIS FOR PROCESSING (RELEVANT JURISDICTIONS ONLY)
|
---|
Membership applications
- Setting up your account with us and becoming a CME Group member
- Taking all other necessary steps to make your chosen products/services available to you
|
Categories of data
- Contact details
- Professional information
- Authentication details
- Financial information
- Identification information
- Criminal convictions
Relationship type
Corporate Representative
Service User
|
- Necessary for performance of the contract between you and us
- Legal obligation
- Consent
|
Verifying your identity
- Using information, you have provided to us to verify your identity for setting up your account and creating your profile
- Authenticate your use of our services (e.g. ensuring you have provided us the correct username and password to login to your account)
|
Categories of data
- Contact details
- Identification information
- Authentication details
Relationship type
Corporate Representative
|
- Necessary for performance of the contract between you and us
- Our legitimate business interest in ensuring that we are correctly provisioning access and services
|
Know your client checks
- Performing credit checks to determine your financial status if you apply for a membership with us
|
Categories of data
- Contact details
- Financial status
- Professional information
- Criminal convictions
Relationship type
Corporate Representative, Credit Reporting Bodies
|
- Necessary for performance of the contract between you and us
- Legal Obligation
|
Customer services
- Provide you with assistance with access to and use of our products and services both online and via telephone [for example, account access services]
- Review and respond to any queries, issues and complaints you may have
|
Categories of data
- Contact details
- Professional information
- Authentication details
- Communication records
- Website posts
Relationship type
Corporate Representative, Service User, Web Visitor
|
- Necessary for performance of the contract between you and us
- Our legitimate business interest to aid our customers with their accounts and questions.
|
Communicating with you
- Inform you about important details relating to your account
- Provide you with notifications and alerts relating to your account such as service announcements and details of maintenance or other disruptions
- Communicate with you as necessary to administer our relationship with you
|
Categories of data
- Contact details
- Professional information
- Communication records
- Website posts
- Updates to offerings you have registered for
- Device and electronic data
Relationship type
Corporate Representative, Service User, Purchaser, Supplier, Third Party Customer, Contributor, Scholarship Candidate
|
- Necessary for performance of the contract between you and us
- Our legitimate business interest to communicate with you about your account
|
Managing your account
- Provide you with access to your account information
- Maintain the security of your account
|
Categories of data
- Contact details
- Authentication details
- Communication records
Relationship type
Service User
|
- Necessary for performance of the contract between you and us
- Our legitimate business interest to keep your account secure and provide you with information regarding your account.
|
Marketing purposes
- Contacting you by email, phone, text or post (as applicable) about services, events, industries, product announcements and other marketing communications if you have agreed to receive this information
|
Categories of data
- Contact details
- Device and electronic information
- Product and service preferences
- Communication record
- Account preferences and analytics
- Internet or other electronic network activity information
- Professional information
- Service usage
- Social network information
Relationship type
Corporate Representative, Service User, Subscriber
|
|
Personalizing our services
- Sending news and product related update to customer based on account preferences.
|
Categories of data
- Account preferences and analytics
- Device and electronic information
- Product and services preferences
- Contact details
- Professional information
- Service usage
Relationship type
Corporate Representative, Service User, Subscriber
|
- Our legitimate interest of the administration of the Site, improving our services and statistical purposes
- Consent
|
Improving our products and services
- Undertaking market research and satisfactions surveys to help us understand how our products/services can be improved
- Analysis how you use our services to evaluate our we can improve them and to assess the performance of our systems.
|
Categories of data
- Account preferences and analytics
- Contact details
- Communication records
- Product and services preferences
- Device and electronic information
- Service usage
Relationship type Service Users, Web Visitors
|
- Our legitimate business interest to improve our products and services to meet our customers and client's needs.
|
Events
- Inviting you to our events and conferences
- Registration for attendance and personal requirements depending upon event capabilities.
|
Categories of data
- Contact details
- Professional information
- Communication records
- Account information
Relationship type
Corporate Representatives, Service User, Subscriber, Event coordinators, Event sponsors
|
- Consent
- Performance of a contract
|
Colleague training
- Use recordings of communications with you (e.g. telephone calls) to provide staff training and improve the quality of our customer services
|
Categories of data
- Communication records
- Contact details
- Authentication details
Relationship type
Corporate Representatives, Service Users
|
- Our legitimate business interest, which is to train our colleagues to ensure that they provide the highest quality services to you
|
Administration of our business
- Transfers to prospective or actual buyers of an interest in our business
- Receipt of professional services (e.g. legal advice and accountancy advice)
- Financial management such as internal audits
|
Categories of data
- Contact details
- Communication records
- Financial records
Relationship type
Corporate Representatives, Professional services
|
- Necessary for compliance with our legal obligations
- Performance of a contract
|
Compliance with laws applicable to us
- To cooperate fully with state, local, federal, and international legal, governmental and regulatory entities, authorities and officials in any investigation or governmental, legal or regulatory proceeding relating to any information collected or to any purported unlawful activities.
|
Categories of data
- Contact details
- Communication records
Relationship type
Government and law enforcement agencies.
|
- Necessary for compliance with our legal obligations
- Our legitimate business interest to cooperate with applicable laws and regulations
|
Legal proceedings and actions
- Defense against legal claims
- Enforcement of our legal rights
- Notification of law enforcement regarding alleged or potential criminal activities
|
Categories of data
- Contact details
- Communication records
Relationship type
Law enforcement agencies, Legal counsel
|
- Necessary for compliance with our legal obligations
- Our legitimate business interest to facilitate legal proceedings
|
Safeguarding our environments
- Safeguarding the use of our services to prevent malicious behavior through the monitoring of the use of our services
- Ensuring that there is no unauthorized access to CME offices
|
Categories of data
- Device and electronic information
- Service usage
- Contact details
Relationship type
Service Users, Web Visitors
|
- Necessary for compliance with our legal obligations
- Our legitimate interest of ensuring the security, integrity and availability of our systems and your account
|
Detecting potential market abuses
- Detecting any actions or behaviors that take place using our services which may breach CME's rules or constitute a criminal offence (e.g., fraud, money laundering, market abuse).
|
Categories of data
- Device and electronic information
- Service usage
- Trading history
- Contact information
Relationship type
Service Users, Web Visitors, Law enforcement agencies, Legal counsel
|
- Necessary for compliance with our legal obligations
|
Administration of our political action committee
- Process contributions made via the political action committee
|
Categories of data
- Contact details
- Payment information
- Professional information
Relationship type
Contributor, Corporate representative
|
|
To assess scholarship applications
- Process candidates on their applicability for scholarship opportunities.
|
Categories of data
- Contact information
- Scholarship application
Relationship type
Corporate representative
|
|
We may aggregate or anonymize your personal information in such a way that you may not reasonably be re-identified by us or any other company and may use this anonymized information for any other purpose.
6. To whom we may disclose your data and why
We may disclose your data to CME Group entities, service providers or other third parties for various purposes, to achieve our business objectives, and/or to comply with applicable laws. We have agreements in place with these external third parties who process your personal data to ensure their compliance with the applicable data protection laws.
We may disclose your personal information to the following parties to achieve our own purposes and not for money or other valuable consideration:
- Members of the CME Group – As needed facilitate our operations business, services and products.
- IT suppliers – including hosting providers, service providers and telecommunications providers to manage our business and support our environment and operations.
- Marketing service providers – who may, through the course of their professional services to CME be required to have access to CME services for providing required system services i.e. hosting services, database marketing, customer analytics.
- Credit references agencies – to check your creditworthiness in relation to your credit score and financial status for us undertaking 'KYC' checks if you apply for membership with us.
- Third party payment providers – to process payments when you purchase products or services from us.
- Regulators and authorities – As a global company CME Group is subject to a number of financial and information regulators internationally. CME Group is also based in a number of jurisdictions and subject to those applicable laws. CME Group will therefore, as permitted by applicable laws, share information with these parties to cooperate fully with state, local, federal, and international legal, governmental and regulatory entities, authorities and officials in any investigation or governmental, legal or regulatory proceeding relating to any information collected or to any purported unlawful activities.
- Professional advisors – including accountants, financial advisors, lawyers and other professional advisors to support auditing, compliance and corporate governance functions.
- Law enforcement agencies – in relation to the detection and prevention of criminal activities, as permitted by applicable laws.
- Prospective purchasers and assignees – if our business, or part of it, may be or is sold or reorganized.
We may also share de-identified or aggregated information with anyone and for any purpose. To receive more information about the service providers or third parties to which we may disclose your data, you can contact us through the information provided in the 'Contact details' section below.
7. International transfers of data
We may process information collected from or about you in any country in which the CME group operates, as permitted by applicable laws.
In some cases, your information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for information under applicable laws (such as those in the European Union). When we conduct such transfers, we rely on your explicit consent (as required under applicable laws) and/or put in place appropriate safeguards (including without limitation signing standard contractual clauses) in accordance with applicable legal requirements.
Information located outside of your home country may be subject to access by that country's government or its agencies under a lawful order, as permitted by applicable laws.
We put in place appropriate procedures and safeguards in accordance with applicable legal requirements when conducting such transfers. For more information on the appropriate safeguards in place or to obtain a copy of these safeguards, please contact us through the information provided in the 'Contact details' section below.
People’s Republic of China (“PRC”):
All data, including personal information, as defined under the Personal Information Protection Law of PRC, provided to us by you will be used, distributed, and maintained in accordance with this Notice, which forms a part of the contractual terms that you agree to. If you, as an institution, are providing us with this data, you confirm that you have obtained all the necessary consents from the relevant data subjects concerned, and your processing, use and transfer of data to us complies with all applicable PRC data privacy laws. If you, as a natural person, are providing us with your personal information, you expressly give us consent to any processing, use or transfer of such data. In each data transfer above, you acknowledge and agree that the data may be transferred outside of the territory of the PRC.
8. Who we may receive your data from and why
We may receive certain data about you from various third parties from time to time, including:
- Members of the CME Group – as needed to facilitate our operations business, services and products.
- Our corporate customers – we may receive information directly from our customers (e.g. the company that you represent)
- Third party agencies – who may provide us with information that they have collected from you on our behalf (e.g. companies that perform background checks on behalf of CME)
- Social media platforms – including publicly available information sources from social media pages or via services provided via social media platforms (e.g. LinkedIn, WeChat, Weibo, Facebook, Twitter, etc.)
- Third parties that you have a relationship with – if you are a customer of a third party and we have a relationship with that third party, we may receive information from them
- Publicly available government and non-government data – information about you that are available from the government or otherwise publicly available
Subject to local law, you may have certain rights regarding your personal information.
For example, if you are based in the United Kingdom, the European Union and certain other countries including you may have the following rights:
- Access – request a copy of your data and information relating to how it is processed
- Rectify – request any inaccuracies in the data we hold about you be corrected
- Erasure – request that we erase your data from our records
- Restrict – request that your data is no longer processed by us
- Object – object to certain ways that we process your data
- Transfer – request that your data be shared with a third party
- Withdraw your consent – where we are relying on your consent to process your data, then you can withdraw your consent at any time
- Lodge a complaint – you may be entitled to lodge a complaint with your local data protection authority.
If you reside in France, you also have the right to give instructions to us about the fate of your personal information after your death.
If you reside in California, you may have certain rights with respect to your personal information, including the right to access the personal information we hold about you and the right to opt out of the sharing of your personal information in certain circumstances.
California residents under age 18 who are registered users of any of our services geared toward this age group may ask us to remove content or information that you have posted to CME websites or related platforms by contacting us using the information in the ‘Contact details’ section below. Please note that your request does not ensure complete or comprehensive removal of the content or information, as, for example, some of your content may have been reposted by another user.
To exercise any of your rights, please contact us on the details set out in the 'Contact details' section of this Notice below.
Please note that some of your rights are not absolute and there may be certain circumstances where we are unable to fulfil a request that you have made. In some circumstances we may also require that you provide additional personal information to confirm your identity.
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention.
CME may use automated analytics to identify individuals who would be most interested in our product, this may result in individuals being contacted about CME products or services.
We use technical, administrative, and physical security safeguards and other reasonable security measures to protect the information that we collect or receive against loss and unauthorized access, use modification, or disclosure. Please be aware that, despite our ongoing efforts, no security measures are perfect or impenetrable. Moreover, we are not responsible for the security of information that you transmit to us over networks that we do not control, including internet and wireless networks.
CME Group retains personal information for the duration of the business relationship or where required, in accordance with the internal records management and retention policies, as well as regulatory requirements that may be applicable to us.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes through other means, and the applicable legal requirements.
We make reasonable attempts to ensure that all instances of such information (e.g. production, backups, etc.) are deleted in their entirety, including any of your personal information. For requests for access, corrections, or deletion please see "Contact Us" below.
Please see our Cookies Notice for further information on how we use cookies on our website.
Our website and services are generally not directed at children under the age of 18. If we obtain actual knowledge that any personal information we collect has been provided by a child under the age of 13, we will promptly delete that information. If you access our website from the EU/EEA or if you access an EU/EEA website, the age limit will be 16. If you access our website from the PRC or if you access a PRC website (if any), the age limit will be 14.
15. CME as processor or service provider
There may be certain circumstances where we process your personal information on behalf of one of our customers and do not use it for our own purposes. For instance, our customer may upload your information to one of our applications which is hosted on our servers. In these circumstances, CME is acting a processor or a service provider in relation to another company that is the controller or business responsible for the handling of your personal information, as these terms are used in applicable data protection laws. This privacy notice will not apply to CME as a processor or service provider, and you should instead refer to the privacy notice of the organization that provides us with your personal information.
The above does not apply to CME Group under the applicable PRC data privacy laws, where no distinction between "data controller" and "data processor" is made. You should however still refer to the privacy notice of the organization that provides us with your personal information, where we would be deemed a third-party data processor.
16. Updates to this notice
We may update this Notice from time to time. For instance, there may be changes in the data we collect about you or the purposes for which we use it.
Whenever there are significant changes to the Notice then we will notify you of these.
If you have any comments, questions or concerns about how we process your data, then please contact us at:
Email: Privacy@cmegroup.com
Post:
20 S Wacker Drive
Chicago
IL 60606
Phone: +1 866 716 7274
For the purposes of data protection in the EU/EEA:
The full list of companies across the CME Group and the contact details of each company can be found here.
- The CME Group has a designated Data Protection Office registered for a number of CME entities. They can be contacted at Privacy@cmegroup.com