CME Group General Privacy Notice

CME Group Inc. and each of its subsidiaries and affiliates (collectively known as "CME Group", "we" and "us") are committed to safeguarding the data we collect and hold about you ("Personal Data"). CME Group is either the controller or processor of your Personal Data according to the privacy laws and regulations applicable to us.

The purpose of this privacy notice ("Notice") is to explain how we process your Personal Data so that you understand what we collect, what we do with it, who we disclose it to and the rights available to you. The processing we undertake may include the collection, storage, modification, access, or destruction of Personal Data, and may be completed manually or through automatic means, including through the use of artificial intelligence ("AI") technologies.

Personal Data (also referred to as "personal information" or "data") means any information that can be used to identify you, your device, or, if you live in California, your household. This includes direct identifiers such as your name and contact details, but also indirect identifiers such as data that we may collect when you access our services through our websites, mobile apps, or other online applications that link to this Notice (individually and collectively, our "Site").

If you have any questions about this Notice or how we use your data, our details are provided in the 'Contact Details' Section of this Notice (Section 16).

This Notice applies to you if you have any of the following relationships with us: 

• Communicator – an individual who contacts us either online, by telephone, post or any other method. 
• Contributor – an individual who contributes to our Political Action Committee (PAC) in the United States.
• Corporate Representative – an individual who is a representative of any of our corporate customers (e.g., an employee or a director). 
• Purchaser – an individual who purchases anything from us. 
• Service User – an individual who uses any of our platforms or services.
• Scholarship Candidate – an individual that applies for a scholarship via the CME Group Foundation.
• Shareholder – an individual who holds a direct or indirect equitable interest in CME Group. 
• Subscriber – an individual who subscribes to receive communications from CME Group. 
• Supplier – a contact at a company that provides services to us. 
• Third-Party Customer – an individual who is a customer of a third party and we have a relationship with that third party. 
• Web Visitor – an individual who visits our website at www.cmegroup.com, any of our social media pages or interacts with us via any third-party websites (e.g., comment on any of our blogs or posts published on a third-party website). 

If you are an applicant or candidate for one of our job opportunities, then you can find out more about how we use your data via our Candidate Privacy Notice and our Cookie Notice.

We may collect, store, and use the following categories of personal data about you to the extent relevant, necessary and permitted by applicable local laws and depending on the nature of the relationship you have with us:

• Basic Personal Data 
  Name, title, company, job responsibilities, professional and educational qualifications, phone number, mailing address, email address, and other contact details. 
• Transactional Data
  Payment information and transactional history.
• Registration Data
  Newsletter requests, downloads, posts, comments, other information you submit on our public forums, and authentication information, such as usernames/passwords and memorable information.
• Device Data
  Computer Internet Protocol (IP) address, unique device identifier (UDID), cookies and other data linked to a device, data about your usage of our Site and communications, the websites you visited immediately prior to and upon exiting the Site, and the browser software you are using to access the Site. This may also include account preferences and analytical information regarding your stated preferences and relating to your use of our services. For more information regarding cookies, please see Section 14 of this Notice. 
• Demographic Data
  Data about individual credentials, associations, services you are interested in, and other preferences.
• Compliance Data
  Government identifiers, including passport or driver’s license numbers, civil/criminal history, financial status metrics (e.g., credit ratings, tax information), background checks, and other trade compliance and due diligence data, to the extent required or permitted by applicable law.
• Security Data
  CCTV footage, photographs collected for badges/physical security, biometric data, and related information.
• Communications and Media Data
  Records of any communications exchanged between you and us, including scholarship applications, via email, our website (e.g., through our 'Send us feedback form'), telephone, social media, and letter. 

In addition, we may also collect or possess the following categories of Personal Data about you, in very limited cases and in compliance with applicable laws, that may be of a sensitive nature:

• Sensitive Data
  Certain categories of Compliance Data identified above may be considered "sensitive" or "special" within the meaning of applicable laws, such as government identifiers, biometric identifiers, information about your health, details regarding your nationality, race or ethnicity, or religious beliefs where required by applicable laws or provided voluntarily by you, payment information including debit or credit card numbers, and civil/criminal history. Additionally, Sensitive Data may also include information relating to any criminal record that you may have, including suspicions, offenses and convictions.and information related to accidents on CME Group property reported in accordance with the law. 

Where we collect your Personal Data outside of the scope above or for purposes beyond those specified in this Notice, we will communicate this to you.

In addition to any personal data that you provide to us directly, we may also collect and derive data about you through the following means:

• Automated means – for example, when you interact with areas of our network.
• Cookies and Similar Technologies – when you visit our Site or use any of our mobile applications, we may employ cookies and similar technologies. See Section 14 of this Notice for further information.
• Data Analytics – we may infer or derive certain data about you through our analytical processes, including those driven by AI, which are further explained in Section 6 of this Notice.
• Monitoring of platforms and services – if you use any of our platforms (e.g., CME Globex) then we may collect data on your usage of these.
• Third-Party Sources – other organizations, including the one that you may work for, may provide us with access to certain data, as further detailed in Section 5 of this Notice. 

You may not be required to provide us with certain information requested and the provision of such is voluntary. However, some information is necessary for the purposes described in this Notice. If you fail to provide certain information requested as mandatory, we may not be able to administer our relationship with you, where applicable, or we may be prevented from complying with our legal obligations.

We may receive certain data about you from various third parties from time to time, including:

• CME Group – including CME Group systems, colleagues and departments, as needed to facilitate our business operations, services and products and to fulfill our legal obligations to you.
• Electronic Devices – including data sourced from any electronic devices (e.g., mobile devices and laptops) used to access our services.
• Our Corporate Customers –  information we may receive directly from our customers, which may include the company that you represent.
• Publicly Available Government and Non-Government Data – information about you that is available from the government or otherwise publicly available.
• Social Media Platforms – such as email accounts, chat logs, and publicly available information sources from social media pages or via services provided via social media platforms (e.g., LinkedIn, WeChat, Weibo, Facebook, X (formerly Twitter), etc.).
• Third-Party Agencies – who may provide us with information that they have collected from you on our behalf (e.g., companies that perform background checks on behalf of CME Group).
• Third Parties That You Have a Relationship With – if you are a customer of a third party and we have a relationship with that third party, we may receive information from them. We may also receive information from a former employer or your other reference providers.

The purposes for which we may process your personal data are as follows to the extent relevant, necessary and permitted by applicable law:

Additional information

We may de-identify, aggregate or anonymize your Personal Data in such a way that you may not reasonably be re-identified by us or any other party. We may use such de-identified information as permitted under applicable local law. To the extent we de-identify any Personal Data and are not required to re-identify it to comply with applicable laws, we will make reasonable efforts to maintain and use such data in a de-identified form and will not attempt to re-identify the data. 

If you are located in the People's Republic of China ("PRC", for the purpose of this Notice, excluding the Hong Kong SAR, the Macau SAR and Taiwan), we process your Personal Data based on lawful basis permitted under Chinese data privacy laws (and not based on legitimate interests). 

If you are located in the Dubai International Financial Centre ("DIFC"), we process your Personal Data based on lawful basis permitted under DIFC data protection laws. Where the basis is listed as Legitimate Interest, our specific interests being pursued include, but are not limited to:

• Operational Security and Efficiency: Maintaining the security and efficiency of our platforms (e.g., CME Globex), protecting our systems from risk, and ensuring business continuity for the administration of our business and management of your account.
• Safety and Asset Protection: Ensuring physical security and fraud prevention for the protection of our people, property, and assets.
• Service Improvement: Analyzing user interaction, account preferences, and feedback to develop, personalize, and improve the quality and relevance of our products and services.
• Legal Protection: Enforcing and defending our legal rights, property, and safety, and cooperating with governmental and regulatory bodies.

We may disclose your data to CME Group entities, service providers or other third parties for various purposes, to achieve our business objectives, and/or to comply with applicable laws as described in this Section.

• Affiliates – We disclose Personal Data to our affiliated companies for the purposes identified in this Notice.. 
• Customers, Distributors, and Business Partners – As data controllers, we disclose Personal Data to customers, distributors, and business partners in order to provide the services you requested, respond to your inquiries, and carry out the purposes identified in this Notice.
• Mandatory Disclosures and Legal Rights – We disclose Personal Data in order to comply with any subpoena, court order or other legal process, or other governmental request, as allowed by applicable laws.  We also share Personal Data to establish or protect our legal rights, property, or safety, or the rights, property, or safety of others, or to defend against legal claims.
• Professional advisors – We disclose Personal Data to professional advisors including accountants, financial advisors, lawyers and other professional advisors to support auditing, compliance and corporate governance functions.
• Credit Reference Agencies – We disclose Personal Data to credit reference agencies to check your creditworthiness in relation to your credit score and financial status for us undertaking 'Know Your Client/Customer' (“KYC”) checks if you apply for membership with us.
• Business Reorganization – We disclose Personal Data to any corporate purchaser or prospect to the extent permitted by law as part of any merger, acquisition, sale of company assets, or transition of service to another provider, as well as in the event of insolvency, bankruptcy, or receivership in which Personal Data would be transferred as an asset of CME Group.
• Regulators and governmental authorities –  We disclose Personal Data to comply with the law applicable to any member of CME Group, as permitted by applicable laws. This may include filing returns with tax authorities and making disclosures to our regulators (including, for example, the US Securities and Exchange Commission, the US Commodity Futures Trading Commission, the Health & Safety Executive and local financial regulation authorities and data protection authorities) and shareholders.
• Service Providers – We disclose Personal Data to service providers acting as our data processors to enable such parties to perform functions on our behalf and under our instructions in order to carry out the purposes identified above, such as marketing and web hosting. We require service providers by contract to provide reasonable security for Personal Data and to use and process such Personal Data only in accordance with our instructions..

We may also disclose de-identified or aggregated information to anyone and for any purpose permitted under applicable local law. To receive more information about the service providers or third parties to whom we may disclose your data, you can contact us through the information provided in the 'Contact Details' Section (Section 16) below.

We may process information collected from or about you in any country in which CME Group operates, as necessary for the purposes described above. 

In some cases, your information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for information under applicable laws (such as those in the EU/UK/EEA). When we conduct such transfers, we rely on your explicit consent (as required under applicable laws) or ensuring that we have put in place appropriate safeguards (including without limitation signing standard contractual clauses) in accordance with applicable legal requirements.

Information located outside of your country of residence may be subject to access by that country's government or its agencies under a lawful order, as permitted by applicable laws.

We put in place appropriate measures and safeguards in accordance with applicable legal requirements when conducting such transfers. For more information on the appropriate safeguards in place or to obtain a copy of these safeguards, please contact us through the information provided in the 'Contact Details' Section (Section 16).

People's Republic of China: 

All data, including Personal Data, as defined under the Personal Information Protection Law of the People’s Republic of China (“PRC”), provided to us by you will be used, distributed, and maintained in accordance with this Notice, which forms a part of the contractual terms that you agree to. If you, as an institution, are providing us with this data, you confirm that you have obtained all the necessary consents from the relevant data subjects concerned, and your processing, use and transfer of data to us complies with all applicable PRC data privacy laws. If you, as a natural person, are providing us with your Personal Data, you expressly give us consent to any processing, use or transfer of such data. In each data transfer above, you acknowledge and agree that the data may be transferred outside of the territory of the PRC. 

You have control regarding our use of your Personal Data for direct marketing. To the extent consent is required, we obtain consent from you. If you no longer wish to receive any marketing communications, remain on a mailing list to which you previously subscribed, or receive any other marketing communication, you can choose to not receive such communications at any time. Please follow the unsubscribe link in the relevant communication sent by us. or contact us as detailed in this Notice (Section 16). In addition, information about your control over Cookies follows below (Section 14).

This Section provides California residents with additional information regarding our collection, use, disclosure, and retention of their identifiable information (“California Personal Information”), as well as the rights that California residents may have under applicable law.

Categories of California Personal Information We Collect

The chart below describes the categories of California Personal Information we collect from the sources identified above in Sections 3, 4 and 5 of this Notice, as well as the categories of third parties to whom we may disclose, "sell" or "share" (as those terms are defined under California law) each category of California Personal Information for the business and commercial purposes described in Section 6 of this Notice.

Do Not Sell or Share My Information

We may "sell"¹ or "share"¹ your California Personal Information for cross-contextual behavioral advertising. While CME Group does not engage in selling your data as part of a monetary transaction, we do engage in the sharing of data through web tracking technologies, like cookies. We have configured our cookie management tool to honor opt-out preference signals sent by Global Privacy Control ("GPC") within the browser. Due to technical limitations, the GPC signal is only honored within the particular browser. Beyond GPC, we do not currently respond to web browser “do not track” signals or other mechanisms that indicate your preference for not having information collected over time and across different Web sites or digital apps following your visit to one of our sites. For more information on these technologies, please refer to our Cookie Notice. We do not have actual knowledge of "selling"1 or "sharing" the California Personal Information of consumers under the age of 16.

We do not use or disclose sensitive California Personal Information for purposes other than permitted under applicable law.

Your California Privacy Rights

In addition to certain rights described in Section 11 of this Notice, you may have the following rights under California law:

• Not be discriminated against – not be unlawfully discriminated against for exercising your rights.

• Opt-out – opt-out of "sales" of California Personal Information or "sharing" of California Personal Information for cross-contextual behavioral advertising purposes (as these terms are defined under California law). 

Exercising Your Rights

To exercise your rights to know, access, correct and delete, please review the additional information provided in Section 11 of this Notice. You may also exercise these rights via our Privacy Request Form or our Cookies Settings. To exercise your right to opt out of our "sale"1 or "sharing"1 of your California Personal Information, please submit a request through our Privacy Request Form or update your Cookies Settings.

We may request that you provide sufficient information that allows us to verify, to a reasonable degree of certainty, that you are the person about whom we collected California Personal Information. 

Authorized Agents

To the extent that you elect to designate an Authorized Agent to make a request on your behalf, Authorized Agents may also be required to provide a copy of your signed permission authorizing the Agent to submit requests on your behalf, proof of your identity, and verification of their identity; or a valid, designated power of attorney as defined under the California Probate Code.

California Online Erasure. California residents under age 18 who are registered users of any of our services geared toward this age group may ask us to remove content or information that they have posted to CME Group websites or related platforms by contacting us using the information in the 'Contact Details' Section of this Notice (Section 16). Please note that a request does not ensure complete or comprehensive removal of the content or information, as, for example, some content may have been reposted by another user.

¹  As defined under California law.

Subject to local law, you may have the following rights regarding your Personal Data. These rights may be limited or denied in some circumstances. For example, we may retain your Personal Data where required or permitted by applicable law.

• Access/Know –  subject to certain exceptions, you have the right to request a copy of your Personal Data and information relating to how it is processed, and, where that is the case, to request access to the Personal Data as well as further information. You may have the right to request a copy of the Personal Data we are processing about you, which we will provide to you in electronic form.
  
  

• Rectify/Correct – request any incomplete or inaccuracies in the Personal Data we hold about you be corrected.
  
  

• Erasure/Deletion – request that we erase your Personal Data from our records, unless we are required to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.
  
  

• Restrict – request that your data is no longer processed by us where, e.g.: (i) you believe such data to be inaccurate; (ii) our processing is unlawful and you oppose to the erasure of the Personal Data and request the restriction instead; or (iii) we no longer need to process such data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.
  
  

• Object – where the legal justification for our processing of your Personal Data is our legitimate interest, you have the right to object to certain ways that we process your Personal Data. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defense of a legal claim.

  • Direct Marketing - you have the right to object to our use of Personal Data for direct marketing. Please note that we may need to retain certain Personal Data as required or permitted by applicable law.
    
    

• Transfer/Portability – request that your Personal Data be transferred to you or disclosed to a third party in a structured, commonly-used, machine-readable format, where this is: (i) Personal Data which you have provided to us; and (ii) we are processing that data on the basis of your consent or in order to perform our obligations under contract to you (such as to provide legal services).
  
  

• Withdraw Your Consent – where we are relying on your consent to process your Personal Data, then you can withdraw your consent at any time. This includes cases where you wish to opt-out from marketing messages that you receive from us.
  
  

• Lodge a Complaint – you may be entitled to lodge a complaint with your local data protection authority if you believe that we have not complied with applicable data protection laws. For details about the competent supervisory authority for European residents, see https://edpb.europa.eu/about-edpb/board/members_en. In some jurisdictions, such as the United Kingdom, under applicable law, you may also be entitled to lodge a data protection related complaint directly with us. Where you have this right, you can contact us using the ‘Contact Details’ Section of this Notice (Section 16) or via CME Group social media pages. We may request that you provide sufficient information that allows us to verify, to a reasonable degree of certainty, that you are the person the Personal Data pertains to. 

In some jurisdictions, you may also have post-mortem privacy rights. For example, you may have the right to designate an individual to exercise your privacy rights in the event of your death or incapacitation, where applicable by law.

In certain jurisdictions, such as the PRC, you may have the right to opt-out of receiving personalized content and recommendations based on automated processing, including profiling.

In certain jurisdictions, such as the DIFC, where Personal Data is processed under a Legal Requirement or for the Performance of a Contract, we may be restricted from fulfilling requests to exercise the right to rectification, erasure, or objection. The expected impact on your rights in these instances is that your data will be retained and processed as necessary for us to meet mandatory regulatory or contractual duties, even if you request deletion or object to the processing.

Submitting Requests

To exercise your rights to know, access, correct, delete, restrict, object, portability, complain, or withdraw your consent under applicable local law or if you are an Authorized Agent seeking to exercise rights on behalf of a consumer under applicable local law, please contact us on the details set out in the 'Contact Details' Section of this Notice (Section 16). You may also exercise these rights via our Privacy Request Form or our Cookies Settings.

Please note that some of your rights are not absolute and there may be certain circumstances where we are unable to fulfill a request that you have made. In some circumstances we may also require that you provide additional Personal Data to confirm your identity.

We use technical, administrative, and physical security safeguards and other reasonable security measures to protect the information that we collect or receive against loss and unauthorized access, use modification, or disclosure. Please be aware that, despite our ongoing efforts, no security measures are perfect or impenetrable. Moreover, we are not responsible for the security of information that you transmit to us over networks that we do not control, including Internet and wireless networks. You should not share your username and password with anyone, and you should not re-use passwords across more than one website. If you have any reason to believe that your username or password has been compromised, please contact us as detailed in this Notice (Section 16).

1. Artificial Intelligence

   Like many other companies, CME Group may use artificial intelligence (“AI”) to help process your Personal Data for the purposes explained in this Notice, including to enhance operational efficiency and improve service functionality.

2. Automated Decisions

Automated decision-making takes place when an electronic system uses Personal Data to make a decision without human intervention.

CME Group may do this via monitoring, or surveillance activities on any content or materials located on any CME Group information resource or CME Group facility, in accordance with applicable laws. CME Group may provide information obtained in the course of its monitoring activities to a third party, including regulators and law enforcement agencies. CME Group may use automated analytics to identify individuals who would be most interested in our product, which may result in individuals being contacted about CME Group products or services. 

Ultimately, we do not use automated decision-making without human intervention, including profiling, in a way that produces legal effects concerning you or otherwise significantly affects you.

Dubai International Financial Centre

The logic involved in automated decision-making includes identifying patterns in user activity, trade data, and device information to assess risk or categorize product interest. The significance of this processing is to protect market integrity and tailor our communications. The possible outcomes are manually reviewed by CME Group compliance teams, and can include receiving targeted communications about CME Group products or services.

3. Children's Data

   Our website and services are generally not directed at persons/users under the age of 18. If we obtain actual knowledge that any Personal Data we collect has been provided by a child under the age of 13, we will promptly delete that information. If you access our website from the EU/UK/EEA or if you access an EU/UK/EEA website, the age limit will be 16. If you access our website from the PRC or if you access a PRC website (if any), the age limit will be 14.

4. Data Retention

   CME Group retains Personal Data for the duration of the business relationship or where required, in accordance with our internal records management and retention policies, as well as regulatory requirements that may be applicable to us.

   To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve these purposes through other means, and the applicable legal requirements.

   We make reasonable attempts to ensure that all instances of such information (e.g., production, backups, etc.) are deleted in their entirety, including any of your Personal Data. For Personal Data collected through cookies, please see Section 14. 

   For requests for access, corrections, or deletion please see the "Contact Details" Section of this Notice (Section 16).

5. CME Group as Processor or Service Provider

   There may be certain circumstances where we process your Personal Data on behalf of one of our customers and do not use it for our own purposes. For instance, our customer may upload your information to one of our applications which is hosted on our servers. In these circumstances, CME Group is acting as a processor or a service provider in relation to another company that is the controller or business responsible for the handling of your Personal Data, as these terms are used in applicable data protection laws. This Notice will not apply to CME Group as a processor or service provider, and you should instead refer to the privacy notice of the organization that provides us with your Personal Data.

   The above does not apply to CME Group under the applicable PRC data privacy laws, where no distinction between "data controller" and "data processor" is made. You should however still refer to the privacy notice of the organization that provides us with your Personal Data, where we would be deemed a third-party data processor.

Please see our Cookies Notice for further information on how we use cookies and other tracking technologies on our website.

We reserve the right to update this Notice from time to time by publishing a new version online. For instance, there may be changes in the data we collect about you or the purposes for which we use your Personal Data.

Whenever there are significant changes to the Notice that materially affect previously collected Personal Data, we will provide additional notice to you, as required by applicable law.

You can see the date of the last revision at the beginning of this Notice.

If you have any comments, questions or concerns about how we process your data or to exercise any right, then please contact Privacy Compliance at Privacy@cmegroup.com. We can also be reached by post at below address and via telephone at the below telephone numbers.

ATTN: Privacy Compliance
CME Group Inc.
20 S. Wacker Drive
Chicago, IL 60606

 +1 312 930-1000
+1 866 716-7274 (US Only)

Privacy@cmegroup.com

You may also contact us via our Privacy Request Form.

For the purposes of data protection in the EU/UK/EEA, Singapore, India, or the DIFC:

Your controller is the company which employs or engages you. This entity is responsible for deciding how we hold and use your Personal Data. The list of employing controllers across CME Group can be found here. In addition, CME Group Inc. (our US parent company) is also a joint data controller. This Notice is provided for CME Group, and on behalf of Chicago Mercantile Exchange Inc.

CME Group has a designated Data Protection Officer registered for a number of CME entities. They can be contacted at Privacy@cmegroup.com.

CME Group Inc., CME Mercantile Exchange Inc. and the above non-EU/UK/EEA and non-DIFC entities have designated CME Operations Limited as their representative within the EU/UK/EEA and Brokertec Europe Limited in the DIFC.

The full list of companies across CME Group and the contact details of each company can be found here.