Fisher Investments Europe
Privacy & Cookie Policy

Last Updated: May 2019

1.General

This Privacy & Cookie Policy (this “Policy”) sets out how Fisher Investments Luxembourg, Sàrl, trading as Fisher Investments Europe, and its branches (“Fisher Investments Europe”), uses information about natural people (“Individuals”). This includes:

• prospective clients, clients, and their representatives;
• website users;
• business contacts working with service providers and vendors; and
• individuals who agree to participate in market research.

For more information about Fisher Investments Europe, please see the Regulatory Information section at the bottom of Fisher Investments Europe’s websites.

Fisher Investments Europe is committed to privacy, and will only use information about identified or identifiable Individuals (“Personal Data”) in accordance with this Policy. This Policy applies to Fisher Investments Europe’s websites and all interactions of Fisher Investments Europe with Individuals resident in the European Economic Area (“EEA”).

Individuals can contact Fisher Investments Europe in relation to this Policy using the following details:

Fisher Investments Luxembourg, Sàrl,
trading as Fisher Investments Europe
Attn: Frank Nies, Data Protection Officer
2, rue Albert Borschette
L-1246 Luxembourg
privacy@fisherinvestments.lu
+1 650 851 3334

2. What Personal Data Fisher Investments Europe Uses

Fisher Investments Europe uses the following Personal Data for the following categories of Individuals:

a. Prospective clients, clients, and their representatives:

• Fisher Investments Europe uses the name, address and email address of Individuals provided by third party list vendors to provide offers for Fisher Investments Europe’s informational materials. Such Personal Data may come from public sources and/or such vendors’ private databases.
• Fisher Investments Europe uses the name, address, telephone numbers, email address, and asset level category of Individuals who provide such information at the time that they request Fisher Investments Europe informational materials, and at the time that they express an interest in services offered by Fisher Investments Europe.
• When Individuals request that Fisher Investments Europe provide a suitability assessment and investment strategy recommendation and/or engage Fisher Investments Europe as discretionary investment manager, Fisher Investments Europe use the Personal Data which Individuals provide directly, including:
  • Information provided in the Confidential Client Profile;
  • Information provided in the Confidential Client Agreement, account statements, account opening documents for the custodian, and any instruction or mandate form with respect to Fisher Investments Europe’s discretionary investment management service;
  • Information provided to employee representatives of Fisher Investments Europe in-person and by telephone, including information Fisher Investments Europe may request from time to time to assist in providing services to the Individual.
• To conduct a suitability assessment and design a recommended investment strategy for Individuals, as well as conduct ongoing suitability assessments for clients, Fisher Investments Europe uses information provided by Individuals about their mental and physical health (“Health Data”), including in the context of conducting a proprietary assessment of an Individual’s life expectancy and any impact on the investment time horizon for the Individual’s assets.
• Fisher Investments Europe is required under the EU Directive 2015/849 of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (“AML Directive”) and other applicable anti-money laundering laws and regulations (collectively “AML Laws”) to carry out identity verification, sanctions checks, and anti-money laundering and anti-terrorist financing screens. Accordingly, Fisher Investments Europe uses the name, date of birth and address provided by Individuals seeking to become clients of Fisher Investments Europe to perform a sanctions and anti-money laundering check using the services of a third party service provider, which may reveal information relating to criminal convictions or offences.
• Fisher Investments Europe is required under the Markets in Financial Instruments Directive 2014/65/EU (“MiFID II”) and Commission Delegated Regulation (EU) 2017/565 (“CDR 2017/565”) to record telephone conversations that relate to activities in financial instruments. Accordingly, certain telephone calls between the Individual and Fisher Investments Europe will be recorded.

b. Website users:

• Fisher Investments Europe may place ads on publishers’ websites or within email content, either directly through the publisher or via a third party. As a result of Individuals interacting with the advertising content, ad server companies will collect Individuals’ domain types, IP address, and clickstream data.
• Fisher Investments Europe’s websites use cookies and other online tracking technologies that collect information about internet browsing habits and history (collectively referred to in this Policy as “cookies”). For more information, please see Section 9

c. Business contacts at service providers and vendors:

• In dealing with service providers and vendors, Fisher Investments Europe obtains information about the business contact, including name, title, name, address, telephone and fax numbers and email address.

d. Individuals who agree to participate in market research:

• When Individuals agree to participate in market research, Fisher Investments Europe uses information about Individuals’ marketing, investment and servicing preferences. Such data is provided directly by Individuals to Fisher Investments Europe or to a third party service provider engaged by Fisher Investments Europe to conduct such market research.

3. Fisher Investments Europe’s Use of Personal Data

a. Purposes and Lawful Bases

Fisher Investments Europe may use Personal Data for the following purposes, and upon the legal bases set out in the table below.

Where Fisher Investments Europe has relied upon its ‘legitimate interests’ as a legal basis for a particular purpose, it has performed a ‘balancing test’ to ensure that Individuals’ rights and interests are taken into account when their Personal Data is used. Further information on the balancing test can be obtained by contacting Fisher Investments Europe’s Data Protection Officer.

b. If Individuals fail to provide Personal Data

Where Fisher Investments Europe needs to collect Personal Data to comply with a legal obligation, or under the terms of a contract Fisher Investments Europe has with an Individual or at the request of an Individual prior to entering a contract, and the Individual does not provide such data, Fisher Investments Europe may not be able to provide services and may need to cancel the contract. Similarly, if an Individual does not consent to providing Health Data for the purpose described above, Fisher Investments Europe may not be able to provide services and may need to cancel the contract. Fisher Investments Europe will notify the Individual if this is the case at the time. If an Individual requesting informational materials and ongoing insights does not consent to receiving the same, Fisher Investments Europe will not be able to provide such materials and insights.

4. ‘Special Category Personal Data’ and Data Relating to Criminal Convictions

“Special Category Personal Data” includes data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes genetic data, biometric data for the purpose of uniquely identifying an Individual, data concerning health or data concerning an Individual’s sex life or sexual orientation.

As noted above, Fisher Investments Europe collects and uses Health Data to assess suitability with consent of the Individual. In addition, Fisher conducts sanctions and anti-money laundering checks to comply with AML Laws, which may reveal data concerning criminal convictions or offences. The collection or use of any other types of Special Category Personal Data will only be with consent of the Individual.

5. Fisher Investments Europe’s Sharing of Personal Data

a. Who will Fisher Investments Europe share data with?

Fisher Investments Europe will not sell or lease Individuals’ Personal Data to third parties.

For the purposes listed in Section 3 above, Fisher Investments Europe may share Personal Data with:

• Fisher Group companies, including:
  • Fisher Investments (“FI”), Fisher Investments Europe’s parent company in the United States;
  • Fisher Investments Europe Limited, trading as Fisher Investments UK (“FI UK”), a wholly-owned subsidiary of FI in the UK; and
  • Fisher Investments Ireland Limited (“FII”), a wholly-owned subsidiary of FI in the EU.

FI, FI UK and/or FII (the “Outsourced Fisher Companies”) act as service providers of marketing, human resources, finance, information technology, legal support services, and investment sub-management and trading functions to Fisher Investments Europe. In these capacities, all data collected and used by Fisher Investments Europe will be accessible by the Outsourced Fisher Companies. For clients, Fisher Investments Europe obtains their consent in order to share Personal Data with the Outsourced Fisher Companies. In addition, Fisher Investments Europe has put in place safeguards in the form of Model Clauses with Outsourced Fisher Companies located outside the EEA, as described below.

• Fisher Investments Europe-authorised vendors, service providers, agents and representatives. These organisations are as follows:
  • Custodians that hold custody of Individuals’ assets managed by Fisher Investments Europe, as well as custodians, brokers and dealers that execute trade order instructions for Individual clients of Fisher Investments Europe. The custodians holding Individuals’ assets will also have a direct contractual relationship with the Individuals whose assets they hold. Such custodians are generally located in the EEA and are subject to applicable Financial Services Laws. If an Individual requests an account held by a custodian located in the United States, Fisher Investments Europe will transfer Personal Data in connection with such account only with consent of the Individual.
  • Regulatory DataCorp, Inc. (“RDC”) and Tracesmart Ltd. (“TraceSmart”), which carry out the sanctions and anti-money laundering checks on behalf of Fisher Investments Europe as described above in Section 3. RDC is located in the United States; accordingly, Fisher Investments Europe has put in place safeguards in the form of Model Clauses with RDC as described below. TraceSmart is based in the UK.
  • Information technology security providers, such as internet firewall and malware detection providers. Such providers are generally located in the United States; accordingly, Fisher Investments Europe has ensured such providers have safeguards in the form of Model Clauses as described below or are Privacy Shield certified.
  • Direct marketing agents and service providers, including website host companies that collect Personal Data on behalf of Fisher Investments Europe from Individuals interested in Fisher Investments Europe’s informational materials, calling service providers that follow up with Individuals who have expressed an interest in Fisher Investments Europe’s informational materials, merge-purge service providers that ensure mailing lists are accurate, and mailing service providers that send mail to Individuals on behalf of Fisher Investments Europe. Such agents and service providers may be located either within or outside the EEA; Fisher Investments Europe has put in place safeguards in the form of Model Clauses with those located outside the EEA as described below.
  • Providers of third party professional advice, such as lawyers and auditors.
• Regulators (such as the CSSF and NDPC) and law enforcement organisations, as described above in Section 3.
• If Fisher Investments Europe sells, transfers or merges part or all of its business, or attempts to do so, then third parties may receive Personal Data.

b. What safeguards are in place where data is transferred outside of the EEA?

Where data is transferred by Fisher Investments Europe to FI, Individuals’ data will be transferred to the United States, where the laws do not provide the same level of data protection as the country in which the Individual initially provided the data. Fisher Investments Europe will therefore make the transfer in accordance with the European Commission Standard Contractual Clauses (“Model Clauses”). The European Commission has determined that the Model Clauses offer sufficient safeguards to protect Individuals’ privacy and their fundamental rights and freedoms, including the ability to exercise their rights. For more information on EU Standard Data Protection Clauses please visit https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en. Furthermore, as described above, some of the third party service providers that process Personal Data on behalf of Fisher Investments Europe are located in countries outside the EEA that have not been recognised by the European Commission as providing an adequate level of data protection. In these cases, Fisher Investments Europe has put in place measures to ensure that Individuals’ Personal Data is adequately protected, including by having the third party service provider entering into Model Clauses or by ensuring that the third party service provider is certified to the EU-US Privacy Shield. Please contact Fisher Investments Europe using the contact details in Section 1 above with any questions about the safeguards in place to protect Personal Data when transferred outside the EEA (including how to obtain a copy or consult these safeguards).

6. Consent

In accordance with applicable data protection laws, Individuals who consent to Fisher Investments Europe using their Personal Data may contact Fisher at any time to say that they withdraw that consent, and that they do not want their Personal Data to be used for those purposes. Individuals may do so by contacting Fisher Investments Europe using the details set out in Section 1 above.

When doing so, Individuals should:

• ensure that a full name and address and/or email address is provided in exactly the form in which it was originally provided to Fisher Investments Europe to avoid any possible confusion with a different Individual; and
• ensure that the particular uses for which consent is being withdrawn are specified. The uses for which Fisher Investments Europe relies on consent are set out in Section 3

Individuals may also unsubscribe from direct email marketing by emailing info@fisherinvestments.lu .

7. Individuals’ Rights

In accordance with applicable data protection laws, Individuals may exercise rights in relation to the Personal Data that Fisher Investments Europe holds about them.

An Individual’s rights under applicable law may include access to the Personal Data that Fisher Investments Europe processes about the Individual, the right to have such Personal Data corrected or erased, the right to restrict the processing of the Individual’s Personal Data, as well as the right to data portability. Where Fisher Investments Europe has obtained an Individual’s consent for the processing of Personal Data, the Individual has the right to withdraw consent at any time. This will not affect the lawfulness of the processing that has happened based on consent prior to the withdrawal. An Individual also has the right to object, at any time, to the processing of Personal Data which is based on Fisher Investments Europe’s legitimate interests. Where Fisher Investments Europe processes Personal Data for direct marketing purposes, an Individual has the right to object at any time to such processing, including for profiling purposes to the extent that it is related to direct marketing. If an Individual objects to processing for direct marketing purposes, Fisher Investments Europe will no longer process the Individual’s Personal Data for such purposes.

To exercise these rights, Individuals should contact Fisher Investments Europe using the contact details set out in Section 1 above. In each case, Individuals should ensure that the full name and address and/or email address are provided in exactly the form in which they were originally provided to Fisher Investments Europe to avoid any possible confusion with a different Individual. If Individuals are not satisfied with the way Fisher Investments Europe handles the request, they may lodge a complaint with the supervisory authority in their country of residence.

8. Security

Fisher Investments Europe is committed to ensuring that Personal Data is secure. In order to prevent unauthorised access or disclosure, Fisher Investments Europe has put in place suitable physical, electronic and managerial procedures to safeguard and secure Personal Data collected. Fisher Investments Europe uses encryption when collecting or transferring sensitive data.

9. Cookies

For further information on cookies and how to manage them, please click here.

A cookie is a small text file with an identification tag that is created and downloaded to a user’s computer (or other device) when accessing websites that use cookies. Cookies allow a website to, among other things, store and retrieve information about a user’s online activity, browsing habits of a user or user’s computer (or other device) and, depending on the information they contain and the way a user uses a computer (or other device), may be used to recognise the user. 

Cookies can be categorised by who places them:

• First-party cookies: These cookies are downloaded to a user’s computer (or other device) from a computer or domain managed by the publisher of the website whose service the user is requesting.
• Third-party cookies: These cookies are downloaded to a user’s computer (or other device) from a server or domain that is not managed by the publisher of the website, but by another entity that may be seeking data obtained through cookies.

Cookies can also be categorised by their duration:

• Session cookies: These cookies are designed to collect and store data while the user accesses a website. They are often used to store information for the duration of a visit to the website (e.g. what account user is logged into). Once a user leaves the website, the session cookie is deleted.
• Persistent cookies: These cookies store data on the user’s computer (or other device) for the duration period set within the cookie’s file, which is determined by the entity controlling the cookie and can range from a few minutes to several years, or until the user manually deletes them.

Lastly, cookies can be categorised by the function they serve. Fisher Investments Europe uses the following types of first- and third-party cookies:

a. Functionality Cookies

Fisher Investments Europe uses functionality cookies to keep track of whether or not a user has consented to have other types of cookies placed on their computer (or other device) and, if the user has consented, to note when consent was obtained. Functionality cookies do not collect any Personal Data. Enabling functionality cookies may be necessary to access the full content of website material.

b. Personalisation Cookies

Personalisation cookies allow the website to remember information that changes the page’s appearance or behaviour, such as, for example, the language selected for viewing the page.

c. Analytics Cookies

Analytics cookies analyse site statistics and how users browse the Fisher Investments Europe websites and enable Fisher Investments Europe to measure the number of visitors to the website, as well as to measure and analyse how users interact with the website. This information is used to improve Fisher Investments Europe’s websites and the products or services offered.

d. Behavioural Cookies

Fisher Investments Europe serves advertisements on various websites using third-party companies. If a user visits a Fisher Investments Europe website or clicks on one of Fisher Investments Europe’s advertisements, behavioural cookies will be placed on the user’s computer (or other device). Behavioural cookies allow Fisher Investments Europe to manage and optimise its digital marketing (e.g. banner ads, pages offering informational brochures, email campaigns, etc.). Behavioural cookies may be used to build a user profile to provide users with content more relevant to their interests. They adapt advertising and the content users see on other websites based on their browsing habits, including how users navigate the Fisher Investments Europe websites and other websites that the user may visit, as well as how users interact with internet advertising.

Fisher Investments Europe uses the third party personalisation, analytics and behavioural cookie services provided by the companies below and these companies may have access to information collected by the cookies. More information about these cookies can be found here.

10. How to Manage Cookies

A user can manage cookie preferences for the Fisher Investments Europe websites by using Fisher Investments Europe’s online cookie preference tool at Privacy Options.

Some browsers have a “Do Not Track” setting that allows users to send a signal to the websites they visit that the user does not wish to be tracked. Fisher Investments Europe’s website may not respond to these signals.

11. How Long Fisher will keep Data for

Information of Individuals that are clients of Fisher Investments Europe (meaning any Individual who has received an investment strategy recommendation or has retained Fisher Investments Europe as discretionary investment manager) will be kept for the duration of the client relationship plus ten years in order for Fisher Investments Europe to satisfy its recordkeeping obligations under applicable Financial Services Laws, as well as to enforce or defend its legal rights. Information on identity verification and sanctions and anti-money laundering checks will be kept for the duration of the client relationship plus five years in order for Fisher Investments Europe to satisfy its recordkeeping obligations under applicable AML Laws. Recordings of telephone calls will be retained for a period of five years in order for Fisher Investments Europe to satisfy its recordkeeping obligations under applicable Financial Services Laws. Information of Individuals will be kept for a period of five years from the date the Individual consented to direct marketing or until the Individual requests earlier erasure of their information. However, where an Individual consents to have their information retained by the Company to receive ongoing information and insights (subscription) from the Company, their information will be kept until they opt out unless they did not receive a regular opportunity to opt out in which case such information will be retained for five years from consent. In some cases, such general retention periods may be extended for up to ten years for some Individuals who are in more advanced discussions with Fisher Investments Europe or have had regular interactions or meetings with Fisher Investments Europe about its investment management services, unless the Individual requests earlier erasure of their information. Information collected for the purposes of conducting market research will be kept for up to two years following such research, unless the Individual requests earlier erasure of their information. Contact information for vendors/service providers and contact information for Individuals on suppression lists (i.e. name, address, email address and/or phone number) will be retained indefinitely.

12. Questions and Complaints

If Individuals have any questions or complaints in relation to Fisher Investments Europe’s data protection practices, Fisher Investments Europe encourages Individuals to get in contact using the contact details set out in Section 1 above. Individuals also have the right to lodge a complaint with a data protection authority where they believe that Fisher Investments Europe has infringed data protection rules. In particular, this complaint can be made to the data protection authority in the country in which that Individual usually lives, usually works, or the country where the Individual believes the infringement took place.

13. Changes to Privacy & Cookie Policy

From time to time, Fisher Investments Europe may use Personal Data for new, unanticipated uses not previously disclosed in this Policy to the extent permitted by law. If its practices regarding Personal Data change at some time in the future, Fisher Investments Europe will post the policy changes to https://www.fisherinvestments.com/en-gb/privacy and notify Individuals of these changes and provide the ability to “opt out” or unsubscribe from these new uses.

Fisher Investments Europe
Employee and Tied Agent Privacy Policy

Last Updated: May 2019

1. General

This Employee and Tied Agent Privacy Policy (“Policy”) describes how Fisher Investments Luxembourg, Sàrl, trading as Fisher Investments Europe, and its branches (collectively, the “Company”), uses information about employees (“Employees”) and contractors including tied agents (collectively, “Tied Agents”). Employees and Tied Agents together include current, former, prospective/candidate, permanent or temporary employees and contractors of the Company.

In this Policy, “Personal Data” means any information about Employees or Tied Agents who are identified or identifiable. The Company is committed to fulfilling its obligations under the applicable data protection laws in respect of all processing of Personal Data in connection with its business. This Policy does not distinguish between manual and electronic Personal Data.

This Policy may be updated from time to time, should it become necessary to do so.

The Company can be contacted about this Policy using the following details:

Fisher Investments Luxembourg, Sàrl,
trading as Fisher Investments Europe
Attn: Frank Nies, Data Protection Officer
2, rue Albert Borschette
L-1246 Luxembourg
privacy@fisherinvestments.lu
+1 650 851 3334

2. Types of Employee and Tied Agent Personal Data

The Company processes the following types of Employee and Tied Agent Personal Data for the purposes set out in this Policy:

• records of work history (including internal and external work history and references), education and qualifications (including information provided on an application or CV);
• identification data (e.g. name, photograph, address, identification numbers);
• contact details (e.g. name, address, email address, telephone number)
• contact information of spouse / partner / dependent(s) and emergency contact details;
• date and place of birth and nationality;
• marital status;
• background check information, which may reveal data concerning criminal convictions or offences;
• bank details and account numbers;
• compensation, fees, bonus or incentive information, tax rates and withholding information (including invoices, amounts paid or withheld, the frequency and currency of payments);
• expense reimbursements (including receipts and amounts paid)
• Employee benefits information (e.g. health insurance, pension contributions) (including amounts paid, the frequency and currency of payments);
• records of performance (including evaluations of competence, ongoing supervision and monitoring under financial services regulations, economic viability and ratings, complaints, grievances, and disciplinary records);
• information relating to Employee absences from work;
• information relating to Employees’ mental and physical health and mental or physical disabilities (collectively, “Health Data”);
• information relating to Employees’ religious beliefs and trade union membership;
• general organisational data (such as department, work location, job title and seniority);
• information technology data (e.g., passwords, access rights and usage data);
• recordings of telephone calls made by certain representatives of the Company;
• photographic and video images; and
• other data that the Employee or Tied Agent provides to the Company or its affiliates (collectively, the “Fisher Group”).

Personal Data are collected from a variety of sources, but mainly from Employees and Tied Agents themselves. In addition, the Company collects reference check information from previous employers of (or companies to which services were provided by) Employees and Tied Agents. Background check information, which may reveal data concerning criminal convictions or offences, is collected from Sterling Talent Solutions UK Limited (“Sterling”), a background checking firm located in the UK that collects Personal Data from both public and private sources with consent of the Employee or Tied Agent.

3. The Company’s Use of Employee and Tied Agent Personal Data

a. Purposes and Lawful Bases

Employee and Tied Agent Personal Data may be processed by the Company for the following purposes:

Where the Company has relied upon its ‘legitimate interests’ as a legal basis for a particular purpose, it has performed a ‘balancing test’ to ensure that Employees’ and Tied Agents’ rights and interests are taken into account when their Personal Data is used. Further information on the balancing test can be obtained by contacting the Company’s Data Protection Officer.

b. If Employees/Tied Agents fail to provide Personal Data

Failure of an Employee or Tied Agent to provide Personal Data to the Company, in whole or in part, could make it impossible for the Company to fulfil some or all of its obligations towards the Employee or Tied Agent, such as payment of compensation or fees, calculation of withholdings, or consideration of an employment application.

4. The Company’s Sharing of Personal Data

a. Who will the Company share Personal Data with?

Employee and Tied Agent Personal Data may be disclosed to the extent necessary for the purposes in Section 3 to the following recipients:

• Fisher Group companies, including:
  • Fisher Investments (“FI”), the Company’s parent company in the United States;
  • Fisher Investments Europe Limited, trading as Fisher Investments UK (“FIUK”), a wholly-owned subsidiary of FI in the UK; and
  • Fisher Investments Ireland Limited (“FII”), a wholly-owned subsidiary of FI in the EU.

FI, FI UK and/or FII (the “Outsourced Fisher Companies”) act as service providers of marketing, human resources, finance, information technology, legal support services, and investment sub-management and trading functions to the Company. In these capacities, all data collected and used by the Company will be accessible by the Outsourced Fisher Companies. The Company ensures adequate safeguards in the form of Model Clauses with Outsourced Fisher Companies located outside the EEA, as described below.

• Company-authorised vendors, service providers, agents and representatives. These are as follows:

• Other tied agents of the Fisher Group who have access to Company systems, including email, and receive emails that may include Personal Data of Employees or Tied Agents. All tied agents who may access such Personal Data are located in the EEA and are registered with the financial service regulators in the countries where they interact with individuals on behalf of the Fisher Group.
• Workday, Inc. (“Workday”), which provides the Company’s cloud-based human resources administration system. Workday is located in the United States; accordingly, the Company ensures adequate safeguards in the form of Workday’s Privacy Shield certification, as described below.
• iCIMS, Inc. (“iCIMS”), which provides the Company’s cloud-based candidate administration system. iCIMS is located in the United States; accordingly, the Company ensures adequate safeguards in the form of Model Clauses with iCIMS, as described below.
• ADP International Services B.V. (“ADP”) and ADP partners, which process payroll and payments on the Company’s behalf. ADP and its partners are located in the EEA.
• Providers of the Company’s employee benefit programmes. Such service providers are located in the EEA, UK and/or United States. For those providers located outside the EEA, the Company ensures an Adequacy Decision or adequate safeguards in the form of Model Clauses or Privacy Shield certification, as described below.
• Service providers that carry out checks and assessments at the request of the Company, including Sterling, a background check firm located in the UK. In some cases Sterling may use the services of its affiliates located outside the EEA. For Sterling and its affiliates located outside the EEA, the Company ensures an Adequacy Decision or adequate safeguards in the form of Model Clauses or Privacy Shield certification, as described below.
• Service providers that assist Employees with work authorisation/visas and/or relocation, including Newland Chase Limited, a global immigration consultant headquartered in the UK, and Crown Worldwide Limited, a global relocation specialist located in the United States. The Company ensures an Adequacy Decision or adequate safeguards in the form of Model Clauses or Crown’s Privacy Shield certification, as described below.
• Vendors providing training or firm events, which may receive names and/or Company email addresses of Employees or Tied Agents. Such vendors are generally located in the EEA. For any such vendors located outside the EEA, ensures an Adequacy Decision or adequate safeguards in the form of Model Clauses or Privacy Shield certification, as described below.
• Photographers and videographers capturing images of Employees or Tied Agents. Such photographers and videographers are generally located in the EEA. To the extent they are located outside the EEA, the Company ensures an Adequacy Decision or adequate safeguards in the form of Model Clauses or Privacy Shield certification, as described below.
• Providers of third party professional advice, such as lawyers and auditors.

• Future employers requesting reference checks and third parties (including banks, mortgage lenders and landlords) to which the Employee or Tied Agent has requested the Company provide an employment/earnings confirmation letter.
• Courts and tribunals, as described above in Section 3.
• Regulators (including the relevant financial regulators), tax authorities, other government agencies and law enforcement organisations, as described above in Section 3.
• If the Company sells, transfers or merges part or all of its business, or attempts to do so, then third parties may receive Personal Data.

b. What safeguards are in place where data is transferred outside of the EEA?

Where data is transferred to FI, the Company’s parent, Employee and Tied Agent Personal Data will be transferred to the United States, where the laws do not provide the same level of data protection as the country in which the Employee or Tied Agent initially provided the data. The Company will therefore make the transfer in accordance with the European Commission Standard Contractual Clauses (“Model Clauses”). The European Commission has determined that the Model Clauses offer sufficient safeguards to protect individuals’ privacy and their fundamental rights and freedoms, including the ability to exercise their rights. For more information on EU Standard Data Protection Clauses please visit https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

Where data is transferred to FIUK, the Company’s affiliate, Employee and Tied Agent Personal Data will be transferred to the United Kingdom, where the European Commission may have issued a decision that the laws of the jurisdiction provide an adequate level of data protection (an “Adequacy Decision”). In the event the European Commission does not issue an Adequacy Decision for the UK, the Company will make the transfer in accordance with Model Clauses.

As described above, some of the third party service providers that process Personal Data on behalf of the Company are located in countries outside the EEA that do not have an Adequacy Decision. In these cases, the Company has put in place or ensured there are measures to ensure that Personal Data is adequately protected, including by having the third party service provider enter into Model Clauses or by ensuring that the third party service provider is certified to the EU-US Privacy Shield. Please contact the Company using the contact details in Section 1 with any questions about the safeguards in place to protect Personal Data when transferred outside the EEA (including how to obtain a copy or consult these safeguards).

5. Consent

In accordance with applicable data protection laws, Employees and Tied Agents who consent to the Company using their Personal Data may withdraw that consent at any time. Employees and Tied Agents may do so by contacting the Company using the details set out in Section 1 above.

6. Rights of Employees and Tied Agents

In accordance with applicable data protection laws, Employees and Tied Agents may exercise rights in relation to the Personal Data that the Company holds about them.

An Employee’s or Tied Agent’s rights under applicable law may include access to the Personal Data the Company processes about them, the right to have such Personal Data corrected or erased, the right to restrict the processing of their Personal Data, as well as the right to data portability. Where the Company has obtained the Employee’s or Tied Agent’s consent for the processing of Personal Data, the Employee or Tied Agent has the right to withdraw consent at any time. This will not affect the lawfulness of the processing that has happened based on consent prior to the withdrawal. An Employee or Tied Agent also has the right to object, at any time, to the processing of Personal Data which is based on the Company’s legitimate interests. Where the Company processes an Employee’s or Tied Agent’s personal data for direct marketing purposes, the Employee or Tied Agent has the right to object at any time to such processing, including for profiling purposes to the extent that it is related to direct marketing. If an Employee or Tied Agent objects to processing for direct marketing purposes, the Company will no longer process their Personal Data for such purposes.

To exercise these rights, Employees and Tied Agents should contact the Company using the contact details set out in Section 1 above.

It is every Employee’s and Tied Agent’s responsibility to provide the Company with accurate Personal Data and to inform the Company of any changes (e.g. new home address or change of name).

7. Security

The Company and the Fisher Group have put in place adequate security measures to ensure (a) there is no unauthorised access to, or amendment or deletion of, personal data, and (b) access is only be granted to appropriate persons when and to the extent necessary (this entails the use of appropriate password protection for computer held databases and appropriately secured areas, or locked cabinets for manual files).

8. Cookies

The website used by the Company for Employee and Tied Agent positions (i.e. hosted by iCIMS) uses only first- and third-party functional session cookies, as described below. The Company’s main websites for clients, prospective clients and general website users uses additional cookies. By visiting such other websites, Employees and Tied Agents will be subject to the Privacy & Cookie Policy disclosed on such websites.

A cookie is a small text file with an identification tag that is created and downloaded to a user’s computer (or other device) when accessing websites that use cookies. Cookies allow a website to, among other things, store and retrieve information about a user’s online activity, browsing habits of a user or user’s computer (or other device) and, depending on the information they contain and the way a user uses a computer (or other device), may be used to recognise the user. 

Cookies can be categorised by who places them:

• First-party cookies: These cookies are downloaded to a user’s computer (or other device) from a computer or domain managed by the publisher of the website whose service the user is requesting.
• Third-party cookies: These cookies are downloaded to a user’s computer (or other device) from a server or domain that is not managed by the publisher of the website, but by another entity that may be seeking data obtained through cookies.

Cookies can also be categorised by their duration:

• Session cookies: These cookies are designed to collect and store data while the user accesses a website. They are often used to store information for the duration of a visit to the website (e.g. what account user is logged into). Once a user leaves the website, the session cookie is deleted.
• Persistent cookies: These cookies store data on the user’s computer (or other device) for the duration period set within the cookie’s file, which is determined by the entity controlling the cookie and can range from a few minutes to several years, or until the user manually deletes them.

Lastly, cookies can be categorised by the function they serve. The Company uses the following types of first- and third-party cookies:

a. Functionality Cookies

Functionality cookies can keep track of whether or not a user has consented to have other types of cookies placed on their computer (or other device) and, if the user has consented, to note when consent was obtained. Functionality cookies do not collect Personal Data. Enabling functionality cookies may be necessary to access the full content of website material. Functionality cookies may also include authentication cookies.

b. Personalisation Cookies

• Personalisation cookies allow the website to remember information that changes the page’s appearance or behaviour, such as, for example, the language selected for viewing the page.

c. Analytics Cookies

Analytics cookies analyse site statistics and how users browse the website and enable measuring the number of visitors to the website, as well as to measure and analyse how users interact with the website. This information can be used to improve the website and the products or services offered.

d. Behavioural Cookies

Behavioural cookies can include behavioural advertising cookies, allowing advertisements on various websites using third-party companies. If a user visits a website or clicks on one an advertisement that uses behavioural cookies, a behavioural cookie will be placed on the user’s computer (or other device). Behavioural cookies allow a company to optimise its advertising. Behavioural cookies may also be used to build a user profile to provide users with content more relevant to their interests. They adapt advertising and the content users see on other websites based on their browsing habits, including how users navigate the website and other websites that the user may visit, as well as how users interact with internet advertising.

9. How Long the Company will Keep Data for

Information of Employees and Tied Agents who have entered into an employment or tied agent agreement with the Company will be kept for the duration of the employee/contractor relationship plus seven years in order for the Company to satisfy its recordkeeping obligations under applicable tax laws and Financial Services Laws, as well as to enforce or defend its legal rights. However, information of Employees or Tied Agents that forms part of the records of clients may need to be kept for a longer period to satisfy the Company’s recordkeeping obligations under Financial Services Laws with respect to such client records as set out in the Company’s Privacy & Cookie Policy. Recordings of telephone calls will be retained for a period of five years in order for the Company to satisfy its recordkeeping obligations under applicable Financial Services Laws. Information of Employee and Tied Agent candidates will be kept for a period of one year from the date the open position is closed. However, where an Employee or Tied Agent candidate consents to have their information retained by the Company for consideration for future positions with the Company, their information will be kept for five years unless the Employee or Tied Agent requests earlier erasure of their information.

10. Questions and Complaints

If Employees or Tied Agents have any questions or complaints in relation to the Company’s data protection practices, the Company encourages them to get in contact using the contact details set out in Section 1 above. Employees and Tied Agents also have the right to lodge a complaint with a data protection authority where they believe that the Company has infringed data protection rules. In particular, this complaint can be made to the data protection authority in the country in which that Employee or Tied Agent usually lives, usually works, or the country where the Employee or Tied Agent believes the infringement took place.