Finastra External Privacy Policy

Updated: 30 June 2018

INTRODUCTION

Finastra Technology, Inc. and its group companies, (“we”, “us” or “Finastra”) is a leading financial technology provider that the world s financial institutions rely on every day to help them grow and succeed. Our customers, consumers, prospects, registered users, applicants for employment, and others with whom we do business entrust us with their personal data and personally identifiable information (“Personal Information”) and they expect us to protect that Personal Information with the same level of care we do our own. This is fundamental to the way we do business.

This Finastra Privacy Policy External (the “Policy”) describes the practices we have adopted with respect to processing Personal Information including the collection, use, storage or disclosure of Personal Information, (i) on our websites that link to this Policy (collectively the “Sites”); (ii) when you interact with our support centre or other online forums; (ii) when you participate in our webinars, events and demonstrations; (iii) when you purchase our products or services (“Services”); or (v) when you interact with us as a vendor, partner or sub-contractor, except where there are specific privacy requirements for a Service and a separate policy has been published for that particular Service.

SCOPE

Whether acting as a data controller, a data processor or data intermediary, Finastra is required to comply with all applicable laws and regulations protecting the privacy of Personal Information in the jurisdictions where Finastra conducts business.

We may amend this Policy from time to time, should it become necessary or advisable to do so to comply with regulatory requirements or best practices. The most recent modification date of this Policy will appear at the top of this page. If we materially change our practices in processing Personal Information, we will post an updated policy in place of this Policy.

GENERAL DEFINITIONS

These definitions may vary slightly according to local data privacy laws.

“Personal Information” is any information relating to an identified or identifiable natural person (which in some jurisdictions may include individuals who are recently deceased, and whether or not the information is true) or to a legal entity (to the extent protected under applicable data protection law), recorded in any medium including but not limited to electronic, paper, or voice recordings. It may include information such as name, address, date of birth, identification numbers, financial information and any other identifiable personal information. Personal Information may include non-identifiable information which, when combined with other information to which Finastra is likely to have access, can be used to identify an individual.

Individuals or entities that are identified or identifiable by Personal Information are referred to as “data subjects”.

Examples of Personal Information relevant to Finastra may include:

• Customer or Prospect Information: Customer or potential customer’s name, email address, business address, company-related information and Site registration details such as user name/password details.
• Event Attendee and/or Sponsor Information: Name, email address, business address, company-related information, and travel arrangements.
• Applicants for Employment at Finastra: We regularly post available positions in the “Careers” section of our Sites and we collect the necessary information to assess a candidate’s qualifications.
• Usage Information: Information collected from our Sites, including pages visited and documents viewed and information about the browser, device or application you used to access the site. Some of this information is collected using cookies and related technologies. To learn more, please see below.

“Processing” means any operation that is performed on Personal Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, blocking, disabling or destruction.

“Sensitive Personal Information” is a subset of Personal Information, which due to its sensitive nature has been classified by law or policy as requiring additional privacy protection. Sensitive Personal Information may include, without limitation, race, ethnicity, health information, biometric information, religion, gender, sexual orientation, medical/health records, credit card information, dietary requirements, political beliefs and criminal history.

“Third Party” or “Third Party Service Provider” is any natural or legal person, public authority, agency, or other body apart from Finastra that processes or stores Personal Information solely on behalf of and under the instructions of Finastra.

FINASTRA PRIVACY PRINCIPLES
We take our responsibilities as a controller, processor, intermediary or custodian of Personal Information very seriously. We adhere to the following privacy principles:

1. NOTICE

We will provide notice and, where required by law, obtain consent, in order to Process Personal Information for the purposes set out in this Policy. We will provide information about Finastra offerings that may be relevant in accordance with applicable laws.

For Processing carried out by Finastra when acting as a data controller within the European Economic Area (“EEA”) or in respect of any Processing of Personal Information relating to data subjects in the EEA carried out by Finastra when acting as a data controller (“European Processing Activities”), please see our supplemental notice that meets applicable European data protection notice requirements (“Finastra EEA Privacy Notice”). If you are a candidate applying for a position at Finastra in the EEA please refer to our Finastra EEA Applicant Privacy Notice.

The nature of the information we collect or receive varies depending on the Service being provided. We process Personal Information in a reasonable and lawful manner for relevant business purposes. Personal Information is retained for as long as is necessary for the purpose(s) for which it was collected. We request that only the information necessary to fulfill the Service requested.

We collect Personal Information in several ways for different purposes, in particular the following:

• Direct Marketing: We may occasionally use direct marketing to introduce new Services that may be of interest, or to point out different ways that users may be able to take advantage of existing Services. Where required by law, we will obtain consent before using Personal Information for direct marketing purposes. We will also provide an “unsubscribe” or other mechanism to allow opt out from receiving direct marketing messages from us. However, because of the nature of our Services, users who elect not to receive direct marketing messages from us may still be contacted with messages relating to servicing an account with us, or with notifications about software upgrades or release availability, or of other information related to licensed products, if applicable.
• Service Delivery: In order to deliver some Services, we may gather specific information (contact, financial, and other general information), as well as information relating to business needs and preferences and non-identifiable information (such as core system, domain server, computer operating system, or web browser). We collect this information when we on-board a customer using methods described in this Policy and, to the extent permissible under applicable law, by other publicly available means (such as by accessing publicly available databases).
• Email Alerts: We may ask for an email address upon registration for email alerts on Finastra Sites or through a Finastra mobile app. Additional information may be collected depending on the type of alert requested. We will provide an “unsubscribe” or other mechanism to allow individuals who no longer wish to receive email alerts from us to opt out.
• Event Registration: We may collect Personal Information (such as hotel, meal, and other travel preferences) as part of the registration process for Finastra events. This information is used solely for confirmation and billing purposes and to service the registration. We will not disclose such information to any Third Party (other than in connection with administration of the Finastra event) without consent. We do not rent, sell, or otherwise disclose this Personal Information for non-event related mailings without consent.
• Finastra Sites: Finastra Sites may require users to create an account and choose a password. Passwords are for individual use only and may not be shared with others. We do not sell, rent or share Personal Information collected on the Finastra Sites, except as described in this Policy. We may provide links to various third party websites. We do not control or access information users provided to other websites. We are not responsible for the privacy practices of unaffiliated websites to which a Finastra Site may link. We encourage users to become familiar with the privacy practices of such websites before providing them with Personal Information.
• Mobile Computing Devices: Some Finastra Sites and Services are specifically designed to be compatible with and used on mobile computing devices. Information about the use of each mobile version or mobile application will be associated with user account credentials. Some of the Finastra Sites enable download of applications, widgets or other tools that can be used on a mobile device. These tools may transmit Personal Information to us (i) to enable access to a user account, and (ii) to enhance and track use of these tools as well as develop new tools for quality improvement.
• Purchases and Fulfillment: When Services are purchased, additional Personal Information, such as credit card number and expiration date may in some instances be requested. In doing so, Personal Information may be collected in connection with the specific order and in accordance with the privacy practices associated with that specific Service.

2. CHOICE

We do not share Personal Information outside of Finastra unless we have been given permission to do so, on behalf of one of our customers who has authorized us to do so in order to provide that Service, or as permitted or required by law, or as described in this Policy.

• We will only collect, use or disclose Personal Information where we have consent to do so or where otherwise permissible under applicable law. Consent can be withdrawn at any time as described under “Rights”; however, the withdrawal of consent may affect our ability to provide the requested Services or information. Where Services are used by our customers to provide services to their customers, employees or other data subjects, and particularly where our customer provides us with its customers’, employees’ and other data subjects’ Personal Information, we may rely on our customers to obtain the consent of their customers, employees or other data subjects to the collection, use and disclosure of their Personal Information by Finastra.
• We may collect, use or disclose Personal Information we hold without consent in circumstances of emergency that threatens life, health or safety or as permitted or required by law.

We will limit the collection, use and disclosure of Personal Information to that which is reasonably necessary for the identified purposes for which it was collected. We will not collect, use or disclose any Personal Information that is provided to us, except as necessary to provide the Services that we have been contracted to provide or as permitted or required by law.

3. ONWARD TRANSFER

We are accountable for all Personal Information under our control or provided to us, including any Personal Information transferred to Third Party Service Providers for the purpose of providing the Services that we have been contracted to provide. When using Third Party Service Providers, we use contractual or other safeguards to provide a comparable level of protection.

• We take our obligation to protect and safeguard Personal Information seriously and we ensure that our Third Party Service Providers apply the same care when processing information on our behalf.
• Finastra may share Personal Information, consistent with this Policy, with Finastra’s group companies or related entities for the purposes of delivering our Services, managing your accounts, hosting, IT, security, support, billing, marketing and communications, provided those group companies or related entities apply at least the same level of protection as set out in this Policy.
• To perform certain software upgrades or changes, or to provide certain Services, it may be necessary to allow Third Party Service Providers of Finastra to access Personal Information. If so, the Third Party Service Providers will have signed an appropriate Finastra non-disclosure agreement before receiving access to Personal Information and will be bound to treat that Personal Information in a manner consistent with our commitment to privacy and data security.
• If we become aware that a Third Party Service Provider is using Personal Information in a way that is contrary to this Policy, we will take the appropriate measures to prevent or stop such use of Personal Information.
• We will comply with requests to disclose Personal Information where required by local law or government authorities to comply with a legal obligation, and where permissible, we will provide advance notice of such disclosure to the individuals concerned.
• We may transfer Personal Information in connection with a contemplated reorganization, sale, bankruptcy or transfer of all or a portion of our business or assets, to the extent permitted by applicable law. Following such a sale or transfer, the entity to which we transferred Personal Information will be the data controller and point of contact for any inquiries concerning the processing of that Personal Information.

Finastra is a global business. To provide our Services, we may transfer Personal Information around the world, including to the United States and to countries outside of the EEA and Switzerland, which may have different data protection standards to those from the country in which the information was initially provided. Where information is transferred outside the EEA and Switzerland, and where this is to a group company or Third Party Service Provider in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses or Swiss standard contractual clauses, an appropriate Privacy Shield certification or a Third Party Service Provider’s Processor Binding Corporate Rules.

4. SECURITY

The security of Personal Information is extremely important to Finastra.

• We implement and maintain a data security program that includes appropriate standard administrative, technical, physical and operational safeguards designed to:
  • Maintain the security and confidentiality of Personal Information entrusted to us; and
  • Protect Personal Information against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use that could result in harm.
• We implement and maintain practices designed to secure the access, storage and transmission of Personal Information.
• We maintain appropriate security upon the disposal and destruction of records containing Personal Information.
• The nature and extent of protection maintained will correspond to applicable local laws and regulations.
• We restrict access to Personal Information to those employees of Finastra who need to know that information to provide our Services. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of Personal Information. Our employees are also required to attest to the values embodied in our Code of Ethics and Business Conduct. We commit to taking appropriate disciplinary measures to enforce our employees privacy responsibilities.
• We have implemented protocols to verify ongoing compliance with this Policy and to enforce disciplinary action against those who violate the privacy and security practices. To report a privacy violation, contact privacy@finastra.com.

5. DATA INTEGRITY

We endeavour to keep Personal Information accurate and current; and we update it whenever we receive a request to do so, as described below under “Rights”.

• We take reasonable steps to ensure the Personal Information we have collected is accurate, complete, and current.
• We rely on the accuracy and completeness of the Personal Information that has been provided to us to perform the Services requested.
• We will ensure that any changes that we are required to make to Personal Information be updated in a timely fashion.

6. RIGHTS

We honour data subjects’ rights under applicable law to access, correct, update, erase, disable and block their Personal Information when lawfully requested to do so. In some circumstances, a data subject may have the right to obtain a copy of his or her Personal Information or object to processing of his or her Personal Information; to withdraw consent to the collection, use or disclosure of his or her Personal Information for any purpose; and/or to obtain information about how his or her Personal Information has been used or disclosed.

• We will provide data subjects with access to their Personal Information and honour other rights (such as withdrawal of consent) as applicable upon request sent to privacy@finastra.com.
• We will correct a data subject’s Personal Information upon request sent to privacy@finastra.com.
• Data subjects may also opt out of direct marketing by contacting privacy@finastra.com.
• Where we are processing Personal Information on behalf of one of our customers we will refer requests from data subjects for accessing, correcting, updating, erasing, disabling, and/or blocking their Personal Information to that customer for handling and we will assist our customers in responding to access requests we receive.

For more details on in respect of our European Processing Activities, please see the “Finastra EEA Privacy Notice”.

7. ENFORCEMENT

We have policies and procedures in place to implement and audit the privacy principles set forth in this Policy. We have adopted a procedure to receive and respond to complaints and inquiries about our policies and practices relating to the handling of Personal Information. We will investigate all complaints in respect of Personal Information. If a complaint is justified, we will take appropriate measures, including, as necessary, amending our policies and practices. Where we are collecting, using or disclosing Personal Information on behalf of one of our customers, we will assist them in responding to questions and complaints respecting their customers’ Personal Information maintained by us on their behalf. Any inquiries or complaints regarding this Policy or our practices relating to the handling of Personal Information should be addressed to privacy@finastra.com.

8. CONSENT

Except in respect of our European Processing Activities, use of any of our Services in conjunction with this Policy is deemed to be consent to the collection, retention, processing, transfer to third parties and transfer to other countries of your Personal Information, all in accordance with the purposes set forth herein. Data subjects provide Personal Information at their own volition and may be entitled to withdraw consent as described above under “Rights”. The lawful basis for processing Personal Information in respect our European Processing Activities is set out in our “Finastra EEA Privacy Notice”.

9. CONTACT US

For further information on our privacy policies and practices relating to the handling of Personal Information, contact our Privacy Officer by postal mail to Four Kingdom Street, Paddington, W2 6BD, United Kingdom or by email to privacy@finastra.com.