TISE Logo

Privacy Policy

1. Scope of this Privacy Policy

1.1 The privacy of your personal data is extremely important to us and this privacy policy sets out important information about how The International Stock Exchange Group Limited and The International Stock Exchange Authority Limited (together, "TISE", "we" or "us") collects, handles and uses your personal data as a part of the TPM Platform (defined below).

1.2 Personal data is any information from which you can be identified. We're committed to protecting the privacy and security of your personal data.

1.3 In this privacy policy, "processing" means the collection, recording, storage, use, disclosure and generally any other uses, form of operations or dealings with your personal data.

1.4 This Notice was last updated on 30 August 2023.

2. About us

2.1 TISE provides financial markets and securities services to public and private companies. TISE Private Markets is a subscription-based private online investment marketplace platform ("TPM Platform") allowing issuers to facilitate the buying and selling of equity securities or managed investment products ("Issuers") and holders to buy and sell equity securities or managed investment products of the issuers. If you are registered on the TPM Platform and using it to buy and sell your equity securities or managed investment products, we refer to you as a "Holder".

2.2 In order for us to operate the TPM Platform, TISE must process personal data and when doing so, TISE will be a "controller" of certain personal data; this means we are responsible for the processing of your personal data.

2.3 This privacy notice covers the situations where we are a controller of your personal data in relation to the TPM Platform. This is predominantly when we are processing personal data about the directors and shareholders of the Issuers.

2.4 Where we process personal data of Holders who use the TPM Platform, with the exception of the data we process to set up a Holder account (see Section 3.6 below), we will be doing this as a processor on behalf of the Issuer. This means that we will only be acting on and in accordance with the instructions of the Issuer and Holders should contact the Issuer for information on how the Issuer is processing Holder personal data in relation to the TPM Platform.

2.5 We are committed to protecting your privacy and processing your personal data fairly and lawfully in compliance with all data protection laws in Guernsey and the United Kingdom, including the Data Protection (Bailiwick of Guernsey) Law 2017, UK GDPR and the Data Protection Act 2018 ("Data Protection Laws").

3. Whose personal data do we use?

3.1 The personal data that we collect, use and process and the purposes for doing so will depend on your relationship with us. We obtain and process personal data relating to: (i) directors at Issuers (ii) material shareholders at Issuers (iii) administrator users of the TPM Platform at Issuers; and (iv) Holders who use the TPM Platform.

3.2 Please see the relevant heading below (which correlates to your relationship with TISE) to learn more about how we use your personal data.

3.3 Directors at Issuers

This section will apply to those directors at Issuers and whose information is processed as a part of the onboarding process for the Issuer onto the TPM Platform.

(a) What personal data do we collect and use?

     (i) general information such as your full name, address, email address and date of birth;
     (ii) professional details such as your job title, information about your job role, industry and current employer;
     (iii) other positions you may hold as a director;
     (iv) identity documents such as copies of passports and utility bills;
     (v) details of any bankruptcy or similar arrangement;
     (vi) details of any criminal record, fraudulent activity or disqualifications;
     (vii) information about you in relation to the Issuer, for example percentage of ownership, directorships; and
     (viii) any other information we collect directly from you during our onboarding process.

(b) How do we obtain your personal data?

We collect most of your personal data directly from you or the Issuer. In some instances, this is requested through our onboarding application forms, but we may also use our own records and information from other sources for compliance with legal and regulatory obligations. For example we use a third party screening tool to undertake PEPs, sanctions and adverse media checks.

(c) For what purpose do we use your personal data and with whom is it shared?

We only process personal data for the purposes described in this Notice. Data Protection Laws require companies to have a "lawful basis" to collect and use personal data.

For TISE this will be that it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interest.

We will process your personal data for the following purposes and in reliance of the listed lawful bases:

Purpose for processing your personal data Lawful basis
Providing the services requested by the Issuer and/or Holder on the TPM Platform and carrying out our obligations relation to the Agreement • Legitimate interests (to provide our TPM Platform service)
Conducting a risk assessment as prescribed by
applicable legal provisions by collecting and archiving
required documentary evidence regarding your identity for onboarding purposes
• Legitimate interests (to provide our TPM Platform service)
Processing requests related to the TPM Platform (deposit, withdrawals, auction actions etc.) • Legitimate interests (to provide our TPM Platform service)
General business management, record keeping,
operations and planning, including accounting and
auditing
• Legitimate interests (business administration and operations)
Meeting our regulatory obligations  • Necessary for a legal obligation imposed on TISE
• Legitimate interests (to meet our regulatory obligations)


(d) Who do we share your personal data with?

When we share your personal data, we do so in accordance with Data Protection Laws and our internal security standards. Below are the parties with whom we may share personal data and why:

  • Within the TISE group: We may share your personal data with other companies within the TISE group. This data may be transferred in order to allow us to provide a full service to you, where other companies within the TISE group perform components of the full service offering such as financial, IT maintenance or support services.

  • With Shieldpay: See Section 4 for more information.

  • Our third party service providers: We may share personal data with third party service providers such as providers/vendors and agents (including their subcontractors) such as identity verification service providers, IT suppliers, software providers and information security providers which are only authorised to process your personal data strictly for the purposes of providing these services and in accordance with our instructions. If applicable, we will enter with such third party service providers into the relevant contractual agreements or the standard data protection clauses that would be required under Data Protection Laws to ensure compliance with our instructions.

  • Other third parties: We may share your personal data with any lawyers, external auditors or advisors, professional consultants, credit reference agencies, notaries, bailiffs, law enforcement agencies, as well as any courts, regulatory, governmental, administrative or other official bodies as agreed or may be required by law, where such disclosure is necessary (i) to comply with any applicable law or regulation; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our services; and (iv) to protect our rights and interests.


3.4 Material Shareholders at Issuers

This section will apply to those shareholders of Issuers who hold a material shareholding either when the Issuer is onboarded onto the TPM Platform or subsequently. A material shareholder means a shareholder who holds or controls 25% or more of the Issuer’s share capital.

(a) What personal data do we collect and use?

      (i) general information such as your full name, address, email address and date of birth;
      (ii) your percentage shareholding in the Issuer; and
      (iii) identity documentation.

(b) How do we obtain your personal data?

We collect most of your personal data directly from the Issuer. In some instances, this is requested through our onboarding application forms, but we may also use our own records and information from other sources for compliance with legal and regulatory obligations. For example we use a third party screening tool to undertake PEPs, sanctions and adverse media checks.

(c) For what purpose do we use your personal data and with whom is it shared?

We only process personal data for the purposes described in this Notice. Data Protection Laws require companies to have a "lawful basis" to collect and use personal data. In this situation:

      (i) we have a legal obligation, in order to comply with our legal and regulatory obligations to which we are subject. Examples of such regulatory obligations include, among others: reporting obligations to the GFSC; providing information to financial crime authorities of suspicious money-laundering transactions or in the context of financial criminal proceedings; providing information to tax authorities; and/or
      (ii) it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interest.

(d) Who do we share your personal data with?

When we share your personal data, we do so in accordance with Data Protection Laws and our internal security standards. Below are the parties with whom we may share personal data and why:

  • Within the TISE group: We may share your personal data with other companies within the TISE group. This data may be transferred in order to allow us to provide a full service to you, where other companies within the TISE group perform components of the full service offering such as financial, IT maintenance or support services.

  • With Shieldpay: See Section 4 for more information.

  • Our third party service providers: We may share personal data with third party service providers such as providers/vendors and agents (including their subcontractors) such as identity verification service providers, IT suppliers, software providers and information security providers which are only authorised to process your personal data strictly for the purposes of providing these services and in accordance with our instructions. If applicable, we will enter with such third party service providers into the relevant contractual agreements or the standard data protection clauses that would be required under Data Protection Laws to ensure compliance with our instructions.

  • Other third parties: We may share your personal data with any lawyers, external auditors or advisors, professional consultants, credit reference agencies, notaries, bailiffs, law enforcement agencies, as well as any courts, regulatory, governmental, administrative or other official bodies as agreed or may be required by law, where such disclosure is necessary (i) to comply with any applicable law or regulation; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our services; and (iv) to protect our rights and interests.

3.5 Issuer Administrator users of the TPM Platform

This section will apply to individuals authorised by the Issuer to access and undertake activities on the TPM Platform on the Issuer's behalf whom we liaise with and set up an account for on the TPM Platform.

(a) What personal data do we collect and use?

     (i) general information such as your name and date of birth, and contact details including phone number and email address;
     (ii) professional details such as your job title and information about your job role;
     (iii) usernames and passwords for the TPM Platform; and
     (iv) identity documents such as passport copies and utility bills.

(b) How do we obtain your personal data?

We collect most of your personal data directly from you or the Issuer. In some instances, this is requested through our onboarding application forms, but we may also use our own records and information from other sources for compliance with legal and regulatory obligations. For example we use a third party screening tool to undertake PEPs, sanctions and adverse media checks.

(c) For what purpose do we use your personal data and with whom is it shared?

We only process personal data for the purposes described in this Notice. Data Protection Laws require companies to have a "lawful basis" to collect and use personal data. For TISE these will be:

      (i) it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interest.


We will process your personal data for the following purposes and in reliance of the listed lawful bases:

Purpose for processing your personal data  Lawful basis
To set up an account for you on the TPM Platform on
behalf of the Issuer
• Legitimate interests (to provide our TPM Platform services)
For general correspondence purposes in relation to the TPM Platform • Legitimate interests (to provide our services and keep you updated about the TPM Platform)
For marketing purposes • Legitimate interests (to send you information about our services)


(d) Who do we share your personal data with?

When we share your personal data, we do so in accordance with Data Protection Laws and our internal security standards. Below are the parties with whom we may share personal data and why:

Within the TISE group: We may share your personal data with other companies within the TISE group. This data may be transferred in order to allow us to provide a full service to you, where other companies within the TISE group perform components of the full service offering such as financial, IT maintenance or support services.

With Shieldpay: See Section 4 below for more information.

Our third party service providers: We may share personal data with third party service providers such as providers/vendors and agents (including their subcontractors) such as identity verification service providers, IT suppliers, software providers and information security providers which are only authorised to process your personal data strictly for the purposes of providing these services and in accordance with our instructions. If applicable, we will enter with such third party service providers into the relevant contractual agreements or the standard data protection clauses that would be required under Data Protection Laws to ensure compliance with our instructions.

Other third parties: we may share your personal data with any lawyers, external auditors or advisors, professional consultants, credit reference agencies, notaries, bailiffs, law enforcement agencies, as well as any courts, regulatory, governmental, administrative or other official bodies as agreed or may be required by law, where such disclosure is necessary (i) to comply with any applicable law or regulation; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our services; and (iv) to protect our rights and interests.

3.6 Holders who use the TPM Platform

This section will apply to Holders who will be using the TPM Platform.

Where we process personal data of Holders who use the TPM Platform, we will be doing this as a processor on behalf of the Issuer; meaning that we will only be acting on and in accordance with the instructions of the Issuer when you are using the TPM Platform. Therefore much of the information that is being processed about Holders on the TPM Platform is under the control of the relevant Issuer and Holders should contact the Issuer for information on how the Issuer is processing Holder personal data.

The only exception to this will be where we process personal data for the Holder in order to set up an initial account for them on the TPM Platform ("Holder User Account Administration");

3.7 Holder User Account Administration

(a) What personal data do we collect and use?

Personal details such as your name, address, date of birth, country of residence and contact details including phone number and email address and other information we require to enable two factor authentication.

(b) How do we obtain your personal data?

We collect most of your personal data directly from you, primarily through our onboarding application forms which you fill out when you sign up to the TPM Platform or we receive it from the Issuer. Information we receive about you from the Issuer includes your name and contact details.

(c) For what purpose do we use your personal data and with whom is it shared?

We only process personal data for the purposes described in this Notice. Data Protection Laws require companies to have a "lawful basis" to collect and use personal data. For TISE these will be:

      (i) it is necessary in order to take steps to enter into a contract with you; and/or
      (ii) it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interest.
     
We will process your personal data for the following purposes and in reliance of the listed lawful bases:

Purpose for processing your personal data Lawful basis
To set up an account for you on the TPM Platform • Legitimate interests (to provide our TPM Platform services)
General business management, record keeping, operations and planning, including accounting and auditing • Legitimate interests (business administration and operations)

Improving and personalising our services to enhance
your trading experience
• Legitimate interests (to provide our TPM Platform service)


(d) Who do we share your personal data with?

When we share your personal data, we do so in accordance with Data Protection Laws and our internal security standards.

Within the TISE group: We may share your personal data with other companies within the TISE group. This data may be transferred in order to allow us to provide a full service to you, where other companies within the TISE group perform components of the full service offering such as financial, IT maintenance or support services.

Our third party service providers: We may share personal data with third party service providers such as providers/vendors and agents (including their subcontractors) such as identity verification service providers, IT suppliers, software providers and information security providers which are only authorised to process your personal data strictly for the purposes of providing these services and in accordance with our instructions. If applicable, we will enter with such third party service providers into the relevant contractual agreements or the standard data protection clauses that would be required under Data Protection Laws to ensure compliance with our instructions.

Other third parties: we may share your personal data with any lawyers, external auditors or advisors, professional consultants, credit reference agencies, notaries, bailiffs, law enforcement agencies, as well as any courts, regulatory, governmental, administrative or other official bodies as agreed or may be required by law, where such disclosure is necessary (i) to comply with any applicable law or regulation; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our services; and (iv) to protect our rights and interests.

4. Shieldpay

4.1 We have engaged a third party provider called Shieldpay to (i) carry out identity and bank account verification services in relation to the users of the TPM Platform and (ii) process payments in relation to auctions on the TPM Platform.

4.2 In some circumstances we provide personal data on Holders and Issuers to them for the purposes of carrying out identity verification services and in other situations Holders and Issuers provide information direct to Shieldpay. In all situations Shieldpay are a controller of the personal data they have in connection with the TPM Platform and their Privacy Policy.

5. How do we protect your personal data when sending it outside UK and/or Europe?

5.1 In some circumstances, we may need to transfer your personal data to a country or territory outside Guernsey, Jersey, the UK and/or the European Economic Area (which means all the European Union (EU) countries plus Norway, Iceland and Liechtenstein, together "EEA").

5.2 When we do so, we will ensure that such transfers are appropriately safeguarded and in compliance with Data Protection Laws. This may mean that we transfer data to countries considered adequate by the Guernsey data protection authority or otherwise enter into standard clauses approved by the Guernsey data protection authority.

6. What marketing activities do we carry out?

6.1 We may from time to time provide you with information about our services or information about any relevant industry developments which we think will be of interest to you or which you have asked us to provide you with. This may be sent by email or we may contact you by phone.

6.2 Please note that you can opt out of receiving any marketing communications at any time. An "unsubscribe" link appears in all our marketing emails. To unsubscribe from emails sent by us, simply click on the link at any time. Alternatively, you can contact us to update your preferences using the contact details in the "Contacting Us" section below (see Section 10).

7. Your rights

7.1 When we have identified in this privacy policy that we are a data controller you have the right to make certain requests of us in relation to the personal data that we hold about you. If you wish to exercise these rights at any time please contact us using the details set out in the "Contacting us" section (see Section 10). Please note that if your query concerns any information processed by Shieldpay, you can contact them at dpo@shieldpay.com. If your query concerns the personal data processed in the context of the auction on the TPM Platform, you will need to contact the relevant Issuer who will liaise with us as appropriate.

7.2 Please note that not all of your data subject rights will be absolute; this means that there may be some circumstances where we may not be able to comply with your request (such as where this would conflict with our obligation to comply with legal requirements). However, if we cannot comply with your request, we will tell you the reason, and we will always respond to any request you make. In some locations, not all rights will be available. We have set out a summary of relevant rights available to you under the locations in which we operate.

7.3 There may also be circumstances where exercising some of these rights (such as the right to erasure, the right to restrict processing and the right to withdraw consent) will mean we can no longer provide you with our services. We will inform you of these consequences when you exercise your right.

7.4 Your rights under data protection laws are:

(a) the right to access your personal data:

     (i) you are entitled to a copy of the personal data we control and hold about you and certain details of how we use it; and
     (ii) we will usually provide you with your personal data in writing, unless you request otherwise, or where you have made the request using electronic means, in which case the information will, where possible, be provided to you by electronic means;

(b) the right to rectification: we take reasonable steps to ensure that your personal data that we hold is accurate and complete, however, you can ask us to amend or update the personal data if you do not believe that this is so or if your details change;

(c) the right to erasure: you have the right to ask us to erase your personal data in certain circumstances, for example where you withdraw your consent or where the personal data we obtained is no longer necessary for the original purpose; this right, will, however, need to be balanced against other factors, for example, we may have legal obligations which mean we cannot comply with your request;

(d) the right to restrict processing: in certain circumstances, you are entitled to ask us to stop using your personal data, for example where you think that we no longer need to use your personal data or where you think that the personal data we hold about you may be inaccurate;

(e) the right to data portability: you have the right, under certain circumstances, to ask that we transfer personal data that you have provided to us to another third party of your choice;

(f) the right to object to marketing: you can ask us to stop sending you marketing messages at any time. You can exercise this right by either clicking on the "unsubscribe" link which is contained in any email that we send to you or you can use the details set out in the "Contacting us" section to contact us (see Section 10). Please note that exercise of this right does not extend to service related communications which, where necessary, we will continue to send;

(g) the right to object to processing: where we process your personal data based on our legitimate business interests (indicated in this privacy policy), you can object to our processing. We will consider your objection and determine whether or not our legitimate business interests prejudice your privacy rights;

(h) the right to withdraw consent: we may ask for your consent for certain uses of your personal data – we have indicated in this privacy policy where we need your consent. You have the right to withdraw your consent at any time;

(i) rights relating to automated decision-making: we do not carry out any automated decision making. If this changes in the future, we will let you know; and

(j) to the right to lodge a complaint with the Office of the Data Protection Authority: you can find out more information at their website: www.odpa.gg. Please note that lodging a complaint will not affect any other legal rights or remedies that you have.

8. How do we protect your personal data?

8.1 We have put in place:

(a) appropriate security measures, policies and procedures to prevent your personal data from being accidentally lost, used, interfered with or accessed in an unauthorised manner, altered or disclosed; and

(b) procedures to address any suspected personal data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.

8.2 We review our security measures periodically. We also ensure that our employees receive appropriate data security training.

9. How long do we keep your personal data?

9.1 We will only keep your personal data for as long as is necessary to fulfil the relevant purposes as set out in this privacy policy and more widely to comply with our legal obligations.

9.2 The exact time period will depend on your relationship with us and the type of personal data we hold; for example:

Nature of data  Retention period
Holder Accounts 6 months from the Holder closing your account
Issuer Administrator Accounts 6 months from the Issuer closing your account
Issuer information (e.g. directors, material shareholders) 6 years after the relationship with the Issuer ends

10. Contacting us

If you have any queries about how we handle your personal data, the contents of this privacy policy, your data protection rights under applicable data protection laws, how to update your records or how to obtain a copy of the personal data that we hold about you, please email us at data.protection@tisegroup.com or write to us at: The International Stock Exchange Authority Limited, PO Box 623, Helvetia Court, Block B, 3rd Floor, Les Echelons, St Peter Port, Guernsey GY1 1AR.

11. Updates to this Privacy Policy

We may change or update parts of this Notice from time to time in order to maintain compliance with applicable Data Protection Laws and any changes to other laws or following an update to our internal practices. We will publish the updated version of the privacy policy and you can check our website here periodically to view it.