FinDatEx

1.     Who does this privacy statement apply to?

FinDatEx (Financial Data Exchange Templates) is a joint structure established by the following associations: Insurance Europe, the European Banking Federation (EBF), the European Fund and Asset Management Association (EFAMA), the European Savings and Retail Banking Group (ESBG), the European Association of Cooperative Banks (EACB), and the European Structured Investment Products Association (EUSIPA). 

FinDatEx is led by a Steering Group that consists of one senior representative from Insurance Europe, EBF, EFAMA, ESBG, EACB and EUSIPA. The Steering Group creates Technical Working Groups (TWGs) that will be in charge of one or several template(s) and disbands them as appropriate.

FinDatEx’ mission is to coordinate, organise and carry out standardisation work, in the form of technical templates, to be used for the exchange of data between stakeholders, in particular regarding the exchange of information resulting from European legislation related to Financial Markets such as MiFID II, PRIIPs and Solvency II.

Insurance Europe, the EBF, EFAMA the ESBG (“the associations”) run the secretariat of the Steering Group on a rotating basis.

The association that runs the secretariat of the steering group is responsible for requesting data subjects’ consent, when needed for processing their data.

The associations are based in Brussels and act as data controllers as they jointly determine the purposes and means of processing personal data in the context of FinDatEx’s activities and are jointly responsible for providing to data subjects information about the collection and use of their personal data.

The associations process personal data in the context of FinDatEx as safely and reasonably as possible and in strict compliance with the applicable data protection legislation, including the General Data Protection Regulation 2016/679 of 27 April 2016 (‘GDPR’).

Please note that data protection rules apply to personal data. Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

This Privacy Statement covers the following data subjects:

• Members of FinDatEx
• Coordinators and Vice-Coordinators of the Technical Working Groups
• Members of the Technical Working Groups
• Staff members of the associations
• Stakeholders providing comments and reaching out to FinDatEx and to any of the categories of data subjects mentioned above
• Candidates for the position of Coordinators and Vice-Coordinators of the Technical Working Groups
• Candidates for membership to the Technical Working Groups
• FinDatEx’s website visitors
• Extranet users

2.     What is covered by this Privacy Statement?

This Privacy Statement tells you what personal data we process, why and how we process your personal data when we perform FinDatEx’s business activities, when you use FinDatEx’s website, or extranet, to whom we give that information, what your rights are and who to contact for more information or queries.

When we refer to website, we mean the web pages containing the domain name ‘findatex.eu.’ and including all its subsites, including but not limited to www.findatex.eu When we refer to the extranet website, we mean the webpages containing the domain name “extranet.findatex.eu”.

The website may link to other websites provided by members, members’ members or third parties. Whilst we try to link only to websites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices of other websites.

When linking to any such websites, we strongly recommend that you read the Privacy Statements on those websites before disclosing any personal information.

3.     What personal data do we collect?

The main personal data that we generally collect and hold in our database includes:

• identification data (eg name, company, address, e-mail address, phone number, job title, personnel number where relevant)
• data regarding the communication between us (eg e-mails, comments, questions sent and received, meetings)
• your picture if we have obtained your consent for this
• your CV and motivation letter (only for candidates for the position of Coordinators and Vice-Coordinators of the Technical Working Groups)
• when you use our website, the browser on your device automatically sends information to the server of our websites/application which temporarily stores it in a log file. More specifically, your IP address is automatically recorded without your intervention and stored until it is automatically deleted.

The FinDatEx website does not use cookies. The extranet website uses only functional cookies that do not involve processing of personal data. For more information about the cookies we use and how you can control them, please consult the cookie section hereafter.

4.     How do we obtain your personal data?

We may obtain your personal data in the framework of the execution of our business activities that serves the mission of FinDatEx and in particular because:

• you provided it to us by filling in the online form on FinDatEx’s website in order to register as a member of one or several Technical Working Groups
• you visited FinDatEx’s website (only regarding IP addresses)
• you applied for the position of Coordinators and Vice-Coordinators of the Technical Working Groups and/or for membership to one or several Technical Working Groups
• you sent an email to FinDatEx, eg to [email protected], to FinDatEx members or their staff, or to a Coordinator or Vice-Coordinator

5.     Why do we process your personal data?

For legitimate business purposes including:

• arranging and managing the Steering Group and the Technical Working Groups (eg drafting, circulating and updating members lists), as well as their meetings, including physical meetings as well as tel and video calls
• carrying out FinDatEx’s tasks (eg when drafting and circulating meeting participant lists and conclusions, sending notifications to members of FinDatEx, processing comments, questions or queries from members and other stakeholders)
• responding to any form of communication with us
• managing FinDatEx’s extranet
• processing your application to be appointed Coordinators and Vice-Coordinators of one of FinDatEx’s Technical Working Groups or your application for membership to Technical Working Groups
• security and troubleshooting purposes for processing your IP address when you visit FinDatEx’s website or extranet page

We will use your personal data only for the purposes for which we collected it or for reasons compatible with the original purpose. If we intend to use your personal data for reasons that are not related to the original purpose, we will contact you and notify you of the legal basis that allows us to do so. 

6.     What are the legal grounds for processing your personal data?

We process your personal data for the purposes mentioned in the previous section relying upon the following legal bases:

• The legitimate interests of FinDatEx, whose mission is to coordinate, organise and carry out standardisation work, in the form of technical templates, to be used for the exchange of data between stakeholders, in particular regarding the exchange of information resulting from European legislation related to Financial Markets such as MiFID II, PRIIPs and Solvency 2. When you use our websites, your IP address is processed based on our legitimate interest to ensure the functionality and security of the websites. In this respect, we will always determine case by case whether our interests are not overridden by your interests, fundamental rights and freedoms.
• Consent, where necessary.

7.     What are your rights?

You have several rights concerning the personal data we hold about you. You have the right to:

• access your personal data, obtain confirmation that we are processing your personal data and request a copy of the personal data we hold about you
• ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete
• restrict our processing of your personal data where you believe that the data is not accurate or we may not have grounds for processing it
• ask that we delete the personal data that we hold about you, if you believe that there is no (longer a) lawful ground for us to process it
• withdraw your consent to our processing of your personal data (to the extent such processing is based on consent)
• ask to receive a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit such personal data to another party (to the extent the processing is based on consent or a contract)
• object to our processing of your personal data for which we use legitimate interest as a legal basis, in which case we will cease the processing unless we have compelling legitimate grounds for the processing
• object at any time to the processing of your personal data for direct marketing purposes

Should you wish to stop any of our communications then you may disable these by logging in to our Extranet and clicking Settings.

Insurance Europe will be your contact point for submitting a request to exercise any of your rights. To this end, you can send us a request, indicating the right you wish to exercise by e-mailing us at [email protected]. You may also use these contact details if you wish to make a complaint to us relating to your privacy.

If you are unhappy with the way we have handled your personal data or any privacy query or request that you have raised with us, you have a right to complain to the Data Protection Authority (“DPA”) in your jurisdiction.

8.     Who are the recipients of your personal data?

Staff members of the associations that are dealing with FinDatEx’s business activities, their members and members’ members, as well as the Coordinators, Vice-Coordinators and the members of the Technical Working Groups will have access to your personal data on a “need-to-know” basis for the purposes described above.

International transfers

In principle, we do not intend to transfer your data to third countries or international organisations. In case your data needs to be transferred to a third country or an international organisation (eg if we engage an non EU-based processor), we will transfer your data only when an adequate level of protection according to an adequacy decision issued by the European Commission is provided or when there are appropriate safeguards (eg by means of Standard Contractual Clauses) that ensure your personal data is protected or when we can rely on derogations within the limits permitted by the GDPR. You can ask for more information and/or obtain a copy of those safeguards by sending us an e-mail ([email protected]).

We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Statement.

We reserve the right to disclose your personal data as required by law, or when we believe that disclosure is necessary to protect our rights and/or freedoms and/or comply with a judicial proceeding, court order and/or injunction, request from a regulator or any other legal process, including out of court proceedings, served on us.

9.     For extranet visitors: cookies

The extranet website use Cookies. Cookies are small text files that are stored by your browser onto your computer or mobile device when you visit these websites. The extranet website uses only functional cookies that enable us to ensure the proper functioning of the website.

You can refuse the installation of cookies on your device. The ability to enable, disable and/or delete cookies can be completed in your browser. You can delete all cookies that are already on your device and you can set most browsers to prevent them from being placed. The settings are usually in the “options” or “preferences” menu of your browser. To understand them, the “Help” option in your internet browser or the following links may be helpful:

• Cookie settings in Internet Explorer
• Cookie settings in Firefox  
• Cookie settings in Chrome
• Cookie settings in Safari

You can find more information about cookies at: www.allaboutcookies.org. Please note that turning off functional cookies might restrict the use of the extranet website.

The extranet website uses the following types of cookies:

Functional cookies

• Session cookies - A session cookie is posted each time you log in our extranet for authentication purposes only. All session cookies are deleted after your visit to our extranet.
• Authentication cookies - A cookie is posted for authentication purposes so that you stay logged in. This cookie will be removed as soon as you log out, or if a year is reached.
• First-party cookies - A first-party cookie is a cookie set by us or any of our processors.

10.     How is the security of your personal data ensured?

The associations employ strict technical and organisational (security) measures to protect your personal data from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage both online and offline.

These measures may include:

• training relevant staff to ensure they are aware of our privacy obligations when handling personal data
• administrative and technical controls to restrict access to personal data to staff members of the associations
• technological security measures, including fire walls, encryption and anti-virus software
• back-up systems
• login access blocks in case of loss or theft of devices
• physical security measures, such as staff security badges to access the associations’ premises

Although we use appropriate security measures once we have received your personal data, the transmission of data - especially over the internet (including by e-mail) - is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to us or by us.

We limit access to your personal data to those who we believe reasonably need to access that information to carry out their tasks.

11.     Data retention

We will retain your personal data for as long as:

• it is necessary to fulfil the purposes we collected it for
• you have a role or function that is relevant to FinDatEx’s mission

For website visitors: the IP that we collect when you visit our websites is retained for 90 days.

For more information about the expiry dates of the cookies used on the extranet websites, please consult the cookie section.

12.     Automated Decision-making

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of personal data and that produce legal effects that significantly affect the individuals involved.

As a rule, your personal data will not be used for automated decision-making. We do not base any decisions about you solely on automated processing of your personal data. 

13.     How to contact us?

We hope that this Privacy Statement helps you understand and feel more confident about the way we process your data. If you have any further queries about this Privacy Statement, please contact us: 

• by e-mailing us at [email protected]; or
• by calling us at +32 2 894 30 00.

14.     Changes to this privacy statement

We may modify or amend this Privacy Statement in the future. Should this happen, the revised Privacy Statement will be posted on FinDatEx’s website, and you may also be notified by e-mail.

10 May 2019