This Privacy Statement describes how and why The Bermuda Stock Exchange Limited and BSD Nominee Limited, which holds securities in the Bermuda Securities Depository (“BSD”) on behalf of investors, (collectively, the “BSX”), collects and processes information about you, how this information is protected, and your rights in relation to it. Please note that the BSX may be required by law to collect and use certain personal information about you in order to fulfill its regulatory obligations.  The BSX will process your Personal Information (as defined below) consistent with this Privacy Statement and the BSX will not collect, retain, use, or disclose, your Personal Information for any purpose other than performing the Service, evaluating an application for employment, enabling the BSX to meet its legal and regulatory requirements, marketing the BSX’s Services, or service improvement and development.

 

1.       Collection and Use of Data; Retention

a.       Each of the following sections will set forth the types and categories of data that the BSX may collect about you and the purpose for such collection. This section of the Privacy Statement is divided into categories, including “BSX Service”, “Employment”, “BSD Service”, and “Website”. If you use a BSX Service, including, but not limited to the Bermuda Stock Exchange or the Bermuda Securities Depository (the “BSD”) (collectively and individually a “Service” or “Services”), your representative uses a Service on your behalf, or if you are an officer or director of a legal entity that is listed or traded on the Bermuda Stock Exchange or has membership of the BSX or BSD, the “Service” section is applicable to you. If you have applied for employment with the BSX, the “Employment” section is applicable to you. If you have otherwise submitted your information to the BSX, such as through a web form, or you are a bsx.com visitor, the “Website” section is applicable to you.

b.      BSX Service

                                                               i.      The BSX may collect personal information from you, the entity of which you are an officer, director or employee, or your representative in order to use the Service as part of your entity’s listing, membership as a listing sponsor, trading member or BSD participant. The type of information that the BSX collects from you depends on your particular interaction with the Service. The BSX may collect information from you directly, and from other sources, including through your representative, the entity of which you are an officer, director or employee, a listing sponsor, trading member, BSD participant or their representatives. In order to fulfill our legal and regulatory obligations and in order to provide the Services, we may collect the following information from you:

·         Individual data, such as your name, date of birth, age, address, country of residence, signature, phone number, mailing address, email address, national identification number, or other identification details (such types of data collectively, “Personal Identifiers”);

·         Identification verification information, such as a copy of your passport, driver’s license, utility bill, or alternative verification information;

·         Professional information, such as your job title, work history, education history, your CV/resume;

·         Audio, electronic, visual, or similar information, such as photographs or voice recordings if you visit our premises; and,

                                                             ii.      Your preferences, such as how often you wish to receive marketing or other communications. Failure to provide this information may prevent you from using the Services. The BSX primarily uses your personal information to provide our Services to you, confirm your identity in accordance with our legal obligations, and to respond to your inquiries. We also may use your personal information as follows:

·         To communicate with you;

·         To comply with legal and/or regulatory requirements and cooperate with regulators and law enforcement bodies;

·         To send you marketing communications and advertising in line with your communications preferences; and,

·         To protect our rights, your rights, and the rights of others, and to meet our own high standards of business practice.

                                                           iii.      Retention. The BSX will retain and use your data for the duration that it provides Services to you, or for so long as you are an officer, director, or employee of a listed entity, member, listing sponsor, or BSD participant and for a seven (7) year period following the end of Services in accordance with its regulatory obligations. Following the cessation of any obligation to retain your data, the BSX shall dispose of or render permanently unusable any of your data then in its possession.

c.       BSD Service.

                                                               i.      The BSX may collect personal information from you or from a BSD participant about you in order to provide the BSD Service. The BSD Service is provided through BSD Nominee Limited, a nominee company, which holds investments in securities which are listed and traded on the BSX on behalf of shareholders or noteholders in those securities. The type of information that the BSX collects about you depends on your particular interaction with the Service which will be handled through a BSD participant. In order to fulfill our legal obligations and in order to provide the BSD Service, we may collect the following information from you:

·         Individual data, such as your name, date of birth, age, address, country of residence, signature, phone number, mailing address, email address, national identification number, or other identification details (such types of data collectively, “Personal Identifiers”);

·         Identification verification information, such as a copy of your passport, driver’s licence, utility bill, or alternative verification information;

·         Documentation evidencing ownership of securities held by the BSD Service, such as share transfer forms, estate planning documentation, court orders, etc.

                                                             ii.      Retention. The BSX will retain and use your data for the duration that it provides Services to you, and for a period of ten (10) years following the end of Services. Following the cessation of any obligation to retain your data, the BSX shall dispose of or render permanently unusable any of your data then in its possession.

d.       Employment

                                                               i.      We collect personal information from you when you apply for employment with us. We collect information from you directly as part of your application and retain it for a period following your application or during the course of your employment with the BSX. This information may include:

·         Individual identifiers, such as your name, date of birth, age, address, country of residence, signature, marital status, parental status, phone number, mailing address, email address, national identification number, immigration information, or other identification details;

·         Identification verification information, such as a copy of your passport, driver’s licence, utility bill, or alternative verification information;

·         Account information, such as your bank account number;

·         Professional information, such as your job title, work history, education history, your CV/resume; and,

·         Audio, electronic, visual, or similar information, such as photographs or voice recordings if you visit our premises.

                                                             ii.      The BSX collects this information to communicate with you, to evaluate your fitness for employment if you are an applicant, or, if you are offered employment to verify your identity, credentials, and legal right to work at the BSX, and if you are an employee of the BSX, to administer your benefits (such as your pension, insurance, etc.), to provide payroll, and to meet the BSX’s legal obligation to retain employment records.

                                                           iii.      Retention. The BSX will retain and use your personal employment during any evaluation period and, if you are not offered employment, for a period of up to one (1) year following the decision. If you are offered employment, the BSX will retain your information for the duration of your employment and for a period of up to 7 years (or 10 years if related to any health and safety investigation/ reporting) following the cessation of your employment. Following the end of the retention period, the BSX shall dispose of or render permanently unusable any of your data then in its possession. Notwithstanding the forgoing, the BSX will indefinitely retain your name, the dates you were employed at the BSX, and your job title and whether you are eligible to be rehired.

e.       Website. If you visit our website, bsx.com, we may collect various data about you in order to provide access to the website or to contact you following your request. Some of this data you may choose to provide to us through a “Contact Us” form or through email, including certain individual identifiers, such as your name, country of residence, phone number, mailing address, email address, or other identification details.

2.       Disclosures and Transfer of Data

a.       Disclosures. We only disclose your data (1) to BSX employees on a need-to-know basis in order to enable them to perform the Services as set forth in Section 1, above, and (2) to our third-party services providers as set forth in Section 2(c), below.  

b.       Overseas Transfers. We may transfer, process, and store your personal information outside of your home country, including in the United States. For the avoidance of doubt, your personal information will be transferred from within Bermuda to the United States. We have put in place appropriate safeguards for international transfers, such as standard contractual clauses approved by the European Commission as well as technical safeguards in accordance with legal requirements and the recommendations of the Office of the Privacy Commissioner of Bermuda and the European Data Protection Board.  

c.       We share your personal information for our business purposes with the following persons/entities and in the following circumstances:

                                                               i.      Third Party Service Providers: To enable us to more efficiently provide the service you have requested from us, we may share your personal information with selected entities that act on our behalf as our agents, suppliers, or providers, or these entities may collect your personal information on our behalf. These service providers may provide services such as marketing support, technical assistance, and data hosting. We may also engage third-party analytics providers, such as Google analytics, to help us understand how users engage with our website. These analytics providers may use cookies and similar technologies to collect information about your use of our website. As of the effective date of this Privacy Statement, the following are the categories of third parties that we may share your data with:

·         AML screening providers;

·         Bermuda Job Board for applications and job postings;

·         Benefits administration providers (including insurers, pension administrators, options administrators, etc.);

·         Financial institutions (such as banks, custodians, transfer agents, etc.);

·         HR Payroll/Employee Management Software Provider; and,

·         Miami International Holdings, Inc., the BSX’s parent company, which provides the BSX with corporate information technology solutions and data centres.

                                                             ii.      Legal Compliance and the Protection of Our Rights: We will share information with regulators, government authorities, and third parties where we believe it is necessary to comply with a court order, subpoena, to fulfill our legal and regulatory obligations, or following a regulatory request. We may disclose information when we believe in good faith that such disclosures will: help protect our rights or enforce our contractual rights; support our detection of, prevention of, or response to fraud or intellectual property infringement; help protect your safety or security; or protect the safety and security of the Service, our website, or any individual.

                                                           iii.      Transfer of Business Assets: As we continue to develop our business, we might acquire or buy other businesses or assets. In such transactions, customer information generally is one of the transferred business assets. Also, we may transfer any information we have about you as an asset to third parties in connection with the consideration, negotiation, or completion of a merger or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of BSX and/or the BSD Nominee, or as part of a corporate reorganization or stock sale or other change in corporate control, for the purposes of such third parties carrying on our business in relation to the continued provision of our Services to you as described in this Privacy Statement.

                                                           iv.      Additional Sharing: From time to time we share your information with our attorneys, banks, auditors, securities brokers, AML/ATF verification service providers, and other professional service providers and advisors in connection with the purposes described above. The following categories of your personal information may be shared with these parties:

·         Personal Identifiers;

·         Commercial information;

·         Electronic Identifiers;

·         Financial information;

·         Professional information;

·         Education information; and,

·         Inferences drawn from any of the above information categories.

d.       Because we operate as part of a global business, the recipients referred to above may be located outside the jurisdiction in which you are located (or in which we provide the Services).

3.       General

a.       Your Rights in relation to Your Personal Information. Subject to local law, you may have certain rights regarding your personal information. These may include, depending on the circumstances, the following rights to:

·         access your personal information;

·         rectify the personal information we hold about you;

·         request to erase your personal information;

·         stop or restrict our use of your personal information;

·         object to our use of your personal information;

·         receive your personal information in a usable electronic format and transmit it to a third party (also known as the right of data portability);

·         receive additional information regarding the sources from which we collect information, the purposes for which we collect and share personal information, the information of yours we hold, and the categories of parties with whom we share your information;  and,

·         lodge a complaint with your local data protection authority; and withdraw any consent you have given to uses of your personal information.

b.      Exercising Your Rights

                                                               i.      If you would like to discuss or exercise the rights you may have, feel free to contact our Data Privacy Officer, Ailish Byrne,  via email at bsxprivacy@bsx.com, or through the mail to The Bermuda Stock Exchange, attn.: Ailish Byrne, 110 Pitts Bay Road, Pembroke HM08, Bermuda. 

                                                             ii.      You may exercise your rights without fear of being denied Service. We may, however, be unable to comply with your request if it interferes with our regulatory obligation, provide a different level of service, or charge a different rate as permitted by applicable law.

                                                           iii.      In order for us to authenticate your request, you must include the following information:

·         Your first name;

·         Your last name;

·         The full address of your primary residence, including country and state;

·         The BSX Service to which you use or are subscribed or if you are an applicant or former employee;

·         The email address we have on file for you as well as the email address at which we should contact you about the request; and,

·         Please also indicate what action you are requesting, i.e. return and/or deletion of your personal information, ‘do not sell’, etc.

The preceding information is necessary to authenticate your request and will be held by BSX for legal and regulatory purposes, including to comply with any rules or regulations applicable to the BSX, for the length of time necessary to comply. We will acknowledge your request within 14 days and we will respond within 45 days. If we are unable to authenticate your request, we will reply as such to the email address from which your request originated. We will provide the requested information, along with any details of actions we’ve taken, to you at the email address you specify in your request.

c.       Security & Data Integrity. We have put in place safeguards to help prevent unauthorized access and maintain data security with respect to your personal information. Despite these protections, however, we cannot guarantee that your data will be 100% secure. You should take measures to protect your personal information. We retain your personal information for as long as we have a relationship with you and for a period after the relationship has ended, as set forth above. When determining how long to keep your personal information after our relationship with you has ended, we take into account how long we need to retain the information to fulfil the purposes described above and to comply with our legal obligations, including regulatory obligations. We may also retain personal information to investigate or defend against potential legal claims in accordance with the limitation periods of countries where legal action may be brought.

d.       Children. This website and our Services are not intended for use by minors (persons under the age of majority in your jurisdiction). If you are a minor, do not our Services. If parents believe their minor children have accessed our Services and provided their personal information, please contact us using the information provided in the "Your Rights in relation to Your Personal Information" section of this Privacy Statement so that we may delete the information.

e.       Other Sites. Our Services or our website may contain links to other sites or products that we do not own or operate. Also, links to our Services may be featured on third party websites. Except as provided herein, we will not provide any of your personal information to these third parties without your consent. We provide links to third party websites as a convenience to the user. These links are not intended as an endorsement of or referral to the linked websites. We recommend you read carefully the privacy statements, notices and terms of use of any linked websites. We do not have any control over such websites, and therefore we have no responsibility or liability for the manner in which the organizations that operate such linked websites may collect, use or disclose, secure and otherwise treat your personal information.

f.        Changes to Privacy Statement. This Privacy Statement is current as of the effective date set forth above. We reserve the right to change this Privacy Statement from time to time. Changes and modifications to this Privacy Statement will be effective immediately upon posting of the changes and modifications on the Services, except where prohibited by law. You should therefore periodically visit this page to review the current Privacy Statement. If we change this Privacy Statement, we will notify you of the changes by updating the effective date at the top of this Privacy Statement and, if required by applicable laws, by other means, such as email or notice within the Services. Where the changes will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will, as required by applicable laws, provide you with notice in advance. If at any time you choose not to accept the terms of this Privacy Statement, you should not use the Services, apply for employment, or use the Website.

4.       Information For UK and EU Users

a.       Some of the processing we conduct will involve making decisions about you based on automated processing of your personal information. For example, we may conduct profiling activities to select personalized offers or recommendations for you based on your use of the Service and browsing history. If you are in the UK or the EEA, where these decisions are based solely on our automated processing of your personal data (e.g. not subject to human review), these types of decisions will not have legal or similar effects on you, but you can still contact us for further information and to object to this use of your personal information.

b.       Under EU privacy law, we must have a legal basis to process personal information. In most cases the legal bases for our processing, under EU law, will be one of the following:

                                                               i.      to fulfill our contractual obligations to you, for example to provide the Services or to ensure that invoices are paid correctly;

                                                             ii.      to comply with our legal and/or regulatory obligations, for example obtaining proof of your identity to enable us to meet our anti-money laundering obligations; and/or,

                                                           iii.      to meet our legitimate interests, for example to:

·         understand how you use the Services and to enable us to use this knowledge to improve our Service and to develop new ones;

·         communicate with you about the service that you use or we offer;

·         maintain our accounts and records;

·         assess patterns of use; and,

·         plan and evaluate our marketing and business development programs.

When we process personal information to meet our legitimate interests, we put in place, when needed, technical and contractual safeguards designed to protect your privacy interests, freedoms, and rights under applicable laws.

c.       We may obtain your consent to collect and use certain types of personal information when we are required to do so by law (for example, in relation to some direct marketing activities, our use of cookies and tracking technologies or when we process sensitive personal information). If we ask for your consent to process your personal information, you may withdraw your consent at any time by contacting us using the details in Section 3b of this Privacy Statement.

d.       We may anonymize your personal information and use it for other purposes. For example, we may prepare aggregated reports about how users interact with the Services.

5.       California Privacy Rights

a.       Under California's "Shine the Light" law, California residents who provide personal information in obtaining products or services for personal, family or household use are entitled to request and obtain from us once a calendar year information about the customer information we shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we shared customer information for the immediately prior calendar year (e.g. requests made in 2025 will receive information regarding 2024 sharing activities).

b.       To obtain this information, please send an email message in accordance with Section 3(b) “Exercising your Rights.” Please be aware that not all information sharing is covered by the "Shine the Light" requirements and only information on covered sharing will be included in our response.