Dear Client of the Nasdaq Nordic and Baltic Exchanges*
As a premier financial services and technology firm, acting with integrity and compliance with applicable law are foundations of Nasdaq’s business. Like yourselves, we are aware of the importance of the General Data Protection Regulation (the “GDPR”), which will come into force on May 25, 2018. As a business whose vision is to Rewrite Tomorrow, we look forward to the GDPR as an important contributor to making the business of tomorrow one that effectively integrates innovations in technology and data use with the protection of individuals’ fundamental right to privacy.
Executive Summary
Since the GDPR was finalized two years ago, we have been working across our organization so that we are prepared to meet our compliance obligations and continue to serve as an excellent business partner to our clients, members and other market participants. These efforts have intensified over the past year-plus as we put in place a formal multi-workstream project spanning our business operations, technology, information security, legal and compliance, human resources communication and other teams to ready ourselves to comply with the relevant requirements of the regulation.
In this letter, we would like to briefly review with you:
(1) An overview of our GDPR readiness program,
(2) How the GDPR applies to our services and impacts on related contract terms and privacy notices, and
(3) Our Privacy Governance Model.
At Nasdaq, through consistent “tone from the top” as well as reinforcement through policies, training and outreach, we have endeavored to build a values-based ethical culture that prioritizes information security. Across our global enterprise, we have used the GDPR as an opportunity to enhance our privacy program with a focus in all instances to process personal data with Integrity, Transparency and Accountability – values that meet the principles set forth in the GDPR in a way that is relevant to our business. By doing so, we seek to further emphasize respect for privacy and individual personal data rights within our culture.
We welcome the opportunity to discuss our program as implemented for the Nasdaq Nordic and Baltic Exchanges, our other Nordic and Baltic regulated businesses** or any other portion of our business with you or any other interested party. Please do not hesitate to contact us or any of the resources identified in this letter.
1. Overview of our GDPR Readiness Program
Under the direction of our GDPR Project Steering Committee, chaired by our Global Chief Legal and Policy Officer and Vice-Chaired by our Global Chief Information Security Officer, Nasdaq has devoted substantial time, funding and executive focus to prepare for the requirements of the GDPR and establish a robust ongoing privacy compliance program that will be able to respond to evolution in law and guidance as well as address changes within our business or individual incidents that may occur. The following are some of the key initiatives that we have undertaken or are undertaking with completion to be done prior to the GDPR going into effect:
- Comprehensive Data Processing Assessment and Analysis: Consistent with GDPR requirements, we have conducted a thorough data mapping of our business systems and processes across our enterprise. Where we have identified personal data processing subject to GDPR, we assessed the basis for processing and evaluated that appropriate technological and organizational measures are in place to protect the data. This includes support from our Legal and Regulatory and Information Security Departments.
- Governance Structure: As further detailed below, we assessed our privacy governance structure, identified our ongoing corporate structure for overseeing privacy globally and designated a Data Protection Officer (as defined in the GDPR) for certain legal entities in our corporate family.
- Policy and Notice Review: We have updated our company-wide Code of Ethics to include core elements of GDPR and implemented updates to certain policies and related procedures to account for GDPR. This has included development of updates to our public facing privacy statements and updates to certain forms to incorporate GDPR requirements.
- Contracting Processes: To ensure that we meet the requirements of the GDPR, we have updated our contract templates and terms where relevant to include new personal data processing terms. We have also updated certain existing contracts to ensure that they include updated terms that address GDPR requirements. Contract changes relevant to your services are further described below.
- Product Development: Our updated Product Development Lifecycle process will apply privacy-by-design and default standards and a process for conducting a data protection impact assessment if required.
- Mechanisms for Addressing Individual Requests: We have developed processes for addressing data subject requests where Nasdaq is the data controller and for referring such requests to the controller for the limited services where we serve as a processor. Any data subject may contact us at privacy@nasdaq.com or other identified resources to initially exercise his/her rights.
- Data Breach Response: We have incorporated GDPR into our overall corporate data breach response program and are conducting scenario-based training to prepare for potential situations that may require notification under GDPR.
- Training: We have conducted numerous awareness and function-specific training events for our staff and continue to do so.
2. How the GDPR applies to our Services and impacts on Related Contract Terms and Privacy Notices
With respect to its delivery of services to clients, members and other market participants, the Nasdaq Nordic and Baltic Exchanges process personal data in two primary contexts: (1) to administer our business and (2) as part of the delivery of contracted products and services by our customers.
We process personal data as part of the administration of business in several contexts. Examples of these include screening new issuers and members to comply with law and prevent fraud, credentialing individuals from members to use our system and ensuring effective information security, addressing help desk or system user questions, providing system user notifications and marketing new services to designated users.
We process personal data as part of the delivery of our products and services as required by applicable law and/or our agreement with you. Under applicable laws such as MiFID 2/MiFIR and the Market Abuse Directive/Market Abuse Regulation as well as to fulfill our role as a trading venue operator, we collect and process certain data about individual orders and transactions that may include personal information. One example of this may include processing as part of our market surveillance to identify market abuse, fraud and other inappropriate actions; this may include reporting suspected misconduct to authorities. Another example may include processing of personal data related to our exchange oversight role, such as conducting disciplinary reviews and hearings. All such processing aligns with requirements under applicable law and none involves automated decisionmaking.
To reflect requirements under GDPR, we will make updates to the following documents:
- Member Portal General Terms and Conditions (posted to our Member Portal).
- Privacy Policy (posted to our website).
Because we may receive personal data from you about your individual customers when you use our exchange to complete transactions (which is normally limited in such a manner that we cannot effectively identify individuals or contact them), it is your responsibility to advise your customers to consult our published Privacy Policy (http://business.nasdaq.com/list/Rules-and-Regulations/European-rules/index.html), this letter (which will be publicly posted on our website) and other information posted on our website on how we process their data.
3. Privacy Governance Model
Building on our self-regulatory history, Nasdaq has a deep foundation in applying strong governance to our business and compliance activities. Like other compliance requirements, we seek to integrate GDPR compliance into our business functions as part of the “first line” of defense. This is then reinforced with compliance and risk management expertise as part of our “second line” functions with Internal Audit providing the “third line” of defense conducting risk-based reviews of our program. To ensure accountability and vigilance, we have established executive management structures and board oversight to provide mechanisms for escalating risk, prioritizing actions and providing support to initiatives.
Specific to our GDPR and privacy program governance, we have implemented the following governance model:
- Boards of Directors Oversight: Ultimate oversight of our GDPR privacy program is conducted by the Board of Directors of each of the Nordic and Baltic Exchanges and other group companies with further enterprise-wide oversight by the Board of Directors of our ultimate parent company, Nasdaq, Inc. Our boards have been briefed on GDPR’s implications for Nasdaq and will be updated regularly on privacy program changes and elements.
- Global Privacy Steering Committee: Due to the enterprise-wide impacts of GDPR, we are converting our GDPR project steering committee into a permanent Global Privacy Steering Committee. The Steering Committee will be chaired by Andreas Gustafsson – our Senior Vice President and General Counsel for Europe – and vice-chaired by Lou Modano – our Senior Vice President and Global Chief Information Security Officer. Members will include business operations executives and senior representatives from our Technology, Office of General Counsel, Human Resources, and Global Risk Management functions. The Steering Committee will report to our top level management risk committees including our Global Risk Management Committee (chaired by our CFO), Compliance Council (chaired by our General Counsel) and Technology Risk Committee (chaired by our CIO).
- Data Protection Officer (DPO) and Operational Privacy Function Leadership: We have appointed Lindahl Law Firm represented through Caroline Olstedt Carlström as our DPO for Nasdaq Nordic and Baltic regulated entities. Ms. Carlström will serve in this role as an external DPO (so remains employed by Lindahl where she is a partner and lead of the firm’s privacy practice). We believe that having an external DPO avoids potential conflicts of interests and ensures that we are engaged in industry best practices.
Within our organization, operational management of our privacy program will handled within our Office of General Counsel, which also is responsible for our other corporate compliance functions. Our commercial law group will be responsible for managing customer and vendor contracts.
Conclusion - Points of Contact
As exchange members and customers, we look forward to working with you to ensure that we are able to meet the principles of the GDPR and expectations of those with whom we do business as they relate to the services that we deliver. We welcome the opportunity to discuss our efforts further with you either now or in the future.
You may contact any of the resources below quoting the service, product and Nasdaq legal entity your query relates to:
- General Contact for Privacy Team at: privacy@nasdaq.com
- Office of General Counsel, Stockholm office;
Post address: Tullvaktsvägen 15, 10578 Stockholm, Sweden
Att: General Counsel Office
- Andreas Gustafsson; General Counsel for Europe at: Andreas.Gustafsson@nasdaq.com
- Wesam Alkawka; Associate General Counsel, Nordics and Baltics Data Privacy Liaison, at: Wesam.Alkawka@nasdaq.com
- Nasdaq DPO: Lindahl Law Firm represented through Ms. Caroline Olstedt Carlström
Address: Advokatfirman Lindahl KB, Box 1065, 101 39 Stockholm, Sweden
Att: Caroline Olstedt Carlström
- Your regular Nasdaq contact person
Thank you for your consideration and attention to this important topic.
Yours sincerely,
Nasdaq Inc.
Andreas Gustafsson
General Counsel Europe and Global Co-Chief Compliance Officer
*The Nasdaq Nordic and Baltic Exchanges consist of Nasdaq Copenhagen A/S, Nasdaq Helsinki Ltd, Nasdaq Iceland hf., Nasdaq Oslo ASA, Nasdaq Riga AS, Nasdaq Stockholm AB, Nasdaq Tallinn AS and AB Nasdaq Vilnius.
**In addition to the Nasdaq Nordic and Baltic Exchanges, these include Nasdaq Broker Services AB, Nasdaq Clearing AB, Nasdaq CSD SE, Nasdaq CSD Iceland hf. and AS Pensionikeskus.