1. SS&C and data privacy
SS&C Technologies Holdings Inc. and its subsidiaries (“SS&C”) is committed to protecting personal data and respecting your privacy.
This privacy statement describes how we collect, use, share, protect, and otherwise process personal information about you. This statement applies to personal information that you provide to us:
- as a visitor to our websites or as a user of our client portals;
- when you send us personal information in connection with an inquiry about SS&C providing products and services directly to you;
- as a visitor to our premises; and
- and as a contact at one of our customers or their customers, potential customers, suppliers or other business partners.
Notice to Customers of SS&C Clients
Where we collect personal information on behalf of our clients, SS&C acts as a “data processor” (as defined in the European General Data Protection Regulation (GDPR)) on behalf of its clients and this privacy policy does not apply. Customers of our clients (e.g. Fund investors or any person providing information in connection with obtaining a product or service from a client of SS&C) should consult directly with the applicable client to obtain a copy of the privacy policy issued by the client as “controllers”(as described in GDPR) which will apply in such instance.
2. What information do we collect from you?
We may collect and process the following information (personal data) about you:
Information that you give us:
- This includes information about you that you give to us by filling in forms on our website (or other forms that we ask you to complete), giving us a business card (or similar), or corresponding with us by telephone, post, email or other means.
- It may include, for example, your name, address, email address, work telephone number, mobile telephone number, information about your business relationship with us, information about you necessary to complete anti-money laundering checks in order to comply with requirements relating to anti-money laundering and other legislation applicable to us; and information about your professional role, background and interests.
Information that our website and other systems collect about you:
- If you visit our website it will automatically collect certain information about you and your visit, including the Internet protocol (IP) address used to connect your device to the Internet and other information such as your browser type and version. We may also collect information about the pages on our site that you visit. Our website may also download “cookies” to your device – this is described in our separate cookie statement.
- If you email, telephone, write, or exchange other electronic communications with our employees and other staff members, our information technology systems will record details of those conversations and exchanges, sometimes including their content.
- Some of our premises have closed circuit TV systems which may record you if you visit our premises, for security and safety purposes.
Other information: We may also collect some information from other sources. For example:
- If we have a business relationship with the organisation that you represent, your colleagues or other business contacts may give us information about you, such as your contact details or details of your role in the organisation that you represent.
- We sometimes collect information from other third parties, which can include third party data providers, or from publicly available sources for anti-money-laundering, background checking and similar purposes, to protect our business and to comply with our legal and regulatory obligations.
3. How will we use your information?
We may use your information for the following purposes:
- to personalize and customize your experience with us; conduct research and analysis; and fulfil orders and requests for products, services, or information from you or the organization that you represent;
- to send you marketing communications regarding our products and services;
- for ordinary business purposes, including to operate and administer the products and services provided by SS&C in accordance with the terms of any agreements that we may have with our clients.
- to operate, administer and improve our website and premises and other aspects of the way in which we conduct our operations.
- to protect our business from fraud, money-laundering, breach of confidence, theft of proprietary materials and other financial or business crimes.
- to comply with our legal and regulatory obligations, and to bring and defend legal claims where the information is pertinent (including to allow us to pursue available remedies or limit the damages that we may sustain).
- to comply with our internal policies and maintain our records or as otherwise required by applicable data protection laws.
- to respond to requests from our clients that are not already addressed above.
We may from time to time be required to review information about you held in our systems – including the contents of and other information related to your email and other communications with us – for compliance and business-protection purposes as described above.
This may include reviews for the purposes of disclosure of information relevant to litigation and/or reviews of records relevant to internal or external regulatory or criminal investigations.
To the extent permitted by applicable law, these reviews will be conducted in a reasonable and proportionate way, and approved at an appropriate level of management. They may ultimately involve disclosure of your information to governmental agencies and litigation counterparties as set out below.
Your emails and other communications may also be accessed occasionally by persons other than the member of staff with whom they are exchanged for ordinary business management purposes (for example, where necessary when a staff member is out of the office or has left our organisation).
We will only process your personal information as necessary to pursue the purposes described above.
In exceptional circumstances, we may also be required by law to disclose or otherwise process your personal information.
We will tell you, when we ask you to provide information about yourself, if:
- provision of the requested information is necessary for compliance with a legal obligation, or
- it is purely voluntary and there will be no implications if you decline to provide the information.
If you are uncertain as to SS&C’s need for information that we request from you, please contact the SS&C representative asking for the information, or Contact us, with your query.
4. Disclosure and international transfer of your information
We may disclose personal information about you, where reasonably necessary and appropriate for the various legitimate purposes set out above:
- to the other legal entities within SS&C.
- if we receive the personal information from you as a representative of one of our business partners or clients, to your colleagues within the organisation that you represent.
- to third party service providers who host our website or other information technology systems or otherwise hold or process your information on our behalf, under substantially similar conditions of confidentiality and security.
- business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
- in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit; in accordance with our legal obligations, including to competent regulatory, prosecuting and other governmental agencies, or litigation counterparties, in any country or territory or where we are otherwise required by law to disclose.
These disclosures may involve transferring your personal information overseas. If you are dealing with us within the European Economic Area or the UK, you should be aware that this may include transfers to countries outside the European Economic Area and/or the UK, which do not have similarly strict data privacy laws and which may therefore afford a lower standard of personal data protection. In those cases, where we transfer personal data to other legal entities within SS&C or our service providers, we will ensure that our arrangements with them are governed by data transfer agreements, designed to ensure that your personal information is protected, on terms approved for this purpose by the European Commission.
As part of our SS&C Data Protection Compliance Program, SS&C has executed the new standard contractual clauses (SCCs) for the transfer of personal data to third countries published by the European Commission on 4 June 2021, to ensure that any international transfer of your information is in compliance with GDPR. In addition, our UK domiciled legal entities have executed with the relevant SS&C subsidiaries the UK Addendum published by the UK supervisory authority, the Information Commissioner’s Office (ICO), to ensure compliance with UK data protection laws. The purpose of the UK Addendum, approved by the UK Parliament on 21 March 2022, is to amend the EU SCCs to work in the context of UK data transfers to third countries.
5. How we keep your personal information safe?
We are committed to protecting your personal information submitted to us. We maintain an information security program including internal policies addressing the acceptable use and access to confidential business information and personal information which may be contained within SS&C’s information systems. We maintain physical, electronic and procedural safeguards reasonably designed to guard personal information from loss, misuse or unauthorized access, disclosure, alteration or destruction of the information that has been provided to us through our on-line services.
6. How long do we keep your personal information?
We will retain your data in accordance with our Personal Data Retention Policy, which provide for a period of at least 7 years or longer as required by applicable law or our internal data protection policies.
We will delete the information that we hold about you when we no longer need it.
Note that we may retain some limited information about you even when we know that you have left the organization that you represent, so that we can maintain a continuous relationship with you if and when we are in contact with you again, representing a different organization.
7. What are your rights?
Rights of access, correction, restriction and deletion: You have a right of access to the personal information that we hold about you under European data protection legislation, and to some related information. You can also require any inaccurate personal information to be corrected or deleted as well as that any further data processing is restricted.
Right to object: You can object to our use of your personal information for direct marketing purposes at any time and you have the right to object to our processing of some or all of your personal information (and require them to be deleted) in some other circumstances.
Right to request a copy of SCCs and UK Addendum: SS&C has executed the new standard contractual clauses (SCCs) for the transfer of personal data to third countries published by the European Commission on 4 June 2021, to ensure that any international transfer of your information is in compliance with GDPR.
Our UK domiciled legal entities have also executed with the relevant SS&C subsidiaries the UK Addendum published by the ICO, to ensure compliance with UK data protection laws.
In accordance with the transparency requirements set out in the SCCs, a copy of the SCCs and UK Addendum implemented by SS&C is available upon simple request (subject to the redaction of information to include confidential information, and personal data not relevant to you).
If you wish to exercise any of these rights, please contact usas set out below.
Complaints: If you wish to make a complaint as regards our compliance with the SCCs when processing your information, please contact the Data Protection Office at gdpr_dpo@sscinc.com
You can also lodge a complaint about our processing of your personal information with the body regulating data protection in your country.
8. Your California Privacy Rights
Under the California Consumer Privacy Act and its implementing regulations (CCPA), you (if you are a California resident) may have certain privacy rights in connection with your Personal Information (as such term is described in the CCPA). Some of those rights and disclosure requirements are already outlined in the various Sections above. In addition, we collect the personal information categories outlined below, which we may disclose to other legal entities within SS&C, third party service providers who host our website or other information technology systems or otherwise hold or process your information on our behalf, under substantially similar conditions of confidentiality and security, and business partners, suppliers and sub-contractors for our operational business purposes:
- Identifiers, such as name, contact information, and online identifiers.
- Personal information, as defined in the California customer records law.
- Internet or network activity information, such as browsing history and interactions with our website.
- Professional or employment-related information, such as company name.
- Inferences drawn from any of the personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics.
- Performance of any contract we enter into with business partners, suppliers and sub-contractors or you.
- In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit; in accordance with our legal obligations, including to competent regulatory, prosecuting and other governmental agencies, or litigation counterparties, in any country or territory or where we are otherwise required by law to disclose.
We do not share or sell your personal information with third parties for such third parties’ direct marketing practices; nor do we sell personal information (as contemplated by the CCPA) about you that you have provided to us or that we may have collected.
If you are a California resident, you have the following rights as set forth in the CCPA:
a) Right to Know. You have the right to request that we disclose to you the following information covering the 12 months preceding your request.
- The categories of Personal Information we collected about you and the categories of sources from which we collected such Personal Information.
- The specific pieces of Personal Information we collected about you.
- The business or commercial purpose for collecting Personal Information about you.
- The categories of Personal Information about you that we otherwise shared or disclosed, and the categories of third parties with whom we shared or to whom we disclosed such Personal Information.
b) Right to Request Deletion. You have the right to request that we delete Personal Information we collected from you.
c) Right to Be Free from Discrimination. You have the right to be free from unlawful discrimination for exercising your rights under the CCPA.
9. Your Australian Privacy Rights
Under the Australian Privacy Act 1988 (Cth), as amended, including the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (collectively “Aus PA”)), you (if you are an Australian resident) may have certain privacy rights in connection with your Personal Information (as such term is described in the Aus PA). Some of those rights and disclosure requirements are already outlined in the various Sections above.
Collection of Information
We collect the personal information categories outlined below, which we may disclose to other legal entities within SS&C, third party service providers who host our website or other information technology systems or otherwise hold or process your information on our behalf, under substantially similar conditions of confidentiality and security, and business partners, suppliers and sub-contractors for our operational business purposes:
- Identifiers, such as name, contact information, date of birth, gender, tax file number, financial details, online identifiers and any other required information to maintain a super fund’s records in a format that identifies the member. These records are essential to the proper management of a superannuation fund (Fund) and to enable the Fund to provide members with superannuation benefits and may be provided by the Fund to us.
- Personal information, as defined in the Aus PA.
- We might also collect health information on behalf of our clients to enable death or disability insurance cover from the Fund’s insurer or to process a member’s disability claim. Information about a member’s potential beneficiaries is also held by us or our client.
- Professional or employment-related information, such as company name.
Depending on how you choose to interact with us, we may collect your personal information when you contact us by telephone, email, through our website or when you complete an application form.
We do not share or sell your personal information with third parties for such third parties’ direct marketing practices; nor do we sell personal information (as contemplated by the Aus PA) about you that you have provided to us or that we may have collected.
If you are an Australian resident, you have the following rights as set forth in the Aus PA:
Access to and Correction of Personal Information
- You can access your own personal information by contacting us. Requests for access to your personal information will be responded to within a reasonable period after the request is made. Access to your personal information will be given in the manner requested by you, if it is reasonable and practical to do so. A fee for providing the requested access may apply. There are some circumstances in which we are entitled to deny you access to your personal information. These include circumstances where such personal information is used in confidential decisions or in a commercially sensitive decision-making process, where the privacy of others may be breached if the personal information was accessed or where the law requires or authorizes such access to be denied. If access to requested information is refused or not provided in the manner requested, or there is a refusal to correct the information, then written notice will be provided setting out reasons for the refusal and mechanisms available to complain about the refusal.
- If we are holding personal information in relation to you that is inaccurate, out of date, incomplete, irrelevant or misleading or you request to correct the information, we will take reasonable action to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.
Transfer of Personal Information Overseas
In certain situations, personal information that we collect may be disclosed to other legal entities within SS&C, third party service providers that operate overseas. This may include India and the United Kingdom that may lead to personal information disclosed to overseas recipients.
Before disclosing personal information overseas, reasonable steps will be taken to ensure the recipient does not breach the Aus PA or the effect is that the information will be protected in at least a substantially similar way in which the Aus PA protect the personal information.
Notifiable Privacy Data Breaches
A data breach happens when personal information is accessed or disclosed without authorisation or is lost. Where we assess that we have reasonable grounds to believe that an eligible data breach has occurred, we will notify you and the Australian Information Commissioner about the breach when a data breach involving personal information is likely to result in serious harm.
How do you Contact Us regarding your rights under the Aus PA?
In addition to the contact details in section 10 of this SS&C group privacy policy, if you have any questions, complaints, feedback, or would like further information about this Australian privacy policy, or if you wish to make a complaint as regards our compliance with the Aus PA when processing your information you can contact us by:
Post: Level 17, 469 La Trobe St Melbourne VIC 3000
Phone: (03) 9903 6700
Website: www.ssctech.com/about/disclosures/dst-bluedoor
10. Contact us
We welcome questions, comments and requests regarding this privacy policy and our processing of personal information. Please send them to 1 St. Martin’s Le Grand, London, EC1A 4AS or email us at gdpr_dpo@sscinc.com.
To make a request for the disclosures or deletion described under Section 8, please contact us by phone toll free at +1-800-234-0556 or by email at gdpr_dpo@sscinc.com.
We will respond to your request consistent with applicable data protection laws. Depending upon the type of business relationship that you have with us, we may need to notify you that additional information is necessary to authenticate your identity for your data security or that we will refer your inquiry to the financial services entity that holds the primary relationship with you.
For requests to delete your personal information as permitted under applicable data protection laws, we will work with you to accomplish your requests unless otherwise exempted under applicable data protection laws, such as compliance with applicable law or regulatory inquiry.
11. Changes to this policy
Any changes we make to this privacy policy in the future will be posted to our website and also available if you contact us. Please check back frequently to see any changes.