Privacy Notice for Global Shares Group

Last Updated: January 2022

1. About Us

We are GLOBAL SHARES PUBLIC LIMITED COMPANY and its related companies which include:

Global Shares Execution Services Limited – Malta
Global Shares Financial Services Inc – USA

The following trust companies:

Global Shares Trustees Ireland Ltd – Ireland
Global Shares Trustee Company Limited – UK
Global Shares Trustee (UK) Limited – UK

Our headquarters is at West Cork Technology Park, Clonakilty, Cork, Ireland

Email: [email protected]

Website is www.globalshares.com

References to “We”, “Us” and “Global Shares” shall apply to the company in the group that is processing your Personal Data.

We are a company that:

designs and develops enterprise software;
provides equity compensation management solutions for corporate Users who use share plans to engage, align and reward their employees through share ownership and profit sharing;
is authorised by MFSA, FINRA and SEC to provide share dealing services;
is a trust service provider.

The Global Shares group has its headquarters in Ireland which means that we must comply with the EU General Data Protection Regulation (“EU GDPR”) when processing the Personal Data of all our Users. This means we must provide information to you about how we process Personal Data and set out the basis on which any Personal Data we collect from You, or that You provide to Us, will be used by Us where We are controllers of that Personal Data for the purposes of the GDPR.

In this Privacy Notice, we provide further information about what Personal Data we collect, what we use it for, why we collect it and what our legal basis is, who we share it with and how long we retain it. We also provide detailed information about your rights in relation to your Personal Data. If you have further questions, please get in touch with us using the contact details below.

For Users who are not based in the EU, we have provided additional supplementary information, where relevant to local data protection and privacy laws.

2. Contact details

We have appointed a Data Protection Officer (“DPO”). If you have any questions about this Privacy Notice or the way in which your Personal Data is being used by us, please contact:

The Data Protection Officer

West Cork Technology Park,

Clonakilty, Cork,

Ireland


Email	[email protected]
Telephone	+353 (076) 888 7662
Our website is	globalshares2.wpengine.com

3. The purpose of this privacy notice

This Privacy Notice applies to Personal Data and applies specifically to Users of the Equity Gateway platform who have a share dealing account with Global Shares (“Share Account”).

For Platform Users (hereafter “Users”) who have a Share Account please note that some additional processing activities will be carried out on behalf of your employer in order to administer your Employee Share Scheme. This includes Global Shares receiving information about eligible participants in order to set-up User Share Accounts and providing participation reports and other regulatory scheme information from Global Shares relating to the administration of the Share Scheme
For Users who do not have a share dealing account with Global Shares your employer as controller of your personal data is responsible for providing you with a Privacy Notice on how your personal data is processed. In the case of these schemes Global Shares will only process your personal data on the instructions of your employer and in accordance with your employer scheme rules.

The definition of Personal Data is as follows:

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This Privacy Notice describes our approach to data protection and sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be used by us where we are controllers of that Personal Data for the purposes of the GDPR. Please read this Privacy Notice carefully to understand our views and practices regarding the Personal Data we collect, as controllers under the GDPR, and how we will treat it.

4. Who this privacy notice applies to

This Privacy Notice provides specific information relating to Users who have Share Accounts whose Personal Data we process.

Global Shares has split our Privacy Notice into four separate notices as follows:

Our General Business Privacy Notice describes how we process personal data of business contacts and website visitors.
Our User Privacy Notice (this document) describes how we process data of registered Users who have a Share Account.
Our Recruitment Privacy Notice informs job applicants how we will process their data through our recruitment process.
Our Employee Privacy Notice is made available to all employees via our HRIS platform.

5. Sources of personal data

USERS CONTACT PERSONAL DATA

We collect Contact Personal Data from our Users who have a Share Account.

We source Personal Data in order to manage the Share Accounts. We will only ever source Personal Data that is necessary and in a way that would be generally expected.

We receive Personal Data about you from a variety of sources, as follows:

the Personal Data may be provided by your employer as part of the share scheme administration process;
the Personal Data is provided by you as part of the account activation process;
the Personal Data may be collected through your interaction on the Equity Gateway platform;

6. Categories of personal data

We process the following categories of Personal Data. For each category we have included an example of the type of Personal Data that may be part of that category:

Personal Data Category	Description
Identification Data	may include name, marital status, title, date of birth, gender, PPSN, photographs, job title and employer. It also includes background and verification data such as a copy of passport, driver’s license or utility bills as well as other information we require to comply with our obligations under anti-money laundering legislation.
Contact Data	may include a person’s email address, phone number, postal address, other communication details.
Communication Data	If you interact with us, we will record details of those interactions. For example, we will process details of phone calls to our call centre, email correspondence and any hard copy correspondence.
Platform Data	may include registration information, account number, Communication Data, details of share scheme eligibility and allocations, user logfiles, transaction history, job position, payment details.
Marketing Data	may include Identification Data and Contact Data and any preferences in receiving marketing from us and your communication preferences.
Financial Data	may include financial data such as your account status and history, transaction data, contract data, credit checks, details of the scheme the User is associated with. This also includes payment related information or bank account details and financial data received as part of the services that we offer.
Tax Data	may include Tax identification number (TIN) and Tax residencies
Log Data/APP Data	may include Personal Data provided on any forms on our Equity Gateway platform or via our mobile app.

7. Our legal basis for processing personal data

We process all Personal Data lawfully and in accordance with the requirements of the law. The GDPR sets out the legal grounds for processing Personal Data.

When we process Personal Data, it is generally on one of the following legal basis:

CONTRACT

We will process Personal Data where necessary to perform our obligations relating to or in accordance with any contract that we may have with you or to take steps at your request prior to entering into that contract. When you activate a Share Account, you enter into a contract with us when you complete the account opening task and accept the Share Account terms and conditions.

CONSENT

For certain processing activities we may rely on your consent.

Where we are unable to collect consent for a particular processing activity, we will only process the Personal Data if we have another lawful basis for doing so.

You can withdraw consent provided by you at any time by contacting us at [email protected]

LEGITIMATE INTEREST

At times we will need to process your Personal Data to pursue our legitimate business interests, for example for administrative purposes, to provide information to you, to operate, evaluate, maintain, develop and improve our platform, mobile app and services or to maintain their security and protect intellectual property rights.

We will not process your Personal Data on a legitimate interest basis where the impact of the processing on your interests or fundamental rights and freedoms outweighs our legitimate interests.

You may object to any processing we undertake on this basis.

If you do not want us to process your Personal Data on the basis of our legitimate interests, contact us at [email protected] and we will review our processing activities.

LEGAL OBLIGATION

If we have a legal obligation to process Personal Data, such as anti-money laundering, anti-terrorist legislation or financial markets regulations we will process Personal Data on this legal ground.

8. Out processing activities

We use your Personal Data to provide you with our services and to assist us in the operation of our Employee Share Accounts. Under data protection law, we must ensure that the purpose of processing is clear.

We have set out below the general purpose of processing, the categories of Personal Data processed and the related lawful basis for processing for the Share Accounts.

USERS WITH SHARE ACCOUNTS

Purpose of Processing	Categories of Personal Data	Lawful Basis
Account Activation and Administration • to create a Share Account for you • to contact you in relation to activating your Share Account • to collect information from you in order to complete your Share Account set-up • to fulfil our legal and contractual obligations with regard to setting up a Share Account	• Identification Data • Contact Data • Communication Data	• Contract • Legal Obligation
Management of Share Accounts • to notify you of any outstanding tasks in relation to your Share Account • to complete any transfer or trade requests submitted • to collect up to date demographic information from your Share Account for reporting purposes	• Identification Data • Contact Data • Communication Data	• Contract • Legitimate Interest of Global Shares to effectively manage and operate the Share Accounts
Managing payments and share trade orders • to process payments between us and you, including the use of third-party payment providers • to manage and administer our contracts • to notify you in the event of any issues regarding payments • to process any transfer requests initiated by you • to collect any fees or taxes owed by you	• Identification Data • Contact Data • Communication Data • Financial Data	• Contract • Legitimate Interest of Global Shares to effectively manage and operate the Share Accounts • Legal Obligation
Communications • to send newsletters and other information that maybe of interest • to inform you of events or webinars that might be of interest • to send notifications about changes/updates to our platform and mobile app • to notify you of updates to this Privacy Notice	• Marketing Data • Contact Data • Communication Data • Web Data	• Consent • Legitimate Interest of Global Shares to effectively manage corporate communications
Administration of User Relationship • to respond to any requests from you • to ensure any help request is resolved in a quick and efficient manner • to manage/respond to a complaint/appeal • to edit your record in the event of a change in status • to communicate with you when there are new grants or awards available	• Identification Data • Contact Data • Communication Data • Financial Data	• Contract • Legitimate Interest of Global Shares to effectively manage communications with Users in the employee public share schemes
Platform and Mobile App Delivery • for the proper functioning of the Global Shares Equity Gateway platform and mobile app • administration and management of the Global Shares Equity Gateway platform and mobile app • for internal operations, including support, troubleshooting, data analysis, testing, research, statistical and survey purposes • to ensure the safety and security of our platform and mobile app and our services.	• Contact Data • Identification Data • Platform Data • Log data / App data	• Consent • Legitimate Interest of Global Shares to effectively manage the functioning of the platform and mobile app
To meet our regulatory obligations: • to comply with anti-money laundering (AML) and the countering of the financing of terrorism (CFT) regulations. • to comply with applicable laws including European Directives and US Federal regulations	• Identification Data • Contact Data • Financial Data	• Legal Obligation

9. Disclosure of personal data

In certain circumstances, we may disclose Personal Data to third parties as follows:

To your employer where it is necessary for the employer administration of their Employee Share Schemes;
To business partners and subcontractors for the performance of any contract relating to our services, including email, communication platforms, customer relationship management system, web developers, payment processors, data aggregators, hosting service providers, external consultants, auditors, IT consultants and lawyers;
If we or substantially all of our company is merged with another company or acquired by a third party, in which case Personal Data held by us will be one of the transferred assets;
to other companies in the Global Shares group of companies for the purposes of administration, marketing and provision of our services;
if we are under a duty to disclose or share Personal Data in order to comply with any legal obligation (including tax, audit or other financial regulatory authorities), or in order to enforce or apply any contracts that we have;
to protect our rights, property, or safety, or that of our Users. This may include exchanging Personal Data with other companies and organisations for the purpose of fraud protection. When we engage another organisation to perform services for us, we may provide them with information including Personal Data, in connection with the performance of those functions. We do not allow third parties to use Personal Data except for the purpose of providing these services.
If you use the Global Shares mobile app, Personal Data will be processed by third party service providers such as Google and Apple in the manner contemplated by the services, including, without limitation, disclosure of use of technology to track Users’ activity and otherwise collect information from Users.

10. Security measures

We will take all steps reasonably necessary to ensure that all Personal Data is treated securely in accordance with this Privacy Notice and the relevant law, including the GDPR.

In particular, we have put in place appropriate technical and organisational procedures to safeguard and secure the Personal Data we process.

We monitor for and do everything we can to prevent security breaches of the Personal Data that we process.

Once we have received your Personal Data, we will use strict procedures and security features for the purpose of preventing unauthorised access and ensuring that only those who need to have access to your Personal Data can access it.

We also use secure connections to protect Personal Data during its transmission. Where you have been given (or where you have chosen) a password which enables you to access services, you are responsible for keeping this password confidential. Please do not share your password with anyone.

If you think that there has been any loss or unauthorised access to Personal Data of any individual, please let us know immediately.

11. Transfers outside the EEA

In order to provide our products and services we may need to transfer Personal Data outside the European Economic Area (EEA). We ensure that any transfer of Personal Data outside the EEA is undertaken using legally compliant transfer mechanisms and in accordance with the GDPR.

If we transfer Personal Data outside of the EEA, we generally rely on the Standard Contractual Clauses under Article 46.2 of the GDPR adopted by the EU Commission. We may also rely on some of the other legally compliant transfer mechanisms provided under the GDPR.

12. Retention

In some circumstances it is not possible for us to specify in advance the period for which we will retain your Personal Data. In such cases we will determine the appropriate retention period based on balancing your rights against our legitimate business interests. We may also retain certain Personal Data beyond the periods specified herein in some circumstances such as where required by law or for the purposes of legal claims.

Further information about our retention practices are set out below:

Purpose of Processing	Categories of Personal Data	Retention Period
Account Activation and Administration	• Identification Data • Contact Data • Communications Data	24 months after completion of account activation and service delivery activities in the case where there is no further meaningful engagement.
Management of Equity Gateway	• Identification data • Contact data	24 months after completion of account activation and service delivery activities in the case where there is no further meaningful engagement.
Managing payments and administration of share trades	• Identification Data • Contact Data • Communication Data • Financial Data	24 months after completion of account activation and service delivery activities in the case where there is no further meaningful engagement.
Communications	• Marketing Data • Contact Data • Communication Data • Web Data	7 years after User account closure
Platform and Mobile App Delivery	• Platform Data • Log data / App data	12 months or less
To meet our regulatory obligations:	• Identification data • Contact data	7 years after account closure or longer in the case where there is a specific statutory requirement in your country of residence.

13. Your Rights

EU Users

You have various rights relating to how your Personal Data is used.

Right of access to the Personal Data we hold on you

You have the right to ask for all the Personal Data we have about you. When we receive a request from you in writing, we must give you access to everything we’ve recorded about you as well as details of the processing, the categories of Personal Data concerned and the recipients of the Personal Data.

We will provide the first copy of your Personal Data free of charge, but we may charge you a reasonable fee for any additional copies.

We cannot give you access to a copy of your Personal Data in some limited cases including where this might adversely affect the rights and freedoms of others.

Right of rectification of Personal Data

You should let us know if there is something inaccurate in your Personal Data.

We may not always be able to change or remove that Personal Data, but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

Right of erasure of Personal Data (right to be forgotten)

In some circumstances you can ask for your Personal Data to be deleted, for example, where:

your Personal Data is no longer needed for the reason that it was collected in the first place
you have removed your consent for us to use your Personal Data (where there is no other lawful basis for us to use it)
there is no lawful basis for the use of your Personal Data
deleting the Personal Data is a legal requirement

Where your Personal Data has been shared with others, we will do what we can to make sure those using your Personal Data comply with your request for erasure.

Please note that we can’t delete your Personal Data where:

we are required to have it by law
it is used for freedom of expression
it is used for public health purposes
it is used for scientific or historical research or statistical purposes where deleting the Personal Data would make it difficult or impossible to achieve the objectives of the processing
it is necessary for legal claims.

Right to restrict what we use your Personal Data for

You have the right to ask us to restrict what we use your Personal Data for where:

you have identified inaccurate Personal Data, and have told us of it
where we have no legal reason to use the Personal Data, but you want us to restrict what we use it for rather than erase the Personal Data altogether

When Personal Data is restricted, it can’t be used other than to securely store the Personal Data and with your consent to handle legal claims and protect others, or where it’s for important public interests.

Right to have your Personal Data moved to another provider (data portability)

You have the right to ask for your Personal Data to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.

This right only applies if we’re using your Personal Data with consent and if decisions were made by a computer and not a human being. It does not apply where it would adversely affect the rights and freedoms of others.

Right to object

You have the right to object to processing of your Personal Data which is based on public interest or legitimate interest processing. We will no longer process the Personal Data unless we can demonstrate a compelling ground for the processing.

Right not to be subject to automated decision-making

You have the right not to be subject to a decision based solely on automated processing. This right shall not apply where the processing is necessary for a contract with you, or the processing is undertaken with your explicit consent, or the processing is authorised by law.

You can make a complaint

You have the right to lodge a complaint with the local supervisory authority for data protection in the EU member state where you usually reside, where you work or where you think an infringement of data protection law took place.