GDPR Privacy Notice
This privacy notice (“GDPR Privacy Notice”) describes how Affiliated Managers Group, Inc. (“AMG”) collects and uses personal data (“GDPR Personal Data”) covered by the European Union’s General Data Protection Regulation 2016/679 (the “GDPR”). AMG is committed to protecting the privacy of those who share their GDPR Personal Data with us, and this notice summarizes the standards we will apply in relation to GDPR Personal Data.
GDPR Personal Data may be collected by AMG or by one of our global distribution offices (each an “AMG Company” and, together with AMG, the “AMG Group”), listed below:
- Affiliated Managers Group Limited
- AMG Limited (DIFC Representative Office)
- Affiliated Managers Group (Hong Kong) Limited
- Affiliated Managers Group (Asia) Limited
- Affiliated Managers Group Korea, LLC
- Affiliated Managers Group Pty Limited
- AMG Funds LLC
References to AMG throughout this GDPR Privacy Notice should be understood to reference the AMG entity that collected, or was provided with, your GDPR Personal Data.
1. COLLECTION AND USE OF GDPR PERSONAL DATA
Who we collect GDPR Personal Data about
AMG may collect GDPR Personal Data of current or prospective clients of our Affiliates, through marketing and distribution activities. Where clients are businesses, we may collect GDPR Personal Data about the employees or representatives of those businesses for these purposes. We may also collect relevant GDPR Personal Data of employees of Affiliates.
How we use and share GDPR Personal Data
We may collect, store and use GDPR Personal Data in order to conduct our business as a global asset manager, and to provide support to the business activities of our Affiliates. Due to the global nature of our business, we may share GDPR Personal Data among the entities in the AMG Group and with our Affiliates. GDPR Personal Data of Affiliates’ clients may be shared among the entities in the AMG Group, in connection with marketing activities, or to support strategic business opportunities for our Affiliates.
Similarly, GDPR Personal Data may be shared with third parties who provide professional services to us, such as technology companies who support our computer systems, or to our external auditors or other professional consultants. We may process GDPR Personal Data or make disclosures to third parties or government agencies as required by law, for example, in support of our anti-money laundering (“AML”) controls.
As part of our commitment to confidentiality, we do not share confidential information of employees or partners at our Affiliates, or potential Affiliates, with other Affiliates.
How we collect GDPR Personal Data
AMG may collect GDPR Personal Data from general business and marketing activities with Affiliate clients, as part of investment due diligence processes, from our Affiliates (including in investment agreements). AMG may also collect GDPR Personal Data from authorized third parties acting on behalf of our Affiliates, such as accountants, attorneys and consultants.
The types of GDPR Personal Data we may collect directly from Affiliates’ clients are generally limited to contact information. From time to time, we may also collect incidental health or family information for relationship management purposes.
The types of GDPR Personal Data we collect (directly or indirectly) from Affiliates or their authorized agents may include contact information, financial information and, in certain cases, health information and background check information.
Why we collect GDPR Personal Data
We may collect and process GDPR Personal Data for our legitimate interests or the legitimate interests of Affiliates, and third parties to whom we transfer your GDPR Personal Data (provided that such legitimate interests are not overridden by your interests or your fundamental rights and freedoms). Our legitimate interests include the following:
- enabling collaboration within the AMG Group and with our Affiliates;
- ensuring business continuity within the AMG Group and with our Affiliates;
- improving the quality of the services of the AMG Group and of our Affiliates;
- performing investment related due diligence in connection with potential new investments;
- ensuring that the AMG Group and our Affiliates comply with applicable laws;
- enabling the AMG Group and our Affiliates to exercise and defend legal claims; and
- ensuring the AMG Group and our Affiliates comply with requests from governmental, quasi-governmental and judicial bodies and regulators for information relating to its business.
We also may collect and process GDPR Personal Data in connection with the performance of a contract with you, or in order to take steps at your request before entering into that contract, or to comply with our legal obligations.
2. INTERNATIONAL TRANSFERS OF GDPR PERSONAL DATA
The sharing of GDPR Personal Data may require the transfer of the data outside the European Economic Area (“EEA”) (or the UK), including to AMG Companies in the United States, Australia, Hong Kong, Korea, Japan and the Dubai International Finance Centre, as well as Affiliates in the Channel Islands, the United States, Canada and Hong Kong, and to third party service providers in Switzerland, the United States, Australia, Hong Kong, Korea, Japan and the Dubai International Finance Centre.
Of these countries, currently only the laws of the Channel Islands and Switzerland have been deemed by the European Commission to provide for an adequate level of protection of GDPR Personal Data. Nevertheless, all transfers are subject to appropriate safeguards, specifically on the basis of contracts with the recipients that include standard data protection clauses adopted by the European Commission (which can be found here).
3. KEEPING INFORMATION SECURE AND LIMITING ACCESS
AMG has a formal information security program, designed to develop and maintain privacy and data security practices to protect company assets and sensitive third-party information (including GDPR Personal Data). We seek to protect against anticipated threats or hazards to the security or integrity of such information, and against unauthorized access to, or use of, GDPR Personal Data that creates a substantial risk of financial loss, identity theft, fraud or reputational harm.
Our information security protocols comprise internal and external resources designed to identify, protect, detect, resolve, and recover from various threats and attacks of malicious actors. We have documented strategies, policies and procedures in place to protect employee, business, and client data (including GDPR Personal Data) in the event of an emergency or natural disaster. We also have a documented incident response plan, with defined roles and responsibilities that address notification obligations and procedures in the event of a data breach.
4. RETENTION OF GDPR PERSONAL DATA
The length of time that we may hold your GDPR Personal Data will vary, depending on the purpose for which we are using it and any applicable legal obligations in the relevant various jurisdictions. Your GDPR Personal Data will be destroyed or erased from our systems when it is no longer required for the purposes set out above, provided that we may retain your personal data in order to comply with applicable laws, rules and regulations.
5. YOUR RIGHTS
You have various rights under data protection laws regarding the processing of your GDPR Personal Data, including, in certain circumstances, those summarized below:
The right of access – Upon request, you are entitled to access a copy of your GDPR Personal Data held by us and to be provided with information in relation to that GDPR Personal Data.
The right to accuracy – Upon request, you are entitled to have inaccurate GDPR Personal Data amended or erased, and to have incomplete GDPR Personal Data completed. We encourage you to contact us if you believe there are any inaccuracies in any communications to you, so that we may promptly make any necessary corrections.
The right to erasure (‘right to be forgotten’) – You have the right to request that we delete your GDPR Personal Data, such as where we no longer require your information or no longer have a lawful basis for processing it. However, there are circumstances where we may not be able to respond to your request due to another overriding regulatory or legal obligation (such as AML obligations).
The right to restrict processing – In certain circumstances, you may request that processing of your GDPR Personal Data be restricted. For example, where the accuracy is contested, you may request a restriction until we verify the data.
The right to object – In certain circumstances, you have the right to object to us processing your GDPR Personal Data (such as, where our processing is on the basis of our legitimate interests and/or where we process for direct marketing purposes).
The right to portability – Where we are processing your GDPR Personal Data on the basis of a contract with you, you have the right to request a copy of your GDPR Personal Data in a machine-readable format for the purposes of transferring it to another data controller and/or for us to transfer your GDPR Personal Data to another data controller.
You may exercise these rights by submitting a request via email or in writing using the contact details provided below. You also have the right to lodge a complaint with a supervisory authority (such as the Information Commissioner’s Office in the UK).
6. CONTACT INFORMATION
If you have any questions concerning this notice, please contact Simon Osborne (AMG Data Protection Specialist) at +44 20 7290 6817, via email at firstname.lastname@example.org, or in writing at Affiliated Managers Group Limited, 35 Park Lane, London W1K 1RB.