Privacy Notice (U.S.)

Effective Date: January 31, 2024

Background

 

This privacy notice (“U.S. Privacy Notice”) describes how Affiliated Managers Group, Inc. (“AMG”) collects, uses, and discloses Personal Data.  When we use the term “Personal Data” (also referred to under various laws as “Personal Information”) in this U.S. Privacy Notice, we mean any information that identifies an individual person or reasonably relates to an identifiable individual. This notice describes the types of Personal Data that AMG may process in compliance with applicable legal and regulatory requirements, the purposes for which we use the data, the circumstances in which we may share the data, and the steps we take to safeguard the data. You agree to the practices regarding your Personal Data described in this U.S. Privacy Notice when you use the AMG website or other AMG services, whether online or offline, or otherwise provide Personal Data to us.

References to AMG throughout this U.S. Privacy Notice should be understood to reference AMG only.

Personal Data collected by the offices in our global capital formation group (each an “AMG Company” and, together with AMG, the “AMG Group”) may be covered by a separate privacy notice, depending on the relevant entity and jurisdiction. This U.S. Privacy Notice is not intended to supersede or replace any policies or rights that may be in effect in other jurisdictions or nations.  Please see our Privacy Notice (Non-U.S.) for information regarding how AMG processes Personal Data covered under the European Union’s General Data Protection Regulation 2016/679 (“GDPR”).

 

1. Collection and Use of Personal Data

 

AMG does not sell Personal Data to third parties.

 

Who we collect Personal Data about
AMG may receive Personal Data of current or prospective clients of our Affiliates. Where clients are businesses, we may receive Personal Data about the employees or representatives of those businesses.  We may also receive relevant Personal Data of employees or partners of Affiliates.

 

Types of Personal Data Collected
The types of Personal Data we may receive directly from Affiliates’ clients are generally limited to contact information, such as postal or email address and phone number.  From time to time, we may also receive incidental health or family information for relationship management purposes.

The types of Personal Data we receive (directly or indirectly) from Affiliates or their authorized agents may include contact information, financial information and, in certain cases, health information and background check information.

The types of Personal Data we may receive from the AMG Group are typically limited to contact information for the various service providers to the company, and name and contact information on the directors of the company required for corporate administration purposes.

AMG may also receive Personal Data in connection with the performance of a contract, or in order to take steps before entering into that contract, or to comply with our legal obligations.

 

How we use and share Personal Data
We do not sell Personal Data.

We may receive, store, and use Personal Data in order to conduct our business as a global asset manager, and to provide support to the business activities of our Affiliates.  Due to the global nature of our business, we may share Personal Data among the entities in the AMG Group and with our Affiliates.  Personal Data of Affiliates’ clients may be shared among the entities in the AMG Group, in connection with marketing activities, or to support strategic business opportunities for our Affiliates.

Similarly, Personal Data may be shared with third parties who provide professional services to us (“Service Providers”), such as technology companies that support our computer systems, or to our external auditors or other professional consultants. Service Providers may only use the Personal Data that we share with them for AMG business purposes, as we direct, and cannot otherwise store, use, or disclose Personal Data they receive from AMG. We may use Personal Data or make disclosures to third parties or government agencies as required by law, for example, in support of our anti-money laundering (“AML”) controls.

We may share Personal Data for the following reasons:

  • To cooperate with regulators during periodic regulatory examinations or in accordance with law enforcement requests, court orders, or other judicial or administrative proceedings;
  • To investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our policies, or as evidence in litigation in which we are involved or as otherwise permitted or required by law or regulation;
  • In the event we are acquired by or merged with another company or if our assets are restructured or transferred to another company; and
  • In connection with the making, management, or disposition of any investment by an Affiliate’s client.

As part of our commitment to confidentiality, we do not sell or share confidential information of employees, partners or clients at our Affiliates, or potential Affiliates, with other Affiliates.

 

How we collect Personal Data
AMG may receive Personal Data through the general business and marketing activities of the AMG Group, as part of investment due diligence processes, or from our Affiliates.  AMG may also receive Personal Data from authorized third parties acting on behalf of our Affiliates, such as accountants, attorneys, and consultants.

 

2. Data Retention

 

AMG retains Personal Data for as long as necessary to fulfill the purposes for which such Personal Data was collected or to comply with its legal obligations, resolve disputes or enforce agreements. The criteria used to determine the retention periods include: (i) how long the Personal Data is needed to provide the services and operate the business; (ii) the type of Personal Data collected; and (iii) whether AMG is subject to a legal, contractual, or similar obligation to retain the data.

 

3. Keeping Information Secure and Limiting Access

 

AMG has a formal information security program, designed to develop and maintain privacy and data security practices to protect company assets and sensitive third-party information (including Personal Data).  We seek to protect against anticipated threats or hazards to the security or integrity of such information, and against unauthorized access to, or use of, Personal Data that creates a substantial risk of financial loss, identity theft, fraud, or reputational harm.

Our information security protocols comprise internal and external resources designed to identify, protect, detect, resolve, and recover from various threats and attacks of malicious actors.  We have documented strategies, policies, and procedures in place to protect employee, business, and Affiliate client data (including Personal Data) in the event of an emergency or natural disaster.  We also have a documented incident response plan, with defined roles and responsibilities that address notification obligations and procedures in the event of a data breach. Unfortunately, no security system is 100% secure, and we cannot guarantee the security of all information you provide to us.

 

4. Your Rights

 

Residents of some U.S. states, including residents of California, Connecticut, and several other states, have certain privacy rights, including the right to: (i) request additional disclosures about the Personal Data we collect, use, and disclose, i.e., a “Request to Know (Categories of Information)”; (ii) obtain a copy of Personal Data, i.e., a “Request to Know (Specific Pieces of Information),” sometimes called the Right to Access or Right to Data Portability; (iii) request deletion of Personal Data, i.e., a “Request to Delete Information,” sometimes called the Right to Be Forgotten; (iv) request the correction of Personal Data; and (v) opt out of the sale of Personal Data, sharing of Personal Data for purposes of cross-context behavioral advertising, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects, i.e., a “Request to Opt Out.”

You may exercise these rights by submitting a request by phone, email, or in writing using the contact details provided below.

We will not discriminate against you for exercising any of these rights by, for example, offering a different level of service; however, we may be unable to provide certain services, such as if you ask us to delete information required to deliver the service.

When you submit a request, we may need to obtain information about you or your request to verify your identity before we can process your request. You may submit requests through an authorized agent, in which case we will need to verify the agent’s identity, your identity, and their authority to act on your behalf before we can process the request.

 

5. Contact Information

 

If you have any questions concerning this notice, please contact Shari Marshall (AMG Data Protection Specialist) at 1.800.345.1100, via email at shari.marshall@amg.com, or in writing at Affiliated Managers Group, Inc., P.O. Box 1000, Prides Crossing, MA 01965.

 

6. Changes to this U.S. Privacy Notice

 

AMG may change or update this U.S. Privacy Notice from time to time and the “Effective Date” at the top of the page indicates when this U.S. Privacy Notice was last revised. It is your obligation to review the U.S. Privacy Notice from time to time. By using our services and visiting our website, you represent that you read, understand, and accept the terms of this U.S. Privacy Notice. Your continued use of our website and services following the posting of changes to terms contained in this notice will mean you understand and accept those changes.





Privacy Notice (Non-U.S.)

Effective Date: January 31, 2024

Background

 

This privacy notice (“Non-U.S. Privacy Notice”) describes how AMG collects and uses personal data covered by the European Union’s General Data Protection Regulation 2016/679 (the “EU GDPR”) and the EU GDPR as it forms part of the law of England, Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”) (“Personal Data”). AMG is committed to protecting the privacy of those who share their Personal Data with us, and this notice summarises the standards we will apply in relation to Personal Data.

Personal Data may be collected by AMG or by our global capital formation team (each an “AMG Company” and, together with AMG, the “AMG Group”), through any of the entities listed below:

  • Affiliated Managers Group Limited (“AMG UK”)
  • Affiliated Managers Group (Europe) Limited (“AMG Europe”)
  • AMG Limited (DIFC Representative Office) (“AMG Dubai”)
  • Affiliated Managers Group Pty Limited (“AMG Australia”)
  • AMG Funds LLC (“AMG Funds”)
  • Affiliated Managers Group, Inc. (“AMG, Inc.”)

References to AMG throughout this Non-U.S. Privacy Notice should be understood to reference the AMG entity that collected, or was provided with, your Personal Data.

 

1. Collection and Use of Personal Data

 

Who we collect Personal Data about
AMG may collect Personal Data of current or prospective clients of our Affiliates, through marketing and distribution activities. Where clients are businesses, we may collect Personal Data about the employees or representatives of those businesses for these purposes. We may also collect relevant Personal Data of employees of Affiliates.

 

How we use and share Personal Data
We may collect, store and use Personal Data in order to conduct our business and provide support to the business activities of our Affiliates. Due to the global nature of our business, we may share Personal Data among the AMG Group and with our Affiliates. Personal Data of Affiliates’ clients may be shared among the entities in the AMG Group, in connection with marketing activities, or to support strategic business opportunities for our Affiliates.

Similarly, Personal Data may be shared with third parties who provide professional services to us, such as technology companies who support our computer systems, or to our external auditors or other professional consultants. We may process Personal Data or make disclosures to third parties or government agencies as required by law, for example, in support of our anti-money laundering (“AML”) controls.

As part of our commitment to confidentiality, we do not share confidential information of employees or partners at our Affiliates, or potential Affiliates, with other Affiliates.

 

How we collect Personal Data
AMG may collect Personal Data from general business and marketing activities with Affiliate clients, as part of investment due diligence processes, or from our Affiliates (including in investment agreements). AMG may also collect Personal Data from authorised third parties acting on behalf of our Affiliates, such as accountants, attorneys and consultants.

 

The Personal Data we collect
The Personal Data we may collect directly from Affiliates’ clients is generally limited to contact information. From time to time, we may also collect incidental health or family information for relationship management purposes.

The types of Personal Data we collect (directly or indirectly) from Affiliates or their authorised agents may include contact information, financial information and, in certain cases, health information and background check information.

 

Our lawful bases for using Personal Data
We may collect and process Personal Data for our legitimate interests or the legitimate interests of our Affiliates, and third parties to whom we transfer your Personal Data (provided that such legitimate interests are not overridden by your interests or your fundamental rights and freedoms). Our legitimate interests for processing Personal Data are:

  • enabling collaboration within the AMG Group and with our Affiliates;
  • ensuring business continuity within the AMG Group and with our Affiliates;
  • improving the quality of the services of the AMG Group and of our Affiliates;
  • performing investment related due diligence in connection with potential new investments;
  • ensuring that the AMG Group and our Affiliates comply with applicable laws;
  • enabling the AMG Group and our Affiliates to exercise and defend legal claims; and
  • ensuring the AMG Group and our Affiliates comply with requests from governmental, quasi-governmental and judicial bodies and regulators for information relating to its business.

2. International Transfers of Personal Data

 

The sharing of Personal Data may require the transfer of the data by AMG Companies in the European Economic Area (“EEA”) or the United Kingdom (“UK”) outside the EEA and the UK, including to AMG Companies in the United States, Australia, Malta and the Dubai International Finance Centre, as well as Affiliates in the Channel Islands, the United States, Canada and Hong Kong, and to third party service providers in Switzerland, the United States, Australia, Hong Kong, Japan and the Dubai International Finance Centre.

Of these countries, currently only the laws of the Channel Islands, Japan and Switzerland have been deemed by the European Commission and the Information Commissioner’s Office in the United Kingdom (“ICO”) to provide for an adequate level of protection of Personal Data (and the ICO’s adequacy finding about Japan is applicable to private sector organisations only). Nevertheless, AMG provides appropriate safeguards when transferring Personal Data outside the EEA or the UK, specifically on the basis of contracts with the recipients that include standard data protection clauses adopted by the European Commission (which can be found here) or the ICO (which can be found here), as appropriate.

 

3. Keeping Information Secure and Limiting Access

 

AMG has a formal information security program, designed to develop and maintain privacy and data security practices to protect company assets and sensitive third-party information (including Personal Data). We seek to protect against anticipated threats or hazards to the security or integrity of such information, and against unauthorised access to, or use of, Personal Data that creates a substantial risk of financial loss, identity theft, fraud or reputational harm.

Our information security protocols comprise internal and external resources designed to identify, protect, detect, resolve, and recover from various threats and attacks of malicious actors. We have documented strategies, policies and procedures in place to protect employee, business, and client data (including Personal Data) in the event of an emergency or natural disaster. We also have a documented incident response plan, with defined roles and responsibilities that address notification obligations and procedures in the event of a data breach.

 

4. Retention of Personal Data

 

The length of time that we may hold Personal Data will vary, depending on the purpose for which we are using it and any applicable legal obligations in the various relevant jurisdictions. We periodically review the Personal Data that we hold to verify whether it is still required. We will not retain your Personal Data for longer than is necessary for the purposes set out above and we will destroy it, or erase it from our systems, when it is no longer required for those purposes, provided that we may retain your Personal Data in order to comply with applicable laws, rules and regulations.

 

5. Your Rights

 

You have various rights under data protection laws regarding the processing of your Personal Data, including:

  • The right of access – Upon request, you may be entitled to access a copy of your Personal Data held by us and to be provided with information in relation to that Personal Data.
  • The right to rectification – Upon request, you may be entitled to have inaccurate Personal Data amended or erased, and to have incomplete Personal Data completed. We encourage you to contact us if you believe there are any inaccuracies in any communications to you, so that we may promptly make any necessary corrections.
  • The right to erasure (‘right to be forgotten’) – You have the right to request that we delete your Personal Data, such as where we no longer require your information or no longer have a lawful basis for processing it. However, there are circumstances where we may not be able to respond to your request, such as another overriding regulatory or legal obligation (such as AML obligations).
  • The right to restrict processing – In certain circumstances, you may request that processing of your Personal Data be restricted. For example, where the accuracy is contested, you may request a restriction until we verify the data.
  • The right to object – In certain circumstances, you have the right to object to us processing your Personal Data (such as where our processing is on the basis of our legitimate interests and/or where we process for direct marketing purposes). In these circumstances, we will terminate: (a) all processing for direct marketing purposes; and (b) processing on the basis of our legitimate interests if we cannot demonstrate that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or that the processing is undertaken for the establishment, exercise or defence of legal claims.
  • The right to portability – Where we are processing your Personal Data on the basis of consent or a contract with you, and we are carrying out the processing by automated means, you have the right to request a copy of your Personal Data in a machine-readable format and/or for us to transfer your Personal Data to another data controller.

You may exercise these rights by submitting a request via email or in writing using the AMG contact details provided in Section 6 below.

You also have the right to lodge a complaint with us (using the AMG contact details provided in Section 6), and with a supervisory authority such as the ICO using the following details:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://ico.org.uk

 

6. Contact Information

 

If you have any questions concerning this notice, please contact Simon Osborne (AMG Data Protection Specialist) at +44 20 7290 6817, via email at dataprivacy@amg.com, or in writing at Affiliated Managers Group Limited, 35 Park Lane, London W1K 1RB.