European Union Data Privacy Addendum

Last Updated April 2, 2020

PURPOSE OF ADDENDUM

This European Union Data Privacy Addendum, including any future modifications (the “Addendum“), forms a material part of the Company’s Privacy Policy and applies to any “personal data” (as defined under the GDPR) that we may “process” (as defined under the GDPR) through your use of the Services, whether as a guest or as a registered user. While the Company is an American company that is subject to American law, the Company will attempt to give effect to the GDPR for its European users that are entitled to enforce rights under the GDPR to the extent commercially reasonable and to the extent that the GDPR’s requirements do not conflict with the requirements of American law. The purpose of this Addendum is to briefly describe: 1) rights under the GDPR; 2) the legal bases that support the Company’s processing activities; and 3) whether any automated processing methods are used for processing your personal data.

RIGHTS UNDER THE GDPR FOR EUROPEAN DATA SUBJECTS

The GDPR provides “data subjects” (essentially human beings that are the subject of personal data and are residents of the EU or U.K.) with a wide array of rights related to data privacy. The Company may be considered to be a “data controller” under the GDPR with respect to its processing of your personal data. A data controller is essentially a person or organization that can determine how and why your personal data is processed and is responsible for ensuring that you are able to exercise certain privacy rights. Although the Company’s affiliates, service providers, and business partners may also collect and process your personal data, as described in the main body of the Privacy Policy, the Company will always be the data controller with respect to such processing.

If you wish to exercise any of the rights detailed below, please send an email sufficiently detailing such request to: privacy@oneilglobaladvisors.com. Please note that if we receive a request from you to exercise your rights, the Company has the right to have you take reasonable steps to confirm your identity, including your residency within the EU or U.K. The Company is not obligated to, and will not, provide any individualized information or give effect to data subject rights unless the Company can reasonably confirm your identity.

RIGHT TO TRANSPARENT COMMUNICATION

You are entitled to a receive information from the Company regarding its collection and processing of your personal data. All such information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Such information has been provided by the Company in the main body of the Privacy Policy and in this Addendum, as they are amended from time to time.

RIGHT TO ACCESS BASIC INFORMATION

You have the right to obtain confirmation from the Company as to how your personal data are being processed, including the following information:

• Confirmation of whether, where, and by whom your personal data are being processed;
• Purpose(s) for the processing;
• Categories of personal data being processed;
• Categories of recipients with whom the data may be shared;
• The period for which the data will be stored (or the criteria used to determine that period);
• The source of the data (where you were not the source); and
• Information about the existence of, and an explanation of the logic involved in, any automated decision-making that has a significant effect on you.

You may also request to receive an electronic copy of your personal data that are processed by the Company. The Company will generally provide any requested information within one (1) month of receiving an access request; however, if the Company receives a large numbers of requests, or especially complex requests, this time limit may be extended by a maximum of two (2) further months as long as the Company provides you with an explanation for the delay within the original one (1) month timeframe. If the Company fails to meet these deadlines, you may complain to the relevant Data Protection Authority (explained below) and may be able to request a judicial remedy in the relevant EU Member State’s court system.

RIGHT TO DATA PORTABILITY

You have the right to transfer your personal data between controllers (e.g., to move account details from one online platform to another). Specifically, you have the right to:

• Receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• Transfer your personal data from one controller to another;
• Store your personal data for further personal use on a private device; and
• Have your personal data transmitted directly between controllers without hindrance.

Please note that any inferred or derived data (data derived through use of analytical processes) do not fall within the right to data portability, because such data are not provided by you. Additionally, the Company is not obliged to retain personal data for longer than is otherwise necessary simply to service a potential data portability request.

RIGHT TO RECTIFY INFORMATION

The Company is required to ensure that inaccurate or incomplete data are erased or corrected. You have the right to request that the Company corrects or erases personal data that you believe to be inaccurate or incomplete.

RIGHT TO WITHDRAW CONSENT

Your consent can provide a lawful basis for the Company to process your personal data and/or transfer your data internationally. However, you have the right to withdraw such consent. However, please note that the Company will likely have other lawful bases that may apply to the processing or transfer of your data.

RIGHT TO ERASURE/RIGHT TO BE FORGOTTEN

Under the GDPR, in certain circumstances, you may have the right to have the Company erase your personal data, cease further dissemination of the data, and potentially have third parties halt processing your data upon your request. This right is commonly referred to as the “right of data erasure” or “the right to be forgotten.” You have the right to erasure of your personal data if:

• The data are no longer needed by the Company for their original purpose (and no new lawful purpose exists);
• The lawful basis for the processing is your consent, you withdraw that consent, and no other lawful ground exists for the Company to process the information;
• You exercise your right to object to processing and the Company has no overriding grounds for continuing the processing;
• The data have been processed unlawfully; or
• Erasure is necessary for compliance with other EU laws or the national law of a relevant EU Member State.

RIGHT TO OBJECT TO PROCESSING PERSONAL DATA FOR PUBLIC OR LEGITIMATE INTERESTS

Where the Company is processing your personal data on the basis of having a “public interest” or “legitimate interests”, those bases are not absolute and you may have a right to object to such processing. If you object, the Company must cease such processing unless it either: 1) demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms; or 2) requires the data in order to establish, exercise, or defend legal rights.

RIGHT TO OBJECT TO PROCESSING FOR THE PURPOSES OF DIRECT MARKETING

You have the right to object to the processing of your personal data for the purposes of receiving direct marketing from the Company (including “profiling” activities as detailed further below).

RIGHT TO OBJECT TO PROCESSING FOR SCIENTIFIC, HISTORICAL, OR STATISTICAL PURPOSES

Where your personal data are processed for scientific and historical research purposes or statistical purposes, you have the right to object, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

RIGHT TO NOT BE EVALUATED SOLELY ON THE BASIS OF AUTOMATED DECISION-MAKING PROCESSES

Subject to certain exceptions detailed below, you generally have the right to not have any decisions made about you that are based solely on “automated decision-making” processes. An automated decision-making process involves using automated processing activities (activities that do not use human intervention) to make a decision about you that will materially affect you (i.e., a decision that would produce “legal effects” or otherwise have a similar “significant effect”).

Automated decision-making can include “profiling” activities whereby automated processing is used to evaluate certain personal characteristics in order to analyze or predict your preferences, behavior, performance, reliability, location, or movements. Please note that if a human being reviews and takes other factors into account in making a final decision, that decision is not considered to be “based solely” on automated processing.

A legal effect is something that will affect your legal rights, such as your freedom to associate with others, vote in an election, or take legal action. A legal effect could also be something that affects your legal status or rights under a contract, e.g., something that could lead to cancellation of a contract. For data processing to have a significant effect, the effects of the processing must be sufficiently great or important to be worthy of attention. In other words, the decision must have the potential to: significantly affect your circumstances, behavior, or choices; have a prolonged or permanent impact; or at its most extreme, lead to exclusion or discrimination.

In general, the use of automated decision-making processes are permitted where:

• It is necessary for a data controller to enter into or perform a contract with you;
• It is authorized by law; or
• You have explicitly consented and appropriate safeguards are in place.

If a data controller is making decisions based on any automated decision-making processes, you are entitled to a description of what portions of the decision-making will be automated, reasons why automation is logical, and the significance and consequences behind the decision to automate the processing. The Company does not currently utilize any automated decision-making processes that would materially impact data subjects.

RIGHT TO RESTRICT PROCESSING

In some circumstances, you may be entitled to limit the purposes for which the Company can process your personal data. Specifically, you have the right to restrict the processing of your personal data if:

• The accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
• The processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
• The Company no longer needs the data for their original purpose, but the data are still required by the Company to establish, exercise, or defend legal rights; or
• If verification of overriding grounds is pending in the context of an erasure request.

FEES FOR REQUESTS

The Company is required to give effect to your rights of access, rectification, erasure, and the right to object free of charge. However, the Company may charge a reasonable fee for repetitive requests, unfounded or excessive requests, or further copies beyond the initial copy provided.

RIGHT TO MAKE A COMPLAINT TO THE RELEVANT DPA

Data Protection Authorities (“DPAs”) are the regulatory authorities responsible for monitoring and enforcing data protection laws at a national level and providing guidance on the interpretation of those laws. DPAs are empowered to oversee enforcement of the GDPR, investigate breaches of the GDPR, and bring legal proceedings where necessary. If you believe that your rights have been infringed by the Company, you have the right to ask the Company to remedy the situation. If you believe you have not received an adequate response from the Company, you may file a complaint with the relevant DPA (either the DPA for the EU Member State in which you live or work or the Member State in which the alleged infringement occurred). A list of DPAs can be found at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080 (current as of September 2018).

COMPANY’S LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA

Under the GDPR, in order to process your personal data, the Company is required to identify a legal basis (or bases) for its processing activities. The Company’s legal bases for processing your personal data are as described below.

CONSENT

The Company is permitted to process your personal data to the extent you have given consent for the Company to perform processing activities. Please note that your consent to processing can be revoked at any time (though there may be other applicable legal bases that may justify ongoing processing of your personal data). Your consent may be revoked by sending an email that details your desire to revoke consent to: privacy@oneilglobaladvisors.com.

CONTRACTUAL NECESSITY

The Company is permitted to process your personal data to the extent the Processing is necessary:

In order for you to be able to access the Services, it is critical that the Company be able to process your personal data. For example, without being able to process your personal data, the Company would be unable to offer you employment opportunities.

LEGITIMATE INTERESTS

The Company is permitted to process your personal data to the extent the processing is necessary for the purposes of legitimate interests pursued by the Company or a third party (“legitimate interests”), except where those legitimate interests are overridden by your interests, fundamental rights, or freedoms. In order to establish that the Company has a legitimate interest in processing your information, it will complete a Legitimate Interest Assessment Form (“LIA Form”) to ensure that there is adequate consideration and accountability for the decision to conduct the processing. The LIA Form is intended to: 1) assess whether a legitimate interest exists; 2) establish the necessity of the processing; and 3) perform a balancing test to ensure that a particular processing operation does not cause undue interference with your interests, rights, or freedoms. You have the right to object to the Company’s processing of your personal data on the basis of legitimate interests; if you wish to raise such an objection, please send an email detailing your specific objection(s) to privacy@oneilglobaladvisors.com. The Company’s identified legitimate interests for processing your personal data include:

• Processing your data is necessary for legitimate and common business purposes, including operational, administrative, HR, and/or recruitment purposes, and/or to otherwise manage actual and/or potential employment relationships. This includes processing your information in order to:
• As the Company is part of a larger group of related companies, it may be necessary for the Company to transmit your personal data within the organizational group (including to our parent company). Processing is necessary so that data can be shared amongst our affiliates so that each entity can carry out their legal, regulatory, and/or contractual responsibilities and/or coordinate/implement business plans, logistics, and/or operations.
• Processing your personal data is necessary to facilitate the day-to-day operation of our business and to allow for business planning for strategic growth. This includes: managing our relationship with you, our employees, other users/clients, vendors, business partners, and/or others; sharing intelligence with internal stakeholders; implementing training procedures; planning and allocating resources and budgets; performing data modelling; facilitating internal reporting; analyzing growth strategies; aggregating analytics; and/or processing personal information to create anonymized data (e.g., for product improvement, analytics, etc.).
• Processing your personal data is necessary to enable the Company’s business operations to run more efficiently, e.g., establishing how to allocate resources or to predict future demand.
• Processing your personal data is necessary for us to deliver and/or improve our products and services. This includes processing your personal data to determine whether a product or service is working as intended, monitoring usage and conduct, and identifying and troubleshooting issues.
• The Company has a legitimate need to conduct market intelligence so that we can create a better understanding of our users’ preferences. This could include using diagnostic analytics to optimize products and services by assessing/monitoring users’ usage of the products or services and/or conduct while using the products or services. Common metrics for evaluation could include monitoring pages and links accessed, number of posts, number of page views, patterns of navigation, time at a page, devices used, user reviews, where users are coming from, hardware used, operating system version, advertising identifiers, unique application identifiers, unique device identifiers, browser types, languages, wireless or mobile network information, etc. These metrics could be used to: personalize services and communications; determine which users should receive specialized communications based on how they use the product or service; create aggregate trend reports; and/or measure the audience for a certain communication.
• We process personal data in order to enhance and personalize the “consumer experience” we offer our current and/or prospective users/customers in our products and services.
• In order to identify recurring problems and/or analyze the patterns of behavior of users and/or customers, it is necessary for the Company to monitor your performance/behavior on our Services.
• The Company has a legitimate interest in processing personal data in the context of processing the information of a business contact in order to enter into a business relationship with a data subject’s employer.
• It is necessary for the Company to process your personal data for the purposes of conducting due diligence. This could include, for example, monitoring official watch lists, sanction lists, and “do-not-do-business-with” lists published by governments and other official bodies globally. This could also include keyword searches of industry and reputable publications to determine if companies and individuals have been involved in or convicted of relevant offenses, such as fraud, bribery, and/or corruption.
• Processing your personal data is necessary for the Company to help detect and prevent fraud.
• Processing your personal data is necessary to verify the accuracy of your user data and to create a better understanding of our past, present, and/or prospective users.
• Processing your personal data is necessary for the purposes of ensuring our network and information security, e.g., monitoring users’ access to our network for the purpose of preventing cyber-attacks, inappropriate use of data, corporate espionage, hacking, system breaches, etc. This could include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping “denial of service” attacks and damage to computer and electronic communication systems.
• The Company processes your personal data because it is necessary to allow for the backup and protection of your information (e.g., utilizing cloud-based services to archive/protect data) in order to ensure that such information is not improperly lost or modified. Such processing is also necessary to archive/protect data in accordance with legal, regulatory, organizational, and/or contractual obligations.
• In processing your personal data, the Company may process your data utilizing an algorithm that helps to streamline organizational processes.
• The Company is subject to binding legal or regulatory obligations and needs to process your personal data in order to comply with such laws or regulations. Examples include complying with reporting obligations, complying with screening obligations, responding to law enforcement requests, and/or responding to judicial/regulatory agency requests.
• The Company’s Affiliates are part of several industry self-regulatory organizations, including data privacy and security organizations. Such organizations were formed in order to address various concerns, including developing industry standards and best practices to protect the industry; sharing intelligence or concerns about individuals (e.g., industry-specific watch lists); sharing intelligence or concerns that may have a negative or detrimental impact on the industry; and/or ensuring that participants in the industry are following agreed-upon standards. We are required to process data so that we may stay in compliance with these self-regulatory schemes.
• The Company has a legitimate interest in reporting possible criminal acts or threats to public security/safety that we identify as part of our processing activities to a competent authority.

BINDING LEGAL OR REGULATORY OBLIGATIONS

The Company is permitted to process your personal data where it has a binding legal or regulatory obligation to perform the processing to stay in compliance with applicable laws or regulations (e.g., tax reporting purposes). Other examples could include where the Company or one of its Affiliates is required to respond to a court order, subpoena, or law enforcement agency request, to prevent fraud or abuse, or to protect the safety of individuals. Were the Company not able to process your personal data for such purposes, the Company could be subject to fines, penalties, and/or civil or criminal liability.

INTERNATIONAL DATA TRANSFERS

If you access the Services from the EU or U.K., you are voluntarily transmitting your personal data to the United States so that the Company can conduct certain processing activities as identified in the Privacy Policy and/or in this Addendum. Your data will also be processed by certain third-party data processors located in the United States (including the Company’s affiliated entities, Business Partners, and service providers). The Company shall ensure that any transfers made between itself and any data processors are made with appropriate safeguards in place to protect the information from unauthorized uses or disclosures to the extent reasonably possible. For processors that process your personal data on the Company’s behalf, and will then transfer data to the United States or another jurisdiction that is not deemed to have adequate safeguards, the Company shall ensure that appropriate safeguards (e.g., “Standard Contractual Clauses”), are in place between the Company and the processor. Standard Contractual Clauses are a set of standard data protection clauses approved by the European Commission (“EC”) as an appropriate safeguard for protecting personal data when personal data are transferred internationally. The applicable Standard Contractual Clauses may be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=EN.

PERSONAL DATA OF DATA SUBJECTS UNDER THE AGE OF SIXTEEN (16)

The Services are for a general audience and are not targeted to data subjects under the age of sixteen (16). The Company and its affiliates do not knowingly process personal data from EU residents under the age of sixteen (16) without parental consent. If such a situation is discovered, we will delete that information immediately. If you believe the Company has any information from an EU resident under the age of sixteen, please contact us online via privacy@oneilglobaladvisors.com