Privacy Statement

Privacy Statement

Last revised: 18th May 2018

Introduction

Welcome to the CDX website (the "Website"). This Privacy Statement applies to the entity within the Deloitte Network that invited you to use this Website, and it describes the ways in which your personal information is collected in connection with your use of this Website, the purposes for which your personal information is used, and how it is shared.

This Website may contain links to other sites, including, without limitation, sites maintained by other entities within the Deloitte Network, which may not be governed by this Privacy Statement. Users of this Website are encouraged to review each website's privacy statement before disclosing any personal information. As used in this Privacy Statement, the "Deloitte Network" means Deloitte Touche Tohmatsu Limited (“DTTL”), the member firms of DTTL, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. To learn more about Deloitte’s global network of member firms, please visit www.deloitte.com/about.

Information Collection and Use

In order to gain access to this Website, limited personal information will be collected from you or the company for which you work as an employee, director, partner, or principal, including your name, your company name, your email address, and your phone number. This information is used to create and manage your account and verify your identity each time you log in to this Website. Your information may also be used to communicate with you and provide you with information that is relevant to you, to customize and improve this Website, and to respond to your inquiries and requests.

In addition to the purposes described above, your personal information may be used for the purposes of, or in connection with, applicable legal or regulatory requirements, professional standards, requests from and communications with competent authorities, and protecting the rights and/or property of entities within the Deloitte Network and users of this Website.

To the extent permitted by applicable local laws and regulations on data protection and data security, and subject to application of this Privacy Statement, your personal information may be used for marketing purposes or to send you promotional materials or communications regarding services provided by entities within the Deloitte Network that may be of interest to you. You may also be contacted for feedback on services provided by entities within the Deloitte Network or for market or other research purposes.

You may request that entities within the Deloitte Network discontinue sending you emails or other communications at any time.

Use of this Website may be subject to review, monitoring, and recording at any time to confirm compliance with the Terms of Use for this Website and that only authorized parties are accessing this Website using your user login and password.

Please note that this Privacy Statement covers the personal information that is collected in connection with your use of this Website only. Any other information uploaded to or posted on this Website will be used in accordance with the terms of the relevant engagement letter or this Website’s Terms of Use, as applicable.

Legal Basis for Information Processing

Your personal information will be used for the purposes outlined above because: (a) one or more entities within the Deloitte Network have a legitimate interest in the effective delivery of services to you or a client of an entity/entities within the Deloitte Network; (b) the information is required in order to provide services to you or a client of an entity/entities within the Deloitte Network; or (c) one or more of the entities within the Deloitte Network are subject to legal or regulatory obligations, such as providing information to a public body or law enforcement agency.

Log Information, Cookies and Web Beacons

This Website collects standard internet log information, including a user’s IP address, browser type and language, access time, and referring website address.

This Website also uses cookies (small text files stored on a user’s device) to identify users when they connect to the site. A user’s browser must be enabled to allow cookies in order to access this Website. Upon successful login, cookies are created and placed on the user’s machine. In addition to information related to authentication, information may be stored in the cookies in order to direct a user to the correct site location. To ensure that this Website is well managed and to facilitate improved navigation, cookies or web beacons (electronic images that allow a website to count visitors who have accessed a particular page and access certain cookies) may be used to collect aggregate data.

Most browsers can be set to inform you when a cookie has been sent to you and provide you with the opportunity to reject that cookie. However, in some cases, refusing a cookie may preclude you from using or negatively impact the display or function of this Website or certain areas or features of this Website.

By using this Website, you agree that cookies can be placed on your computer or device as explained above. Please contact the CDX Response Centre if you would like more detailed information on the cookies used by this Website.

Disclosure of Information to Third Parties

In connection with one or more of the purposes outlined in the "Information Collection and Use" section above, the personal information that is collected from you or the company for which you work may be disclosed to:

• other entities within the Deloitte Network;
• third parties that provide services to one or more entities within the Deloitte Network, such as website and system hosting, management, and support;
• other entities within the Deloitte Network and other third parties as part of a corporate transaction, such as a divesture, reorganization, merger, or acquisition; and
• competent authorities, including courts and authorities regulating one or more entities within the Deloitte Network, in each case to comply with legal or regulatory obligations or requests.

Please note that this Website is hosted in the United Kingdom and the United States. Additionally, some of the recipients of your personal information referenced above may be based in countries or regions outside of your home jurisdiction. Accordingly, any personal information that is collected in connection with your use of this Website may be transferred to countries or regions without data protection rules similar to those in effect in your home jurisdiction.

In such cases, adequate safeguards designed to protect your personal information will be put in place. Where the recipient is outside of the European Economic Area ("EEA"), the adequate safeguard might be a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission for transfers of personal information to third countries.

For further details on the transfers described above and the adequate safeguards used with respect to such transfers, please contact the CDX Response Centre.

Non-personal, de-identified, and aggregated information may also be shared with third parties for several purposes, including data analytics, research, submissions, thought leadership, and promotional purposes.

Information Security

Reasonable commercial standards of technology and operational security are in place and designed to protect your personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

Information Retention

Your personal information will be retained as long as is necessary for the fulfillment of the purposes identified above in the “Information Collection and Use” section or as otherwise necessary to comply with applicable laws or professional standards. Where personal information is no longer necessary or relevant for the identified purposes, your personal information will be disposed of securely.

Your Rights

You have various rights in relation to your personal information. In particular, you have a right to:

• obtain confirmation that your personal information is being processed, and request a copy of your personal information; and
• ask that the personal information held about you be corrected or supplemented if such information is inaccurate or incomplete.

Depending on the jurisdiction in which you are located, you may also have the right to:

• ask that the personal information held about you be deleted, or restrict the way in which such information is used; and
• object to the processing of your personal information.

If you are interested in exercising any of the abovementioned rights or would like to raise a question about the processing of your personal information, please contact the CDX Response Centre.

You may also contact the CDX Response Centre if you wish to make a complaint relating to your personal information or privacy.

If you are located in the EEA and are unsatisfied with the way in which your personal information has been processed or the manner in which a privacy query or request that you have raised has been handled, you may have a right to complain to the relevant Data Protection Authority ("DPA"). For additional information or to be directed to the appropriate DPA, please contact the CDX Response Centre.

Changes to this privacy statement

This Privacy Statement may be modified or amended from time to time. When changes are made to this Privacy Statement, the revision date at the top of this page will be amended, and such modified or amended privacy statement shall be effective as to you and your personal information as of that revision date. As a user of this Website, you are encouraged to review this Privacy Statement periodically to be informed about how your personal information is protected.

Questions

If you have any questions regarding this Privacy Statement or your personal information or would like additional information, please contact the CDX Response Centre.