Last Updated: February 11, 2019
BBH is the data controller for personal information that we collect through the Site. We are also the controller for personal data we collect for our key business contacts. For personal data provided in relation to our business products there are times when we are a controller. If you have questions on when we are acting as a controller or our processing of your personal data (or about any content in this policy) please find our contact details, including the contact details of our Data Protection Officers in the How to Contact Us section at the end of this policy.
Please read this policy carefully. Your use of the Site and/or the Services, including your disclosure of any personal information into the Site and/or Services is subject to and governed by this policy.
Information we collect
We collect and store information that you voluntarily provide to us, information related to your Site visit and usage, as well as information provided to us by or through our clients in connection with our Services. We also collect certain information when you:
- submit enquiries via an online form;
- sign up to Services offered by BBH; or
- apply for jobs with BBH via our online portal.
Information that you provide us
Personal information that you provide directly to us will be apparent from the context in which you provide it, for example:
- if you fill out a form on our Site, you will generally provide your name, contact details and any other information required by the form, such as the content of your inquiry;
- if you sign up to receive electronic marketing communications from us, you will generally provide your name, email address and other contact information, and your product preferences;
- if you sign up for any of the online services we provide, you will generally provide your name and contact information and any other information necessary to access the feature;
- if you apply for a role with BBH via our online application facility, you will generally provide your name, contact details and a copy of your CV or resume, and if you apply using your LinkedIn profile, you will generally provide information about your LinkedIn account.
- If you are a key contact in a business that has a business account with BBH, we generally have your name, email address, phone number, title and other information relevant to your interaction with BBH on behalf of your employer.
- if you are a person that we hold information on in relation to a business product or service held with us, we generally have information you have provided to us in order to open and administer your account and or the register of the Fund(s) you own shares of, which could include data to detect and prevent fraud, anti-money laundering and terrorism financing as well as to perform negative news and sanctions screening.
Information that we collect automatically
Our web servers may log information such as your device type, operating system type, browser type, domain, and other system settings, as well as the language your system uses and the country and time zone where your device is located. The web server logs may also record information such as the address of the web page that referred you to our Site and the IP address of the device you use to connect to the Internet. They may also log information about your interaction with the Site, such as which pages you visit. To control which web servers collect information by automated means, we may place tags called “web beacons” – small files that link web pages to particular web servers and their cookies. We may also collect information from your browser, such as your browsing history, and use it in conjunction with data gathered from forms and emails to help understand and respond to your needs.
“Do Not Track” Signals
We recognize that certain jurisdictions have enacted laws that require higher protection of certain sensitive personally identifiable information, such as state or national ID numbers, or other information regarding racial or ethnic origin, health or medical records (“Sensitive Data”). As a general rule, we do not collect Sensitive Data from you.
In the limited cases where we do seek to collect such information, we will seek to do so only in accordance with applicable data privacy law requirements.
How we use and share personal information
Information that we collect from you
We may use your personal information provided for a number of reasons, including, but not limited to:
- To respond to inquiries or service requests and monitor such responses;
- To provide information about and market our products or Services;
- To manage and improve the Site and assess its usage and usage of the Services we provide; and
- To operate our business in accordance with industry standards and applicable law, which may include, in addition to supporting the Services; responding to inquiries and requests, prevent fraud; and monitoring and archiving communications.
- Administering client accounts, including anti-money laundering, sanctions and anti-fraud checks.
We use the personal information for the purposes described above because we have a legitimate interest in operating and improving our business that is not overridden by your interests, rights and freedoms to protect personal information about you. We will only send you direct marketing materials if you have given consent for us to do so, unless such consent is not required, in which case you will be provided the opportunity to opt-out of receipt of direct marketing materials.
Information that we collect automatically
Other uses of your personal information
We also may use the personal information that we collect to protect against and prevent fraud, claims, and other liabilities and to comply with or enforce applicable legal requirements, industry standards, and our policies and terms. We use personal information for these purposes when it is necessary to protect, exercise or defend our legal rights, or when we are required to do so by law that applies to us.
Mobile Phone Information
In connection with certain of our products and services, we may authenticate instructions which purport to come from you by calling back a telephone number which you have previously provided to us. By providing us with a mobile phone number for call back purposes, or by submitting an instruction, you authorize (on behalf of yourself and any Authorized Person) that the appropriate carrier (AT&T, Sprint, T-Mobile, U.S. Cellular, Verizon or any other branded operator) may disclose to us and our third-party service providers the mobile number, network status, customer type, customer’s role, billing type, mobile device identifiers (IMSI [International Mobile Subscriber Identity] and IMEI [International Mobile Equipment Identifier]) and other subscriber status and device details, if available, solely to verify the caller’s identity and prevent fraud for the duration of the relationship. Please note that this information is used only as part of the call back procedure to verify your instruction, and this information is not retained by us after completion of the verification.
In addition to the uses described above, we may use personal information that you provide to us or that we collect for other purposes. Where this is the case, we will provide an additional privacy notice to you that describes the purposes for which we will use the personal information and our legal basis for doing so.
Sharing your personal information
We do not sell any personal information that we collect about you. We do not disclose any personal information about our current or former clients to anyone, except as described in this policy, as permitted by contract or law and subject to confidentiality obligations that apply in certain jurisdictions.
We may disclose or share personal information about our customers to our affiliates, as permitted by law, for our affiliates to provide services. We also may share your personal information with service providers that perform services on our behalf, such as hosting providers and advisers. All service providers have entered into legally binding agreements requiring them to use or disclose personal information only as necessary to perform services on our behalf or comply with applicable legal requirements. We may share personal information with our affiliates and service providers for a number of reasons, including:
- You have requested information about our affiliates’ products and services;
- We rely on services provided by our affiliates and service providers to provide you with the services you require;
In addition, we may disclose your personal information (i) at the request of a bank or other regulatory agency or in connection with an examination of us by bank or other examiners ; (ii) to our internal or external auditors or attorneys; (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss (iv) if we are required or permitted to do so by law or legal process, for example due to a court order or a request from a law enforcement agency, (v) if disclosure is necessary to protect the vital interests of a person, or (vi) in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution, or liquidation).
How we transfer and store personal information
BBH is a global organization; personal information we collect may be transferred internationally throughout the world to countries where we do business, which may not have the same data protection laws as the country in which you reside. We have internal policies and procedures in place to achieve an equivalent level of protection in place across our organization. The transfer of personal information to other countries is based on a business need or to comply with applicable laws. Personal information stored or processed in a foreign jurisdiction may be accessed under a lawful order made in that jurisdiction.
If you are in the European Economic Area (“EEA”), we will comply with applicable legal requirements providing adequate protection for the transfer of personal information to recipients in countries outside of the EEA and Switzerland. In all such cases, we will only transfer your personal information if:
- The country to which the personal information will be transferred to has been granted a European Commission adequacy decision;
- The recipient of the personal information is located in the U.S. and has certified to the EU-U.S. Privacy Shield Framework;
- We have put in place appropriate safeguards in respect of the transfer, for example the EU Model Clauses;
- The recipient of the personal information has adopted Binding Corporate Rules in relation to the personal information transferred; or
- The transfer is otherwise authorized by applicable legal requirements.
You may request a copy of the safeguards that we have put in place in respect of transfers of personal information by contacting us as described in the How to Contact Us section below.
How long we keep personal information
The time period for which we keep personal information depends on the purpose for which we collect it. In all cases we keep it for as long as is necessary to fulfil the purposes for which we collected it. We will then delete or anonymize the personal information, unless we are legally required to retain it or if we need to retain it in order to comply with our legal obligations (for example, for tax and accounting purposes).
Subject to any applicable legal requirements, we typically retain personal information as follows:
- Personal information you provide to us through our Site: we keep this personal information for as long as necessary to respond to your request, and for a short further period in the event that you send us further requests.
- Personal information you provide when you sign up to receive direct marketing communications: we keep most of this personal information for the duration of our relationship with you until you opt out or we do not have any contact with you for a long period of time.
- Personal information collected for analytics purposes: we keep this personal information for a short period of time necessary for us to carry out the analytics. We anonymize or aggregate personal information used for analytics once it is no longer required.
- Website logs: we keep Site audit logs, which may contain your personal information, for several months.
As a person who provides us with personal information, you may inquire as to the nature of the personal information stored at and/or processed by us. You will be provided reasonable access to your personal information held by us and, where appropriate, with the ability to review and correct inaccuracies. We will cooperate in providing such access. All such requests for access may be made by sending a request in writing to: DPO@bbh.com.
If you are in the EEA or Switzerland, you may have the following rights in relation to your personal information that we hold about you:
- To request confirmation of whether we process personal information relating to you and, if so, to request a copy of that personal information;
- To request that we rectify or update your personal information that is inaccurate, incomplete or outdated;
- To request that we erase your personal information in certain circumstances, such as where we collected personal information on the basis of your consent and you withdraw your consent;
- To request that we restrict the use of your personal information in certain circumstances, such as while we consider another request that you have submitted, for example as a request that we update your personal information;
- Where you have given us consent to process your personal information, to withdraw your consent; and
- To request that we provide a copy of your personal information to you in a structured, commonly used and machine-readable format in certain circumstances.
To help protect your privacy and provide security, we may take reasonable steps to verify your identity before we satisfy your request. We shall respond to such reasonable request made by you within such time period as required under applicable law after your identity has been confirmed.
You also have the right to lodge a complaint with the data protection supervisory authority in your country.
We recognize the need to provide particular privacy protections with respect to personal information that may be collected from children. This Site and Services are not aimed at or intended for children.
Effective date and policy changes
How to contact us
By email at: GlobalPrivacy@bbh.com.
In writing at:
50 Post Office Square
Boston, Massachusetts 02110
You may also contact our Data Protection Officers:
By email at: DPO@bbh.com
In writing at:
Attention: Data Protection Officer
Brown Brothers Harriman Luxembourg
80 Route d'Esch, 1470 Luxembourg
Brown Brothers Harriman
30 Herbert St, Grand Canal Dock, Dublin 2, Ireland