Privacy Statement Securities Services & Exchanges

This Privacy Statement explains how and why Securities Services & Exchanges of SIX processes personal data. It applies to all natural persons with whom we come into contact (referred to as “you” in this document). This includes employees, officers, directors, beneficial owners and other personnel of our customers as well as service providers, authorities, and other business counterparties.

Securities Services & Exchanges aims at strong protection of natural persons in regards to processing of their personal data. Our services are offered to institutional customers only,  nonetheless the processing of transactions might include personal data where this is necessary to ascertain  the business purpose. In addition, we process personal data in the context of business contact information.

The legal entities of Securities Services & Exchanges listed below are the controllers of your personal data. They are responsible for processing your data.  

• SIX Exfeed AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
• SIX Repo AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
• SIX Securities Services AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
• SIX SIS AG
  Baslerstrasse 100
  4601 Olten
  Switzerland
  
• SIX Swiss Exchange AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
• SIX Trade Repository AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
  
• SIX x-clear AG
  Hardturmstrasse 201
  8005 Zurich
  Switzerland
• Sociedad Rectora de la Bolsa de Valores de Madrid, S.A.U. 
  Plaza de la Lealtad 1
  28014, Madrid
  España
• Sociedad Rectora de la Bolsa de Valores de Barcelona, S.A.U.
  Paseo de Gracia 19
  08006, Barcelona
  España
• Sociedad Rectora de la Bolsa de Valores de Bilbao, S.A.U. 
  Calle José María Olabarri 1
  48003, Bilbao
  España
• Sociedad Rectora de la Bolsa de Valores de Valencia, S.A.U. 
  Calle Pintor Sorolla 23
  46002, Valencia
  España
• Sociedad de Bolsas, S.A.
  Plaza de la Lealtad 1
  28014, Madrid
  España
• MEFF Sociedad Rectora del Mercado de Productos Derivados, S.A.U.
  Plaza de la Lealtad 1
  28014, Madrid
  España
• Bolsas y Mercados Españoles Renta Fija, S.A.U. 
  Plaza de la Lealtad 1
  28014, Madrid
  España
• Bolsas y Mercados Españoles Sistemas de Negociación, S.A. 
  Plaza de la Lealtad 1
  28014, Madrid
  España
• Sociedad de Gestión de los Sistemas de Registro, Compensación y Liquidación de Valores, S.A.U. 
  Plaza de la Lealtad 1
  28014, Madrid
  España
• BME Clearing, S.A.U 
  Plaza de la Lealtad 1
  28014, Madrid
  España
• BME Regulatory Services, S.A.U. 
  Plaza de la Lealtad 1
  28014, Madrid
  España
• MEFF Tecnología y Servicios, S.A.U.
  Paseo de Gracia número 19
  08006, Barcelona
  España
• BME Post Trade Services, S.A.U.
  Plaza de la Lealtad 1
  28014, Madrid
  España
• Bolsas y Mercados Españoles Inntech, S.A.U. 
  Plaza de la Lealtad 1
  28014, Madrid
  España
• Bolsas y Mercados Españoles Inntech, S.A.U. 
  Plaza de la Lealtad 1
  28014, Madrid
  España

We process personal data about you where:

• It is necessary to enter into a contract or carry out a contract with our customer
• It is necessary to comply with our legal obligations, or
• It is in our legitimate business interests, e.g. for security compliance if you visit our office, or to protect our IT infrastructure.

We process your personal data for the following reasons:

• To enable internal collaboration and commercial follow-ups across different business units within SIX, particularly in the context of events and business development activities
• To enter into contract
• To record and register certain telephone calls and electronic communications, legitimately in compliance with the legal obligations applicable to entities, as well as based on SIX's legitimate interest in guaranteeing the quality of service, verifying the veracity and integrity of communications and for evidential purposes.
• To provide services and products to our customers including any communication required to render them
• To ensure fair and orderly markets
• To receive customer requests and improved services/products accordingly
• To receive, investigate and respond to customer complaints
• To  inform customers, suppliers and authorities about incidents and their impacts and resolution
• To manage relationships with our business partners, customers and service providers
• To carry out analyses with the intention to strengthen our relationships and improve the quality of our services and products
• For testing and support purposes
• To operate and maintain our information technology
• To comply with the requirements of the regulatory authorities, administrative and/or judicial authorities and the legal obligations of SIX, based on the legal grounds of fulfilment of the legal obligations required.
• To establish, exercise and/or defend legal claims and rights
• To protect, exercise and enforce our rights, property or safety, or to assist our customers or others to do so
• For other purposes

Personal data processed by Securities Services & Exchanges is limited to basic contact information for individuals. In general this includes name, job title, position, work address, telephone number, email address. Other categories depend on the respective business product or service, e.g. voice recording, beneficial owner identifiers in transaction reports.

We collect data from the following sources:

• Personal data obtained from customers when you
  -  Give us contact data for relationship management, sales or any other purpose
  -  Send us your data on forms, e-forms, e-mail or by post
  -  Send us information for client on-boarding or admission
  -  Provide us data to enter into a contract or service level agreement including billing
  -  Provide us with data during the performance of our services for issue management, collection of customer experience,  service improvement and other legitimate reasons
  
• Personal data obtained from service providers required to
  -  Establish and maintain a contact
  -  Enter into and maintain contracts, service level agreements and other types of service descriptions
  -  Facilitate billing and payment
  -  Monitor and control service delivery to ensure and enhance quality
  -  Collaborate on solution design and delivery
  
• Personal data we receive from other sources
  -  Background information from third party providers
  -  Information from authorities
  -  Information from publicly available sources
• Other SIX companies

Your personal data may be disclosed to and / or transferred to

• Our business partners (e.g. custodians, correspondent banks) if your data is included in business transactions which need to be processed by them
• Your own organization in connection with issue and problem resolution, contract management, service and billing requests, requests of your compliance office, client relationship management concerns
• The Swiss National Bank (SNB) and the Bank of Spain
• Competent regulatory (e.g. FINMA, CNMV), prosecuting, judicial authorities or tax authorities
• Our auditors and legal advisors involved in or contemplating legal proceedings
• Our technology suppliers that provide support for incident handling
• Other persons where disclosure is required by law

Personal data may be transferred to other legal entities of SIX and to the relevant supervisory bodies, law enforcement agencies, tax authorities and courts as well as service providers and other business partners of SIX that are involved both within and outside the European Economic Area (EEA). This includes countries whose data protection standard deviates from the EEA standard. If data is transferred to a recipient in a country with a lower level of  data protection appropriate safeguards are implemented to ensure an adequate level of protection. These safeguards may include data transfer agreements based on standard contractual clauses or other legally recognized mechanism.

In the international custody business data may be transferred in the countries in which the sub-custodian is located. For other services, data may be transferred to the following countries if necessary for the provision of the service: Austria, Belgium, Colombia, Cyprus, France, Germany, Greece, Hungary, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Poland, Singapore, Spain, Sweden, United Arab Emirates, United Kingdom, United States.

As a general rule, we keep personal data as long as we have a client relationship. After a client relationship ends, we usually must keep it for a period of 10 years.  In cases where the relevant client or counterparty informs us that employment of a certain persons has ceased, the retention period starts from that point in time.

You can ask us to: (i) to provide information on whether we may save personal data and what form this personal data may take (which categories of data, recipients or categories of recipients, retention periods for Personal Data or criteria governing retention periods); (ii) correct your personal data; (iii) erase your personal data; or (iv) restrict our processing of your personal data. You can also opt out of the processing of your personal data for direct marketing purposes or object to our other processing of your personal data. These rights will be limited in some situations; for example, where we are required to process your personal data by law.

To exercise these rights or if you have questions about how we process your personal data, please contact us using the contact details on the last page. You can also complain to the relevant data protection authorities where you live or work or where the alleged infringement of data protection law occurred.

This Privacy Statement was last updated on 31/10/2025. Future updates may be required in response to changing legal, technical or business developments.

To exercise your rights with regards to data protection please use this link. You can also direct your queries to: SIX Group Services Ltd., Data Protection Officer, Hardturmstrasse 201, 8005 Zurich, Switzerland, E-Mail: dataprotection@six-group.com and/or BME Group Data Protection Officer, Plaza de la Lealtad, 1, 28014 Madrid, Spain, protecciondedatos@grupobme.es