DAY TRADING RISK DISCLOSURE
The following general requirements regarding day-trading have been imposed by FINRA and are enforced by TJM:
Pattern Day-Traders are characterized by transacting four or more stock or options day-trades within a five-day period in a margin account. Pattern Day-Traders must maintain at least $25,000.00 in account value in order to continue day-trading practices.
In the event that a Pattern Day-Trader does not maintain $25,000.00 in account value, they will be required to provide cash-on-hand for same-day stock transactions. Additionally, an account may be flagged for day-trading if it regularly recycles funds within the same day. For example, an investor sells a security (stock or option) for a premium of $400 and proceeds to purchase another security (stock or option) for $400 when no other capital is available and prior to funds being cleared.
If an account becomes designated as a pattern day-trading account and does not maintain the minimum required equity, at least $25,000.00, a call will be issued which must be met within 5 business days; otherwise the account will be restricted to Cash only for a period of 90 days or until the account equity is brought above the minimum equity requirement or at least $25,000.00. Additionally, if your account meets or exceeds the minimum equity amount, it may be eligible for day-trading margin, which is 4 times account buying power. This buying power may only be used intra-day and may not be held past market close. Orders exceeding Day-Trading Buying Power will be rejected.
TJM does not promote day-trading; however, the following disclosure applies to any customers utilizing day-trading as a strategy at TJM:
FINRA Day-Trading Risk Disclosure Statement
You should consider the following points before engaging in a day-trading strategy. For purposes of this notice, a “day-trading strategy” means an overall trading strategy characterized by the regular transmission by a customer of intra-day orders to effect both purchase and sale transactions in the same security or securities.
Day-trading can be extremely risky. Day-trading generally is not appropriate for someone of limited resources and limited investment or trading experience and low risk tolerance. You should be prepared to lose all of the funds that you use for day-trading. In particular, you should not fund day-trading activities with retirement savings, student loans, second mortgages, emergency funds, funds set aside for purposes such as education or home ownership, or funds required to meet your living expenses. Further, certain evidence indicates that an investment of less than $50,000 will significantly impair the ability of a day-trader to make a profit. Of course, an investment of $50,000 or more will in no way guarantee success.
Be cautious of claims of large profits from day-trading. You should be wary of advertisements or other statements that emphasize the potential for large profits in day-trading. Day-trading can also lead to large and immediate financial losses.
Day-trading requires knowledge of securities markets. Day-trading requires in-depth knowledge of the securities markets and trading techniques and strategies. In attempting to profit through day-trading, you must compete with professional, licensed traders employed by securities firms. You should have appropriate experience before engaging in day-trading.
Day-trading requires knowledge of a firm’s operations. You should be familiar with a securities firm’s business practices, including the operation of the firm’s order execution systems and procedures. Under certain market conditions, you may find it difficult or impossible to liquidate a position quickly at a reasonable price. This can occur, for example, when the market for a stock suddenly drops, or if trading is halted due to recent news events or unusual trading activity. The more volatile a stock is, the greater the likelihood that problems may be encountered in executing a transaction. In addition to normal market risks, you may experience losses due to system failures.
Day-trading will generate substantial commissions, even if the per trade cost is low. Day-trading involves aggressive trading, and generally you will pay commissions on each trade. The total daily commissions that you pay on your trades will add to your losses or significantly reduce your earnings. For instance, assuming that a trade costs $16 and an average of 29 transactions are conducted per day, an investor would need to generate an annual profit of $111,360 just to cover commission expenses.
Day-trading on margin or short selling may result in losses beyond your initial investment. When you day-trade with funds borrowed from a firm or someone else, you can lose more than the funds you originally placed at risk. A decline in the value of the securities that are purchased may require you to provide additional funds to the firm to avoid the forced sale of those securities or other securities in your account. Short selling as part of your day-trading strategy also may lead to extraordinary losses, because you may have to purchase a stock at a very high price in order to cover a short position.
FUND INFORMATION DISCLAIMER
THE RISK OF LOSS IN TRADING COMMODITIES CAN BE SUBSTANTIAL. YOU SHOULD THEREFORE CAREFULLY CONSIDER WHETHER SUCH TRADING IS SUITABLE FOR YOU IN LIGHT OF YOUR FINANCIAL CONDITION. THE HIGH DEGREE OF LEVERAGE THAT IS OFTEN OBTAINABLE IN COMMODITY TRADING CAN WORK AGAINST, AS WELL AS, FOR YOU. THE USE OF LEVERAGE CAN QUICKLY LEAD TO LARGE LOSSES AS WELL AS LARGE GAINS. IN SOME CASES, MANAGED COMMODITY ACCOUNTS ARE SUBJECT TO SUBSTANTIAL CHARGES FOR MANAGEMENT AND ADVISORY FEES. IT MAY BE NECESSARY FOR THOSE ACCOUNTS THAT ARE SUBJECT TO THESE CHARGES TO MAKE SUBSTANTIAL TRADING PROFITS TO AVOID DEPLETION OR EXHAUSTION OF THEIR ASSETS.
THE DISCLOSURE DOCUMENT CONTAINS A COMPLETE DESCRIPTION OF THE PRINCIPAL RISK FACTORS AND EACH FEE TO BE CHARGED TO YOUR ACCOUNT BY THE COMMODITY TRADING ADVISOR (CTA). THE REGULATIONS OF THE COMMODITY FUTURES TRADING COMMISSION (CFTC) REQUIRE THAT PROSPECTIVE CLIENTS OF A CTA RECEIVE A DISCLOSURE DOCUMENT WHEN THEY ARE SOLICITED TO ENTER INTO AN AGREEMENT WHEREBY THE CTA WILL DIRECT OR GUIDE THE CLIENT’S COMMODITY INTEREST TRADING AND THAT CERTAIN RISK FACTORS BE HIGHLIGHTED. THIS DOCUMENT IS READILY ACCESSIBLE AT THE CTA’S SITE.
THIS BRIEF STATEMENT CANNOT DISCLOSE ALL OF THE RISKS AND OTHER SIGNIFICANT ASPECTS OF THE COMMODITY MARKETS. THEREFORE, YOU SHOULD PROCEED DIRECTLY TO THE DISCLOSURE DOCUMENT AND STUDY IT CAREFULLY TO DETERMINE WHETHER SUCH TRADING IS APPROPRIATE FOR YOU IN LIGHT OF YOUR FINANCIAL CONDITION. YOU ARE ENCOURAGED TO ACCESS THE DISCLOSURE DOCUMENT BY CONTACTING YOUR CTA. YOU WILL NOT INCUR ANY ADDITIONAL CHARGES BY REQUESTING THE DISCLOSURE DOCUMENT. YOU MAY ALSO REQUEST DELIVERY OF A HARD COPY OF THE DISCLOSURE DOCUMENT, WHICH ALSO WILL BE PROVIDED TO YOU AT NO COST. THE CFTC OR SEC HAS NOT PASSED UPON THE MERITS OF PARTICIPATING IN ANY OF THE FOLLOWING TRADING PROGRAMS NOR ON THE ADEQUACY OR ACCURACY OF THE DISCLOSURE DOCUMENT. OTHER DISCLOSURE STATEMENTS ARE REQUIRED TO BE PROVIDED TO YOU BEFORE A COMMODITY OR SECURITIES ACCOUNT MAY BE OPENED.
HEDGE FUND RISK DISCLOSURE
Historically, hedge funds have been offered as unregistered securities that, because of the risks they posed, were only available to a limited number of wealthy, financially sophisticated investors. Now there are funds that are registered with the SEC and invest in unregistered, private hedge funds. These “funds of hedge funds” provide the opportunity to invest in private hedge funds through a single fund that is composed of underlying hedge funds. Registered funds of hedge funds can have lower minimum investment requirements than traditional unregistered hedge funds, and permit a greater number of investors. Even though they are registered with the SEC, they use investment strategies that involve risks similar to those of traditional hedge funds.
Before you consider investing in a registered fund of hedge funds, you should understand the features of these investments, how they are regulated, what risks are involved, and how you can get more information on them.
What are Hedge Funds?
There is no exact definition of the term “hedge fund” in federal or state securities laws. Hedge funds are basically private investment pools for wealthy, financially sophisticated investors. Traditionally, they have been organized as partnerships, with the general partner (or managing member) managing the fund’s portfolio, making investment decisions, and normally having a significant personal investment in the fund. Hedge fund managers typically seek absolute positive investment performance. This means that hedge funds target a specific range of performance, and attempt to produce targeted returns irrespective of the underlying trends of the stock market. This stands in contrast to investments like mutual funds, where success or failure is often measured in terms of performance in relation to a stock index, like the Dow Jones Industrial Average.
To get positive investment performance, hedge fund managers use sophisticated investment strategies and techniques that may include, among other techniques:
- short selling (sale of a security you do not own)
- arbitrage (simultaneous buying and selling of a security in different markets to profit from the difference between the prices)
- hedging (buying a security to offset a potential loss on an investment)
- leverage (borrowing money for investment purposes)
- concentrating positions in securities of a single issuer or market
- investing in distressed or bankrupt companies
- investing in derivatives, such as options and futures contracts
- investing in volatile international markets
- investing in privately issued securities
Managers are paid based on the fund’s performance. Performance fees of 20% of profits are common, along with a fixed annual asset-based fee of 1 to 2%.
Because they are usually only open to limited numbers of wealthy, financially sophisticated investors and do not advertise or publicly offer their securities, private hedge funds are usually not required to register with the SEC. As a result, unregistered private hedge funds do not provide many of the investor protections that apply to registered investment products, such as mutual funds. For example, hedge funds generally are not subject to numerous mutual fund rules, such as regulations:
- requiring a certain degree of liquidity
- limiting how much can be invested in any one investment
- requiring that fund shares be redeemable
- protecting against conflicts of interests
- assuring fairness in pricing of the fund shares
- requiring disclosure of information about a fund’s management, holdings, fees and expenses, and performance
- limiting the use of leverage
The general prohibitions against securities fraud do apply.
What are Funds of Hedge Funds?
Funds of hedge funds are pooled investments in several unregistered hedge funds. Unlike the underlying private hedge funds, the fund of funds itself can register with the SEC under the Investment Company Act of 1940. In addition, the fund of funds’ securities also can be registered for sale to the public under the Securities Act of 1933. Registered funds of funds can have lower minimum investments than private hedge funds (some as low as $25,000). A registered fund of hedge funds can be offered to an unlimited number of investors. However, unlike an open-ended mutual fund, there is no investor right of redemption – shares cannot be redeemed directly with the fund unless the fund offers to redeem them. Nor are the shares usually listed on a securities exchange like exchange-traded funds (ETFs). With very limited exceptions, there is no secondary market available, so you won’t be able to sell your investment readily.
An investment in a fund of hedge funds does have some potential advantages over a direct investment in a private hedge fund. For example, a fund of funds may diversify between a number of different investment styles, strategies and hedge fund managers, in an effort to control risk.
High Fees and Expenses
Expenses in funds of hedge funds are significantly higher than most mutual funds. For example, one such fund of funds has an annual asset base fee of 2.15%. In comparison, mutual funds have expense ratios averaging 1.36%, based on data from the SEC’s Report of Mutual Fund Fees and Expenses. The manager of this fund of funds also gets 10% of any annual gain that exceeds an 8% return. Because it invests in a number of private hedge funds, a fund of funds also bears part of the fees and expenses of those underlying hedge funds as well. You should be sure you understand the fee structure of any fund of hedge funds that you consider investing in.
What are the Risks of Investing in a Fund of Hedge Funds?
Funds of hedge funds generally invest in several private hedge funds that are not subject to the SEC’s registration and disclosure requirements. As discussed above, many of the normal investor protections that are common to most traditional registered investments are missing. This makes it difficult for both you and the fund of funds manager to assess the performance of the underlying hedge funds or independently verify information that is reported. All of this can make it easier for an unscrupulous hedge fund manager to engage in fraud.
Risky Investment Strategies
As noted, hedge funds very often use speculative investment and trading strategies. Many hedge funds are honestly managed, and balance a high risk of capital loss with a high potential for capital growth. The risks hedge funds incur, however, can wipe out your entire investment. If you can’t afford to lose your entire investment, then perhaps hedge funds and funds of hedge funds are not for you.
Lack of Liquidity
Hedge funds, both the unregistered and registered variety, are illiquid investments and are subject to restrictions on transferability and resale. Unlike mutual funds, there are no specific rules on hedge fund pricing. Registered hedge fund units may not be redeemable at the investor’s option and there is probably no secondary market for the sale of the hedge fund units. In other words, you may not be able to get the money you invested in the hedge fund back when you want out of the investment.
Adverse Tax Consequences
The tax structure of registered funds of hedge funds may be complex. There also may be delays in receiving important tax information. This may require you to obtain an extension to file your income tax return.
NASD Notice to Members 03/07 – FINRA Reminds Members of Obligations When Selling Hedge Funds
The Investment Company Institute – The Differences Between Mutual Funds and Hedge Funds
Securities and Exchange Commission – Hedging Your Bets: A Heads Up on Hedge Funds and Funds of Hedge Funds
FUTURES RISK DISCLOSURE STATEMENT & ACCOUNT OPENING DISCLAIMERS
This information is not to be construed as an offer to sell or a solicitation or an offer to buy the commodities herein named. The factual information of this report has been obtained from sources believed to be reliable, but is not necessarily all-inclusive and is not guaranteed as to the accuracy, and is not to be construed as representation by TJM. The risk of trading futures and options can be substantial. Each investor must consider whether this is a suitable investment. Past performance is not indicative of future results.
THE RISK OF LOSS IN TRADING COMMODITY FUTURES CONTRACTS CAN BE SUBSTANTIAL. YOU SHOULD, THEREFORE, CAREFULLY CONSIDER WHETHER SUCH TRADING IS SUITABLE FOR YOU IN LIGHT OF YOUR CIRCUMSTANCES AND FINANCIAL RESOURCES. YOU SHOULD BE AWARE OF THE FOLLOWING POINTS:
(1) You may sustain a total loss of the funds that you deposit with your broker to establish or maintain a position in the commodity futures market, and you may incur losses beyond these amounts. If the market moves against your position, you may be called upon by your broker to deposit a substantial amount of additional margin funds, on short notice, in order to maintain your position. If you do not provide the required funds within the time required by your broker, your position may be liquidated at a loss, and you will be liable for any resulting deficit in your account.
(2) Under certain market conditions, you may find it difficult or impossible to liquidate a position. This can occur, for example, when the market reaches a daily price fluctuation limit (“limit move”).
(3) Placing contingent orders, such as “stop-loss” or “stop-limit” orders, will not necessarily limit your losses to the intended amounts, since market conditions on the exchange where the order is placed may make it impossible to execute such orders.
(4) All futures positions involve risk, and a “spread” position may not be less risky than an outright “long” or “short” position.
(5) The high degree of leverage (gearing) that is often obtainable in futures trading because of the small margin requirements can work against you as well as for you. Leverage (gearing) can lead to large losses as well as gains.
(6) You should consult your broker concerning the nature of the protections available to safeguard funds or property deposited for your account.
ALL OF THE POINTS NOTED ABOVE APPLY TO ALL FUTURES TRADING WHETHER FOREIGN OR DOMESTIC. IN ADDITION, IF YOU ARE CONTEMPLATING TRADING FOREIGN FUTURES OR OPTIONS CONTRACTS, YOU SHOULD BE AWARE OF THE FOLLOWING ADDITIONAL RISKS:
(7) Foreign futures transactions involve executing and clearing trades on a foreign exchange. This is the case even if the foreign exchange is formally “linked” to a domestic exchange, whereby a trade executed on one exchange liquidates or establishes a position on the other exchange. No domestic organization regulates the activities of a foreign exchange, including the execution, delivery, and clearing of transactions on such an exchange, and no domestic regulator has the power to compel enforcement of the rules of the foreign exchange or the laws of the foreign country. Moreover, such laws or regulations will vary depending on the foreign country in which the transaction occurs. For these reasons, customers who trade on foreign exchanges may not be afforded certain of the protections which apply to domestic transactions, including the right to use domestic alternative dispute resolution procedures. In particular, funds received from customers to margin foreign futures transactions may not be provided the same protections as funds received to margin futures transactions on domestic exchanges. Before you trade, you should familiarize yourself with the foreign rules which will apply to your particular transaction.
(8) Finally, you should be aware that the price of any foreign futures or option contract and, therefore, the potential profit and loss resulting therefrom, may be affected by any fluctuation in the foreign exchange rate between the time the order is placed and the foreign futures contract is liquidated or the foreign option contract is liquidated or exercised.
SPECIAL DISCLAIMER FOR NEW ACCOUNT APPLICANTS
Account documents are not an offer or solicitation for the purchase or sale of any Commodity. Before trading one should be aware that with potential profits there is also potential for losses that may be very large. Futures investing involves risk and is not suitable for everyone. Those acting on this information are responsible for their own actions.
ATTENTION NON-U.S. RESIDENTS
The services provided by TJM may not be available in all jurisdictions. It is possible that the country in which you are a resident prohibits us from opening and maintaining an account for you. If in doubt, please contact a TJM account representative.
THIS BRIEF STATEMENT CANNOT, OF COURSE, DISCLOSE ALL THE RISKS AND OTHER ASPECTS OF THE COMMODITY MARKETS.
CHARACTERISTICS AND RISKS OF STANDARDIZED OPTIONS
This publication refers solely to options issued by OCC. Prior to buying or selling an option, a person must receive a copy of this brochure. It includes a discussion on basic option terminology, types of options available for trading, general provisions for exercise and settlement, unique tax considerations, risks, and other supplemental material.
FOREX INTERMEDIARY DISCLOSURES
What Investors Need to Know (NFA) – http://www.nfa.futures.org/nfa-investor-information/publication-library/forex.pdf
Before deciding to participate in the Forex market, you should carefully consider your investment objectives, level of experience and risk appetite. Most importantly, do not invest money you cannot afford to lose.
There is considerable exposure to risk in any off-exchange foreign exchange transaction, including, but not limited to, leverage, creditworthiness, limited regulatory protection and market volatility that may substantially affect the price, or liquidity of a currency or currency pair.
Moreover, the leveraged nature of forex trading means that any market movement will have an equally proportional effect on your deposited funds. This may work against you as well as for you. The possibility exists that you could sustain a total loss of initial margin funds and be required to deposit additional funds to maintain your position. If you fail to meet any margin requirement, your position may be liquidated and you will be responsible for any resulting losses.
ANTI-MONEY LAUNDERING POLICY
To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.
What this means for you: When you open an account, we will ask for your name, address, date of birth and other information that will allow us to identify you. We may also ask for a copy of your driver’s license or other identifying documents.
We are required to verify the information or documents you provide us. Until you provide and we have verified the information or documents we need, we may not be able to open an account or effect any transactions for you.
For TJM’s full AML policy please contact the Compliance Department at 312-432-6552.
SEC RULE 606
In accordance with U.S. Securities and Exchange Commission (SEC) Rule 606, TJM Investments LLC is publishing statistical information about our routing practices for non-directed orders in U.S. exchange-listed equity securities and options.
This report is divided into four sections: one for securities listed on the New York Stock Exchange LLC; one for securities listed on The Nasdaq Stock Market LLC; one for securities listed on the NYSE MKT, LLC or other regional exchanges and one for exchange-listed options. For each section, this report identifies the venues most often selected by the Firm, sets forth the percentage of various types of orders routed to the venues, and discusses the material aspects of the Firm’s relationship with the venues.
Regardless of whether the orders were directed orders, TJM will disclose to the customer upon request, the identity of the venue to which the customer’s orders were routed for execution in the six months prior to the request, and the time of the transactions, if any, that resulted from such orders. Singularly listed options directed to the floor of an Exchange are treated as Directed Orders for purposes of this report. Written copies of the firm’s order routing reports are available free of charge upon request. Please direct written report requests to firstname.lastname@example.org
TJM prepares two separate reports with respect to its Rule 606 reporting. One report is generated for its TJM Investments business (MPID: TJMI). This report includes options data. A second report is generated for its NYSE Floor Brokerage business also known as MND Partners (MPID: MNDX).
Each report may be accessed via the link below:
General Data Protection Regulation Policy
The General Data Protection Regulation (‘GDPR’ – EU 2016/679) came into force on 25th May 2018, and results in the Group being required to process the personal data of European data subjects in accordance with the more stringent requirements set out in the Regulation. Furthermore, where a Group company is located within the European Economic Area (‘EEA’) it is required to apply the requirements of GDPR to all personal data that it controls or processes, not just that of a European data subject.
• Non-EEA office: Required to comply with GDPR in relation to the personal data of any EEA data subject; and
• EEA office: Required to comply with GDPR in relation to the personal data of all data subjects (Herein ‘a relevant data subject’).
This policy sets out the scope and applicability of the GDPR, and the Group’s approach to adhering to the Regulation, via the following Annexes:
Annex I: Definitions of some commonly used terms in the GDPR
Annex II: Lawfulness of processing
Annex III: Information to be provided to the individual concerned
Annex IV: The six principles of processing personal data
Applicability to TJM
As set out in Annex I, personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a file reference etc. Processing includes, but is not limited to, collecting, storing and using personal data. For the purposes of the GDPR, TJM will be primarily a ‘data controller’ but will also process personal data.
This document sets out TJM’s policy for adherence to the GDPR and expected behaviours and applies to all of TJM’s employees and outsourced service providers when personal data of a relevant data subject (as set out above) is processed. Unless specified to the contrary, any reference to TJM processing data can also be read to refer to third parties that process data on behalf of TJM.
Personal data can be collected by TJM in respect of:
• Staff for the purposes of e.g. maintaining employment and sickness records, payroll etc.
• Clients/investors (either actual or proposed)
• Firms providing services to TJM
All personal data will be collected and processed in accordance with the ‘lawfulness of processing’ (‘legal basis’) obligations under the GDPR (see Annex II). Generally, personal data relating to clients/investors and the firm’s employees will be for the purposes of ‘legitimate interests’. However, each case will be considered and determined in line with the ‘lawfulness of processing’ requirements. Where deemed appropriate e.g. for marketing purposes, then freely given specific consent will be requested (see Annex II).
For these purposes ‘freely given’ means that the individual has made a positive decision to consent to the processing of their personal data. As such, a pre-ticked box or a general statement etc. that consent is assumed will not be deemed to be freely given.
Where the provision of a service is conditional on consent being given to the processing of personal data that is not necessary for the provision of that service e.g. a requirement to consent to the receipt of marketing material then this will not be deemed to be freely given.
Personal data will be retained no longer than is necessary for the purposes for which it is processed, subject to any legal or regulatory obligations imposed upon TJM.
Informing data subjects
When personal data is collected directly from the data subject then that individual will be provided with the information required under the GDPR at the time the personal data are collected. This includes, but is not limited to, the purposes of the processing, the legal basis for the processing and whether there is an intention to transfer personal data outside the EU (‘third-country’) (see Annex III).
Where personal data is collected from someone other than the data subject then the latter will be informed of this in accordance with GDPR requirements.
Limitation of data collected and purpose
The collection of personal data by TJM will be limited to that necessary for:
• Providing services, including administration services, to clients/investors
• The general day-to-day running of TJM
• Marketing, including newsletters
Special categories of data (‘sensitive data’)
The GDPR imposes further requirements on the processing of sensitive data. Such personal data includes e.g. that revealing ethnic origin, political opinions, criminal convictions and offences etc. TJM collects and processes personal data in accordance with U.S. law and the requirements of various regulatory bodies.
Rights of data subjects
The GDPR provides data subjects with the following rights:
• An individual has the right to confirmation of whether their personal data is being processed and, if such is the case, its purpose and envisaged storage period (‘right of access’)
• An individual has the right to require ‘without undue delay’ rectification of inaccurate personal data (‘right to rectification’)
• An individual has the right to be forgotten, subject to the limited circumstances set out in GDPR, including when consent is withdrawn (‘right to erasure’)
• An individual has the right to restrict processing of personal data in certain circumstances including where the accuracy of the data is contested by the individual (‘right to restriction of processing’)
• An individual has the right to receive personal data concerning the individual and the right to have it transmitted to another data controller (‘right to data portability’)
• An individual can object to the processing of personal data which is being processed on the basis of ‘legitimate interest’ unless the controller demonstrates compelling legitimate grounds. Where the processing is for direct marketing purposes then the controller must desist from any further processing for these purposes (‘right to object’)
• An individual has the right not to be subject to a decision based solely upon automated processing or profiling
Not all of the above rights will be applicable to TJM’s business model e.g. ‘profiling’ and nor are they absolute e.g. the right to be forgotten will not apply to the extent that the processing is in compliance with a legal or regulatory obligation to maintain it. TJM will consider any such requests from data subjects on a case-by-case basis.
TJM makes use of services provided by various third-parties (‘outsourcing’).
These providers have been reviewed to determine if they have undertaken processes to meet the standards expected by TJM and required of them by GDPR. Some of these entities will be involved in the transfer of, and the processing of, personal data on behalf of the firm and as such will be ‘data processors’.
For such firms, the due diligence performed by TJM will include a review of the procedures and processes developed to ensure compliance with the GDPR and the security of personal data processed. In addition, processing of personal data will be governed by a contract whose terms are in accord with that specified in GDPR.
Any intention to transfer personal data to a third-country must be notified to the data subject when the data is collected (see ‘Informing data subjects’ above). Transfers to a third-country are only permissible in limited situations including:
• Where the European Commission has determined that the third-country offers equivalent protection for personal data (‘adequacy decision’)
• Where appropriate safeguards are in place such as appropriate contractual clauses authorised by the supervisory authority
• Where the transfers will be subject to binding corporate rules (only relevant between members within a group of undertakings or engaged in a joint economic activity)
• Where the individual has explicitly consented to the proposed transfer after being made aware of the potential risks
• Where the transfer is necessary for the performance, or conclusion, of a contract.
Communication with data subjects
Information provided to data subjects, whether as a result of the exercise of a data subject’s rights or when informing the individual that their personal data is being collected and its purpose, will be free of charge. However, where such requests are excessive or manifestly unfounded then TJM reserves the right to charge a reasonable fee.
Data Protection Officer
The appointment of a ‘Data Protection Officer’ (DPO) is required for those firms that process large amounts of sensitive data or that undertake regular and systematic monitoring of data subjects. As such this obligation does not apply to TJM.
Both TJM and its service providers have procedures in place to protect sensitive data as outlined in the firm’s cybersecurity procedures.
All potential data breaches should be promptly reported to TJM’s technology department, which will promptly investigate any data protection issues and notify Senior Management with respect to the:
• potential data breach
• extent of the breach
• any corrective measures taken; and
• any data compromised
Both internal and external data protection issues may be reported to the following distribution list: Datasec@tjmbrokerage.com
Personal Data: The Role of TJM’s Employees
Although this Policy is based upon the firm’s responsibilities under GDPR, all members of staff have a role to play in ensuring that TJM complies with these responsibilities.
TJM notes that the GDPR provides for the imposition of administrative fines for breaches of its obligations of up to €20m (or 4% of worldwide total turnover if higher).
Personal Data: Breaches
Any personal data breach(es) must be immediately reported to Datasec@tjmbrokerage.com. Where possible, such notifications should include:
• The nature of the breach including categories and approximate number of data subjects concerned and data records concerned
• A description of the likely consequences of the personal data breach
• A description of any measures taken, or proposed, to address the data breach and to mitigate its possible adverse effects.
TJM is required to notify the Information Commissioner’s Office (“ICO”) within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The ICO may be reached at this address: https://ico.org.uk
Where it is deemed that the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons then the data subjects must also be notified “without undue delay”. Exceptions to this requirement include:
• When the data affected is e.g. encrypted so that the data is unintelligible to persons not authorised to access it
• If it would involve disproportionate effort, in which case a public communication, or similar measure, will be required
• Where subsequent measures are taken to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
TJM’s technology department will document and assess the breach to determine the need to alert data subjects and/or the ICO.
Annex I Definitions
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
See ‘personal data’ below.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
A data subject can request receipt of their personal data which they have provided to a controller and has the right to transmit it to another data controller without hindrance (or can request that data be transmitted directly to another data controller where technically feasible).
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. A processor must only act on the documented instructions of a controller. If a processor determines the purpose and means of processing then it will be considered to be a controller.
Data Protection Impact Assessment
An assessment of the impact of processing operations on the protection of personal data. Sometimes referred to as a ‘privacy impact assessment’.
Lawfulness of processing
Personal data must be processed lawfully and in a transparent manner in relation to the data subject. Article 6 of the GDPR (reproduced in Annex I) sets out six scenarios, including consent to the processing being given by the data subject, which will comply with ‘lawfulness of processing’.
Any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A low bar is set for “identifiable”; if anyone can identify a natural person using “all means reasonably likely to be used” the information is personal data, so data may be personal data even if the organisation holding the data cannot itself identify a natural person (e.g. name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address). Online identifiers are expressly called out in Recital 30 with IP addresses, cookies and radio frequency identification tags all listed as examples.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Privacy impact assessment
Also known as a ‘Data Protection Impact Assessment’ (see above).
Special categories of personal data (‘sensitive data’)
Term used in GDPR to refer to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; it also captures genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Article 9 of GDPR prohibits the processing of such data unless it meets one of the conditions set out therein e.g. explicit consent. Article 10 of GDPR imposes stricter requirements on the processing of personal data relating to criminal convictions and offences.
Annex II Lawfulness of processing
Processing is lawful only if and to the extent that at least one of the following applies:
1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Annex III Information to be provided to the data subject
Information to be provided where personal data are collected from the data subject (refer to Article 14 for information to be provided where personal data have not been collected from the data subject)
1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) (‘consent’) or point (a) of Article 9(2) (‘explicit consent’ re ‘special categories’), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
Annex IV Principles relating to processing of personal data
A data controller is responsible for, and must be able to demonstrate compliance with, the following principles.
Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.