This Policy is based on the privacy and data protection principles common to the countries in which we operate. This Policy is intended to summarize IBKR's data protection practices generally and to advise our customers, prospective customers, job applicants, website visitors and other third parties about IBKR's privacy policies that may be applicable to them.
This Policy is specifically addressed to those who provide Personal Information to IBKR or who visit or use IBKR's websites, trading platforms, software application and social media sites.
Who is responsible for your Personal Information?
IBKR is responsible for the Personal Information that we may collect in the manner discussed below. IBKR includes: Interactive Brokers LLC, One Pickwick Plaza, Greenwich, CT 06830 United States; IBKR Ireland, incorporated and registered in Ireland with company number 657406 whose registered office is at 10 Earlsfort Terrace, Dublin D02 T380; Interactive Brokers Central Europe Zrt. incorporated and registered in Hungary with company number 01-10-141029 whose registered office is at 1075 Budapest, Madách Imre út 13-14., Hungary; Interactive Brokers Luxembourg SARL incorporated and registered in Luxembourg with company number B229091 whose registered office is at 4, Rue Robert Stumper, L-2557 Luxembourg; Interactive Brokers (U.K.) Limited, (03958476) a Private Limited Company with registered office address, Level 20 Heron Tower, 110 Bishopsgate, London EC2N 4AY; and their respective affiliates (the "IBKR Entities"). Specifically, your Personal Information will be controlled by the IBKR Entity that is providing services or communication to you. In some instances your Personal Information will be controlled by more than one IBKR Entity.
How do we collect your Personal Information and what Personal Information do we collect?
IBKR collects and processes Personal Information from you. This may include, among other things, information:
For what purposes will we use your Personal Information?
We may use your Personal Information for the following purposes ("Permitted Purposes"):
We may also process your Personal Information for the following purposes (after obtaining your express consent where such consent is legally required) in accordance with your preferences:
Where legally required, with regard to marketing-related communication, we will only provide you with such information after you have opted in or had an opportunity to object and we will also provide you with the opportunity to opt out at any time if you do not wish to receive further marketing-related communication from us. We like to keep our customers, personnel and other interested parties informed of company developments, including news relating to IBKR that we believe is of interest to them. If you do not wish to receive publications or details of events or seminars that we consider may be of interest to you, please let us know by following this link: https://www.interactivebrokers.com/en/index.php?f=464. Where legally required, we will not use your Personal Information for taking any automated decisions affecting you or creating profiles other than described above.
Depending on which of the above Permitted Purposes we use your Personal Information for, we may process your Personal Information on one or more of the following legal grounds:
In addition, the processing may be based on your consent where we have expressly sought and you have expressly given that to us.
Who we share your Personal Information with, and in what circumstances
We may share your Personal Information in the following circumstances:
Otherwise, we will only disclose your Personal Information when you direct us or give us permission to do so, when we are allowed or required by applicable law or judicial or official request to do so, or as required to investigate actual or suspected fraudulent or criminal activities.
Personal Information about other people that you provide to us
Keeping Personal Information about you secure
To the extent required by law, we will take appropriate technical and organizational measures to keep your Personal Information confidential and secure in accordance with our internal procedures covering the storage, disclosure of and access to Personal Information. Personal Information may be kept on our Information Technology systems, those of our contractors or in paper files.
Transferring your Personal Information outside the European Economic Area ("EEA") (if GDPR applies)
For Personal Information subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR") we may transfer your Personal Information outside the EEA for the Permitted Purposes as described above. This may include countries that do not provide the same level of protection as the laws of your home country (for example, the laws within the EEA or the United States). We will ensure that any such international transfers are made subject to appropriate or suitable safeguards if required by the GDPR or other relevant laws. You may contact us at any time using the contact details below if you would like further information on such safeguards.
With respect to persons covered by GDPR, in case Personal Information is transferred to countries or territories outside of the EEA that are not recognized by the European Commission as offering an adequate level of data protection, we have put in place appropriate data transfer mechanisms to ensure Personal Information is protected.
Updating your Personal Information
If any of the Personal Information that you have provided to us changes, for example if you change your email address or if you wish to cancel any request that you have made of us, please let us know by contacting IBKR Customer Service through the IBKR website at interactivebrokers.com/help. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete Personal Information that you provide to us.
How long do we retain your Personal Information?
We retain your Personal Information in an identifiable form in accordance with our internal policies which establish general standards and procedures regarding the retention, handling and disposition of your Personal Information. Personal Information is retained for as long as necessary to meet legal, regulatory and business requirements. Retention periods may be extended if we are required to preserve your Personal Information in connection with litigation, investigations and proceedings.
Further rights for persons or information covered by GDPR
With respect to EEA residents and where your Personal Information is processed by an IBKR Entity established in the EEA ("Covered Individuals"), you have a number of legal rights under GDPR in relation to the Personal Information that we hold about you. These rights include:
We have designated a Data Protection Officer ("DPO") to enhance and promote compliance with and understanding of privacy and data protection principles. If you wish to do any of the above please send an email to firstname.lastname@example.org.
We may request that you prove your identity by providing us with a copy of a valid means of identification in order for us to comply with our security obligations and to prevent unauthorized disclosure of data. We reserve the right to charge you a reasonable administrative fee for any manifestly unfounded or excessive requests concerning your access to your data and for any additional copies of the Personal Information you request from us.
We will consider any requests or complaints that we receive and provide you with a response in a timely manner. If you are not satisfied with our response, you may take your complaint to the relevant privacy regulator. We will provide you with details of your relevant regulator upon request.
How to contact us
AMENDMENT FOR INTERACTIVE BROKERS CENTRAL EUROPE ZRT.
This amendment is valid for the data processing performed by Interactive Brokers Central Europe Zrt. (“IBCE”), incorporated and registered in Hungary with company registry number 01-10-141029 whose registered office is at 1075 Budapest, Madách Imre út 13-14. A. ép. V. em. IBCE is an affiliate of IBKR and everything set out in the main part of this policy is also valid for IBCE.
Questions or requests involving the processing of personal data by IBCE may be addressed to IBCE’s data protection officer at email@example.com.
The following terms shall have the following meaning:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘supervisory authority’ means the Hungarian National Authority for Data Protection and Freedom of Information;
DATA PROCESSING PERFORMED BY IBCE
IBCE performs the following data processing activities:
| Data Processing Activity | Processed personal data | Purpose | Legal Basis | Recipient of the Personal Data | Period of Storing |
|---|---|---|---|---|---|
| Anti-money laundering due diligence and transaction monitoring | Potentially every piece of information regarding trading activities, funds of the client and information necessary for the due diligence and to identify the beneficial owner as set out in sections 7-9 of the AML Act. | To perform the obligations prescribed by the AML regulation. | Article 6. (1) c) of the GDPR (legal obligation where the legal obligation is prescribed by Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing) | Financial Information Unit in case of reporting a suspicious transaction | Eight years from the termination of the business relationship with the client. |
| Anti-money laundering due diligence via video call (audited electronic means of communication, as regulated in the AML Act and the Decree No. 26/2020 (VIII.25.) of the National Bank of Hungary). | Information necessary for the due diligence as set out in sections 7-9 of the AML Act and in sections 17-19 in the Decree No. 26/2020. | To perform the obligations prescribed by the AML Act. | Article 6. (1) (c) of the GDPR (legal obligation where the legal obligation is prescribed by Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing). | | Eight years from the termination of the business relationship with the client. |
| Conclusion of client agreement and various other agreements thereunder | Name (corporate name), address, registry number, tax number, bank account number, ID document number | Prepare and conclude client agreement | Article 6. (1) b) of the GDPR (performance of a contract) | | Five years after the termination of the agreement. |
| FATCA and CRS reporting | Name (corporate name), address, tax residency | Perform reporting obligations | Article 6. (1) c) of the GDPR (legal obligation where the legal obligation is prescribed by Act XXXVII. of 2013 and Act XIX of 2014) | Hungarian Tax Authority, IRS and other foreign tax authorities. | Five years after the performance of the reporting obligation |
| Performing the obligation regarding MiFID appropriateness test | Contents of the MiFID test (the experience of the client regarding investment in asset classes) | Performing the obligation regarding MiFID appropriateness test | Article 6. (1) c) of the GDPR (legal obligation where the legal obligation is prescribed by article 56 of regulation 2017/565/EU) | | Five years after the termination of the agreement. |
| Client complaint handling | Client’s name, contents of the complaint | | Article 6. (1) c) of the GDPR (legal obligation where the legal obligation is prescribed by section 121. of Act CXXXVIII of 2007 on Investment Firms) | | Five years from the receipt of the complaint. |
| Recording of client communications | Contents of the communication (either written or recorded telephone calls) | Performance of recording obligation | Article 6. (1) c) of the GDPR (legal obligation where the legal obligation is prescribed by article 76 of regulation 2017/565/EU) | | Five years from the recording. |
| Recordkeeping for accounting purposes | Contents of any accounting documents (agreements, receipts, invoices, etc.) | Performance of recordkeeping obligation | Article 6. (1) c) of the GDPR (legal obligation where the legal obligation is prescribed by section 169 of Act C of 2000 on accounting) | | Eight years |
Where the legal basis of the data processing is the conclusion or performance of the agreement, failure by the client to provide such data results in the agreement not being concluded. Where the legal basis of the data processing is an obligation by law, failure by the client to provide such data results in the termination of the client agreement by IBCE and the possible reporting of that failure to the competent authority.
RIGHTS OF THE DATA SUBJECTS
You have the right to request the rectification and completion, deletion or restriction of your personal data, as well as to request information about and access to the personal data processed by IBCE, or to withdraw your previous consent, by sending a request via e-mail (firstname.lastname@example.org) or mail (1075 Budapest, Madách Imre út 13-14. A. ép. V. em.). These rights are set out in Articles 15-18 and 21 of the GDPR and are detailed below.
Right to information:
IBCE shall take appropriate measures to provide you with information on the processing of personal data in accordance with this policy (all information referred to in Articles 13 and 14 of the GDPR and all information pursuant to Articles 15-22 and 34) in a concise, transparent, comprehensible and easily accessible form, worded clearly, comprehensibly and precisely.
Right of access:
You have the right to access your personal data (receive a copy) and to receive feedback from IBCE as to whether your personal data is being processed. If personal data is being processed, you have the right to be informed of the personal data and the following information:
Right of rectification:
You may request the correction of inaccurate personal data concerning you managed by the Data Controller and the completion of incomplete data.
Right of cancellation:
You have the right to have your personal data deleted without undue delay at your request for any of the following reasons:
Deletion of data may not be initiated if the data processing is necessary for the following purposes:
Right to restrict data processing:
At your request, the processing may be restricted under the conditions set out in Article 18 of the GDPR:
Where data processing is restricted, personal data may be processed, with the exception of storage, only with the consent of the data subject or for the purpose of bringing, enforcing or protecting legal claims or protecting the rights of another natural or legal person or in the important public interest of the European Union or a Member State. You must be informed in advance of the lifting of the data processing restriction.
Withdrawal of consent:
You have the right to withdraw your consent to data processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Rules of procedure:
IBCE shall inform you without undue delay, but in any case within one month from the receipt of the request, of the action taken on the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. IBCE will inform you of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.
If IBCE does not take action on your request, it shall inform you without delay, but no later than one month from the receipt of the request, of the reasons for not taking action and that you may lodge a complaint with the supervisory authority and seek a judicial remedy.
IBCE shall inform all recipients to whom it has communicated personal data of any rectification, erasure or restriction on the processing of personal data, unless this proves impossible or requires a disproportionate effort. At your request, IBCE will inform these recipients.
If you believe that your data protection rights have been violated, you may lodge a complaint with IBCE or with the competent supervisory authority or enforce your claim before the competent court.
National Authority for Data Protection and Freedom of Information:
H-1055 Budapest, Falk Miksa utca 9-11.
Telephone: +36-1-391-1400