Privacy at CIBC Mellon

At CIBC Mellon, your privacy is protected.

At CIBC Mellon, we respect your privacy. Keeping your personal information in confidence is a cornerstone of our business and an integral part of our commitment to service excellence.

To help us meet this commitment, CIBC Mellon maintains a corporate Confidentiality and Privacy Program (“Program”). The Program is aligned to Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and designed to support compliance with applicable privacy legislation in the jurisdictions where CIBC Mellon operates in Canada. The program includes the appointment of a Chief Privacy Officer to oversee our privacy practices and our efforts to follow applicable Canadian privacy laws.  These efforts include developing and maintaining policies and procedures that manage and reduce privacy risk, a monitoring program that oversees business unit risk assessment and documented controls, incident management procedures, enterprise-wide Program training, a records management program, and complaint handling procedures.

You can reach our Chief Privacy Officer by contacting CIBC Mellon’s Privacy Office at the address found in the section “Addressing Any Privacy Concerns” below.

We encourage you to read this privacy disclosure so that you can understand how we collect, use, share and protect your personal information and how you can manage your information in a way that best suits you.

Personal information is information about an identifiable individual (e.g., name, address, financial information, etc.) per Canadian privacy law. This information can be in any form, including paper, electronic, audio, video or biometric data. Business contact information is not personal information if used for the purpose of communicating or facilitating communications with an individual in relation to their employment or business.

  • About this Privacy Disclosure

    This privacy disclosure applies to the collection, use, sharing, protection, accuracy of and access to personal information at CIBC Mellon.

    This privacy disclosure applies for as long as CIBC Mellon holds your information, including after the end of the business relationship under which we collect, use or share the information. By giving us your information, you consent to the collection, use and sharing of your information as described in this privacy disclosure.

    Our policies and procedures are in place across CIBC Mellon.  Applicable legislation provides for certain exceptions to the steps discussed within this privacy disclosure, some of which will modify our privacy practices in certain circumstances. We may change this privacy disclosure from time to time as new privacy legislation comes into force or as the understanding of good privacy practices evolve.

    Throughout this document, the words “we”, “our” and “us” refer to CIBC Mellon. The words “you” and “your” refer to CIBC Mellon clients, former clients, potential clients, clients’ employees, pensioners, unit holders, as well as visitors to the CIBC Mellon website or persons who otherwise provide personal information to CIBC Mellon.

    Our privacy commitment is described in the following sections.

  • What information do we have?

    CIBC Mellon will make all reasonable efforts to limit its collection, use and sharing of personal information to that which is required for valid business purposes, to comply with applicable law and which a reasonable person would consider appropriate in the circumstances.  The type of personal information depends on several factors, such as the type of services you use, any applicable legal and regulatory obligations, and the channel you use to communicate with us.

    Trustee Services Information. The collection, use and sharing of personal information may occur when an individual purchases a retirement savings or similar plan through some one such as a broker, financial intermediary who has engaged CIBC Mellon to act as trustee. 

    Agent Services Information. The collection, use and disclosure of personal information may also occur when someone such as a corporate, business or governmental client has hired us to handle information for them. A client might hire us to perform recordkeeping for a plan, fund or trust, or to perform other administration related to a plan, fund, trust or custodial assets. Such activities may include the processing of plan holder or unit holder transactions or payments, the administration of pension benefit payments and processes, mailings and recordkeeping associated with these activities.

    Information on Individuals is provided to us by our clients or their agents, or by you or your representatives, in order that we might provide these trustee or agent services.  Information provided may include without limitation:

    • Name
    • Address
    • Date of Birth / Date of Death
    • Social Insurance Number (SIN)
    • Member ID / Internal reference number
    • Transaction information and balances  
    • Banking information
    • Beneficiary information
    • Previous employer's name / pension plan

    Contact information is used to communicate with you and verify your identity when you contact us, or a third party acting on our behalf, regarding your account or services.  This may include the use of general contact information, such as name, address and email, and/or security question answers.  In addition, biometric information, such as voice patterns, may be used to validate your identity.

    Voice Recording Information may be collected, used and shared in conjunction with  CIBC Mellon telephone assistance lines, which support various trustee and agent services. Your call is recorded when you call into one of our recorded lines.  You will be notified that you are speaking on a recorded line and by staying on the line, you are providing your consent to be recorded. This helps protect both you and us by providing a record of the conversation. It also helps us monitor the quality of service we offer.

    We may record your comments and opinions in the course of events like fireside chats, client forums or hosted industry events.  In such instances, we will notify you that such recording will occur.  Once we notify you of the recording, your attendance will be considered consent to our making of the recordings and the use and distribution.  If you have any concerns regarding a recording you can reach our Chief Privacy Officer by contacting CIBC Mellon's Privacy Office at the address found in section "Addressing Any Privacy Concerns" below.

    Web browser Information (CIBC Mellon website) is collected and used to help CIBC Mellon measure website usage and to help improve website functionality.

    CIBC Mellon may use your IP address to diagnose problems with our servers, to understand the geographical location of our visitors and to enhance our websites (an IP address is a unique identifier for a device on the internet). In addition, personal information can be requested via the website if a visitor chooses to respond to online surveys, send CIBC Mellon an email message or use one of our online tools.

    In some cases, we may collect information about you that is not associated with an identifiable individual. Examples of this type of information include the Internet browser you are using, the type of operating system, the domain name of the website that linked you to our site, and the pages you visited while you were using the website or our online tools. In this context, we use non-personally identifiable information in a non-identifying, anonymized and aggregated form to determine the overall reaction to various sections of the website, measure the effectiveness and usefulness of various pages and to improve the flow and interconnectivity of the site.

    When you view our website, essential information is stored on your computer that helps support security and the basic functionality of the site. This information is in the form of "cookies" or "web beacons." A "cookie" is a small file placed on your device when you visit certain websites. "Cookies" help us tailor the website or advertisement to better match your interests and preferences. "Web beacons" are tiny graphic images placed on our website pages or in our emails. They may be used to measure response rates to our communications and to help us improve our web pages. Internet browsers allow you to block, receive a warning or erase all "cookies" from your hard drive. Please refer to your browser instructions or help screen to learn more about these functions.

    You can manage your cookie consent with us via our website Privacy Tool by clicking on the "Manage Cookie Consent" button in the bottom right of the browser window. An overlay will appear, and you can either select specific cookie categories or accept or reject all cookie categories. You have the right to withdraw your cookie consent at anytime.

    CIBC Mellon websites may contain links to non-CIBC Mellon websites. CIBC Mellon is not responsible for these websites in any way, including, without limitation, for their information and privacy practices. We recommend that you read the privacy policy of each of these websites to learn about its information and privacy practices before you provide any personal information in any non-CIBC Mellon website.

  • How do we obtain information?

    In general, CIBC Mellon’s clients, and/or their agents, provide us with the personal information required to provide services, and CIBC Mellon does not collect personal information directly from individuals. We may however collect personal information on behalf of clients, client employees and/or pensioners or unitholders when we are providing trustee or agent services, such as when an individual contacts us directly about their account or plan to provide an address change for pensioner communications or tax forms.

    Information is provided to us in a variety of ways including, but not limited to:

    • Trade instructions
    • Verbal interaction
    • Online activities
    • Other documentation that is provided by clients or their representatives

    We may also receive personal information from third party partners to assist us in administering your account and processing transactions on your behalf.

    We may collect your comments and opinions in surveys or questionnaires, however, we will obtain your consent within the survey or questionnaire before doing so. 

  • How we use personal information

    CIBC Mellon may use your personal information:

    • For the purposes documented in agreement(s) with us entered into by you, or a party working on your behalf, and as described in this privacy disclosure
    • To verify your identity to authenticate you when you contact us
    • So that we can act on your instructions (e.g., by recording phone conversations, maintaining records of email communications and in-person conversations)
    • To communicate to you any benefit, feature or other information about services you have with us or with a broker, financial intermediary or other person who has engaged CIBC Mellon to provide services, including responding to your inquiries
    • To perform tax reporting functions
    • To meet legal and regulatory requirements and industry practices applicable to services provided
    • To measure website usage and improve functionality
    • In a de-identified format to facilitate general service improvement
  • Who we share personal information with

    CIBC Mellon will not share any personal information that we have collected to anyone except as described in this privacy disclosure. Examples of specific ways we may share your personal information include:

    When we must share information for legal reasons or regulated industry practices

    We may be required to share information by law (including tax reporting, anti-money laundering, terrorist financing and securities legislation in Canada and other countries, including the United States), by court order, or to a regulatory authority or to a successor trustee or agent or a successor to our business. We may also share certain personal information to corporate, business or government bodies to enable them to comply with similar legal and regulatory requirements applicable to them. Our policy is to release information only to the extent required to fulfill these requirements and meet industry practices and we will contact you if sharing is not within the scope of agreed services and we are permitted to do so.

    When CIBC Mellon is processing information for another

    When someone hires us to process information for them, or to act as trustee for a relationship they may have with you, we will share that information with them. Examples include pension plan sponsors and investment fund managers.

    When entering into certain business transactions

    Personal information may be used by CIBC Mellon and shared to parties connected with the contemplated or actual financing, securitization, insuring, reorganization, sale, assignment or other disposal of all or part of CIBC Mellon or our business or assets.

    Third parties

    In providing any of the trustee services or agent services set out above, personal information may be shared with related or affiliated companies (including parent companies) or third parties who have been retained by CIBC Mellon to assist us in conducting administrative or technological functions. In such cases, they are provided the information only for the purposes of performing those services, which includes, without limitation, the following:

    • Document management, such as printing cheques, statements and letters, shredding, and physical storage
    • Marketing and communications, such as inquiries made on our website, and client surveys and questionnaires and mailings
    • Operational activities, such as quality assurance, document delivery and courier services, corporate security, and fraud protection
    • Professional services, such as tax processing, legal support, external audits, employee recruitment, and general consulting
    • Pensioner, beneficiary or unitholder payments to domestic or foreign jurisdictions
    • Technology support, such as providing information technology infrastructure and support, systems and applications that process transactions and host information, and scanning documents and cheques

    We may share information with other third parties as permitted or required by law:

    • To comply with laws, regulations, subpoenas, or court orders
    • To respond to valid and authorized information requests from domestic and international authorities
    • To prevent and detect fraud and suppress financial abuse
    • To protect the personal safety of employees, clients or other third parties on CIBC Mellon property

    We require third parties to protect the information in accordance with applicable law and in a manner that is consistent with our privacy policies and security practices.

    When we transfer your information to another jurisdiction

    In accordance with Program standards, it is our policy to retain personal information within Canada except where consent has been provided to make payments, or where it is required in order to carry out the service we have been engaged to provide, such as to provide tax information to a foreign jurisdiction on an individual’s behalf. Personal information in a foreign jurisdiction, such as, but not limited to, the United States, may become subject to the laws of that jurisdiction, including laws governing disclosure. When CIBC Mellon uses the services of a company in another jurisdiction, we select the company carefully and require that it uses standards comparable to ours, subject to requirements in foreign jurisdictions applicable to those organizations.

    Personal information originating within and communicated outside of Québec will be subject to measures to protect your personal information, including appropriate contract clauses or other applicable safeguards. CIBC Mellon conducts privacy risk assessments with third parties that collect, use, or have access to personal information to ensure that they have measures in place to adequately protect the personal information. CIBC Mellon completes privacy impact assessments prior to the acquisition, development or redesign of an information system or electronic service delivery project involving the collection, use, sharing or destruction of personal information.

  • How you consent to the use of your personal information

    By appointing CIBC Mellon to perform trustee or agent services, or by subscribing for a product or service from a CIBC Mellon client which has engaged CIBC Mellon to provide trustee or agent services, you consent to CIBC Mellon’s collection, use and sharing of personal information as described in this privacy disclosure. 

    Consent can be express or implied. Express consent can be verbal or written. For example, an application for registration of a retirement savings plan may contain a written consent for our use of your information to conduct the role of a retirement savings plan trustee. Or you might consent to release the information over the phone. Consent is implied when we can reasonably conclude that you have given consent by an action you have taken or not taken, or where the context reasonably requires that we have and use information to carry out what you have asked us to do.

    You can withdraw your consent any time after you have given it to us by contacting our Privacy Officer, provided there are no legal or contractual requirements to prevent this and on reasonable notice. If you do not consent to certain uses of information or if you withdraw your consent, we may not be able to provide a particular service. If so, we will explain the situation to you to help you with your decision.

    CIBC Mellon may be required or permitted under statute or regulation to collect, use or share personal information without your consent, for example, to comply with a court order, to comply with local, federal or foreign regulations or a legally permitted inquiry by a Canadian or foreign government agency, or to collect a debt owed to us. When someone hires CIBC Mellon to process your information for them, you may have provided them with express or implied consent to share that information with CIBC Mellon so that CIBC Mellon can conduct the information processing. This is in accordance with requirements they may have to obtain consent. Once shared with us, we will safeguard it and handle it in accordance with this privacy disclosure.

  • Protecting your personal information

    CIBC Mellon takes the protection of your personal information seriously. We will keep your information in confidence and make reasonable efforts to prevent unauthorized use, sharing, loss or theft of information. We regularly audit our security procedures and assess their effectiveness and appropriateness.

    Chief Privacy Officer ("CPO")

    The CPO directs and oversees the Program, including, but not limited to, the development, implementation and maintenance of corporate policies and procedures, monitoring activities, issue investigation, tracking and resolution, corporate training, and recurring and ad-hoc reporting. The CPO is supported by a network of designated governance officers who are responsible for the administration of the Program within their respective business units and subject matter experts across various fields enterprise wide.

    Policies and procedures

    CIBC Mellon has principles and procedures in place to assist our employees in complying with our policies. Internal Audit monitors the adherence to these policies and reports any findings to a committee of the Board of Directors of CIBC Mellon. Principles and procedures governing information are outlined in CIBC Mellon's corporate Confidentiality and Privacy, Records Management, Code of Conduct, Information Security, and Acceptable Use policies. These policies establish corporate standards, roles and responsibilities and outline procedures for the administration of information. Business units are required to maintain detailed procedures that align with corporate policy requirements.

    Monitoring program

    Each business unit is required to design, implement and maintain its own business-unit-specific confidentiality and privacy compliance program. Business unit programs include risk assessment and the detailed documentation of controls. An independent monitor periodically reviews controls and results are sent to Corporate Compliance for review. In addition, Corporate Compliance reviews the design of each business unit program, performs company-wide privacy reviews and control effectiveness is assessed by Internal Audit.

    Issue management

    Employees who become aware of a potential information issue are responsible for reporting the issue to CIBC Mellon's Privacy Office. The Privacy Office has an Incident Response Guideline that establishes containment, preliminary assessment, evaluation, notification and prevention procedures. A record of every issue is maintained that documents the details and actions undertaken for each issue. A "Real Risk of Significant Harm" framework is in place to determine if notification is necessary and who specifically to notify.

    If you become aware of a potential information issue, please contact our Privacy Office at the address found in section "Addressing Any Privacy Concerns" below.

    Training

    Our employees and agents who have access to your personal information are aware of the importance of keeping it confidential. All CIBC Mellon full- and part-time employees, including contract and temporary employees, must complete corporate policy training, including with respect to Confidentiality and Privacy. Training includes a test of employees' knowledge and where applicable, an annual attestation confirming each employee's adherence to policy requirements. Employees must attest annually that they have maintained the confidentiality of Personal Information entrusted to them.

    Record retention

    Except as otherwise permitted or required by applicable law, we keep your information only as long as needed to provide services in accordance with CIBC Mellon's Records Management Policy and Records Retention Schedule, and personal information is destroyed and erased when no longer required to fulfil the identified purposes.

    Complaint handling procedures

    CIBC Mellon has a Complaints Management Program in place, which is a system of controls to manage the receipt, processing, and resolution of complaints for the protection of consumers and to safeguard the name and reputation of CIBC Mellon and our clients.

    Safeguarding

    CIBC Mellon's detailed and coordinated Information Security Program protects the confidentiality, integrity and availability of our information, systems and technology. Our strategic approach to information security is shaped by our business priorities, the evolving threat landscape, regulatory trends, technological developments and internal security posture assessments. Our strategies are strengthened, validated and updated by risk assessments, audit and compliance reviews, and the identification of regulatory requirements and benchmarking exercises across our industry. CIBC Mellon's Information Security Program includes, without limitation:

    • Governance over Information Security
    • Corporate Information Security Policy
    • Acceptable Use Policy
    • Code of Conduct
    • Clean Workspace Requirements
    • Record Retention
    • Data Classification and Handling Standards
    • System Access Control
    • Cryptography
    • Physical and Environmental Security
    • Data Governance
    • Data Loss Prevention Program
    • Vulnerability Management
    • Malware and Virus Protection
    • Risk Assessments and Assessments of New Technology
    • Cyber Security Threat Intelligence
    • Vendor Governance and Information Security in Supplier Relationships
    • Change Control Management
    • Compliance
    • Fraud Management
    • Cyber Resiliency Exercises
    • Handling of Security Incidents
    • Staff Training, Testing, and Awareness
    • Screening

    CIBC Mellon possesses the International Organization for Standardization's (ISO) 27001:2022 Certification, issued by the British Standards Institution, recognizing our commitment, policies and programs related to information security. Supporting our information security strategies are our well-established business continuity protocols that conform to the ISO 22301:2019 Societal Security and Business Continuity Management Systems Standard.

  • Accessing Your Personal Information and Maintaining Accuracy

    CIBC Mellon will support your control over, and access to, your information.

    Upon written request, you can check your information to verify, update and correct it, and have obsolete information removed. There is no charge for verifying or correcting information. There may be a charge if you want a copy of records or if special expense is involved in retrieving your information. We will advise you of any charges in advance.

    CIBC Mellon will deal with your request to see your information within 30 days. If we need to extend the time, we will notify you of the reasons for the extension and your rights under applicable legislation. If we must refuse the request, we will tell you why (subject to any legal restrictions).

    Whenever reasonably possible and appropriate, we will correct any information we have shared with any other organization. If we have received the information from another party, if possible, we will let you know the name and address of the party so that you can ask them to correct it (subject to any legal restrictions).

    There may be files that comingle information about you and other people which is confidential, the property of CIBC Mellon or other clients, protected by legal privilege or otherwise not subject to access. Because we value everyone’s confidentiality and legal rights, we cannot make these files available outside of CIBC Mellon or our related companies (including parent companies). However, where we can, through reasonable efforts, separate your information from the information of others without affecting another’s confidentiality or legal rights, we will make available to you your information contained in the files.

  • Addressing Any Privacy Concerns

    If there are any questions or complaints about this privacy disclosure, or practices related to managing your personal information that we have not answered, please let us know right away. In most cases, a complaint, question or concern can be resolved by talking to us about it.

    CIBC Mellon is committed to treating everyone with the greatest respect and consideration and to providing the highest level of service. Even so, from time to time, there may be a misunderstanding, or someone may feel treated unjustly. Whatever the circumstances, resolving the problem is our primary concern. Any questions or concerns regarding your personal information or regarding our personal information policies or procedures, or requests to withdraw consent can be sent to our Privacy Officer by any of the following means.

    By Mail:

    CIBC Mellon Privacy Officer
    1 York Street, Suite 500
    Toronto, Ontario
    M5J 0B6
    Canada

    By Phone: (416) 643-5000

    By E-Mail: privacyofficer@cibcmellon.com

Have a concern? Here’s how CIBC Mellon can help.

At CIBC Mellon, we are committed to client service excellence, and it is important that we hear your concerns. To help us resolve your concerns, please follow our complaints handling process.