I. Scope of Privacy Policies and Procedures
In the course of its business, the Firm  may come into possession of certain types of personally identifiable information about natural persons who are prospective, existing or prior employees of or partners in any entity comprising Point72 International  (“Personally Identifiable Information” or “PII”). It is the Firm’s policy to comply with the privacy legislation within each jurisdiction in which the Firm operates outside of the United States. These laws that govern the privacy and protection of Personally Identifiable Information may impose requirements and restrictions on the ability of the Firm to Process  PII, transfer such information internally within the Firm and disclose such information to non-affiliated third parties.
Personally Identifiable Information collected by the Firm may include:
- identification data about an individual that can be used to distinguish or trace an individual’s identity such as the person’s first or middle name (or initial) and last name;
- information related to the employee’s private life (including marital status or dependents);
- information related to the employee’s professional life; and
- economic and financial information.
This Policy is intended to comply with the laws and regulations of the countries in which the Firm operates outside of the United States, and may be supplemented by separate policies to address specific local requirements. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
II. Basic Principles on PII Protection and Processing
The following principles apply to all PII collected, held or Processed by the Firm:
- Lawfulness, fairness and transparency: PII shall be collected, held and Processed lawfully, fairly and in a transparent manner in relation to identified or identifiable natural persons;
- Purpose limitation: PII shall be collected for specified, explicit and legitimate purposes, according to the Firm’s legitimate interests of recruiting new employees, managing its relationship with its employees and conducting its activities, or when the processing of such data is required by the performance of its obligations under the applicable laws and regulations, and not further processed in a manner that is incompatible with those purposes;
- Data minimization: PII shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected and processed. Where possible, the Firm shall anonymize PII or aggregate PII data (such as statistical or research results) to reduce the risks to the natural persons concerned;
- Accuracy: PII shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that PII that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
- Storage period limitation: PII shall be kept for no longer than is reasonably necessary for the purposes for which it is processed, or for legal purposes;
- Security: Taking into account the state of technology and other available security measures, the implementation cost, and the likelihood and severity of privacy risks, the Firm must take appropriate security and contractual measures to safeguard PII against any accident, leakage, loss, destruction, damage, or unauthorized access or unlawful Processing.
- Cross-border transfer of PII: all Point72 International prospective and/or existing employees are hereby notified that it may be necessary for the Firm to transfer their PII to other offices the Firm may have and/or to nonaffiliated third parties in a country other than where the employee is employed in order to Process such PII for a purpose set forth in this Policy.
- The Firm will monitor and take reasonable steps to ensure compliance with the applicable regulations concerning cross-border transfers of PII; and
- Access to and correction of PII: all Point72 International employees are entitled, on written request, to be supplied by the Firm with a copy of PII held about them, the purpose for which it is held, information about the ways in which the PII has been or may have been used or disclosed by the Firm within the storage duration period and where appropriate and subject to any access or correction exemptions or restrictions under applicable laws or regulations, to have that PII corrected or erased.
In respect of PII that Point72 International employees and potential employees have provided to the Firm themselves, those individuals will be entitled, on written request, to receive copies of some PII in a structured, commonly used and machine-readable format and/or request that the Firm transmits that PII to a third party (in cases where this is technically feasible). Point72 International employees and potential employees may also, on written request, ask that the Firm restricts the processing of their PII in certain circumstances; however there may be circumstances in which the Firm will be legally entitled to refuse such requests.
All written requests from employees should be addressed to the Program Administrators in writing. It should identify the employee making the request and include sufficient detail to enable the Firm to identify the access or correction being requested or consent being withdrawn.
III. Purposes of Processing PII
The Firm may collect, hold and Process PII for employment purposes and as required by applicable laws, rules, regulations, policies and procedures. These include, but are not limited to:
A. the effective recording, management and administration of human resources data and performance of the human resources functions of the Firm;
B. collecting and processing securities accounts, holdings and transaction information provided by Firm employees or potential employees;
C. processing and providing Firm employees with compensation and benefits information and services;
D. managing applicable social and labor insurance and tax proceedings;
E. evaluation of Firm employees’ individual performance;
F. determining the suitability, eligibility or qualifications of prospective employees;
G. organizing the Firm employees’ training; and
H. providing IT tools for professional purposes.
IV. Identification and Non-Disclosure of PII
The categories of recipients who may have access to the PII are the following:
- Immediate superiors of the concerned employee,
- Authorized employees from the legal, compliance, accounting, finance, human resources, audit and IT departments of the Firm.
The Program Administrators will identify which other Firm departments have access to PII and report this to the GC/CCO, COO and CISO or their respective designees.
The Firm does not share any PII with third parties, except (and subject always to any local laws requiring the relevant employee’s prior consent):
1) as necessary or appropriate in connection with the Firm’s general business operations, including to vendors for employment and benefits-related purposes, and the Firm’s business partners; or
2) for other purposes required or permitted by law, such as where reasonably necessary to prevent fraud, unauthorized transactions or liability, to respond to judicial process or subpoena, or to comply with federal, state or local laws.
When the Firm shares any PII and/or authorizes a third party to Process PII on behalf of the Firm, the Firm shall seek to ensure that the third party will provide security measures to safeguard PII that are appropriate to the risks associated with the PII. In the event that unauthorized parties receive access to PII, the Firm will take all required actions, including for example, notifying those affected individuals of the privacy breach as might be required by applicable law.
V. Safeguarding PII
Employees of the Firm must comply with certain minimum procedures, as set forth herein, that are designed to address administrative, technical and physical safeguards for the protection of PII of Point72 International employees that the Firm possesses. Any Firm employee who violates this Policy may be subject to disciplinary action within the Firm and the employee may also be subject to civil or criminal liabilities if their conduct violates applicable laws or regulations.
If the Firm learns about a suspected PII breach incident, the Firm shall carry out an internal investigation and take appropriate remediation measures.
The Firm’s policies and procedures designed to address these requirements are described below:
A. Secure Records Containing PII
Records containing PII must be stored in a secure location. The Program Administrators are responsible for ensuring that:
- Hard-copy records: Any records stored in hard copy should be kept in a secure, locked location, such as designated filing cabinets.
- Diskette stored records: Any records stored on diskettes or other portable media should be safeguarded by keeping the diskettes or other portable media in a secure locked location, such as designated filing cabinets or secured datacenter.
- Electronically stored records: Any records stored electronically on a hard drive server or otherwise should be safeguarded by restricting access through the use of passwords or other access-limiting devices.
B. Limit Access to Records Containing PII
Except as otherwise provided herein, the Firm restricts access to PII to those employees who need to know such information in order to provide the appropriate services. Any employee who is authorized to have access to PII in connection with the performance of such employee’s duties and responsibilities must keep such information secure and confidential.
C. Document Destruction
The time period for which the Firm retains PII will vary, but the Firm shall determine the retention period for PII using various criteria such as:
- the purpose for which the Firm is using the PII – the Firm will need to keep the PII for as long as is necessary for that purpose; and
- legal obligations – applicable laws or regulations may set minimum periods for which the Firm has to retain PII.
Any employee discarding any document or electronic media containing PII must take reasonable steps to ensure that such documents and electronic media are shredded, permanently erased, or otherwise destroyed so that the information cannot be read or reconstructed.
The Firm must ensure that any companies engaged to dispose of PII perform their duties in accordance with this section. Steps to be taken to reasonably ensure appropriate disposal may include, among other things:
- Reviewing an independent audit of the disposal company’s operations;
- Obtaining information about the disposal company from references or other reliable sources;
- Ensuring that any agreements entered into with the disposal company includes sufficient confidentiality and data protection provisions;
- Requiring that the disposal company be certified by a recognized trade association or similar third party; and/or
- Taking other appropriate measures to determine the competency and integrity of the disposal company.
- Information Security Program
The Firm has established an information security program (the “Program”) setting forth standards for maintaining administrative, technical and physical safeguards to: (1) ensure the security and confidentiality of PII; (2) protect against any anticipated threats or hazards to the security of such information; and (3) protect against unauthorized access to or use of such information.
The Firm has delegated the responsibilities of administering the Program to the “Program Administrators.” The Program Administrators are responsible for the Firm’s information security compliance efforts. All inquiries from and reports by employees pertaining to Firm information security should be directed to the Program Administrators.
The Program Administrators are responsible for: (i) assessing existing risks to PII; (ii) developing ways to manage and control such risks; (iii) monitoring third-party vendor arrangements to ensure information security; and (iv) testing and revising the Program in light of relevant changes in technology and threats to client information.
The Program Administrators will review for foreseeable internal and external risks to information security with key employees, including operations, management and risk control personnel in all areas of the Firm’s operations. The Program Administrators will assess the likelihood and potential damage of these threats, the sufficiency of any safeguards in place to control such risks and, where appropriate, revise policies and procedures to address such risks.
The Program Administrators or their designees will meet with employees who may be in possession of PII periodically to review and implement the Program. The Program Administrators will be available for questions from employees as to the application of the Program. Based upon the information gathered by performing the risk assessments, and as changes in laws or regulations require, the Program Administrators will assess the need for, and arrange for, training of employees, and will provide policy and procedure updates as may be necessary to ensure that the Program is properly implemented.
The Program Administrators will ensure that the Firm: (i) takes reasonable steps in selecting, maintaining, upgrading and periodically testing the security protections of the information systems (including physical protection, network firewalls, relevant software, information processing, storage, transmission and disposal systems and arrangements); and (ii) employs appropriate password protection and encryption of electronic information where necessary, including while such information is in transit or stored on a network system or data storage device.
The Program Administrators will ensure that all information systems and networks containing, or otherwise affecting, PII have appropriate access controls, as well as detection, prevention and response mechanisms against attacks, intrusions, or other system failures that might materially affect the security of PII.
VI. Review by Program Administrators
The Program Administrators will review this Policy and the procedures set forth herein on an annual basis and test their effectiveness. The Program Administrators may suggest changes that he or she deems necessary for the purpose of enhancing the effectiveness of the policies and procedures. The Program Administrators should make a record of the date of his or her examination. The Program Administrators may also make spot checks on an interim basis.
VII. Further Information
The Program Administrators should be contacted for further information regarding these policies and procedures or any related complaints:
DataPrivacy@Point72.com. If the Program Administrators are not able to satisfactorily answer any questions, Firm employees have the right to lodge a complaint with the data protection regulator in the country where the relevant Point72 affiliate is using the PII.
 “Point72” or the “Firm” means Point72, L.P. and certain of its affiliates. The affiliates include, but are not limited to: CPV Partners, LLC, Cubist Systematic Strategies, LLC, Point72 Asia (Singapore) Pte. Ltd., Point72 Asset Management, L.P., Point72 Europe (London) LLP, Point72 France SAS, Point72 Hong Kong Limited, Point72 Japan Limited, Point72 Ventures, L.P., Point72 Australia Pty Limited, and Point72 Taiwan Research, LLC.
 “Point72 International” means all and any of Point72 Hong Kong Limited, Point72 Asia (Singapore) Pte. Ltd., Point72 Japan Limited, Point72 Europe (London) LLP, Point72 Australia Pty Limited, Point72 France SAS, Point72 Australia Pty Limited , Point72 Taiwan Research, LLC, and any other affiliate of Point72 routinely operating and employing personnel in a territory outside of the United States
 “Process” (including “Processed” and “Processing”) includes an operation or set of operations which is performed on PII, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use disclosure by transmission dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.