INTRODUCTION In this Privacy Policy references to we, us or our means Brown Advisory Incorporated, a corporation incorporated in the State of Maryland, whose registered office and principal place of business is 901 South Bond Street, Suite 400, Baltimore, MD 21231, USA, or one or more of its affiliates or subsidiaries as may be applicable and as further explained in Section 3 below. Our business activities include providing investment services to clients, advising and marketing the Brown Advisory Funds and arranging investments for institutional investors (collectively, the “Services”). References to you or your refer to individuals located in the United Kingdom or the European Economic Area who are protected by the GDPR and who are: users of our US website (www.brownadvisory.com), including our client portal TouchPoint (collectively, the “Website”); clients and prospective clients; investors and prospective investors in the Brown Advisory Funds; and agents of clients, investors or prospects. In addition to our Privacy Policy, your use of the Website is subject to our Terms of Use. OVERVIEW OF THE PRIVACY POLICY This Privacy Policy sets out the basis on which we collect and use personal information about you through your use of the Website and the Services. This Privacy Policy describes in detail who is responsible for the personal information that we collect about you, what personal information we collect, how we will use such personal information, who we may disclose it to and your rights and choices in relation to your personal information. In this Privacy Policy where we use the words personal information we use these words to describe information that is about you and which identifies you. WHO IS RESPONSIBLE FOR THE PERSONAL INFORMATION THAT WE COLLECT? For the purposes of the General Data Protection Regulation and any associated and applicable data protection laws (“GDPR”), Brown Advisory Incorporated is generally the data controller. This is because we dictate the purpose for which your personal information is used and how we use your personal information. If you are a prospective client (for example, you visit the Website, but you do not have a client agreement with an affiliate or subsidiary of ours), then we are the data controller. If you are a client of ours, then other agreements between us may also apply to your use of the Services, and we are the data controller with regard to your use of those Services. If you have an agreement with an affiliate or subsidiary of Brown Advisory Incorporated, then our affiliate or subsidiary would be the data controller with regard to your use of those Services. A list of Brown Advisory Incorporated affiliates and subsidiaries, along with appropriate contact information, appears in Section 17 below. WHAT PERSONAL INFORMATION DO WE HOLD ABOUT YOU? Our regulators require us to inform you that we have on record personal information about you and that we obtain such information from you directly (e.g., information you provide to us on account applications and other forms, such as your name, address, Social Security or National Insurance number, occupation, risk tolerance, assets and income) and indirectly (e.g., information on our computer systems about your transactions with us, such as your account balance and account holdings). All personal information is kept confidential. We identify the personal information we collect from you directly and indirectly in more detail below. Information You Provide to Us We collect and use personal information about you in the course of providing the Website and the Services. The information that you provide to us may include the following: Contact information Name, mailing or residential address, email address and telephone number General information Date and place of birth, gender, marital and family status, maiden name, place of birth, residency, nationality Locational information Information relating to your physical location which may be derived from the location where you access the internet using a computer or mobile device or mobile phone Government and other official identification information (including photographic identification information) Social security or national insurance number, passport number, tax identification number, driver’s license number or other government issued identification number Publicly available information Information that is available on publicly accessible records, such as State, local, and foreign government organizations, the Securities and Exchange Commission, certain court records, or is otherwise generally available on the internet. Occupation information Occupation, organization you work for, title or position, current salary and benefits Social relationship information Information relating to your family, friends, business associates or other relationships Financial and asset information Assets, income, real estate ownership, policies, credit history, credit reference information and credit score, and other financial information Account information Username, password, risk tolerance, account balance, account history, account holdings Payment and transactional information Payment card numbers (credit or debit card), bank account numbers, or other financial account numbers and account details. Details of payments to and from your accounts with us. Marketing preferences, marketing activities and customer feedback Marketing preferences or responses to voluntary customer satisfaction surveys To improve our marketing communications, we may collect information about interaction with, and responses to, our marketing communications Telephone, video, and security camera recordings Video recordings employed for security purposes within our offices. Under some circumstances, certain telephone calls or interactive audiovisual sessions may be recorded. Event information Information you provided to us for the purpose of attending events, including access and dietary requirements If you use the Website to apply for a career opportunity Applicant information, such as your educational and employment history, CV or resume, qualifications and training, results, interests, language skills, personal statements, employment preferences; information necessary to complete a background check (to the extent permitted in your jurisdiction); immigration status and work authorization; health information (as permitted by applicable law); diversity information (as permitted by applicable law); information collected during interviews and assessments Special categories of data Certain categories of data may only be processed in circumstances where the law permits. Such categories of data which we may process include: - Racial or ethnic origin - Sexual orientation - Religious, philosophical or political beliefs - Trade union membership - Health data - Criminal convictions and offenses Other information you provide to us For example, to the extent it is not already identified above, other information you provide to us during the consultation process, on account applications or other forms, or through use of the Website or the Services. This information may be provided: (a) in the course of your use of our Website and the Services; (b) in the course of communications between you and us (including by phone, email, Website or otherwise); (c) when you apply to open a client account with us or otherwise establish a business relationship;< (d) when you inquire about products or services; (e) when you apply to a job opportunity with us; (f) when you sign up for our newsletter or other materials; and (g) when you report a problem with our Website or Services. If we do not collect, or you do not provide, your personal information to us, we may not be able to receive or process your application, provide the Website or the Services to you or respond to your communications. Information We Collect About You We may also collect personal information about you through your use of the Website and the Services. This information includes online activity information and technical information about your usage activities, to the extent that such information constitutes personal information. We collect technical information automatically through your electronic device, such as your IP address (i.e. your computer’s address on the internet), operating system type (Windows or Mac) and version, internet browser type and version, and language. We also collect information about your use of our Website, for example, dates and times of log-in and out to your account, time spent on pages, and the pages visited. We use this information to ensure that the Website and the Services function properly. Please also see additional information on our cookie usage in Section 5 below. We may also collect information contained in our records of communications between us, such as by email, letter and text message. We may also, to the extent permitted by applicable law, record calls between us for training, monitoring, and quality control purposes. Information We Receive from Other Sources (a) information from any of the other websites we operate or the other services we or our affiliates provide (if you use any of them); (b) information from reference checking agencies (including your credit rating, details of any judgments made against you, and employment checks); (c) information we obtain from publicly available sources such as Facebook, LinkedIn, or news media; (d) information from recruitment agencies that you are registered with; and (e) information we have obtained from your references. Information about Third Parties If you are providing personal information to us relating to a third party, you confirm that you have the consent of the third party to share such personal information with us and that you have made the information in this Privacy Policy available to the third party. USE OF COOKIES The Website uses cookies to distinguish you from other users of the Website. Cookies are pieces of information stored directly on the device you are using. Cookies allow us to recognize your device and to collect information, such as internet browser type, time spent using the Services, and pages visited. This helps us to provide you with a good experience when you browse the Website and also allows us to improve the Website and the Services. We may also use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalize your experience while using the Website and the Services. In addition, we may use the information to gather statistical information about the usage of the Website and the Services in order to understand how they are used, continually improve their design and functionality, and assist us with resolving questions about them. You can refuse to accept the cookies we use by adjusting your browser settings. However, if you do not accept these cookies, you may experience some inconvenience in your use of the Website and some of our Services. HOW DO WE USE THE PERSONAL INFORMATION WE COLLECT ABOUT YOU? We use your personal information in connection with the provision of the Website and the Services to you. In particular, your personal information may be used by us, our employees, service providers, and disclosed to third parties for the following purposes. For each of these purposes, we have set out the legal basis on which we use your personal information. Purpose Legal Basis To communicate with you and other individuals FFor our legitimate business purposes (i.e., to provide information that you request and otherwise communicate with you in connection with the Website and the Services) To provide you with the Website and the Services For our legitimate business purposes (i.e., the provision of the Website and our Services), and depending on the circumstances, to perform a contract between you and us To process and assess your client application (where applicable) For our legitimate business purposes (i.e., to assess and consider a client relationship between us), and depending on the circumstances, to take steps prior to entering into a contract between you and us To notify you about changes to the Website or the Services For our legitimate business purposes (i.e., the provision of the Website and our Services) To audit and monitor the use of the Website and the Services For our legitimate business purposes (i.e., the provision of the Website and our Services, as well as to improve and monitor the security of these resources) We may request your consent in circumstances where a legal justification over and above legitimate interests is required by applicable law (e.g., in relation to our use of certain cookies) To improve the quality of the Website and the Services For our legitimate business purposes (i.e., the provision and improvement of the Website and our Services) To manage complaints, feedback and queries For our legitimate business purposes (i.e., the provision and improvement of the Website and our Services and to build and maintain strong relationships with our clients) To carry out satisfaction surveys and analysis For our legitimate business purposes (i.e., the provision, improvement and promotion of the Website and our Services) We may request your consent in circumstances where a legal justification over and above legitimate interests is required by applicable law To provide you with information about the services we offer (including details of any services or funds which we believe may be of interest to you) in accordance with your preferences as indicated when you entered into any agreement with us, including any marketing consent preferences. For our legitimate business purposes (i.e., the provision and promotion of the Website and our Services) We may request your consent in circumstances where a legal justification over and above legitimate interests is required by applicable law To process and assess your job application (where applicable) For our legitimate business purposes (i.e., to assess and consider your application) and, depending on the circumstances, to take steps prior to entering into a contract between you and us To the extent that we receive criminal records information as part of this process, we will only process this with your consent or as otherwise permitted by applicable law To comply with any legal or regulatory obligations (including in connection with a court order). For our legitimate business purposes and for compliance with legal obligations to which we are subject To detect, investigate or prevent crime, including fraud and money laundering For our legitimate business purposes and for compliance with legal obligations to which we are subject To enforce or apply the agreements concerning you (including agreements between you and us). For our legitimate business purposes and for compliance with legal obligations to which we are subject We may be required to obtain your personal information to comply with our legal requirements, to enable us to fulfill the terms of our contract with you or in preparation of us entering into a contract with you. If you do not provide the relevant personal information to us, we may not be able to provide the Website and the Services to you. Where we rely on our legitimate business interests or those legitimate interests of a third party to justify the purposes for using your personal information, this will include: • pursuit of our commercial activities and objectives, or those of a third party; • compliance with applicable legal and regulatory obligations and any codes of conduct; • improvement and development of our business operations and service offering, or those of a third party; or • protection of our business, shareholders, employees and customers, or those of a third party. WHO MAY WE DISCLOSE YOUR PERSONAL INFORMATION TO? Like all investment firms, in order to better serve clients, we need to share certain non-public personal information in the normal conduct of our business with other members of the Brown Advisory corporate group and with unaffiliated companies with whom we have service agreements. We describe those disclosures to third parties in more detail in the chart below. We may share your personal information in order to process transactions, maintain your accounts(s) and offer our services to you. This sharing allows us to: (i) provide better and more complete investment and strategic advice; (ii) develop new services that meet additional needs you may have; and (iii) comply with legal and regulatory requirements. When we share information with unaffiliated companies that are under contract to perform services on our behalf, such as vendors that provide services directly related to your account relationship with us, our agreements with these companies require that they keep your information confidential and not use such information for any unrelated purpose. We may also be required to share non-public personal information to respond to court orders and legal or regulatory investigations. We do not sell information about you to third parties, we do not jointly market with non-affiliated companies, and we do not otherwise disclose information about you to non-affiliates so they can market to you. You agree that we may share your personal information with: Our corporate group Other companies and entities within the Brown Advisory group of companies Our service providers Our business partners, suppliers and sub-contractors who help us provide the Website and the Services For example: our marketing and advertising service providers, our data hosting, client web portal and career platform service providers, and custodians and outsourcers who support the provision of the Services. Our professional advisers Including accountants, lawyers and other professional advisers that assist us in carrying out our business activities Government authorities and third parties involved in court action External agencies and organizations (including the police and other relevant authorities) for the purpose of complying with applicable legal and regulatory obligations We may also disclose your personal information to other third parties, for example: • in the event that we sell or buy any business or assets we may disclose your personal information to the prospective seller or buyer of such business or assets as necessary to support the sale or purchase; • if we or substantially all of our assets are acquired by a third party (or are subject to a reorganization within our corporate group), personal information held by us will be one of the transferred assets; and • if we are under a duty to disclose or share your personal information in order to comply with any court order or legal obligation, examination, or investigation. WHERE WILL WE TRANSFER YOUR PERSONAL INFORMATION? Brown Advisory Incorporated is located in Baltimore, Maryland, and we will process your personal information in the United States of America. We and many of the other members of the Brown Advisory corporate group, as well as many of our service providers, are located in the United States. Therefore, in order to provide our Services to you we may need to transfer your personal information and store your personal information in the United States. The level of protection of personal information in the United States may be less than offered within the European Economic Area (“EEA”). If we transfer personal information outside the EEA, we will implement appropriate and suitable safeguards to ensure that such data will be protected as required by applicable data protection law. Where we transfer personal information to members of the Brown Advisory corporate group, EU standard contractual clauses (as contemplated by Article 46(2) of the European Union’s General Data Protection Regulation) will be implemented. Where our third party service providers process personal data outside the EEA in the course of providing services to us, our written agreement with them will include appropriate measures, usually standard contractual clauses. For further information as to the safeguards we implement please contact: Chief Compliance Officer Brown Advisory Incorporated 901 South Bond Street, Suite 400 Baltimore, MD 21231, USA Email: [email protected] HOW WE PROTECTION YOUR PERSONAL INFORMATION To protect your personal information from unauthorized access and use, we use security measures that comply with applicable regulatory and legal requirements. These measures include physical, electronic and procedural safeguards that are designed to protect your personal information, including various measures to protect such information while it is stored electronically. We train and consistently remind all employees to respect client privacy (including the identity of our clients) and to recognize the importance of the confidentiality of such information. Those who violate our privacy policy are subject to disciplinary action. For more information on our security measures, you may visit brownadvisory.com/intl/security Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to the Website and any transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to help prevent unauthorized access. HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION? We will retain your personal information for as long as is necessary for purposes for which it was collected. The precise period will depend on the reason why it was collected. Those periods are also based on the requirements of applicable data protection laws, applicable legal and regulatory requirements and periods relating to the commencement of legal actions. We will retain your personal information for as long as you are our client or maintain a business relationship with us. Where the Services relate to regulated activities (such as the provision of investment management services) we will maintain your data for a minimum of five years after the relationship has ended. YOUR RIGHTS The following is a summary of your data protection rights in connection with your personal information. The rights may only apply in certain circumstances and are subject to certain exemptions. Please see the table below for a summary of your rights. You can exercise these rights using the contact details at the end of this Privacy Policy. Summary of your rights Right of access to your personal information You have the right to receive a copy of your personal information that we hold about you, subject to certain exemptions. Right to rectify your personal information You have the right to ask us to correct your personal information that we hold where it is incorrect or incomplete. Right to erasure of your personal information: You have the right to ask that your personal information be deleted in certain circumstances. For example (i) where your personal information is no longer necessary in relation to the purposes for which they were collected or otherwise used; (ii) if you withdraw your consent and there is no other legal ground for which we rely on for the continued use of your personal information; (iii) if you object to the use of your personal information (as set out below); (iv) if we have used your personal information unlawfully; or (v) if your personal information needs to be erased to comply with a legal obligation. Right to restrict the use of your personal information You have the right to suspend our use of your personal information in certain circumstances. For example (i) where you think your personal information is inaccurate and only for such period to enable us to verify the accuracy of your personal information; (ii) the use of your personal information is unlawful and you oppose the erasure of your personal information and request that it is suspended instead; (iii) we no longer need your personal information, but your personal information is required by you for the establishment, exercise or defense of legal claims; or (iv) you have objected to the use of your personal information and we are verifying whether our grounds for the use of your personal information override your objection. Right to data portability You have the right to obtain your personal information in a structured, commonly used and machine-readable format and for it to be transferred to another organization, where it is technically feasible. The right only applies where the use of your personal information is based on your consent or for the performance of a contract, and when the use of your personal information is carried out by automated (i.e. electronic) means. Right to object to the use of your personal information You have the right to object to the use of your personal information in certain circumstances. For example (i) where you have grounds relating to your particular situation and we use your personal information for our legitimate interests (or those of a third party); and (ii) if you object to the use of your personal information for direct marketing purposes. Right to withdraw consent You have the right to withdraw your consent at any time where we rely on consent to use your personal information. Right to complain to the relevant data protection authority You have the right to complain to the relevant data protection authority where you think we have not used your personal information in accordance with data protection law. LINKS TO THIRD PARTY WEBSITES The Website may contain links to the websites of third parties. We have no control over the content or operation of these websites, nor do we control the confidentiality or privacy practices of the website operators. Consequently, any personal information you submit through such websites is governed by the privacy policies of the websites in question. It is therefore your responsibility to find out about the third party policies in order to protect information that concerns you. NO SERVICES FOR MINORS We do not knowingly collect information from minors. To use the Website, you must be the age of legal majority in your place of residence. By using the Website, you hereby represent that you are at least the age of legal majority in your place of residence. We do not use an application or other mechanism to determine the age of users of the Website. We will use commercially reasonable efforts to delete information associated with a minor as soon as practicable if we learn that a minor has submitted information to us. We may retain personal information relating to minors only to the extent that it is relevant and necessary in maintaining a client relationship, for example, because we maintain an investment account that is associated with minor. DO-NOT-TRACK DISCLOSURE Certain mechanisms may allow you to send web browser signals, known as “Do Not Track” (“DNT”) signals, indicating your choice to disable tracking on the Website. We do not respond to browser do not track signals at this time. We may not be aware of or able to honor and respond to every such mechanism. More information about “do not track” is available at www.allaboutdnt.org concerning such information. CHANGES TO OUR PRIVACY POLICY Any changes we make to this Privacy Policy in the future will be posted on this page. The updated Privacy Policy will take effect as soon as it has been updated or otherwise communicated to you. QUERIES/CONTACT US If you have any questions regarding this Privacy Policy or the way we use your personal information, you can contact us by: Email: [email protected] Mail: Chief Compliance Officer Brown Advisory Incorporated 901 South Bond Street, Suite 400 Baltimore, Maryland 21231 Telephone: +1-410-537-5400 BROWN ADVISORY ADDITIONAL DATA CONTROLLERS If you are a client of a Brown Advisory affiliate or subsidiary, the entity listed below, as named in your written agreement with us, is your data controller: Brown Advisory affiliates or subsidiaries with a principal place of business in Baltimore, Maryland: Brown Investment Advisory & Trust Company Brown Advisory LLC Brown Advisory Securities, LLC Brown Advisory Investment Solutions Group, LLC Brown Advisory NG, LLC Email: [email protected] Mail: Chief Compliance Officer Brown Advisory 901 South Bond Street, Suite 400 Baltimore, Maryland 21231 United States of America Telephone: +1-410-537-5400 Brown Advisory Entities with a different principal place of business outside the UK or EEA: Brown Advisory Trust Company of Delaware, LLC Email: [email protected] Mail: Chief Compliance Officer Brown Advisory Trust Company of Delaware, LLC 5701 Kennett Pike, Suite 100 Centreville, DE 19807 United States of America Telephone: +1-302-351-7600 Highmount Fiduciary LLC Email: [email protected] Mail: Chief Compliance Officer Highmount Fiduciary LLC 100 High Street, 27th Floor Boston, MA 02110 United States of America Telephone: +1-617-717-6370 Meritage Capital, LLC Email: [email protected] Mail: Chief Compliance Officer Meritage Capital, LLC 500 West 2nd Street, Suite 1850 Austin, TX 78701 United States of America Telephone: +1-617-717-6370 Brown Advisory entities with a principal place of business in the UK or EEA: Brown Advisory Ltd. To the extent you have a relationship with Brown Advisory Ltd., the Privacy Policy available at brownadvisory.com/intl/privacy applies to your use of the Services. Brown Advisory Ltd.’s contact information is as follows: Email: [email protected] Mail: The Compliance Officer Brown Advisory Limited, 1st Floor, 18 Hanover Square London, W1S 1JY United Kingdom Telephone: +44 (0)20 3301-8130 This Privacy Policy was last updated on August 10, 2018.