Global Privacy Statement
Last updated: December 2022
Principal Financial Group and its affiliates and subsidiaries (“Principal,” “we,” “us,” or “our”) respect the privacy of your personal information (i.e., information that may directly or indirectly identify you, as further described below) (“PI”). This Global Privacy Statement (“Privacy Statement”) describes our practices regarding the collection, use, and disclosure of your PI, including sensitive personal information (as further described below), when you visit one of our Principal websites (collectively, the “Site”), when you communicate with us via email, when you register to attend our webinars or online events, when you use our Principal mobile application(s) (“App”), and when you engage with us offline (collectively, the “Services”).
This Privacy Statement is provided in a layered format so you can click through to the specific areas set out below. You can also download a version of the Privacy Statement (PDF).
This Privacy Statement also provides information about your rights in relation to the processing of your PI, including for residents in California and residents in the European Economic Area (“EEA”), United Kingdom (“UK”), and Switzerland. Please note: The applicability of certain sections of this Privacy Statement will vary by law and jurisdiction. As a result, not all provisions of this Privacy Statement will apply to all users or all of certain users’ PI.
For the purposes of European, UK, and Swiss data protection laws, when applicable, Principal is the controller of your PI as further described in this Privacy Statement. A list of Principal affiliates can be found in the Annex of this Privacy Statement.
References to “you” or “your” refers to individuals whose PI is processed by Principal, including Site and App users, customers, and beneficial owners of an organization or entity in connection with:
- the provision of financial services to potential or actual customers;
- transactions to which we are party; or
- services provided to us through a third-party vendor.
By accessing the Site and using our Services, you agree to our collection and use of your PI as described in this Privacy Statement. However, your use of the Services does not equate to consent for the processing of your PI for purposes of European, UK, and Swiss data protection laws.
In the 12 months preceding the date of this Privacy Statement, we may have collected your PI in a number of ways, including:
- when you provide it to us, including in connection with a Principal product or service you have purchased or are considering, such as a completed insurance or investment application form, or where you contact us in relation to a query you have;
- from your employer or plan sponsor, if Principal provides them with recordkeeping and/or employee benefits services;
- from financial professionals (e.g., brokers, agents, advisors, and distribution partners) associated with the products and services we offer you;
- if you are a representative of an organization or entity that is a client or vendor of Principal, and that organization or entity provides us with your PI;
- throughout the course of our relationship with you, including when you change your details, provide additional PI, or when the services we are providing to you change;
- from public sources where you have manifestly chosen to make your PI public, including via public profiles on social media;
- from third parties such as credit reference agencies, or third parties that you direct or authorize to share information with us;
- from other third-party data services, for example to verify your identity and to better understand your product and service needs; and
- from visits to our Site or use of the Services.
Please note that, where we receive your PI from a source other than directly from you, Principal cannot ensure the accuracy of such PI.
The categories of PI we may have collected from these sources during the 12 months preceding the date of this Privacy Statement, and will continue to collect, include the following:
- Personal identifiers: e.g., name, residential address, email address(es), social media handle, telephone number(s), government identification documentation and numbers, date of birth, nationality, gender, and signature.
- Professional information: e.g., name of current employer, job title, work address, work telephone number(s), work email address, and professional and academic history.
- Financial information: e.g., bank account number, account balance, income, assets, and liabilities.
- Profile information: details about your accounts that you have with us and other details of products and services you have purchased from us, such as your account or policy number, investments, and username, password, and email address for our online services that you have access to.
- Electronic monitoring information: to the extent permitted by law, we may record and monitor your electronic communications with us and visits to our premises via the use of CCTV recordings; and
- Sensitive Personal Information (“SPI”): In limited circumstances, and where allowed by law, SPI about you (e.g., medical and health information required to provide the products and services you request). Please note, you are prohibited from sending us SPI, or instructing others to do so on your behalf, that we did not request or is not needed for us to perform services for you.
- Demographic information: In some circumstances, we may collect demographic data about you (e.g., household information and marital status).
We may also collect any other PI from you to the extent that you voluntarily disclose such PI to us.
Unless we otherwise indicate that the provision of specific PI is optional, any PI we request from you, your organization, plan sponsor, or other associated entity will be related to the products and services requested by you or on your behalf. If you do not provide the PI requested, we may not be able to provide those products or services, accept or progress your submission of interest, fulfill your request, or respond to your communications more generally
We will only use your PI in accordance with applicable law and in the following circumstances:
|Categories of PI||Processing purposes||Legal basis for processing|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; Electronic monitoring information; SPI; Demographic information||To provide our services to you: To provide our products and services to you, including: (i) providing access to certain areas, functionalities, and features of our Services; (ii) allowing you to register for events; (iii) opening an account, or entering into a relationship at your request, including performing anti-money laundering, anti-terrorism, sanction screening, fraud, and other due diligence checks; (iv) liaising with third parties (., brokers for the purposes of executing transactions); and (v) providing information about our various products and Services||With your consent, if required by applicable law To enter into/perform a contract with you To comply with our legal or regulatory obligations To pursue our legitimate interests in providing the requested information and/or information about our processing of your PI in an effective and efficient manner|
|Personal identifiers; Professional information; Financial information; Professional information; Technical information; Demographic information||Transactions: To enable any due diligence and other appraisals or evaluations for any actual or proposed merger, acquisition, financing transaction, or joint venture contemplated by Principal||To enter into/perform a contract with you To pursue our legitimate interests to operate and improve our business|
|Personal identifiers; Professional information; Profile information; Technical information; Demographic information||Advertisements: For tailored advertising from us or on third party sites, either because of the website you are viewing or based on your interests, which we have inferred from your PI||With your consent, if required by applicable law If you no longer wish to see tailored advertising, you can amend your cookie preferences (see section on Cookies and Other Technologies below)|
|Personal identifiers; Professional information; Profile information; Technical information; Demographic information||Personalization and operations: To personalize your visit to the Site, to monitor or improve the Site, and to assist you while you use the Site To improve the operation of the Site by helping us understand who uses the Site, and how||With your consent, if required by applicable law To pursue our legitimate interest to properly manage and administer our relationship with you and to ensure that we are as effective and efficient as we can be|
|Personal identifiers; Professional information; Profile information; Technical information; Demographic information||Administration: For business administration, including statistical analysis, data analytics, strategic planning, and development of our products and services||With your consent, if required by applicable law To pursue our legitimate interest to properly manage and administer our relationship with you and to ensure that we are as effective and efficient as we can be|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; Electronic monitoring information; SPI; Demographic information||Legal claims: To defend and enforce our rights, including against legal claims that involve us, and to manage regulatory matters, investigations, data breaches, and/or data subject requests||To enter into/perform a contract with you To comply with a legal obligation, e.g., to respond to an official request or data subject request To pursue our legitimate interests to defend and enforce our rights|
|SPI, including data concerning political opinions and criminal convictions and offences||Investment eligibility: To verify your investment eligibility, including determining whether you are a “politically exposed person”||To comply with our legal or regulatory obligations|
|SPI, including health data (e.g., information relating to any medical or disability condition or status)||Provision of products and services: To provide the products and services you requested from us||With your consent, if required by applicable law|
If you are located in the EEA, the UK, or Switzerland: You have a right to object to the processing of your PI where that processing is carried out for our legitimate interests. Please note, however, that we may not be able to fulfill such requests in all instances.
We also automatically collect basic Technical information from all visitors to the Site through our automatic data collection tools, which may include cookies and other commonly used technologies. These tools collect certain standard information that your browser sends to the Site, such as your browser type and language, device type, operating system, access times, domain name, and the address of the website from which you came to the Site. They may also collect information about your IP address or click-stream data within our Site (i.e., the actions you take in connection with the Site). Among other things, this information helps us improve the functionality of the Site.
Cookies are small text files sent to your web browser and stored on your hard drive by a website. Cookies allow your web browser to “remember” specific pieces of information about your visits to our Site.
Cookies allow you to access secured information, conduct secured transactions, and take advantage of promotional opportunities. They are designed to help you have a better user experience within our Site, and we use the information to improve our Site content and Site functionality. Cookies allow our Site to remember your device, remember who you are, and help us to be more efficient. For example, we can learn about what content is important to you, and we can revise or remove web pages that are not of interest. You may set your web browser to notify you when you receive a cookie.
Types of cookies we use
Our Site uses both “session” and “persistent” cookies. Session cookies are temporary and expire when you leave our Site or are inactive for a specified length of time. Persistent cookies store your preferences for the Site and are read by your browser each time you visit the Site.
Our Site uses both first-party cookies, which are cookies set by us, and third-party cookies, which are cookies set by other companies to assist our advertising and marketing efforts.
The cookies used by our Site fall into the following four categories:
1. Strictly necessary cookies. These cookies are necessary for our Site to function and cannot be switched off in our systems. They’re set for you behind the scenes when you do things such as log in, fill out forms, make a request for products or services, or set your privacy preferences. You can set your browser to block or alert you about these cookies, but some parts of our Site won’t work without them.
2. Functional cookies. These cookies enable our Site to work smoothly and in a manner personalized to you. They may be set by us or by third-party providers whose services we’ve added to our pages. For example: downloading a customer service form using PDF. If these cookies are blocked, then some or all of these services may not function.
3. Performance cookies. These cookies allow us to count how many times people visit our Site, and how they get here, so we can measure and improve its performance. They show us which pages are the most (and least) popular, and how visitors move around on the Site when they’re here. If these cookies are blocked, we have less information about how to improve our Sites that will be useful to you.
4. Marketing cookies. These cookies may be set through our Site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other websites. If these cookies are blocked, you will experience less targeted advertising.
Managing your cookie preferences
If you wish to make changes to your cookie preferences, please visit the Principal.com cookie preference center.
Most web browsers allow you to change your browser settings to limit or block certain cookies. Doing so, however, may limit your access to certain sections of our Site or otherwise compromise the functionality of the Site.
If you wish to make changes to your cookie preference please visit one of the links below:
The following chart describes the categories of PI that we disclosed to third parties for a business purpose in the 12 months prior to the date of this Privacy Statement:
|CATEGORIES OF PI||CATEGORIES OF THIRD PARTIES WITH WHICH WE SHARE PI FOR A BUSINESS PURPOSE|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; SPI; Demographic information||Service providers that assist us in operating, analyzing, and displaying content on our Site, provide analytics information, or provide website hosting, webcast and conference services|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; Electronic Monitoring Data; SPI||Service providers that provide data security services and cloud-based data storage, host our Sites, and assist with other IT-related functions|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; SPI; Demographic information||Service providers that assist us in providing or administering our products or services or in otherwise administering our business, and financial professionals (e.g., advisors, brokers, and distribution partners) that help us provide you with our products and services|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; SPI; Demographic information||Principal Financial Group companies and affiliates (see the Annex of Privacy Statement)|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; Electronic Monitoring Data; SPI; Demographic information||Professional advisors, third parties, agents, or independent contractors that provide services to any member of Principal Financial Group (such as IT systems providers, platform providers, financial advisors, brokers, or consultants, including lawyers and accountants)|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; SPI; Demographic information||Credit reference agencies or other organizations that provide credit information, or help us to conduct anti-money laundering and anti-terrorist financing checks and to detect fraud and other potential criminal activity|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; SPI; Demographic information||A potential buyer, transferee, merger partner, or seller and their advisers, in connection with an actual or potential transfer or merger of part or all of Principal’s business or assets, or any associated rights or interests, or to acquire a business or enter into a merger with it|
|Personal identifiers; Professional information; Financial information; Profile information; Technical information; SPI; Demographic information||Your plan sponsor (if applicable), and third parties with whom you or your plan sponsor (if applicable) instruct or authorize us to share data|
In addition to the above, we may also disclose your PI in any jurisdiction to:
- competent authorities (including national or international regulators, law enforcement authorities, tax authorities and courts or other tribunals) or their agents, where Principal is required or permitted by law or regulation to do so;
- any person to whom disclosure is allowed or required by local or foreign law, regulation, or any other applicable instrument; and/or
- comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property, or safety of others, including to law enforcement agencies and judicial and regulatory authorities.
We may contact you by email to provide information regarding events, products, services, and content that may be of interest to you, unless you inform us that you do not wish to receive marketing communications from us. If applicable law requires that we receive your consent before we send you certain types of marketing communications, we will only send you those types of communications after receiving your consent.
You can request that we stop processing your PI for marketing purposes at any time by clicking on marketing opt-out links in any electronic marketing materials we send you, by making a request to your usual Principal contact, or by using the contact details set out in the Contact Us section or the Annex of this Privacy Statement.
Our U.S.-based Services are generally hosted in the United States, although we may work with service providers in other jurisdictions from time to time. Therefore, when you disclose PI to us, your PI may be transferred outside of the jurisdiction you reside. If you are located in the EEA, UK, or Switzerland, Principal may, for the purposes listed in Section II above, transfer your PI to recipients as referred to above that are located in countries outside the EEA, the UK, or Switzerland, including to the United States, and that are not currently considered by the European Commission, UK Government, and/or the Swiss Federal Data Protection and Information Commissioner (as applicable) to provide an adequate level of data protection. In these circumstances, Principal will take steps to ensure that the PI is transferred in accordance with relevant data protection laws, including by entering into Standard Contractual Clauses or similar (“SCCs”) with the recipient, seeking assurances from the recipient that they have Binding Corporate Rules in place, or otherwise relying on a derogation for the transfer (e.g., where the transfer is necessary for the defense of legal claims).
You can request further information on the data transfer solutions relied upon, including a copy of the SCCs, by using the contact details in Section XIII or the Annex below.
In accordance with applicable law, you may have certain privacy rights based on the jurisdiction in which you reside. However, please note that the below rights are not absolute and may be subject to exceptions and/or limitations. The exceptions may relate to the types of PI we collect or the nature of our business.
Some privacy laws, such as the California Consumer Privacy Act or the EU’s and UK’s General Data Privacy Regulation, give certain individuals the right to submit certain requests, subject to applicable exemptions or limitations.
You may submit such requests online via our form for California residents and our form for EU and UK residents, and we will process such requests in accordance with applicable privacy law. You may also submit requests by contacting us at +1-800-986-3343 (please inform our customer service representative of the type of request you wish to submit) or CorpPrivacy@exchange.principal.com. The types of requests provided for by applicable privacy law may include:
- Right of access: This type of request is to confirm what data is being processed, obtain information about the processing activities, and to receive a copy of your PI;
- Right to rectification: This type of request is to seek rectification/correction of your PI where it is inaccurate or incomplete;
- Right to erasure: This type of request is to seek deletion of your PI;
- Right to restriction: This type of request is to ask that we restrict or suppress the processing of your PI, which means that while we are permitted to store the PI, we cannot otherwise process it;
- Right to data portability: This type of request is to seek the transfer of certain PI to a third party in machine-readable format;
- Right to object: This type of request is to object to the processing of your PI, including for any direct marketing purposes; and
- Right to Withdraw Consent: This type of request is to withdraw your consent, at any time, without hindrance or cost, to prevent further processing of your PI. Please note that withdrawing your consent does not affect the lawfulness of our processing of your PI based on such consent before the withdrawal.
In addition, you may also have the right to lodge a complaint with your local data protection authority.
To protect your privacy, we take steps to verify your identity before fulfilling your request.”
California consumer privacy act
The California Consumer Privacy Act (CCPA) gives California residents rights with respect to their PI. Such rights are limited to PI that is not exempt under the CCPA. The CCPA exempts, for example, non-public personal information that is subject to the Gramm-Leach-Bliley Act, a federal financial privacy law.
California residents are granted the right by law to opt out of the sale of their Personal Information. We do not sell PI within the meaning of the CCPA.
CCPA: Data subject request rights
As mentioned above in Section VII, the CCPA may grant you the right to submit certain data subject requests. For requests for access or deletion, we will first acknowledge receipt of your request within 10 business days of receipt of your request. We will provide a substantive response to your request as soon as we can, generally within 45 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances.
If we expect your request is going to take us longer than normal to fulfill, we will let you know.
We usually act on requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations. In some cases, the law may allow us to refuse to act on certain requests. When this is the case, we will provide you with an explanation as to why.
When we receive a data subject request, we will ask you for identifying information and attempt to match it to information that we maintain about you.
If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to your request. We will notify you to explain the basis of the denial.
Our commitment to allowing you to exercise your rights – Non-discrimination
If you exercise any of the rights explained in this Privacy Statement, we will continue to treat you fairly. If you exercise your rights under this Privacy Statement, you will not be denied or charged different prices or rates for goods or services, or provided a different level or quality of goods or services than others.
CCPA: Authorized agents
You may designate an agent to submit data subject requests on your behalf. The agent must be a natural person or a business entity that is registered with the California Secretary of State.
If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our verification process. Specifically, if the agent submits requests to access, know, or delete your PI, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the opt-out request on your behalf. We will also require that you verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request.
Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with California law pertaining to powers of attorney.
California shine the light
California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents who have an established business relationship with a business to annually request, free of charge, information about certain categories of PI a business has disclosed to third parties for those parties’ direct marketing purposes in the preceding calendar year. We do not share PI with third parties for their marketing purposes.
Do not track
Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browsers’ do not track signals.
We retain PI for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, the amount, nature, and sensitivity of the PI are considered, together with the necessity and purposes for the processing (including whether such purposes can be achieved through other means) and the potential risk of harm from unauthorized use or disclosure of the PI. In exceptional cases (e.g., in pending litigation matters or where the law requires us to) your PI may need to be kept for longer periods of time.
We take reasonable steps, consistent with generally accepted industry standards, including physical, technical, organizational, operational and management controls to ensure a level of security appropriate to the risk of PI processing. For more detail, please see our Security Policies page.
The Services are not directed to children under 16 (or other age as required by local law), and we do not knowingly collect PI from children. We do not sell the PI of minors. If you learn that your child has provided us with PI without your consent, you may contact us as set forth below. If we learn that we have collected any PI in violation of applicable law, we will promptly take steps to delete such information and terminate the child’s account.
Changes to our Privacy statement
We reserve the right to modify this Privacy Statement at any time, so please review it frequently. If we make changes that materially affect our uses of PI or your privacy rights, we will announce the changes by providing a notice on this Site and/or, if deemed appropriate, by email.
If you have any questions about our privacy practices or this Privacy Statement, or if you wish to submit a request to exercise your rights as detailed in this Privacy Statement, please contact us at:
Principal Financial Group
711 High Street
Des Moines Iowa, United States 50392
Depending on your location, you may also wish to contact us as per the contact details according to the relevant Principal affiliate in the Annex.
List of principal subsidiaries and affiliates
|Name of Principal affiliate||Jurisdiction||Contact details|
Principal Financial Group’s U.S. affiliates, including:
Enterprise Privacy Office
Principal Global Investors (Europe) Limited and its EU affiliates, including:
|European Union and United Kingdom||
Compliance Department, Principal Global Investors Europe
|Principal Real Estate Europe Limited||European Union and United Kingdom||Compliance Department, Principal Global Investors Europe
1 Wood Street, London, EC2V 7JB, United Kingdom,
For the German Data Protection Officer:
Scheja und Partner Rechtsanwälte mbB (FAO Jens Heidemann)
Adenauerallee 136, D-53113 Bonn (Germany)
Tel: +49 228 227226-0
If you are located in the EEA, the UK, or Switzerland: You have a right to object to the processing of your PI where that processing is carried out for our legitimate interests. Please note, however, that we may not be able to fulfill such requests in all instances.