GlobeNewswire

Equities: INFORMATION REGARDING NASDAQ'S IMPLEMENTATION OF GDPR - A DATA PRIVACY OVERVIEW

Dear Client of the Nasdaq Nordic and Baltic Exchanges*

As a premier financial services and technology firm, acting with integrity and
compliance with applicable law are foundations of Nasdaq's business. Like
yourselves, we are aware of the importance of the General Data Protection
Regulation (the "GDPR"), which will come into force on May 25, 2018.  As a
business whose vision is to Rewrite Tomorrow, we look forward to the GDPR as an
important contributor to making the business of tomorrow one that effectively
integrates innovations in technology and data use with the protection of
individuals' fundamental right to privacy. 

Executive Summary

Since the GDPR was finalized two years ago, we have been working across our
organization so that we are prepared to meet our compliance obligations and
continue to serve as an excellent business partner to our clients, members and
other market participants.  These efforts have intensified over the past
year-plus as we put in place a formal multi-workstream project spanning our
business operations, technology, information security, legal and compliance,
human resources communication and other teams to ready ourselves to comply with
the relevant requirements of the regulation. 

In this letter, we would like to briefly review with you:

(1) An overview of our GDPR readiness program,

(2) How the GDPR applies to our services and impacts on related contract terms
and privacy notices, and 

(3) Our Privacy Governance Model.

At Nasdaq, through consistent "tone from the top" as well as reinforcement
through policies, training and outreach, we have endeavored to build a
values-based ethical culture that prioritizes information security. Across our
global enterprise, we have used the GDPR as an opportunity to enhance our
privacy program with a focus in all instances to process personal data with
Integrity, Transparency and Accountability - values that meet the principles
set forth in the GDPR in a way that is relevant to our business.  By doing so,
we seek to further emphasize respect for privacy and individual personal data
rights within our culture. 

We welcome the opportunity to discuss our program as implemented for the Nasdaq
Nordic and Baltic Exchanges, our other Nordic and Baltic regulated businesses**
or any other portion of our business with you or any other interested party. 
Please do not hesitate to contact us or any of the resources identified in this
letter. 

1. Overview of our GDPR Readiness Program

Under the direction of our GDPR Project Steering Committee, chaired by our
Global Chief Legal and Policy Officer and Vice-Chaired by our Global Chief
Information Security Officer, Nasdaq has devoted substantial time, funding and
executive focus to prepare for the requirements of the GDPR and establish a
robust ongoing privacy compliance program that will be able to respond to
evolution in law and guidance as well as address changes within our business or
individual incidents that may occur.  The following are some of the key
initiatives that we have undertaken or are undertaking with completion to be
done prior to the GDPR going into effect: 

  -- Comprehensive Data Processing Assessment and Analysis: Consistent with GDPR
     requirements, we have conducted a thorough data mapping of our business
     systems and processes across our enterprise. Where we have identified
     personal data processing subject to GDPR, we assessed the basis for
     processing and evaluated that appropriate technological and organizational
     measures are in place to protect the data.  This includes support from our
     Legal and Regulatory and Information Security Departments.
  -- Governance Structure: As further detailed below, we assessed our privacy
     governance structure, identified our ongoing corporate structure for
     overseeing privacy globally and designated a Data Protection Officer (as
     defined in the GDPR) for certain legal entities in our corporate family.
  -- Policy and Notice Review: We have updated our company-wide Code of Ethics
     to include core elements of GDPR and implemented updates to certain
     policies and related procedures to account for GDPR. This has included
     development of updates to our public facing privacy statements and updates
     to certain forms to incorporate GDPR requirements.
  -- Contracting Processes: To ensure that we meet the requirements of the GDPR,
     we have updated our contract templates and terms where relevant to include
     new personal data processing terms.  We have also updated certain existing
     contracts to ensure that they include updated terms that address GDPR
     requirements.  Contract changes relevant to your services are further
     described below.
  -- Product Development: Our updated Product Development Lifecycle process will
     apply privacy-by-design and default standards and a process for conducting
     a data protection impact assessment if required.
  -- Mechanisms for Addressing Individual Requests: We have developed processes
     for addressing data subject requests where Nasdaq is the data controller
     and for referring such requests to the controller for the limited services
     where we serve as a processor.  Any data subject may contact us at
     privacy@nasdaq.com or other identified resources to initially exercise
     his/her rights.
  -- Data Breach Response: We have incorporated GDPR into our overall corporate
     data breach response program and are conducting scenario-based training to
     prepare for potential situations that may require notification under GDPR.
  -- Training: We have conducted numerous awareness and function-specific
     training events for our staff and continue to do so.



2. How the GDPR applies to our Services and impacts on Related Contract Terms
and Privacy Notices 

With respect to its delivery of services to clients, members and other market
participants, the Nasdaq Nordic and Baltic Exchanges process personal data in
two primary contexts: (1) to administer our business and (2) as part of the
delivery of contracted products and services by our customers. 

We process personal data as part of the administration of business in several
contexts. Examples of these include screening new issuers and members to comply
with law and prevent fraud, credentialing individuals from members to use our
system and ensuring effective information security, addressing help desk or
system user questions, providing system user notifications and marketing new
services to designated users. 

We process personal data as part of the delivery of our products and services
as required by applicable law and/or our agreement with you. Under applicable
laws such as MiFID 2/MiFIR and the Market Abuse Directive/Market Abuse
Regulation as well as to fulfill our role as a trading venue operator, we
collect and process certain data about individual orders and transactions that
may include personal information.  One example of this may include processing
as part of our market surveillance to identify market abuse, fraud and other
inappropriate actions; this may include reporting suspected misconduct to
authorities.  Another example may include processing of personal data related
to our exchange oversight role, such as conducting disciplinary reviews and
hearings. All such processing aligns with requirements under applicable law and
none involves automated decision-making. 

To reflect requirements under GDPR, we will make updates to the following
documents: 

  -- Member Portal General Terms and Conditions (posted to our Member Portal).
  -- Privacy Policy (posted to our website).

Because we may receive personal data from you about your individual customers
when you use our exchange to complete transactions (which is normally limited
in such a manner that we cannot effectively identify individuals or contact
them), it is your responsibility to advise your customers to consult our
published Privacy Policy
(http://business.nasdaq.com/list/Rules-and-Regulations/European-rules/index.html),
this letter (which will be publicly posted on our website) and other
information posted on our website on how we process their data. 

3. Privacy Governance Model

Building on our self-regulatory history, Nasdaq has a deep foundation in
applying strong governance to our business and compliance activities.  Like
other compliance requirements, we seek to integrate GDPR compliance into our
business functions as part of the "first line" of defense. This is then
reinforced with compliance and risk management expertise as part of our "second
line" functions with Internal Audit providing the "third line" of defense
conducting risk-based reviews of our program. To ensure accountability and
vigilance, we have established executive management structures and board
oversight to provide mechanisms for escalating risk, prioritizing actions and
providing support to initiatives. 

Specific to our GDPR and privacy program governance, we have implemented the
following governance model: 

  -- Boards of Directors Oversight: Ultimate oversight of our GDPR privacy
     program is conducted by the Board of Directors of each of the Nordic and
     Baltic Exchanges and other group companies with further enterprise-wide
     oversight by the Board of Directors of our ultimate parent company, Nasdaq,
     Inc. Our boards have been briefed on GDPR's implications for Nasdaq and
     will be updated regularly on privacy program changes and elements.
  -- Global Privacy Steering Committee: Due to the enterprise-wide impacts of
     GDPR, we are converting our GDPR project steering committee into a
     permanent Global Privacy Steering Committee. The Steering Committee will be
     chaired by Andreas Gustafsson - our Senior Vice President and General
     Counsel for Europe - and vice-chaired by Lou Modano - our Senior Vice
     President and Global Chief Information Security Officer. Members will
     include business operations executives and senior representatives from our
     Technology, Office of General Counsel, Human Resources, and Global Risk
     Management functions. The Steering Committee will report to our top level
     management risk committees including our Global Risk Management Committee
     (chaired by our CFO), Compliance Council (chaired by our General Counsel)
     and Technology Risk Committee (chaired by our CIO).
  -- Data Protection Officer (DPO) and Operational Privacy Function Leadership:
     We have appointed Lindahl Law Firm represented through Caroline Olstedt
     Carlström as our DPO for Nasdaq Nordic and Baltic regulated entities. Ms.
     Carlström will serve in this role as an external DPO (so remains employed
     by Lindahl where she is a partner and lead of the firm's privacy practice).
     We believe that having an external DPO avoids potential conflicts of
     interests and ensures that we are engaged in industry best practices.

Within our organization, operational management of our privacy program will be
handled within our Office of General Counsel, which also is responsible for our
other corporate compliance functions. Our commercial law group will be
responsible for managing customer and vendor contracts. 

Conclusion - Points of Contact

As exchange members and customers, we look forward to working with you to
ensure that we are able to meet the principles of the GDPR and expectations of
those with whom we do business as they relate to the services that we deliver.
We welcome the opportunity to discuss our efforts further with you either now
or in the future. 

You may contact any of the resources below quoting the service, product and
Nasdaq legal entity your query relates to: 

  -- General Contact for Privacy Team at: privacy@nasdaq.com
  -- Office of General Counsel, Stockholm office;
     Post address: Tullvaktsvägen 15, 10578 Stockholm, Sweden
     Att: General Counsel Office
  -- Andreas Gustafsson; General Counsel for Europe at:
     Andreas.Gustafsson@nasdaq.com
  -- Wesam Alkawka; Associate General Counsel, Nordics and Baltics Data Privacy
     Liaison, at: Wesam.Alkawka@nasdaq.com
  -- Nasdaq DPO: Lindahl Law Firm represented through Ms. Caroline Olstedt
     Carlström
     Address: Advokatfirman Lindahl KB, Box 1065, 101 39 Stockholm, Sweden
     Att: Caroline Olstedt Carlström
  -- Your regular Nasdaq contact person



Thank you for your consideration and attention to this important topic.

Yours sincerely,

Nasdaq Inc.

Andreas Gustafsson

General Counsel Europe and Global Co-Chief Compliance Officer



*The Nasdaq Nordic and Baltic Exchanges consist of Nasdaq Copenhagen A/S,
Nasdaq Helsinki Ltd, Nasdaq Iceland hf., Nasdaq Oslo ASA, Nasdaq Riga AS,
Nasdaq Stockholm AB, Nasdaq Tallinn AS and AB Nasdaq Vilnius. 

**In addition to the Nasdaq Nordic and Baltic Exchanges, these include Nasdaq
Broker Services AB, Nasdaq Clearing AB, Nasdaq CSD SE, Nasdaq CSD Iceland hf.
and AS Pensionikeskus.
© 2018 GlobeNewswire