Skip to content

Privacy Policy

1 June 2023 


This notice applies across all websites that we own and operate and all membership and subscription services we provide, including data exchange, research projects and events. For the purpose of this notice, we’ll just call them our ‘services’. 

When we say ‘personal data’ we mean identifiable information about you, like your name, email, business address, telephone number, support queries, location, IP address and so on. If you cannot be identified (for example, when personal data has been aggregated and anonymised) then this notice doesn’t apply. Check out our legal policy for more information on how we treat your other data. 

Who are ‘we’? 

When we refer to ‘we’ (or ‘our’ or ‘us’), that means Operational Riskdata eXchange Association (ORX) and all its wholly owned subsidiaries. Our registered office is in Geneva, Switzerland but we operate from and have offices in Bath in the UK. Address details for our offices are available in the  How to contact us section of this policy. 

We are the largest operational risk association in the financial services sector. Since 2002, we’ve been developing a global community of financial institutions committed to improving the management and measurement of operational risk. 

For European Union data protection purposes, when we act as a controller in relation to your personal data, ORX (UK) Limited (company number 6848757) is our representative in the European Union. 

Our privacy promise 

We are committed to: 

  • Keeping your data safe and private 
  • Providing you with useful and timely information 
  • Giving you ways to manage and review the way we communicate with you at any time 

How we collect your data 

When you visit our websites or use our services, we collect personal data. The ways we collect it can be broadly categorised into the following: 

Information you provide to us directly/indirectly: When you visit or use some parts of our websites and/or services we might ask you to provide personal data to us. For example, we ask for your work-related contact information when you sign up for communications, register for a free trial, request information, participate in working groups or research, take part in events, contact us with questions or request support. 

If your firm is a member, or subscriber of another ORX service, a colleague may provide us with your work-related contact information. We will treat this information as though you provided it to us directly. This does not affect your rights under this privacy policy. 

If you don’t want to provide us with personal data, you don’t have to, but it might mean you can’t use some parts of our websites or services. 

Information we collect automatically: We collect some information about you automatically when you visit our websites or use our services, like your IP address and device type. We also collect information when you navigate through our websites and services, including what pages you looked at and what links you clicked on. This information is useful for us as it helps us get a better understanding of how you’re using our websites and services so that we can continue to provide the best experience possible (e.g. by personalising the content you see). 

Some of this information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why, and how you can control them, take a look at our cookie policy. 

ORX will perform some automated processing in our marketing and communication services, for example, we may use the personal details we hold about you to tailor the communication we send and to personalise the content on our website to your interests. 

If you give us work-related personal information about your colleagues (for example, as the contact for a particular role) please ensure that you have notified them and sought their permission to do so. 

Information we get from third parties: The majority of information we collect, we collect directly from you. Sometimes we might collect information from other sources though this may not be personally identifiable information. It will include: 

  • Information about the way that you use our websites 
  • Your interactions with us e.g. email correspondence 

Where we collect personal data, we’ll only process it: 

  • To perform a contract with you, or 
  • Where we have legitimate business interests to process the personal data and they’re not overridden by your rights, or 
  • In accordance with a legal obligation 

How we use your data 

First and foremost, we use your personal data to operate our websites and provide you with any services you’ve requested, and to manage our relationship with you. We also use your personal data for other purposes, which may include the following: 

To fulfil our core business activities: For example, by gathering your personal information through member surveys and research projects we can: 

  1. Provide high quality research outputs to our members, subscribers and website users
  2. Ensure your responses are appended to the correct institution
  3. Enable any follow-up discussions if required
  4. Provide individual benchmarks
  5. Evidence that we have mandatory information from the institutions we work with
  6. Connect you with interested peers from other organisations

To communicate with you. This may include: 

  • Providing you with information you’ve requested from us (like service or event materials) or information we are required to send to you 
  • Operational communications, like changes to our websites and services, security updates, or assistance with using our websites and services 
  • Marketing communications (about ORX or another product or service we think you might be interested in) 
  • Asking you for feedback or to take part in any research we are conducting (which we may engage a third party to assist with) 

To support you: This may include assisting with the resolution of technical support issues or other issues relating to the websites or services, whether by email, in-app support or otherwise. 

To enhance our websites and services and develop new ones: For example, by tracking and monitoring your use of websites and services so we can keep improving, or by carrying out technical analysis of our websites and services so that we can optimise your user experience and provide you with more efficient tools. 

To protect: So that we can detect and prevent any fraudulent or malicious activity, and make sure that everyone is using our websites and services fairly and in accordance with our legal policy. 

To analyse, aggregate and report: We may use the personal data we collect about you and other users of our websites and services (whether obtained directly or from third parties) to produce aggregated and anonymised analytics and reports, which we may share publicly or with third parties. 

How we may share your data 

There will be times when we need to share your personal data with third parties. We will only disclose your personal data to: 

  • Third party service providers and partners who enable us to provide services, support delivery of or provide functionality on the website or services, or to communicate about our products and services to you. Where we are sharing personal data as part of our research projects, we will only do this where we have stated at the outset it is a collaborative survey and we are being assisted by a third party. 
  • Regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights. Where possible and appropriate, we will notify you of this type of disclosure. 

Where we do share your personal data with third parties, we will ensure that we have a suitable contractual arrangement in place to protect your personal data. 

International Data Transfers 

When we share data, it may be transferred to, and processed in, countries other than the country you live in – such as the US, Switzerland or the UK, where our data hosting providers’ servers are located. These countries may have laws different to what you’re used to. Rest assured, where we disclose personal data to a third party in another country, we put safeguards in place to ensure your personal data remains protected. 

For individuals in the European Economic Area (EEA), this means that your data may be transferred outside of the EEA. Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data (like Switzerland). 


The length of time we keep your personal data depends on what it is and whether we have an ongoing business need to retain it (for example, to provide you with a service you’ve requested or to comply with applicable legal requirements). 

We’ll retain your personal data for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our data retention policies and practices. Following that period, we’ll make sure it’s deleted or anonymised. 

Your rights 

  • It’s your personal data and you have certain rights relating to it. When it comes to communications, you can ask us not to send you these at any time. There is a link in most ORX emails which allows you to update your preferences or unsubscribe, or you can contact us on with UNSUBSCRIBE in the subject heading. 

You also have rights to: 

  • Know what personal data we hold about you, and to make sure it’s correct and up to date 
  • Request a copy of your personal data, or ask us to restrict processing your personal data or delete it 
  • Object to our continued processing of your personal data 

You can exercise these rights at any time by sending an email to 

Our Information Security Officer is responsible for overseeing compliance with this privacy policy. If you have any questions about this Privacy Notice or how we handle your personal data please contact 

If you’re not happy with how we are processing your personal data, please let us know by sending an email to We will review and investigate your complaint and try to get back to you within a reasonable time frame. You can also complain to your local data protection authority. They will be able to advise you on how to submit a complaint. 

Changes to the privacy policy 

We may modify or update this privacy notice from time to time. 

How to contact us 

We’re always keen to hear from you. If you need to reach us our email is 

Our registered address is Operational Riskdata eXchange Association (ORX), c/o VISCHER Genève Sàrl, Rue du Cloître 2, 1204 Genève, Switzerland. 

Our UK staff are based in our UK offices at Third Floor, Upper Borough Court, Upper Borough Walls, Bath. BA1 1RG.