This Privacy Notice explains in detail how Bureau van Dijk Editions Electroniques Sàrl ("Bureau van Dijk", "we", "us", "our"), a Moody’s Corporation company of Avenue Louise 250, 1050 Brussels, Belgium, processes personal data in connection with the following products:

(the "Product"). 
 

"Personal Data" means information which identifies, or can be used to identify, living individuals.
 

1. Purposes of Processing

2. Personal Data Collected

3. Sources of Personal Data

4. Uses & Disclosures of Personal Data

5. Retention of Personal Data

6. Your Rights & Choices

7. Supplementary Information for the European Union, Switzerland and the UK

8. Contact & Queries

9. Updates to this Privacy Notice

Our clients include leading financial institutions, accounting companies and legal advisors, as well as companies in a variety of sectors and industries. Clients use the Products for legal compliance, risk assessment and business intelligence purposes, including:
 

• Compliance with law and regulation, such as know-your-client (“KYC”) obligations, sanctions screening, and anti-money laundering (“AML”) and anti-corruption and bribery (“ABC”) checks.
• Risk assessment purposes, such as corporate credit risk, supplier risk and procurement risk.
• Business intelligence purposes, such as information on the latest M&A deals, foreign direct investment, and patents held by companies.
• Additionally, some of the Products may be used by clients for business development purposes. 
   

We collect the Personal Data contained in the Products from a variety of sources, including third-party providers. Our clients are responsible for ensuring that their use of the Products complies with applicable laws and regulations. 

While the focus of the Products is corporate entities, they contain some information about key individuals connected with businesses, such as owners, directors, shareholders, managers and professional advisors, and patent holders, in the case of Orbis IP, and information about businesses which are not corporate entities (for example, sole traders).
 

The types of Personal Data in the Products include:
 

⦁ Name

⦁ Contact details, as provided on company-related records. Typically, these are company contact details, but some may be personal contact details where these have been included in company-related records

⦁ Salutation (Mr/Mrs)

⦁ Positions held within companies

⦁ Age

⦁ Nationality and/or national ID numbers

⦁ Status as a disqualified director

⦁ Information about unincorporated businesses.
 

For a full list of which types Personal Data may be included in each of the Products, please see below:
 

For clients to perform basic checks such as KYC and AML, they need to be able to understand who they are dealing with and be able to verify information provided to them.
 

Each data field included in the Products is necessary for these basic purposes. 
 

For example:
 

• without name and contact details, it would be impossible for clients to look up individuals to confirm who they are;
• without year or date of birth, it would be easy to mix up individuals with the same or similar names, leading to cases of mistaken identity;
• similarly, without nationality and/or national ID number, it would be easy to mix up individuals with the same or similar name, leading to cases of mistaken identity. National ID numbers are also used by clients to verify copies of ID documents provided to them by individuals for KYC purposes.

Below we explain the sources of Personal Data contained in the Products:
 

• Publicly available sources: Most of the Personal Data is sourced from publicly available information, such as national company information databases, companies’ own websites and their annual reports. The information is sourced both directly by us and indirectly via information providers.
• Information Providers: We source business card information and information about individuals working in the public field from third party providers.
• Directly interactions: Some information not in the public domain is sourced directly by us through correspondence with the businesses included in the Products.

Below we set out a description of the ways Personal Data is used and shared in the Products:
 

• Use by clients: As described above, our clients use the Products for legal compliance, risk assessment, business development purposes. We are not responsible for how clients use Personal Data in the Products.
• Use by internal clients: Moody’s Corporation affiliates also use the Products as clients, for the same client purposes as described above, including legal compliance and risk assessment.
• Data reconciliation with information providers: we share Personal Data back with the information providers we source Personal Data from as part of the updates and corrections process.
• Use within Moody’s Corporation: Bureau van Dijk is part of the Moody’s Corporation. Some Moody’s personnel working on the Products (such as IT support, sales, legal and compliance) have access to the Products and information within them as necessary for the completion of their job duties. Moody’s Corporation and its affiliates also use the Personal Data for data analysis purposes and to improve and develop products and services.
• Business transfers: If Bureau van Dijk is part of a business reorganisation, sale, merger or acquisition, Personal Data in the Products may be disclosed as part of the deal, safeguarded by contractual provisions to ensure confidentiality and use of the Personal Data only as described in this Privacy Notice.
• Legal or regulatory disclosures: We may disclose Personal Data contained in the Products where there is a reasonable requirement to do so, for example, to meet requirements of applicable law and regulation or in response to requests from regulators, courts or government agencies, or to establish or defend our legal rights.

The Personal Data is stored for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and the applicable legal, regulatory, tax, accounting or other requirements.

You may have rights under applicable data privacy laws. If you would like to request to review, correct, update, suppress, delete or otherwise limit our use of your Personal Data, you may make a request by contacting us using the information provided in the “Contacts & Queries” section below. If you are a California resident, please see the Additional Information for California Section of our main privacy policy for information on your specific rights regarding your Personal Data. 
 

You may also have the right to complain to your local data protection authority if you have concerns about how we process your Personal Data. However, we hope we can solve any queries or concerns you may have, so please contact us directly in the first instance.

We process Personal Data in the Products under the legitimate interests basis of the EU General Data Protection Regulation (“GDPR”) as it is within our and our clients’ legitimate interests to process limited Personal Data about company-related individuals:
 

• The Personal Data, such as name, contact details, date of birth, and details of directorships/posts, is limited, relevant, proportionate and necessary for the processing purposes.
• The affected data subjects, such as owners, directors, shareholders, managers, and professional advisors of the companies that are listed in the Products, are non-vulnerable adults acting in their professional capacity.
• The Products are used by clients for extremely important purposes such as compliance with law and regulation and risk assessment purposes, including: compliance with KYC, AML and ABC laws and regulations, sanctions screening, transfer pricing, corporate credit risk, supplier risk and procurement. These uses have wider public benefits in supporting economic stability and reducing financial crime. Some of the Products may also be used for business development purposes. While not as important as compliance with law and risk assessment, this is recognised as a legitimate interest under the GDPR.
• The processing is likely in affected data subjects’ reasonable expectations, given their professional roles in relation to the businesses listed in the Products.
• The information is ultimately sourced from publicly-available information (such as national company information databases, companies’ own websites and their annual reports), or in some cases is otherwise sourced directly from the companies through direct correspondence.
• We implement appropriate data accuracy measures to manage the accuracy and integrity of the data, including comparing data against multiple data sources, marking data as “historic” if it has not been updated within the last week, and the ability of affected data subjects to access and correct (if required) their Personal Data.
• We implement appropriate data security safeguards to protect the personal data, including physical security measures, system hardening, patch management, vulnerability management, access controls, and implementing anti-virus and anti-malware protections, data breach policies and procedures.
   

Personal Data is stored in the Products for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and the applicable legal, regulatory, tax, accounting or other requirements.
 

The Personal Data are stored in the EU. To transfer Personal Data outside of the EEA, Switzerland and the UK within Moody’s Corporation, we use EU standard contractual clauses to ensure that an equivalent level of data protection applies. To request a copy of these clauses, please email us at privacy@moodys.com.
 

To access your Personal Data contained in the Products and exercise your rights of correction, objection, restriction, erasure, and digital testament, please email us at privacy@moodys.com.
 

You may also have the right to complain to your local data protection authority if you have concerns about how we process your Personal Data. However, we hope we can solve any queries or concerns you may have, so please contact us directly in the first instance.

If you have any queries about our privacy practices or would like to contact us, please email us at privacy@moodys.com or write to us at:
 

Legal Department
Moody’s Corporation
7 World Trade Center at 250 Greenwich Street
New York, NY 10007
Phone: +1-212-553-1653 or 1-866-995-9659
E-mail: privacy@moodys.com

The most current version of this Privacy Notice will always be available here. You can check the “effective date” posted at the top to see when this Privacy Notice was last updated.