This Privacy Notice explains in detail how Bureau van Dijk Editions Electroniques Srl ("BVD", "we", "us", "our"), a Moody’s Corporation company of Avenue Louise 250, 1050 Brussels, Belgium, processes personal data in connection with the following products:

(the "Products"). 
 

"Personal Data" means information which identifies, or can be used to identify, living individuals.
 

1. Purposes of Processing

2. Personal Data Collected

3. Sources of Personal Data

4. Uses & Disclosures of Personal Data

5. Accuracy, Security & Retention of Personal Data

6. Privacy Rights & Choices

7. Supplementary Information for the European Union, Switzerland and the UK

8. Contacts & Queries

9. Updates to this Privacy Notice

10. FAQs

Our customers include leading financial institutions, accounting companies and legal advisors, as well as companies in a variety of sectors and industries. Customers use data in the Products, together with other information, including information provided to them directly, other third-party sources, and general internet searches, for legal compliance, risk assessment and business intelligence purposes, including:
 

• Compliance with law and regulation, such as know-your-client (“KYC”) obligations, sanctions screening, and anti-money laundering (“AML”) and anti-corruption and bribery (“ABC”) checks.
• Risk assessment purposes, such as corporate credit risk, supplier risk and procurement risk.
• Business intelligence purposes, such as information on the latest M&A deals, foreign direct investment, and patents held by companies.
• Additionally, some of the Products may be used by customers for business development purposes. 
   

We collect the Personal Data contained in the Products from a variety of sources, including third-party providers. Our customers are responsible for ensuring that their use of the Products complies with applicable laws and regulations. 

Where relevant under applicable law, BVD is the “data controller” for the collection, aggregation, curation, and distribution to its customers of Personal Data in the Products, and customers are independent “data controllers” in their use of Personal Data in the Products. BVD does not make any decisions or recommendations to its customers. To the extent that BVD’s customers make any decisions using data contained in the Products, they do so using data in the Products with other data, including information provided to them directly, other third-party sources, and general internet searches. 

While the focus of the Products is corporate entities, they contain some information about key individuals connected with businesses, such as owners, directors, shareholders, managers and professional advisors, and patent holders, in the case of Orbis Intellectual Property, and information about businesses which are not corporate entities (for example, sole traders) (together, “Company-Related Individuals”).

The types of Personal Data in the Products include:
 

• Name
• Contact details, as provided on company-related records. Typically, these are company contact details, but some may be personal contact details where these have been included in company-related records
• Salutation (Mr/Mrs)
• Positions held within companies
• Age
• Nationality and/or national ID numbers
• Status as a disqualified director
• Information about unincorporated businesses, including business type (such as, sole proprietor, general partnership), and information related to the business (such as industry).
   

For a full list of which types Personal Data may be included in each of the Products, please see below:
 

For customers to perform basic checks such as KYC and AML, they need to be able to understand who they are dealing with and be able to verify information provided to them.
 

Each data field included in the Products is necessary for these basic purposes. 
 

For example:
 

• without name and contact details, it would be impossible for customers to look up Company-Related Individuals to confirm who they are;
• without year or date of birth, it would be easy to mix up Company-Related Individuals  with the same or similar names, leading to cases of mistaken identity;
• similarly, without nationality and/or national ID number, it would be easy to mix up Company-Related Individuals  with the same or similar name, leading to cases of mistaken identity. National ID numbers are also used by customers to verify copies of ID documents provided to them by Company-Related Individuals for KYC purposes.

BVD does not always hold reliable contact details for Company-Related Individuals in order to contact them directly, and we rely on customers, who do hold reliable contact details, to notify Company-Related Individuals if they will process their Personal Data while using the Products, if required under applicable law. 

Below we explain the sources of Personal Data contained in the Products:
 

• Publicly available sources: Most of the Personal Data is sourced from publicly available information, such as national company information databases, companies’ own websites and their annual reports. The information is sourced both directly by us and indirectly via third-party information providers.
• Moody’s sources: We incorporate other Moody’s data into the Products. Personal Data is collected and processed by both manual and automated means.

Below we set out a description of the ways Personal Data is used and shared in the Products:
 

• Use by customers: As described above, our customers use the Products for legal compliance, risk assessment, business development purposes. We are not responsible for how customers use Personal Data in the Products. BVD does not make any decisions or recommendations for customers based on the information in the Products, including BVD does not make any decision or recommendation to customers whether to do business with an individual or entity, or any other decision or recommendation having legal or similarly significant effect on Company-Related Individuals. Customers make any decisions based on information provided to them directly by applicants, other third-party sources, and in accordance with law and regulation.
• Use by internal customers: Moody’s Corporation affiliates also use the Products as customers, for the same customer purposes as described above, including legal compliance and risk assessment.
• Data reconciliation with information providers: we share Personal Data back with the information providers we source Personal Data from as part of the updates and corrections process.
• Use within Moody’s Corporation: BVD is part of the Moody’s Corporation group of companies. Some Moody’s personnel working on the Products (such as IT support, sales, legal and compliance) have access to the Products and information within them as necessary for the completion of their job duties. Moody’s Corporation and its affiliates also use the Personal Data for data analysis purposes and to improve and develop products and services.
• Service Providers. We may share Personal Data with our service providers who perform services on our behalf and in relation to the purposes described in this Privacy Notice. We contractually require service providers to only process Personal Data in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements.
• Business Partners. We may share Personal Data with our business partners (namely channel partners who resell the Products) as reasonably necessary to operate our business.
• Business transfers: If BVD is part of a business reorganization, sale, merger or acquisition, Personal Data in the Products may be disclosed as part of the deal, safeguarded by contractual provisions to ensure confidentiality and use of the Personal Data only as described in this Privacy Notice.
• Legal or regulatory disclosures: We may disclose Personal Data contained in the Products where there is a reasonable requirement to do so, for example, to meet requirements of applicable law and regulation or in response to requests from regulators, courts or government agencies, or to establish or defend our legal rights.

We implement appropriate data accuracy measures to manage the accuracy and integrity of Personal Data in the Products, including using official original data sources (for example, national commercial registers), comparing data against multiple data sources, marking data as “historic” if it has not been updated within the last week, and the ability of affected Company-Related Individuals to access and correct (if required) their Personal Data.
 

We implement appropriate data security safeguards to protect the Personal Data, including physical security measures, system hardening, patch management, vulnerability management, access controls, and implementing anti-virus and anti-malware protections, data breach policies and procedures.
 

The Personal Data is stored for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and the applicable legal, regulatory, tax, accounting or other requirements. We have in place appropriate Personal Data retention policies, procedures, and schedules.

Company-Related Individuals whose Personal Data is in the Products may have rights under applicable data privacy laws. To request to review, correct, update, suppress, delete or otherwise limit our use of Personal Data, contact us using the information provided in the “Contacts & Queries” section below.
 

Company-Related Individuals may also have the right to complain to their local data protection authority if they have concerns about how we process Personal Data. However, we hope we can resolve any queries or concerns Company-Related Individuals may have, so please contact us directly in the first instance.

We process Personal Data in the Products under the legitimate interests basis of the EU General Data Protection Regulation (“GDPR”) as it is within our and our customers’ legitimate interests to process limited Personal Data about Company-Related Individuals:
 

• The Personal Data, such as name, contact details, date of birth, and details of directorships/posts, is limited, relevant, proportionate and necessary for the processing purposes.
• The affected Company-Related Individuals, such as owners, directors, shareholders, managers, and professional advisors of the companies that are listed in the Products, are non-vulnerable adults acting in their professional capacity.
• The Products are used by customers for extremely important purposes such as compliance with law and regulation and risk assessment purposes, including: compliance with KYC, AML and ABC laws and regulations, sanctions screening, transfer pricing, corporate credit risk, supplier risk and procurement. These uses have wider public benefits in supporting economic stability and reducing financial crime. Some of the Products may also be used for business development purposes. While not as important as compliance with law and risk assessment, this is recognized as a legitimate interest under the GDPR.
• The processing is likely in the reasonable expectations of affected Company-Related Individuals, given their professional roles in relation to the businesses listed in the Products.
• The information is ultimately sourced from publicly-available information, such as national company information databases, companies’ own websites and their annual reports.
• We implement appropriate data accuracy measures to manage the accuracy and integrity of  Personal Data in the Products, including comparing data against multiple data sources, marking data as “historic” if it has not been updated within the last week, and the ability of affected Company-Related Individuals to access and correct (if required) their Personal Data.
• We implement appropriate data security safeguards to protect the personal data, including physical security measures, system hardening, patch management, vulnerability management, access controls, and implementing anti-virus and anti-malware protections, data breach policies and procedures.

The Personal Data are stored in the EU. To transfer Personal Data outside of the EEA, Switzerland and the UK within Moody’s Corporation, we use UK, Swiss, and EU standard contractual clauses to provide an equivalent level of data protection. To request a copy of these clauses, please email us at privacy@moodys.com.

If you have any queries about our privacy practices or would like to contact us, to exercise applicable privacy rights, or any concerns regarding the data in the Products, please email us at privacy@moodys.com or write to us at:
 

Legal Department
Moody’s Corporation
7 World Trade Center at 250 Greenwich Street
New York, NY 10007
Phone: +1-212-553-1653 or 1-866-995-9659
E-mail: privacy@moodys.com

The most current version of this Privacy Notice will always be available here. You can check the “effective date” posted at the top to see when this Privacy Notice was last updated.