BACK TO TRUST CENTER HOME

Moody’s privacy program

At Moody’s, we’re committed to a comprehensive global privacy program involving ongoing monitoring, adaptation, and continuous improvement to address evolving privacy risks and regulatory changes.

01 Governance & accountability

Governance & accountability

Moody’s takes privacy seriously, with a dedicated specialist Privacy Team within our Legal Department managing our global privacy program, fully supported by senior management. We have appointed statutory data protection officers and registered with local data protection authorities as required by law. Our robust policies govern the handling of personal data, including information security, incident response, and data subjects' rights. We have strict procedures designed to process personal data in compliance with applicable laws, maintaining detailed records and risk assessments, obtaining explicit consent where applicable, and conducting privacy impact assessments. Our procedures work to allow timely responses to data subject rights requests.

02 Training & awareness

Training & awareness

We foster a privacy-aware culture across our entire organization. All employees at onboarding and annually complete global privacy training, supplemented by additional role-based training and guidance for teams handling personal data.

03 Data mapping & inventory

Data mapping & inventory

We maintain detailed records of our personal data processing operations.

We complete data privacy impact assessments to assess and mitigate potential privacy risks, adopting a privacy by design and default approach. 

We complete data transfer impact assessments to document and assess our cross-border transfers of personal data.

We execute data transfer agreements, including but not limited to EU Standard Contractual Clauses, to transfer personal data intragroup within Moody’s, on receipt from customers, and to third-party vendors. Click here to download a copy of our customer-facing EU Standard Contractual Clauses + UK + Swiss addenda.

04 Vendor management

Vendor management

We assess the privacy practices of third-party vendors. For further information click here.

05 Security measures

Security measures

Security is a top priority to us at Moody’s. We employ a Chief Information Security Officer and dedicated teams for information security, cybersecurity, and vendor cybersecurity. We've also implemented robust technical and organizational measures to protect personal data. Our Incident Response Management Plan involves key departments, facilitating a coordinated response. Additionally, we require vendors who process our data to sign data processing and transfer agreements and undergo privacy and security assessments.

06 Transparency

Transparency

Click here to view our privacy notices. 

Governance & accountability

Moody’s takes privacy seriously, with a dedicated specialist Privacy Team within our Legal Department managing our global privacy program, fully supported by senior management. We have appointed statutory data protection officers and registered with local data protection authorities as required by law. Our robust policies govern the handling of personal data, including information security, incident response, and data subjects' rights. We have strict procedures designed to process personal data in compliance with applicable laws, maintaining detailed records and risk assessments, obtaining explicit consent where applicable, and conducting privacy impact assessments. Our procedures work to allow timely responses to data subject rights requests.

Training & awareness

We foster a privacy-aware culture across our entire organization. All employees at onboarding and annually complete global privacy training, supplemented by additional role-based training and guidance for teams handling personal data.

Data mapping & inventory

We maintain detailed records of our personal data processing operations.

We complete data privacy impact assessments to assess and mitigate potential privacy risks, adopting a privacy by design and default approach. 

We complete data transfer impact assessments to document and assess our cross-border transfers of personal data.

We execute data transfer agreements, including but not limited to EU Standard Contractual Clauses, to transfer personal data intragroup within Moody’s, on receipt from customers, and to third-party vendors. Click here to download a copy of our customer-facing EU Standard Contractual Clauses + UK + Swiss addenda.

Vendor management

We assess the privacy practices of third-party vendors. For further information click here.

Security measures

Security is a top priority to us at Moody’s. We employ a Chief Information Security Officer and dedicated teams for information security, cybersecurity, and vendor cybersecurity. We've also implemented robust technical and organizational measures to protect personal data. Our Incident Response Management Plan involves key departments, facilitating a coordinated response. Additionally, we require vendors who process our data to sign data processing and transfer agreements and undergo privacy and security assessments.

Transparency

Click here to view our privacy notices.