Moody’s privacy program

Moody’s takes privacy seriously, with a dedicated specialist Privacy Team within our Legal Department managing our global privacy program, fully supported by senior management. We have appointed statutory data protection officers and registered with local data protection authorities as required by law. Our robust policies govern the handling of personal data, including information security, incident response, and data subjects' rights. We have strict procedures designed to process personal data in compliance with applicable laws, maintaining detailed records and risk assessments, obtaining explicit consent where applicable, and conducting privacy impact assessments. Our procedures work to allow timely responses to data subject rights requests.

We maintain detailed records of our personal data processing operations.

We complete data privacy impact assessments to assess and mitigate potential privacy risks, adopting a privacy by design and default approach. 

We complete data transfer impact assessments to document and assess our cross-border transfers of personal data.

We execute data transfer agreements, including but not limited to EU Standard Contractual Clauses, to transfer personal data intragroup within Moody’s, on receipt from customers, and to third-party vendors. Click here to download a copy of our customer-facing EU Standard Contractual Clauses + UK + Swiss addenda.

Security is a top priority to us at Moody’s. We employ a Chief Information Security Officer and dedicated teams for information security, cybersecurity, and vendor cybersecurity. We've also implemented robust technical and organizational measures to protect personal data. Our Incident Response Management Plan involves key departments, facilitating a coordinated response. Additionally, we require vendors who process our data to sign data processing and transfer agreements and undergo privacy and security assessments.