Privacy Notice

Effective date: August 27 2024

This Privacy Notice explains how Moody’s Analytics, Inc. ("Moody’s", "we", "us", "our"), a Moody’s Corporation company, of C/O The Corporation Trust Company, Corporation Trust Center, 1209 Orange Street, Delaware 19801, processes Personal Data in connection with the Entity Verification Index (the “Product”). 

"Personal Data" means information which identifies, or can be used to identify, living individuals, including, depending on applicable law, sole traders, and unincorporated partnerships.

  1. About the Product
  2. Purposes of Processing
  3. Personal Data Collected
  4. Sources of Personal Data
  5. Uses & Disclosures of Personal Data
  6. Retention of Personal Data
  7. Your Rights & Choices
  8. Supplementary Information for the European Union, Switzerland, and the UK
  9. Contact & Queries
  10. Updates to this Privacy Notice
1.  About the Product

The Product grants access to cached data retrieved from our KYC Application Programming Interface (“API”) which retrieves information from national registries and company databases in countries where such data is publicly available. Moody’s collects and processes specific Personal Data related to individuals and unincorporated partnerships, as detailed further below.

2. Purposes of Processing

Our clients include leading financial institutions, accounting companies and legal advisors, as well as companies in a variety of sectors and industries. Clients use the Product for legal compliance, risk assessment and business intelligence purposes, including:

  • Compliance with law and regulation, such as know-your-client (“KYC”) obligations, sanctions screening, and anti-money laundering (“AML”) and anti-corruption and bribery (“ABC”) checks.
  • Risk assessment purposes, such as corporate credit risk, supplier risk, and procurement risk.
  • Additionally, the Product may be used by clients for business intelligence purposes and business development purposes.

 

Our clients use information in the Product together with other information, including information provided to them directly, other third-party sources, and general internet searches.

3. Personal Data Collected

While the focus of the Product is corporate entities, it contains some limited information about key individuals connected with businesses, such as owners, directors, shareholders, managers, professional advisers and information about businesses which are not corporate entities (for example, sole traders). 

The types of Personal Data in the Product include:

  • Name
  • Sex/gender 
  • Age, date of birth, or month and year of birth, and place of birth
  • Residential address
  • Contact details, as provided on company-related records. Typically, these are company contact details, but some may be personal contact details where these have been included in company-related records
  • Salutation (Mr./Mrs.)
  • Positions held within companies (appointment and/or resignation date into their positions)
  • Nationality and/or national ID numbers
  • Status as a disqualified director
  • Information about unincorporated businesses.
4. Sources of Personal Data 

Moody’s sources the Personal Data in the Product from public records, i.e., publicly available national commercial registries and company databases.

5. Uses & Disclosures of Personal Data

Below we set out a description of the ways Personal Data is used and shared in the Product:

• Use by clients: As described above, our clients use the Product for legal compliance, risk assessment, and business intelligence purposes. Clients are responsible for how they use Personal Data in the Product. Where relevant under applicable law, Moody’s is the “data controller” for the collection, aggregation, and distribution to its clients of Personal Data in the Product, and Moody’s clients are independent “data controllers” in their use of the Product for the purposes described above. Moody’s does not make any decisions for clients, including any decision as to whether an individual searched by a client is an individual whose Personal Data is in the Product, nor any decision or recommendation to clients whether to do business with an individual or entity. Clients make decisions based on information provided to them directly, other third-party sources, and in accordance with law and regulation.

  • Use by internal clients: Moody’s Corporation affiliates also use the Product as clients, for the same client purposes as described above, including legal compliance and risk assessment.
  • Use within Moody’s Corporation: Some Moody’s personnel working on the Product (such as IT support, sales, legal and compliance) have access to the Product and information within it as necessary for the completion of their job duties. Moody’s Corporation and its affiliates also use the Personal Data for data analysis purposes and to improve and develop product and services.
  • Business transfers: If Moody’s is part of a business reorganization, sale, merger or acquisition, Personal Data in the Product may be disclosed as part of the deal, safeguarded by contractual provisions to ensure confidentiality and use of the Personal Data only as described in this Privacy Notice.
  • Legal or regulatory disclosures: We may disclose Personal Data contained in the Product where there is a reasonable requirement to do so, for example, to meet requirements of applicable law and regulation or in response to requests from regulators, courts, or government agencies, or to establish or defend our legal rights.
6. Retention of Personal Data

The Personal Data is stored for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure, and the applicable legal, regulatory, tax, accounting, or other requirements.

7. Your Rights & Choices

You may have rights under applicable data privacy laws. If you would like to request to review, correct, update, suppress, delete, or otherwise limit our use of your Personal Data, you may make a request by contacting us using the information provided in the “Contacts & Queries” section below.

You may also have the right to complain to your local data protection authority if you have concerns about how we process your Personal Data. However, we hope we can solve any queries or concerns you may have, so please contact us directly in the first instance.

8. Supplementary Information for European Union, Switzerland, and the UK

We process Personal Data in the Product under the legitimate interest’s basis of the EU General Data Protection Regulation (“GDPR”) as it is within our and our clients’ legitimate interests to process limited Personal Data about company-related individuals:

 

  • The Personal Data, such as name, contact details, date of birth, and details of directorships/posts, is limited, relevant, proportionate, and necessary for the processing purposes.
  • The affected data subjects, such as owners, directors, shareholders, managers, and professional advisors of the companies that are listed in the Product, are non-vulnerable adults acting in their professional capacity.
  • The Product is used by clients for extremely important purposes such as compliance with law and regulation and risk assessment purposes, including compliance with KYC, AML and ABC laws and regulations, sanctions screening, transfer pricing, corporate credit risk, supplier risk and procurement. These uses have wider public benefits in supporting economic stability and reducing financial crime. The Product may also be used for business development purposes. While not as important as compliance with law and risk assessment, this is recognised as a legitimate interest under the GDPR.
  • The processing is likely in affected data subjects’ reasonable expectations, given their professional roles in relation to the businesses listed in the Product.
  • The information is sourced from publicly available information (such as national company information databases).
  • We implement appropriate data accuracy measures to manage the accuracy and integrity of the data, including time stamps on data collected to ensure point in time accuracy of all cached data and the ability of affected data subjects to access and correct (if required) their Personal Data.
  • We implement appropriate data security safeguards to protect the Personal Data, including physical security measures, system hardening, patch management, vulnerability management, access controls, and implementing anti-virus and anti-malware protections, data breach policies and procedures.

 

To transfer Personal Data outside of the EEA, Switzerland and the UK within Moody’s Corporation, we use EU standard contractual clauses to ensure that an equivalent level of data protection applies. To request a copy of these clauses, please email us at privacy@moodys.com.

 

To access your Personal Data contained in the Product and exercise your rights of correction, objection, restriction, erasure, and digital testament, please email us at privacy@moodys.com.

 

You may also have the right to complain to your local data protection authority if you have concerns about how we process your Personal Data. However, we hope we can solve any queries or concerns you may have, so please contact us directly in the first instance.

9. Contacts & Queries

If you have any queries about our privacy practices or would like to contact us, please email us at privacy@moodys.com or write to us at:

 

Legal Department

Moody’s Corporation

7 World Trade Center at 250 Greenwich Street

New York, NY 10007

Phone: +1-212-553-1653 or 1-866-995-9659

E-mail: privacy@moodys.com

10. Updates to this Privacy Notice

The most current version of this Privacy Notice will always be available here. You can check the “effective date” posted at the top to see when this Privacy Notice was last updated.