Privacy Notice

Last updated: 12 September 2024

Regulatory DataCorp, Inc., a Moody’s Corporation company of 211 S. Gulph Road #125, King of Prussia, PA 19406, USA, (“RDC”, “we”, “us”, or “our”) respects your privacy. This privacy notice explains in detail how RDC processes Personal Data which we incorporate into our database product Global Risk Information Database (“GRID”).
 

“Personal Data” means information which identifies, or can be used to identify, living individuals.

 

  • Purposes of Processing
  • Personal Data Collected
  • Sources of Personal Data
  • Uses & Disclosures of Personal Data
  • Retention of Personal Data
  • Your Rights & Choices
  • Supplementary Information for the European Union, Switzerland and the UK
  • Contact & Queries
  • Updates to this Privacy Notice

Purposes of Processing

RDC provides regulatory screening services through GRID to financial institutions and other entities (“Subscribers”) which have legal and regulatory obligations. Such legal and regulatory obligations include know-your-client (“KYC”) and know-your-supplier (“KYS”), sanctions and embargoes screening, counter terrorist financing (“CTF”), anti-money laundering (“AML”), anti-corruption and anti-bribery (“ABC”), fraud prevention, and regulatory dishonesty. Subscribers use GRID in relation to their customers and suppliers or others with whom they are looking to do business, some of which are companies or other legal entities, while others are individuals or sole traders. Subscribers use GRID together with other information, including information provided to them directly by applicants, other third-party sources, and general internet searches.

 

Subscribers are responsible for ensuring that their use of GRID complies with all applicable laws and regulations. Subscribers are specifically prohibited from using GRID for purposes of determining an individual's eligibility for any credit, insurance, employment or other consumer credit purpose under the U.S. Fair Credit Reporting Act (“FCRA”), or similar legislation outside of the United States.

 

Where relevant under applicable law, RDC is the “data controller” for the collection, aggregation, curation, and distribution to its Subscribers of Personal Data in GRID, and Subscribers are independent “data controllers” in their use of GRID for legal and regulatory compliance purposes.


Personal Data Collected

GRID contains the following types of Personal Data:

  • name
  • title, position, company affiliations
  • country, address
  • date/year of birth
  • nationality, national ID number
  • photograph
  • height/weight (from OFAC lists)
  • information relating to: political affiliations and political exposure, religious belief affiliations, sanctions, and unlawful activities, including terrorism and other criminal activities.

 

GRID contains copies or links to underlying data sources for Subscribers to review, assess and make their own further enquiries.

 

Personal Data is collected by both manual and automated means, including programmatic scraping from public lists (such as sanctions lists), automated news aggregation filters, automated search strings using key words, and manual searches and review of public records and publicly available sources. The collected Personal Data is compiled into GRID using both manual and automated means. For example, the “Position” section in GRID profiles is automatically populated using the OFAC list “Position” sections as there is an exact correlation with the “Position” section in OFAC lists and the “Position” section in GRID, whereas other “Position” information in GRID profiles is created using manual research and drafting. RDC may use Artificial Intelligence (“AI”) in some automated processing activities. For example, some of the “Riskography” sections (high-level summary section of the information contained in the GRID profile) in GRID profiles are created using generative AI.

 

RDC does not always have contact details for individuals. Subscribers, who should hold reliable contact details, are required to notify individuals that they will run checks on them using GRID, if required under applicable law. Given the nature of our services that are used for fraud protection and meeting regulatory requirements relating to unlawful acts and dishonesty, there may be circumstances where providing the information to the individual would make impossible or seriously impair the achievement of the objectives of the processing.


Sources of Personal Data

RDC sources the Personal Data in GRID from public records and other publicly available sources, including: government publications, regulatory enforcement actions, justice department information, sanctions lists, litigation releases, and law enforcement lists, such as Interpol Most Wanted and SEC Litigation Releases; insolvency lists; and media sources, including national and regional news reports and industry and specialty publications.


Uses & Disclosures of Personal Data

Subscribers use GRID to assist them with their legal and regulatory compliance obligations as described above in the section “Purposes of Processing”.

 

RDC processes the Personal Data for the purposes of providing GRID services to its Subscribers, including analyzing and modelling the Personal Data to improve its accuracy and to develop and improve services. 

 

Personal Data in GRID is limited to what is necessary for the processing purposes. For example, without name and contact details, Subscribers would be unable to look up individuals. Without year or date of birth, it would be easy to mix up individuals with the same or similar names leading to cases of mistaken identity. Similarly, without nationality, it would be easy to mix up individuals with the same or similar name leading to cases of mistaken identity.

 

Subscribers are responsible for how they use the results of a check performed using GRID, for example, whether to do business with a customer. RDC does not make decisions for Subscribers about individuals based on the information in GRID, including: 

 

  • RDC does not make any decisions on whether alerts through GRID screening services are or are not matches to Subscriber’s GRID searches. Subscribers must use further information in their possession to assess whether a GRID alert is a false positive or probable match to their GRID search enquiry. 
  • RDC does not make any decision or recommendation to Subscribers whether to do business with an individual or entity, or any other decision or recommendation with legal or similar significant effect on individuals. Subscribers make decisions based on information provided to them directly by applicants, other third-party sources, and in accordance with law and regulation, for example, which may prohibit them from doing business with a sanctioned individual.
 
We may disclose Personal Data for the following purposes:
  
  • Affiliates. We share Personal Data with our affiliates, as reasonably necessary to operate our business, to perform services for our Subscribers, for data analysis purposes, and to improve and develop products and services.
  • Service Providers. We may share Personal Data with our service providers who perform services on our behalf for the purposes described in this Privacy Policy. For example, we may use third parties to help us analyze data. We contractually require these Service Providers to only process Personal Data in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements.
  • Business Partners. We may share Personal Data with our business partners (such as third parties who resell RDC’s services) as reasonably necessary to operate our business and to perform services for our Subscribers, our business partners, or their customers.
  • Compliance with Law. We may disclose Personal Data to third parties to comply with the law, respond to valid legal process, establish, assert or defend our legal rights, or prevent fraud or abuse of our services. In particular, we may disclose Personal Data in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements.
  • Business Transfers. If we are involved in a reorganization, merger, acquisition or sale of any or all of our company, business or assets, Personal Data may be transferred as part of that deal or disclosed in connection with due diligence. We will put in place contractual provisions requiring other parties to keep Personal Data confidential and to only use it for the purpose of the relevant transaction or other purposes consistent with those outlined in this Privacy Policy.

Retention of Personal Data

Personal Data in GRID is stored for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure, and the applicable legal, regulatory, tax, accounting or other requirements. We have in place appropriate Personal Data retention policies, procedures and schedules.


Your Rights & Choices

If your Personal Data is in GRID you may have rights under applicable data privacy laws. Where applicable, to access your Personal Data contained in GRID and exercise rights of correction, objection, restriction, erasure or digital testament, please email us at privacy@moodys.com.

 

You may also have the right to complain to your local data protection authority if you have concerns about how we process your Personal Data. However, we hope we can resolve any queries or concerns you may have, so please do not hesitate to contact us directly first.


Supplementary Information for the European Union, Switzerland and the UK

The relevant legal bases for the use of Personal Data are:

  • We or a third party (for example, business partner or Subscriber) have a legitimate interest in using the Personal Data. Our Subscribers have a legitimate interest to process Personal Data for meeting compliance and regulatory obligations, managing financial risk, protection against fraud, and knowing who they are doing business with.
  • In relation to political, religious or criminal offence data, this will generally be processed either:
    • where the Personal Data has manifestly been made public (for example, where it is a matter of public record that an individual belongs to a certain political party or religious organization); or
    • where necessary to comply with, or assist our Subscribers to comply with, a legal or regulatory requirement.

RDC has put in place measures to protect Personal Data which is transferred from Switzerland, the UK and the European Economic Area (“EEA”). To transfer Personal Data outside of the UK, Switzerland and the EEA, RDC has put in place UK, Swiss and EU standard contractual clauses, to ensure that an equivalent level of data protection applies. To request a copy of these clauses, please contact us as specified in the “Contact & Queries” section below. We may also transfer Personal Data to countries for which the EU Commission has issued an adequacy decision.

 

We take commercially reasonable steps to ensure that Personal Data is reliable, accurate, complete, and current for its intended purpose, primarily by accessing public records and publicly available data from reputable sources.


Contact & Queries


If you have any questions or comments regarding RDC’s privacy practices, if you wish to exercise applicable rights of access or other privacy rights, or if you have any queries or concerns regarding the data in GRID, you can do this via email at privacy@moodys.com or at:

 

Legal Department
Moody’s Corporation
7 World Trade Center at 250 Greenwich Street
New York, NY 10007
+1-212-553-1653 or 1-866-995-9659
privacy@moodys.com


Updates to this Privacy Notice

The most current version of this Privacy Notice will always be available here. You can check the “Last Updated” date posted at the top to see when this Privacy Notice was last updated.