
Kroll Consultant Privacy Notice
Kroll LLC (and all affiliates and subsidiaries, collectively “Kroll”, “we”, “us” or “our”) is committed to protecting personal data and complying with the applicable data privacy and security requirements in the countries in which we operate, including, where applicable, the EU General Data Protection Regulation (GDPR).
This Privacy Notice explains how Kroll processes personal data relating to individual consultants, independent contractors and other individuals who provide services to Kroll, including through an agency, intermediary, or subcontracting arrangement (collectively, “Consultants”).
Please read this Notice carefully. It describes the types of personal data we collect about you, how and why we use it, how long we retain it, with whom we share it (in other words, how we “process” it). It also contains information about your rights under applicable data protection laws.
Where Kroll determines how and why your personal data is processed in connection with your engagement, Kroll acts as a data controller (or equivalent under the local laws).
If you are a California resident who is a Consultant of Kroll, please see the California Privacy section of this policy.
Who is Collecting Data
Kroll processes your personal data for purposes connected with:
- establishing and managing Kroll’s engagement with you and/or your organization;
- providing and administering your access to Kroll systems and premises where appropriate;
- ensuring the security of Kroll systems and facilities;
- meeting legal, regulatory and compliance obligations;
- establishing, exercising, or defending legal claims;
- monitoring and promoting equal opportunity and diversity initiatives.
Where you are supplied through an agency, intermediary, or subcontracting arrangement, that organization may also process your personal data as a separate controller (or equivalent under applicable law) for its own purposes.
Data We Collect
Data we collect may include the following categories, as applicable to your engagement:
- Identity and contact data, such as your name, business contact details, and emergency contact if required for safety or continuity purposes.
- Engagement/assignment data, including the start/end date, role, assignment details, and other records relating to the administration of your engagement.
- Onboarding and due diligence data (where applicable), including professional qualifications, certifications, references, right-to-work verification, conflict declarations, and background screening outputs.
- Security and access data: system access requests/approvals, credentials, device identifiers (where Kroll-managed devices are used), access logs, audit trails, including logs relating to use of corporate accounts and tools, DLP events, etc.
- Financial/admin data: invoicing references, bank details and tax identifiers, expense claims, and travel booking information where arranged by Kroll.
- Physical access and security information: identification badge information, building access logs, entry/exit records, visitor registration details, and video surveillance recordings (CCTV) collected at our premises, where applicable.
- Training and compliance records: training enrollment, completion status, assessment scores (where used), certifications, policy acknowledgments (e.g., security, privacy, acceptable use, etc.).
- Timesheets: timesheets, hours worked, utilization metrics, work allocation records, approvals, billing/time coding.
- Communications and correspondence: business communications (email, collaboration tools), meeting notes where relevant to the engagement, service desk tickets, etc.
- Compliance monitoring, investigations and enforcement related information: Information relevant to compliance reviews, monitoring, audit, investigations or related enforcement activities, including information such as complaints or allegations, correspondence, interview notes, audit documentation, system and access logs, CCTV footage (where applicable), and other evidence relating to potential breaches of law, policy, or contractual obligations.
- Diversity and equal opportunity information (where voluntarily provided): Information relating to diversity characteristics, which may include gender or gender identity, race or ethnicity, disability status, veteran or military status, or other protected characteristics, where voluntarily provided for equal opportunity monitoring, diversity reporting, or legal compliance purposes.
Processing of Personal Data
Kroll processes your personal information where processing is necessary for the purposes described in this Notice. In jurisdictions that require a legal basis for processing (such as the UK or EU General Data Protection Regulation), we rely on the legal bases identified below, as applicable to specific circumstances of processing.
Purpose | Lawful Basis (where required under applicable law) |
|---|---|
Engage you/administer the contract (including onboarding, assignment management, invoicing and payment) | |
Provide access and run secure operations (including provisioning accounts, access control, IT administration, monitoring for security, and incident response) | |
Conducting compliance checks (including conflicts and sanctions screening, meeting regulatory and professional obligations, maintaining governance frameworks, risk management, and required reporting) | |
Ensure business continuity (e.g., contacting in emergencies) | |
Ensure physical access and security (including controlling and managing access to our premises, maintaining physical security and workplace safety, preventing and investigating unauthorized access, misconduct, or security incidents and protecting our personnel, clients, visitors and property) | |
Provide training and retain records (for meeting legal/client/security obligations; demonstrating compliance; reducing risk; ensuring consultants understand requirements). | |
Record and retain timesheets (for administering the engagement; managing billing and resource planning; performing the engagement and ensuring audit readiness). | |
Enable communications and correspondence (for operating the engagement, supporting communications, maintaining records and addressing issues and requests) | |
Enable compliance monitoring, investigations and enforcement (including monitoring compliance with contractual and policy requirements; assessing and investigating suspected misconduct or security incidents; conducting compliance reviews or audits; responding to regulatory or client inquiries, enforcing contractual or policy requirements; and establishing, exercising, or defending related legal claims) | Any special category/criminal data will be processed only where necessary and permitted by law, with appropriate safeguards. |
Support diversity and equal opportunity (including monitoring and promoting diversity initiatives and complying with employment, anti-discrimination, or reporting laws) | |
How Data is Processed
We process personal data using both manual and electronic systems for the purposes described in this Notice. Within Kroll, your personal data may be accessed by authorized personnel in teams such as technology, finance, legal, compliance and risk, where this is necessary for them to carry out their roles. Access is limited to what is needed.
We may also share your personal data with trusted service providers who support our operations. These providers are required to handle your data securely and only for the services they provide to us.
Retention of Personal Data
We keep personal data for the duration of your engagement and for a period after it ends, where needed for business, legal, regulatory or risk management purposes, including raising or defending legal claims. Retention periods are based on the law, the nature of the data, and our internal policies.
Disclosure/Sharing of Personal Data
We share your personal data only where necessary for the purposes described in this Notice.
We may share your personal data:
- Within the Kroll group, where relevant teams need access to support your engagement or our operations.
- With trusted service providers, such as technology providers, background screening providers, professional advisers, or other partners who support our business. These providers may only use your data to provide services to Kroll and must protect it appropriately.
- Where required by law or regulation, including in response to requests from courts, regulators, national security or law enforcement authorities.
- In connection with a business transaction, such as a merger, acquisition, joint venture or sale of assets. If this happens, your data may be shared with the relevant parties, subject to appropriate safeguards.
Cross – Border Transfers of Personal Data
Kroll operates globally, in over 25 countries. As a result, your personal data may be transferred, accessed or stored in countries other than the country where you are based. Where personal data is transferred internationally, we put appropriate safeguards in place to protect it. Depending on the location and the nature of the transfer, these safeguards may include:
- Relying on official adequacy decisions;
- Using approved transfer mechanisms, such as the standard contractual clauses or equivalent tools recognized under local law;
- Entering into intragroup transfer agreements within the Kroll group (which include, where necessary, the standard contractual clauses or equivalent tools).
If you would like more information about the safeguards used for international transfers, you may contact us using the details provided below.
Where we receive requests to disclose personal data from law enforcement or regulators, we carefully validate these requests, including reviewing the legality of any order and challenging the order if there are grounds under the law to do so, before any personal data is disclosed.
Your Rights
Depending on where you are located and the laws of the jurisdiction governing the processing of your personal data, you may have certain rights under applicable data protection laws in relation to your personal data. These may include:
- Access: the right to request a copy of personal data we hold about you.
- Rectification: the right to ask us to correct information Kroll holds about you if it is inaccurate or incomplete.
- Erasure: the right to request deletion of personal data in certain circumstances, for example, where data is no longer necessary for the purpose for which it was collected or processed, or if you believe personal data has been unlawfully processed.
- Restriction: the right to ask us to limit how we use your data in certain situations. This means we are permitted to store the data but not further process it. We keep just enough data to make sure we respect your request in the future.
- Object to Processing: the right to object to processing where it is based on our legitimate business interests. Kroll will discontinue processing your data, unless we can demonstrate compelling legitimate grounds for the processing. We will keep basic data to identify you and retain it solely to prevent further unwanted processing.
- Portability: the right to data portability where processing is based on consent or performance of a contract. Kroll must allow you to obtain and reuse your personal data for your own purposes in a safe and secure way without this affecting the usability of your data. This right only applies to personal data that you have provided to Kroll as the data controller.
Please contact [email protected] to request access, rectification, or erasure, to restrict processing, to object to processing, or to request data portability.
Subject to legal considerations or certain exemptions, we may not always be able to address your request, for example, if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Workplace Monitoring
Where you are provided with access to Kroll systems, networks, email accounts, applications, devices or premises (“Kroll Systems”), Kroll may monitor and review related activity to operate and secure those systems, to prevent and detect fraud, to investigate suspected misconduct or security incidents, and to comply with legal or regulatory obligations. Monitoring is conducted on a need-to-know basis by authorized staff and, where required, in accordance with applicable laws and Kroll’s Information Security Policy. We do not routinely monitor the content of communications except where permitted and necessary for the purposes described above.
Automated Decision Making
Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.
Providing Information to Kroll
If you choose not to provide certain personal information, we may not be able to administer your engagement with Kroll.
Third Party Websites or Other Services
You may choose to provide us with access to certain personal information maintained by third parties such as LinkedIn. The information we may receive varies by site and is controlled by the operator of the site and your privacy settings thereon. We are not responsible for the privacy practices of any non-Kroll operated websites, mobile apps or other digital services, including those that may be linked through Kroll systems or websites, and we encourage you to review the privacy policies or notices published thereon.
Contact Us
Please contact us at Kroll with questions, concerns, or complaints:
Kroll Corporate Headquarters
One World Trade Center
285 Fulton Street, 31st Floor
New York, NY 10007
kroll.[email protected]
If you are in the EU:
Kroll Data Protection Officer: Daniela Mosca
- Email: [email protected]
- Telephone: +39.039.64.23.812
- Post: Daniela Mosca at Kroll Advisory Holding SpA, Centro Direzionale Colleoni, Palazzo Cassiopea 3, 7th Floor, Via Paracelso 26, 20864 Agrate Brianza (MB) - Italy
For data subjects located in the EU or UK: if we are not able to satisfactorily resolve your questions, concerns, or complaints, or if you believe that the processing of your personal data infringes on your rights under applicable data protection laws, you have the right, without prejudice to any other administrative or judicial remedies, to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement. Contact information for the supervisory authorities may be found here: EU Data Protection Authorities.
California Privacy Notice and Policy
This California Privacy Notice and Policy section, effective as of [date], supplements this Consultant Privacy Notice and applies to personal information we collect about California residents who provide services to us as individual consultants, independent contractors and other individuals who provide services to Kroll, including through an agency, intermediary, or subcontracting arrangement (each, a “Consultant”). It describes how we collect, use, disclose, and retain personal information in connection with recruiting, onboarding, contracting with, managing, securing, administering, and paying for Consultant engagements.
Categories of Personal Information We Collect
In the preceding 12 months, we may have collected, used, and disclosed for business purposes, the following categories of personal information relating to California Consultants covered by this Notice:
Category | Examples May Include |
|---|---|
Identifiers and contact data | Name, alias, postal address, unique personal identifier, online identifier, internet protocol address (IP Address), email address, or other similar identifiers |
Personal Information categories described in California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | Name, signature, physical characteristics or description, address, telephone number, education, employment, employment history, bank details and tax identifiers |
Engagement/assignment data | The start/end date, role, assignment details, and other records relating to the administration of your engagement. |
Professional or employment-related information | Your professional qualifications, certifications, references, right-to-work verification, conflict declarations, and background screening outputs. |
Internet/network activity, Security and access data | Your system access requests/approvals, credentials, device identifiers (where Kroll-managed devices are used), access logs, audit trails, including logs relating to use of corporate accounts and tools, DLP events, etc. |
Geolocation data | Physical Location |
Financial/admin data | Invoicing references, bank details and tax identifiers, expense claims, and travel booking information where arranged by Kroll. |
Training and compliance records | Training enrollment, completion status, assessment scores (where used), certifications, policy acknowledgments (e.g., security, privacy, acceptable use, etc.) |
Timesheets | Timesheets, hours worked, utilization metrics, work allocation records, approvals, billing/time coding. |
Communications and correspondence | Business communications (email, collaboration tools), meeting notes where relevant to the engagement, service desk tickets, etc. |
Compliance monitoring, investigations and enforcement related information | Information relevant to compliance reviews, monitoring, audit, investigations or related enforcement activities, including information such as complaints or allegations, correspondence, interview notes, audit documentation, system and access logs, CCTV footage (where applicable), and other evidence relating to potential breaches of law, policy, or contractual obligations. |
Protected classification characteristics under California or federal law (where voluntarily provided) | Information relating to diversity characteristics, which may include gender or gender identity, race or ethnicity, disability status, veteran or military status, or other protected characteristics, where voluntarily provided for equal opportunity monitoring, diversity reporting, or legal compliance purposes. |
Sources of Personal Information We Collect
- From you, during recruiting, contracting, onboarding, and throughout your engagement with us;
- From internal personnel involved in engagement management, project oversight, finance, compliance, or security;
- From third parties, such as references, background check providers, compliance screening providers, identity verification providers, payment processors, travel providers, and IT service providers as well as third-party agencies (where we have recruited you through them);
- From publicly available sources, where appropriate;
- Automatically, when you access or use our systems, networks, devices, or applications, including IP address and usage data.
Business Purposes
We collect personal information for our operational purposes in managing your engagement with us. We use personal information for the business purposes set out in the “Processing of Personal Data” section above.
Disclosure of Personal Information to Third Parties
We may share your personal data with third parties as set out in the “Disclosure/Sharing of Personal Data” section above. See also the “Cross – Border Transfers of Personal Data” section above.
We do not disclose personal information to Third Parties (not including service providers) unless you direct us to do so, or where required by law.
Selling/Sharing of Personal Information
We do not, and have not in the preceding 12 months, sold personal information or shared personal information with a third party for cross-context behavioral advertising.
Disclosure of Personal Information for our Business Purposes
We may share your personal data for our business purposes as set out in the “Disclosure/Sharing of Personal Data” section above. See also the “Cross – Border Transfers of Personal Data” section above.
Data Retention
We keep personal data for the duration of your engagement and for a period after it ends, where needed for business, legal, regulatory or risk management purposes, including raising or defending legal claims. Retention periods are based on the law, the nature of the data, and our internal policies.
Your Rights
Subject to the CCPA, CPRA, and other applicable laws, you have the following rights concerning your information processed by Kroll:
- Deletion: You have the right to request that Kroll erase your personal information, and Kroll will erase such information unless it is reasonably necessary for Kroll to maintain your personal data in accordance with CCPA 1798.105 (d) or 1798.145.
- Correction: You have the right to request that Kroll correct inaccurate personal information, taking into account the nature and purpose of processing the information.
- Access: You have the right to request to access the personal information that Kroll has collected about you.
- Non-discrimination: Kroll will not discriminate against an individual because the individual exercised any of the individual’s rights under the CCPA or CPRA.
Contact Us
Please contact us if you wish to exercise your rights under CCPA:
Email: [email protected]
In Writing: Kroll Compliance and Privacy Office, 1 South Wacker Drive, Suite 700, Chicago, IL 60606