This EU-US and SWISS-US Data Privacy Framework Policy (“DPF Policy”) supplements the Kroll Privacy Notice or other applicable privacy notice which is generally provided at the time of data collection or as soon as practical thereafter. This DPF Policy applies to the transfers of personal data from the European Union, the United Kingdom (and Gibraltar), and Switzerland in order to comply with the transfer requirements under data protection laws, including the EU General Data Protection Regulation (“GDPR”).
Kroll has certified that it adheres to the DPF Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability with respect to all personal data received from the EU, UK, or Switzerland in reliance on the DPF. Kroll is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC), which has jurisdiction over Kroll’s compliance with this Policy and the DPF.
Purpose of Data Processing
Kroll processes personal data for the purpose of providing client services. Personal Data relating to clients is collected from clients who provide it to us in connection with our provision of services to those clients. Client data is processed in the normal conduct of our business relationship with the client, to perform the services requested by and contracted with our clients.
Kroll also processes personal data for the purposes of recruitment, employment, and marketing, or for other purposes, which will be disclosed at the time we collect personal data.
At the time of data collection, or as soon as practical thereafter, Kroll notifies data subjects about its data practices regarding personal data, including the types of personal data it collects about them, the purposes for which it collects and uses such personal data, the types of third parties to which it discloses such personal data and the purposes for which it does so, the rights of data subjects to access their personal data, and the choices and means that Kroll offers for limiting its use and disclosure of such personal data.
Kroll provides individuals with notice and an opportunity to “opt-out” if such personal data is to be:
- disclosed to a third party (other than a third party acting on behalf of Kroll) or
- used for a reason that is incompatible with the purposes for which it was originally collected.
Individuals for whom Kroll may process Personal Data are entitled to obtain confirmation of whether their Personal Data are being processed, access the information held, and ask us to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the laws.
Individuals may request access as provided above via email to: [email protected]
Accountability for Onward Transfer
We will not share, sell or distribute any of the information you provide to us without your consent, except as described in the relevant privacy notice provided at or near the time of collection, or when acting on behalf of our clients, at the direction of our clients (the data controllers) on whose behalf we are processing personal data.
The information provided to Kroll will be available to Kroll, as well as to affiliated companies within the Kroll group who act for us for the purposes set out in this Policy and who are subject to this Policy.
Kroll may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of Kroll (our agents). Such third parties have access to Personal Data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. Kroll requires these third parties to undertake security measures consistent with the protections specified in this Policy.
Kroll will remain responsible for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf, unless Kroll proves that it is not responsible in an event giving rise to damage.
In the event Kroll transfers personal data covered by this DPF Policy to a third party acting as a controller, we will do so consistent with any notice provided to data subjects and any consent they have given (where applicable), and only if the third party has given us contractual assurances that it will (i) process the personal data for limited and specified purposes consistent with any consent provided, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the personal data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Kroll has knowledge that a third party acting as a controller is processing Personal Data covered by this DPF Policy in a way that is contrary to the DPF Principles, Kroll will take reasonable steps to prevent or stop such processing.
Kroll may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
Kroll takes reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. We will permit only authorized employees who are trained in the proper handling of personal information to have access to that information. Employees who violate our security and privacy policies will be subject to our disciplinary process. We employ security measures to protect your information from access by unauthorized persons and against unlawful processing, accidental loss, destruction and damage.
Data Integrity and Purpose Limitation
Kroll will retain Personal Data for a reasonable period of time, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period of time necessary to comply with state, local, federal regulations, or country-specific regulations and requirements, and in accordance with Kroll’s Document Retention Schedule.
We will not use your information in a manner that is incompatible with the purpose for which it was originally collected without providing you with notice and an opportunity to opt-out.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Kroll commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Kroll at:
Kroll Privacy Team
Email: [email protected]
Post: Kroll Privacy Team, 55 East 52nd Street, 17th Floor, New York, NY 10055
Kroll EU, UK and Swiss Data Protection Officer
Email: [email protected]
Post: Daniela Mosca at Kroll Advisory Holding SpA,
Centro Direzionale Colleoni, Palazzo Cassiopea 3, 7th Floor, Via Paracelso 26, 20864 Agrate Brianza (MB) - Italy
Enforcement and Dispute Resolution
Individuals are encouraged to raise any complaints regarding the processing of personal data to Kroll.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Kroll commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
Data subjects may contact the relevant independent recourse mechanism listed below:
- EU Data Protection Authorities (DPAs)
- Swiss Federal Data Protection and Information Commissioner
- UK Information Commissioner's Office
Kroll will cooperate with the applicable data protection authority in the investigation and resolution of complaints brought under the DPF. Kroll will comply with any advice given by the EU DPAs, the FDPIC, or the ICO where the applicable authority takes the view that the organization needs to take specific action to comply with the DPF Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the applicable authority with written confirmation that such action has been taken.
If a dispute or complaint cannot be resolved by Kroll or by the EU Data Protection authorities, the Swiss FDPIC, or the UK ICO, a data subject has the right to require that Kroll enter into binding arbitration pursuant to the DPF’s Recourse, Enforcement and Liability Principle and Annex I of the DPF.
Kroll U.S. Entities:
- Kroll LLC
- Kroll Associates, Inc.
- Kroll Restructuring Administration LLC
- Kroll Government Solutions, LLC
- Kroll Settlement Administration LLC
- Kroll Information Assurance, LLC