Kroll Third Party Global Privacy Policy

  1. INTRODUCTION
  2. SCOPE
  3. TERMS AND DEFINITIONS
  4. DATA PRIVACY ORGANIZATION
  5. PRIVACY PROGRAM AND FRAMEWORK
  6. DATA PRIVACY PRINCIPLES
  7. PROCESSING OF PERSONAL DATA
  8. PERSONAL DATA BREACH AND INCIDENT MANAGEMENT
  9. COMPLIANCE WITH THIS POLICY
 
1. Introduction

Kroll, LLC, including its affiliates and subsidiaries (collectively "Kroll" or the “Firm”) collects and uses certain information about individuals (“personal data”), including clients, suppliers, business contacts, employees, and others, as needed to conduct its business activities.

This Policy sets forth requirements for the use and governance of personal data, to ensure that personal data is being collected, shared, and used in appropriate ways, and that individual privacy rights are protected.

2. Scope

The term “Third Party” as used throughout this document is intended to cover any person or entity signing, acknowledging or providing a certification with respect to this Policy, who is contracted or sub-contracted to work with or on behalf of Kroll or to provide goods or services to Kroll. This Policy applies to Third Parties who have access to or receive personal data under the authority of Kroll.

This Policy is designed to comply with the various data privacy laws globally, including US state privacy laws, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the European General Data Protection Regulation (GDPR), and any other applicable laws governing the Firm’s activities in the countries in which it operates.

Violations of this Policy may result in severe civil and criminal penalties and in disciplinary action, up to and including termination of your relationship with Kroll, personal liability, or criminal prosecution.

3. Terms and Definitions

Data Controller: A person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processing: Any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, alignment or combination, restriction, erasure, or destruction.

Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Data Subject: an identified or identifiable natural person to whom personal data relates.

Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the identity of that natural person; examples of personal data include: name, email address, phone number, IP address.

Sensitive Personal Data: personal data that relates to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, genetic data, biometric data, criminal records, unique identifiers such as social security number/social insurance number/passport number (or similar), financial information such as bank account number, credit card number; PHI under HIPAA and non-public financial information under GLBA also fall under this category. Processing of sensitive data that relates to criminal convictions and offences of a data subject generally requires specific legal justification under relevant local laws.

Third Party Processor: contractors, vendors, suppliers, service providers or similar, to whom Kroll may disclose personal data or provide access to personal data (including access to Kroll systems processing personal data) in order to perform processing activities on behalf of Kroll.

4. Data Privacy Organization

Data privacy is an obligation of every Third Party. Everyone who works for or with Kroll has a responsibility to ensure that personal data is collected, stored, handled, and processed appropriately, in line with this Policy, the data privacy principles set out in Section 6, and applicable laws.

Kroll has appointed the Privacy Organization as responsible for developing, implementing, maintaining, monitoring, and continuously improving an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the processing of personal data.

5. Privacy Program and Framework

5.1 Contact

Questions about this Policy should be directed to the Privacy Team at [email protected].

5.2 Privacy Risk Assessment Process

Kroll applies a privacy risk assessment process to identify potential risks of harm to data subjects, including risks to the privacy, rights, or freedoms of individuals which may result from personal data processing. Risks are assessed based on the likelihood of occurrence and seriousness of harm, and other potential consequences of the processing activity.

Identified risks are prioritized for risk treatment, which includes selecting risk treatment options and determining controls necessary to implement the risk treatment.

Risks to the confidentiality, integrity, and availability of personal data processing systems are evaluated and managed by the CISO and the Information Security team, in accordance with the Information Security Policy.

Third Parties must provide support and information to Kroll in order for Kroll to resolve any identified risks relating to the Third Party’s processing of Kroll personal data.

5.3 Data Protection Impact Assessment

When new processing of personal data or changes to existing processing of personal data are planned, Kroll will identify and evaluate potential privacy impacts and identify required privacy controls necessary for such processing.

Considering the sensitivity of data, risk level of the processing activity, and relevant regulations, Kroll will also determine if there is a need to conduct a Data Protection Impact Assessment (DPIA) (sometimes also referred to as a Privacy Impact Assessment). A DPIA should be conducted for high risk processing activities and must be conducted where mandated by relevant laws.

A DPIA will include:

  • A description of the processing activities, including types of data processed.
  • An assessment of the necessity and proportionality of the processing.
  • An assessment of the risks to the rights and freedoms of data subjects.
  • The measures envisaged to address the risks, including controls, safeguards, security measures and mechanisms to ensure the privacy and protection of personal data.
  • An overall assessment of the above elements to determine the necessity of consulting the relevant supervisory authority prior to the start of processing, as may be required by applicable law.

Third Parties must provide support and information in carrying out a DPIA at the request of Kroll.

5.4 Privacy by Design and Default

Kroll promotes the philosophy of privacy by design and default. Processes and systems should be designed such that:

  • The collection of personal data is limited to the minimum that is relevant, proportional, and necessary for the identified purposes.
  • The processing (including use, disclosure, retention, transmission, and disposal) is limited to that which is adequate, relevant, and necessary for the identified purposes.

The design of any system that involves the processing of personal data must be preceded by an identification of relevant privacy control requirements. The privacy implications of new or substantially modified systems involving the processing of personal data should be resolved before those systems are implemented.

5.5 Records Relating to Personal Data Processing (Processing Register)

Kroll will maintain records of the processing of personal data, including an inventory or list of the personal data processing activities the Firm performs. Such records will generally include the type of personal data, purpose of processing, categories of data, categories of data subjects, categories of recipients, and any other information which may be required by applicable law.

5.6 Obligation to Clients

Where Kroll processes personal data on behalf of a client, in order to carry out a client engagement or provide a client service, the following applies:

  • Kroll must provide the client with the appropriate information such that the client can demonstrate compliance with its obligations.
  • Personal data processed on behalf of a client must only be processed for the purposes in the agreement or compatible purposes, or on other documented instructions of the client.
  • Kroll and its Third Parties cannot use personal data processed under a client contract for the purposes of marketing and advertising, unless otherwise agreed.
  • Kroll must inform the client if, in its opinion, a processing instruction infringes upon applicable legislation and/or regulation.
  • Kroll and its Third Parties may only engage a sub processor to process personal data if and as permitted by the client contract.
  • Kroll and its Third Parties may only transfer personal data between jurisdictions if and as permitted by the client contract.
  • If Kroll receives any legally binding requests for disclosure of personal data Kroll must, after consulting with the Legal Department, notify the client of such request. Third Parties must immediately notify the Legal Department of any legally binding requests for disclosure of personal data.

5.7 Third Party Privacy

Kroll respects the privacy of our Third Parties. We will collect and handle personal data only for business reasons consistent with applicable laws. Access to personal data is limited to those who have a need-to-know for the performance of their job, and in accordance with legal requirements. Those who are responsible for personal data are advised on a regular basis of their duty to protect this information. No one is permitted to access prospective, current, or former Third Party records without proper authority.

6. Data Privacy Principles

Kroll and its Third Parties must adhere to the following principles when processing personal data:

  • Fairness and lawfulness: there must be a legal ground that permits Kroll to process personal data. Where required by law, Kroll must obtain consent prior to collection, use, or disclosure of personal data.
  • Transparency: Kroll must identify the purposes for which the personal data is being collected by Kroll at or before the time of collection and make information about its data privacy policies and practices publicly and readily available.
  • Purpose limitation: data must be collected for specified, explicit and legitimate purposes, and may not be collected for one purpose and used for another, incompatible purpose (unless required by law or with the individual’s consent).
  • Data minimization: only process personal data to the extent that is adequate, relevant, and limited to what is necessary for the purpose and not more.
  • Accuracy: personal data maintained by Kroll or its Third Parties must be correct and kept up to date.
  • Storage limitation: Personal data must only be kept as long as required to serve the purposes for which it was collected. Once personal data is no longer needed for those purposes, it should be destroyed.
  • Security: personal data must be kept secure using technical and organizational means appropriate to the sensitivity of information, to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  • Individual Rights: any processing activity must respect the rights of individuals and provide for specific data subject rights as required in certain jurisdictions.
  • Accountability: Kroll and its Third Parties are responsible for personal data under their control and are responsible for, and able to demonstrate compliance with, these principles.

7. Processing of Personal Data

7.1 Collection of Personal Data

Prior to collection, Kroll must identify and document the specific purposes for which the personal data will be processed and the relevant lawful basis for the processing for the identified purposes. Lawful grounds for processing personal data generally include:

  • When necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract.
  • When necessary for compliance with a legal obligation to which Kroll is subject.
  • When necessary for the purposes of legitimate interests of Kroll, including but not limited to conducting business activities, internal administrative purposes, ensuring network and information security.
  • Consent of the data subject, when consent is freely given, specific, informed and an unambiguous indication of the data subject’s wishes. Data subjects must be given the right to withdraw consent at any time.
    • Kroll must demonstrate if, when and how consent for the processing of personal data was obtained from data subjects.
  • Where laws and regulations otherwise permit processing.

Collection of personal data must be limited to the minimum that is relevant, proportional, and necessary for the identified purposes. Third Parties may collect personal data only to the extent, and in such a manner, as is necessary for the purposes of the services and in accordance with Kroll’s written instructions.

7.2 Processing of Personal Data

Processing of personal data must be limited to that which is adequate, relevant, and necessary for the purposes identified prior to collection, unless a different purpose is required by applicable law or agreed to by the data subject. Use of personal data must be limited to that which is necessary in order to fulfill specific, explicit, and legitimate purposes, and not processed for other incompatible purposes. Third Parties shall not process or permit the processing of personal data for any other purpose beyond the provision of services to Kroll.

Wherever possible, Kroll will use processing options which do not involve the identification of the individual data subject. Kroll and its Third Parties should either delete personal data or render it in a form which does not permit identification or re-identification of data subjects as soon as the original data is no longer necessary for the identified purpose(s).

Kroll and its Third Parties should ensure that personal data is as accurate, complete, and up to date as is necessary for the purposes for which it is processed.

7.3 Sharing/Disclosure of Personal Data

Personal data must be treated as confidential, in accordance with the Records and Information Management Policy. Kroll and its Third Parties must limit the disclosure of personal data to that which is necessary in order to fulfill specific purposes and minimize the number of people to whom personal data is disclosed or who are permitted to process it.

7.3.1 Internal Firm Disclosure
Disclosure of personal data to Firm employees is permitted on a legitimate business need-to-know basis, where necessary for the conduct of one’s official duties.

7.3.2 Third Party Processors (Contractors, Vendors, Suppliers, Service Providers)
Kroll may need to disclose personal data or provide access to personal data (including access to Kroll systems processing personal data) to a Third Party Processor to perform processing activities on behalf of Kroll. Kroll must conduct an evaluation of any prospective Third Party Processor prior to disclosing data or providing access to data. Evaluations are to be performed by Legal, IT, Privacy, and Information Security. As part of the Privacy evaluation, the Privacy Team will review the Third Party Processor’s controls and safeguards for ensuring the privacy of personal data. Engaging Third Party Processors without the required evaluation and approval is expressly prohibited.

Kroll must have a written contract with any Third Party Processor which requires the processor to comply with Kroll’s policies and applicable laws.

7.3.3 Other Third-Party Disclosures
Personal data should not otherwise be shared or disclosed outside of Kroll unless such disclosure is necessary for the performance of job duties, required by law, or where authorized to do so by Kroll in writing. The data subject must provide consent (or be given the ability to opt out, depending on jurisdiction) if the Firm or a Third Party would like to sell personal data or disclose data for a purpose different from that for which it was collected.

Where external disclosure is permitted, a non-disclosure, confidentiality or other agreement may be required prior to such disclosure. Contact the Legal Department for guidance.

Kroll and its Third Parties should record disclosures of personal data to third parties, including what has been disclosed, to whom and when.

7.4 Transmission of Personal Data

Personal data transmitted over a data transmission network (internet) must be subject to appropriate controls designed to ensure secure transfer and that the data reaches its intended destination.

Personal data should be encrypted during transmission, where feasible, and sensitive personal data must be encrypted during transmission, whether to internal or external recipients.

7.5 Storage, Retention and Deletion

The Firm and its Third Parties will not retain personal data for longer than is necessary for the purposes for which the personal data is processed.

The Firm has adopted policies, procedures, and a retention schedule for personal data to retain data for a reasonable period, taking into account whether retention is necessary for the purpose of processing, legitimate business needs to retain such information, and legal requirements.

After the retention period, personal data must be securely disposed of or fully anonymized. The Firm has adopted policies and procedures for the secure disposal of personal data, as set forth in the Information Security Policy.

7.6 Cross Border Transfers

Laws of many jurisdictions prohibit or restrict cross border transfers of personal data. Kroll and its Third Parties must comply with all laws restricting transfers as well as with any contractual obligations with clients which may further restrict Kroll’s ability to transfer data. Kroll documents the countries or regions to which personal data can be transferred pursuant to regulatory requirements, and the relevant legal basis for transfers between jurisdictions, where applicable.

For example, GDPR restricts data transfers from the EU to countries outside the EU. Kroll and its Third Parties may only transfer personal data from the EU to locations outside the EU where:

  • The destination country has been determined by the European Commission to provide an adequate level of personal data protection.
  • The transfer is made pursuant to contract terms or model clause agreements (such as standard contractual clauses) ensuring adequate data protection.
  • The transfer is otherwise permitted under GDPR.

Laws of other jurisdictions where Kroll conducts business have similar requirements for cross-border transfers.

7.7 Notice and Transparency

Where Kroll is a data controller, Kroll has an obligation to ensure that data subjects are provided with appropriate information about the processing of their data (notice).

Kroll will determine the legal, regulatory and/or business requirements for the type of information to be provided in the notice and the time at which to provide it. The notice must contain information identifying the data controller and describing the processing of personal data, as well as other information as required by applicable law.

Information must be provided to data subjects in a timely, concise, complete, transparent, intelligible, and easily accessible form, using clear and plain language, as appropriate to the target audience. Where feasible, the information should be provided at the time of personal data collection.

Where a Third Party is a data controller in carrying out the services, the Third Party will be responsible for providing any necessary notice according to applicable laws.

7.8 Data Subject Rights

Under certain data privacy laws, data subjects may be entitled to some or all of the individual rights listed below. Kroll has adopted policies and procedures for handling requests from data subjects exercising the following data subject rights:

  • To obtain confirmation of whether personal data is being processed by Kroll.
  • To obtain access to the personal data or obtain a copy of the personal data being processed.
  • To ask Kroll to correct or amend personal data where it is inaccurate (rectification).
  • To ask Kroll to delete personal data.
  • To object to Kroll processing personal data.
  • To ask Kroll to restrict processing.
  • The right to data portability.
  • Where processing is based on consent, the right to withdraw consent.
  • Rights in relation to automated decision making and profiling, including to request human intervention or challenge a decision.
  • The right to challenge compliance or file a complaint with Kroll related to privacy.

Kroll will facilitate all data subject requests where required by law.

Requests by individuals to exercise their individual rights or submit a complaint must be handled by the Privacy Team and the DPO where applicable. Third Parties should immediately forward any request to exercise rights to the Privacy Team at [email protected].

Third Parties shall cooperate with Kroll in the course of investigating any complaint from a data subject or facilitating data subject rights with respect to data under the Third Party’s control, including to provide a copy of such data, amend, delete, or otherwise as required for Kroll to comply with applicable laws.

8. Personal Data Breach and Incident Management

The Firm has adopted policies, procedures, and controls reasonably designed for a quick, effective, and orderly response to a personal data breach, enabling the Firm to meet its legal, regulatory, and contractual obligations with respect to personal data breaches.

Personal data breach events or suspected events must be immediately reported and handled in accordance with the Information Security Incident Response Plan (IRP) and/or the Privacy Incident Response Process. Kroll may be required to report a personal data breach to the relevant supervisory authority without undue delay and, in many jurisdictions, within 72 hours after becoming aware of it. Kroll may also be required to report the breach to affected data subjects or clients. Kroll has established responsibilities and procedures for the notification to required parties, as set forth in the IRP and the Privacy Incident Response Process.

In the event of a suspected breach of this Policy or privacy laws, including but not limited to unauthorized disclosure of personal data, Third Parties must immediately contact [email protected]. For a suspected systems breach, Third Parties must immediately contact [email protected].

9. Compliance with This Policy

Any instance of non-compliance with this Policy must be reported immediately to the Privacy Team, Information Security Team, or respective local Data Protection Officer. Any observed or suspected security weaknesses in systems or processes should also be reported.

Violations of this Policy or applicable laws may result in corrective or adverse action, up to and including termination of a Third Party’s relationship with Kroll, or other appropriate action, and/or severe civil and criminal penalties and personal liability or criminal prosecution.

Kroll reserves the right to change this Policy at any time. The revised Policy will be posted on the Kroll website and the "effective date" of this Policy will be updated accordingly.

Third Parties are required to adhere to all aspects of this Policy to the extent not otherwise prohibited by applicable local law.