Kroll Restructuring Privacy Notice

The following information is provided to comply with the requirements of the General Data Protection Regulation (‘GDPR’). This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, both by individuals themselves or by others. We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection. This Privacy Notice applies when an insolvency practitioner of Kroll is appointed as office holder and data processing is carried out as part of their statutory duties.

Who is Collecting Data

Where an insolvency practitioner of Kroll LLC (or its affiliates or subsidiaries, collectively "Kroll") is appointed as office holder and the data processing is carried out as part of their statutory duties, the office holder(s) is/are the data controllers.  This Privacy Notice relates primarily to data generated as officeholder.

Where an insolvency practitioner of Kroll is not appointed as office holder, the data controller is either the company/individual on whose instructions Kroll is acting or it is Kroll. Please refer to the main Kroll Privacy Notice for further details.  

Data We Collect/Hold 

The personal data we have used to contact you was provided by the company/individual (or persons acting on their behalf) on whose instructions we are acting or in relation to which the Kroll insolvency practitioner has been appointed.  We also access information from the Registrar of Companies and other similar public-access data providers.

The categories of data we hold are: contact details, financial information and location. In some cases, we may hold some special category data, e.g. trade union membership or information about individuals’ health, which will be necessary to administer the insolvency process in line with our legal obligations.

Processing of Personal Data

The purpose for which personal information is processed may include any or all of the following:

  • deliver services and meet legal responsibilities
  • verify identity where this is required
  • communication by post, email or telephone
  • understand needs and how they may be met
  • maintain records
  • process financial transactions
  • prevent and detect crime, fraud or corruption
  • may also need to use data to defend or take legal actions related to the above

Most processing is carried out to comply with our legal obligations under statute (eg specific insolvency legislation: Insolvency Act 1986 and Insolvency (England & Wales) Rules 2016) and other regulatory obligations related to the insolvency process. An example may be reviewing and agreeing claims of employees and paying such claims.  

We also believe our processing is for the legitimate interests of all stakeholders in the insolvency process, as they are entitled to be kept informed and may wish to engage in the insolvency process. Where Kroll has engaged with a client to perform a service, we will be required to process data to provide the service in accordance with the contractual terms.

Storage of Personal Data

We retain personal data for as long as is necessary to achieve the purpose listed above and for any other permissible related purpose. For example, we retain most records until the time limit for claims arising from the activities has expired or otherwise to comply with statutory or regulatory requirements regarding the retention of such records. 

Disclosure/Sharing of Personal Data

Kroll is a global firm with operations in over 30 countries. Personal information may be transferred, accessed and stored globally as necessary for the uses stated above in accordance with this notice, and in compliance with local regulations.

For instance, we may share personal data with other Kroll offices where necessary for administrative purposes and to provide professional services. For example, the IT servers powering and facilitating the IT infrastructure are located in secure data centers around the world, and personal data may be stored in any one of them.

We may also use third parties that assist us in providing goods, services or information located in other countries to help us run our business, e.g. commonly those that provide applications/functionality, data processing, data storage or IT services. 

Personal data held by us may also be transferred to auditors and other professional advisers, law enforcement or other government and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation.

Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation. 

Cross – Border Transfers of Personal Data

Kroll is a global firm with operations in over 30 countries. Personal data may be transferred outside the countries where we and our clients are located. This includes countries outside the EU and countries that do not have laws that provide specific protection for personal data. We have taken steps to ensure all personal data is provided with adequate protection and that all transfers of personal data outside the EU are done lawfully. We take measures designed to provide the level of data protection required in the EU, including ensuring transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission, or another adequate transfer mechanism. Kroll entities have entered into intragroup transfer agreements based on the Standard Contractual Clauses which allows for the processing and transfer of personal data.

Where we receive requests to disclose personal data from law enforcement or regulators, we carefully validate these requests, including reviewing the legality of any order and challenging the order if there are grounds under the law to do so, before any personal data is disclosed.

Your Rights

The GDPR provides the following rights for individuals:

  • Right to inform: This privacy notice meets our requirement to inform you of our processing of your data.
  • Access to personal data: You have a right of access to personal data held by us as a data controller. This right may be exercised by contacting us as detailed below. We will aim to respond to any requests for information promptly, and in any event within one month.
  • Amendment of personal data: To update personal data submitted to us, you may contact the insolvency practitioner(s) via the details (address, email and phone) shown in correspondence with you or by amending the personal details held on relevant applications with which you registered (eg Creditors Portal). If this is not convenient please contact us as detailed below. 
  • Rights that do not apply in these circumstances: Not all of the rights under the GDPR are available as one of the reasons we are holding your data is on the basis of it being a legal obligation and therefore the right to erasure, data portability and to object do not apply.  
  • Right to withdraw consent: The data received was not based upon obtaining consent and therefore the right to withdraw consent does not apply.

Please contact [email protected] to request access or amendment to your personal data.

Subject to legal considerations or certain exemptions, we may not always be able to address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

Requests received via post may be delayed due to limited office access during the Covid-19 pandemic.  Please contact us by email to ensure your request is received in a timely manner.

Contact Us

The insolvency practitioner(s) can be contacted via the details (address, email and phone) shown in correspondence with you.

Requests received via post may be delayed due to limited office access during the Covid-19 pandemic.  Please contact us by email to ensure your request is received in a timely manner.

Alternatively you may contact Kroll with any GDPR questions, concerns, or complaints about our use of personal data as follows: 

Dedicated GDPR email: [email protected] 

D&P EU Data Protection Officer: Daniela Mosca

  • Email: [email protected]
  • Telephone +
  • Post: Daniela Mosca at Duff & Phelps REAG SpA, Centro Direzionale Colleoni, Palazzo Cassiopea 3, 7th Floor, Via Paracelso 26, 20864 Agrate Brianza (MB) - Italy 

Kroll Corporate Headquarters
55 E 52 Street
New York, NY 10055

When contacting us, it would be helpful if you are able to provide the name of the insolvency practitioner, office location, the name of the insolvent entity and your relationship to that entity (eg creditor, customer, shareholder etc), if known.

You also have the right to lodge a complaint with the Information Commissioner's Office (“ICO”) (the UK data protection regulator).  For further information on your rights and how to complain to the ICO, please refer to the ICO website.

Contact details for other supervisory authorities may be found here: EU Data Protection Authorities

Changes to Our Privacy Statement

We keep this privacy statement under regular review and will place any updates on our website. Paper copies can be obtained by contacting the Kroll EU Data Protection Officer, details above.

This privacy statement was last updated in May 2021.