Data Protection Notice
Kroll, LLC (and all affiliates and subsidiaries, collectively "Kroll", “us”, “we” or “the Firm”), as a Data Controller, is committed to complying with the applicable data privacy and security requirements in the jurisdictions in which it operates. Kroll complies with internationally recognized standards of privacy protection and with various privacy laws globally including, but not limited to, the General Data Protection Regulation 2016/679.
This Privacy Notice applies to individuals visiting Kroll’s business premises. The Kroll entity whose business premises you are visiting is the data controller and is responsible for processing your personal data.
(i) What information is being collected For the purposes mentioned in paragraph (ii),
below, we may collect the following categories of personal data:
- Contact details
- Government issued ID number or other identification documentation
- Name of employer (if applicable)
- CCTV images
- Internet activity using our network/guest Wi-Fi
- Other information we may request from you that you decide to provide
Together with information concerning the visit such as the name of the employee visited, the date and hour of the visit and the areas to which access is required.
(ii) Why it is being collected
All of the data you provide to us will be processed subject to the restrictions and for the purposes pointed out in this notice, namely:
a. To protect our premises and the people, property and information they contain
b. To ensure your safety during the visit and in case of an emergency requiring evacuation of the premises
c. To manage your visit (e.g. to provide you with appropriate security access or notify a hosting employee of your arrival)
d. For complying with obligations provided by laws, current regulations and legislation
Whenever we process your personal data for a legitimate interest, we will always ensure to take account of your rights and to balance our interests with them. You have the right to object to this processing if you wish, but please be aware that if you object this may affect our ability to grant you entrance to our premises.
(iii) Who is collecting data
Data will be collected by the Kroll entity whose business premises you are visiting.
(iv) How data is processed
Personal data is processed both manually and electronically in accordance with the above-mentioned purposes and, in any case, in order to guarantee data security and data confidentiality in compliance with current regulations. Access to personal data will be given only to those who need such access for the purposes listed above or where required by law. These parties include human resources personnel, information technology personnel, building management, and authorised representatives of internal control functions, such as Audit and Compliance. Only the exact data required to fulfil each processing purpose (whether internal or external), is made available to the necessary individuals.
(v) How data is stored
Data is recorded on paper and IT systems. Kroll only stores data for as long as needed to satisfy the interests set out in this notice or as otherwise required by law. Different categories of data are subject to different storage periods; however, data generally will not be stored for a period longer than 1 year from the end of your visit to our premises.
(vi) With whom your data could be shared
We may share personal data among Kroll-controlled affiliates and subsidiaries who act for Kroll for the purposes set out in this notice. Without prejudice to any communications made to comply with legal or contractual obligations, data may also be disclosed to external parties as required by laws or regulations (e.g. court, tribunal, Regulatory Authority or Governmental Entity). When we share your information with other entities within our group or third-party companies, we take all reasonable steps to ensure that your information and privacy are protected in line with the applicable legal obligations.
(vii) Cross-Border transfers of personal data
Kroll is a global firm with operations in over 25 countries. Personal information may be transferred, accessed and stored globally as necessary for the uses stated above in accordance with this notice, and in compliance with local regulations. For personal data subject to European data protection laws, we take measures designed to provide the level of data protection required in the EU, including ensuring transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission, or another adequate transfer mechanism. Kroll entities have entered into intragroup transfer agreements based on the Standard Contractual Clauses which allows for the processing and transfer of personal data.
(viii) Your rights and how to exercise them
You have the right to request the following concerning your data processed by Kroll:
- Access: You have the right to access personal information that Kroll holds about you.
- Rectification: You have the right to ask us to rectify information Kroll holds about you if it is inaccurate or not complete.
- Erasure: You can request that Kroll erase your personal data. We will keep basic data to identify you and retain it solely for preventing further unwanted processing.
- Restrict Processing: You have the right to ask Kroll to restrict how we process your data. This means we are permitted to store the data but not further process it. We keep just enough data to make sure we respect your request in the future.
- Object to processing: Where processing is based on legitimate interests, you have the right to object to Kroll processing your data.Kroll will discontinue processing your data unless we can demonstrate compelling legitimate grounds for the processing. We will keep basic data to identify you and retain it solely for preventing further unwanted processing.
Please contact [email protected] to request access, rectification, or erasure, or to restrict processing, or to object to processing. If you are in the EU, you can also contact our EU Data Protection Officer: [email protected].
If you believe that the processing of your personal data infringes applicable data protection laws, as a data subject you have the right to lodge a complaint with a supervisory authority.