Free trial

Privacy Notice

Last updated: February 22, 2021

Regulatory DataCorp, Inc., a Moody’s Corporation company of 211 S. Gulph Road #125, King of Prussia, PA 19406, USA, (“RDC”, “we”, “us”, or “our”) respects your privacy. This privacy notice explains how we process Personal Data collected from publicly available and third-party sources which we incorporate into our database product, which we call Global Regulatory Information Database “GRID”).

“Personal Data” means information which identifies, or can be used to identify, living individuals.

  1. About GRID
  2. Personal Data contained in GRID
  3. Sources of Personal Data
  4. Uses & Disclosures of Personal Data
  5. Retention of Personal Data
  6. Your Rights & Choices
  7. Supplementary Information for the European Union, Switzerland and the UK
  8. Supplementary Information for California and Nevada
  9. Contact & Queries
  10. Updates to this Privacy Notice
  1. About GRID

    RDC’s main activity is providing regulatory screening services through GRID to financial institutions and other entities with regulatory compliance requirements (“Subscribers”). Subscribers use GRID in relation to their customers or those with whom they are looking to do business, some of which are companies or other legal entities, and some are individuals or sole traders. Subscribers use GRID as part of their compliance with their legal and regulatory obligations to help prevent and detect money laundering, terrorism, and other criminal activity, including know-your-client (“KYC”) obligations, sanctions screening, anti-money laundering (“AML”) and anti-corruption and bribery (“ABC”) obligations. We collect the Personal Data contained in GRID from public records, publicly available sources, and third parties. Subscribers are responsible for ensuring that their use of GRID through the results they receive from us complies with applicable laws and regulations.


  2. Personal Data Contained in GRID

    We receive name, address, and date of birth of individuals from Subscribers for us to query against GRID to search for matches.

    GRID contains the following Personal Data:

    • Name and title
    • Address
    • Date of birth
    • Nationality
    • Information relating to:
      • jobs and companies,
      • political affiliations and political exposure,
      • religious belief affiliations,
      • sanctions, and
      • unlawful activities, including terrorism and other criminal activities.

    We do not routinely obtain email addresses for individuals, and we rely on Subscribers (who do hold contact details) to notify those individuals that they will run checks on them using GRID if required under applicable law. Given the nature of our services that are used to identify banned and suspect entities and for fraud protection and meeting regulatory requirements relating to unlawful acts and dishonesty, there may be circumstances where providing the information to the individual would make impossible or seriously impair the achievement of the objectives of the processing.


  3. Sources of Personal Data

    RDC sources the Personal Data in GRID from public records, reputable publicly available sources, and third parties, including:

    • reputable media sources: media sources published by established media organizations, national and regional titles offering accurate and high-quality reporting, industry and specialty publications,
    • government publications and websites for government press releases around regulatory, enforcement, or justice department information, including sanctions lists, litigation releases, and law enforcement lists, such as Interpol Most Wanted, SEC Litigation Releases,
    • insolvency lists.

  4. Uses & Disclosures of Personal Data

    Subscribers use GRID to assist them with their legal, regulatory and compliance obligations in relation to AML, KYC, ABC, fraud, organized crime, sanctions, embargoes, and associated regulatory and reputational risks.

    The Personal Data in GRID is limited to those necessary for these purposes. For example, without name and contact details, Subscribers would be unable to look up individuals; without year or date of birth, it would be easy to mix up individuals with the same or similar names leading to cases of mistaken identity; similarly, without nationality, it would be easy to mix up individuals with the same or similar name leading to cases of mistaken identity.

    Subscribers are responsible for how they use the screening results they receive from us through GRID and ensuring that their use complies with applicable laws and regulations. Subscribers are responsible for how they use the results of a check performed using GRID, for example, whether to do business with a customer. RDC does not make decisions for Subscribers about individuals based on the information in GRID.

    We do not sell or otherwise disclose Personal Data we collect about you, except as described below or otherwise disclosed to you by us or our Subscribers (or the vendor or business partner that you represent) at the time the data is collected:

    • Affiliates and Business Partners. We may share the Personal Data we collect or receive with our affiliates and other offices, and business partners to whom it is reasonably necessary or reasonable for us to disclose your Personal Data to operate our business and to perform services for our Subscribers or for our business partners (namely channel partners who resell RDC’s services) or their customers or for other legitimate purposes.
    • Service Providers. We may share Personal Data with our service providers who perform services on our behalf and in relation to the purposes described in this Privacy Policy. For example, we may use third parties to help us analyze data as part of the services, manage our services, and build out GRID. We contractually require these Service Providers to only process Personal Data in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements.
    • Compliance with Law. We may disclose Personal Data to third parties to comply with the law, respond to valid legal process, establish, assert or defend our legal rights, or prevent fraud or abuse of RDC. In particular, we may disclose your Personal Data in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements.
    • Business Transfers. If we are involved in a reorganization, merger, acquisition or sale of any or all of our company, business or assets, Personal Data may be transferred as part of that deal or disclosed in connection with due diligence. We will put in place contractual provisions designed to ensure that any other parties commit to keep your Personal Data confidential and to only use it for the purpose of the relevant transaction and for purposes that are consistent with those outlined in this privacy policy.

  5. Retention of Personal Data

    Personal Data obtained from our Subscribers and business partners is maintained for the length of the associated agreement and the required time after the termination to meet any contractual audit or regulatory obligations or to otherwise comply with applicable law.

    Personal Data collected from public sources in GRID is stored for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and the applicable legal, regulatory, tax, accounting or other requirements.


  6. Your Rights & Choices

    If you are listed as an individual in GRID you may have rights under applicable data privacy laws. Where applicable, to access your Personal Data contained in GRID and exercise your rights of correction, objection, restriction, erasure, or digital testament, please see here.

    You may also have the right to complain to your local data protection authority if you have concerns about how we process your Personal Data. However, we hope we can solve any queries or concerns you may have, so please contact us directly in the first instance.


  7. Supplementary Information for the European Union, Switzerland and the UK

    The relevant legal bases for the use of your Personal Data are:

    • We or a third party (for example, business partner or Subscriber) have a legitimate interest in using your Personal Data. Our Subscribers have a legitimate interest in the processing of your Personal Data for managing their financial risks, protecting against fraud, knowing who they are doing business with, and meeting compliance and regulatory obligations.
    • In relation to political, religious or criminal offence data, this will generally be processed either:
      • where the Personal Data has manifestly been made public (for example, where it is a matter of public record that an individual belongs to a certain political party or religious organisation); or
      • in order to provide our services in circumstances where the processing is necessary for the purposes of complying with, or assisting our Subscribers to comply with, a regulatory requirement (including under AML, KYC, ABC and sanctions regulations or under industry good practice principles and regulatory guidance applying to Subscribers), which involves taking steps to establish whether the individual has committed an unlawful act, been involved in dishonesty, malpractice or other seriously improper conduct; or where the individual has manifestly made such data public.

    RDC has put in place measures to protect Personal Data which is transferred from the UK and the European Economic Area to the UK, US, India, Bangladesh, South America, China, Canada and the Asia Pacific region. To transfer Personal Data outside of the EEA RDC has put in place EU standard contractual clauses to ensure that an equivalent level of data protection applies. To request a copy of these clauses, please contact us as specified in the “Contact & Queries” section below. We may also transfer Personal Data to countries for which the EU Commission has issued an adequacy decision where applicable.

    We take commercially reasonable steps to ensure that Personal Data is reliable, accurate, complete, and current for its intended purpose, primarily by accessing Public Records and Publicly Available Data from reputable sources only.


  8. Supplementary Information for California and Nevada

    CALIFORNIA CONSUMER ACT PRIVACY NOTICE

    This California Consumer Act Privacy Notice (“Notice”) applies to the Personal Information (“PI”) of California “Consumers” as defined by the California Consumer Privacy Act (“CCPA”).

    A. PI We Collect
    We collect the following categories of PI from the corresponding sources and for the corresponding purposes set forth in the table below. The below table also includes information as to categories of third parties with whom PI is shared, as discussed below in more detail in Section B.

    Category of PI Source of PI Business or Commercial Purposes for PI Collection Categories of Third Parties with whom PI shared Purposes of Third Parties Receiving Data
    Identifiers, Personal Records, Consumer Characteristics, and Professional or Employment Information Government databases, publicly-available news and information databases, customers, consumers Legal and regulatory compliance including fraud detection and crime prevention Service providers, channel partners, and customers, which are regulated businesses including financial service institutions Service providers assist us in providing services; channel partners and customers use PI we provide to assist their customers in legal and regulatory compliance including fraud detection and crime prevention
    Biometric Information Government databases Legal and regulatory compliance including fraud detection and crime prevention Service providers, channel partners, and customers, which are regulated businesses including financial service institutions Service providers assist us in providing services; channel partners and customers use PI we provide to assist their customers in legal and regulatory compliance including fraud detection and crime prevention
    Inferences from PI Collected Internal analytics Legal and regulatory compliance including fraud detection and crime prevention Channel partners and customers, which are regulated businesses including financial service institutions Channel partners and customers use PI we provide to assist their customers in legal and regulatory compliance including fraud detection and crime prevention

    B. CCPA Privacy Rights

    We provide California Consumers the privacy rights under the CCPA as described in this Section B. You have the right to exercise these rights via an authorized agent who meets the agency requirements of the CCPA and related regulations. As permitted by the CCPA, any request you submit to us is subject to an identification and residency verification process (“Verifiable Consumer Request”). We will not fulfill your CCPA request unless you have provided sufficient information for us to reasonably verify you are the California Consumer about whom we collected PI. Please follow the instructions at our Consumer Rights Request form here and respond to any follow up inquires we may make. Given the sensitive nature of the information we collect, and to maintain the integrity of our databases, we require a government-issued photo identification card to complete the verification process.

    Some PI we maintain about California Consumers is not sufficiently associated with enough PI about the California Consumer for us to be able to verify that it is a particular California Consumer’s PI when a California Consumer request that requires verification pursuant to the CCPA’s verification standards is made (e.g., clickstream data tied only to a pseudonymous browser ID). As required by the CCPA we do not include that PI in response to those requests. If we cannot comply with a request, we will explain the reasons in our response. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

    We will make commercially reasonable efforts to identify California Consumer PI that we collect, process, store, disclose, and otherwise use and to respond to your California Consumer privacy rights requests. In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest that you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest or not We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

    Consistent with the CCPA and our interest in the security of your PI, we will not deliver to you your social security number, driver’s license number or other government-issued id number, financial account number, any health or medical identification number, an account password, or security questions or answers inf response to a CCPA request. To make a request according to you rights to know or to request deletion of your PI set forth below, please click here to submit your request. RDC will instruct you on additional information you will need to provide to fully respond to your request. For your specific pieces of information, as required by the CCPA, we will apply heightened verification standards, including by requiring you to provide a government-issued photo identification card.

    Your California Consumer privacy rights are as follows:
    a. The Right to Know
    i. Information Rights

    You have the right to send us a request, no more than twice in a twelve-month period, for any of the following for the period that is twelve months prior to the request date:

    • The categories of PI we have collected about you.
    • The categories of sources from which we collected your PI.
    • The business or commercial purposes for our collecting or selling your PI.
    • The categories of third parties to whom we have shared your PI.
    • The specific pieces of PI we have collected about you.
    • A list of the categories of PI disclosed for a business purpose in the prior 12 months, or that no disclosure occurred.
    • A list of the categories of PI sold about you in the prior 12 months, or that no sale occurred. If we sold your PI, we will explain:
    • The categories of your PI we have sold.
    • The categories of third parties to which we sold PI, by categories of PI sold for each third party.

    Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

    ii. Obtaining Copies of PI
    You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected in the period that is 12 months prior to the request date and are maintaining.

    Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

    b. Delete
    Except to the extent we have a basis for retention under CCPA, you may request that we delete your PI that we have collected directly from you and are maintaining. Our retention rights include, without limitation, to complete transactions and service you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement. Note also that we are not required to delete your PI that we did not collect directly from you.

    c. Do Not Sell
    California residents have the right to opt-out of the sale of their PI to third parties. To exercise this, please click here. You can exercise control over browser-based cookies by adjusting the settings on your browser. We also list cookies and provide access to their privacy information in our Cookies Notice. Further, you can learn more about your choices regarding certain kinds of online interest-based advertising here and here. We do not represent that these third-party tools, programs or statements are complete or accurate.


  9. Contacts & Queries

    If you have any questions or comments regarding RDC’s privacy practices you can do this via email at [email protected] or write to us at:

    Regulatory DataCorp, Inc.
    211 S. Gulph Road #125
    King of Prussia, PA 19406.
    USA.


  10. Updates to this Privacy Notice

    The most current version of this Privacy Notice will always be available here. You can check the “effective date” posted at the top to see when this Privacy Notice was last updated.