Kroll, LLC (formerly Duff & Phelps LLC), including all affiliates and subsidiaries (collectively "Kroll"), is committed to complying with the applicable data privacy and security requirements in the countries in which it operates. Kroll complies with internationally recognized standards of privacy protection, and with various privacy laws globally including, but not limited to, the EU General Data Protection Regulation (GDPR). This Privacy Notice applies when providing valuation advisory, corporate finance, restructuring, governance, risk, investigations, disputes, intelligence, diligence, compliance and regulatory consulting, cyber risk, or other services (the "services") to its customers.
Please see separate privacy policies regarding the below services:
If you are a California resident, please see our CCPA Privacy Policy to learn about your rights under the California Consumer Privacy Act.
If you are a Virginia resident, please see our Virginia Privacy Notice to learn about your rights under the Virginia Consumer Data Protection Act.
Data will be collected by Kroll LLC (or its affiliates and subsidiaries, collectively "Kroll"). This policy applies to personal data which is collected and/or used by Kroll in its capacity as a data controller as that term is defined in the GDPR and similar privacy laws, for the purposes set out below under Processing of Personal Data.
When Kroll provides services to clients, we sometimes process personal data as a data processor, meaning that we process the data solely on the instructions of our clients, who determine the purpose and means of processing and exercise overall control of the data (for example, the hosting of client data on our web-based due diligence portal). Therefore, if you have questions or wish to exercise your rights relating to your personal data, you may need to contact the client (and controller) on whose behalf the processing of your data is carried out. If we receive a request from you relating to data controlled by a client, we will pass the request to the appropriate client (and controller) where permitted by applicable privacy law.
Kroll collects the following categories of personal data:
Contact data: We may collect information about data subjects such as name and contact details (email, phone number, etc.) in order to communicate and facilitate the provision of our services with our clients or potential clients. For example, contact details of individuals who work for or on behalf of the clients, in order to carry out the client’s engagement with Kroll.
Services data: Personal data may be provided to us by clients to the extent required to perform the services. Kroll may also acquire personal data from a third party at the direction of our client as required to perform services.
Marketing information: We may collect information to respond to inquiries regarding our products and services or to provide you with information, reports, or updates.
Website visitor information: when you visit our website, we may collect information about your visit such as your IP address and the pages you visited and when you use our services we may collect information on how you use those services. Please see our Website Use and Cookies Policy for additional information.
Clients and other Third parties who provide personal information to Kroll must do so in compliance with applicable data privacy regulations.
We collect personal data to offer and administer our services and products. These include valuation advisory, corporate finance, restructuring, governance, risk, investigations, disputes, intelligence, diligence, compliance and regulatory consulting, and cyber risk services.
Except as otherwise stated in the privacy policy applicable to the affiliate providing the services,(Kroll Restructuring Administration’s policy is available here and Kroll Settlement Administration’s policy is available here ) , the data you provide to us will be processed in accordance with the purposes specified in this notice, namely:
Whenever we process your personal data for our legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws. Our legitimate business interests do not automatically override your interests - we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You have the right to object to this processing if you wish.
Personal data is processed both manually and electronically in accordance with the above-mentioned purposes and in compliance with current regulations. We permit only authorized Kroll employees and Third-Party processors to have access to your information. Such employees and Third-Party processors are appropriately designated and trained to process data only according to the instructions we provide them.
Kroll will retain personal data for a reasonable period, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period necessary to comply with state, local, federal regulations, or country specific regulations and requirements, and in accordance with Kroll’s Document Retention Schedule.
We only share your personal data with your consent or in accordance with this policy. We will not otherwise share, sell or distribute any of the information you provide to us except as described in this Privacy Notice.
Kroll is a global firm with operations in over 30 countries. Personal information may be transferred, accessed and stored globally as necessary for the uses stated above in accordance with this notice, and in compliance with local regulations.
Personal Data may be transferred to or processed in locations outside of the European Economic Area (EEA), some of which have not been determined by the European Commission to have an adequate level of data protection. In that case, for personal data subject to European data protection laws, we take measures designed to provide the level of data protection required in the EU, including ensuring transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission, or another adequate transfer mechanism. Kroll entities have entered into intragroup transfer agreements based on the Standard Contractual Clauses which allows for the processing and transfer of personal data.
Where we receive requests to disclose personal data from law enforcement or regulators, we carefully validate these requests, including reviewing the legality of any order and challenging the order if there are grounds under the law to do so, before any personal data is disclosed.
Depending on the laws of the jurisdiction governing the processing of your personal data, you may have certain rights under applicable data protection laws including:
Please contact [email protected] to request access, rectification, or erasure, or to restrict processing, to object to processing, to request data portability. Please note that Kroll cannot facilitate the exercise of your rights without proper verification of your identity.
Subject to legal considerations or certain exemptions, we may not always be able to address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Requests received via post may be delayed due to limited office access during the Covid-19 pandemic. Please contact us by email to ensure your request is received in a timely manner.
Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.
Kroll does not make automated decisions using personal data. If automated decisions are to be made, affected persons will be given an opportunity to express their views on the automated decision in question and object to it.
If you choose not to provide certain personal information, it may be an impediment to the exchange of information necessary for the execution of the contract or provision of services, and we may not be able to provide you with some services and you may not be able to participate in some of the activities on our website(s).
We are not responsible for the privacy practices of any non-Kroll operated websites, mobile apps or other digital services, including those that may be linked through Kroll websites or services, and we encourage you to review the privacy policies or notices published thereon.
Please contact us at Kroll with questions, concerns, or complaints:
Requests received via post may be delayed due to limited office access during the Covid-19 pandemic. Please contact us by email to ensure your request is received in a timely manner.
Kroll Corporate Headquarters
55 E 52 Street
New York, NY 10055
[email protected]
If you are in the EU:
Kroll EU Data Protection Officer: Daniela Mosca
For data subjects located in the EU: if we are not able to satisfactorily resolve your questions, concerns, or complaints, or if you believe that the processing of your personal data infringes on your rights under applicable data protection laws, you have the right, without prejudice to any other administrative or judicial remedies, to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement. Contact information for the supervisory authorities may be found here: EU Data Protection Authorities
Kroll Cayman Islands Representative
Where Kroll processes personal data in the Cayman Islands, the Cayman Islands local representative, pursuant to the Cayman Islands Data Protection Act will be Kroll Advisory (Cayman) Ltd.