Legal
KBRA VDR Privacy Statement
We are Kroll Bond Rating Agency Europe Limited, a company incorporated in Ireland with registered office at 6-8 College Green, Dublin 2, Ireland (“KBRA Europe”, “we”, “us”, “our”).
This privacy statement applies to all users accessing KBRA Europe’s virtual data room (hosted by Finsight Group, Inc) (“VDR”).
KBRA Europe is the data controller of your personal data. In certain instances, KBRA Europe will act as a joint controller with (1) the party who provided you with access to this VDR and (2) certain KBRA affiliates. Please see below for further detail as to when this applies.
KBRA Europe will process your personal data in accordance with applicable European (and where applicable, UK) data protection law including Regulation (EU) 2016/979 (General Data Protection Regulation) (“GDPR”) and where applicable the UK GDPR.
What Information Do We Collect?
The personal data that we may collect and otherwise process about you is your name, job title, phone number, email address (“Identity Data”), and your IP address, log activity in using the VDR (time of login, document access and where applicable to your permission level, download activity, time spent viewing a document and, depending on your user permission level, records of messages generated using the VDR when you create an account for another user, share a link to, or upload a document to the VDR) geo-location, your IP address, and your encrypted password (“Technical Data”).
Why we use your Personal Data:
We process your personal data for the following purposes and for the following legal basis:
| Purpose | Categories of Personal Data | Lawful Basis | |
|---|---|---|---|
| (1) | Setting up user accounts and monitoring the access to and the distribution of the credit rating by third parties and clients. | Identity Data Technical Data | Necessary for compliance with a legal obligation to which KBRA Europe is subject (obligations under Credit Rating Agencies Regulation and associated European Securities and Markets Authority (ESMA) guidelines). |
| (2) | Making a credit rating available to our client(s) and our/their authorised and permitted third party recipients and managing the contractual obligations in the contract with our client. | Identity Data Technical Data | Necessary for (i) compliance with a legal obligation to which KBRA Europe is subject (ii) the purposes of legitimate interests pursued by KBRA Europe, specifically KBRA Europe’s legitimate interests in (a) performing our obligations and enforcing our rights under a contract with our client/the party who provided you with access to the VDR (b) providing credit rating services to our client(s) and making such rating available to the client and its permitted recipients, provided such interests are not overridden by the rights and interests of the data subjects concerned. |
| (3) | Security purposes - investigating suspicious behaviour/use of the VDR, or ejecting unauthorised/breaching users of the VDR. | Identity Data Technical Data | Necessary for the purposes of legitimate interests pursued by KBRA Europe, specifically KBRA Europe's legitimate interests in managing and administering the VDR and responding to requests from clients and users of the VDR, provided such interests are not overridden by the rights and interests of the data subjects concerned. |
| (4) | Identifying if you are an employee of an investor connected to a rating provided by KBRA Europe which is in the VDR and contacting you in connection with the rating. | Identity Data Technical Data | Necessary for the purposes of legitimate interests pursued by KBRA Europe, specifically KBRA Europe's legitimate interests in understanding and improving investor experience of its services, provided such interests are not overridden by the rights and interests of the data subjects concerned. |
Joint Controllers
In respect of the processing activities listed at (1) above, KBRA Europe acts as a joint controller with the party who engaged it to provide the credit rating and who is authorising you to access the VDR, where that party is also subject to the same legal obligation.
In respect of the processing activities listed at (2) above, KBRA Europe acts as a joint controller with KBRA Holdings, LLC.
In respect of the processing activities listed at (3) and (4) above, KBRA Europe acts as a joint controller with KBRA Holdings, LLC, and as applicable to the specific credit rating, Kroll Bond Rating Agency UK Limited and/or Kroll Bond Rating Agency, LLC.
You are entitled to exercise your rights as a data subject against any or all of these joint controllers to the extent that it or they act as a joint controller of your personal data, but you are invited to please direct any such requests KBRA Europe.
How we collect your data:
We collect the data from you in the following ways:
(1) directly, where we interact directly with you in setting up or administering your VDR account; and/or
(2) automatically through accessing data collected by the VDR when you use the VDR where someone else has invited you to the VDR or provided you with access to the VDR.
Where you provide us with personal data relating to another person, you should ensure that you have that person’s consent or the necessary lawful basis to provide their information for use in accordance with applicable data protection law.
International Transfers
KBRA Europe shares your personal data
- within the KBRA group of companies as necessary to perform the purposes described above
- through its affiliate, to Finsight Group, Inc and its sub-processors, to provide the VDR.
When transferring your personal data, KBRA Europe will transfer your data subject to appropriate safeguards as required by applicable law, and where required to do so by applicable law, KBRA Europe will ensure that recipients have entered into specific contracts approved by the European Commission to give your personal data the same level of protection it has in Europe, or confirm that the recipient is a member of the Data Privacy Framework, which requires the member to provide similar protection to personal data shared between Europe and the US.
How long we hold your Personal Data:
We will hold your personal data for so long as necessary, for so long as is required to comply with our legal obligations and regulatory guidance to which we are subject, and for the exercise of and to defend against legal claims which maybe brought by or against us.
Data Security
We, our affiliates and our service providers (in particular Finsight Group, Inc who provide the underlying VDR and manage the controls) have in place appropriate technical and security measures to protect an appropriate level of protection for your personal data.
Your Legal Rights
Under applicable data protection law you have the rights set out below. If you wish to exercise any of your rights in this regard please email [email protected], but please note these rights are not absolute. We will respond to any request in accordance with applicable data protection law, other applicable laws and regulatory guidance or where the processing of your personal data is necessary to comply with a legal obligation or for the exercise or defense of legal claims.
- You can object to the processing of your personal data where our legal basis for processing your personal data is our legitimate interests.
- You can request access to a copy of your personal data held by us and details of the processing of your personal data by us. In the European Union and United Kingdom, an initial copy of your personal data is provided free of charge, but we may charge a reasonable fee, based on administrative costs, for any further copies that you request.
- You can ask to have your personal data corrected if it is inaccurate or incomplete.
- You can request us to delete your personal data in certain circumstances.
- You can restrict our processing of your personal data in certain circumstances, including where the processing is unlawful or no longer necessary.
- You can request the transfer of your personal data to another party. We will do this in a structured, commonly used, machine-readable format.
- You can ask us not to process your personal data for marketing purposes.
- You can complain to the relevant data protection supervisory authority, if you think that we are not complying with our obligations in relation to our processing of your personal data.
The above rights may not be exercised in certain circumstances, such as when the processing of your personal data is necessary to comply with a legal obligation or for the exercise or defense of legal claims. If you wish to exercise any of your rights in this regard, please email [email protected]. All requests will be dealt with promptly and any information to which you are entitled will be provided within a reasonable timeframe as required by applicable law, subject to the exemptions stipulated in applicable data privacy laws. We may request proof of identification to verify your request.
What Happens When There Are Changes to this Privacy Statement?
We may amend this Privacy Statement from time to time. If we make any material changes in the way we collect or use personal data, we will notify you by posting a new privacy statement when you next login into the VDR or sending you an email. You will find the most up to date version displayed on each new session login to the VDR.
What If I Have Questions or Concerns?
If you have any questions or concerns regarding privacy using the VDR, please send us a detailed message to [email protected]. We will make every effort to resolve your concerns.
Last Updated: 8 February 2024