S&P Global Ltd. and its subsidiaries and affiliates (collectively “S&P Global”) and your company (“you” or “Customer”) may have entered into an agreement for the provision of services (“Agreement”) involving your data which potentially includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household (“Personal Information”).
If S&P Global receives, or will receive, Personal Information under the Agreement, S&P Global is bound by the substantive requirements of applicable data protection laws, rules, and regulations that govern the processing of Personal Information (collectively, “Data Protection Laws”). This means that if S&P Global is processing Personal Information subject to Data Protection Laws on your behalf (“Customer Personal Information”) S&P Global shall comply with the terms of this Policy.
- Definitions. For purposes of this Policy, the following terms shall have the meanings set forth below:
- “Data Subject” means the identified or identifiable individual to whom Personal Information relates.
- “Process” means any operation or set of operations that is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction.
- “Subprocessor” means any third party appointed by or on behalf of S&P Global to Process Customer Personal Information.
- Processing of Personal Information
- S&P Global shall only Process Customer Personal Information (i) on behalf of Customer, (ii) for the limited and specified purpose of performing the Services, and (iii) in accordance with the terms (and to satisfy our obligations) set out in the Agreement, this Policy, and any other written terms agreed with Customer from time to time. The foregoing documents set out the subject-matter, duration, nature, purpose, types of Personal Information, categories of Data Subjects, and the obligations and rights of Customers relating to its Processing of Customer Personal Information.
- S&P Global shall comply with its obligations under applicable Data Protection Laws, including providing the same level of privacy protection required under applicable Data Protection Laws. S&P Global shall notify Customer if it determines it can no longer meet its obligations under applicable Data Protection Laws.
- S&P Global shall not:
- retain, use, or disclose Customer Personal Information for any purpose other than the purpose of performing its obligations under the Agreement, which for the avoidance of doubt prohibits S&P Global from retaining, using, or disclosing Customer Personal Information outside of the direct business relationship between S&P Global and Customer;
- share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Customer Personal Information to another person or entity for: (a) monetary or other valuable consideration; or (b) cross-context behavioral advertising for the benefit of a business in which no money is exchanged; or
- combine Customer Personal Information with Personal Information S&P Global receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to applicable Data Protection Laws.
- Confidentiality. S&P Global requires that the people it authorizes to Process Customer Personal Information are under appropriate obligations of confidentiality.
- Cooperation Concerning Data Subjects. S&P Global will cooperate with the reasonable requests of Customer (at Customer’s reasonable expense) to help Customer fulfill its obligations under applicable Data Protection Laws to respond to requests by Data Subjects to access, modify, rectify, or remove their Personal Information.
- Security. S&P Global shall implement appropriate technical and organizational safeguards to protect Customer Personal Information and shall ensure that all such safeguards comply with applicable Data Protection Laws. In assessing the appropriate level of security, S&P Global shall take into account the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Customer Personal Information (“Breach”). In the event of a Breach impacting Customer Personal Information, S&P Global shall notify Customer without undue delay after becoming aware of such Breach where required by applicable Data Protection Laws.
- Subprocessing. S&P Global requires that each of its Subprocessors that may have access to Customer Personal Information agrees to provide at least the same level of protection as is described in this Policy. A list of our Subprocessors can be found here.
- Deletion of Data. Upon termination or expiration of the Agreement, S&P Global will delete or return all Customer Personal Information to the Customer (at Customer’s reasonable expense), unless S&P Global is permitted to retain it or is otherwise required to retain it by applicable laws, regulations or bona fide audit and compliance policies. Customer may request a quote of the reasonable fee from S&P Global and S&P Global will provide Customer with a quote for reasonable fees to comply with this request.
- Audits. Upon reasonable request by Customer and where required by applicable Data Protection Laws, S&P Global will cooperate to provide information necessary to demonstrate its compliance with this Policy, as well as any applicable Data Protection Laws, or to conduct audits of the Customer Personal Information held by S&P Global. S&P Global will typically agree to such audits on the following basis: (a) audits may only occur once per calendar year and during normal business hours, and only after reasonable notice to S&P Global (not less than 30 business days); (b) audits will be conducted by Customer or an appropriate independent auditor appointed by Customer (not being a competitor of S&P Global) in a manner that does not have any adverse impact on S&P Global’s normal business operations; (c) Customer and/or its representatives will comply with S&P Global’s standard safety, confidentiality and security procedures in conducting any such audits and shall not have access to any proprietary or third party information or data; (d) any records, data or information accessed by the Customer and/or its representatives in the performance of any such audit will be deemed to be the confidential information of S&P Global, as applicable, and may be used for no other reason than to assess S&P Global’s compliance with the terms of this Policy (in connection with the foregoing, S&P Global may require Customer and/or its representatives to enter into a customary confidentiality agreement prior to any such audit); and (e) to the extent any such audit incurs or is reasonably likely to incur in excess of 10 hours of S&P Global personnel time, S&P Global shall be entitled to charge Customer a reasonable hourly fee for any such excess time. Customer may request a quote of the reasonable hourly fee from S&P Global and, if a quote is requested by Customer, the audit will not proceed without Customer’s prior approval of such quote.
- S&P Global acknowledges that Customer may have the right under applicable Data Protection Laws, upon reasonable advanced notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information by S&P Global.
If you would like an executed version of this policy, click here for a downloadable and executable PDF version, sign and email to your usual account representative.