The relevant S&P Global entity that provides the products or services and its affiliates (“S&P Global”) may collect, process or handle Personal Data relating to individuals in the European Economic Area (“EEA”), Switzerland and/or the United Kingdom (“UK”) (the “Personal Data”) on behalf of its customers and its affiliates, where applicable (“Customer”).
Although S&P Global’s relationship with its Customers is typically governed by its general terms and conditions and/or a master agreement, which includes order forms, exhibits, schedules and addenda (the “Agreement”), S&P Global is also legally bound by the requirements of applicable data protection laws that govern the processing of Customer Personal Data under the European Union General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 and the UK GDPR, and the Swiss Federal Act on Data Protection (“FADP”) where they apply (“European Data Protection Laws”).
This Policy describes S&P Global’s commitment to the processing of Customer Personal Data under the European Data Protection Laws where they apply.
- Appropriate Technical and Organizational Measures. When S&P Global processes Personal Data on behalf of a Customer, S&P Global implements appropriate technical and organizational measures to satisfy the requirements of applicable European Data Protection Laws, to ensure the level of security of Customer Personal Data is appropriate to the level of risk, and to help ensure the protection of the rights of the data subject.
- Sub-processing. Customers may provide S&P Global specific or general written authorisation to utilize sub-processors. S&P Global requires that each of its sub-processors that may have access to Customer Personal Data agrees to provide at least the same level of protection as is described in this Policy. To the extent required by law, S&P Global remains liable to its Customers for any actions by its sub-processors that impact any rights guaranteed under applicable European Data Protection Laws. A list of our Sub-processors can be found here.
- Written Instructions. S&P Global only processes Customer Personal Data in accordance with the terms (and to satisfy our obligations) set out in the Agreement, this Policy, the S&P Global Privacy Policy and any other written terms agreed with the Customer from time to time. The foregoing documents set out the subject-matter, duration, nature, purpose, types of Customer Personal Data, categories of data subjects, and the obligations and rights of S&P Global’s Customers relating to its processing of Customer Personal Data.
- Transfers to non-EEA Countries. In connection with certain of its products and services, S&P Global confirms that Customer Personal Data may be transmitted outside of the EEA, Switzerland, and the UK. However, S&P Global will only transfer Customer Personal Data provided it has a legal basis to do so under applicable European Data Protection Laws and on the basis of a lawful transfer mechanism such as the Standard Contractual Clauses (“SCCs”) and the UK Addendum. The relevant SCCs and the UK Addendum are appended to the Agreement that S&P Global has with Customer.
- Confidentiality. S&P Global requires that the people it authorizes to process Customer Personal Data are under appropriate obligations of confidentiality.
- Cooperation Concerning Data Subjects. S&P Global cooperates with the reasonable requests of its Customers (at the Customer’s reasonable expense) to help them fulfill their obligations under European Data Protection Laws to respond to requests from data subjects to access, modify, rectify, or remove their Personal Data. Customer may request a quote for this reasonable fee from S&P Global, and S&P Global will provide Customer with such a quote.
- Cooperation Concerning Customer Documentation. S&P Global cooperates with the reasonable requests of its Customers to provide information necessary to demonstrate compliance with this Policy and the European Data Protection Laws or to conduct audits of the processing of Customer Personal Data by S&P Global. S&P Global will typically agree to such audits on the following basis:
  - audits may only occur once per calendar year and during normal business hours, and only after reasonable notice to S&P Global (not less than 30 business days);
  - audits will be conducted by Customer or an appropriate independent auditor appointed by Customer (not being a competitor of S&P Global) to conduct audits, in a manner that does not have any adverse impact on S&P Global’s normal business operations;
  - Customer and/or its representatives will comply with S&P Global’s standard safety, confidentiality and security procedures in conducting any such audits and shall not have access to any proprietary or third party information or data;
  - any records, data or information accessed by the Customer and/or its representatives in the performance of any such audit will be deemed to be the confidential information of S&P Global, as applicable, and may be used for no other reason than to assess S&P Global’s compliance with the terms of this Policy. In connection with the foregoing, S&P Global may require Customer and/or its representatives to enter into a customary confidentiality agreement prior to any such audit;
  - to the extent any such audit incurs or is reasonably likely to incur in excess of 10 hours of S&P Global personnel time, S&P Global shall be entitled to charge Customer a reasonable hourly fee for any such excess time. Customer may request a quote of the reasonable hourly fee from S&P Global and, if a quote is requested by Customer, the audit will not proceed without Customer’s prior approval of such quote.
- Personal Data Breach. In the event of a Personal Data breach under the European Data Protection Laws, S&P Global will notify its applicable Customers without undue delay after becoming aware of the breach. Such notification(s) may be delivered to an email address provided by Customer or, at S&P Global’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is responsible for ensuring that any email address provided to S&P Global for notifications is current and valid. S&P Global will take reasonable steps to provide its Customers with information that they may reasonably require to comply with their obligations to notify impacted data subjects or supervisory authorities.
- Deletion of Data; Termination and Variation. At the termination of a Customer’s relationship with S&P Global, S&P Global will delete or return all Customer Personal Data to the Customer, unless S&P Global is permitted to retain it or is otherwise required to retain it under applicable laws, regulations or bona fide audit and compliance policies.
This Policy is effective starting May 25, 2018 and will remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by S&P Global. S&P Global reserves the right to reasonably amend and update this Policy from time to time to reflect any updates under the European Data Protection Laws. S&P Global will give no less than 30 days’ notice of any such changes, which shall be included on the S&P Global website.
- Governing Law. This Policy shall be governed by the governing law and subject to the jurisdiction(s) of the relevant Agreement and otherwise subject to the limitations and remedies expressly set out in the Agreement.
If you have any queries about this Policy please contact your usual account representative.