S&P Global Policy for the Processing of Data Governed by the GDPR

The relevant S&P Global entity that provides the products or services and its affiliates (“S&P Global”) may collect, process or handle Personal Data relating to individuals in the European Economic Area, Switzerland and/or the United Kingdom (the “Personal Data”) on behalf of its customers and its affiliates, where applicable (“customer”).

Although S&P Global’s relationship with its customers is typically governed by its general terms and conditions and/or a master agreement, which includes order forms, exhibits, schedules and addenda (the “Agreement”), S&P Global is also legally bound under the EU General Data Protection Regulation 2016/679 (the “GDPR”) and the UK Data Protection Act 2018 (“UK GDPR”), where they apply, concerning the manner in which it collects, uses, and processes Personal Data. This Policy describes S&P Global’s commitment to the processing of Personal Data under the GDPR and the UK GDPR.

If the United Kingdom (“UK”), Switzerland, and/or European Economic Area (“EEA”) member state law applicable to a specific S&P Global customer requires that this Policy be appended to the Agreement, then S&P Global will execute a version of this Policy upon written request. Please contact your usual account representative or applicable S&P Global Division if you would like an executable version of this Policy.

  1. Appropriate Technical and Organizational Measures. When S&P Global processes Personal Data on behalf of a customer, S&P Global implements appropriate technical and organizational measures to satisfy the requirements of the GDPR and UK GDPR, to ensure the level of security of Personal Data is appropriate to the level of risk, and to help ensure the protection of the rights of the data subject. 
  2. Subprocessing. Customers may provide S&P Global specific or general written authorisation to utilize subprocessors. S&P Global requires that each of its subprocessors that may have access to Personal Data agrees to provide at least the same level of protection as is described in this Policy. To the extent required by law, S&P Global remains liable to its customers for any actions by its subprocessors that impact any rights guaranteed under the GDPR and/or UK GDPR. A list of our Subprocessors can be found here.
  3. Written Instructions. S&P Global only processes Personal Data in accordance with the terms (and to satisfy our obligations) set out in any Agreement, this Policy, the S&P Global Privacy Policy and any other written terms agreed with customer from time to time. The foregoing documents set out the subject-matter, duration, nature, purpose, types of Personal Data, categories of data subjects, and the obligations and rights of S&P Global’s customers relating to its processing of such Personal Data. 
  4. Transfers to non-EEA Countries. In connection with certain of its products and services, S&P Global confirms that Personal Data may be transmitted outside of the EEA, Switzerland and the UK. However, S&P Global will only transfer Personal Data provided it has a legal basis to do so under applicable law, such as by offering to customers the SCCs or the UK Addendum.

    The SCCs are pre-signed by S&P Global and immediately available to customers for signing and returning. To download a copy of the SCCs, click here. The UK Addendum, which incorporates the SCCs, can be downloaded by clicking here.
  5. Confidentiality. S&P Global requires that the people it authorizes to process Personal Data are under appropriate obligations of confidentiality. 
  6. Cooperation Concerning Data Subjects. S&P Global cooperates with the reasonable requests of its customers (at the customer’s reasonable expense) to help them fulfill their obligations under the GDPR and the UK GDPR to respond to requests by data subjects to access, modify, rectify, or remove their Personal Data. 
  7. Cooperation Concerning Customer Documentation. S&P Global cooperates with the reasonable requests of its customers to provide information necessary to demonstrate compliance with this Policy and the GDPR and UK GDPR or to conduct audits of the Personal Data held by S&P Global that was received from the customer. S&P Global will typically agree to such audits on the following basis: (a) audits may only occur once per calendar year and during normal business hours, and only after reasonable notice to S&P Global (not less than 30 business days); (b) audits will be conducted by customer or an appropriate independent auditor appointed by customer (not being a competitor of S&P Global) to conduct audits, in a manner that does not have any adverse impact on S&P Global’s normal business operations; (c) customer and/or its representatives will comply with S&P Global’s standard safety, confidentiality and security procedures in conducting any such audits and shall not have access to any proprietary or third party information or data; and (d) any records, data or information accessed by the customer and/or its representatives in the performance of any such audit will be deemed to be the confidential information of S&P Global, as applicable, and may be used for no other reason than to assess S&P Global’s compliance with the terms of this Policy (in connection with the foregoing, S&P Global may require customer and/or its representatives to enter into a customary confidentiality agreement prior to any such audit); (e) to the extent any such audit incurs or is reasonably likely to incur in excess of 10 hours of S&P Global personnel time, S&P Global shall be entitled to charge customer a reasonable hourly fee for any such excess time. Customer may request a quote of the reasonable hourly fee from S&P Global and, if a quote is requested by customer, the audit will not proceed without customer’s prior approval of such quote.
  8. Personal Data Breach. In the event of a Personal Data breach under the GDPR or the UK GDPR, S&P Global will notify its applicable customers without undue delay after becoming aware of the breach. Such notification(s) may be delivered to an email address provided by customer or, at S&P Global’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is responsible for ensuring that any email address for notifications provided by customer is current and valid. S&P Global will take reasonable steps to provide its customers with information that they may reasonably require to comply with their obligations to notify impacted data subjects or supervisory authorities. 
  9. Deletion of Data; Termination and Variation. At the termination of a customer’s relationship with S&P Global, S&P Global will delete or return all Personal Data to the customer, unless S&P Global is permitted to retain it or is otherwise required to retain it by applicable laws, regulations or bona fide audit and compliance policies. Customer may request a quote of the reasonable fee from S&P Global and S&P Global will provide customer with a quote for reasonable fees to comply with this request. 

    This Policy entered into effect on May 25, 2018 and will remain in effect until, and automatically expire upon, deletion of all Personal Data by S&P Global. S&P Global reserves the right to reasonably amend and update this Policy from time to time. S&P Global will give no less than 30 days’ notice of any such changes, which shall be included on the S&P Global website.
  10. Governing Law. This Policy shall be governed by the governing law (and subject to the jurisdiction(s)) of the relevant Agreement and otherwise subject to the limitations and remedies expressly set out in the Agreement.

If you have any queries about this Policy, please contact your usual account representative.