Duff & Phelps LLC, and all operating affiliates and subsidiaries based in the United States (collectively "D&P")*, comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. D&P has certified that it adheres to the Privacy Shield Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. If there is any conflict between this policy and the Privacy Shield Privacy Principles, the Privacy Shield Privacy Principles shall govern. The US Federal Trade Commission has jurisdiction over D&P’s compliance with this Policy and the EU-U.S. and Swiss-U.S. Privacy Shield Framework. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
This Privacy Shield Policy applies to personal data transferred from European Union member countries and Switzerland to D&P’s operations in the U.S. in reliance on the Privacy Shield framework. Processing of personal data may also be subject to local laws and regulations, or to other D&P privacy policies, which are generally provided at the time of data collection or as soon as practical thereafter. Personal data covered by this Privacy Shield Policy shall not be collected, used, or disclosed in a manner contrary to this policy.
Purpose of Data Processing
D&P processes personal data for the purpose of providing client services. Personal Data relating to clients is collected from clients who provide it to us in connection with our provision of services to those clients. Client data is processed in the normal conduct of our business relationship with the client, to perform the services requested by and contracted with our clients.
D&P also processes personal data for the purposes of recruitment, employment, and marketing, or for other purposes, which will be disclosed at the time we collect personal data.
At the time of data collection, or as soon as practical thereafter, D&P notifies data subjects about its data practices regarding personal data, including the types of personal data it collects about them, the purposes for which it collects and uses such personal data, the types of third parties to which it discloses such personal data and the purposes for which it does so, the rights of data subjects to access their personal data, and the choices and means that D&P offers for limiting its use and disclosure of such personal data.
D&P provides individuals with notice and an opportunity to “opt-out” if such personal data is to be:
- disclosed to a third party (other than a third party acting on behalf of D&P) or
- used for a reason that is incompatible with the purposes for which it was originally collected.
Individuals for whom D&P may process Personal Data are entitled to obtain confirmation of whether his/her Personal Data are being processed, access the information held, and ask us to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the laws.
Individuals may request access as provided above via email to: [email protected]
Transfer of Personal Data
D&P may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of D&P. Such third parties have access to Personal Data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. D&P requires these third parties to undertake security measures consistent with the protections specified in this Policy.
D&P will remain responsible for the processing of personal data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf, unless D&P proves that it is not responsible in an event giving rise to damage.
D&P takes reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. We will permit only authorized employees, who are trained in the proper handling of personal information to have access to that information. Employees who violate our security and privacy policies will be subject to our disciplinary process. We employ security measures to protect your information from access by unauthorized persons and against unlawful processing, accidental loss, destruction and damage.
Data Integrity and Purpose Limitation
D&P will retain Personal Data for a reasonable period of time, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period of time necessary to comply with state, local, federal regulations, or country specific regulations and requirements, and in accordance with D&P’s Document Retention Schedule.
We will not use your information in a manner that is incompatible with the purpose for which it was originally collected without providing you with notice and an opportunity to opt-out.
Disclosure/Sharing of Personal Data
D&P may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
For further information, questions or complaints regarding this Policy, please contact Duff & Phelps at:
Duff & Phelps Headquarters
55 E 52 Street
New York, NY 10055
D&P EU and Swiss Data Protection Officer
Email: [email protected]
Post: Daniela Mosca at Duff & Phelps REAG SpA,
Centro Direzionale Colleoni, Palazzo Cassiopea 3, 7th Floor, Via Paracelso 26, 20864 Agrate Brianza (MB) - Italy
Enforcement and Dispute Resolution
Individuals are encouraged to raise any complaints regarding the processing of personal data to D&P. For complaints that cannot be resolved between D&P and a complainant in the EU, D&P has agreed to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the EU-U.S. Privacy Shield. Data subjects in the European Union may contact the independent recourse mechanism listed below:
For complaints that cannot be resolved between D&P and the complainant in Switzerland, D&P has agreed to participate in the dispute resolution procedures set forth by the Swiss Federal Data Protection and Information Commissioner (FDPIC) to resolve disputes pursuant to the Swiss-U.S. Privacy Shield. Data subjects in Switzerland may contact the independent recourse mechanism listed below:
D&P will cooperate with the applicable data protection authority in the investigation and resolution of complaints brought under the Privacy Shield. D&P will comply with any advice given by the EU DPAs or the FDPIC where the applicable authority takes the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the applicable authority with written confirmation that such action has been taken.
If a dispute or complaint cannot be resolved by D&P nor by the EU Data Protection authorities or the Swiss FDPIC, a data subject in the EU or Switzerland has the right to require that D&P enter into binding arbitration pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield.
Duff & Phelps U.S. Entities:
- Duff & Phelps LLC
- American Appraisal Associates, LLC
- Prime Clerk, LLC
- Kroll Associates, Inc.
- Kroll Cyber Security, LLC
- Kroll Information Assurance, LLC
Last updated December 5, 2019.