Kroll Policies

Duff & Phelps EU-U.S. Privacy Shield Policy

Duff & Phelps LLC, and all operating affiliates and subsidiaries based in the United States (collectively "D&P")*, comply with the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. D&P has certified that it adheres to the Privacy Shield Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. If there is any conflict between this policy and the Privacy Shield Privacy Principles, the Privacy Shield Privacy Principles shall govern. The US Federal Trade Commission has jurisdiction over D&P’s compliance with this Policy and the EU-U.S. Privacy Shield Framework. To learn more about the Privacy Shield program, and to view our certification page, please visit

This Privacy Shield Policy applies to personal data transferred from European Union member countries to D&P’s operations in the U.S. in reliance on the Privacy Shield framework.  Processing of personal data may also be subject to local laws and regulations, or to other D&P privacy policies, which are generally provided at the time of data collection or as soon as practical thereafter. Personal data covered by this Privacy Shield Policy shall not be collected, used, or disclosed in a manner contrary to this policy.

Purpose of Data Processing

D&P processes personal data for the purpose of providing client services. Personal Data relating to clients is collected from clients who provide it to us in connection with our provision of services to those clients. Client data is processed in the normal conduct of our business relationship with the client, to perform the services requested by and contracted with our clients.

D&P also processes personal data for the purposes of recruitment, employment, and marketing, or for other purposes, which will be disclosed at the time we collect personal data.


At the time of data collection, or as soon as practical thereafter, D&P notifies data subjects about its data practices regarding personal data, including the types of personal data it collects about them, the purposes for which it collects and uses such personal data, the types of third parties to which it discloses such personal data and the purposes for which it does so, the rights of data subjects to access their personal data, and the choices and means that D&P offers for limiting its use and disclosure of such personal data.


D&P provides individuals with notice and an opportunity to “opt-out” if such personal data is to be:

  1. disclosed to a third party (other than a third party acting on behalf of D&P) or
  2. used for a reason that is incompatible with the purposes for which it was originally collected.


Individuals for whom D&P may process Personal Data are entitled to obtain confirmation of whether his/her Personal Data are being processed, access the information held, and ask us to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the laws.

Individuals may request access as provided above via email to: [email protected]

Transfer of Personal Data

D&P may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of D&P. Such third parties have access to Personal Data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. D&P requires these third parties to undertake security measures consistent with the protections specified in this Policy.

D&P will remain responsible for the processing of personal data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf, unless D&P proves that it is not responsible in an event giving rise to damage.


D&P takes reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. We will permit only authorized employees, who are trained in the proper handling of personal information to have access to that information. Employees who violate our security and privacy policies will be subject to our disciplinary process. We employ security measures to protect your information from access by unauthorized persons and against unlawful processing, accidental loss, destruction and damage.

Data Integrity and Purpose Limitation

D&P will retain Personal Data for a reasonable period of time, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period of time necessary to comply with state, local, federal regulations, or country specific regulations and requirements, and in accordance with D&P’s Document Retention Schedule.

We will not use your information in a manner that is incompatible with the purpose for which it was originally collected without providing you with notice and an opportunity to opt-out.

Disclosure/Sharing of Personal Data

We will not share, sell or distribute any of the information you provide to us without your consent, except as described in this Privacy Policy. The information provided to D&P will be available to D&P, as well as to affiliated companies within the Duff & Phelps group who act for us for the purposes set out in this policy and who are subject to this Policy. D&P may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of D&P. If D&P’s business enters into a joint venture with or is merged with another business entity, your information may be disclosed to our new business partners. 

D&P may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

Contact Information

For further information, questions or complaints regarding this Policy, please contact Duff & Phelps at:

Duff & Phelps Headquarters
55 E 52 Street
New York, NY 10055
[email protected]

D&P EU Data Protection Officer
Email: [email protected]
Telephone +
Post: Daniela Mosca at Duff & Phelps REAG SpA, 
Centro Direzionale Colleoni, Palazzo Cassiopea 3, 7th Floor, Via Paracelso 26, 20864 Agrate Brianza (MB) - Italy

Enforcement and Dispute Resolution

Individuals are encouraged to raise any complaints regarding the processing of personal data to D&P. For complaints that cannot be resolved between D&P and the complainant, D&P has agreed to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the EU-U.S. Privacy Shield. Data subjects in the European Union may contact the independent recourse mechanism listed below:

EU Data Protection Authorities (DPAs)

D&P will cooperate with the EU DPAs in the investigation and resolution of complaints brought under the Privacy Shield. D&P will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.

If a dispute or complaint cannot be resolved by D&P nor by the EU Data Protection authorities, a data subject in the EU has the right to require that D&P enter into binding arbitration pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield. 

Duff & Phelps U.S. Entities:

  • Duff & Phelps LLC
  • American Appraisal Associates, LLC
  • Ceteris US, LLC
  • CounselWorks, LLC
  • Duff & Phelps Securities LLC
  • Kroll Associates, Inc.
  • Kroll Cyber Security, LLC
  • Kroll Information Assurance, LLC

Last updated May 2, 2018.