Enhanced Due Diligence Privacy Statement

Who we are
What this privacy statement covers
What the EDD Service is
What personal information we process
How we use information about you
Who we disclose your personal information to
Why information may be transferred abroad
How we secure your personal information
How long we keep your information
Automated Decision Making
Your rights
How to contact us
Changes to this privacy statement

LAST UPDATED: APRIL 7, 2026

“This privacy statement explains how Refinitiv Limited (“Refinitiv”, "we", "us", or "our", acting as a data controller) collects, handles, discloses, stores and protects information about you in the context of the Enhanced Due Diligence service (“EDD Service”).

We encourage you to read this privacy statement thoroughly to understand how we handle your personal information in connection with the EDD Service. We use sub-headings and hyperlinks to help you find specific information that you may be looking for more easily.

This privacy statement also explains who we are, your rights that may be available to you depending on applicable law, and how you can contact us if you have questions about how we handle your personal information. You can also access more information about how the EDD Service works by visiting our EDD information page.

Refinitiv Limited, registered in the United Kingdom, is a member of the London Stock Exchange Group of companies (“LSEG Group”) and the entity responsible as data controller for processing personal information within the EDD Service.

This privacy statement only covers the EDD Service. World-Check, a screening and due diligence solution containing information on Politically Exposed Persons (PEPs) and other individuals and organisations relevant to financial crime and regulatory risk, is used in the provision of the EDD Service. World-Check has its own privacy statement available here.

For our general LSEG Privacy Statement, applicable to information the LSEG Group collects from and about users in connection with its other products, services, websites, platforms, software, applications and events, please refer to the LSEG Privacy Statement.

The EDD Service is a detailed integrity and advanced background check service, which involves us providing reports and information ("Reports") to help financial institutions, corporates, professional services firms, governments, and other EDD customers ("EDD Users") perform due diligence checks ("Checks") on businesses and individuals with whom EDD Users engage in business or other relationships with, including customers, suppliers, joint venture partners, investment opportunities and individuals applying for investment migration programmes, including citizenship by investment (CBI) and residency by investment (RBI) programmes (together, “Investment Migration Programmes”).

EDD Users use Reports to identify potential legal, regulatory, financial, reputational, or other relevant risks associated with a third party. For example, whether they are sanctioned, connected with money laundering, connected with illegal activities or associated with practices otherwise inconsistent with generally accepted principles of good practice. This allows EDD Users to make informed decisions on individuals and entities they do business with, in compliance with any applicable regulatory requirements. It also allows EDD Users to identify reputational and commercial issues that may arise from doing business with certain individuals or entities, therefore helping them avoid entering inappropriate commercial relationships and malpractice. The majority of the Reports ordered by EDD Users (around 90%) relate to legal entities, rather than individuals.

EDD Users make their own decisions about how to use the information in the Reports to conduct their Checks, although our contractual terms require EDD Users to use the information in Reports only for their own internal compliance processes, e.g., to conduct due diligence and other screening activities. If you have any questions about these decisions, please refer them to the relevant EDD User.

We may collect and process your personal information where relevant for Checks to provide the EDD Service. The volume and types of your personal information which we process will vary based on:

the amount of your personal information which is Public Domain Data;
whether a Report is commissioned on you as an individual, or a legal entity you are associated with; and
the type of Report requested by the EDD User (LSEG offers various types of Reports as part of the EDD Service which involve different levels of due diligence being conducted and contain varying levels of information).

For the purpose of this privacy statement:

"Public Domain Data” means personal information that: (1) is or was originally available to the public and typically over the internet; (2) Refinitiv has a reasonable basis to believe is lawfully made available to the general public by or from: (i) the data subject (or consumer or individual to whom the personal information relates), (ii) widely distributed media, or (iii) a person to whom the data subject has disclosed the personal information (provided that Refinitiv does not have knowledge that the data subject has restricted the information to a specific audience); or (3) is or was lawfully made available from records, databases, and/or systems of government agencies, departments, divisions or other operating units, or other organisations or institutions (such as universities or employers) in electronic, paper or any other format. Examples of sources of Public Domain Data include personal information found on: (i) sanction or watch lists; (ii) law enforcement, court, regulatory or other government websites; (iii) political websites and publications such as parliamentary, local government or individual politician websites; (iv) reputable news media and publications; and (v) information sources made public by an individual themselves, for example on their website, blog or any social media application.

“Reference Data” means personal information provided by an organisation or institution (such as universities or employers) in electronic, paper or any other format, where such information is provided with the explicit authorisation or consent of the individual concerned. For example, Reference Data may be used to verify a passport, academic credential, or employment history.

We do not always process all of the categories of personal information listed below in relation to every individual. The categories of personal information processed in connection with the EDD Service will depend on the circumstances of each case.

As part of the EDD Service, we screen all individuals (including children and dependants applying for Investment Migration Programmes) against World-Check, which includes results of a media search. This media dataset comprises publicly available news articles, reports, and other media sources that may reference allegations, investigations, regulatory actions, or other matters relevant to financial crime, integrity, or reputation. Information from media may appear in the EDD Report and be reflected in several categories of personal information listed in the table below.

Information is collected directly from you (the data subject) where we conduct a direct interview (as explained further below), or where you have provided information or documentation to the EDD User as part of an Investment Migration Programme or other due diligence process. This may include EDD User provided documents such as questionnaires, CBI/RBI application forms, or copies of official records (for example, police clearance certificates), which are then shared with us by the EDD User. Otherwise, information is obtained from other sources as listed in the table below.

Category	Details	Source
Identification information	First name Last name Age Date of birth Gender Marital status National Identity or Passport details Citizenship details Personal identification numbers (e.g. social security and national insurance numbers)	Public Domain Data Reference Data LSEG World-Check EDD Users (including information originally provided by you to the EDD User) Vendors engaged by LSEG You (the data subject, only where provided directly to LSEG during an interview)
Contact information	Home or work address(es) (including country of residence and postcode) Telephone numbers Email addresses	Public Domain Data LSEG World-Check EDD Users (including information originally provided by you to the EDD User) Vendors engaged by LSEG You (the data subject, only where provided directly to LSEG during an interview)
Information about any dependents	First name Last name Age Date of birth Gender If relevant, their relationship to the Report subject (e.g., son, daughter, stepchild in the context of a investment-migration Report) Nationality Passport or identification number Place of birth	Public Domain Data LSEG World-Check (only if a dependant is identified in World-Check, e.g., as a child of a PEP - refer to the section on children’s personal data below) EDD Users (including information originally provided by you to the EDD User) You (the data subject, only where provided directly to LSEG during an interview)
Employment information	Contact and identification information Current and past employer details Job title Appointments Nationality Languages Education, qualifications and experience Public roles (including political, diplomatic, religious, judicial, military and trade union roles)	Public Domain Data LSEG World-Check Reference Data EDD Users (including information originally provided by you to the EDD User) You (the data subject, only where provided directly to LSEG during an interview) Vendors engaged by LSEG
Professional reputation and integrity	Opinions or comments from third parties about your business conduct, ethics, trustworthiness, reliability, and general reputation in a business context. This may include their views on the accuracy or legitimacy of your claimed identity, contact details, or background.	Individuals who have experience interacting with you (only for certain business or reputational intelligence Reports; see below). Vendors engaged by LSEG Reference Data
PEP-specific information	Whether you are a PEP or are a close relation or associate of a PEP. Note: a “close relation” of a PEP includes a child of a PEP (refer to the section on children’s personal data below) Marital status Details of PEP relations, associates and dependants Commercial information, such as: Ownership or control of companies, partnerships, or trusts Directorships or executive roles Business ventures in which the individual is a named partner or holds a financial interest Associations with sanctioned entities, including vessels and aircraft	Public Domain Data LSEG World-Check
Financial information	Bank account or card details Billing address	EDD Users (providing documents originally supplied by you as part of an investment migration or other due diligence process)
Litigation and regulatory information	Information about your involvement in civil litigation, bankruptcy or insolvency proceedings, regulatory investigations or enforcement actions, or being listed as a dishonest judgment debtor.	Public Domain Data LSEG World-Check Vendors engaged by LSEG
Sanctions information	Your inclusion on sanctions lists, lists of disqualified directors and other similar lists	Public Domain Data LSEG World-Check
Criminal record information	Actual or alleged money laundering or terrorist financing crime Crimes that are a pre-cursor to money laundering or terrorist financing which are also known as predicate offences (e.g. financial crime, illegal trafficking, environmental offences, smuggling, membership of an organised crime group)	Public Domain Data LSEG World-Check
Social media information	Publicly available content from websites, blogs, or social media applications, but only where such content appears in general internet searches (e.g., Google, Baidu) and is relevant to the Report. We do not routinely search or review specific social media accounts, but may include relevant public posts if they arise in search results and are pertinent to the due diligence Report.	Public Domain Data (only if the individual has made this information publicly available and it is relevant to the Report).
Correspondence	Calls, voice messages, faxes, letters and emails sent between us or made by or to you Times, duration and size of those calls, letter and emails	You (the data subject) Us (LSEG)

For certain types of Reports, we may collect non-public information about you through interviews. These interviews may be conducted either by LSEG directly or by third-party vendors engaged by LSEG, where appropriate and permitted by law. Interviews may involve (a) direct engagement with you, the Report subject (for example, if you are the applicant in a citizenship by investment programme), with your consent; or (b) with individuals who have experience interacting with you, such as business associates or former colleagues, in each case where appropriate and permitted by law. The purpose of such interviews is to help EDD Users assess your suitability for investment migration programmes (including citizenship by investment and residency by investment programmes), or to evaluate any commercial, reputational or regulatory risk before entering into a business or other relationship with you, or an entity you are associated with. Where information is sourced from third parties and not you directly, we require a minimum number of sources (four) and follow a prescriptive set of actions to verify the information obtained. The majority of Reports we provide do not involve carrying out interviews.

In limited circumstances, verification of a home or work address may involve discreet, non intrusive, on the ground fact checking conducted by vetted third party vendors. This may occur in connection with Reports prepared for Investment Migration Programmes, namely citizenship by investment or residency by investment applications, where physical address verification is required as part of the applicable programme requirements or the relevant EDD User’s risk based due diligence process, and desk based verification alone is not considered sufficient in the circumstances.

Category	Details	Source
Identification information	· First name	· Public Domain Data
	· Last name
	· Alias
	· Age
	· Date of birth
	· Place of birth
	· Country of residence, state and province
	· Gender
	· National Identity
	· Passport details
	· Citizenship details
	· Personal identification numbers (e.g. social security and national insurance numbers)
Contact information	· Email address	· Public Domain Data (only where published by Sanctions Authorities)
	· Residential address
	· Telephone number
Employment information	· Current and past employer details	· Public Domain Data
	· Job title
	· Appointments
	· Nationality
	· Education, qualifications and experience
	· Public roles (including political, diplomatic, religious, judicial, military and trade union roles)
PEP-specific information	· Whether you are a PEP or are a close relation or associate of a PEP. Note: a “close relation” of a PEP includes a child of a PEP (refer to the section on children’s personal data below).	· Public Domain Data
	· Marital status
	· Details of PEP relations, associates and dependants
	· Commercial information, such as:
	o Ownership or control of companies, partnerships, or trusts
	o Directorships or executive roles
	o Business ventures in which the individual is a named partner or holds a financial
	ointerest
	o Associations with sanctioned entities, including vessels and aircraft
Financial information	· Bankruptcy or insolvency filings	· Public Domain Data

Sanctions information	· Your inclusion on sanctions lists, lists of disqualified directors and other similar lists	· Public Domain Data

Criminal record information	· Actual or alleged money laundering or terrorist financing crime	· Public Domain Data
	· Crimes that are a precursor to money laundering or terrorist financing, which are also known as predicate offences (e.g. financial crime, illegal trafficking, environmental offences, smuggling, membership of an organised crime group)
Social media information	· Date of birth	· Public Domain Data (only if the individual has made this information publicly available on their social media profile and is used solely as a secondary identifier to corroborate other information. World-Check does not collect usernames, profile photos, posts, comments, likes, shares, hashtags, or metadata from social media.)
	· Business title
	· Occupation details
Objections	· Records of any objections you have provided to us or others	· Public Domain Data
		· World-Check Users
		· Third parties, including vendors engaged by us, individuals who have experience interacting with you and your employer
Correspondence	· Calls, voice messages, faxes, letters and emails sent between us or made by or to you	· You
	· Times, duration and size of those items of correspondence	· Us

In some cases, the personal information we collect includes, depending on specific jurisdictions and their applicable data protection laws, so-called ‘sensitive’ or ‘special categories’ of personal information, such as information relating to your political opinions (for example, if you are a PEP holding a position in a political party) and information relating to your racial or ethnic origin (for example, if this can be reasonably inferred from other information collected about you in preparing Reports, such as your name, location and citizenship). In certain circumstances, we may also process information relating to any criminal offences actually or allegedly committed by you (for example, if these are money-laundering or terrorist financing offences, or pre-cursor crimes to such offences). We explain the basis on which we process this type of personal information below in the ‘How we use your personal information’ section of this statement.

The EDD Service is not aimed at children. In exceptional circumstances, we may handle limited types of children's personal information. This may occur, for example, where a child is:

Included as part of a investment- migration application as a dependant. In such cases, we process the information listed in the “Information about any dependents” section above (such as first name, last name, age, date of birth, gender, relationship to the Report subject, nationality, passport or identification number, and place of birth) to verify the identity of the child and to fulfil due diligence requirements for the relevant citizenship or migration program. We may also conduct checks on education and employment history, and screen them against World-Check, which, includes a media dataset as described above.
Identified as the child or dependant of a Politically Exposed Person (PEP) included in the EDD Report.
Directly named on an official sanctions, law enforcement, or regulatory list.

In these limited circumstances, we only process children's personal information to establish whether they are included on such an official list(s), to confirm, whether they are the child or dependant of a Report subject, and to assess any necessary identification, education, employment, or media information as part of the due diligence process.

Where it is necessary for us to handle children's personal information in these exceptional instances, we will only do so on the basis that it is necessary for reasons of substantial public interest, typically for prevention of unlawful acts, dishonesty and fraud as provided under paragraph 12, Schedule 1 of the UK Data Protection Act 2018 or as required by other applicable data protection laws.

For the purposes of this section, ‘ordinary categories of information’ and ‘sensitive categories of information’ are defined in detail in the ‘What personal information we process’ table above. Subject to variations under applicable data protection laws, a summary is provided here for ease of reference.

Ordinary categories of information include: identification information (e.g., name, date of birth, nationality), contact information, information about any dependents, employment information, financial information, professional information, sanctions information, social media information (where manifestly public), and correspondence.
Sensitive categories of information include: political opinions (e.g., PEP-specific information), racial or ethnic origin (where reasonably inferred), and criminal record information (actual or alleged offences, predicate crimes).

We process ordinary (non special category) personal information in EDD on the basis of our and our customers’ legitimate interests. These include:

enabling EDD Users to carry out due diligence Checks on third parties to make informed decisions in their business dealings;
supporting EDD Users in complying with their regulatory obligations and generally accepted principles of good practice;
reducing compliance, regulatory and commercial risk for EDD Users;
maintaining the integrity, security, accuracy and availability of the EDD Service and supporting efficient, effective due diligence workflows;
allowing us to operate, maintain and deliver an effective and reliable due diligence service relied upon by financial institutions, corporates, professional firms, governments and other EDD User; and• ensuring that conduct such as financial crime, fraud, corruption, sanctions breaches, human trafficking, modern slavery, and other serious misconduct is prevented and detected, benefiting EDD Users, the public and the financial system.

These interests are not overridden by your rights and freedoms, given the significant public interest in preventing financial crime, the nature of the Checks undertaken, and the fact that much of the information is obtained from Public Domain Data or provided through regulated due diligence processes, which you may reasonably expect in the relevant context.

For sensitive categories of information, our primary legal basis for processing is Article 9(2)(g) GDPR (“necessary for reasons of substantial public interest”), as reflected in the UK Data Protection Act 2018 Schedule 1, including substantial public interest conditions relevant to preventing or detecting unlawful acts, dishonesty, fraud and other serious misconduct. Where there is clear evidence that the information has been intentionally made public by you, we may also rely on Article 9(2)(e) GDPR (“manifestly made public”). Criminal offence data is processed where manifestly made public or where necessary for reasons of substantial public interest under UK DPA 2018 Schedule 1 or, in the EU/EEA, where authorised by Union or Member State law providing appropriate safeguards (Article 10 GDPR).

More detailed information on our processing activities and lawful bases is set out in the table below. Please select ‘Show more’ to view this information.

Purpose / Activity	Information We Use	Lawful Basis / Condition
Providing the EDD Service	Ordinary categories of information	Consent (Article 6(1)(a) GDPR), for example where the EDD User obtains it for CBI/RBI screening Legitimate interests (Article 6(1)(f) GDPR)
Providing the EDD Service	Sensitive categories of information	Necessary for reasons of substantial public interest (Article 9(2)(g) GDPR; UK DPA 2018 Schedule 1) Criminal offence data: Processed where manifestly made public or necessary for reasons of substantial public interest under Schedule 1 of the UK DPA 2018, or (in the EU/EEA) where authorised by Union or Member State law providing appropriate safeguards (Article 10 GDPR)
Responding to your requests and enquiries	Ordinary categories of information	Consent (Article 6(1)(a) GDPR) Legitimate interests (Article 6(1)(f) GDPR) Compliance with legal obligations (Article 6(1)(c) GDPR)
Responding to your requests and enquiries	Sensitive categories of information	Necessary for reasons of substantial public interest (Article 9(2)(g) GDPR; UK DPA 2018 Schedule 1) Criminal offence data: Processed where manifestly made public or necessary for reasons of substantial public interest under Schedule 1 of the UK DPA 2018, or (in the EU/EEA) where authorised by Union or Member State law providing appropriate safeguards (Article 10 GDPR)
Exercising our rights and complying with applicable laws (e.g. to defend ourselves from third-party claims and to comply with applicable laws and regulations)	Ordinary categories of information	Compliance with legal obligations (Article 6(1)(c) GDPR) Legitimate interests (Article 6(1)(f) GDPR)
	Sensitive categories of information	Necessary for reasons of substantial public interest (Article 9(2)(g) GDPR; UK DPA 2018 Schedule 1) Criminal offence data: Processed where manifestly made public or necessary for reasons of substantial public interest under Schedule 1 of the UK DPA 2018, or (in the EU/EEA) where authorised by Union or Member State law providing appropriate safeguards (Article 10 GDPR)
Receiving services from our professional advisors	Ordinary categories of information	Compliance with legal obligations (Article 6(1)(c) GDPR) Legitimate interests (Article 6(1)(f) GDPR)
Receiving services from our professional advisors	Sensitive categories of information	Necessary for reasons of substantial public interest (Article 9(2)(g) GDPR; UK DPA 2018 Schedule 1) Criminal offence data: Processed where manifestly made public or necessary for reasons of substantial public interest under Schedule 1 of the UK DPA 2018, or (in the EU/EEA) where authorised by Union or Member State law providing appropriate safeguards (Article 10 GDPR)
Complying with regulatory requests	Ordinary categories of information	Compliance with legal obligations (Article 6(1)(c) GDPR)
Complying with regulatory requests	Sensitive categories of information	Necessary for reasons of substantial public interest (Article 9(2)(g) GDPR; UK DPA 2018 Schedule 1) Criminal offence data: Processed where manifestly made public or necessary for reasons of substantial public interest under Schedule 1 of the UK DPA 2018, or (in the EU/EEA) where authorised by Union or Member State law providing appropriate safeguards (Article 10 GDPR)
Proper management and integrity of the EDD Service (e.g., data quality assurance, system maintenance and security, research and methodology development, training and oversight of analysts, and EDD User support)	Ordinary categories of information	Consent (Article 6(1)(a) GDPR), for example where the EDD User obtains it for CBI/RBI screening Legitimate interests (Article 6(1)(f) GDPR)
	Sensitive categories of information	Necessary for reasons of substantial public interest (Article 9(2)(g) GDPR; UK DPA 2018 Schedule 1) Criminal offence data: Processed where manifestly made public or necessary for reasons of substantial public interest under Schedule 1 of the UK DPA 2018, or (in the EU/EEA) where authorised by Union or Member State law providing appropriate safeguards (Article 10 GDPR)

We make your personal information available to third parties, including EDD Users, companies within the LSEG Group (where their staff, such as EDD researchers and analysts, are involved in compiling EDD reports for EDD Users). Where permitted by applicable law, we may also share your information with public bodies to allow us to comply with applicable laws.

We also use a limited number of third-party service providers who provide advice and services to us (including professional advisors) in connection with EDD. Where we share your personal data with our third-party service providers, we ensure that we have contracts in place that strictly govern how they use the personal information we disclose to them.

Further information about who we share your personal information with is set out in the table below.

Recipient	Purpose	Information shared	Location
LSEG entities	Provision of the EDD Service Proper management and integrity of the EDD Service (e.g., data quality assurance, system maintenance and security, research and methodology development, training and oversight of analysts, and EDD User support)	Identification information Contact information Information about any dependents Employment information Professional reputation and integrity PEP-specific information Financial information Litigation and regulatory information Sanctions information Criminal record information Social media information Correspondence	We may share your personal information within the LSEG Group to support our operations, provide services, and comply with legal and regulatory obligations. While EDD and supporting applications are primarily hosted in the EU (Ireland) and UK, authorised LSEG personnel, including analysts and support teams, may access and process personal information from other locations worldwide, in accordance with our strict access controls and data protection safeguards. We implement appropriate measures in line with applicable privacy laws and maintain a high standard of data protection.
Third-party data centres	Hosting and storage of information	Identification information Contact information Information about any dependents Employment information Professional reputation and integrity PEP-specific information Financial information Litigation and regulatory information Sanctions information Criminal record information Social media information	United Kingdom and Ireland These data centres provide infrastructure services only and do not access personal data. All access to the data is managed exclusively by LSEG and its authorised service providers.
External consultants and IT service providers	Maintenance, security, and performance of our systems Infrastructure management, technical support and incident response	In general, personal information processed in connection with EDD is not shared with external consultants or IT service providers. In exceptional cases, access may be required to support system maintenance, security, or incident response. Any such access is strictly limited to what is necessary for the relevant task and is subject to contractual and technical safeguards.	These providers typically operate from the UK, though may be located in other jurisdictions depending on the nature of the engagement.
External Business Intelligence (BI) researchers	Conducting discreet, localised fact verification, integrity checks, and public record enquiries that cannot be completed remotely. Supporting the preparation of EDD Reports by confirming information such as business activity, corporate affiliations, litigation history, or publicly available credential information.	Only limited personal information necessary to complete a specific fact verification task (e.g., name, role, publicly available identifiers, or documents already provided by the EDD User). BI researchers do not receive a full EDD Report or broader datasets and are contractually prohibited from retaining or re using any information.	BI researchers operate in various jurisdictions relevant to a specific EDD assignment. All access is limited, purpose specific, and subject to strict confidentiality, due diligence, and data protection safeguards. We do not disclose personal information to BI researchers in jurisdictions that are subject to international sanctions.
External auditors	Independent assurance of our controls and processes Verification of compliance with regulatory and data protection obligations Assessment of operational risk and internal controls	In general, personal information processed in connection with EDD is not shared with external auditors. In exceptional cases, limited and controlled access may be provided to external auditors solely to verify compliance, licensing, or internal control. Such access is typically read-only, supervised, and subject to confidentiality agreements. Any sharing is strictly limited to what is necessary for the relevant audit activity and is governed by contractual and technical safeguards.	These providers are typically located in the UK, though may operate in other jurisdictions depending on the nature of the engagement.
External law firms	Providing legal advice in relation to data protection, regulatory compliance, and governance Supporting responses to data subject requests and regulatory inquiries Advising on internal policies, risk management, and contractual matters	External legal advisors may, where necessary and appropriate, access and process personal information we hold about you, including the full contents of an EDD Report and related correspondence, particularly in connection with contentious matters, regulatory inquiries, or data subject requests. Any such access is strictly limited to what is required for the relevant legal task and is subject to contractual and technical safeguards.	These providers are typically located in the UK, and EU countries, though may operate in other jurisdictions depending on the nature of the engagement.
EDD Users	Provision of the EDD Service	Identification information Contact information Information about any dependents Employment information Professional reputation and integrity PEP-specific information Financial information Litigation and regulatory information Sanctions information Criminal record information Social media information	We may disclose our Reports to our customers located in various countries around the world, as necessary to deliver our services and fulfil our contractual obligations. However, we do not share personal information with customers in jurisdictions that are subject to international sanctions. We assess these risks regularly and apply appropriate safeguards in-line with applicable privacy and data protection law.
Regulators, official authorities, courts and tribunals	Responding to lawful requests, investigations, or proceedings initiated by regulators, official authorities, courts, or tribunals Complying with legal obligations, regulatory requirements, or judicial orders Supporting formal inquiries or proceedings related to data protection, financial crime, or other applicable laws	The specific types of personal information disclosed will vary depending on the nature and scope of the request or proceeding, and may include any personal data we hold, including EDD Reports and related correspondence. Any disclosure is strictly limited to what is required and permitted under applicable law or regulation and is carried out in accordance with our internal governance and legal review processes.	These authorities are primarily located in the UK and EU, but may include other jurisdictions depending on the nature of the engagement.
Prospective buyers, sellers, advisers or partners	Facilitation of potential sales, mergers, acquisitions, restructurings, joint ventures, assignments, transfers or other dispositions of all or any portion of our business	In general, personal information processed in connection with EDD is not shared with prospective buyers, sellers, advisers, or partners during corporate transactions. However, in limited and controlled circumstances, such as to meet regulatory requirements or support due diligence, access to personal information may be required. This may include any personal data we hold, including EDD Reports and related correspondence, where necessary and appropriate for the transaction. Any sharing is strictly limited to what is required and is subject to robust confidentiality and security safeguards.	These parties may be located in various countries worldwide, depending on the nature and scope of the transaction.

The EDD Service is a global service and LSEG is a global organization. As a result, your personal information may be transferred, stored and processed in different jurisdictions. The specific countries where personal information may be processed depend on the nature of the engagement and the location of the relevant recipient. These are outlined in the section “Who we disclose your personal information to”, which provides examples of processing locations by recipient type.

Where we transfer your personal information to third parties outside of the UK or European Economic Area (the “EEA”) or to jurisdictions with additional legal requirements, we do so in accordance with applicable laws, using safeguards where required to protect your personal information. This includes:

Transfers based on adequacy decisions under Article 45 of the UK GDPR or EU GDPR.
Transfers subject to Standard Contractual Clauses approved under Article 46 of the EU GDPR.
Transfers subject to the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
Intra-group transfers governed by our Intra-Group Transfer Agreement, which incorporates SCCs and UK IDTA provisions.
Where required by local laws, we may implement additional safeguards, such as enhanced contractual protections, technical measures, or organizational controls to help ensure your personal information remains protected.

More information about these safeguards is available at https://myaccount.lseg.com/en/policies/gdpr-productinfo.

We take information security seriously and use a range of physical, electronic and managerial measures to keep your personal information secure. Our technical and organisational measures are closely aligned with widely accepted international standards, reviewed regularly and updated as necessary to meet our business needs and changes in technology and regulatory requirements. The security measures we implement will vary, depending on the sensitivity of the personal information being protected, but include data encryption, access controls, regular cyber security assessments and staff training on data protection. We also impose restrictions on EDD Users and our third-party service providers requiring them to only use information in EDD Reports in connection with Checks or the services they provide to us.

These policies and measures include:

Robust research methodology and quality assurance: EDD analysts follow strict research guidelines and documented processes to ensure that all information included in a Report is relevant and sourced accurately from approved public domain and non-public sources. Historical information is revalidated for accuracy at the time of the new Report.
Verification of sources: Analysts are required to verify the quality and reliability of all sources, including public domain data and information obtained through interviews or third-party vendors. There are prescriptive steps for verifying non-public information, including minimum source requirements and validation actions.
Training and oversight: Regular training is provided to EDD researchers and analysts to ensure compliance with research methodology, data quality, and security requirements.
Access controls: Access to EDD systems is strictly limited to authorised research staff. EDD Users do not have access to raw data or internal databases, only to finalised Reports.
Incident response and breach detection: We have implemented breach detection tools and incident response plans designed to identify and respond to any security incidents promptly.
Physical and technical safeguards: Secure premises, staff security passes, and technical controls are used to protect the locations and systems where EDD data is processed and stored.
Monitoring compliance: We regularly monitor compliance with our policies, procedures, and controls.

We hold your personal information for as long as needed for the purposes for which it is processed, and in line with our legal and regulatory obligations and risk management guidelines.

We determine retention periods for your personal information based on a range of factors, including:

how long your personal information remains relevant to the due diligence purposes for which it was collected;
the length of time it is reasonable to keep records to demonstrate that we have fulfilled our duties and obligations (including any legal obligations to which LSEG is subject);
any limitation periods within which claims might be made;
any retention periods prescribed by law or recommended by regulators, professional bodies or associations or inter-governmental bodies; and
the existence of any ongoing legal or regulatory proceedings.

Based on these criteria, we retain personal information in the EDD Service for as long as it is necessary to support Checks, as defined in this statement. This means retaining information where it is necessary to enable EDD Users to meet their legal or regulatory obligations, manage risk, adhere to industry standards or contractual requirements, or follow generally accepted principles of good practice and ethical business conduct.

Final versions of EDD Reports, vendor reports, correspondence, and related personal data are generally retained for seven years, unless a longer period is required due to a legal hold (for example, in connection with ongoing litigation, regulatory proceedings, or data subject rights requests). The retention period begins when the relevant EDD Report or associated document is first created or uploaded to our systems. After the relevant retention period has expired, and personal information is no longer necessary for the purpose for which it was processed, it is securely deleted in accordance with our internal procedures.

Retention periods for other types of personal information processed for different purposes (such as handling rights requests or legal claims) may vary depending on the nature of the processing and applicable legal or regulatory requirements.

For further information on our retention periods, please contact us using the details below.

We do not use automated decision-making processes in a way that produces legal effects concerning you, or similarly significantly affects you.

If you are based in the European Economic Area, Switzerland or the UK, data protection laws grant you certain rights which we summarise in the table below. We will try to honour any rights you have under applicable data protection laws, but please note that these rights are not absolute under applicable law, and they may not always apply in your circumstances. If we do not consider that you are able to exercise one of these rights, we will give reasons.

If you want to exercise any of these rights, please contact our Privacy Office at contact@world-check.com or at Attn: Data Protection Officer, LSEG, 10 Paternoster Square, London EC4M 7LS, England, United Kingdom.

Right	Description
Right of access and data portability	You have the right to make a written request for details or a copy of personal information we hold about you and/or to have it transferred to another data controller in some circumstances.
Right of rectification or erasure	You have the right to have inaccurate information about you corrected or removed and certain personal information about you erased.
Right to restriction of processing	You have the right to request that your personal information is only used for restricted purposes.
Right to object	You have the right to object to our processing of your personal information.
Right to withdraw consent	You have the right to withdraw your consent for the processing of your personal information where the processing is based on consent.
Right to complain	If you are unhappy with the way we have used or are handling your personal information you have the right to lodge a complaint with the supervisory authority for data protection issues in the country where you usually live, work or where the relevant issue arose. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance at the email set out above.

If you are based in California, please refer to our California Consumer Privacy Notice which supplements this privacy statement and applies solely to individuals based in California.

If you are based in South Africa, we have established processes and procedures to allow appropriate data subjects to exercise their rights under South Africa’s Protection of Personal Information Act. If you wish to exercise your rights, please visit here. For more information on our processes and procedures, and your rights, you can visit our Promotion of Access to Information Manual.

If you are based in Brazil, please refer to our Brazilian Data Protection Law Notice, which supplements this privacy statement and applies solely to individuals based in Brazil.

The China Privacy Notice supplements this Statement and applies solely to the processing of personal information by our companies within the territory of the People’s Republic of China.

If you have any questions, comments, complaints or suggestions in relation to how we process your personal information, or wish to exercise your rights referred to above, please contact our Privacy Office at contact@world-check.com, or you may write to:

Attention: Data Protection Officer
Refinitiv Limited
10 Paternoster Square
London, EC4M 7LS
United Kingdom

If you are an EU citizen or data protection regulator, for the purposes of the GDPR, our appointed European representative is Refinitiv Ireland Limited. Our appointed representative can be contacted at contact@world-check.com, or you may write to:

Refinitiv Ireland Limited
12-13 Exchange Place
IFSC
Dublin, D01 P8H1
Ireland

You also have a right to complain to a data protection regulator in the place where you live or work, or in the place where you think an issue in relation to your personal information has arisen. A list of national data protection regulators in the European Union can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. For the Information Commissioner’s Office in the United Kingdom, please visit https://ico.org.uk/.

We may update this privacy statement from time to time. Please look at the Effective Date at the top of this statement to see when it was last updated.

Any updates to this privacy statement will be published on this page.

Back to top ↑

Enhanced Due Diligence Privacy Statement

Who we are

What this privacy statement covers

What the EDD Service is

What personal information we process

Special categories of personal information

Children’s personal information

How we use information about you

Our Legitimate Interests (Article 6(1)(f) GDPR)

Legal basis for processing sensitive and criminal offence data

Who we disclose your personal information to

Why information may be transferred abroad

How we secure your personal information

How long we keep your information

Automated Decision Making

Your rights

California privacy rights

South Africa - Access to information

Brazil privacy rights

China privacy rights

How to contact us

Changes to this privacy statement