IHS Markit Ltd. and its subsidiaries and affiliates (collectively "IHS Markit", "us", "we", or "our") are committed to protecting your privacy. This Privacy Notice (“Notice”) is designed to give Beneficial Owners, Key Controllers, Directors, and Related Parties (together, “Associated Individuals”) information about how IHS Markit processes personal information when providing Know Your Customer related services from publicly available sources as described below (“KYC Services”) to our clients.
Anti-money laundering (“AML”) and counter terrorist financing (“CTF”) regulations apply to a variety of businesses and industries. These regulations require businesses to verify the identity of their customers, apply risk-based customer due diligence measures, and take other steps to prevent services from being used for money laundering or terrorist financing. IHS Markit supplies services that include a broad set of capabilities for their clients to meet their specific AML and CTF obligations. IHS Markit collects, processes, and shares personal information as part of providing our KYC Services to our subscribers and clients, who use this information to verify the identity of persons and entities who may become their customers and to meet their AML and CTF due diligence obligations. IHS Markit uses a connected set of operational risk and regulatory compliance solutions to achieve these purposes, which are carefully reviewed to ensure personal information is protected, minimized, and only processed in ways an individual would reasonably expect.
For the purpose of this Notice:
“Beneficial Owner” means an individual identified within the ownership structure of an entity IHS Markit is performing KYC Services on.
“Key Controller”, “Director”, or “Related Party” means an individual identified by IHS Markit in the performance of KYC Services as appointed or elected to exercise direct control over an entity, by participating in the governance, strategic direction, or senior executive activities.
Why is this Notice important?
Being transparent when processing personal information is a critical component of most global privacy laws. As an example, IHS Markit is obligated under Article 14 of the General Data Protection Regulation 2016/679 (“GDPR”) to provide relevant information about processing activities that involve personal information. IHS Markit meets these transparency requirements through several means, one of which is via this Notice.
Who are we?
IHS Markit is the Data Controller of your personal information. A “Data Controller” is the main decision maker in respect of data processing - this means we exercise overall control over the purposes and means when processing personal information. Being a Data Controller means we have a high level of compliance responsibility and that we must comply with, and demonstrate compliance with, all applicable data protection laws and regulations, including GDPR where it applies.
How to contact us
If you have any queries regarding this privacy notice or data protection in general, you should contact us using the form on our Privacy Request Page.
Postal enquiries can be sent to the following address:
IHS Markit Privacy Team
Attn: Chief Privacy Officer
15 Inverness Way East
Englewood, CO 80112
Why we process personal information
Our KYC Services collect a range of personal and non-personal ‘business’ information from various public sources, including websites and regulatory filings. In some circumstances, the information being collected includes a limited amount of personal information, which will commonly be your name and related beneficial ownership information.
IHS Markit shares this personal information with third-party businesses to enable the third-party businesses to use it for their own internal business purposes, including but not limited to banking, KYC, onboarding, and other regulatory purposes.
KYC procedures are a critical function used to assess customer risk and a legal requirement under AML and CTF laws. IHS Markit provides KYC Services that assist customers in establishing and maintaining effective systems and controls for countering the risk of criminal exploitation and maintaining compliance with AML and CTF laws and regulations.
What personal information we process
IHS Markit collects personal information when providing KYC Services to our clients, including:
Identifying information –
- Name (first and last name)
- Approximate age (month and year)
- Professional or Residential address
- Professional role/title
- Identification information
Associated Individual information –
- Type of association
- Level of association
How we ensure our processing of personal information is lawful
IHS Markit and the third parties we serve have a legitimate interest in processing the personal information provided through KYC Services. IHS Markit clients have a legitimate interest in gaining access to high-quality and easily manageable data of the type we process in order to optimize their AML and CTF compliance requirements. IHS Markit has a legitimate interest to reduce the societal cost of money laundering through the provision of cost-effective KYC solutions. We aim to reduce the AML and CTF risks faced by our clients by providing effective products that assist our customers in establishing and maintaining systems and controls for countering the money laundering and terrorist financing efforts of criminals.
IHS Markit has thoroughly assessed our legitimate interest, considered the potential impact on you (positive or negative) and your rights under data privacy laws, and will not use your personal information for activities where the impact on you overrides the legitimate interests we have in processing your personal information.
Who do we share personal information with?
IHS Markit discloses personal information to unaffiliated third-party clients who utilize KYC Services. These third-party clients are also data controllers when they process personal information. IHS Markit enters into processing agreements with these third-party clients to ensure they only process personal information in accordance with the commitments we’ve set out in this Notice.
We may also disclose personal information to IHS Markit's parent, subsidiary, affiliates, and other related companies for the purposes listed in this Notice.
If IHS Markit sells all or part of its business or makes a sale or transfer of assets or is otherwise involved in a merger or business transfer, IHS Markit may transfer your personal information to a third party as part of that transaction.
From time to time we may also disclose personal information to a limited number of service providers, sometimes referred to as processors, for the purpose of providing information processing services to our organisation; operating our business; or delivering, improving, and customizing our products or services. IHS Markit has processing agreements with these service providers to ensure that they are subject to confidentiality obligations and are restricted in their processing activities to ensure personal information is protected at all times.
We may disclose personal information to regulators, government bodies, fraud prevention agencies, law enforcement agencies and courts, who have powers to order us to provide personal information, which we may occasionally have to comply with. There may also be instances where we are required to share personal information to protect the interests, rights, safety or property of IHS Markit or others in compliance with a legal process, in response to adverse third parties in the context of litigation, or to protect against fraud or for risk management purposes.
How long do we process personal information?
IHS Markit will retain your personal information as needed to fulfill the purposes for which it was collected. We will retain and use your personal information as necessary to comply with our business requirements, legal obligations, resolve disputes, protect our assets, and enforce our agreements. Personal information that is identified as inaccurate or out-of-date is either removed or corrected.
Your rights while we process personal information
We strive to make sure that our information is reliable, accurate, and up to date. Individuals in certain jurisdictions have rights over how their personal information is processed. To make a request regarding your personal information, please complete the form found on our Privacy Request Page.
Below is a brief description of rights that may apply to you:
Right of access: You may have the right to access your personal information to review, update, and correct inaccuracies. There are some exemptions, which means you may not always receive all the information we process. Additionally, there may be limits to the amount of information we will provide access to. For example, in some cases, we may limit access to personal information where the request is manifestly unfounded or excessive, in particular because the requests have been repetitive in character, or where doing so would violate the rights of others.
Right to rectification: You may have the right to ask us to rectify personal information you think is inaccurate. This could also include the right to ask us to complete information you think is incomplete.
Right to erasure: In some circumstances and subject to certain exceptions, you may have the right to ask us to erase your personal information.
Right to restrict processing: In certain circumstances, you may have the right to ask us to restrict the processing of your information.
Right to object to the processing of your personal information: When businesses rely on “legitimate interests” for their processing of personal information, individuals may have the right to object to the processing of their information. If you wish to object to our processing of personal information, you must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation.
Please be aware that in these situations, your right to object is not an absolute right, and we refuse to comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights, and freedoms.
Right to lodge a complaint with a supervisory authority: If you have a complaint or a concern regarding how personal information is being processed, we recommend that you raise it with us in the first instance (by completing the form on our Privacy Request Page). We are best placed to address any concerns or resolve any complaints.
Should you still wish to report a complaint to a supervisory authority or if you feel that IHS Markit has not addressed your concern in a satisfactory manner, you may raise your concerns directly with the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Full details of how to make a complaint can be found on their website at: https://ico.org.uk/make-a-complaint/.
Where do we source personal information from?
We compile information from publicly available sources. These sources are in the public domain and are reasonably accessible or available to IHS Markit, such as public websites, regulatory websites, open government databases, exchanges, and public registries.
International data transfers
As a global organization, we may transfer your personal information to IHS Markit affiliates, agents, contractors, service providers, and to third parties in various countries and jurisdictions around the world. The websites, services, and products we provide often result in the processing of personal information, and where applicable law permits, this information could be transferred, processed, and stored in countries where data protection standards may be different.
IHS Markit safeguards and enables the global transfer of personal information in several ways:
- Swiss-U.S. Privacy Shield Framework
- EU Commission Standard Contractual Clauses
- EU Commission Adequacy Decisions
Modifications to this Privacy Notice
IHS Markit reserves the right to change this Notice at any time by posting revisions on this web page. When we do, we will let you know by posting the changed Notice on this page with a new "Updated" date. Such changes will be effective upon posting. In some cases (for example, if we significantly expand our use or sharing of your personal information), we also may tell you about changes by additional means.
Updated 12 August 2020.