Both Sustainalytics, a leading provider of ESG and Corporate Governance research and ratings, and Morningstar — a leading provider of independent investment research are committed to responsible data processing and ensuring adequate personal data protection across all group entities.
Table of Contents
- Your Privacy at Sustainalytics
- How do we gather personal data?2
- What information do we collect?
- How do we use information that we collect?
- Will we share your personal data with third parties?
- What about sensitive personal data?
- What about data security?
- Where will your personal data be processed?
- Your rights
- Storage information
- What if I don’t want cookies?
- Contact Sustainalytics’ Data Protection Officer7
Your Privacy at Sustainalytics
Your privacy is one of our fundamental commitments here at Sustainalytics, including its affiliates within the Morningstar Group, each acting as data controller for its operations, hereinafter called “Sustainalytics”, “we”, “us”, and “our”.
Therefore, we take outmost care to process your personal data in accordance with the principles set forth in the applicable data protection legislation, including (EU) Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
Contact details for Sustainalytics` affiliates are available here
Contact details for Morningstar’s entities are available here. Information about Morningstar’s privacy practices is available here
The primary business purpose of Sustainalytics is providing the insights required for investors and companies to make more informed decisions that lead to a more just and sustainable global economy. As such, Sustainalytics uses personal data when performing its research, engagement and active ownership activities and providing information that our clients request, and when caring out its support activities such as labour and commercial contracts.
Personal data represents any information relating to an identified or identifiable natural person, and an identifiable person is that person that may be identified directly or indirectly, particularly by reference to an identification number or to one or more factors specific to its physical, psychological, mental, economic, cultural or social identity.
How do we gather personal data?
Sustainalytics collects personal data directly and indirectly, through the following channels
Directly from you: when entering into contracts with us, either on behalf of clients or service providers, when interacting with us as part of our research and engagement activities, , when visiting our website and on-line platforms and you explicitly provide your data for different purposes such as for receiving newsletters, when directly sending us your resumes for a possible collaboration with us, as well as when becoming part of our team as a board member, member of the executive team, employee or intern.
When the data is required directly from you, we kindly ask you to provide all categories of personal data we request for the relevant purposes, as otherwise we shall not be able to carry out part of our all our activity, including, among others, to provide you with our services.
- Our sites’ or platforms’ technology:this includes data about our clients, prospects, visitors or candidates;
- Conferences and events’ organizers:this includes data about our prospects and potential clients;
- Your employer – if they are our client or acting as our service provider:this includes data about representatives, employees or other contact persons of, and indicated by our clients or service providers;
- Subject companies that we research or engage with: this includes data about senior executives, investors’ relations or CSR representatives or other contact persons of, and indicated by the companies we research or engage with.
If your data is being provided by an event organizer or by your employer, we will take reasonable measures to ensure you have been informed about your data being processed by Sustainalytics. In any case, Sustainalytics is committed to respect your rights and answer your questions regarding the way we use your data.
- Third parties acting as our data suppliers:data collected either from publicly available sources (researchers who provide us information about senior executives and other representatives of the companies we research or engage with), or data about candidate employees shared with us by our recruitment agencies or temporary work agencies;
- Public sources:data collected by us from publicly available sources (such as public websites of companies that we research or engage with, stock exchange websites, public media, etc.).
While this information is publicly available, Sustainalytics is committed to respect your rights and answer your questions regarding the way we use your data.
What information do we collect?
Sustainalytics gathers a variety of data, from the following individuals:
- Clients, prospects and service providers’ representatives or contact points
- Representatives of the companies we research or engage with
- Participants to events
- Candidates, visitors and web site users
If you are our client, a prospect or the representative, contact person or employee thereof:
- Information that you provide when entering into a contract with Sustainalytics will be processed to enable us to execute the contract, to grant you access to our services and products, and for fiscal, billing and audit purposes. Data gathered includes name, title, contact details (business e-mail and telephone number), and other relevant information depending on the contract typology.
- If you are the representative, an employee or contact person of our clients, information that your employer provides us for the performance of our contract includes: name, title and contact details (e-mail and telephone number). This is used to grant you access to our platforms, services, research and data, as well as to monitor usage of our services and report to your employer.
If you are a representative of the companies we research or engage with
- If you are a representative or hold an executive position in the corporate governance structure of a company that we research or engage with, we may use publicly available information regarding your name, title, remuneration, public allegations or records on administrative, employment or criminal misconduct, contact details, professional background, education or professional body affiliations (e.g. trade unions).
- If you are the contact person of a company that we research or engage with, we may use your publicly available contact details to ask for your company’s feedback on Sustainalytics‘ research and products, or to invite your company to join our engagement programs.
If you are a participant to our events or to an event we are also attending
- If you are attending an engagement call/ meeting, we will collect your: name, e-mail address, phone number, details about the company you represent as well as the information you provide during the event, and will reflect them in our engagement reports (deliverables).
- If you are attending an event for which the organizers are sharing contact details among the invitees, or where you have shared your business card, we may collect and keep a record of them. If we further contact you, we will provide details as to how your data is being used and ask your consent about it.
- If you are attending an on-line event that we are organizing and recording (such as a webinar or conference), we may keep a record of the information you have made available in this context: name, contact details, picture, audio and or video recording of your voice and face. If we are the event organiser, we will inform you whenever such events may be recorded, ask for your consent, and provide details on how your data is being used.
If you are our service provider or the representatives, contact persons or employee thereof
- Information that you provide when entering into a contract with Sustainalytics. This includes name, title, contact details (e-mail and telephone number), and other relevant information depending on the contract typology.
- Information that your employer – our service provider – presents us with, if you are the representative, an employee or contact person thereof: name, title and contact details (e-mail and telephone number).
If you are visitor or a user of our website or platforms
- Information that you provide by filling in forms on our website: name, e-mail address, telephone number, details about the company you represent.
- If you contact us, we may keep a record of that correspondence, for audit purposes.
- Any postings, comments or other content that you upload or post to any Sustainalytics websites (including our social media accounts, such as LinkedIn, Twitter, Facebook).
- Any comments or information that you provide about any of our platforms.
- Our website collects information about your computer, including (where available) your IP address, operating system and browser type. This information is used for system administration, to filter site traffic, to look up user domains, and to report on site statistics.
- Details of your visits to our website and access to our resources (including but not limited to, traffic data, location data, weblogs and other communication data). Please see the Cookies section below for more information.
- Details of your visits and usage of our platforms and resources you access (including but not limited to, research accessed, reports downloaded, traffic, session and location data, weblogs and other communication data).
If you are a visitor of our office locations
- If you visit us at our office locations, we may collect and process information from your identity documents (name, surname, series of ID) and we may keep records of your image, for security purposes (including through our security services providers). Our office premises are under video surveillance and we will keep video recordings according to the legal requirements in force under the office jurisdiction.
If you are a job/internship applicant
- The categories of data processed in the context of our relationship are your name, e-mail, phone, fax, address, and other personal data included in your CV, including but not limited to education and training details or professional qualifications.
How do we use information that we collect?
We use personal data:
- To carry out our research and engagement activities.
- To grant you access to our platforms and research products and services, including the ones of our affiliates in the Morningstar Group, and for our clients’ contracts’ performance.
- To monitor access to and usage of our platforms and research products and services, for reporting purposes.
- To subscribe to our services, based on your prior request, and send you white papers, articles, newsletters, further information about Sustainalytics or other content, including the ones of our affiliates in the Morningstar Group.
- To register you to our events and share your contact details with other participants.
- To perform our contracts with our service providers.
- To contact you for marketing purposes where you have consented to this.
- To ask you to complete surveys or research questionnaires that we use for research purpose. however, completing such surveys is optional.
- To personalize your website experience. Please see the Cookies section below for more information.
- To analyse your IP and browser information to determine the effectiveness of our site and to help us identify ways to improve it. Please see the Cookies section below for more information.
- To assess the applicants’ qualifications for a position within Sustainalytics, including in relation to our internship program.
- To ensure security when visiting our office locations.
Will we share your personal data with third parties?
We generally only share personal data with our affiliates within the Morningstar Group, with our contracted service providers and advisors. However, there will be other instances when, for a specific purpose, we will need to share or disclose the personal data you provided, respectively:
- We may need to disclose your personal data to third parties if we sell or liquidate any part of our business or assets;
What about sensitive personal data?
We generally do not seek to collect sensitive personal data. In the limited cases we do so, this shall be done in accordance with local data privacy law requirements. When this is the case, such data shall be collected from public sources and may include: political opinions, philosophical or other similar beliefs, trade union, profession or trade association membership, or misconduct allegations, that may include publicly available criminal records.
The term “sensitive personal data” refers to the various categories of personal data identified by EU and other data privacy laws as requiring special treatment. These categories may include personal identity numbers, racial or ethnic origin, political opinions, religious, philosophical or other similar beliefs, trade union, profession or trade association membership, physical or mental health, biometric or genetic data, sexual life, or criminal record (including information about suspected criminal activities).
What about data security?
Sustainalytics takes appropriate steps to maintain the security of personal data collected through any of the above-mentioned channels/ means.
However, you should understand that the open nature of the Internet is such that information and personal data may flow over networks connecting you to our systems without security measures and may be accessed and used by people other than those for whom the data is intended.
Our site or other communication may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates of the Morningstar Group. If you follow a link to any of these websites, please note that these have their own privacy policies, and that we do not accept any responsibility or liability for these policies or sites. Please check these policies before you submit any personal data to these sites.
Where will your personal data be processed?
As a global organization, the personal data we collect may be transferred internationally throughout Sustainalytics’ organization entities, available here, respectively to Member States of the European Union and other third countries where an affiliate of the Morningstar Group is located, a list of which is available here.
We have internal policies in place to ensure an equivalent level of protection is implemented across our organization. For more information regarding the transfer of your personal data, you may contact Sustainalytics at firstname.lastname@example.org.
You are entitled to know whether we hold personal data about you and, if we do, you benefit from the right of information, of access to, and intervention upon, your personal data, to rectification, erasure and restriction of processing of personal data, the right not to be subject of an automatic individual decision and the right to oppose against the processing of your personal data for legitimate and grounded reasons. Moreover, you also benefit from the right to address your country’s National Supervisory Authority for Personal Data Processing, and the courts of law.
As of 25 May 2018, you also have the right to require Sustainalytics to: (i) pass on the personal data you have provided to us in a structured and easily accessible electronic form, or (ii) to transmit to another data controller the personal data you provided to Sustainalytics insofar as it is technically feasible. You also have the right to request the restriction of the processing as set out by law.
You can exercise your right to prevent marketing communications being sent to you by sending an email to email@example.com or by using the specified links to unsubscribe from our email marketing communications. You can also exercise the right to discontinue marketing communications to you at any time by contacting us by email or phone. See Get in Touch.
To exercise any of the above-mentioned rights, you may contact our Data Protection Contact Point at firstname.lastname@example.org, or by filling in the general contact form available at Get in Touch.
We will answer within 30 days from receiving your request or inform you about any justified delay.
Your personal data is stored and processed for as long as it is necessary in order to achieve the processing purposes listed above and longer, in accordance with internal and legal requirements. We generally store your data for as long as necessary, either for the contract execution or for the purpose for which is was collected, unless otherwise requested by law to process the information for longer periods of time.
Cookies are text files containing small amounts of information which are downloaded to your computer or mobile device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another site that recognizes that cookie. Cookies are useful because they allow a site to recognize a user’s device.
What if I don’t want cookies?
When you first access our website or whenever you access it from a new device or browser, you will be asked through a pop-up message to consent or not to Sustainalytics placing cookies on your device as explained above.
If you want to remove existing cookies from your device, you can do this using your browser options. If you want to block future cookies being placed on your device, you can change your browser settings to do this.
Turning off cookies will also prevent any web beacons from tracking your user activity on our site. The web beacon will still account for an anonymous visit, but your unique information will not be recorded.
Contact Sustainalytics’ Data Protection Officer