Data Privacy is Important to Dun & Bradstreet
What is Data Privacy?
Data privacy focuses on the protection of personal information when collecting, using, processing, securing, and sharing such information with third parties and transferring personal information across geographic borders. There are regulatory requirements across the globe associated with these activities.
Through various business relationships we collect, process and share global business information, including professional contact data and other business data, such as sole proprietor information, that many countries may consider personal information. Although we only collect personal information relating to an individual’s business capacity, we respect the important nature of personal information, and take great care to protect it in accordance with applicable privacy and data protection laws.
How Dun & Bradstreet Complies with Global Privacy Laws
Dun & Bradstreet’s Global Privacy Program is designed to ensure compliance with applicable international, national and local privacy regulatory requirements.
- As part of our global Privacy by Design Program, Dun & Bradstreet uses Privacy Impact Assessments to help assess the privacy implications of new legislation, new products, projects or other new uses of personal information. We have completed numerous Privacy Impact Assessments in our efforts to help make sure that everything we do with personal information is in compliance with applicable laws.
- Dun & Bradstreet has implemented and monitors many internal policies and procedures to make sure that proper privacy standards are applied to our data collection, data use, data processing, data handling and data sharing practices. Dun & Bradstreet also provides notice to data subjects including our customers, employees, and website visitors about our collection, use, sharing and management practices of personal information through our Privacy Policies (also referred to as Privacy Notices). Our externally facing Privacy Notices also inform individuals about their data access rights and how to opt out of marketing activities or the sharing of their personal information. For more information on our Privacy Notices, please see the “Privacy Notices for Dun & Bradstreet Owned Markets” section.
- We provide our employees with robust privacy training, including annual global privacy training and training for newly onboarded employees, data handling training and policy and procedural guidance to raise awareness and understanding about privacy issues and to promote compliance with applicable privacy laws.
- The past several years have seen a significant update of privacy legislation in the European Union and new privacy laws in China and in the U.S. State of California. There has also been a flurry of other proposed privacy legislation in the United States at both the state and federal level. In addition, a growing number of countries around the world have recently enacted or proposed privacy legislation. Dun & Bradstreet closely tracks legislative changes to monitor our compliance with privacy laws applicable to our business. We also work closely with our partners and vendors to screen and monitor their compliance efforts.
- As more jurisdictions enact privacy laws, a greater number of individuals are entitled to access the personal information companies may collect about them and to understand how that data is used or shared with third parties. Dun & Bradstreet has programs in place to manage data subject rights in accordance with local applicable legislation. Please refer to our Privacy Notices for information on individuals’ access rights to personal information at Dun & Bradstreet.
- We use internal and external audit resources to audit our privacy compliance programs, policies and procedures.
- The GDPR governs the use of personal information of residents of the European Union and came into effect in May 2018. For Dun & Bradstreet, compliance with the GDPR was an evolutionary progression of our compliance with the GDPR’s forerunner – the EU Data Protection Directive and its implementing national legislation. Our GDPR compliance preparation program was comprehensive and extensive and included strengthening our data subject rights program, documenting our policies and procedures, updating our privacy notices and conducting privacy impact assessments and the required legitimate business interest assessments.
- Our EU Privacy program is subject to ongoing compliance testing and has undergone internal and external audits. Our most recent audit was based on the UK’s Information Commissioner’s Office (ICO) audit template and defined audit categories, covering over 300 questions. The audit confirmed that our program has the high degree of maturity customers expect from Dun & Bradstreet.
- Under the GDPR we have the role of both “Processor” and “Controller” in relation to our customer transactions. When we process our commercial inventory data we are a “Controller” of that data under legitimate business interest and have rigorous data subject right procedures to support this. When customers pass data to us for the purpose of any of our data services, we are a “Processor” and we process that data in accordance with a fully compliant GDPR Data Processing Agreement which is used as standard practice within our customer contract framework. These practices give customers peace of mind that we will handle their EU data to the high standard of the GDPR. For more information about EU data protection at Dun & Bradstreet please request the EU Data Protection Customer Manual from your D&B Account Manager.
- Dun & Bradstreet has been certified under Privacy Shield since 2016 (U.S. Department of Commerce Privacy Shield). Before 2016 Dun & Bradstreet was Safe Harbor certified and compliant with respect to transfers of personal information from the EU to the U.S. Please note that, despite the Court of Justice of the European Union’s invalidation of the EU-US Privacy Shield Framework as a mechanism for transfers of personal data between the EU and the U.S., Dun & Bradstreet is currently maintaining our self-certification under the EU-US Privacy Shield Framework and remains committed to protecting personal information in accordance with the Privacy Shield Principles, which offer meaningful privacy protections for EU individuals. While we will continue our participation in the Privacy Shield Framework, we will at this time only rely on Standard Contractual Clauses to cover the transfer of personal information from the EU to other jurisdictions.
For more information on the U.S. Department of Commerce’s continued administration of the Privacy Shield program, please visit EU-US Privacy Shield Program Update.
Dun & Bradstreet and its legal entities participate in and have certified compliance with the EU-U.S. Privacy Shield Framework and the Swiss U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and/or Switzerland (as applicable) to the United States, respectively, in reliance on Privacy Shield. Dun & Bradstreet is committed to subjecting personal information received from European Union (EU) member countries, the United Kingdom, and Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce website at Privacy Shield.
- Based on an external auditor’s recent review of the Dun & Bradstreet CCPA compliance program, our CCPA compliance program is “demonstrably mature” and the overall program management, resourcing, and executive engagement was identified as one of the most advanced programs in the market.
- Our CCPA program has been a natural and evolutionary progression of the program we put into place as part of our GDPR compliance efforts. We leveraged the practices already in place and expanded them to put measures in place for full CCPA compliance, including:
  - Global training for Dun & Bradstreet employees including CCPA module and targeted CCPA training for key team members
  - Privacy Notice Updates to cover CCPA requirements
  - Updating our contractual terms and policies for CCPA compliance
  - Completing Privacy Impact Assessments for key business and data practices impacted by the CCPA
  - Creating FAQs for external use, available at: https://www.dnb.com/ccpa-faqs
  - Internal and external audits
- Dun & Bradstreet is a registered data broker as defined by the CCPA: https://oag.ca.gov/data-brokers
- Dun & Bradstreet’s program to comply with the CSL (effective as of June 1, 2017) is ongoing since various implementation regulations are still in draft form. The CSL includes a broad set of regulations that govern how organizations collect, use, distribute, transfer (including cross-border transfer) and protect information (including personal information) in China.
- Dun & Bradstreet has put measures in place to check that personal information collected in China has the proper consents attached.
- Dun & Bradstreet is putting measures in place to be in compliance with the revised Personal Information Security Specification as of its effective date.
- Please see our China privacy notice for more information on Dun & Bradstreet’s privacy practices in China.
- Dun & Bradstreet receives business data, including personal information, from our global partners and vendors. This data is ingested into our products to expand our data coverage world-wide.
- We work closely with our partners and vendors around the globe to monitor their compliance with privacy laws and regulations and screen their collection, use and sharing of personal information with Dun & Bradstreet. Dun & Bradstreet performs due diligence reviews of personal information collection and other privacy practices of partners and vendors as a part of our relationships with our partners.
- When handling customer data, Dun & Bradstreet will comply with the security principles, standards and controls located at https://www.dnb.com/about-us/company/our-security.html.
- Dun & Bradstreet complies with data breach laws. We hold third party vendors and subprocessors to security standards and breach notification procedures that are similar to our own and at a minimum compliant with law.
- US: https://www.dnb.com/utility-pages/privacy-policy.html
- Greater China
- UK/EU: https://www.dnb.co.uk/utility-pages/privacy-policy.html
- India: https://www.dnb.co.in/privacy-policy