Dun & Bradstreet

Privacy, Data and AI Transparency Statement (U.S.)

Dun & Bradstreet (D&B) commits to ethical data stewardship and transparency in processing data on over 500 million global organizations by adhering to human-centered values, compliance with privacy and AI ethics policies, and maintaining consistent global standards to balance commercial objectives with respect for individual rights and data protection.

Our Commitment to Data Ethics, Compliance, and Privacy

At Dun & Bradstreet (D&B), we focus on bringing businesses and organizations together by providing insights about economic opportunities and risks, including data about businesses, business decision-makers, and other people who represent organizations of all sizes across industries and sectors. We aggregate, combine, and generate data, including scores, ratings, and analytics. Our Data Cloud contains data and insights on over 500 million organizations globally.

As a responsible data steward for almost 200 years, we strive to balance our commercial obligations and responsibilities with respect for the interests of the organizations and people about whom we process data. We aim to be transparent about how we process data about people, businesses, and organizations, as well as how we use Artificial Intelligence (AI) systems. Our goal is to improve visibility, engagement, and enrich the overall quality of our data to support meaningful data-driven insights, more opportunities, and better business and professional decision-making while respecting the interests and rights of individuals and their communities.

Our Values

At D&B, compliance and ethics begin with human-centered values and principles. These are set forth in our Code of Conduct and Ethics and guide us in designing, implementing, improving, disposing, and retiring data processing and management systems in a way that respects human rights, privacy and data protection, non-discrimination, diversity, equity, inclusion, and other applicable legal and regulatory obligations.

Consistent Global Standards

We build and maintain trust through an accountability-based compliance and ethics program that applies to our data processing globally. The following core policies provide the foundation for our program:

  • Data Compliance and Ethics
  • Privacy and Personal Data Protection
  • Data Subject Rights
  • AI Ethics
  • Global Cross Border Privacy Management System

This policy supports our compliance with ISO 27701, Privacy Information Management Systems (PIMS). Together with our Corporate Policies, it provides the framework pursuant to which we comply with ISO 27701.

Since 2016, we have upheld multilateral standards to provide assurance for how we manage our cross-border privacy and data protection obligations and to support our certifications under the following frameworks recognized by regulators:

  • EU-U.S. Privacy Shield (2016)
  • Swiss-U.S. Privacy Shield (2017)
  • EU-U.S. Data Privacy Framework (2023)
  • Swiss-U.S. Data Privacy Framework (2023)
  • UK Extension to EU-U.S. Data Privacy Framework (2023)
  • APEC Cross-Border Privacy Rules System (2023)

We process many types of data to support business decisioning, including data about people, businesses, organizations, places, economic activity, sustainability, legal and other significant business events, and third-party risks. Some of the data we process is considered personal data. Some of the systems we use to process data are AI Systems.

Dun & Bradstreet, Inc. is registered as a data broker in the U.S. State of California. Eyeota Pte. Ltd and NetWise Data, LLC are also registered as data brokers in certain U.S. states.

Your Personal Data

What is personal data?

Personal data is information that relates to an identified or identifiable individual natural person ("data subject"). Personal data includes information that can be associated with an individual, including data that can be used to identify, locate, track, or contact an individual.

Data that cannot be associated with an identified or identifiable individual, whether it was never associated with an individual (anonymous), or whether all identifiers or links to identifiers have been removed or aggregated in such a way that it is no longer possible to associate the data with an individual (anonymized), is not personal data.

How do we process personal data?

The ways in which we process personal data depend on the type(s) of data subject you are, such as your role in engaging with us, your role within your business or other organizations, the nature of the products and services that we offer, and our data and analytics methodologies.

As detailed in our Global Data Subject Rights Policy, we are committed to respecting the data and digital rights of natural persons in both their personal and professional capacities. We strive to honor the following data subject rights in accordance with well-established public policy principles, our ethical principles of Respect and Responsibility, rights enshrined in applicable laws, and the value we place on the protection of human rights and civil liberties.

Your Data Subject Rights

We provide Supplemental Personal Data Processing Statements about our personal data processing activities based on the following data subject groups:

  • Website visitors and online service users
  • Professional contacts in our products and services
  • Sole Proprietors in our products and services (coming soon)
  • Employees and beneficiaries
  • Job Applicants
  • Consumers
  • Cookie Policy
  • California Resident Disclosures

Each of these Supplemental Personal Data Processing Statements forms a part of the disclosures in this Statement for purposes of the regulatory and framework obligations to which we are subject.

Data Subject Rights

  • Right to Know: Individual natural persons have the right to know whether D&B processes personal data about them, for what purposes, and other information as required by law.
  • Right of Access: Individual natural persons have the right to access the specific personal data D&B processes about them and other information as required by law.
  • Right of Correction: Individual natural persons have the right to correct, update, amend, and/or supplement inaccurate personal data that D&B processes about them.
  • Right of Deletion: Where D&B does not have a legitimate business need to process data about an individual natural person, or where the rights or risk of harm to an individual outweigh D&B’s business need, such individuals have the right to deletion of the data.
  • Right to Restrictions: Individual natural persons have the right to request that D&B restrict how it processes personal data, including any sensitive data, about them.
  • Right to Opt-Out of Data Sale: Where required by law, D&B will honor specific requests of individual natural persons to opt-out of the sale of personal data about them, including information that identifies them in the products and solutions that D&B licenses to its customers and that is not otherwise publicly available.
  • Right to Opt-Out of Data Sharing with Third Parties for Online Advertising: Where required by law, D&B will honor requests to opt-out of sharing personal data with third parties for online advertising purposes.

You may exercise your data subject rights in connection with our data processing. D&B will not retaliate nor discriminate, nor tolerate any retaliation or discrimination, against any individual who exercises rights provided by D&B under our Global Data Subject Rights Policy or applicable law. Unless a shorter timeframe is required by law, D&B will honor requests as soon as practicable and in accordance with the timelines under applicable laws. Except where required by law, we will not honor multiple or repeated requests from the same individual to exercise the same right more than once every three months.

Cookies and Online Activity Data

We use cookies and other online data collection technologies, such as single pixel tags, eTags, and scripts, to help you navigate our website and other online services, remember your selections, deliver certain features and content supported by third parties and external tools, measure the effectiveness of our advertising and other marketing activities, and to remarket to you after you visit our website. We use two types of browser cookies: session cookies and browser cookies. Some cookies and data collection technologies may be placed directly by D&B, and we may permit others to be placed by third parties. We group browser cookies into three categories: Required, Functional, and Advertising. You can manage your preferences with our Cookie Consent Manager by clicking on “Cookie Preferences” on the footer of our websites at any time. For more information, review our Cookie Policy.

Our Use of AI Systems

We are committed to responsible use of AI, development of AI systems, and implementation of responsible AI solutions that accelerate innovation, improve efficiency, and contribute to sustainable growth. This supports our foundational data compliance and ethics goals of preserving digital trust, reliable data-driven decision-making, and the sustainability of data ecosystems as described in our AI Ethics Policy.

Our responsible AI program is built on a foundation of 11 AI Ethics Principles, which guide our approach to responsible AI by design across the AI lifecycle. Our comprehensive approach is supported by shared governance coordinated through our agile AI Governance Council, which brings together expertise from leaders across our business responsible for compliance and ethics, cybersecurity, data governance, data science, intellectual property, and sustainability.

We are committed to transparent, meaningful disclosures about our AI systems in our solutions, processes, and communications. Where we use an AI system to process personal data, we will disclose that in one or more of the following: our Supplemental Personal Data Processing Statements, contextual privacy notices at the point of direct data collection, user guides, model cards, or transparency statements and disclosures related to scores, ratings, and other analytics.

Personal Data Sharing and Disclosure

In general, we share data, including personal data, in the following ways:

  • With other D&B companies, including subsidiaries, parent companies, and affiliates within the D&B corporate group of companies, including other markets in which we have operations, and in accordance with our Consistent Global Standards.
  • With members of the D&B worldwide network, which are independent providers of business information around the world with whom we have entered into commercial agreements, including data protection agreements, to support sourcing of data globally as well as distribution of D&B products in the worldwide network markets.
  • With our customers, which are businesses and other organizations with whom we enter into agreements to license or access our data via our products and services.
  • With authorized resellers whom we permit to resell our products and services.
  • With our service providers, including our subcontractors and subprocessors as necessary to help us carry out our business activities. Service providers that function as data processors are only authorized to process necessary personal data as specifically directed by us.
  • With other business partners with whom we may enter into strategic relationships to support our business.
  • Where required by law or for safety or fraud prevention, such as in the case of a law enforcement seeking information, regulatory agencies investigating a complaint, or other government investigation, including requests from national security agencies, in response to a court order, or to investigate, prevent, or take action regarding suspected or actual prohibited activities.
  • Through third-party cookies and related online technologies that are used by third parties to evaluate use and help us manage the performance of our online services, and for advertising purposes.
  • In connection with mergers, acquisitions, divestitures, and asset sales where the acquiring organization agrees to protections comparable to those set forth in this Statement.
  • With other third parties with your consent or authorization in accordance with applicable laws.

Where we disclose personal data about specific data subjects in unique ways, additional information is provided in our Supplemental Personal Data Processing Statements.

Cross-Border Data Transfers

D&B processes data in the United States as well as in other markets in which we have operations, referred to as our Owned Markets. Our transfers are managed in accordance with our Consistent Standards, including the 12 Principles of our Global Cross-Border Privacy Management System Policy and our intragroup agreements, and are governed by applicable laws, adequacy decisions regarding the protections in countries in which data is received, and multilateral frameworks for transfer and protection of personal data.

Data Privacy Framework

Personal data transfers from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to the United States: D&B legal entities in the United States comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. D&B has certified to the U.S. Department of Commerce that the D&B U.S. Entities adhere to the DPF Principles regarding the processing of personal data received from the EEA, UK, and Switzerland. If there is any conflict between the terms in this Statement and the DPF Principles, the Principles shall govern.

D&B U.S. Entities are responsible for the processing of personal data received under the DPF, and subsequently transferred to a third party acting as an agent on behalf of the D&B U.S. Entities. D&B U.S. Entities comply with the DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions. The U.S. Federal Trade Commission has jurisdiction over D&B’s compliance with the DPF.

For unresolved complaints concerning our handling of personal data received in reliance on the DPF, D&B U.S. Entities commit to refer unresolved complaints to TRUSTe, an alternative dispute resolution provider based in the United States. For employment-related data, D&B U.S. Entities commit to cooperate and comply with the advice of the panel established by the EU data protection authorities, the UK Information Commissioner’s Office, and the Swiss Federal Data Protection and Information Commissioner.

Cross-Border Privacy Rules System

Transfers from APEC Member Economies to other Dun & Bradstreet Owned Markets: Our privacy practices comply with the APEC Cross Border Privacy Rules System (CBPRs). The APEC CBPR system provides a framework for organizations to ensure protection of personal data transferred among participating APEC member economies.

Data Security

D&B has implemented a comprehensive cyber and data security program to protect D&B data, systems, and assets from loss, misuse, and unauthorized access, disclosure, alteration, or destruction based on the nature of the data and the risks associated with the data processing, taking into account current technology best practices and the cost of implementation.

Our data security functional policies include, but are not limited to:

  • Acceptable use of Information Assets Policy
  • Information Security Management Systems Policy
  • Information Security Policy Framework
  • Information Security Policy
  • Data Handling Standard
  • Cryptographic Standard

Data Retention

D&B stores data in accordance with our Records Management and Data Retention Policy, which supports our policies on Data Compliance and Ethics and Privacy and Personal Data Protection. Personal data is stored only as long as necessary for the purpose it was collected or otherwise in accordance with any applicable minimum periods defined by law. Where a legally defined period applies, we delete the data in accordance with the expiration of that period.

We define retention periods for D&B data that align with our legal obligations and legitimate business needs. Our data retention periods align with the purposes for which data are processed and the records and systems in which they are maintained. Data retention periods are documented for our data processing activities and systems. Data contained in static records are maintained in accordance with the retention periods for those records.

D&B Legal Entities to Which This Statement Applies

United States:

  • Dun & Bradstreet Holdings, Inc.
  • The Dun & Bradstreet Corporation
  • Dun & Bradstreet, Inc.
  • Avention, Inc.
  • Dun & Bradstreet Emerging Businesses Corp.
  • Dun & Bradstreet Government Solutions, Inc.
  • Dun & Bradstreet International, Ltd.
  • Dun & Bradstreet NetProspex, Inc.
  • Eyeota USA Inc.
  • Hoover's, Inc.
  • Lattice Engines, Inc.
  • MadObjective, Inc.
  • NetWise Data, LLC
  • Orb Intelligence, Inc.

How to Contact Us

If you have a question or concern about our privacy, data protection, compliance, or ethics practices, you may contact D&B Global Compliance & Ethics or raise a question or concern using our Helpline. You may also contact us at the relevant email addresses for your country or region.