1. Purpose of the Policy

This website (“Scope Accounts”) is operated by Scope Ratings GmbH.

This Privacy Policy explains the basis upon which Scope Ratings GmbH (“We” or “Data Controller”) collects and uses personal data.

Personal data means any information which relates to a specific person (“Personal Data”).

This Policy sets out the basis on which any Personal Data collected from or provided by the users, clients or subscribers of Scope Accounts website (“You” or “Data Subjects”), will be processed by the Data Controller.

Please read the following carefully to understand Our views and practices regarding Your personal data and how they will be treated.

The provisions set out in this Policy are regulated by and aligned with the General Data Protection Regulation – Regulation (EU) 2016/679 (“GDPR”).

For more information on the legal framework of this policy please consult the GDPR text at (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).

2. Which data Scope Accounts collects

The type of data that the Data Controller may need to collect vary according to the business relationship with the Data Subject:

  • Clients and Subscribers: the Data Controller will request only information that is strictly necessary for the fulfillment of the contract that a client signs with the Data Controller and for the provision of its services; for example, some of the information the Data Controller may need are:

    • Name and Surname;
    • Email address;
    • Telephone number/fax number;
    • Company and business address;
    • Password;
    • Gender.
  • Website Users: the Data Controller’s websites use few types of Cookies, which in some cases track Users activity with the aim to provide them with a better and smoother customer experience, whenever they are visiting any of Scope Accounts platform; for further details on Cookies, please read the section on “Use of Cookies” under this Policy.

3. Why Scope Accounts collects personal data

The collection of personal data through Scope Accounts website is driven by the principle of “contractual necessity”: any personal information that the Data Controller collects from the Data Subjects is necessary and functional to achieve and fulfil the specific, defined and legitimate purposes which are determined and made explicit in the contract between the Data Controller and the Data Subject.

As an example, We will request personal information to:

  • Provide regular information and updates to its subscribers;
  • Providing technical support in the use of Scope Accounts online platform;
  • Send clients relevant marketing material (where applicable);
  • Deal with clients or suppliers’ queries.

4. How Scope Accounts collects personal data

We collect personal information from a variety of sources and mainly:

  • Directly from the Data Subject through subscription forms and contract applications or declarations;
  • From third parties: for example, when a client provides an alternative point of contact for a specific matter/service;
  • From the Data Controller platforms either via subscription or by reviewing tracking activities made by Cookies.

Whatever method is used to collect personal information, the Data Controller is committed to always accurately and promptly inform the Data Subject and to request his explicit consent.

5. How Scope Accounts handles personal data

The personal data collected through Scope Account website are processed and handled following the key principles highlighted below:

  • Minimization: only those personal data which fit the purpose of the contract between the Data Controller and the Data Subject will be collected; the type of personal data that will be required will be determined on a case by case basis;

  • Integrity: the information collected from the Data Subject will be kept confidential by the Data Controller at any time; in case of personal data being transferred from one entity to another within Scope Group, the Data Subject will be promptly informed when signing a contract with the Data Controller (through a Declaration of Consent) or as soon as the transfer; becomes necessary; the standards of data confidentiality will be maintained unchanged;

  • Limited storage: the Data Controller will only keep personal data from the Data Subject as long as they are needed for the fulfilment of the business purpose as indicated in the contract between the parties; once the business purpose ceases, personal data will be permanently deleted after a retention period that varies from a minimum of six months to a maximum of ten years depending on each specific case;

  • Security: the Data Controller is committed to keep personal data it stores secure at any time against internal and external threats such as, but not limited to, accidental loss, unauthorised access and use; however, no data transmission over the Internet or other network can be guaranteed to be 100% secure. As a result, while we strive to protect information transmitted on or through the Properties or services, we cannot and do not guarantee the security of any information you transmit on or through the Properties or services, and you do so at your own risk.

6. Transferability

While performing some of its business activities, the Data Controller may use external service providers who mostly operate in the technology environment.

The Data Controller is committed to promptly notify the Data Subject in case his/her personal data are transferred to any of these external providers and to accurately explain the nature, purpose and duration of the transfer.

The Data Controller is also accountable for granting that the same standard of protection on personal data belonging to its clients/suppliers is also observed by its external service providers.

The Data Controller mainly operates in EU and EEA Member States, which are subject to the legal provisions set out in the GDPR on personal data protection.

7. Confidentiality and security

The Data Controller is committed to keep personal data from Data Subjects secure and to treat them confidentially at all times.

To ensure personal data are handled accurately, the Data Controller is accountable of granting that:

  • Personal data are handled by employees who are fully trained to do so;
  • The processing and handling of personal data is properly supervised;
  • Personal data processing practice within the Data Controller is regularly reviewed and audited;
  • Scope employees are aware of the policies regulating personal data processing and of the impact and consequences of potential breaches in data protection.

In case a breach of personal data occurs, the Data Controller is responsible of notifying the Data Subject(s) affected promptly and efficiently and to swiftly take any necessary actions that could help reducing the impact of the breach.

Specifically, in the event of a data privacy breach:

  • The DPO must be notified in writing within 24 hours from the data privacy breach;
  • The DPO will take care of notifying the Supervisory Authority as well as any relevant stakeholder and to investigate the breach further where required;
  • The DPO will notify the client and the Supervisory Authority of the outcome of the investigation.

The Data Controller is also committed to perform an exhaustive and thorough investigation both internally and externally (with the involvement of the supervisory authority if needed) on the root cause of the breach and to take any corrective measure in a timely manner, to help preventing the breach to occur in the future.

8. Use of Cookies

The Data Controller uses Cookies while running its web platforms: the function of these Cookies is to partially track the activities of platform/websites users with the aim of providing a better customer experience; usually, it is possible to customize the use of Cookies on each PC through the settings page.

Cookie nameFunction
_gaCookie used by Google Analytics to distinguish users (https://developers.google.com/analytics/devguides/collection/analyticsjs/cookieusage)
_gidCookie used by Google Analytics to distinguish users (https://developers.google.com/analytics/devguides/collection/analyticsjs/cookieusage)
_twitter_sessCookie used by Twitter to view Twitter social status
LANGKeeps language preference of user
JSESSIONID, ASIDKeep user credentials to avoid log out when reloading the page

9. Social Media Plugins

Scope Accounts websites uses plug-ins for social media platforms which allow You to share information or to follow Us on Your social media’s profile.

When You click on the plug-in button, the social media will automatically receive the information on the page You visited and on the content You viewed.

For more details on data protection policy for each social media, please visit the following pages:
For Twitter:

  • Plug-Ins: https://dev.twitter.com/web/overview/privacy
  • Privacy Policy: https://twitter.com/de/privacy
For LinkedIn:
  • Plug-Ins: https://developer.linkedin.com/plugins
  • Privacy Policy: https://www.linkedin.com/legal/privacy-policy
For Bloomberg:
  • Privacy Policy: https://www.bloomberg.com/notices/privacy/

10. Data Subjects rights and duties

Although some of the personal data are held and handled by the Data Controller, Data Subjects remain the owner of this information and, as such, they keep the following rights:

  • Right to access the data: Data Subjects have the right to access any information concerning them held by the Data Controller; additionally, the Data Controller takes any reasonable steps to ensure that the personal data it holds for its customers are kept up to date and accurate;

  • Right of revocation: at any time, the Data Subject can withdraw the consent for the handling and processing of his/her personal data by the Data Controller; the Data Subject can also change the level of consent, i.e. not withdrawing it entirely, but restricting its applicability; requests to revoke personal data should be sent via email to privacy@scopegroup.com;

  • Right of erasure: Data Subjects have the right to request the complete deletion of their personal records held by the Data Controller: requests to delete personal data must be submitted via email to privacy@scopegroup.com; this right does not apply if there is a legal or official obligation to store this data;

  • Right of data portability: personal data can be transferred to another service provider upon request from the Data Subject; this right is only applicable to information which the Data Subject he or she has provided to the Data Controller;

  • Right to complain: Data Subjects have the right to object the way personal data are processed by the Data Controller and they have the right to raise a complain directly with the local supervisory authority.

The Data Controller is committed to keep the personal data it stores up to date and accurate, nevertheless it is the Data Subject’s responsibility to promptly notify the Data Controller of any relevant change that may affect the personal records it keeps.

11. Update of the Policy and point of contact

The Data Controller is committed to periodically review its Privacy Policy with the aim of granting Data Subjects the best and more extensive level of protection: updates of the Policy will be automatically published on Scope Accounts website without any previous notice, therefore users are strongly recommended to regularly check Scope Accounts official online page for the latest version.

For further information or questions regarding Scope Accounts website Privacy Policy, please contact us at privacy@scopegroup.com

12. Additional contacts

Data Protection Officer:
Christian Werner
Scope SE & Co. KGaA
Lennéstraße 5
D-10785 Berlin
Phone +49 30 27891-0
Fax +49 30 27891-100

Data Controller:
Scope Ratings GmbH
Lennéstraße 5
D-10785 Berlin
+49 30 27891-0
+49 30 27891-100

Managing Director: Torsten Hinrichs
Commercial Register Berlin: HRB 192993 B
VAT-ID: DE226486027

Supervisory Authority
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
D-10969 Berlin