Product Information
business of Thomson
World-Check
(including Screening Online and Screening Deployed)
This overview answers common questions about how personal data in
World-Check (including in Screening Online and Screening Deployed) is
handled, stored and protected.
What is World-Check?
World-Check holds information that helps financial
institutions, corporates, professional service firms,
governments, law enforcement agencies, regulators
and other World-Check customers (“WC
Customers” or “You/Your Staff”) to perform due
diligence and other screening activities in
accordance with their legal or regulatory obligations
and risk management procedures which are carried
out in the public interest (“Checks”).
How is personal data used in
World-Check?
World-Check researchers gather data from public
sources (such as official records and news sources)
and carry out standard checks of the information
entered into World-Check.
Researchers will only include information about an
individual within the World-Check database if public
domain data suggests that there is information
about him/her that institutions ought to be aware of
for the purposes of the Checks.
Inclusion of an individual within the World-
Check database does not by itself demonstrate
criminality or wrongdoing of any sort. Some
individuals are only included in World-Check
because they have, for example, held public office
and guidelines such as those of the Financial Action
Task Force require financial institutions to be able
to identify these types of individuals.
WC Customers can search the World-Check
database to check if an individual is included in it.
However, this information is intended to be only part
– and not all – of any WC Customer’s Checks.
World-Check flags issues for investigation: it
does not provide any conclusions about
individuals and where World-Check contains
September 2020
The Financial and Risk
Reuters is now Refinitiv
negative allegations, it should be assumed that
the allegations are denied.
In order to safeguard individuals’ privacy, and the
integrity of the World-Check database, WC
Customers are not able to amend personal data on
the World-Check database.
More detailed information about how personal data
is used in World-Check (and on the types of
information held in World-Check) can be found in
the World-Check Privacy Statement available
online: https://www.refinitiv.com/en/products/world-
check-kyc-screening/privacy-statement
Is Refinitiv a controller or
processor of data?
For the purposes of EU data protection laws,
Refinitiv Limited acts as controller of personal data
in the World-Check database. The only exception to
this is the Ongoing Screening and Watchlist
functions in World-Check. The Ongoing Screening
function enables WC Customers to receive updates
to Checks to reflect any changes to the information
on individuals in World-Check. Watchlist allows WC
Customers to store the names of individuals of
interest on the World-Check platform so as to
conduct Checks against them. Refinitiv will host the
names of these individuals and details of the
Checks conducted against them as processor in
accordance with the WC Customer’s instructions.
Separately, WC Customers (as data controllers) are
responsible for any personal data they record as a
result of, or in connection with, the use of World-
Check (including the use of Ongoing Screening and
Watchlist). WC Customers’ processing of that
personal data for these purposes is separate and
distinct from the processing of Refinitiv as a
controller. Therefore, Refinitiv should neither be
considered a joint controller nor a controller in
Page 1
PRODUCT INFORMATION
common of any personal data. WC Customers are
solely responsible for ensuring their compliance
with data protection laws.
How can customers use World-
Check?
Some of the personal data contained in World-
Check is special category data that attracts extra
protection under EU data protection laws. For
example, World-Check holds public domain data
about actual or alleged financial crime.
Therefore, all WC customers must respect the
following commitments and restrictions when
using World-Check.
Commitments
✓ to bring the World-Check Privacy Statement to
the attention of individuals that You search
against on World-Check so they are aware that
You use World-Check and understand how we
handle their personal data. The World-Check
Privacy Statement can be found at:
https://www.refinitiv.com/en/products/world-
check-kyc-screening/privacy-statement
✓ to carry out Your own investigation into any
circumstances flagged by World-Check
✓ to assume that individuals deny any allegations
made about them
✓ if You have purchased the World-Check data
file, datafeed or API to implement any updates
(including deletions) we send to you
promptly – this helps to keep data accurate and
to stop it being retained for excessive periods
✓ to keep access to World-Check, and the World-
Check database (if you have a copy), secure –
you should take advice from Your information
technology security team on how to do this
✓ if you have purchased the World-Check data
file, datafeed or API, identify to us a named
person who is responsible for the security of
World-Check data
✓ complete and return any questionnaires we
send to you about the use of World-Check
promptly – this helps us to check that World-
Check is being used in a way that provides
adequate protection for individuals’ personal
data
Restrictions
 not to use World-Check for any purposes
other than as part of your own internal
September 2020
WORLD-CHECK
compliance processes to assist You with
performing due diligence and other screening
activities that are necessary for reasons of
substantial public interest on the basis of, or as
authorized by EU Law/applicable law, for
example in connection with Your legal or
regulatory obligations connected to preventing
or detecting unlawful acts (such as money
laundering, terrorist financing or fraud)
 not to use World-Check to make automated
decisions about an individual or his/her
business
 not to allow Your Staff who have not reviewed
World-Check User Training made available to
You by Refinitiv to use World-Check
 not to use the Watchlist function to upload
or compile a list of individuals, entities or other
persons that You do not wish to do business
with
Where are the data centers for
World-Check located?
The primary data centers for World-Check are
located in the United Kingdom and data is also held
in the Amazon Web Services Cloud, with a primary
data center in Ireland, and secondary location in the
United Kingdom.
Can personal data be accessed
from outside of the EEA?
World-Check is a global service and Refinitiv is a
global organization that provides 24/7 solutions to
customers around the world. In order to do this, it
uses a global team to provide services, support and
maintenance.
This means that personal data on World-Check may
be accessed from countries outside of the
European Economic Area (“EEA”) in accordance
with applicable laws. For more information on these
countries, please see the World-Check Privacy
Statement:
https://www.refinitiv.com/en/products/world-check-
kyc-screening/privacy-statement
When we transfer personal data from the EEA to
other countries whose laws do not offer the same
level of data protection, we will ensure that there
are adequate safeguards in place to protect the
personal data that comply with our legal obligations.
WC Customers (as data controllers) are solely
responsible for complying with data protection laws
when they transfer personal data outside of the
EEA as a result of or in connection with their use of
World-Check.
2
PRODUCT INFORMATION
How long is data retained for?
The personal data in World-Check is retained by
Refinitiv for so long as required in order to inform
current and future Checks conducted by WC
Customers. In determining this length of time,
Refinitiv takes into consideration local laws, the
reasonable requirements of WC Customers, the
rights of individuals and the continuing relevance of
the personal data (which is assessed through
ongoing relevancy checks). We also carry out
ongoing checks to ensure that personal data in
World-Check remains relevant even before it
reaches the end of its retention period.
When personal data reaches the end of its retention
period or Refinitiv otherwise identifies that it is no
longer relevant - Refinitiv securely deletes or
destroys it from the World-Check database.
Where WC Customers have purchased the World-
Check data file, data feed or API, Refinitiv provides
them with daily updates and deletions of data in the
World-Check database. This is to ensure that the
World-Check data held by such WC Customers
continues to reflect the World-Check database
maintained by Refinitiv. If You hold a copy of the
World-Check database on Your own systems, You
must implement all updates and deletions promptly.
How is personal data secured?
Securing personal data is a priority at Refinitiv and
a key aspect of protecting privacy. Our security
organization applies policies, standards and
supporting security controls at the level appropriate
to the risk level and the service provided. In
addition, appropriate security controls are
communicated to application owners and
technology teams across the business to support
secure development of products and a secure
operating environment. World-Check is also subject
to an ongoing audit and assessment programme
and has received independent assurance against
the ISAE 3000, Type II standard.
We pay specific attention to the protection of
personal data and the risks associated with
processing this data in World-Check. In particular,
the security infrastructure applying to World-Check
includes:
• robust controls around the inclusion and
maintenance of information in World-Check
which are designed to ensure the accuracy
and relevance of information in World-Check
• education and training to relevant Refinitiv
staff on the proper handling of personal data;
September 2020
WORLD-CHECK
• administrative and technical controls to restrict
staff access to the personal data in World-
Check
• a business continuity and disaster recovery
strategy that applies to World-Check and
which is designed to safeguard the continuity
of access to, and security of, World-Check;
• physical security measures, such as staff
security passes and strict controls on access
to locations of World-Check servers
• monitoring compliance with our policies,
procedures and controls;
• regular penetration testing by an independent
third party company; and
• regularly scanning of code and infrastructure
using third party capabilities
We do not agree bespoke security and data
protection specifications for customers as the
stability and integrity of the World-Check solution
rely on the standardization of our security and data
protection methodologies.
Annual privacy assurance and
WC Customer training
Refinitiv conducts annual privacy assurances with
its WC Customers to check that World-Check is
being used by WC Customers in accordance with
the terms and conditions applying to it. This will
include obtaining an acknowledgment that the WC
Customer and its users are only using World-Check
for the limited purposes permitted by Refinitiv and
demonstrating that Your Staff understand such
purposes and have been provided with appropriate
privacy guidance and/or completed any privacy
training applying to World-Check.
You agree that Your Staff will complete any such
privacy training and that on request by Refinitiv,
You will complete the World-Check annual privacy
assurance (including, where You purchase the
World-Check data file, providing evidence of the
acknowledgements outlined in the paragraph
above). Where You purchase a hosted version of
World-Check, Refinitiv will obtain these
acknowledgments bi-annually from Your staff when
they log in to World-Check.
Security of World-Check data file
Refinitiv requires WC Customers that purchase the
World-Check data file to establish and maintain an
adequate accreditation e.g. ISO 27001 or
equivalent, that is acceptable to Refinitiv) for the
people, processes and IT systems that they use to
process World-Check data.
3
PRODUCT INFORMATION WORLD-CHECK

If You purchase the World-Check data file, You

agree to meet the requirements outlined in the
paragraph above at Your own cost and to provide a
copy of your accreditation report to Refinitiv upon
request. Refinitiv will be able to determine whether
You are maintaining the necessary accreditation on
the basis of the report.

Personal Data Breaches

Refinitiv implements appropriate measures
designed to prevent personal data breaches. These
measures include:

• strict controls on access to World-Check and

World-Check’s physical infrastructure;
• regular scanning and penetration testing to
identify potential security vulnerabilities;
• use of encryption (where appropriate); and
• contractual obligations on Refinitiv third party
service providers to comply with our IT
security policies.

The measures we use are also reviewed and

updated as necessary to meet changes in
regulatory requirements.

WC Customers must also implement such

measures and You agree that You will do so and
also notify TR promptly of any actual or suspected
personal data breach affecting World-Check.

Individual rights
Under data protection laws, individuals may have
certain rights in relation to information held about
them (e.g. a right to request a copy of their personal
data or to request inaccuracies in such data to be
corrected). If You receive a request from an
individual seeking to exercise a right in relation to
information about them in World-Check, You agree
to promptly forward this request to Refinitiv as data
controller. Refinitiv shall respond to this request,
unless we expressly agree otherwise. You agree to
provide reasonable cooperation to enable us to
formulate that response.

For more information

If You would like to know more about our approach
to processing and protecting personal data as part
of World-Check, please contact Your account
manager.

For general questions on how Refinitiv deals with

personal data, please contact us at:
privacy.enquiries@refinitiv.com

4
September 2020