Data Protection Statement

EU Data Subjects


Morningstar is committed to the responsible handling and protection of personal information and sets out in this statement how we do that. This Statement is supplemental to Morningstar’s General Privacy Policy, which can be found at Privacy Policy.


Who is collecting and using personal data?

Morningstar, Inc. and its Affiliates and Group Companies
For more information on the Morningstar Group of Companies please go to http://corporate.morningstar.com/US/asp/company.aspx?xmlfile=7094.xml

What personal data does Morningstar collect?

We collect limited personal information (where necessary), such as name, email, phone number, payment details and address from our clients / subscribers, website visitors and other third parties.

Why does Morningstar collect this personal data?

We collect personal data to fulfil our contractual and legal obligations and to provide information to those parties who have registered with us via our websites to receive information about our products and services. We use the personal data to administer and support the contracts we have with clients and our clients’ authorised users, including providing updates about the products and services clients have bought or licensed, managing and dealing with enquiries that clients or third parties make to Morningstar, and informing clients or contacts who have registered with us (“marketing contact”) of Morningstar products and services that we feel may be of interest to them.

Is Morningstar a “processor” or “controller” of personal data?

Morningstar confirms that: (a) in connection with the performance of its legal obligations or exercise of its rights and obligations under a contract it has in place with a client, a supplier, a third party or where someone has registered to receive information about Morningstar it will be processing personal data as a data controller under GDPR; and (b) where a client subscribes to a Morningstar online tool or service into which they input personal data of their employees, or other third parties for their own purposes, the client will be the data controller in respect of this personal data. The client should therefore ensure that it and its authorised users are compliant with the GDPR obligations as a controller of this personal data, can comply fully with data access requests, and have consent (where required) or other legitimate grounds for the processing of the personal data inputted into the online tool or service. As Morningstar hosts the personal data inputted into the online tool, Morningstar will be defined as a data processor under GDPR.

Who has access to client personal data?

Only Morningstar staff within the Morningstar Group who need access to personal client data to perform their roles have access to it and do so in accordance with Morningstar’s Data Protection Policy.
Morningstar uses a small number of third parties to provide systems and software for its administrative functions, such as sales processing, accounting / finance management and procurement. In such cases Morningstar remains controller of the client personal data and the third parties only process the data in accordance with our instructions and we ensure such third parties are compliant with all applicable data protection regulations in relation to their processing activities.

Who has access to personal data I input into an online tool or service?

Only a client and their authorised users will be permissioned to input, update and delete personal information from their instance of the online tool. Morningstar may be able to view the personal data when remote support is provided and a client shares their screen, but Morningstar will not be able to do anything with the personal data other than guide them through their support request.
It is important that clients and authorised users who input data into hosted tools or services are aware of their obligations under GDPR as only they will be able to access this data to comply with subject access and deletion requests.

How does Morningstar keep personal data secure?

For both client personal data and personal data that it hosts within an online tool, Morningstar has in place technical and organisational measures to ensure a level of security appropriate to the nature, scope and purpose of its processing of personal data. Further information about Morningstar’s security measures is available by contacting privacyenquiries@morningstar.com

How long does Morningstar hold personal data for?

Morningstar retains client personal data only for as long as necessary to fulfil our contractual or legal obligations. Individual jurisdictions have different tax, accounting, regulatory and legal retention requirements and Morningstar is bound to keep certain personal data in accordance with these local requirements.
For personal data a client may have inputted into an online tool or service, Morningstar will delete the information linked to that account once the licence terminates, within the timescales stipulated in the relevant tool or service documentation.

Does Morningstar transfer and / or process personal data outside of the EU?

Morningstar is a global company and does transfer and process personal data outside of the EU. Morningstar ensures it has appropriate safeguards in place to protect the personal data and to make enforceable rights and effective legal remedies available to data subjects.

Does Morningstar host the online tools and services outside the EU?

Morningstar is a global company and does host instances of the online tool outside of the EU. Morningstar ensures it has appropriate security and failover safeguards to ensure its SLAs for availability are met to protect the integrity of the online tool and the personal data and information inputted by the authorised users.

How can a client contact Morningstar to exercise their rights in respect of the personal data held?

GDPR provides data subjects with rights in respect of their personal data, including the right to update or correct data, receive details of the personal data held, ask for the personal data to be erased or to be provided to another controller.
Morningstar has in place measures to ensure that these requests can be actioned within the statutory timescales set out under GDPR.
Data subjects should send their access requests to privacyenquiries@morningstar.com
Morningstar will respond to an access request as soon as possible and no later than 30 days from the request. In some cases, there may be reasons Morningstar cannot accede to a particular request, for example where local retention periods require the holding of personal data for a certain period of time or such data is required to perform our obligations or exercise our rights under an Order Form and/or Agreement. If we cannot accede fully to a data subject access request, we will respond as soon as possible with reasons.

Can Morningstar action data access requests on behalf of a client or authorised user in respect of the personal data they have inputted into their instance of the online tool?

No, Morningstar has no ability to input, update or delete the personal data or other information within the tool hosted by us. Whilst certain Morningstar support staff may be able to view data an authorised user has inputted when an authorised user asks for support and shares their screen, only the client (and their authorised users) will be able to delete, update, comply with data subject access requests and / or purge data from the online tool.

Cookies and tracking technologies

Morningstar sets and uses cookies and similar technologies to store and manage user preferences, enable content, provide targeted advertising and gather information about online activities across applications, websites and other services. Details about what cookies are used on a particular website or application will be found on the “cookies” link within that website, application or service along with details about how cookie preferences can be managed and updated. Some settings will not permit certain functions of the website or application to work. As all settings may be different it is important to refer to the relevant settings for more information.

Contact details of the Data Protection Officer

If you have any questions or comments about the information contained in this statement and/or any other privacy enquiries, including if you want to complain about Morningstar’s collection and use of personal data, please contact:

  • The Data Protection Officer (DPO)
  • Morningstar UK Limited
  • 1 Oliver’s Yard
  • 55-71 City Road
  • EC1Y 1HQ – London
  • Phone : (+44) 020 3107 0000
  • Email : privacyenquiries@morningstar.com

Right to lodge a complaint with the Regulator (“Data Protection Authority”)

If you have any concerns about Morningstar’s information rights practices, we would hope you would contact the DPO in the first instance. However, if you are still dissatisfied, you can complain to the relevant local Data Protection Authority via the links below. EU Information Commissioners