Company.info provides complete, reliable and up to date information, business news and predictive insights about companies and their directors. We bring together relevant business data, structure them and make them accessible to businesses. As part of that, we also process personal data.

We would like to explain in this privacy document which (personal) data we process and why we do so. We also provide insight into our policy and the guarantees we provide to do this as carefully as possible. We want to answer questions you may have about why and for what purpose information that concerns you appears in our systems and how we use it. If you are missing information or have feedback, we would like to hear from you.

This document is a supplement to the ‘privacy & cookie statement’ of Company.info.

Furthermore, as a member of the Association for Professional B2B Information (VVZBI), Company.info is bound by this industry organisation’s Privacy Code of conduct.

Company.info is a data service provider focused on the business sector. This means that we collect, combine and supply various types of data to businesses. In performing our work, we also process personal data. In processing personal data, we distinguish four categories.

Category 1: personal data from public registers

Company.info retrieves, combines and enriches data from a number of public sources and registers, such as the Commercial Register of the Chamber of Commerce and the Land Registry, in fulfilling its service provision to its customers. Schedule 1 contains an overview of all the public registers which Company.info uses. The purpose and functioning of these registers is regulated by law: for instance, to promote and safeguard legal certainty in commerce.

First, we collect data from various public sources. Based on those data, we create profiles of companies, officers and/or addresses; then we link these profiles to each other if relevant. This creates a network of rich, complete profiles of a company, officer and/or address, which provides users with insight. Finally, we make these data and profiles searchable (on the basis of search criteria) and make these data available online to business customers via technical integrations (APIs) and as individual files.

Category 2: personal data from data partners

In addition to retrieving and providing data from public registers, Company.info also does this with data from its data partners. This could include international business information, for instance, such as sanctions lists, PEP-lists and the provision of credit ratings for companies. Schedule 1 contains an overview of personal data that we supply on a one-to-one basis from our data partners to our customers.

Category 3: personal data from Company.info customers

Some customers commission Company.info to supplement or analyse their own (customer) data. The data supplied by these customers can also include personal data. After enriching these data, Company.info returns them to the customer, often accompanied by advice, for instance on how the customer compares with respect to industry peers or where the greatest risks or opportunities lie.

Category 4: personal data from Company.info users

We also process the (personal) data of our users and customers in the context of performing contracts with customers and optimising our service provision. See Schedule 1 for an overview of these personal data. How Company.info handles those data is described in detail in our privacy statement.

Category 1: personal data from public registers, websites and from data partners

To inform our users about business opportunities and risks, we offer solutions in the area of data quality, data integration and data insights. Providing personal data from public registers and from data partners is a necessary part of this. Our purpose for processing this data is compatible with the legal purposes of these registers: the promotion of legal certainty in economic transactions and – through transparency – the promotion and support of economic activities. Companies need this information to know who they are doing business with. Professional companies are expected to conduct a check on this (‘Know Your Customer’). In some cases, it is even legally required, for example under the Dutch Money Laundering and Terrorism Financing Prevention Act (‘Wet ter voorkoming van witwassen en financieren van terrorisme’, Wwft). Some concrete examples of applications are:

1. Providing insight into who within a company is formally authorized to represent that company;
2. Providing insight into the financial position and recovery options of a company to determine better whether business can be done and under what conditions;
3. Identifying possible corruption, fraud and money laundering risks linked to companies and their UBOs and company officials, e.g. by screening them against (inter)national PEP and sanctions lists;
4. Providing insight into the natural person(s) behind a company and directly providing insight into their recovery options, other companies and historical companies, in order to also provide insight into cross-border corporate structures, and the opportunities and risks that this entails;
5. Providing insight into the network of directors, supervisors and other company officials and thus into the moral position and possible conflicts of interest within a company;
6. Carrying out market analyzes and market segmentations within the business market, and providing insight into the most interesting companies (leads) to approach commercially;
7. Facilitating business conversation preparation by providing insight into what is going on at a company (news, vacancies, management changes, etc.) and who is ultimately responsible; and
8. Providing insight into ownership positions in real estate within the real estate market are linked to them to determine the expected profitability, the risk profile and required risk surcharges when conducting financial transactions.

Category 2: personal data of Company.info customers

In this category, personal data are processed in the context of analyzing and enriching data that customers provide to us to help them identify risks and opportunities and thus improve their business operations. With a better understanding of the market, they can increase their economic opportunities. A few concrete examples are:

1. Performing analyzes and segmentations in the (international) business market and providing insight into the most interesting companies (leads) to approach commercially;
2. Checking and supplementing a customer database for a CRM system with complete and up to date information about the address and the company. This increases the quality of customer data, because duplicate, outdated and missing business information is cleaned up.

Category 3: personal data of Company.info users

Company.info processes personal data of users for several purposes, all of which revolve around continuously providing good service. Some examples:

1. Managing user accounts, including being able to detect abuse and act on it;
2. At the specific request of a customer, we, in consultation, compile an aggregated overview of the use of our services by its users;
3. Improve our services by, for example, showing personalized watchlists and news articles to our users based on their preferences;
4. Further development of Company.info products based on anonymized use by our customers;
5. Carrying out customer research/analyses, for example by analyzing in aggregate which services are rated best/least and used most/least, to improve our services; and
6. Sending by email or displaying (personalized) features, content, offers, user information, service notifications, etc. on a website. More information about this can be found in our privacy & cookie statement.

Category 1: personal data from public registers, websites and data partners

Company.info’s legal basis for processing this category of data is ‘legitimate interest’. Our service provision is focused on facilitating our customers in promoting legal certainty and transparency in commerce and encouraging economic activities. These are legal interests with a robust statutory foundation, as laid down in, for instance, the Commercial Register Act 2007 (see art. 2 Handelsregisterwet), the Land Registry Act (see art. 2a Kadasterwet) and regulations for mandatory screening based on the Money Laundering and Terrorist Financing (Prevention) Act (see art. 2a and 2b Wwft).

By combining and making searchable data from various (public) sources, Company.info helps companies and institutions to realize the necessary legal certainty, transparency and economic impact as efficiently, effectively and carefully as possible. By offering this data via our online platforms (Company.info Online, KYC.app, CIPE) or via our API product, we support companies to act transparently, honestly and reliably, for example, to prevent fraud. We also help them to comply with specific legal rules, such as the Wwft. We also enable organizations with a public task, such as media, government agencies and supervisory bodies, to see who is responsible and liable for what in economic transactions.

Of course, we handle the privacy of those involved with care. We strive to prevent infringements on the privacy of those involved as much as possible in our services and, where this is not possible, to limit the consequences as much as possible. We have built in the following guarantees for this purpose:

1. This category of personal data, as processed by Company.info, can often also be consulted by anyone in public registers. Company.info only ensures that this data is offered via a more attractive interface;
2. To this end, Company.info also collaborates with public registers. For example, we have been officially recognized by the Chamber of Commerce as a ‘service provider’, see https://www.kvk.nl/over-het-handelsregister/betrouwbare-handelsregisterproducten-via-erkende-kvk-partners/.
3. Personal data in our products are only offered (i) against payment, (ii) via a secure environment to (iii) exclusively Company.info customers;
4. Company.info only provides the data to companies and people who need this data professionally, so not to private individuals;
5. The data provided is always and only offered in the professional or business context of the data subjects;
6. We only provide specific personal data, such as listing on international sanctions lists, to specific customers who meet even more specific purpose binding criteria, and then only under certain additional stringent contractually agreed conditions;
7. Because the data is only offered to our customers, we can always verify who uses which data;
8. Our customers must comply with our terms of use. We inform our customers of their transparency obligation in every agreement. Our customers must also guarantee that they will only process the personal data in accordance with applicable laws and regulations. For example, they may only use telephone numbers of persons for marketing if these persons have given their prior consent. They must also respect the ‘Non Mailing Indicator’ (NMI) of the Chamber of Commerce and may not use data from the Land Registry and the Chamber of Commerce signal ‘new registration’ for direct marketing or other forms of unwanted approach;
9. In addition, Company.info has its own ‘opt-out marketing indicator’ that can be activated by sending us an email (service@company.info) and that the customer must respect (see below);
10. In addition, customers have committed themselves not to use certain data for profiling of individuals or discrimination of certain population groups;
11. In the event of signals of abuse or unlawful use, Company.info will investigate. If it turns out that a customer is indeed not adhering to the agreements, Company.info will warn this customer to stop its actions; if that does not help, Company.info will immediately disconnect that customer.
12. Company.info does not offer customers more information than they need. Given the need for careful handling of personal data and the protection of privacy, Company.info’s services are designed in such a way that customers only purchase data that is necessary for a specific purpose.

Company.info does not process special categories of  personal data, such as data about race, religion, political preference or sexual orientation. Such data are not registered as such in the database. However, it is inevitable that if mentioned as  a board member of, for example, a religious association or other organization indirectly gives an indication of the religious beliefs of that person. In those cases, however, Company.info reports only what is stated in public sources, such as the Trade Register, about that person, and we limit ourselves to the processing of personal data that has been made public by the person themselves.

Company.info online also offers, without a customer relationship, a ‘basic’ version of a company profile (the Freemium model). This gives potential customers an idea of ​​our product. Company.info also strives to keep the impact of this feature on the privacy of the person concerned as small as possible. Everyone, including parties without an agreement, has access to these ‘stripped-down’ company profiles, but on the other hand, to protect the privacy, we have omitted as much personal data as possible in it. For example, the business address and mobile phone number of sole proprietorships are shielded. No information about directors of legal entities, such as B.V.s, is provided. Furthermore, only publicly accessible information is shown.

Category 2: personal data of Company.info customers

In this category, Company.info processes data from the customer based on a specific order from that customer. For that product, called Marktview, the customer is responsible for collecting and selecting the personal data that he provides to Company.info. In that case too, Company.info makes clear agreements with the customer about what the data from Company.info may be used for and how this customer must guarantee your privacy. These conditions are also contractually laid down in an agreement. Part of these agreements is also always that the customer complies with all applicable laws and regulations, such as the GDPR, including his transparency obligation.

The legal basis for this processing is ‘legitimate interest’.

Category 3: personal data of Company.info users

This category of data processing is necessary for the execution of the agreement that we have with our customers and is done where necessary on the basis of explicit and express consent. The agreements and/or the privacy statement set out which data is processed and for what purpose. If the agreement is concluded by someone who represents a larger group of users, we also point out to this person his/her duty to provide information to those users. More about this can be found in our privacy statement.

Company.info is responsible for compiling and managing its database with the data of all companies in the Netherlands. In terms of the GDPR, Company.info is the controller for those processes.

In providing services to its customers, and the processing that comes with it, Company.info qualifies as a processor in GDPR terms. That is why Company.info concludes a data processing agreement (DPA) with each customer in addition to a service agreement, as prescribed by the GDPR.

Company.info focuses on five concepts when processing personal data:

• Purpose limitation
• Data minimization
• Transparency
• Information security
• Data leak protocol

Purpose limitation

The personal data are processed exclusively for the purposes as set out above. For data from public registers, this means that we enforce our customers to only use this data in line with the legal purposes that underlie the public nature of this data. We make explicit contractual agreements with our customers about this. If necessary, Company.info also takes action when customers fail to meet their obligations.

In this context, Company.info is also strict about the use of data for direct marketing. If the so-called ‘Non Mailing Indicator’ (NMI) is enabled when registering in the Trade Register of the Chamber of Commerce, we contractually enforce that our customers fully respect this. If this does not happen, you can let us know via service@company.info and we will take immediate action. Customers are also not allowed to call people based on Company.info data if they have not given permission for this.

In addition, Company.info also has its own ‘opt-out marketing indicator’ that we can activate for data subjects if desired. The opt-out marketing indicator concerns a total exclusion of data for marketing purposes. We have developed this indicator on our own initiative in response to the increased negative sentiment of being approached unwantedly for commercial purposes.

Data minimization

In addition, personal data is not stored longer (in a form that makes it possible to identify the data subject) than is necessary for the purposes for which it is processed.

Company.info’s policy is designed in such a way that the number of people who have access to personal data is limited to only those people from whom it is necessary given the nature of the processing. These employees have also all contractually committed to confidentiality.

We design our products in such a way that additional privacy safeguards come into effect, where necessary and possible. Two examples:

1. We only make a small part of our information available on the open internet: a minimal version of a company profile (‘Freemium model’, see above). In this profile, for example, we have deliberately chosen not to make the personal data of directors visible. We also do not show mobile phone numbers of sole proprietorships. Furthermore, it is not possible to ‘search’ for directors in that feature.
2. Data solutions that focus on (also) investigating individuals are only provided as an additional service, for which additional specific conditions apply.

These privacy by design measures offer additional guarantees for data subjects.

Transparency

Company.info sees it as an important responsibility to inform data subjects as effectively and transparently as possible about the processing of their data. Given the scope of the processing and the large number of data subjects, Company.info informs everyone by describing in detail on its website which data it processes, from whom, why and for what purpose. Everyone can also always email our service department (service@company.info) for an explanation; you are guaranteed to receive a response within two working days.

In addition, every data subject always has the option to:

• Get an overview of his personal data with us;
• Request rectification of incorrect personal data concerning him, or to provide additional data if the processing takes place based on incomplete data. We will immediately rectify and/or supplement the data if this information has Company.info as its source.
• Object to the processing of personal data concerning him, insofar as this processing is based on the legitimate interest of Company.info and there are no overriding compelling legitimate grounds for the processing.
• A data subject can also request that his data be removed from our systems, for example if his privacy interest is disproportionately affected or if we appear not to be acting lawfully. We would be happy to discuss this. The data subject can contact us for this via service@company.info. For the sake of clarity, we would like to point out that removal from our systems does not mean that a person has also been removed from the public registers.

Do you suspect that Company.info is not acting in accordance with privacy legislation, or do you have comments or questions, then we would of course like to hear from you. Data subjects can contact us for this by sending an email to service@company.info stating ‘Review of personal data/inzageverzoek’. Please include your full name, company name and position in this email. We will be happy to assist you. You can also file a complaint with the Dutch Data Protection Authority (AP). Finally, in accordance with the GDPR, we maintain a processing register.

Information security

Information security is a top priority for Company.info and its parent company FD Mediagroep. This is evident from our ISO 27001 certification, among other things. It is not only our business, but we also attach great value to the privacy of those involved.

We find it very important to secure our information as well as possible. We have therefore taken a large set of information security measures. In Appendix 2 you will find the most important aspects of our information security.

Data leak protocol

The security of personal data and systems is of great importance to us. Despite our care for the security of our systems, it is possible that a weak spot may still arise. That is why we have drawn up a data leak protocol and a working method for ‘responsible disclosure’.

Below is an overview of the types of data sources that Company.info works with. For each source, we indicate which personal data we provide, including examples.

Chamber of Commerce

1. Personal data of company officials / shareholders, such as:
   – Name and date of birth of directors, shareholders and proxies;
   – Private address of company officials if the company is located at a private address and this address is not shielded.
2. Personal data of entrepreneurs who have named their company after themselves, such as:
   – Willem de Koning Holding B.V.;
   – Private address of entrepreneurs if the company is located at a private address.
3. Personal data of entrepreneurs who have registered their sole proprietorship at a private address, such as:
   – NAW data of the owner of a sole proprietorship;
   – Private address of entrepreneurs if the company is located at a private address.

Land registry

Personal data that Company.info works with are the personal data as stated on the Land Registry documents that a customer (for himself) requests from the Land Registry via Company.info.

1. BAG: residential addresses

Rechtspraak.nl

1. Personal data concerning bankruptcies; and
2. Personal data as stated in (anonymized) rulings in legal case;
   – Name and date of birth of persons in suspension of payments, bankrupt and/or debt restructuring;
   – Name, profession, media statements, gender, nationality, place of residence etc. as published in rulings;
   – Ruling/status of bankruptcy/suspension of payments/debt restructuring; and
   – Ruling of legal case.

International PEP and Sanctions Lists

1. Personal data of registered persons on lists issued by official bodies
   – Name, date of birth, gender and nationality of registered persons;
   – Indication of whether the person is a “Politically Exposed Person” (PEP); and
   – Indication of whether sanctions apply to the person.

Dutch Road Traffic Service

1. License plate data of registered vehicles:
   – License plate, model, specifications, registration date, MOT expiry date etc.

Personal data from other public sources

1. Personal data as publicly stated on company websites:
   Names, email addresses, phone numbers, links to LinkedIn profiles, URLs, etc.
2. Data from online news sources. These news articles may contain personal information, including but not limited to: personal data of directors, company officers and shareholders of companies that appear in these news articles.
3. Personal data of company officers based on professional profile on LinkedIn.

Customer data

1. Personal data provided by/about users of our services to provide our services;
2. Name, address, email address, telephone number, bank account number;
3. Personal data derived from the use of our services to maintain a digital user profile:
   – Search behavior, interests and preferences of users;
   – Digital fingerprint: IP address, source, device, browser data; and
   – Online usage statistics: number of sessions, time on site, pages visited, clicks.
4. Personal data resulting from the contact of users with one of our contact channels:
   – Notes of customer conversations;
   – Complaints and customer questions; and
   – Participation in research and events.
5. Personal data of non-customers/users in the context of a sales process, previous trial/test, contact etc.:
   – Name, email address, telephone number.

Below is an overview per category of the way in which we ensure information security of data.

Product data

• Data processing
  – Users can change and enter personal preferences, login details and (business) address details within the Online product; and
  – Users cannot enter any information within the Webservices product, except for subscribing or unsubscribing for (data) updates.
• Data storage
  – The data offered is stored and delivered within the EU;
  – Data services from data suppliers can originate from systems/storage outside the EU. The interaction between the user and these services takes place via the systems of Company.info, not directly.
• Consulting data suppliers (third parties) Data can be retrieved from external data suppliers via Company.info
  – Data retrieved via data suppliers is, where possible, forwarded directly to the user who made the request.

Customer data

• Processing of customer data.
  – Company.info stores the personal data that is necessary for using, invoicing and optimizing the product. This data is not shared with third parties; and
  – User/customer data is accessible to a limited extent to internal employees who need this access for the effective performance of their duties.
• Processing of usage data
  – Company.info uses logging to provide support, debug and further optimize its services;
  – For administrative employees of Company.info, the content of the usage is only visible in aggregated or anonymized form;
  – For a limited group of developers, it is possible to inspect the content of a request. This is only possible if this is done at the request of the customer, if there is a suspicion of improper use, or if this is necessary for the further development of our products. This information is only used to improve the product and perform support activities; and
  – Company.info uses third parties to gain insight into the use of its products, such as via Google Analytics.

Security

• Communication security
  – Company.info allows access to its Online and Webservices products via secure (HTTPS) connections.

Audit en control

• ISO-27001 certification
  – Company.info has an ISO-27001 certification, the international standard for information security.
• Underlying systems
  – Webservices is a cloud solution that is continuously kept up to date; and
  – Our systems are continuously kept up to date with recent (supported) releases of operating systems and peripheral systems.
• Regular security audits
  – Our systems are continuously monitored for hacking attempts, viruses, malware, etc.;
  – Important management actions are logged.

Last updated on July 19, 2024