Last amended on 21 September 2021

Company.info provides complete, reliable and current information, business news and predictions about companies and their directors. We bring together relevant business data, structure these data and make them accessible for the Dutch business sector. In doing this, we also process personal data.

In this privacy document, we explain what data we process, why we do that, and what policy and safeguards we implement to do this as carefully as possible. This information is provided to answer any questions that data subjects may have about why and for what purposes data of them may appear in our systems and how we use those data. If you are missing information or have feedback on this, we would like to hear from you.

This document supplements the ‘privacy & cookie statement’ of Company.info.

Furthermore, as a member of the Association for Professional B2B Information (VVZBI), Company.info is bound by this industry organisation’s Privacy Code of conduct.

Company.info is a data service provider focused on the business sector. This means that we collect, combine and supply various types of data to businesses. In performing our work, we also process personal data. In processing personal data, we distinguish four categories.

Category 1: personal data from public registers

Company.info retrieves, combines and enriches data from a number of public sources and registers, such as the Commercial Register of the Chamber of Commerce and the Land Registry, in fulfilling its service provision to its customers. Schedule 1 contains an overview of all the public registers which Company.info uses. The purpose and functioning of these registers is regulated by law: for instance, to promote and safeguard legal certainty in commerce.

First, we collect data from various public sources. Based on those data, we create profiles of companies, officers and/or addresses; then we link these profiles to each other if relevant. This creates a network of rich, complete profiles of a company, officer and/or address, which provides users with insight. Finally, we make these data and profiles searchable (on the basis of search criteria) and make these data available online to business customers via technical integrations (APIs) and as individual files.

Category 2: personal data from data partners

In addition to retrieving and providing data from public registers, Company.info also does this with data from its data partners. This could include international business information, for instance, such as sanctions lists, PEP-lists and the provision of credit ratings for companies. Schedule 1 contains an overview of personal data that we supply on a one-to-one basis from our data partners to our customers.

Category 3: personal data from Company.info customers

Some customers commission Company.info to supplement or analyse their own (customer) data. The data supplied by these customers can also include personal data. After enriching these data, Company.info returns them to the customer, often accompanied by advice, for instance on how the customer compares with respect to industry peers or where the greatest risks or opportunities lie.

Category 4: personal data from Company.info users

We also process the (personal) data of our users and customers in the context of performing contracts with customers and optimising our service provision. See Schedule 1 for an overview of these personal data. How Company.info handles those data is described in detail in our privacy statement.

Category 1: personal data from public registers

We offer data quality, data integration and data insight solutions in order to inform our users about business opportunities and risks. Providing personal data from public registers is a necessary part of this. Our purpose for processing these data is compatible with the statutory aims of these registers: promoting legal certainty in economic transactions and promoting and supporting economic activities through transparency. Companies need this information so that they know with whom they are doing business. Professional businesses are expected to make inquiries in this respect (‘Know Your Customer’) and in some cases this is even required by law, for example on grounds of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft). A number of concrete examples of applications include:

1. Providing insight into who is officially authorised to legally represent a particular company;
2. Furnishing insight into the financial position of and recourse offered by a company to enable a more informed decision to be made on whether to engage in business with the company and under what conditions;
3. Identifying the possible risks associated with company officers, for example by screening them against national and international PEP and sanctions lists.
4. Providing insight into the natural persons behind companies and also immediately providing insight into the recourse offered by them, other companies in which they are or have been involved in the past, and by extension also insight into cross-border corporate structures, and the opportunities and risks they entail;
5. Providing insight into the network of directors, supervisors and other company officers and as such into the moral position and possible conflicts of interest within a company;
6. Within the business market, conducting market analyses and market segmentations, and giving insight into the most interesting businesses (leads) to approach commercially;
7. Facilitating business meeting preparation by providing insight into what is going on at a company (news, vacancies, management changes, etc.) and who is ultimately responsible; and
8. Within the real estate market, providing insight into (current and historical) ownership positions in real estate and the associated mortgage debts in order to determine the expected profitability, risk profile and required risk mark-ups when entering into financial transactions, such as extending loans and transferring savings.

Category 2: personal data from data partners

With this category of personal data, Company.info supplies data from data suppliers, without any form of processing. As for category 1, our purpose is to promote legal certainty in economic transactions and support economic activities. A number of concrete examples of applications include:

1. Furnishing insight into the financial position of an international company to enable a more informed decision to be made on whether to engage in business with the company and under what conditions;
2. Performing analyses and segmentations in the international business market, and giving insight into the most interesting companies (leads) to approach commercially;
3. Facilitating economic transactions and preventing overextension of credit by supplying credit ratings in the payment processes of, for instance, e-commerce companies; and
4. Verifying and supplementing address details, such as supplementing postal code – house number combinations with a street name and city/town.

Category 3: personal data from Company.info customers

In this category, personal data are processed in the context of analysing and enriching data that customers supply to us to help them identify the risks and opportunities and in doing so, improve their business operations, gain better insight into the market and by extension expand their economic opportunities. A number of concrete examples include:

1. Performing analyses and segmentations in the (international) business market, and giving insight into the most interesting companies (leads) to approach commercially;
2. Verifying and supplementing a customer file for a CRM system with complete and up-to-date information on the address and the company. This improves the quality of customer data because duplicate, outdated and missing company information is cleaned up.

Category 4: personal data from Company.info users

Company.info processes the personal data of users for a number of purposes all of which are concerned with the constant provision of good service. A few examples:

1. Managing user accounts, including determining abuse and being able to respond;
2. At the specific request of a customer, we put together, in consultation, an aggregate overview of the use made of our services by the customer’s users;
3. Improving our service provision by, for instance, showing our users personalised lists and news articles based on their preferences;
4. Continuing the development of Company.info products based on anonymised use by our customers;
5. Performing customer surveys/analyses, for example by analysing on an aggregate basis which services are rated best/worst and which are the most/least used, in order to improve our service provision; and
6. Sending by email or showing on a website (personalised) features, content, offers, user information, service notices, etc. More information on this can be found in our privacy & cookie statement.

Category 1: personal data from public registers

Company.info’s legal basis for processing this category of data is ‘legitimate interest’. Our service provision is focused on facilitating our customers in promoting legal certainty and transparency in commerce and encouraging economic activities. These are legal interests with a robust statutory foundation, as laid down in, for instance, the Commercial Register Act 2007[1], the Land Registry Act[2] and regulations for mandatory screening based on the Money Laundering and Terrorist Financing (Prevention) Act (Wwft[3]). By combining these data from different (public) sources and making them searchable, Company.info helps businesses and institutions to realise that necessary legal certainty, transparency and economic impact as efficiently, effectively and carefully as possible. By offering these data via our portal (Company.info Online) or via our webservices product, we help businesses operate transparently, honestly and reliably in order to prevent fraud, for instance. We also help them comply with specific statutory rules, such as the Wwft. In the context of the public interest, we also enable organisations, media and supervisory institutions to see who is who in economic transactions.

Naturally we treat the privacy of data subjects with due care. In our service provision, we aim to prevent breaches of data subjects’ privacy as much as possible and where there is no other choice, to limit the effects as much as possible. We have built in the following safeguards for this purpose.

1. This category of personal data, as processed by Company.info, can also be viewed by anyone at any time in the public registers. Company.info only ensures that these data can be offered exclusively to its customers via a more appealing interface;
2. These personal data are provided by Company.info (i) in exchange for payment, (ii) via a secured environment, (iii) exclusively to customers of Company.info;
3. Company.info only provides the data to businesses and people who need these data professionally, so not to private individuals;
4. The data supplied are always only offered in the professional or business context of the data subjects;
5. Specific personal data, such as entries on international sanctions lists, are only provided to specific customers, and then only under certain strict contractual conditions;
6. Because the data are only provided to our customers, we can always verify which data are used by whom;
7. Our customers must comply with our conditions of use. In every agreement, we refer our customers to their disclosure obligation, and our customers must also guarantee that they process the personal data exclusively in accordance with applicable legislation and regulations. They must also respect the ‘Non Mailing Indicator’ (NMI) of the Chamber of Commerce and may only use the telephone numbers of natural persons for marketing purposes if the latter have given consent for this in advance;
8. Company.info also has its own ‘opt-out-marketing indicator’ that a data subject can have us activate by sending an email (service@company.info) and which the customer must respect (see below);
9. On top of that, customers commit to not use specific data for profiling people or discriminating against certain population groups;
10. If there are signs of abuse or unlawful use, Company.info investigates. If it emerges that a customer is indeed not complying with the agreements, Company.info takes appropriate measures;
11. Company.info does not provide customers with more information than they need. It is precisely with a view to handling personal data carefully and protecting privacy that Company.info’s service provision has been set up in such a way that customers only purchase those data that are necessary for a specific purpose.

Company.info does not, in principle, process any special personal data, such as data on race, religion, political preference or a person’s sexual orientation. These kinds of data are not registered in the database. But it is inevitable that the listing of a board position at, for example, a religious foundation or other organisation can indirectly give an indication of the director’s religion, for instance. In those cases, however, Company.info reports nothing more than what is contained about that person in the public sources, such as the Commercial Register, and we only process the personal data disclosed by the data subject him/herself.

Company.info online also offers users without a customer relationship a minimal basic version of a company profile (the Freemium model). That serves to give potential customers an idea of our product. Company.info also strives to strike a careful balance of interests, where the impact on the data subject’s privacy is kept to a minimum. Everyone, even parties without a contract, have access to the ‘bare’ company profiles, but on the other hand we omit personal data from those as much as possible precisely with the aim to protecting privacy. The registered address and mobile telephone number of a sole proprietorship are not shown, for instance. For legal entities, such as registrered companies (BVs), only the first initial and surname of the first director of a company is provided. Beyond this, only publicly accessible data are shown.

Category 2: personal data from data partners

This category of data is also processed by Company.info on the basis of ‘legitimate interest’, because for these data too, the processing is focused on safeguarding legal certainty and transparency in economic transactions, as described above; which is also consistent with the (original) purpose for which these data were collected.

For this category, too, we carefully balance the privacy interests of the data subjects against the legitimate interest that Company.info has in providing these data to its customers for whom these data are necessary in order to function in commerce with some measure of legal certainty and transparency and to be able to comply with certain statutory requirements.
Just as in the case of the processing of personal data from category 1, Company.info has built in safeguards to prevent or otherwise limit as much as possible the effects for data subjects’ privacy. The following points are important in this context:

1. The personal data are provided by Company.info only (i) in exchange for payment, (ii) via a secured environment, (iii) exclusively to customers of Company.info who (iv) are only permitted to use these data in the context of their profession or business;
2. Because the data are only provided to our customers, we can always verify which data are used by whom;
3. The only data involved are those that are relevant from a business or professional perspective;
4. Our customers must comply with our conditions of use. They must guarantee that they process the personal data only in accordance with applicable legislation and regulations, such as the General Data Protection Regulation (GDPR), which prohibits the use of personal data to exclude population groups and stipulates extremely strict requirements for the use of personal data for profiling;
5. For this category, too, if there are signs of abuse or unlawful use, Company.info investigates. If it emerges that a customer is indeed not complying with the agreements, Company.info immediately takes appropriate action;
6. Company.info does not provide customers with more information than they need. It is precisely with the aim to handling personal data carefully and protecting privacy that Company.info’s service provision has been set up in such a way that customers only purchase those data that are necessary for a specific purpose.

Category 3: personal data from Company.info customers
In this category, Company.info processes data originating from the customer based on a specific assignment from that customer. For that product, called Marktview, the customer is jointly responsible with Company.info for the processing of the personal data. In that case, too, Company.info makes clear agreements on what the data can be used for and how this customer must safeguard your privacy. These agreements are also laid down contractually. These agreements also always include that the customer must comply with all applicable legislation and regulations, such as the GDPR, including its disclosure obligation.
Category 4: personal data from Company.info users

This category of data processing is necessary for the performance of the contract we have with our customers, and where necessary takes place on the basis of explicit and expressed consent. The contracts and/or privacy statement sets out what data are processed and for what purpose. If the contract is concluded by someone representing a larger group of users, we also remind this person of the disclosure obligation for those users. Our privacy statement contains more details on this.

Five concepts are key for Company.info when it comes to the processing of personal data:

• Purpose limitation
• Data minimisation
• Transparancy
• Information security
• Protocol for data Leaks

Purpose limitation
The personal data are processed exclusively for the purposes set out above. In the case of data from public registers, this means that we require that our customers use these data entirely in line with the statutory aims on which the public character of these data is based. We make explicit contractual agreements with our customers in this respect. If necessary, Company.info also takes action if customers do not comply with their obligations.

In that context, Company.info is also strict when it comes to the use of data for direct marketing. If, upon registration in the Commercial Register of the Chamber of Commerce, the so-called ‘Non Mailing Indicator’ (NMI) is activated, then we stipulate contractually that our customers must respect that fully. If that does not occur, data subjects can notify us of that via service@company.info and we will take action immediately. Customers also may not phone natural persons on the basis of Company.info data if the natural persons have not given consent for this.
In supplement to this, Company.info also has its own ‘opt-out-marketing indicator’ which we can activate for data subjects if desired. The opt-out-marketing indicator is a total exclusion of data for marketing purposes. We developed this indicator on our own initiative to respond to the growing negative sentiment towards unsolicited contact for commercial purposes.

Data minimisation

Personal data are also no longer stored (in a form that makes it possible to identify the data subject) for longer than necessary for the purposes for which they are processed.

Company.info’s policy is set up such that the number of people with access to personal data is limited to only those required for the purpose of processing. These employees are also all contractually bound to secrecy.

We design our products so that supplementary privacy safeguards take effect where necessary and possible. Two examples:

1. We only make a small portion of our company information available on the open Internet: a minimal version of a company profile (‘Freemium model’, see above). In this profile for legal entities, for example, we have deliberately opted to only show the first initial of only the first director, and not the entire first name or birth date, or any of the other directors. Nor do we show the mobile phone numbers of sole proprietorships. It is also not possible to ‘search through’ directors.
2. Data solutions in which investigating persons is the aim, or one of the aims, are always provided as a supplementary service only, for which specific additional conditions apply.

These privacy by design measures provide extra safeguards for the data subject.

Transparantie

Company.info considers it an important responsibility to inform data subjects as effectively and transparently as possible about the processing of their data. Given the scope of the processing and the large number of data subjects, Company.info informs everyone by describing in detail on its website what data it processes, whose data are processed, why this takes place and for what purpose. Anyone can also contact our service department (service@company.info) for more information; you are guaranteed to receive a response within two working days.

Every data subject also always has the possibility of:

• Inspecting the personal data we have of him/her;
• Requesting rectification of inaccurate personal data held of him/her, or the provision of additional data if the processing takes place on the basis of incomplete data. We will immediately rectify and/or supplement the data if Company.info is the source of this information. If this information falls in category 1 or 2, we will refer the data subject to the relevant register or data supplier to have the data corrected at the source. We notify the recipients of personal data of this; and
• Objecting to the processing of the personal data pertaining to him/her, to the extent this processing is based on the legitimate interest of Company.info and there are no prevailing mandatory legitimate grounds for the processing;
• A data subject can also ask to have his/her data deleted from our systems, for instance if his/her privacy is being disproportionately damaged or it emerges we are not acting lawfully. We are happy to discuss this. The data subject can contact service@company.info. For the sake of completeness, we also point out once again that deletion from our systems does not mean that a person has been removed from the public registers.

If you suspect that Company.info is not acting in accordance with the privacy legislation, or if you have comments or questions, please let us know. Data subjects can contact us for this purpose by sending an email to service@company.info referring to ‘Inspection of personal data’. Please provide the full name, company name and position in this email. We would be happy to assist you. You can also submit a complaint to the privacy regulator: the Dutch Data Protection Authority.

Finally, in accordance with the GDPR we maintain a processing register.

Information security

Information security is a top priority for Company.info and its parent company FD Mediagroep. This is evidenced by, among other things, our ISO 27001 certification. It is not only our business, but the privacy of data subjects is also very important to us.

We feel it is very important to secure our information as well as possible. We have therefore taken an extensive set of information security measures. In Schedule 2 you will find the most important aspects of our information security.

Protocol for data Leaks 

The security of personal data and systems is very important to us. Despite the care taken in securing our systems, weaknesses can still arise on occasion. That is why we have drawn up a protocol for data leaks and a working procedure for ‘responsible disclosure’.

[1] See section 2 of the Commercial Register Act: ‘There is a commercial register of businesses and legal entities: …to promote legal certainty in commerce, …for the provision of data of a general, factual nature concerning the composition of businesses and legal entities to promote the economic interests of trade, industry, skilled trades and service provision;

[2] See section 2a of the Land Registry Act: The Agency (Cadastre, Land Registry and Mapping Agency, ed.) has the following aims, without prejudice to the provisions in other statutory regulations: to promote legal certainty in relation to registrable property, …support and promote economic activities.

[3] See mainly sections 2a and 2b Wwft

Chamber of Commerce

1. Personal data of company officers / shareholders, for instance:
   – Name and date of birth of directors, shareholders and authorised representatives
   – Private address of company officers if the company is registered to a private address
2. Personal data of entrepreneurs who have named their company after themselves, such as:
   – Willem de Koning Holding B.V.
   – Private address and telephone numbers of entrepreneurs if the company is registered to a private address
3. Personal data of entrepreneurs who have registered their sole proprietorship to their private address / private telephone number, for instance:
   – Name, address and telephone details of the owner of a sole proprietorship
   – Private address and telephone numbers of entrepreneurs if the company is registered to a private address and/or uses a private telephone number

Land registry
Personal data that Company.info uses:

1. Personal data relating to the ownership of immovable property
   – Name and address details of the owner of immovable property
   – Data concerning life partners, joint ownership and civil status
   – Size of the plot owned by someone
2. Personal data relating to mortgages
   – Name, address and telephone details of the mortgagor
   – Height of the mortgage registration
3. Key Register of Addresses and Buildings: residential addresses

Rechtspraak.nl

1. Personal data relating to bankruptcy cases, and
2. Personal data as mentioned in (anonymised) judgments in court cases
   – Surname and date of birth of persons granted moratorium on payments, pronounced bankrupt and/or to whom the debt restructuring scheme has been declared applicable.
   – Surname, profession, statements in the media, gender, nationality, city/town of residence, etc., as published in judgments
   – Judgment/status of bankruptcy/moratorium/debt restructuring scheme
   – Judgment in court case

International PEP and Sanctions Lists

• Personal data of registered persons on lists issued by official authorities.
  – Surname, date of birth, gender and nationality of registered persons
  – Indication of whether a person is a ‘Politically Exposed Person’ (PEP)
  – Indication of whether sanctions apply in respect of the person

RDW (National Vehicle and Driving Licence Registration Authority)

• Registration numbers of registered vehicles:
  Registration number, model, specifications, registration date, periodic vehicle inspection due date, etc.

Personal data from other public sources

• Personal data as publicly disclosed on company websites:
  Names, email addresses, telephone numbers, links to LinkedIn profiles, URLs, etc.
• Data from online news sources. These news articles can contain personal information, including but not limited to: personal data of directors, company officers and shareholders of companies mentioned in these news articles.
• Personal data of company officers based on their professional profile on LinkedIn.

International company information

1. Personal data of company officers
   – Name and date of birth of directors, shareholders and authorised representatives
   – Private address of company officers if the company is registered to a private address
2. Personal data of entrepreneurs who have named their company after themselves
   – For instance, Willem de Koning Holding B.V.
   – Private address and telephone numbers of entrepreneurs if the company is registered to a private address
3. Personal data of entrepreneurs who have registered their company (e.g., sole proprietorship) to their private address and/or with their private telephone number
   – Name, address and telephone details of the owner of a sole proprietorship
   – Private address and telephone numbers of entrepreneurs if the company is registered to a private address

International location and address details

• International address details
  – Conversion of postal code and house number to street, house number, postal code, city/town
  – Route planning between 2 addresses

Creditworthiness assessments

• Creditworthiness of companies where the name, address details, etc., can be traced back to an individual
  – Name and credit score of a company that has strong ties to a single individual

Real estate information

• Sales value of homes, as well as development in the value
  – Estimated home value, historical sales values, characteristics of the home
• Structural characteristics of homes, for example in relation to roofs, plot, etc.

IP information

• Identification of the organisation based on IP address

Customer data

1. Personal data provided by/about users of our services to enable us to provide services
2. Name, address, email address, telephone number, bank account number
3. Personal data derived from the use of our services in order to maintain a digital user profile
   – Search history, interests and preferences of users
   – Digital fingerprint: IP address, source, device, browser data
   – Online use statistics: number of sessions, time on site, pages visited, clicks
4. Personal data arising from users’ contact with one of our contact channels
   – Notes from conversations with customers
   – Complaints and customer questions
   – Participation in surveys and events
5. Personal data of non-customers/users in the context of a sales process, earlier trial/test, contact, etc.
   – Name, email address, telephone number

Product data

• Data processing
  – Users can amend and enter personal preferences, login details and (business) address details in the Online product
  – Users cannot enter any information in the Webservices product aside from subscribing or unsubscribing for (data) updates
• Data storage
  – The data provided is stored and transferred within the EU
  – Data services from data suppliers can originate from systems/storage outside the EU. The interaction between the user and these services takes place via Company.info’s systems, not directly
• Consulting data suppliers (third parties) Data can be retrieved from external data suppliers via Company.info
  – Data retrieved via data suppliers are, where possible, sent directly to the user who submitted the request

Customer data

• Processing of customer data
  – Company.info saves those personal data that are necessary for using, invoicing for and optimising the product. These data are not shared with third parties.
  – User/customer data are accessible to a limited extent for internal employees who need these to effectively perform their job
• Processing of usage data
  – Company.info uses logging to provide support, debug and beyond this to optimise its services
  – Administrative employees of Company.info can only view the usage content in aggregate or anonymised form
  – The content of a request can be inspected by a limited group of developers. This is only possible if this takes place at the customer’s request, there is a suspicion of improper use or this is necessary for the further development of our products. This information is only used to improve the product and perform support activities
  – Company.info uses third parties, like Google Analytics, to obtain insight into the use of its products

Security

• Communication security
  – Company.info allows access to its Online and Webservices products over secure (HTTPS) connections

Audit en control

• ISO-27001 certification
  – Company.info has ISO-27001 certification; the international standard for information security
• Underlying systems
  – Webservices is a cloud-based solution that is constantly updated
  – Our systems are constantly updated with recent (supporting) releases of operating systems and peripheral systems
• Regular security audits
  – Our systems are constantly monitored for attempted hacks, viruses, malware, etc.
  – Important management actions are logged