For certain processing activities, CompanySpotter relies on legitimate interest as referred to in Article 6(1)(f) GDPR. This legal basis must not be applied lightly. The GDPR requires that, for each specific processing operation, it is carefully assessed and documented whether there is a legitimate interest, whether the processing is necessary to achieve that interest, and whether the interests, fundamental rights and freedoms of data subjects do not override that interest.
CompanySpotter has prepared this Legitimate Interest Assessment on the basis of an assessment framework of the Hamburg Commissioner for Data Protection and Freedom of Information, a European data protection authority.
This LIA reflects the actual design of CompanySpotter's services. CompanySpotter maintains a business-oriented search and analytics database that is built from information originating from websites of organisations. The services are aimed at facilitating up-to-date and reliable business information provision for, among other things, analysis, transparency, target-group selection, data enrichment and B2B communication. The database contains, among other things, organisation data, website data, contact channels, classifications, location data, online characteristics and technology data.
The processing is not aimed at natural persons as such. CompanySpotter focuses on organisations, websites and the business context in which those organisations have an online presence. At the same time, CompanySpotter acknowledges that personal data may occur within that context in certain cases, for example where an organisation publishes on its website a personal business email address, a direct telephone number or other contact information that can be traced to a natural person. The processing of such data is assessed in this LIA within the specific business context in which those data have been made available on the website of the relevant organisation and are processed by CompanySpotter.
An important element of the design of the processing is that CompanySpotter actively informs organisations about inclusion in the database. The notification explains which data are processed, for what purpose, on what legal basis, which rights data subjects have and how deletion or restriction of the processing can be arranged. It is also emphasised that the notification is not advertising, but is sent in the context of transparency regarding the possible processing of data.
This document has been prepared in line with CompanySpotter's Privacy Statement, which contains more information about the processing of personal data by CompanySpotter. Where definitions are used in this document, they correspond to the definitions in the Privacy Statement.
The interest in the processing activity is the ability to offer and maintain an up-to-date, reliable and structured business-oriented search and analytics database that enables professional users to find, analyse, compare, segment and approach organisations relevant to them within the business-to-business domain.
CompanySpotter has a legitimate interest in collecting, structuring, updating and making available to professional users information about organisations, websites and business contact channels. This information is aligned as closely as possible with the needs of entrepreneurs and supports, among other things, business information provision, market exploration, target-group selection, lead generation, competitor analysis, data enrichment, updating of business files and B2B communication by users of CompanySpotter's services.
In addition, the interests of third parties, including users of CompanySpotter Services, are also served. They have an interest in access to up-to-date and usable business information for professional purposes, such as identifying relevant organisations, conducting market analyses, selecting target groups, better aligning their services with the market, offering their own services to interested Businesses, updating business databases and substantiating commercial and strategic decisions.
The interests of Businesses whose data are made available through CompanySpotter's services may also be served by the processing, because their business findability and visibility within the business-to-business domain may be increased and improved by enabling them to be found more effectively by professional parties looking for relevant products, services, technologies, expertise or opportunities for cooperation.
These interests are also pursued in compliance with the GDPR principles, including data minimisation, transparency and accuracy.
The specific purpose of the processing is to collect, structure, analyse, update and make available to professional users business-oriented data about organisations, websites and business contact channels. This enables users to identify, distinguish, analyse, segment and contact organisations within the business-to-business domain.
The processing is aimed at business search functionality, market analysis, target-group selection, lead generation, competitor analysis, data enrichment, updating of business files and targeted business communication. Searches and filters may be applied, among other things, to organisation characteristics, website characteristics, location data, sector and classification data, contact channels and technology use.
CompanySpotter collects data from websites of organisations. The processing is not aimed at building personal profiles or at processing data relating to natural persons as an independent purpose. Names of natural persons are not a separate purpose and do not constitute a separate database field. CompanySpotter applies measures to limit the processing of names as much as possible.
The processing of email addresses and telephone numbers is primarily aimed at general business contact channels of organisations, such as general email addresses and general organisation telephone numbers. In exceptional cases, a personal business email address or direct telephone number may be processed where it has been published by the organisation itself on its website, serves functionally as a business contact channel and no more general alternative is available.
The interest is pursued in the first place by CompanySpotter itself, as provider of its services in the role of controller. The processing takes place in the context of its core activity: offering a business-oriented search, analytics and data platform for professional users.
In addition, the interests of third parties are also served, namely the users and customers of CompanySpotter. They use the information for professional purposes, such as market exploration, target-group selection, business communication, data analysis, data enrichment, updating of business files and strategic decision-making.
The interests of Businesses whose data are made available through CompanySpotter's services may also be served by the processing.
The processing therefore serves both CompanySpotter's interest in being able to offer and maintain its services and the interest of professional users in access to up-to-date, accurate and reliable business-oriented information about Businesses. In addition, the processing may contribute to the business findability and accessibility of the Businesses to which the information relates.
Yes. The pursued interest is lawful and is not contrary to applicable Union law or national law.
The processing is aimed at offering and maintaining a business-oriented search and analytics platform for professional use within the business-to-business domain. To the extent that personal data occur within the processed data, these concern data that have been made available in a business context on websites of organisations and that are functionally connected with the online presence, findability or accessibility of those organisations.
The processing is not aimed at processing special categories of personal data within the meaning of Article 9 GDPR or data relating to criminal convictions and offences within the meaning of Article 10 GDPR. Nor is the processing aimed at automated decision-making with legal effects or similarly significant effects on data subjects within the meaning of Article 22 GDPR.
The processing activity is designed in such a way that it primarily concerns organisations, websites and business contact channels. General contact details of organisations take precedence over personal contact details. Organisations are actively informed about inclusion in CompanySpotter before data are made available in the public database. In addition, there is an easily accessible mechanism to inspect, restrict or delete data.
Yes. The legitimate interest is clearly and precisely formulated.
CompanySpotter's interest is limited to offering and maintaining a business-oriented search and analytics database for professional use within the business-to-business domain. The processing is aimed at organisations, websites, business contact channels and business-oriented characteristics, and not at natural persons as such.
This delineation is also reflected in the design of the processing. CompanySpotter collects data through websites of organisations and processes those data with a view to business findability, analysis, classification, segmentation and communication. The processing is not aimed at creating personal profiles, collecting names as independent data, or approaching natural persons in their private capacity.
Yes. The interest is real, current and concrete.
The interest arises directly from CompanySpotter's existing business activities: offering a business-oriented search, analytics and data platform that enables professional users to find, analyse, segment and contact relevant organisations on the basis of up-to-date website and business data.
The processing takes place on an ongoing basis because websites, contact channels, technology use and business characteristics of organisations may change frequently. In order to provide usable and reliable Services in line with its strategy, CompanySpotter collects and structures data in this manner so that the processed data are accurate and up to date, and can be made available in a structured form within the delineated business context.
Yes. The processing is necessary for the purpose described in this explanation. CompanySpotter cannot offer its business-oriented search, analytics and data platform without collecting, structuring, updating and making available data about organisations, websites, business contact channels, location, classification, online characteristics and technology use.
The purpose of the processing is not limited to displaying an organisation name or website address. The platform also enables business search functionality, market analyses, target-group selection, data enrichment, updating of business files and insight into the online presence and technology of organisations. This requires an up-to-date and structured dataset in which organisations can be found, distinguished, compared and classified.
In designing the processing, the least intrusive means have been chosen. CompanySpotter collects data from websites of organisations and does not process or acquire purchased personal-data files. The processing is primarily aimed at organisations and their business online presence. General contact details take precedence over personal contact details and names of natural persons do not constitute a separate database field.
An alternative in which only fully anonymous or aggregated data are processed would not achieve the purpose in a comparably effective manner. Professional users must be able to identify, distinguish, analyse and contact organisations. For that reason, a design has been chosen in which the business-oriented purpose can be achieved with the most limited possible processing of personal data and with additional safeguards such as active notification, control via a unique link and straightforward deletion.
Yes. The processing is limited to data that are necessary for CompanySpotter's purpose: collecting, structuring, updating and making available business-oriented information about organisations and websites for professional use within the business-to-business domain.
The dataset consists of categories of data that are functionally connected with the findability, identification, classification, analysis and business accessibility of organisations. These include domain and URL data, organisation name, address and location data, contact details, website information, social media channels of the organisation, classification data, online characteristics, status information and technology data.
The processing is organisation-oriented and not person-oriented. Data are collected from websites of organisations. General business contact channels take precedence over personal contact details. To the extent that a personal business email address or direct telephone number is processed, this only takes place where that contact detail has been made available by the organisation itself on its website, is functional for business accessibility and no more general alternative is available.
Data that do not functionally contribute to the identification, classification, analysis, findability or business accessibility of organisations fall outside the intended processing scope. CompanySpotter does not process personal data as an independent purpose, does not build personal profiles and does not process purchased personal-data files.
In addition, CompanySpotter respects technical signals from websites, such as robots.txt, by which website administrators can influence the crawling of their website.
Yes. The number of data subjects is limited to what is necessary for the business-oriented purpose.
The processing primarily concerns organisations, websites and business contact channels. CompanySpotter does not process personal data as an independent purpose and does not build personal profiles. Names of natural persons do not constitute a separate database field and are limited or removed as much as possible.
To the extent that personal data occur within the dataset, these are data that have been made available by an organisation on its website in a business context and that are functionally connected with the findability or accessibility of that organisation.
The number of data subjects is further limited because general contact details have priority over personal contact details. In addition, organisations are informed in advance about inclusion in CompanySpotter. Where the notification cannot be delivered, the data are not included. A waiting period also applies between notification and inclusion in the database made available through the platform. During that period, the organisation or data subject can inspect, restrict or delete the data before they are made available through the platform or provided to third parties as part of the Services.
The processing takes place on an ongoing basis.
CompanySpotter's purpose is to make available and keep up to date a usable business-oriented search and analytics database. The online presence of organisations changes constantly. Websites are amended, contact channels change, technologies are added or removed, and organisations may relocate, change their activities or cease to exist.
One-off processing would be insufficient to achieve the intended purposes. The data would thereby quickly become outdated and no longer current, complete and accurate. Outdated data can lead to incorrect analyses, erroneous contact details and reduced reliability of the data and may thereby seriously impair the Services that CompanySpotter can offer and the usefulness of the Services for customers and third parties, including data subjects.
The ongoing nature of the processing does not mean that data are processed indefinitely. The processing remains limited to data that are available on the source website and necessary for the business-oriented purpose. In addition, processes exist for updating, deletion, opt-out, blocking of re-inclusion and onward propagation to customers.
The processing comprises only steps that are necessary to offer an up-to-date, usable and structured business-oriented search and analytics database.
The necessary processing steps include crawling websites of organisations, identifying and structuring relevant business-oriented data, applying data minimisation, updating the dataset, informing organisations before inclusion, making data available to professional users and handling requests for deletion, objection or restriction.
These steps cannot be omitted without a substantial loss of functionality. Without crawling and extraction, no up-to-date dataset can be built. Without structuring and classification, organisations cannot be found, compared or analysed effectively. Without updating, the dataset loses its reliability and accuracy. Without minimisation, notification and opt-out, the safeguards for data subjects would be insufficient.
At the same time, the processing is designed in such a way that steps that are not necessary for the business-oriented purpose are not carried out. CompanySpotter does not process purchased personal-data files, does not build personal profiles and is not aimed at approaching natural persons in their private capacity.
Yes. There is a deletion concept and retention periods have been established.
The dataset is updated periodically. Data are processed for as long as they are available on the source website and for as long as they are necessary for CompanySpotter's business-oriented purpose. Where data are no longer available on the source website, they are deleted no later than 90 days thereafter.
Data quality is supported by source-based processing, periodic updating, the process for rectification requests and deletion requests, and the possibility for organisations and data subjects to check, restrict or delete data via the unique link both before the data are included in the Services and at any time thereafter. This enables inaccurate, outdated or no longer desired data to be corrected, restricted or deleted.
In addition, organisations and data subjects may actively request deletion or restriction of the processing. CompanySpotter provides an easily accessible mechanism for this purpose. The notification contains a unique link by which the recipient can inspect, restrict or delete the relevant data. This link also remains available after the initial notification, so that organisations and data subjects can also later consult which data are being processed and intervene in respect of those data.
Where deletion is requested or an objection is upheld, the relevant data are deleted or restricted in whole or in part. In the event of full deletion, the domain is removed from the dataset and placed on a blocking or suppression list so that re-inclusion is prevented.
To the extent that data have previously been made available to customers, customers are informed by means of a deduplication list or comparable mechanism so that they can identify these data in their own environment and take appropriate measures within their own responsibility.
Yes. CompanySpotter has insight into the data flows that take place in the context of this processing.
At a high level, these involve data collection from source websites, technical processing and analysis, minimisation and quality management, notification before inclusion, inclusion in the business-oriented database, making data available to professional users, exercise of rights and opt-out, and phasing out or deletion.
Organisations are actively informed before data are included in the public database. Via the unique link from the notification, they can also, after the initial notification, consult which data are processed and delete or restrict them in whole or in part.
The processing may in particular affect the fundamental right to the protection of personal data and the related right to respect for private life, to the extent that data occur within the business-oriented dataset that qualify as personal data.
However, the processing is aimed at organisations, websites and business online presence, and not at natural persons as such. To the extent that personal data are processed, these are in principle data that have been made available by an organisation itself on its website in a business or professional context, and such processing is limited as much as possible by CompanySpotter.
The processing is not aimed at special categories of personal data, personal profiling, behavioural monitoring of natural persons or decision-making concerning natural persons.
The fundamental freedoms within the meaning of the TFEU, such as freedom of establishment and free movement of services, goods, workers and capital, are not directly restricted by this processing.
The processing concerns the collection, structuring and making available of business-oriented data about organisations and websites for professional use. Any effects are indirect and linked to the business context in which the organisation has an online presence.
Yes. In addition to privacy and data protection, other interests of data subjects may also be relevant. Data subjects may have an interest in preventing unwanted business approaches, reputational harm or an inaccurate impression based on inaccurate or outdated data. The perception of privacy may also play a role where business contact details on a website can be traced to a natural person.
These interests are taken into account in the assessment of the type of data, the reasonable expectations, the possible effects of the processing and the safeguards applied by CompanySpotter.
The processing primarily concerns business-oriented data about organisations, websites and business online presence. This includes, among other things, organisation and identification data, domain and website data, location data, contact details, website characteristics, classification data, online characteristics, social media channels of organisations and technology data.
To the extent that personal data occur within these data, they concern data that are connected with an organisation in a professional or business capacity. This may be the case, for example, with a personal business email address, a telephone number or other information that appears on the website of an organisation and can be traced to a natural person.
In that case, the processing is not aimed at the person as a private individual or consumer, but at the business context in which the contact detail appears on the website of the organisation.
No. The processing is not aimed at processing special categories of personal data within the meaning of Article 9 GDPR.
CompanySpotter processes business-oriented data about organisations, websites, business contact channels and online characteristics. The processing is not aimed at sensitive data such as health data, political opinions, religious beliefs, biometric data or data concerning sexual orientation.
No. The processing is business-oriented and takes place within a professional context. CompanySpotter crawls websites of organisations and processes data that relate to the business online presence of those organisations.
The processing is not aimed at collecting or processing personal data of children.
No. The processing is not aimed at processing personal data relating to criminal convictions or offences within the meaning of Article 10 GDPR.
The processing is not aimed at private data of data subjects, such as data about private life, family situation, private location, personal finances or other information typically perceived as personal or intimate.
At the same time, it cannot be excluded that certain business data may be perceived by data subjects as privacy-sensitive, for example where a personal business email address or direct telephone number appears on the website of an organisation. That data item nevertheless remains embedded in the professional context in which it has been made publicly available by the organisation.
The impact of this is limited by the organisation-oriented nature of the processing, the focus on business contact channels, respect for technical website instructions, active notification and the permanently available mechanism to inspect, restrict or delete data.
The data are collected from websites of organisations. CompanySpotter obtains the data by crawling websites and identifying, structuring and updating relevant business-oriented information from them.
Collection takes place on an ongoing basis because websites and online characteristics of organisations change. To the extent that personal data occur, these concern data that have been made available on the website of the relevant organisation and that relate to the business presence, accessibility or findability of that organisation.
Because the data are not collected directly from individual data subjects but originate from websites of organisations, the collection is indirect to the extent that the data qualify as personal data.
CompanySpotter collects data by crawling websites of organisations and identifying and structuring relevant business-oriented data from them. The data originate from websites of organisations that are accessible online.
When crawling, CompanySpotter respects technical website instructions, such as robots.txt, by which website administrators can influence the crawling of their website.
After data have been retrieved, they may be analysed automatically in order to create additional business-oriented data points that are relevant for classification, analysis and findability. This processing is not aimed at making decisions about natural persons and not at building personal profiles.
CompanySpotter makes the processing transparent through a combination of publicly available information, active notification and continuing control via a unique link.
CompanySpotter publishes relevant information on its website, including a privacy statement, information about legitimate interest, information about unsubscribing and deletion, and an explanation of the use of robots.txt. This information describes which data are processed, for which purposes, on which legal basis, which rights data subjects have and how deletion or restriction of the processing can be arranged.
In addition, CompanySpotter actively informs each included website or organisation about the processing before data are included in its database as part of its Services. The notification states which categories of data are processed, describes the purpose of the processing, identifies the legal basis of legitimate interest and provides information about data subjects' rights.
Where the notification cannot be delivered, the data are not included in the database. In addition, a waiting period applies between notification and inclusion in the public database, so that the organisation or data subject can inspect, restrict or delete data before publication.
The unique link from the notification remains active. Via this link, the organisation or data subject can also later consult which data are processed by CompanySpotter and delete or restrict those data in whole or in part. Transparency is therefore not limited to a one-off notification, but remains practically accessible throughout the processing.
In principle, there is no direct customer or contractual relationship between CompanySpotter and the natural persons whose data may qualify as personal data in context. The data are not collected directly from individual data subjects, but originate from websites of organisations.
There is, however, a functional relationship with the relevant organisation or website: CompanySpotter actively informs the organisation about inclusion in the database and offers the possibility to inspect, restrict or delete data via a unique link.
The processing is extensive in the sense that CompanySpotter maintains a business-oriented dataset relating to a large number of organisations and websites and updates it on an ongoing basis. Only a limited part of this may possibly qualify as personal data.
The processing is primarily organisation- and website-oriented. CompanySpotter does not process personal data as an independent purpose and does not build personal profiles. To the extent that personal data occur, these are generally data that have been made available on the website of an organisation in a business context.
The actual impact of the scale is limited by active notification before inclusion, the waiting period before publication, the permanently active unique link, the self-service deletion mechanism, the suppression list and onward propagation to customers via deduplication lists.
Possible negative effects include unwanted business approaches, loss of control over business contact details, nuisance caused by the use of a direct or personal contact channel, inaccurate or outdated data, reputational or contextual harm due to misinterpretation of data, or unauthorised further processing by customers after data have been made available through the platform.
The likelihood and severity of these effects are limited by the design of the processing. The processing is aimed at organisations and websites, not at natural persons as such. Personal business email addresses or direct telephone numbers that may be personal are processed only where they have been made available on the website of the organisation and no more general alternative is available.
In addition, each included website or organisation is actively informed before data are included in the public database. If a notification cannot be delivered, no inclusion takes place. The unique link from the notification remains available, so that data can also later be inspected, restricted or deleted. In the event of deletion, re-inclusion is prevented and, where relevant, customers are informed by means of deduplication lists.
The possible negative effects are therefore generally limited and arise mainly in a professional context. Negative effects cannot be fully excluded in individual cases, particularly where a personal contact detail appears on a website as the sole business contact channel or where customers use data outside the agreed terms.
Yes. The processing may have positive effects for organisations and data subjects in their professional capacity.
CompanySpotter increases the business findability of organisations and supports more efficient B2B interaction. CompanySpotter's working method also ensures that the data remain up to date and accurate. Organisations can thereby be found more effectively by potential customers, partners, suppliers or other professional parties looking for relevant products, services, technologies or expertise.
In addition, the processing may contribute to better business information provision, more up-to-date databases, less miscommunication, better market analyses and more careful selection of business relationships. The processing is not primarily intended to realise an individual personal benefit, but it may contribute to the professional visibility, accessibility and findability of the organisation with which the data subject is associated.
To the extent that personal data occur within the business-oriented dataset, data subjects may experience a certain degree of loss of control. After all, the data are not collected directly from them, but are retrieved from websites of organisations and subsequently processed within a business information chain.
This possible loss of control is limited by multiple safeguards. The processing is organisation-oriented and not person-oriented. General business contact channels take precedence over personal contact channels. CompanySpotter respects technical website instructions such as robots.txt. In addition, organisations are actively informed before data are included in the public database. The notification contains a link to indicate that the data may not be processed as part of CompanySpotter's Service.
The unique link from the notification remains active. Via this link, organisations and data subjects can also later consult which data are processed and delete those data in whole or in part, or restrict processing. Control over the processing is therefore not limited to a single moment immediately after notification, but remains available throughout the processing.
Data subjects and organisations can also exercise their GDPR rights, object to the processing, have data deleted or restrict the crawling of their website by technical means such as robots.txt. When a domain is deleted, re-inclusion is prevented. To the extent that data have previously been provided to customers, deletion is supported by deduplication lists or comparable mechanisms towards customers.
CompanySpotter processes the data as controller. To the extent necessary for the performance of the services, CompanySpotter uses carefully selected service providers, for example for hosting, IT, security, technical processing, analysis and supporting business processes.
Service providers engaged by CompanySpotter process data only to the extent necessary for their task and on the basis of appropriate contractual arrangements. To the extent that these service providers act as processors for CompanySpotter, arrangements are made in accordance with the provisions of Article 28 GDPR, including arrangements regarding instructions, confidentiality, security, support in respect of data subjects' rights, and deletion or return of data after the end of the services.
Access within CompanySpotter and at engaged service providers is limited to persons who need that access for their work. Access to the platform by customers is limited to authorised users within the customer's organisation and takes place on the basis of an agreement and terms.
The processing is designed with technical and organisational measures to safeguard confidentiality, integrity and access restriction. These include role-based access, contractual arrangements with service providers and customers, restriction of access to authorised users, appropriate control mechanisms, data minimisation and processes for objection, deletion and onward propagation to customers.
For the processing of data that customers obtain from CompanySpotter and subsequently use or export themselves, customers act as independent controllers.
To the extent that personal data under the responsibility of CompanySpotter are transferred outside the European Economic Area, this occurs only where there is a valid basis and appropriate safeguards in accordance with Chapter V GDPR.
No. In the context of this processing, no automated decision-making takes place that is based solely on automated processing and that has legal effects for data subjects or otherwise significantly affects them within the meaning of Article 22 GDPR.
CompanySpotter uses automated techniques to crawl websites, recognise, structure and classify data. These processes are aimed at organisation and website analysis and not at taking decisions about natural persons.
Yes. CompanySpotter explains the use of legitimate interest as a legal basis in its information provided to data subjects and organisations.
The general information states that the processing, to the extent that personal data are involved, takes place on the basis of Article 6(1)(f) GDPR. It explains which interests CompanySpotter and its users pursue, for which purposes data are processed and which rights data subjects have.
In addition, the active notification to organisations refers to the legal basis of legitimate interest, the purposes of the processing and the rights of data subjects. The message to the Businesses also contains a link to the web page on which the privacy statement and this balancing of interests can be found.
Data subjects and organisations can exercise their rights via CompanySpotter, including via the unique link in the notification, via the deletion functionality on the website and via the contact channel for privacy requests.
Data subjects may object to the processing pursuant to Article 21 GDPR. When an objection is made, CompanySpotter assesses whether there are compelling legitimate grounds for continuing the processing. If this is not the case, the processing is terminated or restricted. In practice, this functions as an opt-out option.
In addition, data subjects may request access, rectification, erasure and restriction of processing. The opt-out is designed to be very easily accessible. The unique link remains active, so that organisations and data subjects can also later consult for themselves which data are processed and delete or restrict them in whole or in part.
When a domain is deleted, re-inclusion is prevented. Where relevant, customers are informed by means of deduplication lists or comparable mechanisms.
Yes. There is a process for receiving, assessing and implementing objections and requests for erasure.
Requests may be submitted via the unique link in the notification, via the deletion functionality on the website or via CompanySpotter's privacy contact channel. Where necessary, CompanySpotter requests additional information in order reasonably to identify the requester or the relevant domain and to determine to which data the request relates.
Where the request is granted, the relevant data are deleted or restricted in whole or in part. In the event of full deletion, the domain is removed from the dataset and re-inclusion is prevented. To the extent that data have previously been made available to customers, this is communicated to customers by means of deduplication lists or comparable mechanisms, so that they can take appropriate measures within their own responsibility.
CompanySpotter records the handling of requests to the extent necessary for its accountability obligation.
Yes. There is a process for receiving, assessing and following up rectification requests.
Rectification requests may be submitted via the unique link in the notification, via the website or via CompanySpotter's privacy contact channel. Where a data subject or organisation states that data are inaccurate or incomplete, CompanySpotter assesses the request in light of the nature of the data, the source website, the context of the processing and the manner in which the data have been included in the business-oriented dataset.
To the extent that CompanySpotter itself can establish that data are inaccurate or incomplete, they are corrected, supplemented, restricted or deleted within a reasonable period. Because CompanySpotter collects data from websites of organisations, updating may also depend on an amendment of the relevant source website. Where data are amended on the source website, those amendments are processed through the regular update cycle.
Where appropriate, CompanySpotter may take interim measures, such as restricting visibility, internal marking or temporary deletion.
After weighing all relevant factors, the legitimate interests of CompanySpotter and its professional users outweigh the interests, fundamental rights and freedoms of data subjects, to the extent that personal data occur within the business-oriented dataset.
This conclusion is based on the professional and business-oriented context of the processing. The processing is aimed at organisations, websites and business online presence. Personal data are not processed as an independent purpose and natural persons are not the primary object of the processing. To the extent that personal data occur, they are functionally connected with the business accessibility, representation or online presence of the organisation.
The processing is limited to what is necessary for the functionality of the platform. General business contact channels take precedence over personal contact details. The processing is not aimed at special categories of personal data, criminal personal data or automated decision-making with legal effects.
The remaining impact on data subjects is limited by a package of safeguards, including respect for technical website instructions, active notification before inclusion, no inclusion where notification cannot be delivered, a waiting period before publication, continuing access and control via a unique link, straightforward partial or full deletion, blocking of re-inclusion after opt-out, processes for objection, erasure and rectification, contractual arrangements with customers and onward propagation to customers via deduplication lists.
In view of this nature, context, purpose limitation, necessity, proportionality and safeguards, the processing is justified on the basis of Article 6(1)(f) GDPR.
Yes. The assessment of the legitimate interest, the necessity of the processing and the balancing of interests is recorded in this explanation.
This explanation describes the actual design of the processing by CompanySpotter, including the collection of data from websites of organisations, the structuring and updating of business-oriented data, the processing of business contact channels and the making available of data to professional users within the business-to-business domain.
In addition, this explanation describes the relevant safeguards applied by CompanySpotter, including the organisation-oriented nature of the processing, data minimisation, active notification before inclusion, continuing control via a unique link, the possibility of restriction or deletion, blocking of re-inclusion after opt-out and onward propagation to customers via deduplication lists.
This public explanation contains the balancing of interests on the basis of Article 6(1)(f) GDPR. Technical and organisational risks, including risks to the confidentiality, integrity and availability of data, are assessed separately within CompanySpotter's privacy, security and compliance governance.
This assessment is periodically reviewed within CompanySpotter's privacy and compliance governance. Where necessary, privacy-law expertise is involved in this review, including that of CompanySpotter's Data Protection Officer.
The purpose of the assessment is to verify whether the chosen legal basis, the description of the processing, the necessity test, the balancing of interests and the described safeguards continue to align with the GDPR, current guidance, relevant supervisory practice and the actual design of the services.
It is also assessed whether additional documentation or assessment is necessary, for example in connection with technical and organisational risks, changes in the processing, changes in technologies used or other circumstances that may be relevant to the protection of data subjects.
Yes. CompanySpotter revises this explanation when the actual processing, the technologies used, the categories of data, the categories of recipients, the retention periods, the opt-out mechanisms or other relevant safeguards materially change.
In addition, revision may take place as a result of changes in laws and regulations, case law, guidance from supervisory authorities or signals from practice, such as patterns in objection or deletion requests, complaints, incidents or findings from internal controls.
Signals from organisations and data subjects, including requests, objections, complaints and feedback via the deletion or contact channel, are taken into account in the periodic review of this assessment. This means that the review considers not only the formal legal assessment, but also the practical functioning of the safeguards applied.
The outcome of a review is documented and, where necessary, incorporated into an amended version of this explanation.
CompanySpotter concludes that the processing of business-oriented data and any personal data that occur within that context can be based on legitimate interest as referred to in Article 6(1)(f) GDPR.
This conclusion is based on the connection between the specific business interest, the necessity of the processing for the services and the safeguards implemented to protect data subjects. CompanySpotter primarily processes data about organisations, websites and business online presence. Any personal data are processed only to the extent that they are functionally connected with that business context and necessary for the business-oriented purposes of the services.
CompanySpotter applies a transparency and control model under which organisations are actively informed before inclusion in the public database and can, via a permanently active unique link, consult which data are processed and delete or restrict those data in whole or in part.
In combination with data minimisation, respect for technical website instructions, blocking of re-inclusion after opt-out, deduplication lists towards customers, contractual safeguards and processes for objection, erasure and rectification, the remaining possible impact on data subjects is limited and proportionate. The legitimate interests of CompanySpotter and its professional users and other third parties therefore prevail over the interests, fundamental rights and freedoms of data subjects, including any possible interference with those interests and rights.