This "Explanation of Legitimate Interests" is an integral part of the "Privacy Statement Database" of CompanySpotter BV, located at Koninginnegracht 46-I in The Hague and registered in the Dutch Trade Register under number 78391857. For any questions regarding the content of this statement or exercising your rights in respect of privacy, we have appointed a Data Protection Officer who can be contacted at [email protected].
Introduction
The legitimate interest can only serve as a legal basis for the processing of personal data if it passes the threefold test of the European Court of Justice. (1) The purpose test, (2) the necessity test and (3) the balancing test. It can be concluded from the elaboration below that the processing based on the legitimate interest (of CompanySpotter) serves as a legal basis for the processing of personal data since it passes the triple test. Before the triple test is addressed in detail, the existing framework within which the processing takes place will first be outlined.
Framework - General
The GDPR is a regulation designed to protect the citizens of the European Union. The objectives of the European Union include its commitment to the sustainable development of Europe, based on balanced economic growth and price stability, a social market economy and high competitiveness. By providing its services, CompanySpotter is actively contributing to this objective of the European Union.
Framework - Provision and compatibility
The general rule is that disclosing personal data is only allowed if it is compatible with the purposes for which it was collected. An organization may not simply provide personal data to individuals or other organizations. Whether this is the case depends on the specific circumstances. This can therefore differ per situation, where it is important to assess (among other things) whether the initial disclosure is compatible with the purpose of the processing. Here, the most important question is whether the processing of personal data takes place for the same or for a different purpose than that for which the personal data were collected.
With that in mind, it is important to realize that initiating and operating a website is a free choice of people and organizations and is intended to realize their goals, whatever they may be, through online presence. The intended purpose of a website can range from enhancing business activities, increasing online visibility, providing information and improving customer service, to expressing personal creativity and building an online community. A website is a powerful and versatile tool that allows people and organizations to share information, sell products and services, reach customers and followers, and connect with other people and organizations. Thus, operating a website is a free choice and a way to create online presence and achieve online goals.
The personal data processed by CompanySpotter has been shared publicly (e.g. through the company's website) by the relevant organizations/affiliates knowingly and on the basis of free choice. Despite the fact that in some regions there are requirements to the website content, this in no way affects the free choice to initiate, manage a website and consequently publish self-selected contact information. The data subject provides information for the purpose of creating an online presence and achieving online goals. Given the time and context of the collection of the personal data, it is reasonable to expect by the data subject that the data will be further processed in line with these purposes. In fact, it actively contributes to the reinforcement of the initial goal.
Framework - Guide for search engines
An important feature of CompanySpotter is to act as a search engine. On 26 November 2014, the Article 29 Working Party published an opinion on the guidelines for implementing the judgment of the Court of Justice of the European Union ("Google Spain and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González"). The opinion provides guidance to search engine operators. The opinion states that (inter alia) the following issues are relevant in the assessment of the situation:
- Does the person involved plays a role in public life? Is the person involved a public figure?
- Is the information correct?
- Is the information relevant and not excessive?
- Does the data relate to the professional life of the person concerned?
- Is the data up to date? Is the data made available for a longer period than is necessary for the purpose of processing?
- Does the processing cause harm to the data subject? Does the data have a disproportionately negative impact on the data subject?
- In what context has the information been published?
- Was the content voluntarily made public by the data subject?
- Was the content intended to be made public? Could the data subject have reasonably known that the content would be made public?
Framework - Considerations GDPR
With regard to careful consideration, the following considerations of the GDPR, among others, are relevant:
“4. The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
[…]
14. The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
[…]
47. The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
(own emphasis)
Framework – Conclusion
The following can be derived from the above-mentioned considerations:
- The right to the protection of personal data is not absolute and must be weighed against other fundamental rights, such as the freedom to conduct a business.
- The circumstances in which the data were provided and in which further processing takes place should always be taken into account.
- The obligations set out in the GDPR do not apply to business information (i.e. data relating to legal entities).
- If certain conditions are met, the legitimate interests of CompanySpotter may provide a legal basis for processing the personal data included in the overall set of data.
The triple test - (1) The purpose test
A lack of essential (correct) business information puts a brake on the development of the economy and hinders its (re)emergence. Moreover, it damages the economy, and especially (European) organisations, by exposing healthy companies to the pernicious effects of contracting with insolvent or even malicious companies. Up-to-date business information enables organisations to explore new market segments in a target-oriented way, in particular by having access to relevant data regarding the companies' target groups or market segments. These companies can thus generate additional, healthy and therefore profitable business.
In this sense, the processing of data creates a level playing field since not only large(er) companies have access to business information, but small enterprises can also avoid the harmful consequences of contracting with insolvent or even malicious companies, can keep their carefully constructed business databases up to date, and are given the opportunity to prospect in a target-oriented way (without having to contact companies at random, for example).
CompanySpotter plays an important role in the context of corporate social responsibility, reducing the nuisance of unwanted direct marketing, stimulating competitiveness and preventing monopolisation.
- Through CompanySpotter, organisations can easily find out for themselves which suppliers and customers are located nearby and get in touch with them, without the need to rely on (international) parties. Local partnerships help to reduce costs and ecological damage caused by potential logistical aspects.
- CompanySpotter allows organisations to easily identify a very specific target group. The available filtering options allow users to select only those companies for which it is likely that the potential engagement will be relevant. This reduces marketing and sales costs, while the relevance helps to reduce the perception of inconvenience caused by direct marketing.
- Through CompanySpotter, start-ups, small and medium-sized organisations can access a sophisticated set of tools to find and approach their target group in a simple and cost-effective way. This allows them to actively compete with other (larger) parties who are more capital-intensive. This increases competition and reduces the risk of market and industry monopolies.
CompanySpotter has a legitimate interest in processing personal data in order to make it available to its customers. This implies that there are specific, predetermined processing purposes. The data that CompanySpotter makes available to its customers serves multiple purposes, including marketing purposes, analysis capabilities, data management and the limitation of financial risks and fraud prevention,
As there are concrete, predetermined processing purposes, the purpose test is passed.
The threefold test - (2) The necessity test
The processing must be necessary for the realisation of the objectives pursued, whereby it must be assessed whether the aforementioned objectives cannot reasonably and equally effectively be achieved by other means, which are less prejudicial to the rights of the data subject. This test must be carried out in relation to the principle of data minimisation.
The processing of personal data is required to fulfil CompanySpotter's company objective and therefore its activities, as recorded by the Dutch Chamber of Commerce by means of the "SBI code" (the code assigned by the European Union and its Member States to a particular class of commercial or non-commercial economic activity). This involves providing services in the field of information technology and, specifically, the development, production and publication of software. And with regard to information and communication, the publishing of databases.
In addition, CompanySpotter has implemented various measures for ensuring minimum data processing. After all, CompanySpotter's aim is to commercialise company information and not the information of natural persons (non-companies). In order to limit its database strictly to company information, CompanySpotter implements various measures to minimise the processing of personal data. Consequently, the data processed by CompanySpotter is limited to the data necessary for the pursuit of the aforementioned purposes. Finally, CompanySpotter will not keep any data longer than necessary.
As the processing is necessary for the realisation of the interests and objectives represented, the necessity test is passed.
The triple test - (3) The balancing test
It must be determined whether the interests pursued by CompanySpot outweigh the fundamental rights of the data subjects, taking into account the particular circumstances of the specific situation and the reasonable expectations of the data subjects.
This consideration is based on the following elements: the type of personal data involved and the 'intensity' of the processing, the specific way of processing and the access to the data and the reasonable expectations of the data subject that his personal data will not be processed when, in the given situation, he cannot reasonably expect further processing.
With regard to the type of personal data involved and the 'intensity' of the processing, it is concluded that the data primarily concerns business information and CompanySpotter does not process sensitive personal data at all. Nevertheless, it can be derived from this - in general - that CompanySpotter must assess the risk of a breach and how far this breach will affect the rights of the person concerned. In this context, the following elements are taken into consideration:
- The principles of 'Privacy by Design' and 'Privacy by Default' are taken into account in every aspect of our service.
- It involves data that are also publicly available in other ways.
- All processing is subject to CompanySpotter's Terms of Use and therefore restricted.
- The source that provided the data of the subjects was informed about the processing in accordance with the conditions set forth in Article 14 of the GDPR.
- Data subjects are always able to change the data in the original source.
- The data subject has the possibility to object to the processing by CompanySpotter.
- The risk of a breach is limited.
- In the event of a breach, the impact will always be limited: no sensitive data is processed and the data is still publicly accessible.
- CompanySpotter has taken various measures and safeguards to limit both the risk of a breach and the consequences of any breach
With regard to the specific method of processing and access to the data, it is important to underline that CompanySpotter manages the data in a secure environment that is tailor-made for these purposes and provides a level of security appropriate to this processing. Access to (the personal data included in) the data is strictly limited to CompanySpotter's customers. These customers are only granted access to this data after they have committed to complying with CompanySpotter's General Terms and Conditions (and other legal documents). These legal documents strictly stipulate the way in which the data is to be handled, taking into account the GDPR as well as additional specific legislation.
An information security risk assessment was carried out prior to CompanySpotter's operational activities. This has provided us with insight into potential risk areas and appropriate (security) measures have been implemented as a direct result. This risk assessment is reviewed on a regular basis to ensure that it is always up to date and that all measures are in accordance with the present state of affairs and in anticipation of possible risks in the foreseeable future.
As regards the data subject's reasonable expectations that their personal data will not be processed when they cannot reasonably, in the circumstances of the case, expect further processing, it should be noted that the data subjects' expectations depend (to some extent) on whether the data involved are already available in publicly accessible sources. If this is the case, it must be assumed that there is a lesser interference with the rights of those involved.
The personal data processed by CompanySpotter only relates to the companies' representatives. In addition to the name of this representative, the contact details recorded, such as address, email address and telephone number, are only included in the database as contact details of the respective company. These data have been deliberately shared publicly by the organisations/parties concerned (e.g. via the company's website). In view of this, there is little likelihood that the processing will adversely affect the rights of the data subject.
The data subjects provide the aforementioned information to the public with the aim of participating actively in trade. Given the circumstances and context of the collection of the personal data, the data subject may reasonably expect that his data will be further processed in accordance with the objective of active participation in trade.
As the personal data are in any case already public, there is thus a lesser interference with the rights of the data subjects. In particular, data subjects can fairly expect further processing of the (publicly available) personal data.
The triple test - Conclusion
As the interests of CompanySpotter, taking into account the measures CompanySpotter has foreseen, outweigh the rights of the data subject, the third condition is passed.
Changes to this document
CompanySpotter reserves the right to change or update this explanation at any time. If the occasion arises, we will strive to correctly inform all data subjects whose rights are significantly changed/affected by the change in question. In any case, it is advisable to consult this document regularly. A 'second to last' version is always available here.