Graydon Privacy Notice
This Privacy Notice applies to all Graydon services.
If someone has registered a company at Companies House, or is registered as a director, officer, administrator, or other insolvency practitioners, or shareholder, Graydon will receive information about the company or registration. In limited circumstances, some of that information will be "personal data" (data relating to identifiable individuals) such as names and contact details. In this Privacy Notice, we will provide further explanation about how we process personal data.
Most recent update: December 2021.
Graydon: we stand for doing business safely
As you may know, Graydon is a business information specialist. We have over 130 years of experience with the supply of reliable business information to companies and governments. Graydon believes that transparency strengthens trust between business partners. If organisations have a clear picture of the opportunities available and the risks they may face, the collaboration will arise, agreements will be made, and ideas will become reality.
Our mission is to filter large quantities of data that is available from various sources, to obtain and offer useful, but more importantly, reliable, business information about all companies in the UK, to generate more trust between trade partners and contribute to efficient trade and economic traffic. Data about you and your company is also an important part of this. Based on the information from various sources, we generate valuable financial, and commercial business insights, which enable our clients to take even better business decisions.
The three types of Graydon solutions
To assist our clients with this, Graydon has created three different types of solutions: Credit Information, Risk & Compliance, and Market Information. All of these solutions are very much aimed at providing business information to other businesses.
Our 'Credit Information' solution gives our clients insights into which (potential) business relations they do business with and what the creditworthiness of that relation is. This solution offers our clients the opportunity to request a credit information report about your company and to offer your company, for example, more supplier credit based on that report, allowing your company to trade and grow faster. Our clients can also decide not to enter into a business relationship with your company, to discontinue an existing relationship or to amend the conditions of your relationship, because, based on your creditworthiness, they anticipate certain risks.
The 'Risk & Compliance' product allows our clients to comply quickly and efficiently with laws and regulations, such as the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). This product offers the possibility to uniformly screen (potential) business relations, like corporate customers or ultimate beneficial owners (UBOs), to avoid financial risks and reputation damage. When, based on the screening, our clients anticipate a risk they deem unacceptable, they may decide not to enter into a business relation with your company, or to discontinue an existing relationship, because that relationship would be in breach of their legal obligations.
'Market Information' gives our clients insights to help them set up their marketing campaigns more efficiently. This allows the target audience for marketing activities to be mapped based on geographic locations, allowing prospects to be approached more efficiently and effectively. It is then up to our clients whether or not to approach your company for marketing purposes, where, in doing so, they would then be required to comply with all applicable legislation and regulations. You can always object to this processing, after which we will stop processing your personal data for these purposes.
What information do we process about you and your company?
Primarily, Graydon processes business information. From time to time some of that information might identify individual directors, officers, administrators or other insolvency practitioners, shareholders, and (small) independent traders, such as self-employed persons or sole traders without employees or other individuals. Even when this constitutes the personal data of those persons, it is firmly used within a "business context".
1. Who is the data controller for your personal data?
In those circumstances when we might process personal data, Graydon UK will normally be a data controller within the framework of Credit Management (business and credit information), Risk & Compliance, and Market Information products.
For some parts of its services, Graydon may be a data processor instead of a data controller. This applies, for example, to certain aspects of the “Risk & Compliance” service: if clients wish to perform a compliance check, they will be connected directly to a third party, which subsequently performs the compliance check. In this case, Graydon merely functions as the “connection” and is therefore considered a processor. The same applies to the “Credit Management” service: if clients wish to assess the creditworthiness of a person, they are redirected to a third party which subsequently performs the check. Here too, Graydon merely functions as the “connection” and is therefore considered a processor.
2. What personal data does Graydon collect?
Graydon supplies business information and insights into that information to its clients. To do this, relevant data is collected about all companies and organisations in the UK (both legal entity companies and sole traders).
3. How does Graydon obtain your personal data?
Graydon mostly uses public sources to collect personal data.
From what public sources Graydon collects information?
- Companies House, which has the legal duty to provide public data to any party who requests it;
- some public (insolvency, administration and receivership, and other) registers and (legal) judgments;;
- official publications and statements in the London Gazette;
- foreign equivalents of the aforementioned sources.
From what non-public sources Graydon occasionally will receive information?
- from you, for example where it concerns information supplied by the relevant company, or data that have come into the public domain by virtue of their own activities. This includes, for example, the published annual accounts and report for your enterprise;
- Graydon clients and others who have a business or financial relationship with Graydon that is relevant for the collection and processing of the data;
- other (commercial) parties Graydon does business with.
4. For what purposes and on what basis does Graydon process personal data?
Graydon is a business information specialist. Business information specialists have existed for a long time – Graydon for over 130 years – and they provide business insights based on business and (business-related) personal data from various sources. As a business information specialist, Graydon fulfills an important role. By providing this business information, Graydon helps its clients in the business world to estimate certain business-related risks, create new business opportunities, and comply with legal requirements and monitoring duties. Graydon’s aim, as such, is to help organisations to make business decisions based on accurate, reliable, and complete business information. In this way, Graydon contributes to the certainty and reliability of economic traffic and the development of a healthy economy.
Graydon processes data for the purpose of the following services:
Credit Management (business information)
Graydon supports companies and other organisations in the area of credit risk management. For this purpose, Graydon processes business information, sometimes including (business-related) personal data, into credit information reports. Assisted by this information, our clients then make their own decisions about whether or not to engage in or continue a business relation and/or about how to manage the business relation/agreement, both in the quotation stage and in the invoicing stage.
Risk & Compliance
Graydon supports companies and other organisations in complying with their legal requirements or supervisory duties, which are imposed under various laws and regulations. For this purpose, Graydon processes business information, sometimes including (business-related) personal data, into Risk & Compliance reports. Assisted by this information, our clients then make their own decisions about whether or not to engage in or continue a business relationship.
Market Information (marketing information)
Graydon supports companies and other organisations in the area of B2B market positioning, the acquisition of (new) insights into their client portfolio, and potential new clients. For this purpose, Graydon provides companies and institutes with business information, sometimes including (business-related) personal data, for the benefit of their marketing activities.
Graydon relies on its ‘legitimate interests’ and those of its customers as the legal basis for processing data as part of its services.
Graydon processes personal data on the basis of its ‘legitimate interests’. We carefully balance our legitimate interests, and those of our customers with individuals' interests and rights, to ensure that we only process personal data where it is necessary for our legitimate interests.
In considering individuals' interests, Graydon has looked at the possible consequences that the processing of personal data might have. In doing so, Graydon has taken into account, among other things, the following:
- The nature of the personal data: Graydon processes only a limited amount of business-related personal data, such as a name, address, function title, date of birth, and, sometimes, phone number and email address. This data is predominantly obtained from public sources, such as Companies House.
- How the personal data is being processed: Graydon exclusively processes personal data within a business context, for the performance of B2B activities. It supports companies and institutes in the area of credit risk management activities, by processing and providing information about companies, through a credit score, credit information report, or otherwise. This information, including personal data, is predominantly derived from public sources. Graydon merges this information and, in doing so, only selects that data that is required to compile accurate business information.
- Individuals' expectations: those who own or otherwise have significant control over the affairs of a business understand that some information about the business, and therefore about those individuals, will be published or otherwise made publicly available, as a matter of UK law, custom and practice. Therefore, it is generally accepted that such information (provided it is lawfully dealt with – for instance through the provision of Privacy Notices) is not something about which those individuals can reasonably expect to be kept private, or prevent its publication.
In consideration of the above, we conclude that Graydon and our clients had legitimate interests in the processing of your business-related personal data.
5. To what extent does Graydon use automated decision-making processes?
Graydon does not make decisions about data subjects based solely on automated processing, including profiling, which produces legal effects concerning that data subject or which similarly significantly affect him or her.
Graydon uses automated processing to determine scores, such as a company’s credit score. This involves the automated processing of company data and, from time to time, business-related personal data as defined in chapter 2 of this Privacy Statement. These data are processed together with static and/or demographic data, to then have a calculation model with weighting factors applied to them to arrive at a score. Each of our models results in scores which, depending on the design of the model, express a level of probability, or a ‘chance that...’. That way, a score offers, for example, an indication of how likely it is that a company will continue its business activities, pay its invoices on time, receives credit, or whether there are specific risks in connection with the company.
Graydon does not make any decisions about an organisation but only flags any risks and opportunities for doing business with an organisation. For example, Graydon records credit scores in the reports it provides to its clients; the client has sole discretion to determine its risk appetite, Graydon states as much in the general terms and conditions and communicates this clearly to its clients as well.
Graydon enables clients to select prospects based on a wide variety of information. The selected prospects may be enriched with a credit score, but it is up to the clients to determine which companies they ultimately want to do business with.
6. Does Graydon share personal data with other parties?
Graydon shares business information with other parties, such as clients and suppliers.
Graydon’s core activity is the collecting and processing of information for the supply of business information services. Graydon supplies the business information it collects, which from time to time might include (business-related) personal data, to its clients. Those clients are companies and governments in the UK. In addition, Graydon shares business information with its affiliated entities in Belgium and the Netherlands, and other parties Graydon collaborates with, such as foreign business information offices and CIFAS. As such, it may happen that a foreign business information office, for their foreign client, requests business information from Graydon about a company registered in the UK.
7. How does Graydon protect personal data?
The protection of personal data is very important to Graydon. Graydon ensures that appropriate technical and organisational measures are in place to secure personal data against all forms of illegitimate processing, loss, and misuse.
Graydon works with a quality management system that guarantees a consistent service level that complies with the client’s requirements and applicable law and regulations.
Graydon strives for continuous quality improvement in its organisation. Graydon strives to be a market leader in this area. Therefore, Graydon has a strong focus on creating awareness and providing training to all of its employees. Graydon has implemented an active ICT security policy and is ISO 27001 certified. Moreover, Graydon has appointed a Security Manager for the entire Graydon Group who is tasked with ensuring that the security policy complies with and who reports about the quality of the implementation.
8. How long does Graydon retain personal data?
Graydon retains personal data for no longer than is necessary to fulfill the purposes stated in this Privacy Notice unless Graydon is required to retain it by virtue of a legal requirement imposed on Graydon.
To ensure that personal data is not retained any longer than necessary for the purposes stated in this Privacy Notice, Graydon maintains a robust retention policy.
However, it may occur that we are sometimes required to retain personal data because of legal requirements imposed on us. If there is a dispute or legal proceedings, ongoing or anticipated, we are likely to be permitted to retain personal data for a longer period of time. If you would like comprehensive clarification about the retention periods Graydon maintains, please contact us.
9. What rights do data subjects have in respect of personal data?
Data subjects have several rights, which include the:
- Right of access: data subjects can ask Graydon to provide them with any personal data that is being processed by Graydon as a data controller;
- Right of correction and right of erasure: if the information contains errors, is incomplete, or is not relevant for the purpose for which it is processed, data subjects can request that Graydon corrects, supplements, or removes that personal data;
- Right of objection: in some circumstances data subjects have the right to object to the processing of their personal data;
Right of limitation of processing
Right of portability of data
Graydon makes every effort to ensure that personal data is correct and up to date. If you wish to exercise your rights, you can submit a request to Graydon. You can send your request to Graydon: via e-mail: firstname.lastname@example.org or by post to: Graydon UK Limited, 2nd Floor Hygeia Building, 66 College Road, Harrow, Middlesex, HA1 1BE. For us to be able to identify you, we kindly request that you include a copy of an appropriate identity document. We will aim to respond to your request within one month.
10. Making a complaint to the ICO
12. How can I contact Graydon?
You can contact us by e-mail: email@example.com or by post to: Graydon UK Limited, 2nd Floor, Hygeia Building, 66 College Road, Harrow, Middlesex, HA1 1BE.
This Privacy Notice may be updated from time to time. Therefore, we recommend that you regularly consult our website, to ensure you are informed of any changes.
13. Data Protection Officer
Graydon has appointed a Data Protection Officer (hereinafter: ‘DPO’). The DPO is tasked with ensuring Graydon’s compliance with data protection law and is the contact person for the ICO. If you want to contact the DPO, you can send an e-mail to: firstname.lastname@example.org.
For your information
In this video you will find more information about the processing of personal data by Graydon.