Privacy Statement & Information Security Policy
Company Watch Limited is a financial analytics firm and Credit Reference Agency based in London, United Kingdom. It is registered in England and Wales with company number 3597613.
A small part of the information we collect and use might be classified as “personal data” under the General Data Protection Regulation (GDPR) which comes into force in all European Union (EU) states on 25 May 2018. In the UK, the main terms of the GDPR are included in the Data Protection Act 2018 (DPA 2018). Therefore the withdrawal of the UK from the EU will not have any impact on the UK’s need to be compliant with the GDPR.
This personal data is that which relates to an individual (e.g. a company director, partnership, sole trader, person of significant control etc). Under the GDPR we are required to disclose information about how we process this information.
Company Watch’s Data Privacy Manager can be contacted on [email protected]
The information we collect
Company Watch provides company information to organisations who subscribe to its services in order that they are able to make informed decisions about the risks associated with doing business with a particular company/companies. We collect and use information on businesses and individuals associated with that business in a professional context. This includes, for example:
• Company contact information relating to directors, company secretaries, shareholders and persons of significant control which is, or has been, publicly available
• The name and contact information of unincorporated businesses, sole traders and partners of partnerships.
• The names, job titles and business email addresses of individuals in respect of a particular company for inclusion in our business contact database.
We do not seek to collect or process any information relating to an individual’s sensitive (special categories) personal data (e.g. sexual orientation, race, political opinions etc).
Company Watch uses a number of data suppliers and data sources, including third-party data vendors, government sources and public sector information.
We also collect personal data of our own business prospects and contacts in a number of ways. If you are one of our business contacts, we will have collected your personal data in one of the following ways:
• From the information you provide to us when you meet us, or that is provided to us by your company;
• When you communicate with us by telephone, fax, email or other forms of electronic communication (which we may monitor, record and store);
• When you complete (or we complete on your behalf) client on-boarding or application or other forms.
The legal basis for processing personal data
Company Watch relies on the ‘legitimate interest’ ground for processing personal data in the context of company information: processing this data is necessary for our legitimate interests and those of our customers who use the information generated to facilitate commercial and trading activity in the UK economy worth billions of pounds a year. If our customers were not able to access the information we and other Credit Reference Agencies provided, they would not be able to extend credit to their customers and could potentially be in breach of their statutory obligations to prevent fraud and money laundering. As such, we do not seek consent to process data.
If you are a customer, supplier or prospective customer or prospective supplier, your information will be processed to fulfil or enter into a contractual relation with you.
How we use personal data and whom we share it with
The company information we process is used by our customers across a number of industry sectors and business functions. These include banks, insurance companies and corporations, who work to promote responsible lending, provide trade credit and secure supply chain links. They may also use the information we provide for verification and fraud detection and to assist them in complying with applicable legal and regulatory obligations.
Marketing and other uses
The customer information we process is used in the ordinary course of our business. In particular, we may use the information that we hold to send you, or companies, marketing about other services we provide. We will communicate this in a number of ways including by email, telephone, post or other digital channels. If you object to receiving marketing from us, please either opt out online or contact our Data Privacy Manager (details above).
We use the information we obtain in order to produce scores such as the H-Score®, the Text Score, the PoD® (Probability of Distress) and the Credit Risk Score. We may also carry out bespoke scoring for our customers based on information they provide to us as Data Processor.
We have developed scoring models over many years using quantitative methods which are tested robustly in their ability to predict the likelihood of something happening given previous evidence.
We help our customers to interpret and apply our scores to their internal processes and ultimately decision-making. These decisions will be related to whether to do business with another company. Our terms and conditions of business prevent our customers using our scores as the sole reason for making this decision. We do not hold blacklists.
We seek to always use personal data properly and fairly. In particular we:
• Only process data in accordance with the purpose for which it was collected
• Seek to collect the minimum amount of data necessary for the legitimate business purpose for which it will be used
• Take steps to ensure that the data is adequate, correct and current
• Only keep personal data for as long as it is publicly available
• Take steps to protect against unauthorised loss or access
Under the GDPR you have the following rights:
• The right to be informed – this covers our responsibility for explaining in clear language what we do with your personal data. We believe this Privacy Notice meets this requirement.
• The right of access – under GDPR you have the right to obtain confirmation that your data is being processed, to have access to this personal data and to understand why it is being processed. The reason for allowing this right is so that you can verify the lawfulness of the processing
• The right of rectification – under GDPR you have the right to require us to correct personal information we hold about you if that information is incorrect. We take our responsibility to provide accurate information very seriously. To that end, we perform checks on the information that we receive to identify defects and/or mistakes. However, we are reliant upon suppliers, in particular on Companies House, providing accurate information to us. You have the right to request that we rectify any personal data relating to you that is inaccurate; and complete any incomplete data, including by way of a supplementing, corrective statement. If you do exercise your right to rectification, we will take steps to check the information and correct it where necessary.
• The right to erasure – under GDPR you have a right to ‘be forgotten’ and can request that we erase personal data we hold about you in certain circumstances, for example if it were not acquired for, or has ceased to be necessary for, a lawful purpose. Where you request that we erase your data, we will usually only do so where the data has ceased to be publicly available, whether at Companies House or otherwise, or where we no longer use it.
• The right to restrict processing – under GDPR you have the right to request that we limit the way we use your data
• The right to data portability – under GDPR you have the right to request that we provide back to you information you have given to us in a reasonable machine-readable format
• The right to object – under GDPR you can object to processing of your personal data
• Rights in relation to automated decision making and profiling – under GDPR you have the right not to be subject to a decision based purely on automated profiling
Note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply. We are required to deal with all requests within 28 days of us receiving such requests. If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner at www.ico.org.uk.
In cases where we are relying on your consent to process your personal information (which will only be in rare circumstances) you have the right freely to withdraw that consent, without affecting the lawfulness of how we have used it in previous reliance on that consent.
If you have any questions about how we use your personal data, or you wish to exercise any of the rights set out above, please contact our Data Privacy Manager.
Processing our Customers’ data
Sometimes our customers provide us with their business data, such as their customer, supplier or prospect data – which may contain personal data – in order for us to provide them a service. In these instances we are the processor of any personal data contained in their data. Different parts of the GDPR/DPA2018 apply when we act as a processor and we take these obligations very seriously. The above notice does not apply to data received from our customers as this does not become our data (unless the customer has expressly agreed to this). We handle the data our customers provide us in strict accordance with our contractual obligations and any other applicable laws and only for the purpose of the agreement we have with our customer.
Information Security Policy
Company Watch is committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets in our business. Not only do we have a legal obligation to do this, but our reputation as a commercial credit reference agency relies upon us doing all we can to maintain a robust Information Security Management System (ISMS).
Information is at the heart of what Company Watch does – we rely on the publicly available information on businesses filed at Companies House, Government Departments and other Registries, along with business information from other partners to build models that analyse and predict the financial health of companies. In turn, our clients rely on this analysis to inform their own business decisions. In order for us to operate as a business we also process customer, supplier and employee data. Our ISMS is intended to be an enabling mechanism for information sharing, for electronic operations and for reducing information-related risks to acceptable levels.
It is our policy to ensure that:
• Customer and personal data is appropriately protected and not exposed to third-parties without authorisation
• Offices are secured by suitable physical security and environmental controls and access restricted as appropriate
• Confidentiality and integrity of information is ensured and is available to employees according to business need
• Access to organisational and personal data is appropriately controlled and protected against unauthorised access
• Use of third-parties to support the business operations is controlled and regularly reviewed
• Contractual, legal and regulatory requirements are being met
• Business continuity provisions are in place and plans are tested and maintained
• All employees and contractors are provided with information security awareness training
• All employees and contractors are aware of their individual responsibilities
• All breaches of information security, whether actual or suspected, are reported and investigated
Company Watch has established an Information Security Committee, which is responsible for ensuring that Company Watch achieves and maintains an ISMS which meets or exceeds accepted information security best practice. Our ISMS is subject to continuous, systematic review and improvement.
All employees and contractors are expected to comply with our Information Security Management System and will receive appropriate training.
In this policy, ‘information security’ is defined as:
Preserving the availability, confidentiality and integrity of the physical and information assets of Company Watch.