Company Watch Limited is a financial analytics firm and Credit Reference Agency based in London, United Kingdom. It is registered in England and Wales with company number 3597613.
A small part of the information we collect and use might be classified as “personal data” under the General Data Protection Regulation (GDPR) which comes into force in all European Union (EU) states on 25 May 2018. In the UK, the main terms of the GDPR are included in the Data Protection Act 2018 (DPA 2018). Therefore the withdrawal of the UK from the EU will not have any impact on the UK’s need to be compliant with the GDPR.
This personal data is that which relates to an individual (e.g. a company director, partnership, sole trader, person of significant control etc). Under the GDPR we are required to disclose information about how we process this information.
Company Watch’s Data Privacy Manager can be contacted on firstname.lastname@example.org
The information we collect
Company Watch provides company information to organisations who subscribe to its services in order that they are able to make informed decisions about the risks associated with doing business with a particular company/companies. We collect and use information on businesses and individuals associated with that business in a professional context. This includes, for example:
• Company contact information relating to directors, company secretaries, shareholders and persons of significant control which is, or has been, publicly available
• The name and contact information of unincorporated businesses, sole traders and partners of partnerships.
• The names, job titles and business email addresses of individuals in respect of a particular company for inclusion in our business contact database.
We do not seek to collect or process any information relating to an individual’s sensitive (special categories) personal data (e.g. sexual orientation, race, political opinions etc)
Company Watch uses a number of data suppliers and data sources, including third party data vendors, government sources, public sector information.
We also collect personal data of our own business prospects and contacts in a number of ways. If you are one of our business contacts, we will have collected your personal data in one of the following ways:
• From the information you provide to us when you meet us, or that is provided to us by your company;
• When you communicate with us by telephone, fax, email or other forms of electronic communication (which we may monitor, record and store);
• When you complete (or we complete on your behalf) client on-boarding or application or other forms.
The legal basis for processing personal data
Company Watch relies on the ‘legitimate interest’ ground for processing personal data in the context of company information: processing this data is necessary for our legitimate interests and those of our customers who use the information generated to facilitate commercial and trading activity in the UK economy worth billions of pounds a year. If our customers were not able to access the information we and other Credit Reference Agencies provided they would not be able to extend credit to their customers and could potentially be in breach of their statutory obligations to prevent fraud and money laundering. As such, we do not seek consent to process data.
If you are a customer, supplier or prospective customer or prospective supplier, your information will be processed to fulfil or enter into a contractual relation with you.
How we use personal data and whom we share it with
The company information we process is used by our customers across a number of industry sectors and business functions. These include banks, insurance companies and corporations, who work to promote responsible lending, provide trade credit and secure supply chain links. They may also use the information we provide for verification and fraud detection and to assist them in complying with applicable legal and regulatory obligations.
Marketing and other uses
The customer information we process is used in the ordinary course of our business. In particular, we may use the information that we hold to send you, or companies, marketing about other services we provide. We will communicate this in a number of ways including by email, telephone, post or other digital channels. If you object to receiving marketing from us, please either opt out online or contact our Data Privacy Manager (details above).
We use the information we obtain in order to produce scores such as the H-Score®, the Text Score, the PoD® (Probability of Distress) and the Credit Risk Score. We may also carry out bespoke scoring for our customers based on information they provide to us as Data Processor.
We have developed scoring models over many years using quantitative methods which are tested robustly in their ability to predict the likelihood of something happening given previous evidence.
We help our customers to interpret and apply our scores to their internal processes and ultimately decision-making. These decisions will be related to whether to do business with another company. Our terms and conditions of business prevent our customers using our scores as the sole reason for making this decision. We do not hold blacklists.
We seek to always use personal data properly and fairly. In particular we:
• Only process data in accordance with the purpose for which it was collected
• Seek to collect the minimum amount of data necessary for the legitimate business purpose for which it will be used
• Take steps to ensure that the data is adequate, correct and current
• Only keep personal data for as long as it is publicly available
• Take steps to protect against unauthorised loss or access
Under the GDPR you have the following rights:
• The right to be informed – this covers our responsibility for explaining in clear language what we do with your personal data. We believe this Privacy Notice meets this requirement.
• The right of access – under GDPR you have the right to obtain confirmation that your data is being processed, to have access to this personal data and to understand why it is being processed. The reason for allowing this right is so that you can verify the lawfulness of the processing
• The right of rectification – under GDPR you have the right to require us to correct personal information we hold about you if that information is incorrect. We take our responsibility to provide accurate information very seriously. To that end, we perform checks on the information that we receive to identify defects and/or mistakes. However, we are reliant upon suppliers, in particular on Companies House, providing accurate information to us. You have the right to request that we rectify any personal data relating to you that is inaccurate; and complete any incomplete data, including by way of a supplementing, corrective statement. If you do exercise your right to rectification, we will take steps to check the information and correct it where necessary.
• The right to erasure – under GDPR you have a right to ‘be forgotten’ and can request that we erase personal data we hold about you in certain circumstances, for example if it were not acquired for, or has ceased to be necessary for, a lawful purpose. Where you request that we erase your data, we will usually only do so where the data has ceased to be publicly available, whether at Companies House or otherwise, or where we no longer use it.
• The right to restrict processing – under GDPR you have the right to request that we limit the way we use your data
• The right to data portability – under GDPR you have the right to request that we provide back to you information you have given to us in a reasonable machine-readable format
• The right to object – under GDPR you can object to processing of your personal data
• Rights in relation to automated decision making and profiling – under GDPR you have the right not to be subject to a decision based purely on automated profiling
Note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply. We are required to deal with all requests within 28 days of us receiving such requests. If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner at www.ico.org.uk.
In cases where we are relying on your consent to process your personal information (which will only be in rare circumstances) you have the right freely to withdraw that consent, without affecting the lawfulness of how we have used it in previous reliance on that consent.
If you have any questions about how we use your personal data, or you wish to exercise any of the rights set out above, please contact our Data Privacy Manager.