Wiki

General Data Protection Regulation (GDPR)

Graydon and the GDPR

The General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018. How is Graydon compliant with this new regulation? And who should you contact with any questions or queries? Below you will find all of the information you need.

Graydon Privacy Statement

1. Graydon’s vision (in relation to privacy) 
2. For what purposes do we gather personal data?
3. What are the legal bases on which Graydon processes personal data?
4. Does Graydon use automated processing?
5. Does Graydon share personal data with other parties?
6. Does Graydon transfer personal data to entities outside of the European Economic Area?
7. How does Graydon protect your personal data?
8. How long does Graydon store your personal data?
9. What rights doe you have concerning your personal data?
10. Complaint to the AP
11. Cookies
12. How do I contact Graydon?

Table – Purposes of data processing and legal basis for processing by Graydon 

Privacy Statement

Preamble

This is the Privacy Statement for Graydon Nederland BV, OpenCompanies BV (GraydonGo), Graydon Holding NV and Giant-net BV (hereinafter: 'Graydon').

Graydon processes personal data as part of its services and responsibilities. In the following sections, we outline what personal data we process and for what purposes. We also explain for which services we process the personal data and on what legal basis we are permitted to do so. Sharing personal data with other parties will also be discussed, as well as the processing of personal data outside the EU. The security of personal data is addressed, followed by information on retention periods for personal data. We conclude with a section explaining your rights as a concerned party, and the option to file a complaint or otherwise contact Graydon.

1. Graydon’s vision (in relation to privacy)

It is Graydon’s view that transparency fosters trust between companies. When companies have a clear view of their opportunities and risks, it clears the way for productive cooperation, for closing deals, and making ideas into reality. Graydon’s mission is to be the market leader in supplying innovative insights into our core markets. This enables our customers to identify business opportunities, which, together with the right B2B partners, they can take advantage of and develop further.

Based on this information, Graydon generates invaluable economic, financial, and commercial insights, which enable our customers to take better commercial decisions and so gaining a competitive advantage. Graydon strives to be a reliable partner for its customers, to maintain a solid reputation and to exude sincere trustworthiness, both domestically and abroad. Therefore, Graydon’s compliance policy must be visible and pro-active.

Graydon processes your personal data in a careful, safe, and reliable way. Your faith in our organisation and services is important to us. That is why we are happy to do everything we can to protect your privacy. The rules for the protection of your privacy are set out in the General Data Protection Regulation (hereinafter: ‘GDPR’), for which the Autoriteit Persoonsgegevens (AP) is charged with monitoring compliance with the regulation. The GDPR is one of the biggest changes in the regulations for our sector in the last decade. Data forms the core of Graydon’s activities and of the services we offer our customers. Graydon believes the GDPR is of the utmost importance.

1.1 What is personal data?

Personal data is all data which can be linked to a person, a so-called data subject. Examples are: your name, address, telephone number, and bank account number. Sometimes we will aggregate or anonymise your personal data, so that it can no longer be traced back or linked to you. A data subject is a customer, an employee, or another person about whom personal data is being processed.

1.2 From what sources do we gather personal data?

Graydon utilises various sources to collect personal data:

The public sources from which Graydon may obtain personal data include:

  1. Company websites and public registers, like the Chamber of Commerce’s trade register, cadastre, annual accounts deposited with the Chamber of Commerce, the central insolvency register, receivership and trusteeship register; Trade Register publications by the Chamber of Commerce;
  2. registers for verification and signalling of public documents;
  3. references in the Official Gazette (Staatscourant) and daily or weekly papers, and other sources which are accessible to anyone, such as information already provided by the person or data that was made public by their own actions via social or other media;
  4. national and international sanction lists;
  5. foreign equivalents of the sources referred to under (a) through (d).

The non-public sources from which Graydon may obtain personal data include:

  • the data subjects themselves, including any parties representing the data subject and those authorised by the data subject to represent them;
  • Graydon customers and others who have a business or financial relationship (including employment) with us, which is relevant to the purpose of the collection and processing of data;
  • commercial parties and companies with which Graydon does business.

1.3 What personal data of yours does Graydon process?

Graydon supplies its customers with business information and insights into that information. To this end, information is collected for and about all business in the Netherlands (both legal and natural entities), such as contact information for both the company and the natural person behind it, data about payment experiences and historical data concerning economic calamities (e.g. payment arrears, moratorium (postponement) of payment, bankruptcy, and the Natural Persons Debt Rescheduling Act (Wet Schuldsanering Natuurlijke Personen, WSNP)).

1.4 Who is the controller for the processing of personal data?

Graydon, with the exclusion of Giant-net BV (see explanation in section 2), is the controller for the processing of personal data for the purposes stated in section 2, such as:

  • Credit Management
  • Risk & Compliance
  • Market Information

1.5 Who is the Data Protection Officer?

The Data Protection Officer (hereinafter: ‘DPO’) for Graydon is Katleen Mertens. The DPO is tasked with enforcing compliance with data protection legislation and regulations and is the internal contact for the ICO. If you want to contact the DPO, you can send an e-mail to: dpo@graydon.nl.

2. For what purposes do we gather personal data?

We also refer you to the “Table – Purposes of data processing and legal basis for processing by Graydon” for further information.

Graydon Nederland BV

Credit Management

Graydon supports companies and institutions in making decisions concerning entering into or maintaining business relationships and/or contracts or the management of the business relationship/commercial agreement, from the tender to invoice. Graydon supports companies and institutions in the area of Credit Management, by processing and supplying personal data concerning natural and legal entities, whether in the form of a credit score, credit report, or otherwise.

With the help of our information, our customers themselves make decisions concerning:

  • identifying, testing and/or selecting potential trade partners;
  • whether to enter into, maintain and/or terminate trade transactions;
  • determining the conditions under which such trade transactions take place, including especially the granting of loans or (commercial) credit;
  • determining (future) opportunities for demanding and claiming repayment of debt and/or determining creditworthiness;
  • the provision of the aforementioned personal data to third parties, who further process this personal data on the same basis as previously stated.

Risk & Compliance

Supporting companies and institutions in accordance with legal obligations and legal supervisory duties, including those imposed by the Dutch Financial Supervision Act (Wet op het financieel toezicht, Wft), Prevention of Money Laundering and Financing of Terrorism Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft), Sanctions Act (Sanctiewet), duty of care and customer investigation procedures (such as customer due diligence and know your customer/supplier) by processing and supplying personal data about natural and/or legal entities;

The provision of the aforementioned personal data to third parties, who further process this personal data on the same basis as previously stated.

Market Information

  • Supporting companies and institutions in the area of market positioning aimed at companies and/or institutions, by processing and supplying personal data about natural and/or legal entities, concerning the market activities of such companies and institutions;
  • The provision of the aforementioned personal data to third parties, who further process this personal data on the same basis as previously stated

Please note, all our marketing communication offers the option to unsubscribe from receiving further communication for commercial purposes.

Other purposes

Customer Support

We will use your personal data to provide our services to you and to optimise those services (for example if you have questions or specific comments that require further investigation),  to contact you, as our customer, about services that are important to you, provided that you consent or have already requested the specific service and the intended communication is relevant or connected to such a prior request and takes place within such timeframe as determined by applicable legislation.

Website Management

Processing personal data for the purpose of improving the services and experiences for the visitors of our websites.

Internal training purposes

Your personal data may be used for internal training purposes with the aim of improving the provision of services.

Reporting and analytics purposes

  • Your personal data may be used for reporting and analytics purposes, for example for mapping the geographical spread of our customer base. This allows us to improve our services and to offer you better support.
  • For the improvement of our services, you may receive an invitation to participate in a customer panel. Of course, it is entirely your choice whether to accept the invitation and the invitation will include an option to unsubscribe from invitations for future studies.

Administrative purposes

In our administration, aforementioned personal data is processed to keep it up to date as much as possible. In addition, the way in which personal data is used within our administration has been recorded.

Complaints and Dispute Resolution

Despite our aim to offer you the best possible service, it is possible that you are dissatisfied about our services and want to make a complaint. In that event, the personal data we have of you may be used to allow us to resolve your complaint to the best of our ability.

Recruitment

Your personal data may be used for the recruitment of new employees, employee support and for the management of employee files.

Camera surveillance

We deploy camera surveillance and video recording throughout our offices, to assist the security and safeguarding of people and property. Stickers and signposts are placed inside and outside the business premises to give notice of the use of camera surveillance. The use of cameras is not a stand-alone measure, it is part of a series of technical, structural, and organisational security measures.

Legislation and Regulation

We will, where required, use your personal data to comply with legislation and regulations.

OpenCompanies BV (GraydonGo)

Credit Management 

Graydon supports companies and institutions in making decisions concerning entering into or maintaining business relationships and/or contracts or the management of the business relationship/commercial agreement, from the tender to invoice. Graydon supports companies and institutions in the area of Credit Management, by processing and supplying personal data concerning natural and legal entities, whether in the form of a credit score, credit report, or otherwise.

With the help of our information, our customers themselves make decisions concerning:

  • identifying, testing and/or selecting potential trade partners;
  • whether to enter into, maintain and/or terminate trade transactions;
  • determining the conditions under which such trade transactions take place, including especially the granting of loans or (commercial) credit;
  • determining (future) opportunities for demanding and claiming repayment of debt and/or determining creditworthiness;
  • the provision of the aforementioned personal data to third parties, who further process this personal data on the same basis as previously stated.

Other purposes

Customer Support

 We will use your personal data to provide our services to you and to optimise those services (for example if you have questions or specific comments that require further investigation), to contact you, as our customer, about services that are important to you, provided that you consent or have already requested the specific service and the intended communication is relevant or connected to such a prior request and takes place within such timeframe as determined by applicable legislation.

Website Management

Processing personal data for the purpose of improving the services and experiences for the visitors of our websites.

Internal training purposes

Your personal data may be used for internal training purposes with the aim of improving the provision of services.

Reporting and analytics purposes

  • Your personal data may be used for reporting and analytics purposes, for example for mapping the geographical spread of our customer base. This allows us to improve our services and to offer you better support.
  • For the improvement of our services, you may receive an invitation to participate in a customer panel. Of course, it is entirely your choice whether to accept the invitation and the invitation will include an option to unsubscribe from invitations for future studies.

Administrative purposes

In our administration, aforementioned personal data is processed to keep it up to date as much as possible. In addition, the way in which personal data is used within our administration has been recorded.

Complaints and Dispute Resolution

Despite our aim to offer you the best possible service, it is possible that you are dissatisfied about our services and want to make a complaint. In that event, the personal data we have of you may be used to allow us to resolve your complaint to the best of our ability.

Legislation and Regulation

We will, where required, use your personal data to comply with legislation and regulations.

Graydon Holding NV

Other purposes

  • Performing the internal administration for the subsidiaries of Graydon Holding NV and the management of our own accounts and documents for this purpose;
  • The recruitment of new employees, supporting employees and management of employee files.
  • Giant-net BV
  • Giant-net BV processes personal data at the behest of Graydon Belgium NV, Nederland BV and Graydon UK Ltd, making it a processor. Giant-net BV receives and processes the international data for the international credit information reports.

3. What are the legal bases on which Graydon processes personal data?

We also refer you to the “Table – Purposes of data processing and legal basis for processing by Graydon” for further information.

Consent: The data subject has given his or her unequivocal consent for the processing.

If you, as a data subject on Graydon’s website, fill in contact forms, for example to request credit information, you are required to provide your personal data, such as your name, company, e-mail address, and telephone number. Graydon processes this personal data exclusively for the purpose for which it is intended: to supply the requested service and information. Your personal data will not be made available to third parties.

Agreement: The processing of personal data is necessary for the performance of an agreement that the data subject is party to. This criterion applies when the processing is required for the performance of an agreement, such as an employment contract, sales agreement, or rental agreement.

Legal obligation: The processing of personal data is required to comply with a legal obligation imposed on Graydon.

Legitimate interest: The processing of personal data, for the purpose of offering and providing commercial information, as well as the development of services, is necessary with a view to the legitimate interest of Graydon or its customer. The purpose of this processing is to enable companies to manage their financial risks, to protect themselves against fraud, to know who they are in business with, to meet compliance and regulatory obligations, and to gain better insight into organisations, sectors, and markets. Processing of personal data on these bases does not take place if the interests of the data subject outweigh the interests of Graydon. Graydon may also use the personal data if the public interests in them outweigh the individual interests or rights of the data subject. For example, for the prevention and tracking of criminal activity, such as fraud and money laundering. Such criminal activity costs the economy many billions of euros each year. In the end, that cost is borne by the general public in the form of higher prices. Graydon contributes to the public interest by helping to prevent fraud, such as identity theft.

4. Does Graydon use automated processing?

Graydon uses automated processing to determine and company’s credit score. This involves the automated processing of company data and/or personal data, combined with statistical and/or demographical data, to arrive at a score using a logical and transparent calculation model, including weight factors. In this way, credit score predicts, for example, whether a company is likely to continue its business activities, pays its invoices on time, receives credit, or whether there is a specific connected to the company. All of our models result in scores which, depending on the model’s subject, express a level of probability, ‘chance of’. The result is a risk indication. Graydon does not attach any legal consequences to this credit score. Graydon takes no decisions about an organisation and does not advice customers on whether they should do business with an organisation. The customers themselves determine how much ‘appetite for risk’ they have and is informed of this responsibility in Graydon’s general terms and conditions.

We make use of automatic processing to determine whether someone may be a potential customer for us. In our system, automatic processing, for example of clicking history on the website or in e-mails and of any requests for information on the website, takes place to determine whether someone is an interesting prospective customer for us. Based on this information, a score is calculated using a logical and transparent calculation model including weight factors. Based on that score, Graydon may contact a potential customer. There are no legal consequences connected to this automatic processing and there are no substantive consequences for the data subject, regardless whether Graydon contacts the potential customer based on the score or not.

5. Does Graydon share personal data with other parties?

Graydon’s core activity is the collection and processing of personal data for the purpose of supplying business information services (commercial personal data). Graydon shares such commercial personal data with:

  • customers - companies and organisations with which Graydon enters into an agreement to purchase or gain access to data;
  • entities affiliated to Graydon: Graydon Belgium NV and Graydon UK Ltd.;
  • suppliers - companies and organisations with which Graydon enters into an agreement to purchase or gain access to data;
  • Atradius and Ultimoo - companies which, in the capacity of collection agency, handle business with (international) debtors on behalf of Graydon;
  • the police and other institutions in the field of law enforcement, as well as government bodies, such as local and national authorities, may request personal data. Such requests must always have a valid legal basis. For example: for the prevention or tracking of criminal activity, the arrest or prosecution of offenders, the assessment and claiming of taxes, investigating complains, or assessing to what extent a specific branch of business is functioning as it should.

6. Does Graydon transfer personal data to entities outside of the European Economic Area?

Graydon only transfers personal data to entities outside of the European Economic Area  (hereinafter: ‘EEA’) if, according to the European Commission, that country enforces an adequate level of data protection, or if additional measures have been taken (Standard Contractual Clauses) with and by the parties to safeguard the security of your personal data in accordance with the GDPR.

7. How does Graydon protect your personal data?

Graydon considers the protection of the privacy and confidentiality of your personal data to be very important. Therefore, Graydon ensures adequate technical and organisational measures are in place to safeguard personal data against loss, misuse, and any form of unauthorised processing.

Graydon works with a quality management system that guarantees a consistent service level which meets the customer’s as well as any legislative and regulatory requirements.

ISO 9001

Graydon Nederland BV was one of the first credit information and collection agencies to be awarded ISO 9001 certification. This shows that Graydon Nederland BV has set up a quality management system that guarantees a consistent service level which meets the customer’s as well as any legislative and regulatory requirements.

ISO 9001 is an international standard for quality management, for the assessment of service orientation, transparency, and training and coaching of employees. Graydon Nederland BV is a clear example of a company that has embedded the goal of continues quality improvement in its organisation. The extensive audits that were undertaken, show that Graydon Nederland BV scores above the median on all fronts.

ISO 27001

Graydon strives for continuous quality improvement in its organisation. On that front, Graydon strives to be a market leader. That is why Graydon invests in generating awareness and offering training to all its employees. Graydon has actively drafted an ICT Security Policy and Graydon Nederland BV holds an ISO 27001 certificate. Furthermore, Graydon has appointed a Security Manager for the Graydon Group as a whole.

8. How long does Graydon store your personal data?

Graydon ensures that the personal data that is processed by Graydon for the purpose of its services is correct, adequate, relevant, and up to date. Graydon takes all reasonable measures required, to remove personal data if it is found that aforementioned processing purposes are incorrect or are no longer sufficient, relevant, or up to date.

9. What rights doe you have concerning your personal data?

Graydon does everything within its power to ensure that your personal data is accurate and up to date. If you wish to exercise your rights, you can do so by filing a request with Graydon. You can file your request with Graydon by e-mail to the following address: avg@graydon.nl, or by post to: Graydon Nederland BV, f.a.o.: Service, Postbus 12525, 1100 AM, Amsterdam. We will respond to your request within one month. 

You can exercise the following rights:

  • right of access: you can ask Graydon to provide to you the personal data Graydon has on file for you;
  • right of correction and right of removal: if the information contains incorrect information, is incomplete, or is not relevant to its processing purpose, or is otherwise in breach of a legal requirement, you can request that Graydon corrects, supplements, or removes such personal data;
  • right to restrict processing: restrict or limit the processing of your personal data.
  • right to data portability: to transfer your personal data, where your data is automatically processed based on an agreement or your consent;
  • right to object: to object against the processing of your personal data; when your personal data is being used for direct marketing, you can object to its processing at any time.

10. Complaint to the AP

Meeting your expectations is important to us. But even though we do everything in our power to achieve that, its possible you may be dissatisfied. If your complaint concerns the protection of personal data, you can file a complaint with the AP. You can do so at: https://www.autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacyrechten/klacht-indienen-bij-de-ap

11. Cookies

Graydon’s website uses cookies. For more information, please refer to our cookie statement.

12. How do I contact Graydon?

Would you like to know more about Graydon’s vision of privacy, or do you have a question or suggestion? You can contact us via e-mail: avg@graydon.nl, or by post addressed to: Graydon Nederland BV, f.a.o.: Service, Postbus 12525, 1100 AM, Amsterdam.

This Privacy Statement is updated from time to time. Therefore, we recommend that you regularly review the Privacy Statement to ensure you are aware of any changes.

This Privacy Statement was most recently updated on 18 September 2019.

Download here the table purposes of data processing and legal basis for processing by Graydon

Positioning Paper

Data is at the heart of Graydon. Our business revolves around data, and we take GDPR very seriously. Our strategy aims for Graydon to be trusted and to act as a reliable business partner. This is why Graydon confirms it is compliant and will meet the GDPR deadline, on 25th May 2018.

Please look at our privacy statement in the positioning paper below.

Download our positioning paper

What data does Graydon hold about me?

Find answers to frequently asked questions below.

I want to know what personal information you have about me.

The information that Graydon has will include your contact information such as address, telephone number and email address, as well as annual reports, financial information on your organisation(s), relevant Ultimate Beneficial Owner (UBO’s) and directors data, and other related items. If you have any additional questions or concerns, please contact us.

How did Graydon get the information it has on me?

Graydon gathers and collects information on companies,  and individuals related to these companies. We also gather information from public sources such as Chamber of Commerce, government records, public registers, from our customers and other related sources. If you have any additional questions or concerns, please contact us.

You have information on me that is incorrect.

We aim to be a trusted partner in business and have the highest standards regarding the quality of our data. However, this does not guarantee a fault-free set of data. If the information that we have is incorrect, you can send us the correct information  to process, after we have validated it. Please send us the information.

I wish to be removed from your database.

Graydon has information on companies, UBO’s as well as relevant directors’ information. Under GDPR. we have legitimate ground to gather and process this data. You can find the details in our privacy statement. If you still feel that your privacy interests prevail over ours, please contact us.

I haven’t given Graydon consent to have or process information on me.

Graydon processes data based on our legitimate interest. The purpose of this processing is to enable businesses to manage their financial risks, protect them against fraud, know whom they are doing business with, meet compliance and regulatory obligations and better understand organisations, industries and markets they are operating with.
Processing personal data on this ground does not take place if the interests of the person whose data is being processed prevail. 
However, this needs to be proven and checked on a case-by-case basis. If you feel this is the case, please explain your concerns and provide us with any available proof or evidence to help speed up the processing of your request.

Other

For any other request, please be as detailed as possible so we can proceed and get back to you quickly and efficiently. We are conscious of the importance of privacy-related information, so please be assured that your query will be handled with discretion.

Contact details for our Data Protection Officer (DPO)

Data Protection Officer: 

Katleen Mertens 
dpo@graydon.nl
+32 (0)3 280 88 00

How to contact Graydon about GDPR

At Graydon, data and transparency are two of our main values. This is why we have developed this web page where we have gathered all the relevant information related to data privacy in relation to our business.

Do you have any questions or comments? Please don’t hesitate to contact us at: avg@graydon.nl.

In order to be able to process your request as quickly and efficiently as possible,  you will need to provide us with some details related to your request. Please indicate in your subject line the reason of your email (e.g. amendments to your information, request to be forgotten) and add relevant annexes when necessary.

In addition, we will have to identify you to ensure that we provide any personal data to the right person. For this we need a copy of your ID. Please make sure your BSN (Citizen Service Number) and photo are shielded.

Database Notification

Graydon collects data about companies registered in the Netherlands, to support our customers in growing their business, assessing customer and supplier risk, identifying fraud and ensuring compliance with new regulations. For more information, please download our notification letter below.

Download de digitale versie van deze brief

How did Graydon prepare for GDPR?

You can read our previous statement from this link

Privacy & personal data, how does it work?

Sign up to our newsletter