Graydon Privacy Statement
This is the Privacy Statement of Graydon Nederland B.V. and OpenCompanies B.V. (trading as GraydonGo) (hereinafter jointly and individually referred to as: ‘Graydon’ or ‘we’). This Privacy Statement is applicable to all Graydon services.
If you have registered a company in the Trade Register (Handelsregister) of the Dutch Chamber of Commerce (Kamer van Koophandel), or you are registered as a director, proxy, commissioner, or shareholder, Graydon receives the data about your new company or registration. You will have received a letter from us concerning the processing of your personal data, providing you with some relevant information. In this Privacy Statement, we will provide further explanation about how we process your personal data.
This Privacy Statement was most recently updated on: 28/05/2021.
Graydon: we stand for doing business safely
As you may know, Graydon is a business information specialist. We have over 130 years of experience with the supply of reliable business information to companies and governments. Graydon believes that transparency strengthens trust between business partners. If organisations have a clear picture of the opportunities available and the risks they may face, collaboration will arise, agreements will be made, and ideas will become reality.
Our mission is to filter large quantities of data that is available from various sources, in order to obtain and offer useful, but more importantly reliable, business information about all companies in the Netherlands, for the purpose of generating more trust between trade partners and contributing to efficient trade and economic traffic. Data about you and your company is also an important part of this. Based on the information from various sources, we generate valuable financial, and commercial business insights, which enable our clients to take even better business decisions.
The three types of Graydon solutions
To assist our clients with this, Graydon has created three different types of solutions: Credit Management (business and credit information), Risk & Compliance, and Market Information.
Credit Management gives our clients insights into which (potential) business relations they do business with and what the creditworthiness of that relation is. This solution offers our clients the opportunity to request a credit information report about your company and to offer your company, for example, more supplier credit based on that report, allowing your company to trade and grow faster. Our clients can also decide not to enter into a business relation with your company, or to discontinue an existing relation or to amend the conditions of your relationship, because based on your creditworthiness they anticipate certain risks.
Risk & Compliance gives our clients the opportunity to quickly and efficiently comply with laws and regulations, such as the Money Laundering and Financing of Terrorism Prevention Act or the Sanctions Act. This product offers the possibility to uniformly screen (potential) business relations, like customers or ultimate beneficial owners (UBOs), to avoid financial risks and reputation damage. When, based on the screening, our clients anticipate a risk they deem unacceptable, they may decide not to enter into a business relation with your company, or to discontinue an existing relation, because that relation would be in breach of their legal obligations.
Market Information gives our clients insights to help them set up their marketing campaigns more efficiently. This allows the target audience for marketing activities to be mapped based on geographic locations, allowing prospects to be approached more efficiently and effectively. It is then up to our clients whether or not to approach your company for marketing purposes, where, in doing so, they would then be required to comply with all applicable legislation and regulations, including the Telecommunications Act (Telecommunicatiewet) and the non-mailing-indicator of the Dutch Chamber of Commerce. You can always object to this processing, after which we will stop processing your personal data for these purposes.
What information do we process about you and your company?
Primarily, Graydon processes business information. Only where it concerns directors, proxies, commissioners, shareholders, and (small) independent traders, such as self-employed persons or sole traders without employees, this may also include personal data within the meaning of the General Data Protection Regulation (‘GDPR’). The same applies the moment the legal entity can be (directly or indirectly) traced back to a person, for example due to the name of the legal entity. See tables at the bottom of this page.
1. Who is the data controller for your personal data?
Graydon Nederland B.V. and OpenCompanies B.V. are the data controllers for your personal data within the framework of the Credit Management (business and credit information), Risk & Compliance, and Market Information products.
For some parts of its services, Graydon may be a data processor as well as a data controller. This applies, for example, to certain aspects of the “Risk & Compliance” service: if clients wish to perform a compliance check, they will be connected directly to a third party, which subsequently performs the compliance check. In this case, Graydon merely functions as the “connection” and is therefore considered a processor. The same applies for the “Credit Management” service: if clients wish to assess the creditworthiness of a person, they are redirected to a third party which subsequently performs the check. Here too, Graydon merely functions as the “connection” and is therefore considered a processor.
2. What personal data does Graydon collect?
Graydon supplies business information and insights into that information to its clients. To do this, relevant data is collected about all companies and organisations in the Netherlands (both legal entity companies and natural person companies).
Graydon processes the following personal data about you. See tables at the bottom of this page.
3. How does Graydon obtain your personal data?
Graydon uses various public and private sources to collect personal data.
Below you see from what public sources Graydon collects information.
- The Trade Register of the Dutch Chamber of Commerce, which has the legal duty to provide public data to any party who requests it;
- the public (insolvency, administration and receivership, and other) registers and (legal) decisions, as published at rechtspraak.nl;
- official publications and statements in the Dutch National Gazette (Staatscourant);
- websites such as Overheid.nl;
- foreign equivalents of the aforementioned sources.
Below you see from what non-public sources Graydon collects information.
- from you yourself, for example where it concerns information supplied by the relevant company itself, or data that have come into the public domain by virtue of their own activities. This includes, for example, the annual figures for your enterprise;
- Graydon clients and others who have a business or financial relationship with Graydon that is relevant for the purpose of the collection and processing of the data;
- Payment behaviour of your enterprise based on the payment experiences other organisations have had with your enterprise.
- other (commercial) parties Graydon does business with.
4. For what purposes and on what basis does Graydon process personal data?
Graydon is a so-called business information specialist. Business information specialists have existed for a long time – Graydon for over 130 years – and they provide business insights based on business and (business-related) personal data from various sources. As a business information specialist, Graydon fulfils an important role in economic traffic, by providing business information, Graydon helps its clients in the business world to estimate certain business-related risks, create new business opportunities, and comply with legal requirements and monitoring duties. Graydon’s aim, as such, is to help organisations to make business decisions based on accurate, reliable, and complete business information. In this way, Graydon contributes to the certainty and reliability of economic traffic and the development of a healthy economy.
Graydon processes data for the purpose of the following services:
Credit Management (business information)
Graydon supports companies and institutes in the area of credit risk management. For this purpose, Graydon processes business information, including (business-related) personal data, into credit information reports. Assisted by this information, our clients then make their own decisions about whether or not to engage in or continue a business relation and/or about how to manage the business relation/agreement, both in the quotation stage and in the invoicing stage. See table 1 at the bottom of this page for more information about the Credit Management product.
Risk & Compliance
Graydon supports companies and institutes in complying with their legal requirements or supervisory duties, which are imposed under various laws and regulations. For this purpose, Graydon processes business information, including personal data, into Risk & Compliance reports. Assisted by this information, our clients then make their own decisions about whether or not to engage in or continue a business relation. See table 2 at the bottom of this page for more information about the Risk & Compliance product.
Market Information (marketing information)
Graydon supports companies and institutes in the area of B2B market positioning, the acquisition of (new) insights into their own client portfolio, and into potential new clients. For this purpose, Graydon provides companies and institutes with business information, including personal data, for the benefit of their marketing activities. See table 3 at the bottom of this page for more information about the Market Information product.
Graydon relies on its ‘legitimate interest’ as the legal basis for processing data as part of its services. Click here for more information about this legal basis.
Graydon processes your personal data on the basis of its ‘legitimate interest’. In that event, the General Data Protection Regulation (hereinafter: ‘GDPR’) requires from Graydon, before it begins processing your personal data, that it carefully weighs up its legitimate interest, and thereby the interests of the services Graydon and its clients provide (being the reliability of the economic traffic and a safe way of doing business) on the one hand, and your basic rights and fundamental liberties as an entrepreneur concerning the protection of personal data, on the other hand.
In considering your interests, Graydon has looked at the possible consequences that the processing of your personal data might have for you. In doing so, Graydon has taken into account, among other things, the following:
- The nature of your personal data: Graydon processes only a limited amount of business-related personal data, such as your name, address, function title, date of birth, and, if available, phone number, e-mail address, and financial data (for example using the annual accounts for your company as published with the Dutch Chamber of Commerce). This data is predominantly obtained from public sources, such as the Trade Register of the Dutch Chamber of Commerce.
- How your personal data is being processed: Graydon exclusively processes personal data within a business context, for the performance of B2B activities. It supports companies and institutes in the area of credit risk management activities, by processing and providing information about companies, through a credit score, credit information report, or otherwise. This information, including personal data, is predominantly derived from public sources. Graydon merges this information and, in doing so, only selects that data which is required to compile accurate business information about your enterprise.
- Your privacy expectations: Because you are an enterprise, you participate in the economic traffic. Therefore, data about your enterprise is recorded in registers which, for transparency and reliability reasons, are accessible to everyone. In consequence, entrepreneurs can generally expect that this public data will be processed by, for example, business information specialists like Graydon, which, in that way, contribute to the security of the economic traffic and to a healthier economy.
In consideration of the above, we conclude that Graydon and our clients have a legitimate interest in the processing of your business-related personal data. If you would like to receive a detailed substantiation of Graydon’s legitimate interest, please contact us.
5. To what extent does Graydon use automated decision-making processes?
Graydon uses automated processing, including profiling, but does not make any decisions about the organisation.
Graydon uses automated processing to determine scores, such as a company’s credit score. This involves the automated processing of company data and/or business-related personal data as defined in chapter 2 of this Privacy Statement. These data are processed together with static and/or demographic data, to then have a calculation model with weighing factors applied to them in order to arrive at a score. Each of our models results in scores which, depending on the design of the model, express a level of probability, or a ‘chance that...’. That way, a score offers, for example, an indication of how likely it is that a company will continue its business activities, pays its invoices on time, receives credit, or whether there are specific risks in connection with the company.
Graydon does not take any decisions about an organisation but only flags any risks and opportunities for doing business with an organisation. For example, Graydon records credit scores in the reports it provides to its clients; the client has sole discretion to determine its risk appetite, Graydon states as much in the general terms and conditions and communicates this clearly to its clients as well.
Graydon enables clients to select prospects based on a wide variety of information. The selected prospects may be enriched with a credit score, but it is up to the clients to determine which companies they ultimately want to do business with.
6. Does Graydon share personal data with other parties?
Graydon shares data with other parties, such as clients and suppliers.
Graydon’s core activity is the collecting and processing of personal data for the supply of business information services (commercial personal data). Graydon supplies the business information it collects, including (business-related) personal data, to its clients. Those clients are companies and governments in the Netherlands. In addition, Graydon shares data with its affiliated entities in Belgium and the United Kingdom, and other parties Graydon collaborates with, such as foreign business information offices. As such, it may happen that a foreign business information office, for their foreign client, requests business information from Graydon about a company registered in the Netherlands.
7. Is any personal data being transferred to countries outside of the European Economic Area?
Graydon only provides personal data to a few clients outside of the European Economic Area (hereinafter: ‘EEA’) if, according to the European Commission, the country has an adequate level of data protection in place or if additional precautions have been implemented (standard contract terms) with these parties to ensure that your personal data is being protected in accordance with the GDPR standards.
8. How does Graydon protect your personal data?
The protection of the privacy and confidentiality of your personal data is very important to Graydon, as such Graydon ensures adequate technical and organisational measures are in place to secure personal data against very form of illegitimate processing, loss, and misuse.
Graydon works with a quality management system which guarantees a consistent service level that complies with the client’s requirements and applicable law and regulations.
Graydon Nederland B.V. was one of the first business information offices to be accredited with the ISO 9001 certificate. This shows that Graydon Nederland B.V. has implemented a quality management system that guarantees a consistent service level that complies with the client’s requirements and applicable legislation and regulations.
ISO 9001 is an international standard for quality management for the assessment of service orientation, transparency, and training and coaching of employees. Graydon Nederland B.V. is a clear example of a company where a culture of continuous quality improvement is part of the core of the organisation. The extensive audits that have been performed, show that Graydon Nederland B.V. scores above average in all areas.
Graydon strives for continuous quality improvement in its organisation. Graydon strives to be a market leader in this area. Therefore, Graydon has a strong focus on creating awareness and providing training to all of its employees. Graydon has implemented an active ICT security policy and Graydon Nederland B.V. is ISO 27001 certified. Moreover, Graydon has appointed a Security Manager for the entire Graydon Group who is tasked with ensuring that the security policy is complies with and who reports about the quality of the implementation.
9. How long does Graydon retain your personal data?
Graydon retains your personal data no longer than necessary to fulfil the purposes stated in this privacy statement, unless Graydon is required to retain your personal data by virtue of a legal requirement imposed on Graydon.
To ensure that your personal data is not retained any longer than necessary for the purposes stated in this statement, Graydon maintains a strict retention policy.
However, it may occur that we are required to retain your personal data longer, because of legal requirements imposed on us. Where our bookkeeping is concerned, documents, such as invoices for example, must be retained for a minimum of 7 years after the end of the financial year to which they pertain. If there is a dispute or (legal) procedure, ongoing or anticipated, we are also permitted to retain your personal data for a longer period of time. If you would like comprehensive clarification about the retention periods Graydon maintains, please contact us.
10. What rights do you have with regard to your personal data?
As a data subject, you have several rights, which you can exercise within the framework of our processing of your data:
- Right of access: you can ask Graydon to provide you with the personal data that is being stored by Graydon;
- Right of correction and right of removal: if the information contains errors, is incomplete, or is not relevant for the purpose for which it is processed, or otherwise conflicts with the legal requirement, you can request that Graydon corrects, supplements, or removes that personal data;
- Right of limitation of processing: to limit the processing of your personal data.
- Right of objection: objecting against the processing of your personal data; when your personal data is being used for direct marketing, you may object at any time against that processing. You also have the right to object against profiling.
- Right of transferability of data: the right to have your personal data transferred to another supplier that provides the same service. Because other suppliers make use of the same public sources, Graydon will not transfer that data.
Graydon makes every effort to ensure that your personal data is correct and up to date. If you wish to exercise your rights, you can submit a request with motivation of your interests to Graydon. You can send your request to Graydon: via e-mail: email@example.com or by post to: Graydon Nederland BV, f.a.o..: Service, Postbus 12525, 1100 AM in Amsterdam. For us to be able to identify you, we kindly request that you include a copy of your identity document. You may redact your BSN (NINo) and picture on that copy. We will respond to your request within one month.
More information about editing the copy of your identity document in such a way that it is safe to post can be found on this website.
11. Filing a complaint with the Autoriteit Persoonsgegevens
Your contentment is important to us. But even when we make every effort to achieve this, you may be dissatisfied. You can file a claim with the Dutch data protection watchdog, the Autoriteit Persoonsgegevens, if your complaint concerns the protection of your personal data. You can do this via this link.
13. How can I contact Graydon?
Would you like to know more about Graydon’s vision for privacy, or do you have a question or suggestion? You can contact us by e-mail: firstname.lastname@example.org, or by sending a letter to: Graydon Nederland BV, f.a.o..: Service, Postbus 12525, 1100 AM in Amsterdam.
This Privacy Statement may be updated from time to time. Therefore, we recommend that you regularly consult our Privacy Statement, to ensure you are informed of any changes.
14. Data Protection Officer
Graydon has appointed a designated Data Protection Officer (hereinafter: ‘DPO’). The DPO is tasked with ensuring Graydon’s compliance with the privacy legislation and regulations and is the contact person for the Autoriteit Persoonsgegevens. If you want to contact the DPO, you can send an e-mail to: email@example.com.
15. VVZBI Privacy Code of Conduct
Graydon is a member of the Association for business B2B Information [Vereniging voor zakelijke B2B informatie] (VVZBI). Together we guarantee legal certainty in economic dealings. As an association, we have a Privacy Code of Conduct to which we and the other members fully comply. Read the Privacy Code of Conduct here (only in Dutch).