Database Privacy Notice
If your name appears as a company officer in one of our lists, this is the notice that applies to you. It explains where we got your data, why we hold it, who we share it with, how long we keep it, and — importantly — how to object to your data being used for direct marketing, which you can do at any time, for free, and we must stop.
This is the standalone UK GDPR Article 14 notice for individuals whose personal data appears in our lists. For information about how we handle the personal data of website visitors and customers more generally, please see our main Privacy Policy.
1. Introduction and our GDPR/PECR position
This is the transparency notice required by Article 14 of the UK GDPR for individuals — typically company owners, directors and other officers — whose personal data CompanyLists has obtained from public and other sources (i.e. not directly from the individual), and compiles and supplies in its lists.
Because we did not collect this data from you directly, the law requires us to bring this information to your attention. We do this by publishing this notice as a standalone, prominently-linked page (not buried in our terms), and, where feasible, by notifying individuals directly (see the section on when and how we tell you, below).
Who we are and how to reach us
The controller is Team Dimensions Ltd (company number 08348964), registered office Walden House, Foxcombe Road, Oxford, OX1 5DL.
- Contact, and the route to object or exercise your rights: [email protected] (and any self-service objection form linked from this page).
What we do, in plain terms
CompanyLists is a business-to-business data provider (a data broker). We compile and maintain a database of UK companies and their officers from public sources, and we license (we do not "sell" outright) extracts of that database to business customers for their own B2B marketing and prospecting.
For how we build, enrich and maintain the database, and for our own marketing of the database, CompanyLists is the controller. When a business customer buys a list from us, that customer becomes an independent controller of the data in their copy of the list, responsible for their own compliance from the moment they receive it. We and our customers are separate, independent controllers — never a controller-and-processor relationship.
2. Categories of officer personal data we process
For the individuals in our lists, we may hold:
- Name of the officer / owner / director;
- Role / position held (e.g. director, secretary, person with significant control);
- Age (a demographic data point derived from public records);
- Business email address — where available;
- Business telephone number — where available;
- Company associations (the company or companies the individual is connected to) and the registered or correspondence address associated with that role.
We do not process special-category data (such as health, ethnicity, political opinions, religion, or biometric data) and we do not process criminal-offence data (for example, we do not include director-disqualification status) in our lists. The personal data we hold is business-capacity contact and association data, plus the limited demographic data point of age attached to the named officer.
Contact fields are partial. Approximately 75% of records carry an email address and approximately 67% carry a phone number; many records have neither, or only one. Where a field is blank, it simply means we do not hold that data point for that individual.
3. Where we obtained the data (Article 14 source disclosure)
We obtain officer personal data from the following specific, publicly accessible sources:
- the Companies House public register;
- filed statutory accounts (as published at Companies House);
- ownership / Person with Significant Control (PSC) records (as published at Companies House);
- published website and contact data (for example, contact details a business has itself made public on its own website).
These are publicly accessible sources. We name them here because Article 14 requires us to tell you the source of the data and to confirm whether it came from publicly accessible sources.
Open Government Licence and personal data
Contains public sector information licensed under the Open Government Licence v3.0.
(nationalarchives.gov.uk/doc/open-government-licence/version/3)
The Open Government Licence v3.0 lets us re-use Companies House public-sector information. Importantly, the OGL does not license personal data — it expressly excludes it. We therefore do not rely on the OGL as our basis for processing personal data. Our basis for processing the personal data of officers is the UK GDPR and PECR, satisfied independently as set out in the next section.
We do not use any data from the Financial Conduct Authority (FCA) Register in our lists.
4. Purposes and lawful basis (legitimate interests + LIA)
Our purposes
We process officer personal data to:
- compile and maintain an accurate, up-to-date B2B prospecting database of UK companies and their officers;
- profile and enrich company records (for example, adding financial, growth and ownership signals at company level, and segmenting records by sector, region and size); and
- license and supply lists drawn from that database to our business customers.
Lawful basis: legitimate interests
Our lawful basis for processing this personal data is legitimate interests under Article 6(1)(f) of the UK GDPR. We rely on legitimate interests — not consent and not contract.
We have carried out, and keep on file, a documented Legitimate Interests Assessment (LIA) applying the three-part test:
- Purpose test — there is a genuine, legitimate interest in providing accurate, lawful B2B business-contact data to other businesses;
- Necessity test — processing this limited, business-capacity data is a reasonable and proportionate way to achieve that purpose; and
- Balancing test — that interest is not overridden by the interests, rights or freedoms of the individuals concerned.
The dual legitimate interest is (a) our commercial interest in compiling and supplying accurate B2B data, and (b) our business customers' interest in finding relevant business prospects. We consider this falls within the reasonable expectations of people who hold a public office in a UK company. The downstream direct-marketing purpose for which our customers use the data is a purpose that Recital 47 of the UK GDPR recognises may be carried out for a legitimate interest; our own legitimate interest in compiling and supplying the data rests on the documented LIA described above, not on Recital 47 alone. The processing is proportionate and low-impact: it concerns business-capacity data only (plus the limited demographic data point of age), involves no special-category data and no criminal-offence data, and is used for B2B purposes.
DPIA
Because this involves data-broking and large-scale processing of personal data obtained from public sources, we have carried out a documented Data Protection Impact Assessment (DPIA), which we keep on file and review periodically. The DPIA records the risks we identified and the measures we use to reduce them (including the suppression and objection mechanisms described below).
5. Recipients — who we share the data with (stated upfront)
We want to be clear and upfront about this, because it matters to you: the personal data in our database is licensed and supplied to our business customers, so that they can carry out their own B2B marketing and prospecting. This onward supply is the core of what we do. We are not hiding it in dense small print.
The recipients of officer personal data are:
- Our business customers / licensees — organisations that buy a list. They receive the data as a CSV and use it for their own B2B marketing and prospecting. They become independent controllers and are contractually required to comply with UK GDPR and PECR (including TPS/CTPS screening, their own Article 14 transparency, and honouring objections). They are not permitted to resell or redistribute the data.
- Our processors, who act on our instructions only, including:
  - hosting and infrastructure providers (to store and serve the database and the site);
  - email and file-delivery providers (to deliver CSV lists and communications); and
  - Stripe (for payment processing in respect of the customer who buys the list — Stripe acts as our processor to that extent and as an independent controller for its own fraud-prevention and regulatory purposes).
We share data with these recipients only for the purposes set out above, and we keep these categories of recipient under review. Where we can identify recipients more specifically on request, we will.
6. International transfers, retention and re-verification
International transfers
We aim to host and process personal data within the UK or the European Economic Area wherever practicable. Some of our processors (for example, certain hosting, analytics or payment providers such as Stripe) may process data outside the UK. Where they do, we ensure an appropriate safeguard is in place — UK adequacy regulations, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs) — together with any additional measures needed. You can ask us for details of the safeguards, and how to obtain a copy, by emailing [email protected].
Retention and re-verification cycle
We apply the storage-limitation principle and do not keep data indefinitely without review:
- We refresh our records against the public sources approximately every 6 months, so that the data we hold and supply stays accurate and current.
- A record is removed when the individual is no longer on the public register in the relevant capacity (for example, on resignation as a director that is reflected at Companies House), or where it can no longer be verified against a current public source — we retain records only for so long as is necessary to keep the database accurate, and no longer.
How suppression interacts with retention
If you object or ask not to be contacted, we suppress your record. Crucially, a suppressed record is kept on a do-not-contact / suppression list precisely so that your objection is permanently honoured — this prevents your details being re-introduced and re-supplied at the next refresh from the public sources. In other words, we retain the minimum information needed to make sure you are not contacted again. You can ask us to erase rather than suppress (see the next section), and we will explain the trade-off if erasure would risk re-introduction.
7. Your rights — and your absolute right to object to direct marketing
Your rights
You have the right to:
- access the personal data we hold about you;
- have it rectified (corrected) if it is wrong;
- have it erased in the circumstances allowed by law;
- restrict our processing of it;
- object to our processing (see below); and
- data portability where it applies.
To exercise any of these, email [email protected] (or use any self-service form linked from this page). We will respond within one month, free of charge in the usual case.
Your absolute right to object to direct marketing (Article 21)
You can object to your personal data being used for direct marketing at any time, and we must stop. This is an absolute right — there is no balancing test and we do not need any further justification from you.
If you object to direct marketing, or ask not to be contacted:
- we will stop processing your data for marketing purposes;
- we will suppress your record so that it is never re-supplied to a customer; and
- we will treat this as the highest priority.
A fast, free route, always open to receive your request: simply email [email protected] with "object" or "do not contact", or use the objection form linked from this page. We commit to actioning marketing objections within five (5) working days and in any event within one month, and to recording your objection so it is permanently respected. In most cases we will suppress (rather than necessarily erase) your record, marked clearly so it is never re-supplied — but you can ask for erasure instead.
When and how we tell you (Article 14(3)), and our belt-and-braces approach
In line with Article 14(3), where we notify individuals directly we do so within a reasonable period after obtaining the data and at the latest within one month, or — if earlier — at the point the data is first disclosed to a customer or other recipient.
We do not rely on the published notice alone. Our posture is:
- this public Article 14 notice is available as a standalone, directly-linked page; plus
- where feasible, we notify individuals directly about the processing, within the Article 14(3) timeframe above.
Where direct notification to every individual would involve disproportionate effort (which can be the case for large-scale processing of public-register data), we may rely on the Article 14(5)(b) exemption — but only on the basis of a documented assessment and our DPIA, and we publish this notice regardless, so that the processing is never "invisible". If you would like a copy of the assessment supporting any reliance on that exemption, ask us.
8. Profiling, PECR statement, and complaints
Profiling and automated decisions
We carry out limited profiling in the sense of segmenting and enriching company records (for example, by sector, region, size, financial and growth signals) so that our lists are relevant. The supplied record nonetheless includes a limited personal demographic (age) attached to the named officer; this is included as a business-capacity data point and is not used to profile or make decisions about you as an individual. We do not make solely-automated decisions that produce legal effects, or similarly significant effects, about individuals. The profiling we carry out is at the level of business records and is used to organise and present the database; it is not used to make automated decisions about you personally.
PECR statement (electronic and telephone marketing)
PECR distinguishes between corporate subscribers (limited companies and LLPs) and individual subscribers (which includes sole traders and non-LLP partnerships), and these rules apply to our business customers when they use a list:
- Our customers must carry out their own TPS and CTPS screening before making marketing calls, and must re-screen in line with the rules (calls require screening against the TPS/CTPS, and lists should be re-screened — at least every 28 days — before each calling campaign).
- Our customers must not send electronic marketing (email/SMS) to sole traders or non-LLP partnerships without an appropriate basis; the PECR soft opt-in is generally not available for cold, compiled or public-source data, so consent is usually required for those individual subscribers.
- Every marketing message our customers send must identify the sender and give a simple, free opt-out, and they must honour and record opt-outs.
For our part, CompanyLists screens and handles objections and do-not-contact requests at source (see the sections on retention and on your rights, above), and we flow these PECR duties down to our customers by contract in our Terms of Sale & Licence and Acceptable Use Policy.
Complaints
If you have a concern about how we handle your personal data, please contact us first at [email protected] so we can try to put it right. You also have the right to complain to the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113 — ico.org.uk
Changes to this notice
We may update this Database Privacy Notice from time to time. We will change the version and last-updated date at the top, and, for material changes affecting listed individuals, we will reflect them in this published standalone notice. This document is Version 1.0 (draft), last updated TODO — [EFFECTIVE DATE].