Creditsafe as a business has a requirement to collect data on businesses and their historical conduct in order to assess the creditworthiness of companies. Creditsafe provides its clients with data to allow them to make financials decisions and manage business risks. Personally Identifiable information (PII) which is handled by Creditsafe is only of those individuals who are directly connected to a business entity1. Creditsafe operates in a business to business (B2B) environment. Creditsafe has the PII of individuals either as part of an organization such as a director or as a sole trader where by the individual is the business. Creditsafe is only assessing the capability of the business entity to conduct and continue to conduct business and fulfil contracts based on current and historical performance. As such the type and quality of data provided to customers will not change after the introduction of GDPR. Where data collected by Creditsafe has been determined as unsuitable for use or does not appear to have appropriate consent this data will be deleted.
Legitimate interest to deliver information services GDPR Article 6:F permits the processing for the purposes of the legitimate interests pursued by the controller or by a third party. It further states that data-controllers can process personal data without given consent if there is genuine and legitimate reason. This can include commercial benefits, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The legitimate interest that Creditsafe operates under is that we are facilitating businesses to make risk based financial decisions in order to enable our clients to make better business and economic decisions. As such we also maintain the legitimate interest to make businesses aware of this capability.
Controller-controller relationship Creditsafe has many different product offerings that clients can choose from. Across the board, there is a varying degree of flexibility in how Creditsafe provides the services and the information that is selected by Creditsafe to provide the services. Creditsafe is using its own database to provide the services and can decide what else it uses the data for. In other words, Creditsafe will be acting as a data controller. This position will be covered in the standard Terms and Conditions. Creditsafe is acting as a data controller whenever it provides services to the client: Creditsafe is using its own data which it can decide what to do with; it has flexibility to decide how to carry out the task, what data to include and what is important in terms of compiling the report. This will mean that Creditsafe will be wholly responsible for all of its processing activities and must ensure that it only shares personal data when it is lawful to do so. To summarise, any data that Creditsafe provides comprised in our products and services will give rise to a controller to controller relationship with our customers for which no processing clauses are required. Despite there being a ‘controller to controller’ relationship with customers, Creditsafe includes the data protection clauses in our standard customer terms and conditions.
As a controller Creditsafe must ensure that it only shares personal data when it is lawful to do so and therefore Creditsafe sets out in the terms and conditions the framework for the sharing of personal data and an acknowledgment from the customer that in order to use our Services they must have a lawful basis for doing so. In the terms and conditions of Creditsafe there is a list of the reasons a customer can use our products. Some specific information services are: Search input The non-binding view of the DPA was that the search terms are irrelevant – the company owning the database was a data controller of the database and when it sent information to the customer by way of a report, the customer would become a data controller of that report. Therefore, it is a matter of whether or not you can lawfully share information in the first instance - the search terms are a red herring.
Data cleanse/ append and Trade Payment data Creditsafe is ‘controlling’ what corrections are being made to that data and what additional information/data is to be appended as part of the service and Creditsafe has the flexibility to decide how to carry out the task, we are most probably, a ‘controller’ of that data.