Data policy
Updated 2nd October 2023
PART 1
1. GDPR
We need to make sure that your and our processing of the BizCrunch Data complies with the requirements of the General Data Protection Regulation (EU) 2016/679 (the “EU GDPR“), the EU GDPR as incorporated into UK national law by virtue of the European (Withdrawal) Act 2018 (the “UK GDPR“) and the Data Protection Act 2018.
This Policy, together with our Terms and Privacy Policy, form part of your Subscription Order. It comprises a set of terms to support the assessment that our sharing of BizCrunch Data with you is in your and our legitimate interests and does not unduly prejudice the rights and freedoms of individuals to whom the Platform Personal Data relates. If you have any questions about it, please email our Data Protection Officer at dpo@bizcrunch.co
1.1. Definitions: In this Data Policy, the following terms shall have the following meanings (any definitions not found here will be in the main Terms):
(a) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, UK Data Protection Law, the EU GDPR and the EU e-Privacy Directive (Directive 2002/58/EC).
(b) “clause” means a clause of this Data Policy.
(c) “controller“, “processor“, “data subject“, “processing” (and “process”) and “special categories of data” shall have the meanings given in UK Data Protection Law as may be amended from time to time.
(d) “Data Usage” is outlined in Part 3 of this Data Policy which determines the extent of your usage rights in relation to BizCrunch Data, including Platform Personal Data.
(e) “GDPR” means the EU GDPR and the UK GDPR.
(f) “Party” means you or BizCrunch, as party to a Subscription Order comprising the BizCrunch Terms and this Data Policy.
(g) “Permitted Purpose” is as defined in clause 1.2 below.
(h) “personal data” means any information relating to an identified or identifiable natural person (a data subject). This is one who can be identified, directly or indirectly, in particular by reference to an identifier.
(i) “Platform Personal Data” is any personal data made available to you via the BizCrunch Platform, as further described in Annex I below.
(j) “UK Data Protection Law” means:
(i) the UK GDPR;
(ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003); and
(iii) the Data Protection Act 2018.
1.2. Disclosure of data: BizCrunch will make available to you via the BizCrunch Platform certain personal data as further described in Annex I (the Platform Personal Data) to process strictly in accordance with the Data Usage Tier outlined in your Subscription (and subject to any restrictions outlined in Part 3) or as otherwise agreed in writing between BizCrunch and you (the “Permitted Purpose“).
1.3. Relationship of the parties: You acknowledge that BizCrunch is a controller of the Platform Personal Data made available via the BizCrunch Platform, and that you will process the Platform Personal Data as a separate and independent controller strictly for the Permitted Purpose. In no event will BizCrunch and You process the Platform Personal Data as joint controllers.
1.4. Legitimate Interests: The Parties acknowledge that for the purposes of UK Data Protection Law, the legal basis on which BizCrunch will facilitate access by you to the Platform Personal Data is the legitimate interests pursued by BizCrunch in building and operating its business of providing data insights into UK companies as well as those pursued by the Subscribing Organisation which may wish to invest in or acquire such companies.
1.5. Compliance with law: Each of BizCrunch and you shall be separately responsible for complying with the obligations that apply to it as a controller under Applicable Data Protection Law.
1.6. Prohibited data: We shall not disclose any special categories of personal data to you for processing.
1.7. International transfers: Transfer of Platform Personal Data occurs whenever a User accesses the BizCrunch Platform.
Subscribing Organisation based in the EEA/UK: you shall not transfer the Platform Personal Data (nor permit the Platform Personal Data to be transferred) outside of the European Economic Area (“EEA“) and/or the United Kingdom (“UK“) unless you take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
Subscribing Organisation based outside the EEA/UK: If you are based outside the EEA/UK in a country that has not been deemed as ensuring adequate data protection within the meaning of Article 45 of the GDPR, you agree that the Standard Contractual Clauses (2021/914/EC) Module 1 (“Standard Contractual Clauses“) and the ICO’s UK Addendum to the Standard Contractual Clauses (“UK Addendum“) shall be incorporated by reference into your Subscription Order. For the purposes of populating the Appendices to the Standard Contractual Clauses and UK Addendum, the required information will be as set out in the Annexes to this Data Policy. In the event of any conflict between the Data Policy and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. In the event of any conflict between the Data Policy and the UK Addendum, the UK Addendum shall prevail.
For the purposes of Clause 11 of the Standard Contractual Clauses (“Redress”), the optional Clause (which reads as follows: “The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.”) is hereby deleted.
For the purposes of Clause 17 of the Standard Contractual Clauses (“Governing law”), the parties agree that this shall be the law of Ireland.
For the purposes of Clause 18 of the Standard Contractual Clauses (“Choice of forum and jurisdiction”), the parties agree that those shall be the courts of Ireland.
For the purposes of Clause 17 of the UK Addendum, the parties agree that the Approved Addendum (as defined in the UK Addendum) shall be populated by reference to this Data Policy and its Annexes and that any changes in formatting (including for the avoidance of doubt with respect to Part 1: Tables) shall not adversely affect the validity of the Subscription Order or the compliance with Applicable Data Protection Law of any international transfers of personal data made thereunder. The parties hereby acknowledge and agree that any such formatting changes do not reduce the standard of Appropriate Safeguards (as defined in the UK Addendum) provided.
For the purposes of Clause 19 of the UK Addendum, the parties agree that the Exporter shall be entitled to terminate the Addendum by providing written notice of the same to the Importer.
1.8. Security: You shall implement appropriate technical and organisational measures to protect the Platform Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Platform Personal Data (a “Security Incident“). Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
1.9. Subcontracting: You shall not allow access to Platform Personal Data to any person outside the Subscribing Organisation without our prior written consent, and even if such consent is given, restrictions must be adhered to (see Part 3).
1.10. Cooperation: In the event that either Party receives any correspondence, enquiry or complaint from a data subject, regulator or other third party (“Correspondence“) related to (a) the disclosure of the Platform Personal Data by BizCrunch to you for the Permitted Purpose; or (b) processing of the Platform Personal Data by the other Party or by a Client of a Subscribing Organisation, it shall promptly inform the other Party giving full details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Law.
1.11. Security incidents: Upon becoming aware of a Security Incident, you shall inform us without undue delay and within a maximum period of 48 hours. You shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep us informed of all developments in connection with the Security Incident. Each Party agrees to provide reasonable assistance to the other to facilitate the handling of any Security Incident in an expeditious and compliant manner.
1.12. Deletion of Platform Personal Data: Further to paragraph 11.3 of the Terms, upon termination or expiry of this Agreement, you shall destroy all Platform Personal Data (including all copies of the Platform Personal Data) in your possession or control (including any Platform Personal Data disclosed to a third party outside the Subscribing Organisation, if your Data Tier permits such disclosure or we have consented to such disclosure). This requirement shall not apply to the extent that you are required by any EU (or any EU Member State) law or UK law to retain some or all of the Platform Personal Data, in which event you shall securely isolate and protect the Platform Personal Data from any further processing except to the extent required by such law. For the avoidance of doubt, this clause 1.12 shall not apply to Platform Personal Data which is processed by you in connection with you entering into a direct relationship with a company on the BizCrunch Platform for investment or acquisition purposes, or the provision of professional services (including in the context of any enquiries by the company in respect of such investment or services).
1.13. Audit: Should we have reasonable cause, you shall permit us (or our appointed third party auditors) to audit your compliance with this Data Policy, and shall make available to us all information, systems and staff necessary for us (or our third party auditors) to conduct such audit.
PART 2
2. USE OF EMAIL ADDRESSES OBTAINED FROM THE BIZCRUNCH PLATFORM
We provide business email addresses on the BizCrunch Platform so that you can directly approach the individuals to whom those business email addresses relate. Since the communication (by whatever means) of advertising or marketing material directed to particular individuals is defined as “direct marketing” (even if you are not explicitly selling something), you must be compliant with any applicable rules pertaining to email marketing, as well as Applicable Data Protection Law. Further, to enable us to support the assessment that the disclosure of such email addresses to you (and your subsequent use of those email address) is not unduly prejudicial to the rights and freedoms of the individuals to whom the email addresses relate, you must comply with each of the requirements below.
2.1. You are forbidden from using email addresses from the BizCrunch Platform to email more than 5 people in a single send (“Mailshots”). This is to ensure that any contact that you make is direct and deliberate, and you must ensure that this is the case. Further, if you have not received a response, you shall not contact an individual more than 4 times and you shall ensure that there is at least 4 days interval between one email to an individual and the next email to the same individual.
2.2. You must identify yourself in any email you send and include contact details, ideally a postal address, active email address, and a phone number.
2.3. You must include in each email a clear and simple way for anyone you email to opt out of your communications.
2.4. If someone objects to or opts out of your marketing, you must immediately add them to a ‘do not contact’ list and stop communications with them. You must screen all your marketing against this list to make sure you don’t contact anyone who has opted out.
2.5. You must ensure that you are fully compliant with any Applicable Data Protection Laws, including where applicable European Directive 2002/58/EC, also known as ‘the e-privacy Directive’ (and any and all applicable national data protection laws made under or pursuant to such Directive). It is your responsibility to keep up to date with any changes in the law, in particular following the introduction of the proposed new e-Privacy Regulation, which is due to replace European Directive 2002/58/EC.
PART 3
3. DATA USAGE RIGHTS
Access to the BizCrunch Platform is limited as set out below. You may not access or use the BizCrunch Platform and / or the BizCrunch Data or permit any Data User to access or use the BizCrunch Platform or the BizCrunch Data in breach of the Data Usage set out below.
3.1. User Use Only
Individual Users may use BizCrunch Data, including any Platform Personal Data, subject to the following restrictions:
(a) You must ensure that Platform Personal Data is only used and shared in a manner which is compliant with Applicable Data Protection Law;
(b) Only a User may access BizCrunch Data on the BizCrunch Platform and each User may only share or make available BizCrunch Data with other active Users on Your Subscription. These rights are subject to the Terms, so where any Subscribed Teams are identified in the Subscription Summary, BizCrunch Data may not be accessed, used, shared or made available by or with anyone outside of such Subscribed Teams.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: Biz Crunch Ltd
Address: 86-90 Paul Street, London, England, United Kingdom, EC2A 4NE
Official registration number: 14268311
Contact person and contact details: Data Protection Officer, dpo@bizcrunch.co
Activities relevant to the data transferred under these Clauses: Provision of BizCrunch Data via the BizCrunch Platform
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
2. Name: As set out in the Subscription Summary
Address: As set out in the Subscription Summary
Contact person’s name, position and contact details: As set out in the Subscription Summary
Activities relevant to the data transferred under these Clauses: Provision of BizCrunch Data via the BizCrunch Platform
Signature and date: Set out in signature block below
Role (controller/processor): Controller
B. DESCRIPTION OF DATA ACCESSED VIA THE BIZCRUNCH PLATFORM
Data subjects
The Platform Personal Data accessed concern the following categories of data subjects:
Directors, shareholders and employees of companies on the platform, and individuals involved in companies included within the BizCrunch Platform.
Categories of data
The Platform Personal Data accessed concern the following categories of data:
Details pertaining to businesses on the BizCrunch Platform, including but not limited to: names, business contact details (business email address, business telephone number), job title, details of shareholdings, and details of company directorships.
Sensitive data (if appropriate)
The Platform Personal Data accessed do not concern any categories of sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous basis.
Nature of the processing
Collection, recording, structuring, organisation, retrieval and access.
Purposes of the transfer(s)
Access is for the following purpose:
To facilitate usage by the Subscribing Organisation in accordance with the Data Usage identified in its Subscription Summary and further described in Part 3 of the Data Policy.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
For the duration of this Subscription Order.
Recipients
Subject always to the provisions of this Subscription Order, the Platform Personal Data accessed may be disclosed only to the following recipients or categories of recipients:
Subscribing Organisation: Users (as defined in the Subscription Order) duly authorised by the Subscribing Organisation to have access to BizCrunch Data for the Permitted Purpose and employees at a Subscribing Organisation if the Subscribing Organisation is on Data Tiers 1, 2 or 3
Public bodies and law enforcement authorities: Duly authorized staff at public bodies and law enforcement authorities who make enquiries of the Subscribing Organisation in accordance with applicable law.
C. COMPETENT SUPERVISORY AUTHORITY
As set out in Clause 13 of the Standard Contractual Clauses.
Data protection registration information of BizCrunch (where applicable)
Information Commissioner Registration Number for Biz Crunch Ltd (trading as BizCrunch): ZB610698
Contact points for data protection enquiries
Email: dpo@bizcrunch.co
PART 1
1. GDPR
We need to make sure that your and our processing of the BizCrunch Data complies with the requirements of the General Data Protection Regulation (EU) 2016/679 (the “EU GDPR“), the EU GDPR as incorporated into UK national law by virtue of the European (Withdrawal) Act 2018 (the “UK GDPR“) and the Data Protection Act 2018.
This Policy, together with our Terms and Privacy Policy, form part of your Subscription Order. It comprises a set of terms to support the assessment that our sharing of BizCrunch Data with you is in your and our legitimate interests and does not unduly prejudice the rights and freedoms of individuals to whom the Platform Personal Data relates. If you have any questions about it, please email our Data Protection Officer at dpo@bizcrunch.co
1.1. Definitions: In this Data Policy, the following terms shall have the following meanings (any definitions not found here will be in the main Terms):
(a) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, UK Data Protection Law, the EU GDPR and the EU e-Privacy Directive (Directive 2002/58/EC).
(b) “clause” means a clause of this Data Policy.
(c) “controller“, “processor“, “data subject“, “processing” (and “process”) and “special categories of data” shall have the meanings given in UK Data Protection Law as may be amended from time to time.
(d) “Data Usage” is outlined in Part 3 of this Data Policy which determines the extent of your usage rights in relation to BizCrunch Data, including Platform Personal Data.
(e) “GDPR” means the EU GDPR and the UK GDPR.
(f) “Party” means you or BizCrunch, as party to a Subscription Order comprising the BizCrunch Terms and this Data Policy.
(g) “Permitted Purpose” is as defined in clause 1.2 below.
(h) “personal data” means any information relating to an identified or identifiable natural person (a data subject). This is one who can be identified, directly or indirectly, in particular by reference to an identifier.
(i) “Platform Personal Data” is any personal data made available to you via the BizCrunch Platform, as further described in Annex I below.
(j) “UK Data Protection Law” means:
(i) the UK GDPR;
(ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003); and
(iii) the Data Protection Act 2018.
1.2. Disclosure of data: BizCrunch will make available to you via the BizCrunch Platform certain personal data as further described in Annex I (the Platform Personal Data) to process strictly in accordance with the Data Usage Tier outlined in your Subscription (and subject to any restrictions outlined in Part 3) or as otherwise agreed in writing between BizCrunch and you (the “Permitted Purpose“).
1.3. Relationship of the parties: You acknowledge that BizCrunch is a controller of the Platform Personal Data made available via the BizCrunch Platform, and that you will process the Platform Personal Data as a separate and independent controller strictly for the Permitted Purpose. In no event will BizCrunch and You process the Platform Personal Data as joint controllers.
1.4. Legitimate Interests: The Parties acknowledge that for the purposes of UK Data Protection Law, the legal basis on which BizCrunch will facilitate access by you to the Platform Personal Data is the legitimate interests pursued by BizCrunch in building and operating its business of providing data insights into UK companies as well as those pursued by the Subscribing Organisation which may wish to invest in or acquire such companies.
1.5. Compliance with law: Each of BizCrunch and you shall be separately responsible for complying with the obligations that apply to it as a controller under Applicable Data Protection Law.
1.6. Prohibited data: We shall not disclose any special categories of personal data to you for processing.
1.7. International transfers: Transfer of Platform Personal Data occurs whenever a User accesses the BizCrunch Platform.
Subscribing Organisation based in the EEA/UK: you shall not transfer the Platform Personal Data (nor permit the Platform Personal Data to be transferred) outside of the European Economic Area (“EEA“) and/or the United Kingdom (“UK“) unless you take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
Subscribing Organisation based outside the EEA/UK: If you are based outside the EEA/UK in a country that has not been deemed as ensuring adequate data protection within the meaning of Article 45 of the GDPR, you agree that the Standard Contractual Clauses (2021/914/EC) Module 1 (“Standard Contractual Clauses“) and the ICO’s UK Addendum to the Standard Contractual Clauses (“UK Addendum“) shall be incorporated by reference into your Subscription Order. For the purposes of populating the Appendices to the Standard Contractual Clauses and UK Addendum, the required information will be as set out in the Annexes to this Data Policy. In the event of any conflict between the Data Policy and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. In the event of any conflict between the Data Policy and the UK Addendum, the UK Addendum shall prevail.
For the purposes of Clause 11 of the Standard Contractual Clauses (“Redress”), the optional Clause (which reads as follows: “The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.”) is hereby deleted.
For the purposes of Clause 17 of the Standard Contractual Clauses (“Governing law”), the parties agree that this shall be the law of Ireland.
For the purposes of Clause 18 of the Standard Contractual Clauses (“Choice of forum and jurisdiction”), the parties agree that those shall be the courts of Ireland.
For the purposes of Clause 17 of the UK Addendum, the parties agree that the Approved Addendum (as defined in the UK Addendum) shall be populated by reference to this Data Policy and its Annexes and that any changes in formatting (including for the avoidance of doubt with respect to Part 1: Tables) shall not adversely affect the validity of the Subscription Order or the compliance with Applicable Data Protection Law of any international transfers of personal data made thereunder. The parties hereby acknowledge and agree that any such formatting changes do not reduce the standard of Appropriate Safeguards (as defined in the UK Addendum) provided.
For the purposes of Clause 19 of the UK Addendum, the parties agree that the Exporter shall be entitled to terminate the Addendum by providing written notice of the same to the Importer.
1.8. Security: You shall implement appropriate technical and organisational measures to protect the Platform Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Platform Personal Data (a “Security Incident“). Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
1.9. Subcontracting: You shall not allow access to Platform Personal Data to any person outside the Subscribing Organisation without our prior written consent, and even if such consent is given, restrictions must be adhered to (see Part 3).
1.10. Cooperation: In the event that either Party receives any correspondence, enquiry or complaint from a data subject, regulator or other third party (“Correspondence“) related to (a) the disclosure of the Platform Personal Data by BizCrunch to you for the Permitted Purpose; or (b) processing of the Platform Personal Data by the other Party or by a Client of a Subscribing Organisation, it shall promptly inform the other Party giving full details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Law.
1.11. Security incidents: Upon becoming aware of a Security Incident, you shall inform us without undue delay and within a maximum period of 48 hours. You shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep us informed of all developments in connection with the Security Incident. Each Party agrees to provide reasonable assistance to the other to facilitate the handling of any Security Incident in an expeditious and compliant manner.
1.12. Deletion of Platform Personal Data: Further to paragraph 11.3 of the Terms, upon termination or expiry of this Agreement, you shall destroy all Platform Personal Data (including all copies of the Platform Personal Data) in your possession or control (including any Platform Personal Data disclosed to a third party outside the Subscribing Organisation, if your Data Tier permits such disclosure or we have consented to such disclosure). This requirement shall not apply to the extent that you are required by any EU (or any EU Member State) law or UK law to retain some or all of the Platform Personal Data, in which event you shall securely isolate and protect the Platform Personal Data from any further processing except to the extent required by such law. For the avoidance of doubt, this clause 1.12 shall not apply to Platform Personal Data which is processed by you in connection with you entering into a direct relationship with a company on the BizCrunch Platform for investment or acquisition purposes, or the provision of professional services (including in the context of any enquiries by the company in respect of such investment or services).
1.13. Audit: Should we have reasonable cause, you shall permit us (or our appointed third party auditors) to audit your compliance with this Data Policy, and shall make available to us all information, systems and staff necessary for us (or our third party auditors) to conduct such audit.
PART 2
2. USE OF EMAIL ADDRESSES OBTAINED FROM THE BIZCRUNCH PLATFORM
We provide business email addresses on the BizCrunch Platform so that you can directly approach the individuals to whom those business email addresses relate. Since the communication (by whatever means) of advertising or marketing material directed to particular individuals is defined as “direct marketing” (even if you are not explicitly selling something), you must be compliant with any applicable rules pertaining to email marketing, as well as Applicable Data Protection Law. Further, to enable us to support the assessment that the disclosure of such email addresses to you (and your subsequent use of those email address) is not unduly prejudicial to the rights and freedoms of the individuals to whom the email addresses relate, you must comply with each of the requirements below.
2.1. You are forbidden from using email addresses from the BizCrunch Platform to email more than 5 people in a single send (“Mailshots”). This is to ensure that any contact that you make is direct and deliberate, and you must ensure that this is the case. Further, if you have not received a response, you shall not contact an individual more than 4 times and you shall ensure that there is at least 4 days interval between one email to an individual and the next email to the same individual.
2.2. You must identify yourself in any email you send and include contact details, ideally a postal address, active email address, and a phone number.
2.3. You must include in each email a clear and simple way for anyone you email to opt out of your communications.
2.4. If someone objects to or opts out of your marketing, you must immediately add them to a ‘do not contact’ list and stop communications with them. You must screen all your marketing against this list to make sure you don’t contact anyone who has opted out.
2.5. You must ensure that you are fully compliant with any Applicable Data Protection Laws, including where applicable European Directive 2002/58/EC, also known as ‘the e-privacy Directive’ (and any and all applicable national data protection laws made under or pursuant to such Directive). It is your responsibility to keep up to date with any changes in the law, in particular following the introduction of the proposed new e-Privacy Regulation, which is due to replace European Directive 2002/58/EC.
PART 3
3. DATA USAGE RIGHTS
Access to the BizCrunch Platform is limited as set out below. You may not access or use the BizCrunch Platform and / or the BizCrunch Data or permit any Data User to access or use the BizCrunch Platform or the BizCrunch Data in breach of the Data Usage set out below.
3.1. User Use Only
Individual Users may use BizCrunch Data, including any Platform Personal Data, subject to the following restrictions:
(a) You must ensure that Platform Personal Data is only used and shared in a manner which is compliant with Applicable Data Protection Law;
(b) Only a User may access BizCrunch Data on the BizCrunch Platform and each User may only share or make available BizCrunch Data with other active Users on Your Subscription. These rights are subject to the Terms, so where any Subscribed Teams are identified in the Subscription Summary, BizCrunch Data may not be accessed, used, shared or made available by or with anyone outside of such Subscribed Teams.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: Biz Crunch Ltd
Address: 86-90 Paul Street, London, England, United Kingdom, EC2A 4NE
Official registration number: 14268311
Contact person and contact details: Data Protection Officer, dpo@bizcrunch.co
Activities relevant to the data transferred under these Clauses: Provision of BizCrunch Data via the BizCrunch Platform
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
2. Name: As set out in the Subscription Summary
Address: As set out in the Subscription Summary
Contact person’s name, position and contact details: As set out in the Subscription Summary
Activities relevant to the data transferred under these Clauses: Provision of BizCrunch Data via the BizCrunch Platform
Signature and date: Set out in signature block below
Role (controller/processor): Controller
B. DESCRIPTION OF DATA ACCESSED VIA THE BIZCRUNCH PLATFORM
Data subjects
The Platform Personal Data accessed concern the following categories of data subjects:
Directors, shareholders and employees of companies on the platform, and individuals involved in companies included within the BizCrunch Platform.
Categories of data
The Platform Personal Data accessed concern the following categories of data:
Details pertaining to businesses on the BizCrunch Platform, including but not limited to: names, business contact details (business email address, business telephone number), job title, details of shareholdings, and details of company directorships.
Sensitive data (if appropriate)
The Platform Personal Data accessed do not concern any categories of sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous basis.
Nature of the processing
Collection, recording, structuring, organisation, retrieval and access.
Purposes of the transfer(s)
Access is for the following purpose:
To facilitate usage by the Subscribing Organisation in accordance with the Data Usage identified in its Subscription Summary and further described in Part 3 of the Data Policy.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
For the duration of this Subscription Order.
Recipients
Subject always to the provisions of this Subscription Order, the Platform Personal Data accessed may be disclosed only to the following recipients or categories of recipients:
Subscribing Organisation: Users (as defined in the Subscription Order) duly authorised by the Subscribing Organisation to have access to BizCrunch Data for the Permitted Purpose and employees at a Subscribing Organisation if the Subscribing Organisation is on Data Tiers 1, 2 or 3
Public bodies and law enforcement authorities: Duly authorized staff at public bodies and law enforcement authorities who make enquiries of the Subscribing Organisation in accordance with applicable law.
C. COMPETENT SUPERVISORY AUTHORITY
As set out in Clause 13 of the Standard Contractual Clauses.
Data protection registration information of BizCrunch (where applicable)
Information Commissioner Registration Number for Biz Crunch Ltd (trading as BizCrunch): ZB610698
Contact points for data protection enquiries
Email: dpo@bizcrunch.co
PART 1
1. GDPR
We need to make sure that your and our processing of the BizCrunch Data complies with the requirements of the General Data Protection Regulation (EU) 2016/679 (the “EU GDPR“), the EU GDPR as incorporated into UK national law by virtue of the European (Withdrawal) Act 2018 (the “UK GDPR“) and the Data Protection Act 2018.
This Policy, together with our Terms and Privacy Policy, form part of your Subscription Order. It comprises a set of terms to support the assessment that our sharing of BizCrunch Data with you is in your and our legitimate interests and does not unduly prejudice the rights and freedoms of individuals to whom the Platform Personal Data relates. If you have any questions about it, please email our Data Protection Officer at dpo@bizcrunch.co
1.1. Definitions: In this Data Policy, the following terms shall have the following meanings (any definitions not found here will be in the main Terms):
(a) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, UK Data Protection Law, the EU GDPR and the EU e-Privacy Directive (Directive 2002/58/EC).
(b) “clause” means a clause of this Data Policy.
(c) “controller“, “processor“, “data subject“, “processing” (and “process”) and “special categories of data” shall have the meanings given in UK Data Protection Law as may be amended from time to time.
(d) “Data Usage” is outlined in Part 3 of this Data Policy which determines the extent of your usage rights in relation to BizCrunch Data, including Platform Personal Data.
(e) “GDPR” means the EU GDPR and the UK GDPR.
(f) “Party” means you or BizCrunch, as party to a Subscription Order comprising the BizCrunch Terms and this Data Policy.
(g) “Permitted Purpose” is as defined in clause 1.2 below.
(h) “personal data” means any information relating to an identified or identifiable natural person (a data subject). This is one who can be identified, directly or indirectly, in particular by reference to an identifier.
(i) “Platform Personal Data” is any personal data made available to you via the BizCrunch Platform, as further described in Annex I below.
(j) “UK Data Protection Law” means:
(i) the UK GDPR;
(ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003); and
(iii) the Data Protection Act 2018.
1.2. Disclosure of data: BizCrunch will make available to you via the BizCrunch Platform certain personal data as further described in Annex I (the Platform Personal Data) to process strictly in accordance with the Data Usage Tier outlined in your Subscription (and subject to any restrictions outlined in Part 3) or as otherwise agreed in writing between BizCrunch and you (the “Permitted Purpose“).
1.3. Relationship of the parties: You acknowledge that BizCrunch is a controller of the Platform Personal Data made available via the BizCrunch Platform, and that you will process the Platform Personal Data as a separate and independent controller strictly for the Permitted Purpose. In no event will BizCrunch and You process the Platform Personal Data as joint controllers.
1.4. Legitimate Interests: The Parties acknowledge that for the purposes of UK Data Protection Law, the legal basis on which BizCrunch will facilitate access by you to the Platform Personal Data is the legitimate interests pursued by BizCrunch in building and operating its business of providing data insights into UK companies as well as those pursued by the Subscribing Organisation which may wish to invest in or acquire such companies.
1.5. Compliance with law: Each of BizCrunch and you shall be separately responsible for complying with the obligations that apply to it as a controller under Applicable Data Protection Law.
1.6. Prohibited data: We shall not disclose any special categories of personal data to you for processing.
1.7. International transfers: Transfer of Platform Personal Data occurs whenever a User accesses the BizCrunch Platform.
Subscribing Organisation based in the EEA/UK: you shall not transfer the Platform Personal Data (nor permit the Platform Personal Data to be transferred) outside of the European Economic Area (“EEA“) and/or the United Kingdom (“UK“) unless you take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
Subscribing Organisation based outside the EEA/UK: If you are based outside the EEA/UK in a country that has not been deemed as ensuring adequate data protection within the meaning of Article 45 of the GDPR, you agree that the Standard Contractual Clauses (2021/914/EC) Module 1 (“Standard Contractual Clauses“) and the ICO’s UK Addendum to the Standard Contractual Clauses (“UK Addendum“) shall be incorporated by reference into your Subscription Order. For the purposes of populating the Appendices to the Standard Contractual Clauses and UK Addendum, the required information will be as set out in the Annexes to this Data Policy. In the event of any conflict between the Data Policy and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. In the event of any conflict between the Data Policy and the UK Addendum, the UK Addendum shall prevail.
For the purposes of Clause 11 of the Standard Contractual Clauses (“Redress”), the optional Clause (which reads as follows: “The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.”) is hereby deleted.
For the purposes of Clause 17 of the Standard Contractual Clauses (“Governing law”), the parties agree that this shall be the law of Ireland.
For the purposes of Clause 18 of the Standard Contractual Clauses (“Choice of forum and jurisdiction”), the parties agree that those shall be the courts of Ireland.
For the purposes of Clause 17 of the UK Addendum, the parties agree that the Approved Addendum (as defined in the UK Addendum) shall be populated by reference to this Data Policy and its Annexes and that any changes in formatting (including for the avoidance of doubt with respect to Part 1: Tables) shall not adversely affect the validity of the Subscription Order or the compliance with Applicable Data Protection Law of any international transfers of personal data made thereunder. The parties hereby acknowledge and agree that any such formatting changes do not reduce the standard of Appropriate Safeguards (as defined in the UK Addendum) provided.
For the purposes of Clause 19 of the UK Addendum, the parties agree that the Exporter shall be entitled to terminate the Addendum by providing written notice of the same to the Importer.
1.8. Security: You shall implement appropriate technical and organisational measures to protect the Platform Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Platform Personal Data (a “Security Incident“). Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
1.9. Subcontracting: You shall not allow access to Platform Personal Data to any person outside the Subscribing Organisation without our prior written consent, and even if such consent is given, restrictions must be adhered to (see Part 3).
1.10. Cooperation: In the event that either Party receives any correspondence, enquiry or complaint from a data subject, regulator or other third party (“Correspondence“) related to (a) the disclosure of the Platform Personal Data by BizCrunch to you for the Permitted Purpose; or (b) processing of the Platform Personal Data by the other Party or by a Client of a Subscribing Organisation, it shall promptly inform the other Party giving full details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Law.
1.11. Security incidents: Upon becoming aware of a Security Incident, you shall inform us without undue delay and within a maximum period of 48 hours. You shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep us informed of all developments in connection with the Security Incident. Each Party agrees to provide reasonable assistance to the other to facilitate the handling of any Security Incident in an expeditious and compliant manner.
1.12. Deletion of Platform Personal Data: Further to paragraph 11.3 of the Terms, upon termination or expiry of this Agreement, you shall destroy all Platform Personal Data (including all copies of the Platform Personal Data) in your possession or control (including any Platform Personal Data disclosed to a third party outside the Subscribing Organisation, if your Data Tier permits such disclosure or we have consented to such disclosure). This requirement shall not apply to the extent that you are required by any EU (or any EU Member State) law or UK law to retain some or all of the Platform Personal Data, in which event you shall securely isolate and protect the Platform Personal Data from any further processing except to the extent required by such law. For the avoidance of doubt, this clause 1.12 shall not apply to Platform Personal Data which is processed by you in connection with you entering into a direct relationship with a company on the BizCrunch Platform for investment or acquisition purposes, or the provision of professional services (including in the context of any enquiries by the company in respect of such investment or services).
1.13. Audit: Should we have reasonable cause, you shall permit us (or our appointed third party auditors) to audit your compliance with this Data Policy, and shall make available to us all information, systems and staff necessary for us (or our third party auditors) to conduct such audit.
PART 2
2. USE OF EMAIL ADDRESSES OBTAINED FROM THE BIZCRUNCH PLATFORM
We provide business email addresses on the BizCrunch Platform so that you can directly approach the individuals to whom those business email addresses relate. Since the communication (by whatever means) of advertising or marketing material directed to particular individuals is defined as “direct marketing” (even if you are not explicitly selling something), you must be compliant with any applicable rules pertaining to email marketing, as well as Applicable Data Protection Law. Further, to enable us to support the assessment that the disclosure of such email addresses to you (and your subsequent use of those email address) is not unduly prejudicial to the rights and freedoms of the individuals to whom the email addresses relate, you must comply with each of the requirements below.
2.1. You are forbidden from using email addresses from the BizCrunch Platform to email more than 5 people in a single send (“Mailshots”). This is to ensure that any contact that you make is direct and deliberate, and you must ensure that this is the case. Further, if you have not received a response, you shall not contact an individual more than 4 times and you shall ensure that there is at least 4 days interval between one email to an individual and the next email to the same individual.
2.2. You must identify yourself in any email you send and include contact details, ideally a postal address, active email address, and a phone number.
2.3. You must include in each email a clear and simple way for anyone you email to opt out of your communications.
2.4. If someone objects to or opts out of your marketing, you must immediately add them to a ‘do not contact’ list and stop communications with them. You must screen all your marketing against this list to make sure you don’t contact anyone who has opted out.
2.5. You must ensure that you are fully compliant with any Applicable Data Protection Laws, including where applicable European Directive 2002/58/EC, also known as ‘the e-privacy Directive’ (and any and all applicable national data protection laws made under or pursuant to such Directive). It is your responsibility to keep up to date with any changes in the law, in particular following the introduction of the proposed new e-Privacy Regulation, which is due to replace European Directive 2002/58/EC.
PART 3
3. DATA USAGE RIGHTS
Access to the BizCrunch Platform is limited as set out below. You may not access or use the BizCrunch Platform and / or the BizCrunch Data or permit any Data User to access or use the BizCrunch Platform or the BizCrunch Data in breach of the Data Usage set out below.
3.1. User Use Only
Individual Users may use BizCrunch Data, including any Platform Personal Data, subject to the following restrictions:
(a) You must ensure that Platform Personal Data is only used and shared in a manner which is compliant with Applicable Data Protection Law;
(b) Only a User may access BizCrunch Data on the BizCrunch Platform and each User may only share or make available BizCrunch Data with other active Users on Your Subscription. These rights are subject to the Terms, so where any Subscribed Teams are identified in the Subscription Summary, BizCrunch Data may not be accessed, used, shared or made available by or with anyone outside of such Subscribed Teams.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: Biz Crunch Ltd
Address: 86-90 Paul Street, London, England, United Kingdom, EC2A 4NE
Official registration number: 14268311
Contact person and contact details: Data Protection Officer, dpo@bizcrunch.co
Activities relevant to the data transferred under these Clauses: Provision of BizCrunch Data via the BizCrunch Platform
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
2. Name: As set out in the Subscription Summary
Address: As set out in the Subscription Summary
Contact person’s name, position and contact details: As set out in the Subscription Summary
Activities relevant to the data transferred under these Clauses: Provision of BizCrunch Data via the BizCrunch Platform
Signature and date: Set out in signature block below
Role (controller/processor): Controller
B. DESCRIPTION OF DATA ACCESSED VIA THE BIZCRUNCH PLATFORM
Data subjects
The Platform Personal Data accessed concern the following categories of data subjects:
Directors, shareholders and employees of companies on the platform, and individuals involved in companies included within the BizCrunch Platform.
Categories of data
The Platform Personal Data accessed concern the following categories of data:
Details pertaining to businesses on the BizCrunch Platform, including but not limited to: names, business contact details (business email address, business telephone number), job title, details of shareholdings, and details of company directorships.
Sensitive data (if appropriate)
The Platform Personal Data accessed do not concern any categories of sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous basis.
Nature of the processing
Collection, recording, structuring, organisation, retrieval and access.
Purposes of the transfer(s)
Access is for the following purpose:
To facilitate usage by the Subscribing Organisation in accordance with the Data Usage identified in its Subscription Summary and further described in Part 3 of the Data Policy.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
For the duration of this Subscription Order.
Recipients
Subject always to the provisions of this Subscription Order, the Platform Personal Data accessed may be disclosed only to the following recipients or categories of recipients:
Subscribing Organisation: Users (as defined in the Subscription Order) duly authorised by the Subscribing Organisation to have access to BizCrunch Data for the Permitted Purpose and employees at a Subscribing Organisation if the Subscribing Organisation is on Data Tiers 1, 2 or 3
Public bodies and law enforcement authorities: Duly authorized staff at public bodies and law enforcement authorities who make enquiries of the Subscribing Organisation in accordance with applicable law.
C. COMPETENT SUPERVISORY AUTHORITY
As set out in Clause 13 of the Standard Contractual Clauses.
Data protection registration information of BizCrunch (where applicable)
Information Commissioner Registration Number for Biz Crunch Ltd (trading as BizCrunch): ZB610698
Contact points for data protection enquiries
Email: dpo@bizcrunch.co