GDPR Policy and Data Protection

Version: 11th May 2018

What is GDPR?

GDPR (General Data Protection Regulation) is an EU regulation which came into force on 25th May 2018. The essence of the regulation is making protection of personal information a fundamental right for EU citizens. Protection relates to transparency and control over personal data.

How does GDPR apply to datalog.co.uk, vat-lookup.co.uk and 401k-lookup.com?

Firstly, the GDPR legislation and the Data Protection Act apply only to individuals (natural persons).

Datalog provides information about incorporated entities including legal entities incorporated within the EU. Companies are not people. GDPR legislation and other Data Protection legislation ONLY applies to natural persons / individuals - it does not apply to incorporated entities.

VAT Lookup provides information about VAT numbers. As a general statement, it is our intent to publish VAT information for companies; however, it is perfectly possible for individuals to be VAT registered, so it is possible we may hold data on natural persons.

401k Lookup provides a lookup service for USA 401k benefit/pension schemes provided by companies. It is feasible we have data on sole trader organisations based in the USA. As the content is about USA domiciled companies, GDPR legislation does not apply. We may hold ancillary data on natural persons, for example who supplied the pension filing information or who sold the company the benefit insurance.

Website: Datalog

Datalog's policy is to list only incorporated entities - we do not list sole traders. If you believe the company listing is for a sole trader, we will review and delete if it is found to be a sole trader.

Datalog provides information about incorporated companies and that includes the directors of companies who are people. It is possible for legal entities to be directors too. The information on Datalog about directors of European companies applies to entities registered with Companies House. Datalog does not contain director information for entities domiciled in other European countries. We do not currently have information on German companies however Germany has similar disclosure requirements for companies including mandatory disclosure of directors - including the use of the "imprint" or "impressum" on websites.

The Companies Act 2006 states that there is a mandatory requirement for disclosure of information about members and officers of UK companies to be public information and that this personal information is explicitly excluded from Data Protection legislation. Datalog does not publish member information, only information about officers (directors). Disclosure of director information is a "Legitimate Interest" and sections of GDPR apply in these situations.

Datalog has always had a policy of not publishing date of birth or home addresses of directors. Although this information is supplied to us by Companies House we do not store it or process it.

If you have used your home address as the registered office of the company, this is not considered personal information.

Companies House may suppress the names of directors in exceptional circumstances. You will need to contact Companies House to see if your circumstances are exceptional. We will automatically remove your name to align with the information Companies House publish; however, if the reason is urgent then please contact us with your company name and number and we will ensure the information is synchronised with Companies House as soon as we can.

Datalog may also contain information about individuals as a result of their interaction with a company, for example if there has been a court hearing between an individual and a company. Datalog provides legal event history in the form of the court hearing description. Here is an example: Smith v Barclays Bank PLC.

The court listings usually use just the surname of an individual so it cannot be considered personal information in this context. In the unlikely event that you are the only person to have the surname, we will review and redact court listings upon request.

Other information types such as business rates, addresses, trademarks, patents and domain names associated with a company are not personal information. We also list mortgage charges - in most cases mortgage charges are with other companies. If there is a record of a mortgage charge with an individual, we will review and redact (if appropriate) upon request.

Website: VAT Lookup

VAT Lookup provides information relating to validation of VAT numbers. VAT numbers are issued to companies. VAT numbers can also be issued to individuals.

When we collect VAT registration information, we cross match the registrant information against our database of companies. If the registrant is identified as an incorporated entity, we publish the information. If we are unable to automatically determine if the registrant is an incorporated entity, we will automatically redact certain information.

Most European jurisdictions have a legal requirement to disclose information about VAT registrants for the purposes of preventing tax fraud. As there is a legal requirement for disclosure we understand that disclosure of VAT information is a "legitimate interest". If an entity or person is VAT registered, there is a legal requirement to provide invoices with the VAT number present. It is our understanding that a VAT number cannot therefore be considered personal information. It is also a legal requirement that contracting entities who are VAT registered perform checks on the validity of a VAT number, and therefore there has to be an element of disclosure in order to perform the legally required check. Our understanding is therefore that disclosure of the registrant of a VAT number is "legitimate interest".

We also perform a range of processing checks. For example if the registrant name is something like Mr John Smith or Mrs Jane Smith then we will automatically redact the registrant information so that the published information is solely about the VAT number validity.

Some entities are not incorporated but are not individuals either - for example Westminster Council has a VAT number - this information should not be redacted. Similarly a company may not be incorporated (ie it may be a sole trader) but the VAT registration may be under a trading name. Trade names are not personal information.

If you discover that we have made a mistake and are publishing VAT information about an individual then we will be happy to redact the information.

Website: 401k Lookup

401k Lookup provides a lookup service for USA 401k benefit/pension schemes provided by companies.

The information relates to the benefits such as pension plans and other welfare benefits provided to company employees.

401k plans only apply to the United States of America so therefore GDPR does not apply. GDPR only applies to EU citizens and EU member states.

It is feasible we have data on sole trader organisations based in the USA as the 401k information does not provide legal entity identifiers. We automatically cross check with our database of USA companies however company disclosure requirements vary state-by-state therefore it is not possible to do this consistently and confirm definitively whether the company is an incorporated entity.

It is possible for sole traders to create 401k plans for their employees. Although this is outside the scope of GDPR, in the event that you discover the plan information on 401k lookup, we will consider your request to redact the information. For example if the benefit is supplied to 1 employee and you are the employee then we would consider redaction to be reasonable. If however the benefit is supplied to 1,000 employees but the firm is not incorporated (ie a sole trader) then we would need to examine the case in more detail. In the case where employees have contributed monies to the pension benefit then they would have a "legitimate interest" in the information we publish.

We may hold ancillary data on natural persons, for example who supplied the pension filing information or who sold the company the benefit insurance. It is unlikely that these individuals are EU citizens and therefore GDPR does not apply; however, we will consider reasonable requests for redaction of this information.

Email information

We do not currently collect any email addresses as part of the normal operation of our services.

We do not require any registration to use our services so do not gather personal information about users of our websites.

There may be email addresses in our text content body where this has been published by a source. We believe the only possible places where this may exist is in gazette notices. We may therefore be publishing email addresses as a consequence of publishing information.

Legal gazette information relating to company bankruptcies may contain email addresses of the legally appointed receiver to wind up the company.

Where we detect the presence of email addresses in content which we publish, we will encode the email address to prevent harvesting by third party services which scrape our content.

We may point to documents and content which contain email addresses - we are not the publishers of this information so it is outside the scope of GDPR.

Our policy is to block scraping services when we detect them as they may be harvesting email addresses.

We have measures in place to prevent third party scraping services from scraping our content. We permit the following search engines unrestricted access to our sites: Google, Bing, Yandex, Baidu and 10cent.

If you make a PayPal donation towards the running of our services, we will receive your email address as part of this transaction. We will have an email record of the donation and there will be information on the PayPal service relating to your donation. We do not process this information to extract any information about you. We obviously greatly appreciate your donation and will respect your privacy.

Cookies

Our sites use Google AdSense and Google Analytics - these services use Cookies. We do not request consent from users of our sites for Google's EU consent policy therefore you will be deemed to have opted out and should therefore not be seeing personalised adverts from Google if you are in the EU. Google may ask you for consent in relation to our content. If they do then the GDPR relationship is with Google not us. Under no circumstances would we be considered a joint controller in relation to Google's actions. Google's EU User Consent Policy

All information which Google collect, will be anonymous if we access it.

We are not heavy users of Google Analytics - in fact we've removed it from some of our sites as we figured they get more value from the data than us - we tend to use Google Webmaster tools more which has no personal information.

We use the SilkTide EU cookie consent service for tracking cookie consent relating to Google's Adsense/Analytics services cookie usage (and other affiliates of Google). We do not have access to any of SilkTide's data - our understanding is they use the data solely for the purpose of confirming that you have acknowledged the EU Cookie Consent.

We are not an information processor of Cookie information therefore we interpret Cookies to be outside the scope of GDPR for our services.

Server Logs

We collect and store server log information. These logs record which pages users visit and their IP address and domain information. IP address information is not currently considered personal information under the scope of GDPR since it may be dynamically assigned.

We do very limited processing of server log information - we use it occasionally for technical dimensioning purposes and we use it to determine which content is popular. All information used for marketing purposes is at an aggregate level - we do not look at an individual record level except for things like people trying to hack or abuse our services.

We do not use the data for marketing or profiling purposes. For the purposes of GDPR we can be considered to not process the information therefore this is exempt.

In the event that we receive a formal request from a recognised legal authority to disclose the server logs or extracts of the server logs, we will comply with this request if there is a lawful basis to do so, eg a high court order.

GDPR places a new requirement on companies to record the disclosure of information. We therefore have a requirement to store the server logs with regards to recording any information disclosure.