Ocean.io & GDPR

Understandably, GDPR is a hot topic. Despite the legislation coming into force a year ago, many companies are still struggling to become GDPR-compliant. Not a day goes by without the newspapers mentioning companies failing to meet GDPR standards or testing the limits of GDPR compliance.

At Ocean.io, we have always been conscious of the way we handle data as it is the bedrock of our platform. We have invested substantial time and effort to ensure we are GDPR-compliant and even written an introductory guide for others. Of course, people still wonder. So our COO & Co-founder, Michelle Heiberg, explains below how we work, and she also addresses some potential concerns for customers. If you want to know even more about protection of data and GDPR, you can enlighten yourself here.


It is quite clear that emails and phone numbers are personal data and, as such, protected under GDPR. Companies must have what is called a “lawful basis” for processing such personal data. In all, there are 6 lawful bases for processing personal data. The one lawful basis most spoken of is “consent”. However, our processing of personal data is based on “legitimate interest”.

Under Recital 47 of GDPR, it is specifically mentioned that the processing of personal data for marketing purposes may be regarded as carried out for a “legitimate interest”. As a company, we have to ensure that we have properly balanced the interests and rights of the individual whose personal data will be processed and our/third party interests.

When conducting such a balancing test, numerous issues must be addressed. It is important to note that we only process personal data that are related to the individual’s professional life. We do not process personal emails, personal telephone numbers, or personal addresses. If your professional email is not connected to a domain email but rather to a provider email domain such as @google.com or similar, we currently do not process your email.

In addition, contrary to most marketing and sales platforms (especially lead generation providers), we do not “harvest” emails and phone numbers from lists, your address book, etc. We only process professional emails and phone numbers that are publicly available – and, again, we avoid processing certain publicly available personal data even if they are related to your professional life.

So how come we have much more information than any other provider committed to GDPR? We have spent the past four years investing in data science and our model. The algorithms defining, locating, and matching the right information are now paying off.

Because this is a complex area, we are happy that our interpretation of what constitutes “legitimate interest” was recently raised in a GDPR ruling. In this case, the legal process by another data broker for processing personal data was not challenged, rather their fulfillment of the Article 14 information notification obligation. The ruling is especially important to data brokers such as Ocean.io and other companies using publicly available data in their business activities.

Does that mean we are in the clear? Well yes and no. There are still a number of formalities to comply with but these formalities do not challenge the legal basis for processing personal data.

How does this affect you?

The above is only a partial description of how we ensure compliance with GDPR. It is relevant to us because it’s our “lawful basis” for processing data. However, there are obviously other issues that we needed to address to be GDPR compliant, such as the right to be informed, the right to be erased, etc. Some of this is extremely relevant to our customers.

When you use personal data obtained from Ocean.io you are processing personal data and you – just like us – have to determine for yourself whether your processing of personal data obtained from Ocean.io is lawfully based. In this respect, it is extremely important that you comply with local marketing regulation.

When you use the legitimately processed emails, such as in an email campaign, you are processing personal data so you have to comply with GDPR and local marketing regulation. If you send out email campaigns in a jurisdiction where marketing regulation requires opt-in (consent) and you don’t have the opt-in you are not only in violation of the local marketing regulation but also of GDPR.

Processing personal data for marketing purposes may only constitute “legitimate interest” if the purpose for which you process the personal data is legitimate under the jurisdiction in question.

Let’s take Denmark, where we reside, as an example. In Denmark, you cannot send unsolicited marketing emails. If you process email addresses from Ocean.io to send out unsolicited emails to Danish recipients, you will be in violation of both Danish marketing regulation and GDPR.

However, in the UK, where opt-out applies (they specifically inform you not to send to them, meaning you don’t need consent up-front), sending out these unsolicited marketing emails is not in itself an offense of PECR (the UK marketing regulation) and therefore the unsolicited email does not in itself affect the legal basis for processing in relation to GDPR.

If you want to know more about Ocean.io, please email support@ocean.io.