OCEAN.IO - GDPR COMPLIANCE
Latest update: July 27, 2022
Ocean.io applies next-gen analytics to CRM data to understand which accounts are the best fit for your company. Then our intelligent dataset finds more companies like them to prioritise your team and resources on the right accounts to help you win more deals and grow your business.
Ocean.io has developed a proprietary AI algorithm that uses Machine Learning and Natural Language Processing to identify what companies do based on how they describe themselves on their websites, enabling Ocean.io to get much more specific in classifying them than anyone else on the market.
Ocean.io indexes hundreds of millions of websites, normalises the data we find, and uses it to place each company into a mathematical model of the global market.
The Ocean.io proprietary AI algorithms analyse and segment a customer’s CRM data, giving insights that can help point towards accounts with great potential to target next. Prior deals and win patterns are thoroughly analysed and based on this analysis Ocean.io can suggest which segments/accounts to target – accounts that may already be in the customer’s CRM system or new prospects found in the Ocean.io database that fit within the segment identified by the Ocean.io AI algorithms.
We at Ocean.io call this Revenue Intelligence.
The proprietary Ocean.io database of company information and of professionals at those companies has been obtained from public sources, that is, sources available to the general public.
THE OCEAN.IO DATABASE
1. NATURE AND ORIGIN OF THE OCEAN.IO DATABASE
1.1 Corporate information is the foundation for the Ocean.io database. Each company is classified by industry tags based on the proprietary analysis of the Ocean.io algorithm. Corporate information includes company location data, company identification data, company social media data etc. The Ocean.io database contains personal data on professionals in order to enable clients to identify the individual who occupies a certain position or role within a B2B account that has been identified by the Ocean.io algorithm as relevant - enabling clients to only reach out to relevant contacts.
1.2 The content of the Ocean.io database has been obtained from multiple online public sources, such as company websites and LinkedIn.
1.3 In addition to company information the Ocean.io database comprises the following personal data related to profiles: Names, job titles and corporate email addresses of professionals working in the companies, provided the email address is a corporate email domain and not a gmail.com domain or similar. Professionals may use gmail.com and similar email domains as their corporate email, but as we cannot easily verify that it is a corporate and not a personal email address, our database does not contain such email domains.
1.4 The Ocean.io database does not include private email addresses, any online behavioural data, predictive elements, personality traits, or special categories of personal data (as defined in Article 9 of the GDPR).
2. EMAIL GENERATION, COLLECTION AND VALIDATION
2.1 When Ocean.io does not have the business email address of a profile, it may generate an email address using the following process:
2.1.1 we collect first name, last name, and company name; and
2.1.2 generate the email address from a common pattern.
2.2 Subsequently, Ocean.io undertakes a number of measures to validate that email addresses on the Ocean.io database are publicly available corporate email addresses.
2.3 In order to ensure that email addresses are valid, Ocean.io carries out tests against a company’s email server before the email address figures in the Ocean.io database. These tests come back with one of the following signals:
2.3.1 “valid”, meaning the email address is valid and the email server is not configured to block public access;
2.3.2 “acceptable”, meaning the email address allows emails through to the email server, without signalling whether there are any further access restrictions; or
2.3.3 “not valid”, meaning either the email server is configured to block external access or the email address is invalid.
2.4 Ocean.io records this signal in the Ocean.io database. Where the signal is “not valid”, Ocean.io does not use the associated profile. Ocean.io gives its users a choice of whether they wish to use profiles with "valid" signals only or also wish to use those with an "acceptable" signal.
2.6 Ocean.io also regularly checks whether email addresses have been indexed on the web. If so, this indicates that the email address is publicly available online.
2.7 Testing servers in this way is the only way Ocean.io can assess whether the email address is public or not. Email server status checks as performed by Ocean.io are standard industry practice with a significant number of providers.
3. TELEPHONE NUMBER
3.1 Ocean.io does not collect personal telephone numbers. Direct numbers for the profiles are only processed if they can be validated and are publicly available. It is the policy of Ocean.io to limit the categories of personal data to a minimum.
4. PURPOSES AND DATA PROCESSING
4.1 Ocean.io offers a service to its clients, using the Ocean.io proprietary algorithm to analyse and segment the client’s CRM. Prior deals and win patterns are thoroughly analysed and based on this analysis the Ocean.io platform suggests which segments/accounts to target. Such suggestions may consist of accounts already in the client’s CRM as well as new prospects that fall within the segments suggested by the Ocean.io proprietary algorithm and found in the Ocean.io database. Once the accounts have been identified the Ocean.io platform provides company information and profile contact data for the accounts identified as targets.
4.2 Ocean.io also offers a service to its clients where the Ocean.io algorithm based on criteria defined by the client’s ideal customer profile (“ICP”) identifies the total addressable market (“TAM”) and identifies which accounts do not appear in their CRM, or accounts within the CRM with which the client has no existing or historic business relationship. The Ocean.io clients may subsequently use data obtained through Ocean.io at their discretion to approach prospective new clients, including through B2B marketing campaigns.
4.3 Due to the business classification from the Ocean.io algorithm, Ocean.io is uniquely positioned to identify the entire, relevant TAM for a client. Ocean.io does not use standard industry codes, which group companies based on a few common traits while the products, services, customers and needs of the companies may be varied. Instead, the Ocean.io platform precisely identifies companies based on what they do, so they have very similar products, services, customers and needs.
Selecting a TAM is as much about eliminating potential target companies as it is about selecting target companies. Within a given TAM, companies can precisely target a small number of companies within the same niche industry, or a select few profiles that fit a job title. The Ocean.io algorithm helps our clients target only relevant companies and profiles that are the most likely to benefit from the client’s offering. This results in targeting the right accounts and profiles with more relevant messaging which should lead to less spam.
4.4 The Ocean.io platform is exclusively intended to be used by B2B clients to normalise and segment the client’s CRM and to identify the TAM and associated profiles and is not intended to be used in respect of consumers.
4.5 Ocean.io provides the following personal data for the identified accounts: Identification of relevant individuals within the targeted accounts consisting of names, job titles and corporate email addresses.
5. STATUS OF OCEAN.IO AS A DATA CONTROLLER OR A DATA PROCESSOR
5.1 In maintaining and analysing the Ocean.io database, Ocean.io is likely processing the personal data as the sole data controller as:
5.1.1 Ocean.io determines the purpose of processing, namely, to collect and curate data on individuals for carrying on a business like Ocean.io’s business;
5.1.2 Ocean.io also determines essential elements of the means of data processing. This includes the determination by Ocean.io of the personal data on the Ocean.io database to be collected and processed; and
5.1.3 Ocean.io’s processing of the Ocean.io database is not triggered by or subject to the clients’ instructions.
5.2 When the client accesses the Ocean.io database and processes personal data, Ocean.io would likely be processing such data as a data processor on behalf of the client data controller due to:
5.2.1 The client determines the purpose of processing, namely which accounts and associated profiles and their personal data should be processed to be targeted by the client’s sales and marketing teams;
5.2.2 the client determines the essential elements of the means of data processing. This is because by determining the search criteria, the client decides the category of data subjects, on whom personal data is obtained and subsequently processed.
6. LEGAL BASIS - FOUNDATION OF PROCESSING
6.1 GDPR requires a data controller to justify the processing of personal data before it will be considered lawful. Article 6(1) sets out six lawful grounds for processing, one of which is legitimate interests of a data controller including those of a data controller to which the personal data may be disclosed, or of a third party.
6.2 The legal bases for processing to be lawful under GDPR, Article 6(1) are:
6.2.3 legal obligation;
6.2.4 vital interests;
6.2.5 public interest;
6.2.6 Legitimate interest: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedom of the data subject which require protection of personal data, in particular where the data subject is a child” (“legitimate interest”).
6.3 Only one condition under Article 6(1) must be satisfied in order for the processing to be conducted on fair and lawful grounds. It is permissible to process data on more than one legal basis, provided that one of those bases is not consent.
6.4 Ocean.io relies on legitimate interests as the legal basis for processing data.
7. LEGITIMATE INTERESTS
7.1 Legitimate interests as referred to above include the legitimate interests of a data controller, including those of a controller to which the personal data may be disclosed, or of a third party.
7.2 Recitals 47 to 50 provide some examples of when a data controller may have a legitimate interest, but falling within one of these areas does not, of itself, satisfy the requirement for lawfulness, which must be confirmed by an assessment undertaken by the data controller.
7.3 Recital 47 provides:
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedom of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
(a) Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
(b) At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
(c) The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
(d) Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.
(e) The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
(f) The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
7.4 Each of the component parts of Article 6(1)(f) must be satisfied:
“Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedom of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.”
7.5 The European Data Protection Board (formerly the Article 29 Working Party) Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (“LI Opinion”) remains applicable under GDPR.
7.6 In accordance with the LI Opinion, in order for interests to be legitimate, interests should be lawful, not speculative and capable of being clearly and specifically articulated such that the interests may be considered against the interests or fundamental rights or freedom of the respective data subjects, being the individuals identified by the personal data.
7.7 The balancing test
7.7.1 The legitimate interests must be balanced against the corresponding impact of the processing on the interests or fundamental rights or freedom of the individual subject of the processing.
7.7.2 As such, in order to rely on this legal basis, Ocean.io must carry out an assessment to balance the interests of Ocean.io, and relevant third parties, in the processing of the personal data, against the data subject’s data protection rights. As part of this assessment, Ocean.io must consider whether the data subject’s rights override the interests of Ocean.io and relevant third parties, and also consider the potential harm that may occur as a result of the processing activities.
7.7.3 Ocean.io must be able to demonstrate, if challenged, that it has fully considered the necessity for the purpose of processing against the rights of the data subjects and that a reasonable decision was taken that the individual’s rights did not override the interests of the controller.
7.7.4 Therefore, there are effectively three stages:
- a) identifying a legitimate interest;
- b) carrying out a necessity test; and
- c) undertaking a balancing exercise.
8. APPLICATION OF LEGITIMATE INTEREST ASSESSMENT
8.1 Identifying a legitimate interest
A legitimate interest is not limited to the interest of Ocean.io; it can be a legitimate interest of a third party or of society as a whole.
Ocean.io will need to consider whether the processing activities are necessary for the pursuit of the legitimate interests described above and whether such interests can be achieved by processing personal data to a lesser extent.
8.3 Undertaking the balancing test
8.3.1 Ocean.io can only rely upon a legitimate interest where the rights and freedom of the data subject have been evaluated, and these interests do not override the legitimate interest referred to above. The balancing exercise must be undertaken fairly and should include consideration of:
- a) the nature of the interests;
- b) the impact of processing; and
- c) any safeguards which are or could be put in place.
8.3.2 When balancing the impact on the interests or fundamental rights or freedom of a data subject against the legitimate interests of a data controller, the following points are relevant:
- a) the significance of the interest pursued by the data controller;
- b) the significance of the prejudicial impact on the interests or fundamental rights or freedom of the data subject;
- c) the reasonable expectations of the data subject;
- d) the status of the data subject;
- e) the implementation of any appropriate safeguards in order to mitigate the impact on the interests or fundamental rights or freedom of the data subject; and
- f) the measures taken by the data controller to comply with its other obligations under GDPR.
8.3.3 When considering the nature of the impact of the processing, the significance of the impact on the interests or fundamental rights or freedom of a data subject is determined by:
- a) the amount of information held in respect of that data subject;
- b) the source of any information held in respect of that data subject;
- c) whether any information held in respect of that data subject was obtained from public sources, whether that information was made public by that data subject, and whether that data subject would expect that information to be further processed following its publication;
- d) the extent to which that information is used to reveal insights or understandings of that data subject's personality, preferences, interests and behaviour;
- e) the extent to which that information may be used to: intrude on that data subject’s privacy; influence that data subject; make decisions in respect of that data subject; discriminate against that data subject, for example price discrimination; and the risk of any particular impact materialising; and
- f) the availability and ease of use of any ability for the data subject to opt out of the processing.
8.3.4 Accordingly, under the balancing test, a minor prejudicial impact on the interests or fundamental rights or freedom of a data subject may override an interest of a data controller which is considered minor and not compelling. However, a similar impact may not override a more significant interest of the data controller.
8.3.5 Conversely, a minor interest of the data controller may override an even more trivial impact on the interests or fundamental rights or freedom of a data subject.
8.3.6 The purpose of the balancing test is, therefore, not to prevent any prejudicial impact on the interests or fundamental rights or freedom of a data subject. Rather, its purpose is to prevent such impact being disproportionate.
In light of any risks identified, the controllers should put in place appropriate safeguards and mitigating processes and procedures to protect the data subject and reduce any risk of a negative impact of processing, including, for example:
8.4.1 technical and organisational measures to prevent unauthorised use of personal data;
8.4.2 extensive use of anonymisation, pseudonymisation and encryption techniques, and other data minimisation measures;
8.4.3 aggregation of data;
8.4.4 privacy-enhancing technologies, privacy by design, privacy and data protection impact assessments;
8.4.5 increased transparency with data subjects, including disclosure of:
- a) the extent and nature of processing;
- b) individuals’ rights in respect of that processing;
- c) other safeguards implemented to protect their interests or fundamental rights or freedom;
- d) the reasoning behind any finding that the processing may be undertaken on the grounds that such processing is necessary to pursue legitimate interests;
8.4.6 ensuring that personal data is processed in accordance with the data subject’s reasonable expectations where possible;
8.4.7 enabling the data subject to have access to and to have the opportunity to modify, update and remove personal data when necessary;
8.4.8 data portability and related measures to empower data subjects to exercise their rights;
8.4.9 the implementation of a workable mechanism by which data subjects may object to such processing, or to review and correct or withhold personal data;
8.4.10 measures to ensure that any personal data transferred out of the EEA is adequately protected and that such transfer is compliant;
8.4.11 ensuring that appropriate contractual clauses are present in agreements between Ocean.io and any third parties who process personal data on its behalf; and
8.4.12 ensuring that Ocean.io personnel receive appropriate training regarding their dealings with personal data.
9. DETERMINING THE LEGAL BASIS FOR OCEAN.IO’s PROCESSING OF PERSONAL DATA
9.1 Identifying the legitimate interests:
It is in Ocean.io’s interest to carry on its business in the pursuit of exercising its fundamental rights to liberty and security (under Article 6 of the European Charter of Fundamental Rights) and its freedom to conduct a business (under Article 16 of the European Charter of Fundamental Rights). However, we consider it unlikely that the broad objective of conducting a business and making a profit in and of itself is a legitimate interest. It can obviously be part of the legitimate interests or form the basis for it, but it must be supported by other legitimate interests and purposes.
Furthermore, it is in the interests of Ocean.io and its clients to:
(i) have information about potential business customers, such as industry segment, company size and location, organised in one database and searchable, so that relevant B2B companies and profiles can be more precisely and easily identified;
(ii) be able to identify the individual that occupies a certain position or role within a B2B lead, to enable clients to only reach out to relevant profiles;
(iii) be able to generate and contact potential relevant B2B accounts in order to undertake forms of marketing and advertisement in respect of themselves or their products or services, provided such marketing activities are within the laws and marketing practices of the relevant jurisdictions;
(iv) have information about potential business customers organised in one database and searchable;
(v) have access to up-to-date and complete information for when conducting marketing and advertisement in respect of themselves or their products or services;
(vi) be able to normalise a client’s CRM, eliminating duplicates and making the data in the CRM more precise. Having duplicates in the CRM provides for a polluted CRM. Full value of the CRM data is provided through normalisation providing for a correct view of the client’s CRM data.
Provided that the relevant personal data in the Ocean.io database is used only to achieve the intended purposes, Ocean.io's processing activities are likely to be necessary for the stated legitimate interests. There are no alternative methods to achieve the objectives pursued by Ocean.io, which have a lesser impact for individuals on the Ocean.io database.
9.3 Balancing Test:
Interests supporting processing:
The categories of personal data used for this purpose:
- relate to adults in their professional capacity and contain information relating to that professional capacity. The amount of personal information is limited to a minimum. Ocean.io only processes names, job titles and professional emails and to some extent professional telephone numbers. Direct telephone numbers are only processed if they are publicly available and can be validated. Professional emails are included for a variety of reasons. Professional emails form the basis for deduplication in the customer’s CRM system, and they provide a means of contact for Ocean.io and the client to inform the data subject that their personal data is processed. They may also be used for marketing purposes, provided that the form of marketing applied to the use of the email is legal in the jurisdiction in question;
- are likely to have been published for business purposes or with the expectation that this personal data may be processed by third parties for business purposes, including marketing and lead generation;
- do not contain any special categories of personal data, precise location data, internet usage data or data relating to an individual’s online behaviour; and
- are solely being processed for B2B purposes. The individual is not being marketed to in any personal capacity.
Risks and impact on rights and interests of the data subject:
- Individuals have an interest in protecting their personal data from disclosure and use;
- There is no relationship between Ocean.io and the individual and the individual may, therefore, not reasonably expect that their personal data is being stored and processed by Ocean.io.
- Initially there is no relationship between the client and the individual and the individual may, therefore, not reasonably expect that their personal data is being stored and processed by the clients.
- There will likely be an increase in the extent to which individuals on the Ocean.io database are contacted for marketing purposes and this may cause them irritation. However, as the Ocean.io algorithm helps our clients target only relevant companies and profiles that are the most likely to benefit from the client’s offering, this results in more relevant messaging to the individuals which should eventually lead to less spam.
The processing of personal data is not likely to (i) cause fear and distress, whether resulting from an individual losing control over personal data, or for any other reason; or (ii) have any impact on protected behaviour, such as freedom of research or free speech.
It is possible for the Ocean.io database to be lawfully processed in pursuit of legitimate interests and such processing should not cause a disproportionate impact on the interests or fundamental rights or freedom of the professionals in the Ocean.io database. This is on the basis that the safeguards set out in paragraph 8 above are implemented.
11. Obligations pursuant to GDPR Article 14
Pursuant to Article 14, the data controller has certain obligations vis-a-vis the data subject. This applies to Ocean.io and the client as well, when the client operates as the data controller.
Article 14 provides:
- Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
  - the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  - the contact details of the data protection officer, where applicable;
  - the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  - the categories of personal data concerned;
  - the recipients or categories of recipients of the personal data, if any;
  - where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
- In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
  - the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  - where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  - the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
  - where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  - the right to lodge a complaint with a supervisory authority;
  - from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
  - the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- The controller shall provide the information referred to in paragraphs 1 and 2:
  - within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
  - if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
  - if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
- Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
- Paragraphs 1 to 4 shall not apply where and insofar as:
  - the data subject already has the information;
  - the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
  - obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  - where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
The right to erasure is not an automatic right for individuals where processing is based on legitimate interests. That said, an individual will still have the right to object to processing of their personal data when processing takes place on the basis of legitimate interests. The right to erasure would then apply if the data controller cannot justify the legitimacy of the processing.
As Ocean.io deliberately does not process any personal data on the individuals other than name, title and professional email address, the only means of complying with the obligation in Article 14 will be to send an email to the data subject providing the information required pursuant to Article 14, including informing the data subject of their rights. In deciding how to send out the email, the client shall consider staging the information to ensure that the email does not end up in a spam filter. Ocean.io will be happy to provide our clients with guidelines on how best to ensure that the email actually makes it to the data subject. Ocean.io will also be happy to provide the standard language for the email.