
ClarifiedBy data protection terms

These ClarifiedBy Data Protection Terms ("DPT") govern the processing of personal data in connection with the Diligencia ClarifiedBy Platform and are incorporated by reference into each Subscription Proposal accepted by the Client. They should be read alongside the ClarifiedBy Platform Subscription Terms.

1. Definitions

Terms used in these ClarifiedBy Data Protection Terms have the meanings given below or in the ClarifiedBy Platform Subscription Terms, unless otherwise stated. Where not otherwise defined, terms have the meaning given in Part 2 Chapter 1 of the Data Protection Act 2018 and Article 4 of the UK GDPR.

Data Protection Legislation: All applicable data protection and privacy laws in the UK and (where applicable) the European Economic Area, including the Data Protection Act 2018 (“DPA 2018”), Data Use and Access Act 2025, the UK GDPR, PECR, and any successor legislation. 

DSAR: A Data Subject Access Request under Data Protection Legislation.

IDTA: The International Data Transfer Agreement issued by the ICO under s.119A(1) DPA 2018, the template for which is set out in Part B of these Data Protection Terms and which applies where relevant.

Independent Controller: The Client, when it receives and processes personal data disclosed to it by Diligencia as part of the Service, acting as a data controller in its own right independently of Diligencia.

Permitted Purpose: Research and due diligence regarding companies and their directors or shareholders, as further described in clause 3.

Personal Data: Any information relating to an identified or identifiable natural person.

Processor: Diligencia, where the Client acting as Controller discloses personal data to Diligencia that is not derived from Diligencia's own databases or Confidential Information.

Territories: The United Kingdom and (where applicable) the European Economic Area.

Third Country: Any country or territory outside the Territories that does not benefit from an adequacy decision under Data Protection Legislation.

UK GDPR: The General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.

2. Overview: Roles of the parties

2.1 Diligencia as Controller

When Diligencia uses its own databases and Confidential Information to deliver the Service, it acts as an independent Controller. In this capacity, Diligencia determines the purposes and means of processing personal data and is responsible for its own compliance with Data Protection Legislation.

2.2 Client as Independent Controller

When personal data is disclosed to the Client as part of the Service, the Client becomes an Independent Controller of that data. The Client is solely responsible for ensuring its own processing activities comply with Data Protection Legislation from the point of disclosure.

2.3 Diligencia as Processor

Where the Client, in its capacity as Controller, discloses personal data to Diligencia that is not contained within Diligencia's own databases (for example, data about the Client's employees or contacts), Diligencia processes that data as a Processor acting on the Client's instructions.

2.4 Contractual basis for transfers

Processing of personal data relating to the Client's employees, agents and others that Diligencia may need to contact to deliver the Service is carried out by Diligencia as Controller on the legal basis of contractual necessity.

Diligencia's DPO is the primary point of contact for Data Subjects and Supervisory Authorities. Contact details are available in Diligencia's Privacy policy.

3. Scope and permitted purpose

These ClarifiedBy Data Protection Terms cover all personal data processed by either party in connection with the Service. The parties have determined that the Permitted Purpose for sharing personal data is:

  • Research and due diligence regarding companies and their directors or shareholders.

The Client may only use personal data disclosed to it for the Permitted Purpose.

The parties acknowledge that both parties must comply independently with their respective obligations under Data Protection Legislation, and that nothing in these ClarifiedBy Data Protection Terms relieves either party of its direct responsibilities under Data Protection Legislation.

Both parties warrant that they have all necessary appropriate legal bases (including consents or notices where required) in place to enable the lawful transfer and processing of personal data under these ClarifiedBy Data Protection Terms.

No Special Categories of Personal Data will be processed by Diligencia on the Client's behalf.

The Client provides permission to Diligencia to notify Data Subjects that a disclosure of their data has taken place, where this is necessary for the Data Subject to exercise their rights or where required by Data Protection Legislation or a Supervisory Authority.

4. Legal basis for processing

Diligencia relies on Legitimate Interest as its legal basis for processing business contact personal data (as defined in Article 6 UK GDPR). Diligencia confirms that a Legitimate Interest Assessment has been carried out for all relevant processing activities in the UK and EU where that basis is permissible.

Where Diligencia acts as Controller in respect of processing in Third Country jurisdictions, Diligencia does not guarantee compliance with data protection laws in those jurisdictions but will use its best endeavours to meet applicable local requirements. 

5. Categories of personal data

The personal data processed in connection with the Service may include, without limitation:

- Names
- Job titles, directorships and shareholdings
- Company names and addresses
- Business telephone numbers and email addresses
- Additional information related to the Data Subject as required for the Permitted Purpose from time to time
 

6. Technical and organisational measures

Both parties agree that they have in place appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures must be appropriate to the risk, and must ensure:

a) confidentiality, integrity, availability and resilience of processing systems and services;

b) the ability to restore access to personal data in a timely manner after an incident; and

c) a process for regularly assessing and evaluating the effectiveness of those measures.

Both parties shall maintain complete, accurate and up-to-date written records of all processing activities as necessary to demonstrate compliance with these Data Protection Terms and with Data Protection Legislation.

7. Data subject rights

Under Article 14 of the UK GDPR, the Client is responsible for notifying Data Subjects within the Territories of its own processing activities following disclosure from Diligencia.

Each party shall use all reasonable endeavours to provide full and prompt co-operation and assistance in relation to any DSAR or other Data Subject communication, in order to meet the timescales required by Data Protection Legislation. Requests for co-operation under this clause shall be responded to within five days.

8. Data breach notification

If either party becomes aware of an actual or reasonably suspected personal data breach that may require notification to a Supervisory Authority (under Article 33 UK GDPR) or to Data Subjects (under Article 34 UK GDPR), it shall notify the other party without undue delay and provide:

a) sufficient information to enable both parties to meet their notification obligations in a timescale that facilitates compliance;

b) complete information to Supervisory Authorities investigating the breach as requested from time to time;

c) all reasonable assistance required, including co-operation with Supervisory Authority investigations, access to relevant data and records, assistance with investigation and remediation, and co-ordination on public communications relating to the breach.

9. Audit rights

Where Diligencia acts as Processor, it shall make available to the Client information reasonably required to demonstrate compliance with these Data Protection Terms, including Cyber Essentials certification and ISO 27001 evidence.

The Client may, no more than once in any 24-month period and at its own cost, on reasonable prior notice, conduct audits or inspections (including by authorised third party representatives) during Normal Business Hours to verify compliance with these Data Protection Terms. Any third party conducting an audit may be required by the audited party to enter a direct confidentiality undertaking. Nothing in this clause requires either party to disclose its own Confidential Information.

10. International data transfers

Where Diligencia transfers personal data to recipients in Third Countries (i.e. countries without an adequacy decision under Data Protection Legislation), Diligencia will ensure that appropriate safeguards are in place before the transfer, as required by Data Protection Legislation.

Subject to clause 4 above, where the Client's establishment is in a Third Country and an IDTA is required, Part B of these Data Protection Terms (IDTA Framework) applies and the parties are required to complete and execute the applicable IDTA tables.

Note: The IDTA in Part B is the ICO-approved standard form. It will only apply where the Client's establishment is in a Third Country without a recognised adequacy decision. If this does not apply to the Client's situation, Part B can be disregarded.  

11. Data protection indemnity

Where Diligencia acts as an independent Controller in connection with processing in Third Country jurisdictions (as described in clause 4), Diligencia shall indemnify the Client for costs (including reasonable legal fees), claims, damages and expenses arising directly from data protection claims related to that processing, subject to the total aggregate liability cap in the Platform Subscription Terms and provided that:

a) the Client has fulfilled its own obligations under applicable Third Country data protection requirements;

b) Diligencia is given prompt written notice of the claim;

c) the Client provides reasonable co-operation in the defence and settlement of the claim at the Client’s expense; and

d) Diligencia is given sole authority to defend or settle the claim.

Diligencia has no liability for any indirect, consequential or exemplary damages, or for loss of profits, arising from the Client's own breach of its obligations under these Data Protection Terms or under Data Protection Legislation. 

12. Term and retention

These ClarifiedBy Data Protection Terms survive termination or expiry of the Platform Subscription Terms and continue in force for 36 months thereafter, except where an obligation requires compliance for a longer period under Data Protection Legislation.

Each party is responsible for complying with its own data retention obligations in respect of personal data it holds. On termination of the Service, each party shall deal with the other party's personal data in accordance with Data Protection Legislation.

12. Governing law and jurisdiction

These ClarifiedBy Data Protection Terms are governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction over disputes arising from these Data Protection Terms (including non-contractual claims).

These Data Protection Terms may be updated from time to time in accordance with the ClarifiedBy Platform Subscription Terms.