Dun & Bradstreet Privacy Notice

What Information Do We Collect and Why?
Who Do We Share This Information With?
Profiling
International Transfers
Data Retention
Grounds of Processing
Data Subject Rights

Additional Rights In Relation To Credit Reporting

Statutory Report
Notice of Correction
Handling Our Customers’ Data
Updating this Privacy Notice
Complaints

Subject Access Requests
Direct Marketing Privacy Notice

7^th August 2024

Dun & Bradstreet helps customers improve business performance through the power of data and analytics. The Dun & Bradstreet Data Cloud delivers the world’s most comprehensive business data and analytics and provides unparalleled depth and breadth of business information that accelerates growth, reduces costs, manages risk, and transforms your business. Comprising over hundreds of millions of business records and thousands of attributes, our data is curated from tens of thousands of sources – both online and through our World-Wide Network of data partners around the globe – and is updated five million times each day. It encompasses the companies that make up the majority of the world’s GDP – meaning the companies you are most likely to do business with.

From the Data Cloud we derive our Live Business Identity, which delivers a comprehensive and continually updated view of any company in the Data Cloud. Live Business Identity starts with our universal identifier, the Dun & Bradstreet DUNS® Number. The DUNS Number is a unique nine-digit business identifier that is assigned once our patented identity resolution process, part of our DUNSRight methodology, identifies a company as being unique and distinct from any other in the Data Cloud. Consider Dun & Bradstreet’s unique Live Business Identity as a living, breathing descriptor of nearly every business on earth. Our data and analytics are delivered through the Data Cloud, which customers can access through our comprehensive solutions, APIs, and partner solutions.

Companies of every size around the world – including 90 percent of the Fortune 500^™ - rely on Dun & Bradstreet to improve business performance.

We recognise that some of the information we collect may be classified as “personal data” under UK and European Union (EU) law as it is information relating to an individual (e.g. a sole trader, a partnership, a company director, a beneficial owner, a trustee, a professional contact etc). This privacy notice provides the information in relation to the processing of personal data under UK EU law (and specifically the General Data Protection Regulation 2016/679). It applies to all Dun & Bradstreet companies registered in the EU and United Kingdom and those outside the EU when they carry out business information activities on residents of the EU or offer goods or services to businesses in the EU. The Data Protection Officer for D&B can be contacted on EUDPO@dnb.com.

What Information Do We Collect and Why?

D&B processes data so that it can supply commercial data about organisations to other organisations. The purpose of this processing is to enable businesses to manage their financial risks, protect against fraud, know who they are doing business with, meet compliance and regulatory obligations and better understand organisations, industries and markets.

We also licence or sell professional business contact information for marketing and data management purposes, which is covered in more detail in our dedicated Direct Marketing Privacy Notice.

Therefore we collect information on businesses and business professionals. This is our “Commercial Data” and includes the following examples:

Company and business professional contact information, including name, job title, address, phone number, fax number, e-mail address, domain names, and trade associations;
Detailed company profiles and statistics, including number of employees and for publicly listed companies only the remuneration of certain officers;
Background information regarding company management, such as beneficial ownership/persons of significant control, the educational and career histories of company principals;
Company operational histories, including territories, subsidiaries, affiliates, and lines of business;
Detailed trade and business credit information, including banking data, payment histories and patterns;
Business information regarding profitability, debts, assets, net worth, and business relationships;
Business compliance information from public source government and professional records, media and business publications;
Newspaper and media reports of criminal convictions.

When you use our services to purchase goods and services or contact us, we may collect:

Information that identifies you, including professional contact information

Information collected from cookies or other tracking technologies

Records and financial information, including credit and debit card information

Commercial information, such as transaction information

Internet or network activity

Geolocation information

correspondence and other communications between us, such as email, call recordings, live chat, instant messages and social media communications, market research or surveys

device information (from your mobile telephone, tablet or laptop for example) to confirm your identity and/or to protect you from becoming a victim of fraud, if you use our UK Digital Service Centre

D&B does not seek to collect any information in relation to a European resident’s race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic or biometric data.

Our data originates from:

Organisations providing information directly to us
Creditors and suppliers of an organisation
Data vendors
Governmental and administrative public records such as business registrations, company filings, court and bankruptcy filings
Public sector information (e.g. Charity Commission, Company Registrars)
Regulatory bodies and law enforcement agencies
D&Bs World Wide Network Partners
Website visitors and those who inquire about our services
Card networks and payment processors
Banks and finance providers. Data received from this source about unincorporated businesses is subject to an additional privacy notice found here.

Unless our customers have explicitly agreed otherwise, we do not obtain personal data from the data our customers supply us with in order to provide them with a service. Data that our customers have provided us with in order for us to provide a service to them is processed in accordance with the “Handling Customer’s Data” section below.

Who Do We Share This Information With?

We may share Commercial Data (and that may include personal data) with others where lawful to do so including:

Other members and affiliates of the Dun & Bradstreet corporate family
Third parties to help us manage risk, fraud and to help provide us with information to effectively communicate with you to meet our legal obligations.
Service providers that help us with processing payments, marketing, research, compliance, audits, corporate governance, communications, and security
Worldwide Network Partners – independent business information providers across the world with whom we have entered into commercial agreements to help achieve a leading competitive position internationally in providing business information.
Customers – businesses and organisations with whom we enter into agreements to licence or access our data. Our customers enter into agreements or licences with us because they wish to manage their financial risks, protect against fraud, know who they are doing business with, meet compliance and regulatory obligations, better understand organisations, industries and markets or carry out direct marketing.
Resellers – we licence information to authorized resellers and third party businesses for reselling.
Any people or companies where required if we sell our business to a third party, or go through a corporate reorganisation.
Law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities, if required by law, or if required for the legal protection of our legitimate interests in compliance with applicable laws. 
Other parties involved in any disputes, grievances and investigations.
Fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity.
As required or appropriate in order to protect our website, business operations or legal rights.

Profiling

We use the information we obtain in order to produce scores and ratings such as D&B’s Failure and Delinquency Scores, the D&B Rating, D&B’s Maximum Credit and the D&B Payment Score. We may also carry out customised profiles for our customers. We use highly developed scoring models and algorithms, based on previous similar circumstances, adverse events and economic forecasts to produce a score.

We advise our customers how to interpret and use our scores. Our customers may choose to use our scores alone or combine the scores with other information available to them. Their decision making will be based around whether to insure or market to, extend credit, acquire, trade or partner with a business. Our scores predict whether a business is likely to continue trading, pay its bills on time, receive credit, whether they would be likely to purchase a product or service, where they benchmark within their industry or whether they are subject to any specific risks. We do not make any decisions about an organisation – we do not hold blacklists and we do not tell our customers whether to trade with an organisation or not.

International Transfers

We transfer personal data to recipients outside the EU and rely on adequacy decisions, data transfer agreements or other EU approved mechanisms for such transfers. Prior to transferring data out of the EU we carry out transfer impact assessments and implement any supplementary measures to ensure any data transferred will be maintained in accordance with EU requirements. If you require further information on this please contact the Data Protection Officer on EUDPO@dnb.com

Data Retention

Personal data is stored for varying lengths depending on the nature and purpose for which it was collected. We store personal data in line with any applicable statutory minimum periods, and then review it periodically (usually annually) to ensure it is still necessary to be retained for the purpose for which it was collected. Where there is a statutory maximum for which data can be retained, such as County Court Judgements, we will delete accordingly on expiration.

Grounds of Processing

We’ll only use your information where we have your consent or we have another lawful reason for using it. These reasons include:

Legitimate interests. D&B’s legitimate business interest is the supply of commercial data (and the marketing of our business). The purpose of this processing is to enable businesses to manage their financial risks, protect against fraud, know who they are doing business with, meet compliance and regulatory obligations and better understand organisations, industries and markets. We have carried out assessments of our legitimate interests and weighed these against the interests, fundamental rights and freedoms of the individuals we process data on.
To comply with a legal obligation. For example, if you submit a request to us for a copy of your personal data, either directly or through a third party that you have authorised to act on your behalf, we will normally be legally required to provide that personal data.
The use of your information in the public interest (e.g., for the purpose of preventing or reporting crime).

Data Subject Rights

You have the right to request from us confirmation of whether we are processing your personal data, and if so access to that information. Please see the links on the left for further information about how to request access to your information. This may take up to 28 days, however you may be able to obtain specific information about your personal data immediately by contacting Customer Services.

If any of your personal data is inaccurate you have a right to request rectification. We are very keen to ensure the data we hold is accurate and up to date. Please contact Customer Services.

You have the right to object to our processing and/or request it is deleted or restricted. In considering our response we undertake to ensure your interests, fundamental rights and freedoms are properly balanced against our legitimate interests. We will also look at whether it is still necessary to process your data for the purpose it was collected. Please contact Customer Services for more information.

Before we are able to provide you with any information or correct any inaccuracies we may ask you to verify your identity and to provide other details to help us identify you and respond to your request.

Objecting to receiving direct marketing:

We will always observe your objection to receiving either our Dun & Bradstreet marketing or to us passing on your contact details to third parties for their direct marketing purposes: You can either contact Customer Services including the name, business name, address, telephone number and email address that you wish to have excluded, or you can do this yourself by following these links:

Click here to opt out of receiving information about Dun & Bradstreet products and services

Click here to opt out of receiving information from our customers

You are also able to contact D&B’s data protection officer at any time on EUDPO@dnb.com.

Additional Rights In Relation to Credit Reporting

Statutory Report

If you or your organisation are the owner of an unincorporated business (e.g. sole trader or small partnership) or a director of a UK registered business with an annual turnover of less than £25 million, (and is not part of a group which as a whole has an annual turnover of over £25 million) you can obtain a copy of your organisation's credit file based on the information we hold about you. Please click here for more information and to obtain a copy of your credit report. Again we may ask you to provide certain information to allow us to identify your file. Data supplied to us for the purpose of receiving your statutory credit report is only used for that purpose (including identification and fraud checks).

Notice of Correction

Any organization can ask us to correct, remove or amend any information on their report by contacting Customer Services. We will contact you within 28 days of receiving your email to let you know that we have either removed or amended the entry, or taken no action. If we have amended the file, we will provide you with a copy of your amended entry.

Within 28 days of us contacting you, you may contact us again to ask us to add a notice of correction to your file (unless we have told you we have removed the incorrect entry from your file). If you want to do this, you will need to send us your notice of correction (up to 200 words). We will then confirm receipt and let you know that we will add the notice to the file. If you do not hear from us within 28 days, or we think it would be improper to publish the notice of correction (for example, because it is incorrect), then either you or we may apply to the Financial Conduct Authority (if you are a sole trader, small partnership or unincorporated association) or the Information Commissioner, (where the error relates to personal data about an individual) as appropriate, who may order as they see fit. There is a statutory fee and prescribed form for this.

Please click here for complaints relating to our credit scoring.

Handling Our Customers’ Data

Sometimes our customers provide us with their business data, such as their customer, supplier or prospect data – which may contain personal data - in order for us to provide them a service. In these instances we are the processor of any personal data contained in their data. Different parts of the GDPR apply when we act as a processor and we take these obligations very seriously. The above notice does not apply to our data received from our customers as this does not become D&B data (unless the customer has expressly agreed to this). We handle the data our customers provide us in strict accordance with the agreement found here - and only for the purposes of this agreement.

Updating this Privacy Notice

We strive for continuous improvement in our services, processes and protecting data subject rights. We will therefore update this privacy notice from time to time. Therefore, we advise you to check this notice on a regular basis, or if requested we will send it to you on a regular basis. We are also happy to provide previous versions of this Notice on request.

Complaints

All complaints or concerns and appropriate resolution relating to the practices of handling personal information will be logged. Any complaints of this nature should be made to Customer Services or the EU Data Protection Officer at EUDPO@dnb.com at:

Dun & Bradstreet Limited
The Point
37 North Wharf Road
London, W2 1AF

Our representative in the EU is:
Dun & Bradstreet Information Solutions Unlimited Company
The Chase Sandyford Industrial Estate
Carmanhall Road
Sandyford Business Park
Dublin 18
Dublin
Ireland D18 Y3X2

You also have the right to lodge a complaint with your local data protection supervisory authority Contact details for data protection authorities are available here.

For all other complaints, including complaints relating to credit scoring please see the Complaint Process.