Clearbit and the GDPR
In order to help our customers comply with the EU’s General Data Protection Regulation (GDPR), we've added EU suppression settings to both our Enrichment and Prospector products.
Enrichment Suppression settings:
When enabled, Enrichment suppression prevents people with EU location data or with unknown location data from being returned in person enrichment. Emails of people that fall into these categories will return as Not Found, but Company data will be unaffected.
Note: This is a global setting that will affect results from Enrichment API and any integrations connected to your Clearbit account.
Prospector Suppression Settings
When enabled, Prospector suppression prevents people with EU location data or with unknown location data from being returned as a result in Prospector. This is particularly useful when prospecting into multi-national companies, where employees may not be located in the company’s country of operation.
Learn how to enable EU suppression on your account here
Clearbit is committed to helping our enterprise customers (Customers) as they get ready for the EU’s General Data Protection Regulation (GDPR). GDPR officially goes into effect on May 25, 2018.
Clearbit has taken a number of steps to help Customers of all sizes, from Fortune 500 to SMB, address their GDPR needs when using our enterprise services (applicable services are those covered by a Master Subscription Agreement between Clearbit and the Customer). For example:
- Clearbit’s services provide functionality that helps customers address data subject requests, such as requests for access, rectification, or erasure of personal data that Clearbit maintains about that individual on the customer’s behalf.
- Clearbit offers a Data Processing Agreement to qualifying, paid subscription Customers (Eligible Customers) to document our commitments as a data processor.
- Further sections of this document offer more detail regarding our relevant technical and business policies.
Keep in mind that Clearbit only processes professional data, regardless of where an individual is based. This usually includes things like their job role and details about their employing company. This means that Clearbit does not provide or collect consumer-focused data such as age, health, web browsing history, health records, or economic status.
While Clearbit is committed to assisting its Customers in its role as a data processor, Customers are still ultimately responsible for adhering to their obligations as a “data controller.” Broadly speaking, this means that Customers are responsible for obligations such as:
- Properly collecting, processing, and transmitting personal data from EU subjects
- Properly marketing and communicating to current/potential customers
- Properly handling requests from EU data subjects, such as erasure and access.
The EU’s General Data Protection Regulation (GDPR) strengthens the rights of EU individuals regarding how their personal data is used & collected. You, the Customer, may be based in the EU or engage in other activities that require you to comply with this new legislation. As part of this process, you may be verifying that you have appropriate arrangements in place with your vendors.
Today, thousands of organizations rely on Clearbit as the data backbone for their cutting-edge sales & marketing efforts. We know that our Customers take GDPR seriously and need vendors that can help accommodate their GDPR needs. For the past 12 months, our legal, operations, and product teams have been hard at work in making sure we have appropriate product safeguards, policies, and knowledge to facilitate our Customers’ continued use of Clearbit via SaaS App, API, or officially supported Partner integration (Partner). While you may need to adjust your growth strategies, Clearbit will continue to be available to help you regardless of how those evolve over time.
Clearbit is almost always the “data processor” of the data we handle on behalf of our Customers, whereas the Customer or Partner is usually the “data controller”. In plain English, that effectively means that the data controller’s responsibility is to collect, process, and transmit data in compliance with applicable laws such as GDPR and it’s the data processor’s responsibility to comply with the terms of its data processing agreement with the data controller, which specifies how it can process personal data on the data controller’s behalf.
What steps has Clearbit taken to help its Customers be ready for GDPR?
Clearbit has built features to help Eligible Customers address data subject (i.e. your customers or potential customers) requests, such as to access and erase applicable personal data.
Clearbit requires minimal personal information (ex. an email address) to process and return results.
Clearbit will offer plans to Eligible Customers that limit processing of EU personal data altogether.
Clearbit offers a Data Processing Agreement to Eligible Customers to address required terms related to purposes of processing, security incidents, storage, and more.
Clearbit is EU-US / Swiss-US Privacy Shield certified, which is a mechanism to protect EU personal data transferred to non-EU countries. Our Privacy Shield certification allows Customers to send personal data to us from the EU.
What information does Clearbit process or collect?
Clearbit only processes professional data, regardless of where an individual is based, across all of our solutions. This usually includes things like their job role and details about their employing company. This means that Clearbit does not provide or collect consumer data, which includes, but is not limited to, things like age, health, web browsing history, health records, or economic status. You can always see the latest list of data attributes at: clearbit.com/attributes.
In addition, Clearbit only requires minimal input (ex. email address) to generate a resulting response and may not necessarily return or require input of any personal data, especially where only company data is being transmitted.
Does using Clearbit mean that I have “consent” or “legitimate interest” to reach out to EU Data Subjects?
In short – the answer is no. The data controller is ultimately responsible for how it uses data collected from its own customers or from a 3rd party vendor, such as Clearbit.
It remains the Customer’s responsibility, as the data controller, to ensure that it has a legal basis to use that information and any required consent to send marketing or other communications to the individual. As the data processor, we depend on our Customers to adhere to their own responsibilities as far as how they communicate with customers/prospective customers.
Are there different ramifications based on the product(s) that Clearbit offers?
Yes, there are. Several of our products, such as Reveal or Company Enrichment, only return company-level information.
Person Enrichment allows a Customer to submit information about an individual, such as the individual’s email address, to enrich the business contact information they have about that individual. As the data controller, the Customer is responsible for having collected this input information in accordance with the GDPR and any other applicable laws and regulations. Clearbit’s claim.clearbit.com service provides functionality that helps Customers address data subject requests, such as requests for access, rectification, or erasure of personal data that Clearbit maintains about that individual on the customer’s behalf.
With regard to Clearbit products such as Prospector, where personal data on EU subjects may be returned, Clearbit makes contractual commitments to its Eligible Customers about its responsibilities in gathering this data, and also reminds the Customer that they are ultimately responsible for how they use this information in accordance with rules and regulations. For example, if Clearbit is used to source email addresses of EU data subjects, the Customer assumes the risk in facilitating that communication without consent or legitimate interest. Clearbit’s claim.clearbit.com service provides functionality that helps Customers address data subject requests, such as requests for access, rectification, or erasure of personal data that Clearbit maintains about that individual on the customer’s behalf.
Clearbit and the European Union – GDPR and EU-U.S. / Swiss-U.S. Privacy Shield:
This document is a summary of our current policies and practices relating to European Union data privacy laws.
EU-U.S. / Swiss-U.S. Privacy Shield:
EU-U.S. / Swiss-U.S. Privacy Shield covers the transfer of personal data from the EU to the US. US companies that certify to and comply with the Privacy Shield principles have established a legal mechanism to receive personal data from customers in the EU.
The GDPR (General Data Protection Regulation) is a new EU regulation regarding the collection, use, and other processing of personal data that will become effective on May 25, 2018, replacing the current EU Data Protection Directive. The GDPR establishes more rigorous obligations regarding the handling of personal data of EU residents. Ultimately Clearbit’s customers are responsible for determining their compliance obligations under the GDPR and any other applicable laws and regulations.
- The GDPR expands the scope of data privacy coverage to potentially include companies which collect and use personal data of EU residents, even if those companies do not otherwise have a legal or physical presence in the EU.
- Customers using Clearbit content are responsible for obtaining any required consent from data subjects, including EU data subjects, before communicating with them (e.g. sending marketing emails, showing ads, cold calling, etc). Clearbit does not undertake this responsibility on behalf of its customers even where Clearbit data is used.
- For Eligible Clearbit customers, a future release of our services will include an optional EU Company Data Only feature. When this feature is enabled, Clearbit will make best efforts to return only EU company data and exclude return of personal data for data subjects located in the EU.
Clearbit’s services include features to help address customer obligations under data protection laws like GDPR including:
- A strong commitment to both technical and organizational security measures.
- Features that support customers’ ability to handle data subject requests, such as requests for access, correction, or erasure, by allowing customers to access and modify applicable personal information collected by Clearbit via claim.clearbit.com.
- Features that support Customers’ ability to handle data subject requests for data portability by allowing any customer to access applicable personal data Clearbit maintains on their behalf, in a structured and standardized format.
- A Data Processing Agreement (DPA) upon request in conjunction with a Master Subscription Agreement (MSA). Clearbit reserves the right to require certain commercial terms with a given customer who makes such a request.
This is a summary of the current status of Clearbit’s data policies and is not a comprehensive review or legal advice. Questions on Clearbit’s data policies are welcome and are best directed to your Customer Success Manager or our Support team.