What steps has Clearbit taken to help its Customers be ready for GDPR?
Within our product:
Clearbit requires minimal business contact information (e.g., email address) to process and return results. We offer plans to Eligible Customers that limit processing of EU personal data altogether (please refer to our "EU data suppression" settings) and we have built features to enable us to respond to Customer Requests to erase applicable personal data.
As a business:
Clearbit offers a Data Processing Agreement to Eligible Customers to address required terms related to purposes of processing, security incidents, storage, and more. Our Data Processing Agreement has been updated to implement the new Standard Contractual Clauses to meet GDPR requirements for relevant international data transfers. Please refer to Additional Information below for more detail.
What information does Clearbit process or collect?
Clearbit combines numerous public and private data sources (including company websites, legal filings, social presence) to provide business intelligence. Clearbit only processes B2B data for your use within a business context, regardless of where an individual is based, across all of our solutions. This usually includes things like their job role and details about their employing company. This means that Clearbit does not provide or collect consumer data, which includes, but is not limited to, things like age, health, web browsing history, health records, or economic status. You can always see the latest list of data attributes at: clearbit.com/attributes.
In addition, Clearbit only requires minimal input (e.g., email address) to generate a resulting response and may not necessarily return or require input of any personal data, especially where only company data is being transmitted.
How can I reach out to EU Data Subjects in a GDPR compliant manner?
Outreach to data subjects is permitted under GDPR, subject to certain requirements. You need to have a legal basis for reaching out to data subjects.
Most commonly, businesses can procure explicit opt-in consent from the data subject or, alternatively, establish that they have a legitimate interest in the outreach. We encourage you to work with your legal counsel to determine how to reach out to data subjects in a GDPR compliant manner.
Are there different ramifications based on the product(s) that Clearbit offers?
Yes, there are. Several of our products, such as Reveal or Company Enrichment, only return company-level information. Person Enrichment allows a Customer to submit information about an individual (such as the individual's email address) to enrich the business contact information they have about that individual.
As the data controller, the Customer is responsible for having collected this input information in accordance with GDPR and any other applicable laws and regulations. Clearbit's preferences.clearbit.com/privacy service provides functionality that helps Customers address data subject requests, such as requests for access, rectification, or erasure of personal data that Clearbit maintains about that individual on the customer's behalf.
With regards to Clearbit products such as Prospector, where personal data on EU subjects may be returned, Clearbit makes contractual commitments to its Eligible Customers about its responsibilities in gathering this data, and also reminds the Customer that they are ultimately responsible for how they use this information in accordance with rules and regulations. Clearbit's preferences.clearbit.com/privacy service provides functionality that helps Customers address data subject requests, such as requests for access, rectification, or erasure of personal data that Clearbit maintains about that individual on the customer's behalf.
Clearbit and the GDPR
The EU's General Data Protection Regulation (GDPR) strengthens the rights of EU individuals regarding how their personal data is used & collected. You, the Customer, may be based in the EU or engage in other activities that require you to comply with this new legislation. As part of this process, you may be verifying that you have appropriate arrangements in place with your vendors.
Today, thousands of organizations rely on Clearbit as the data backbone for their cutting-edge sales & marketing efforts. We know that our Customers take GDPR seriously and need vendors that can help accommodate their GDPR needs. Our legal, operations, and product teams have been hard at work in making sure we have appropriate product safeguards, policies, and knowledge to facilitate our Customers' continued use of Clearbit via SaaS App, API, or officially supported Partner integration (Partner). While you may need to adjust your growth strategies, Clearbit will continue to be available to help you regardless of how those evolve over time.
From a data privacy standpoint, Clearbit is the "data processor" of the data we handle on behalf of our Customers, whereas the Customer or Partner is usually the "data controller". As a data processor, Clearbit has obligations to comply with the terms of its data processing agreement with the data controller, which specifies how it can process personal data on the data controller's behalf.
Jurisdictional Privacy Control (Compliant with GDPR)
In order to help our customers comply with the EU's General Data Protection Regulation (GDPR), we've added EU suppression settings to both our Enrichment and Prospector products.
Enrichment Suppression settings
When enabled, Enrichment suppression prevents people with EU location data or with unknown location data from being returned in person enrichment. Emails of people that fall into these categories will return as Not Found, but Company data will be unaffected.
Note: This is a global setting that will affect results from Enrichment API and any integrations connected to your Clearbit account.
Prospector Suppression Settings
When enabled, Prospector suppression prevents people with EU location data or with unknown location data from being returned as a result in Prospector. This is particularly useful when prospecting into multi-national companies, where employees may not be located in the company's country of operation.
Learn how to enable EU suppression on your account here.
Clearbit is committed to helping our enterprise customers (Customers) maintain their compliance obligations under the EU's General Data Protection Regulation (GDPR).
Clearbit has taken a number of steps to help Customers of all sizes, from Fortune 500 to SMB, address their GDPR needs when using our enterprise services (applicable services are those covered by a Master Subscription Agreement between Clearbit and the Customer). For example:
- Clearbit's services provide functionality that helps customers address data subject requests, such as requests for access, rectification, or erasure of personal data that Clearbit maintains about that individual on the customer's behalf.
- Clearbit offers a Data Processing Agreement to qualifying, paid subscription Customers (Eligible Customers) to document our commitments as a data processor.
- We recently updated our Data Processing Agreement primarily to account for and incorporate the new Standard Contractual Clauses (SCCs) that the European Commission published on June 4, 2021 to address data transfers originating from the European Economic Area (EEA). These new SCCs are meant to better align with the regulatory requirements of the General Data Protection Regulation (GDPR), and to address issues highlighted in recent legal decisions such as Schrems II. We also took this opportunity to revise and reformat our Data Processing Agreement to make it easier to read and understand for all Eligible Customers.
- Further sections of this document offer more detail regarding our relevant technical and business policies.
Clearbit only processes B2B professional data, regardless of where an individual is based. This usually includes things like their job role and details about their employing company. This means that Clearbit does not provide or collect consumer-focused data such as age, health, web browsing history, health records, or economic status.
While Clearbit is committed to assisting its Customers in its role as a data processor, Customers are still ultimately responsible for adhering to their obligations as a “data controller.” Broadly speaking, this means that Customers are responsible for obligations such as:
- Properly collecting, processing, and transmitting personal data from EU subjects
- Properly marketing and communicating to current/potential customers
- Properly handling requests from EU data subjects, such as erasure and access
Clearbit and the European Union – GDPR
The GDPR (General Data Protection Regulation) is an EU regulation regarding the collection, use, and other processing of personal data that became effective on May 25, 2018, replacing the current EU Data Protection Directive. The GDPR established more rigorous obligations regarding the handling of personal data of EU residents. We encourage our customers to work with legal counsel to determine their compliance obligations under the GDPR and any other applicable laws and regulations.
- The GDPR expands the scope of data privacy coverage to potentially include companies which collect and use personal data of EU residents, even if those companies do not otherwise have a legal or physical presence in the EU.
- Customers using Clearbit content are responsible for establishing an appropriate legal basis for reaching out to data subjects, including EU data subjects, before communicating with them (e.g., sending marketing emails, showing ads, cold calling, etc.).
- Clearbit's services include features to help address customer obligations under data protection laws like GDPR including:
  - A strong commitment to both technical and organizational security measures.
  - Features that support customers' ability to handle data subject requests, such as requests for access, correction, or erasure, by allowing customers to access and modify applicable personal information collected by Clearbit via preferences.clearbit.com/privacy.
  - Features that support Customers' ability to handle data subject requests for data portability by allowing any customer to access applicable personal data Clearbit maintains on their behalf, in a structured and standardized format.
  - A Data Processing Agreement (DPA) upon request in conjunction with a Master Subscription Agreement (MSA). Clearbit reserves the right to require certain commercial terms with a given customer who makes such a request.
This is a summary of the current status of Clearbit's data policies and is not a comprehensive review or legal advice. Questions on Clearbit's data policies are welcome and are best directed to your Customer Success Manager or our Support team.
Last updated on November 22, 2021 by Catherine Zhu.