Privacy notice regarding Data HQ business database

GDPR and PECR position and statements

Privacy Notice regarding Data HQ business database.

IMPORTANT - This notice explains that Data HQ Limited has obtained your personal data from a business marketing database provided by Creditsafe Business Solutions Ltd and/or Dun and Bradstreet Ltd and/or Cognism Ltd, we may have also obtained data directly from your public online business social profiles or your company’s website.

Data HQ Limited (‘the Company’) is responsible for the processing of personal data and is a data controller for the purposes of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation (‘GDPR’)). The Company’s registered address is Hyatt Place, 50-60 Broomfield Road, Chelmsford, CM11SW (company no. 04193862). The Data Protection Officer (‘DPO’) is contactable at or on 01245 807470. This notice is produced in accordance with relevant data protection law.

The categories of personal data we are processing

We are processing your:

  • Name
  • Business mobile phone number (if applicable)
  • Business email address

Where we obtained your personal data

The Data HQ database is built from a variety of trusted and compliant data sources for UK B2B marketing. Predominantly our sources are obtained from Creditsafe Business Solutions Ltd and Dun and Bradstreet Ltd and Cognism Limited and data obtained directly from your business social profile or your company’s website. On occasion we may act as a Data Broker to obtain your data from specialist providers. Due diligence is carried out on all suppliers prior to the licensing and/or provision of their data.

Details of the processing

Data HQ Limited is processing your data on the basis that it has a legitimate interest pursuant to Article 6(1)(f) of the GDPR to process your data for commercial purposes. We will process your data in the following ways:

  • Store it in our secure servers. Your personal data is stored on our secure, UK based network, which meets internationally recognised security standards. Our systems are certified to Cyber Essentials Plus standards, and our hosted servers are certified to ISO 27001
  • Use and refer to it for statistical and marketing intelligence analysis
  • Combine it with other personal data to form marketing lists
  • Licence or sell those lists to other customers who would like to market to you (categories of these customers are listed below)

Recipients of your Data

In pursuance of our commercial purposes we will transfer your personal data to some or all of the following categories of recipients/industries:

  • Agriculture, Hunting and Forestry
  • Fishing
  • Mining and Quarrying
  • Manufacturing
  • Electricity, Gas and Water Supply
  • Construction
  • Wholesale and Retail Trade; Repair of Motor Vehicles and Goods
  • Hotels and Restaurants
  • Transport, Storage and Communication
  • Financial Intermediation
  • Real Estate, Renting and Business Activities
  • Public Administration and Defence, Compulsory Social Security
  • Education, including Higher Education
  • Health and Social Work
  • Other Community, Social and Personal Service Activities

Other Transfers

Your data is not transferred internationally by us. It may be disclosed to international organisations with offices within the European Economic Area only. These organisations will be subject to an adequacy decision pursuant to Article 45 from the European Commission.

Data Retention Period

Your data will be retained only for the duration that it is required for Data HQ to perform its services to our clients.


We do not conduct specific profiling or automated decision-making processes on your personal data. We will use it to generate market intelligence analysis and general statistical analysis. These processes will not have any foreseeable legal affects concerning you.

IMPORTANT – Your Rights

Access - Firstly you have the right to access your personal data (a Data Subject Access Request). You will need to prove your identity to us in order for us to provide you with access to the personal data we are processing.

Rectification - If your personal data is inaccurate, you have the right to have it rectified.

Erasure - Under certain conditions you have the right to have your personal data erased from our database, (the right ‘to be forgotten’).

Restriction - You can suppress the processing of your personal data. This might be applicable where you do not object to us holding it, but you do not agree to it being processed in certain way/s.

The Right to Object - Where a data controller processes your personal data because they have legitimate interests to process it where your consent has not been obtained vis-à-vis that processing, you may object to that processing.

Data Portability - If you provided us with your personal data directly, and we are processing that data in a digital format, based on your consent or under a contract between us, you have the right to request a machine-readable copy of the personal data we are processing.

Automated Individual Decision-Making or Profiling - You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects you. This applies to processes without human intervention. As mentioned above, this does not apply to the processing of your personal data by Data HQ Limited in this instance.

Objecting to Processing

If you do not want Data HQ Limited, or its recipients as listed above to process your personal data as explained above, you may exercise your rights to object or to erasure. You can do this by contacting the DPO at the above email address at any time, and we will comply with your request in accordance with the relevant provisions of the GDPR.

Making a Complaint

You have the right to lodge a complaint with the Supervisory Authority, which in the UK is the Information Commissioner’s Office (ICO). Full details can be found on the ICO’s website

PECR (Privacy and Electronic Communications Regulations)

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.

There are specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

In a nutshell it is not lawful to send e-mail marketing to sole traders or partnerships as they are considered to be ‘individuals’ and therefore your company will need prior specific and clear consent to do so. This is why Data HQ does not supply personal email addresses of sole traders and partnerships to our customers.

However, it is lawful to send emails and make phone calls to individuals at corporate bodies. It is good practice to offer an opt-out mechanism and the list must be screened against CTPS and TPS within 28 days of you calling the data.

For absolute clarification please see the following links and extracts taken from the ICO website in Nov 2020

When can we email or text businesses?

Sole traders and some partnerships are treated as individuals – so you can only email or text them if they have specifically consented, or if they bought a similar product from you in the past and didn’t opt out from marketing messages when you gave them that chance.

You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.

You may also need to consider data protection implications if you are emailing employees at a corporate body who have personal corporate email addresses (e.g. For further information, see our guidance on direct marketing.

Business-to-business texts and emails

GDPR Update

If you are processing an individual’s personal data to send business to business texts and emails the right to object at any time to processing of their personal data for the purposes of direct marketing will apply. The right to object to marketing is absolute and you must stop processing for these purposes when someone objects. See our right to object guidance for further details.

142.These rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies e.g. limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.

143.However, it serves little purpose to send unsolicited marketing messages to those who have gone to the trouble of saying they do not want to receive them.

144.Corporate subscribers do not include sole traders and some partnerships who instead have the same protection as individual customers. If an organisation does not know whether a business customer is a corporate body or not, it cannot be sure which rules apply. Therefore, we strongly recommend that organisations respect requests from any business not to email them.

145.In addition, many employees have personal corporate email addresses (e.g., and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address