WhiteBlueOcean Ltd. is deeply committed to protecting your personal data. In accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR) we have set out this notice describing the personal data that we might process about you, why we process it, where we might get your personal data from, and how we handle it.
This notice also sets out how you can engage with us should you have any further questions about your personal data or how you can contact the Information Commissioner’s Office, if you have any concerns about how your personal data is being processed.
Who we are and how to contact us
WhiteBlueOcean is a company registered in the United Kingdom (Registration Number: 10931403) and our Data Protection Officer is contactable at dpo.uk@crif.com or if you wish to write to us in this regard, please use the following address:
Data Protection Officer
WhiteBlueOcean Ltd.
55 Old Broad Street
London EC2M 1RX
The type of information we have
WhiteBlueOcean Ltd (“We”) processes data both as a Data Controller, for our own purposes, and as a Data Processor on behalf of other entities.
1: DATA controller activities
Database construction
Our core Data Controller activity is the compilation of a database of personal information that is available on the “dark” web (the dark web is a portion of the world wide web that has been intentionally hidden and is inaccessible through standard browsers and methods). We continually update this database so that we can provide notifications to data subjects that their personal or financial data is available on the dark web and is therefore at risk of being used for illegal purposes. WhiteBlueOcean gathers this data by interacting with the typically anonymous actors in this dark web.
The data concerned includes basic contact details such as email addresses or telephone numbers, tax or social security numbers, bank accounts including credit cards.
Running our business
In the normal course of running our business we process the personal data of employees of our clients, suppliers and other third parties. Such data includes business contact details such as names, email addresses and phone numbers which may have been provided to us indirectly by your employer or our business partners rather than directly by you.
The information systems and software procedures involved in the operation of this site acquire certain personal data during their normal operation. The transmission of this data is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified parties, however, due to its very nature, it could make it possible to identify users through processing activity and association with data held by third parties. The type of data acquired includes IP addresses and the domain names of users' computers who connect to the site, the addresses of the resources requested in URI notation (Uniform Resource Identifier), the time the request was made, the method used in making the request to the server, and other parameters related to the operating system and the computer environment of the user. The optional and voluntary sending of emails to the addresses indicated on the site, involves the acquisition of the user's personal data, necessary in order to respond to their requests.
2: DATA processor activities
We act as a Data Processor in the provision of a number of services and in these roles, we process the data provided to us by the respective Data Controllers, and act solely on the instructions of those Data Controllers:
We are a Data Processor
• on behalf of our client companies who in turn provide services whereby they can alert their customers if specified personal or financial data is discovered on the “dark” web that would constitute a risk to the customer’s financial status. This includes processing required to support the maintenance of subscriptions to such services.
• on behalf of the same client companies where typically the services provided include ‘real time’ searches on the “public” or visible web for specified personal or financial data. This includes processing required to support the maintenance of subscriptions to such services.
• on behalf of client companies where we are requested to check for the presence of specified credit card numbers in our “dark” web database.
Why we may have your data and how we get it
Dark Web Database construction
The nature of this database requires us to interact on the dark web with anonymous individuals who may be engaged in criminal activity such as selling stolen financial or identity data. Indeed the nature of this activity is that we must continually update our database with the data we gather from the dark web because unlike for the “normal” or visible web, it is not possible to carry out on-demand searches of the entire dark web for the data of specific individuals by using a search engine.
Consequently, in maintaining our database of dark web data, we may gather financial or personal data of individuals who are not and may never be users of our clients’ services.
We gather this data on the basis of our Legitimate Interests and the Legitimate Interests of our clients and their customers. We have prepared a Legitimate Interests Assessment to illustrate how these Legitimate Interests are not overridden by the interests or fundamental rights and freedoms of the data subjects concerned. The full Legitimate Interest Assessment is available on application to the DPO as set out above.
If we were to receive data subject access requests from individuals seeking to understand what data might be held on them, we might need to seek additional data in order to verify that the inquiry is indeed coming from the data subject in question.
Data Processor activities
For these services, we act on the instructions of our clients who provide the names and other specific details of individuals who wish to be alerted to the presence of their personal data in our dark web database or in ‘real-time’ searches on the public or visible web.
Clients might also provide credit card numbers or partial numbers where it is simply the presence of that data that needs to be checked.
Running our business
Your information may have been gathered from your employer who provides a service to us or takes a service from us. Such data can be used to enable us to administer your or your employer’s contract with us, including invoicing, debt recovery etc.
Our legal basis for processing this data is either for our legitimate interests or on the basis of consent. If we are dealing with your employer, they should be advising you as to why they are providing your personal data to their customers or suppliers.
Purpose of Processing Activity |
Legal Basis |
Source of data |
Constructing Dark Web database |
Legitimate Interests |
Engagement with Dark Web actors |
Administrating sales and purchasing contracts |
Legitimate Interests |
Contracting entities |
Answering your queries from the web form |
Legitimate Interests |
Provided by you |
What we do with the information
As a Data Controller, we are principally concerned with the construction of the database of individuals whose personal data has been found on the “dark” web.
Our client companies provide alert services to their customers as to personal data that is either on the dark web or public/visible web. We act as a Data Processor to these client companies in the provision of such services, including where we search our dark web database for data related to specific individuals on the instructions of the respective client companies (the Data Controllers).
How long do we store your information for
Where we are the Data Controller, we keep the information for three years.
On a case by case basis, records may be retained for longer where required for actual or potential legal actions or investigations by supervisory authorities.
Where we are a data processor, we keep your data for as long as the Data Controller asks us to taking into account the instructions set out in the Data Processor Agreement signed with them.
Your data protection rights
Where we are processing your personal data as a Data Controller, you may have the right to request of us access to, and rectification or erasure, of personal data or the restriction of the processing concerning your data or to object to the processing as well as the right to data portability.
Please bear in mind that your rights in relation to your Personal Data are not absolute. It is important to note that we are processing much of the data on the basis of legitimate interests rather than consent. This means there is no absolute right to have such data erased, but you may have rights to both object to such processing or to restrict it.
Please contact us at the email or postal addresses at the top of this notice if you wish to make a data subject request.
In our role as Data Processor, we also hold personal data. In such cases, you would need to contact the respective “Data Controller” to exercise your data protection rights. If you have any requests we can direct you to the appropriate Data Controller.
How to complain
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s postal address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline telephone number: 0303 123 1113
Online at https://ico.org.uk/make-a-complaint/
COOKIE NOTICE: This site places cookies on your device as was explained when you entered. Details of those cookies and other tracking technologies can be found by following this link.
Date: November 2020