Privacy Policy
1. Purpose and Scope
This Privacy Policy explains how Bedrock Business Outsourcing (BBO) processes personal data strictly as a Data Processor on behalf of its clients (the Controllers).
BBO is committed to compliance with the following frameworks and legislation:
- General Data Protection Regulation (GDPR) (EU 2016/679) and UK GDPR;
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada’s Anti-Spam Legislation (CASL);
- Singapore’s Personal Data Protection Act (PDPA);
- Other applicable data protection and privacy laws depending on the jurisdictions in which our clients operate.
BBO collects and processes data solely on the documented instructions of its clients. Under no circumstances does BBO sell, rent, or use personal data for its own purposes outside of the agreed scope of services.
2. Data Categories Processed
BBO processes only professional, business-related contact data. We do not collect consumer or private personal information unrelated to professional activities. The categories of data we may process include, but are not limited to:
2.1 Identification and Professional Details
- Full name (first name, surname, and, where applicable, middle initials);
- Job title, function, or professional role within the company;
- Department, division, or area of responsibility;
- Professional qualifications, certifications, or memberships (if publicly available or client-provided).
2.2 Company and Organizational Information
- Company name and trading style;
- Registered business address and office locations;
- Industry sector, business activity, and company size;
- Corporate hierarchy (subsidiaries, affiliates, parent company) where relevant.
2.3 Professional Contact Information
- Business email addresses (including verified formats such as firstname.lastname@company.com);
- Business telephone numbers, including switchboard, direct lines, and extensions;
- Professional mobile numbers, only if publicly available or voluntarily confirmed during verification;
- Fax numbers where still used for business communication.
2.4 Technical and Contextual Information
- Office location, branch office identifiers, or country of employment;
- Professional social media handles or identifiers (e.g. LinkedIn profile URLs), where publicly available;
- Corporate domains used for business communication.
2.5 Exclusions – Sensitive or Special Categories of Data
BBO does not collect or process special categories of personal data as defined in Article 9 GDPR, nor personal data relating to criminal convictions and offences under Article 10 GDPR. This covers:
- Racial or ethnic origin;
- Political opinions or affiliations;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic or biometric data;
- Health data;
- Sex life or sexual orientation;
- Criminal convictions or offences (Article 10 GDPR).
If such information is inadvertently encountered during research, it is immediately excluded from datasets and not processed further.
2.6 Alignment with Data Minimization Principle
All data is collected strictly in line with the principle of data minimization. Only information necessary, relevant, and proportionate to the client’s specified purpose (B2B lead generation, list enrichment, or verification) is processed.
3. Sources of Data Collection
BBO follows a structured and transparent methodology for collecting professional business data. We obtain information only from lawful, reliable, and business-relevant sources. These sources include, but are not limited to:
3.1 Publicly Accessible Professional Sources
- Corporate websites (official staff directories, press releases, contact pages);
- Professional networking platforms (e.g., LinkedIn, Xing, industry portals);
- Business directories and registers (trade associations, chambers of commerce, professional licensing boards);
- Published business content (conference agendas, professional publications, press mentions, industry reports).
These sources are publicly available and intended for professional use.
3.2 Client-Provided Data
- Clients may provide datasets for validation, cleansing, or enrichment.
- BBO processes such data strictly under client instructions and does not alter the scope defined by the client.
- When enrichment is requested, BBO supplements client lists with additional business-relevant information from public sources.
3.3 Telephonic Research and Direct Outreach
- Calls to company switchboards or reception desks to confirm an employee’s role, job title, and professional contact details;
- Direct conversations with the professional (where available), during which the purpose of the call is clearly explained (e.g., confirming employment details on behalf of a client conducting lawful B2B outreach);
- Verification of company-wide email formats through standard receptionist or HR enquiries, based on legitimate interest for accuracy of business contact data.
3.4 Third-Party Validation Tools
- Use of third-party platforms for email validation, domain checks, or contact hygiene;
- All providers are vetted for compliance with GDPR and equivalent standards;
- Formal Data Processing Agreements (DPAs) are in place with these sub-processors to ensure confidentiality, security, and lawful use of the data.
3.5 Exclusions and Restrictions
- BBO does not use covert scraping, hidden surveillance, consumer data brokers, or sources that are not lawfully and openly accessible.
- No behavioural tracking, cookies, or IP address monitoring are conducted.
- If sensitive or special category data is inadvertently encountered, it is excluded immediately and not processed further.
4. Purpose of Processing
BBO processes professional business contact data exclusively for the purpose of delivering contracted B2B services to its clients. These purposes are limited, clearly defined, and strictly aligned with client instructions. They include:
4.1 Building Targeted B2B Contact Lists
- Compiling bespoke contact lists tailored to the client’s specific requirements (e.g., industry, job title, geography, company size).
- Ensuring accuracy and relevance by cross-verifying information from multiple lawful sources.
4.2 Data Enrichment and Cleansing
- Enhancing existing datasets provided by clients by adding missing or supplementary professional details (such as direct phone lines, verified email formats, or updated job titles).
- Removing duplicates, outdated entries, and correcting inaccuracies to maintain dataset quality.
4.3 Verification and Validation
- Conducting structured web research and telephonic outreach to confirm the accuracy of professional roles and contact details.
- Applying third-party validation tools (e.g., email hygiene and deliverability checks) to ensure technical accuracy and reduce bounce rates.
4.4 Data Formatting and Delivery
- Structuring the data in a consistent, machine-readable format (such as CSV, Excel, or client-specified template).
- Delivering the data securely through encrypted channels or protected links.
4.5 Supporting Client Compliance
- Assisting clients in meeting their own compliance obligations under GDPR, CASL, PDPA, and similar frameworks by providing verified professional contact data;
- Ensuring that the datasets supplied are suitable for use under a lawful basis such as legitimate interest or consent (where applicable).
4.6 Explicit Exclusions
- BBO does not directly engage in marketing, sales, or promotional communications to data subjects;
- BBO does not profile individuals, monitor online behaviour, or combine business contact data with consumer or sensitive data;
- All outreach to data subjects is conducted directly by the client, who acts as the Controller and bears full responsibility for compliance with direct marketing and e-privacy laws.
5. Lawful Bases for Processing
BBO processes personal data exclusively on the documented instructions of its clients (the Controllers). The legal bases relied upon for processing depend on the applicable jurisdiction and the client’s lawful purpose.
5.1 GDPR and UK GDPR
Under Article 6 GDPR and UK GDPR, processing of personal data must be based on one or more lawful bases. For professional business contact data, the following apply:
- Legitimate Interests (Article 6(1)(f)) – The Controller’s legitimate interest in lawful B2B communication is the usual basis on which BBO processes professional contact data. The data must be proportionate, relevant, and limited to business use only. Clients must conduct and document a Legitimate Interests Assessment (LIA) demonstrating that their interests are not overridden by the interests, rights, and freedoms of the data subjects.
- Contractual Necessity (Article 6(1)(b)) – Applies only where the data subject is a party to the contract (for example, an existing customer or supplier relationship between the Controller and the data subject). BBO’s own service agreement with the client governs BBO’s role as Processor and does not, by itself, supply a lawful basis for processing the data subject’s personal data.
- Consent (Article 6(1)(a)) – Where explicit consent has been lawfully obtained and documented by the Controller, BBO may process the data in accordance with such consent. This basis is less common in B2B contexts but may apply in jurisdictions or situations where consent is required.
5.2 Canada – PIPEDA and CASL
- PIPEDA (Personal Information Protection and Electronic Documents Act) – Requires meaningful consent for data collection and processing. In a B2B context, consent is often implied where the information is professional, publicly available, and used for purposes consistent with the individual’s role.
- CASL (Canada’s Anti-Spam Legislation) – Governs commercial electronic messages (CEMs). While BBO does not send CEMs, clients using BBO’s data must ensure CASL compliance by:
- Providing identification and contact details;
- Ensuring the communication is relevant to the recipient’s professional role;
- Including a clear and functioning unsubscribe mechanism.
5.3 Singapore – PDPA (Personal Data Protection Act 2012)
- Consent Principle – Consent is the default basis for processing personal data.
- Legitimate Interests Exception – Permits processing without consent if the benefits to the organisation or third parties outweigh any adverse effects on individuals, provided safeguards are in place.
- Publicly Available Data – PDPA permits use of data that has been made publicly available, provided it is collected reasonably and for legitimate business purposes.
- Spam Control Act – Regulates unsolicited electronic messages; clients are responsible for ensuring compliance when using datasets for outreach.
5.4 Adherence to GDPR Principles
In addition to lawful bases, all processing is carried out in line with the data protection principles under Article 5 GDPR: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
6. Data Sharing and International Transfers
BBO does not disclose personal data to third parties except in the following limited circumstances:
- On documented instructions from the client (Controller);
- Where required by law, regulation, or court order;
- Where necessary to ensure secure and reliable service delivery, for example through trusted infrastructure, hosting, and software providers.
BBO does not sell or otherwise monetize personal data.
6.1 International Transfers under GDPR (Chapter V)
Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland, BBO ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR and equivalent provisions under UK GDPR and the Swiss FADP.
These safeguards include:
- EU Standard Contractual Clauses (SCCs, 2021/914, Module 2 – Controller to Processor): incorporated into all relevant Data Processing Agreements for transfers from the EU/EEA;
- UK International Data Transfer Addendum (B1.0, 21 March 2022): applied to restricted transfers from the United Kingdom;
- Swiss Addendum: applied to transfers of personal data subject to the Swiss Federal Data Protection Act (FADP).
Where applicable, BBO also considers supplementary technical and organisational measures (encryption, pseudonymisation, access restrictions) to address potential conflicts of law in third-country jurisdictions.
6.2 Sub-Processors
BBO engages a limited number of trusted sub-processors to support its services. All sub-processors are contractually bound by Data Processing Agreements that include equivalent safeguards and, where applicable, Standard Contractual Clauses.
Current authorised sub-processors include:
- Microsoft Corporation – cloud storage and hosting services (Microsoft OneDrive), including encryption and secure access controls;
- Google LLC – cloud-based productivity and collaboration services (Google Workspace), including secure login and document processing;
- IONOS Inc. (1&1 IONOS) – professional email hosting services, including secure sending, receiving, and storage of communications.
6.3 Ongoing Oversight
- BBO maintains an updated list of sub-processors in Annex III of its Data Processing Agreement.
- Clients are notified in advance of any intended changes to sub-processors and are given the opportunity to object within a defined timeframe.
- BBO remains fully liable for the acts and omissions of its sub-processors.
6.4 Transparency
Data subjects and clients may request additional details of the safeguards applied to international transfers by contacting BBO’s Data Protection Officer at dpo@bbocompany.com.
7. Data Retention
BBO retains personal data only for as long as necessary to fulfil contractual obligations, comply with applicable legal requirements, and in line with the documented instructions of its clients (Controllers).
7.1 General Retention Periods
- Working datasets: retained for up to 24 months from the date of delivery to the client, to allow clients to re-access and confirm data integrity if needed.
- Temporary system backups: retained solely for operational continuity and disaster recovery purposes. These backups are automatically overwritten and fully erased within defined timeframes.
- Client instructions: if a client requests earlier deletion or return of data, BBO will comply without undue delay, subject to reasonable verification of the request.
7.2 Secure Deletion
At the end of the retention period, or upon client request, data is securely and permanently deleted from BBO’s systems using recognised industry-standard erasure methods. Where deletion is not technically possible (e.g., within immutable backup archives), the data is placed beyond operational use until automated overwriting occurs.
7.3 Exceptions
- Legal obligations: Certain records may be retained longer if required by applicable laws, regulatory requirements, or contractual obligations.
- Ongoing disputes or audits: If a legal claim, investigation, or audit is anticipated, relevant data may be preserved until the matter is resolved.
7.4 Principle of Storage Limitation
BBO applies the storage limitation principle under Article 5(1)(e) GDPR, ensuring that personal data is not retained in an identifiable form for longer than is necessary for the purposes for which it was collected.
7.5 Documentation
Retention and deletion practices are documented within BBO’s internal policies and reflected in BBO’s records of processing activities under Article 30(2) GDPR. Records of deletion requests and confirmations are maintained to demonstrate compliance under the accountability principle (Article 5(2) GDPR).
7.6 Client Responsibility
As Controllers, clients remain responsible for defining the lawful retention period for personal data in line with their own compliance requirements. BBO will act in accordance with these instructions, provided they are consistent with applicable laws.
8. Security Measures
BBO implements comprehensive technical and organisational measures (TOMs) to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as required under Article 32 GDPR and equivalent provisions under UK GDPR, PIPEDA, and PDPA. These measures include, but are not limited to:
8.1 Data Encryption and Transmission Security
- Encryption of data at rest (AES-256) and in transit (TLS 1.2 or higher), using industry-standard algorithms and protocols.
- Encrypted file transfer methods for all client deliverables, including password-protected download links and encrypted email attachments.
- Strict prohibition on the use of unencrypted portable media.
8.2 Secure Hosting and Cloud Infrastructure
- Use of trusted cloud providers (Microsoft, Google, IONOS) with contractual security commitments.
- Data stored in geographically distributed data centres covered by SOC 2 attestation reports and ISO/IEC 27001 certification.
- Continuous monitoring of service provider compliance and certification updates.
8.3 Access Control and Authentication
- Role-based access controls (RBAC) ensuring employees can only access data strictly necessary for their tasks.
- Multi-factor authentication (MFA/2FA) for all accounts with access to personal data.
- Unique user IDs for traceability, with immediate revocation of access upon employment termination.
8.4 Physical and Environmental Security
- Biometric entry systems and CCTV monitoring at BBO offices.
- Server rooms kept locked and accessible only to authorised IT personnel.
- Visitor logs and restricted access zones.
8.5 System Integrity and Monitoring
- Up-to-date antivirus and endpoint protection solutions.
- Monthly patch management and vulnerability scanning.
- Intrusion detection and event logging with regular reviews by IT security staff.
8.6 Data Backup and Business Continuity
- Daily automated backups to secure cloud environments.
- Periodic restore testing to ensure recoverability.
- Business Continuity and Disaster Recovery (BC/DR) plan reviewed annually.
8.7 Audit and Compliance Controls
- Regular internal audits of security practices.
- Independent third-party assessments and penetration tests commissioned periodically.
- Support for client-initiated audits under the terms of the DPA.
8.8 Staff Training and Awareness
- Mandatory onboarding and annual refresher training on GDPR, data protection, and security awareness.
- Confidentiality agreements signed by all staff handling data.
- Disciplinary measures for policy violations.
8.9 DPIA Support
Where clients’ processing activities require a Data Protection Impact Assessment (DPIA) under Articles 35–36 GDPR, BBO supports Controllers by providing necessary technical and organisational information.
9. Rights of Data Subjects
BBO recognises and respects the rights of data subjects as enshrined in the GDPR, UK GDPR, PIPEDA, and PDPA. As a Data Processor, BBO enables and supports its clients (Controllers) in fulfilling these rights. Data subjects may exercise the following:
9.1 Right of Access (GDPR Article 15)
Individuals have the right to obtain confirmation as to whether their personal data is being processed and, if so, access to that data along with information on the purpose, categories, recipients, and safeguards applied in case of international transfers.
9.2 Right to Rectification (GDPR Article 16)
Individuals may request correction of inaccurate data or completion of incomplete data held about them.
9.3 Right to Erasure – “Right to be Forgotten” (GDPR Article 17)
Data subjects may request deletion of their personal data where:
- The data is no longer necessary for the purposes for which it was collected;
- Consent has been withdrawn and no other lawful basis applies;
- The data has been unlawfully processed;
- Erasure is required to comply with a legal obligation.
9.4 Right to Restriction of Processing (GDPR Article 18)
Individuals may request temporary suspension of processing while accuracy is verified, lawfulness is challenged, or data is required for legal claims.
9.5 Right to Object (GDPR Article 21)
Data subjects have the right to object at any time to processing based on legitimate interests. In such cases, the Controller must cease processing unless compelling legitimate grounds override the interests, rights, and freedoms of the individual.
9.6 Right to Withdraw Consent (GDPR Article 7(3))
Where processing is based on consent, data subjects may withdraw consent at any time without affecting the lawfulness of prior processing.
9.7 Right to Data Portability (GDPR Article 20)
Where processing is based on consent or contract and carried out by automated means, individuals may receive their personal data in a structured, commonly used, and machine-readable format and, where technically feasible, have it transmitted directly to another Controller.
9.8 Rights under PIPEDA (Canada)
- Right to access personal information and be informed of its use;
- Right to challenge accuracy and request corrections;
- Right to withdraw consent, subject to contractual or legal restrictions.
9.9 Rights under PDPA (Singapore)
- Right to access and correction;
- Right to withdraw consent;
- Right to be informed of purposes of collection and use;
- Right to lodge complaints with the Personal Data Protection Commission (PDPC).
9.10 Exercise of Rights
Requests may be submitted to BBO’s Data Protection Officer at dpo@bbocompany.com. As a Processor, BBO forwards requests to the relevant client (Controller) without undue delay and assists the Controller in responding within the legally required timeframes: one month under GDPR and UK GDPR (extendable by up to two further months for complex or numerous requests), and 30 days under PIPEDA and PDPA. Requests are actioned only after reasonable verification of the requester’s identity.
10. Roles and Responsibilities
BBO operates under a Processor–Controller model, as defined by the General Data Protection Regulation (GDPR Articles 4, 28–30), the UK GDPR, PIPEDA, and PDPA. The allocation of responsibilities is as follows:
10.1 BBO (Processor)
As a Data Processor, BBO acts strictly on the documented instructions of its clients (Controllers). In this role, BBO:
- Processes personal data only for the purposes defined by the Controller;
- Implements and maintains appropriate technical and organisational measures (TOMs) in line with Article 32 GDPR;
- Ensures confidentiality of personal data and restricts access to authorised personnel only;
- Assists Controllers in meeting their obligations regarding:
- Data Subject rights requests (Articles 15–22 GDPR);
- Security of processing (Article 32 GDPR);
- Notification of data breaches (Articles 33–34 GDPR);
- Data Protection Impact Assessments (DPIAs) (Articles 35–36 GDPR);
- Maintains records of processing activities (RoPA) in compliance with Article 30(2) GDPR;
- Notifies Controllers of any intended changes to the use of sub-processors and ensures equivalent safeguards are applied through binding contracts.
10.2 Clients (Controllers)
As Data Controllers, clients retain primary responsibility for the lawful and transparent use of personal data. Controllers must:
- Define the lawful basis for processing under Article 6 GDPR (e.g., legitimate interests, consent, contractual necessity);
- Provide clear and transparent privacy notices to data subjects, as required by Articles 13–14 GDPR;
- Honour data subject rights requests, including rights to access, rectification, erasure, objection, and portability;
- Document and maintain Legitimate Interest Assessments (LIAs), where legitimate interest is relied upon;
- Implement appropriate opt-out mechanisms in their communications, in compliance with GDPR, CASL (Canada), and PDPA (Singapore);
- Ensure that direct marketing activities are proportionate, targeted, and compliant with all applicable laws in the jurisdictions of the data subjects.
10.3 Joint Responsibilities
Both BBO (Processor) and its clients (Controllers):
- Must ensure compliance with international transfer safeguards (GDPR Chapter V, UK Addendum, Swiss FADP);
- Are expected to cooperate in the event of audits, regulatory inquiries, or enforcement actions;
- Maintain the records, policies, and safeguards that demonstrate compliance: the Controller under the accountability principle (Article 5(2) GDPR), and BBO under its Processor obligations (Articles 28 and 30(2) GDPR).
11. Updates to this Policy
BBO may revise or update this Privacy Policy from time to time in order to:
- Reflect changes in its services, operations, or internal data protection practices;
- Incorporate updates required by changes in applicable data protection legislation, including but not limited to GDPR, UK GDPR, PIPEDA, and PDPA;
- Address recommendations or requirements issued by supervisory authorities or regulators;
- Ensure ongoing alignment with industry best practices and recognised standards (e.g. ISO/IEC 27001, SOC 2).
11.1 Notification of Changes
- Clients will be notified in advance of any material changes that may affect the scope, lawful basis, or nature of processing activities.
- Updated versions of this Privacy Policy will be made available to all clients in electronic format and will take effect upon publication unless otherwise specified.
- Where required by law, clients (as Controllers) are responsible for communicating such updates to data subjects in their own privacy notices.
11.2 Version Control and Accountability
- Each version of this Privacy Policy will be date-stamped and assigned a version number to ensure clear audit trails.
- Historic versions will be retained for accountability and compliance demonstration purposes.
- BBO commits to documenting the reasons for updates and making such documentation available to clients upon request.