EU General Data Protection Regulation (GDPR)

Memorandum intended to support vendor due diligence by explaining how Atogu’s operations align with the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

GDPR Compliance Statement for Atogu

Purpose and scope

This memorandum is intended to support vendor due diligence by explaining how Atogu’s operations align with the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). It focuses on: (i) the data products described in Atogu’s documentation (Mercantile/Corporate Registry, Employment, Digitalisation/Tech Stack, and Financing modules); and (ii) the personal data processed in connection with access to and use of Atogu’s platform by customer users.

Atogu’s legal entity (as published in its Privacy Policy) is Datary Analytics, S.L., established in Madrid, Spain, with the dedicated compliance contact email legal@atogu.com.

Data scope and GDPR applicability

Atogu’s core business activity is the “collection, processing and sale of data” sourced from databases about companies.

The Mercantile module is described as the “legal and bibliographic data” layer for companies, structuring interactions with the Spanish Commercial Registry and the Spanish Tax Agency (Agencia Tributaria) across the company lifecycle (incorporation through closure).

As a matter of GDPR scope, Recital 14 clarifies that GDPR protection applies to natural persons and “does not cover” data concerning legal persons, including the name, legal form, and the contact details of the legal person.

Agencia Española de Protección de Datos (AEPD) expresses the same principle in its public guidance: GDPR does not regulate data relating to legal persons (company name, brand, or legal form), and protection applies exclusively to natural persons.

Accordingly, a substantial portion of Atogu’s B2B dataset—company identifiers and attributes such as corporate tax identification numbers, company name, legal form, registered address, and business classification—falls outside GDPR’s material scope to the extent it does not relate to an identified or identifiable natural person.

Borderline and mixed-content cases and how they are addressed

GDPR applies where information relates to an identified or identifiable natural person (“personal data”).

Borderline scenarios relevant to a B2B company intelligence service typically include: sole traders (autónomos), natural-person officers or contacts, and free-text fields that can incidentally include personal identifiers.

Sole traders / autónomos.

Atogu explicitly documents that tax identifiers (“VatId”) can belong to natural persons or legal persons and that, in European markets, the VatId helps distinguish sole-trader data (protected by GDPR) from companies. It also notes that official formats can enable automatic filtering of sole-trader data.

In addition, Atogu’s Mercantile module documentation highlights that some B2B datasets mistakenly include autónomos and that this misclassification is operationally problematic for enterprise sales teams.

Taken together, the published documentation supports the compliance posture that Atogu’s product design uses formal identifiers and schema controls to prioritize corporate entities and reduce inclusion of sole-trader personal data.
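As an added illustration of the format-based filtering referred to above (example code written for this memo, not Atogu’s own implementation), the following classifier uses the official Spanish identifier formats and their check characters to separate natural-person identifiers (DNI/NIE, in GDPR scope) from legal-person identifiers (CIF); anything unrecognised or failing its checksum is reported as unknown so it can be treated conservatively. The "VatId" field name and the simplified CIF control-character rule are assumptions.

```python
import re

# Added example (not Atogu's code): classify a Spanish tax identifier (the
# "VatId" field) by its official format, separating natural persons (sole
# traders, in GDPR scope) from legal persons (outside GDPR's material scope).
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"  # NIF/NIE check letter = table[number % 23]
CIF_LETTERS = "JABCDEFGHI"              # letter form of the CIF control value

def _nif_check_ok(number: str, letter: str) -> bool:
    return DNI_LETTERS[int(number) % 23] == letter

def _cif_control(digits: str) -> int:
    even = sum(int(d) for d in digits[1::2])                       # positions 2, 4, 6
    odd = sum(sum(divmod(2 * int(d), 10)) for d in digits[0::2])   # positions 1, 3, 5, 7
    return (10 - (even + odd) % 10) % 10

def classify_vatid(vatid: str) -> str:
    """Return 'natural_person', 'legal_person' or 'unknown'.

    Unrecognised or checksum-failing identifiers come back as 'unknown' so a
    caller can treat them conservatively, i.e. as potentially personal data."""
    v = re.sub(r"[\s-]", "", vatid).upper()
    if v.startswith("ES"):                  # EU VAT form: "ES" + national identifier
        v = v[2:]
    m = re.fullmatch(r"(\d{8})([A-Z])", v)  # DNI: 8 digits + check letter
    if m:
        return "natural_person" if _nif_check_ok(m[1], m[2]) else "unknown"
    m = re.fullmatch(r"([XYZ])(\d{7})([A-Z])", v)  # NIE: X/Y/Z + 7 digits + letter
    if m:
        number = str("XYZ".index(m[1])) + m[2]     # X->0, Y->1, Z->2 before the checksum
        return "natural_person" if _nif_check_ok(number, m[3]) else "unknown"
    m = re.fullmatch(r"([ABCDEFGHJNPQRSUVW])(\d{7})([0-9A-J])", v)  # CIF: legal persons
    if m:
        kind, digits, ctrl = m.groups()
        c = _cif_control(digits)
        # Simplified control rule (assumption): A/B/E/H take a digit, P/Q/S a letter, others either.
        if kind in "ABEH":
            ok = ctrl == str(c)
        elif kind in "PQS":
            ok = ctrl == CIF_LETTERS[c]
        else:
            ok = ctrl in (str(c), CIF_LETTERS[c])
        return "legal_person" if ok else "unknown"
    return "unknown"

def in_gdpr_scope(record: dict) -> bool:
    """True unless the record carries a checksum-valid legal-person CIF."""
    return classify_vatid(record.get("VatId", "")) != "legal_person"
```

Records flagged by in_gdpr_scope would be routed to the personal-data handling controls described later in this memo rather than shipped as plain company data.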

Professional contact details.

The Mercantile module schema includes email addresses and phone numbers that are “publicised by the company as a contact route,” alongside company websites.

In practice, some corporate email formats (e.g., firstname.lastname@company.tld) can identify a natural person and therefore constitute personal data. Where such professional contact data is processed, AEPD guidance indicates that Spanish law (LOPDGDD) presumes a legitimate interest under Article 6(1)(f) GDPR for processing professional contact data (and data about role/function) of individuals working for a legal person, provided the processing is limited to what is necessary to locate them professionally and is used exclusively to maintain relationships with the legal person.

Employment module free-text.

The Employment module covers job postings published by companies on major job boards and includes structured fields such as job title, source link, location, and a “description” field containing the text of the job advertisement.

Job ads are generally public employer communications; however, they may occasionally contain personal contact details (e.g., a recruiter’s name/email). In such cases, the data would be treated as personal data under GDPR’s definition.

Assumption (explicit): The public module description does not specify whether Atogu applies automated or manual redaction to remove incidental personal identifiers from free-text job descriptions. This memo therefore does not claim a specific redaction technique; it instead treats this as a managed edge case under Atogu’s general compliance controls described below.

Directors/administrators and shareholder changes.

The Mercantile module description references “changes of partners/shareholders,” which in some cases could involve natural persons.

However, the published variable list for the module is company-centric and does not document named natural-person officers as a standard output field.

Assumption (explicit): Unless a customer contract defines bespoke fields that include named natural persons, Atogu’s standard deliverables (as documented) are primarily at the legal-person level.

Data provenance and lawful bases

Sources: public registers and publicly available information

Atogu’s documentation describes data sourcing consistent with public and open-source collection:

  • Mercantile data is structured from company interactions with the Commercial Registry and the Tax Agency.
  • Employment data is derived from job offers posted by companies on major employment portals.
  • Digitalisation data monitors the technologies used by companies and records the source of detection (e.g., from the company website or job offers).
  • Financing data covers public grants and private funding rounds for companies.

Where personal data is processed (e.g., professional contact data, incidental identifiers in public job ads), the relevant lawful basis is typically legitimate interests under Article 6(1)(f) GDPR, subject to a documented balancing assessment.

European Data Protection Board guidance emphasizes that reliance on Article 6(1)(f) requires three cumulative conditions—legitimate interest, necessity, and a balancing test—and that controllers should assess and document these before processing.

Transparency considerations for indirect collection

For personal data not obtained directly from the data subject, GDPR imposes transparency obligations (Article 14), including disclosure of the controller’s identity, purposes, legal basis, categories of data, recipients, transfer safeguards, retention criteria, and the source (including whether from publicly accessible sources).

In due diligence terms, Atogu addresses transparency for its platform users through a publicly available Privacy Policy that identifies the controller, explains categories of personal data processed, legal bases, processors, international transfers, retention, and rights channels.

Assumption (explicit): For any third-party natural-person contact data that may appear in datasets, Atogu’s public policies and contact channels (legal@atogu.com) are used as the practical transparency and rights-management interface, consistent with the Article 14 framework.

Role allocation and contractual posture

Atogu as controller for the compiled B2B dataset

GDPR defines a controller as the entity that determines the purposes and means of processing.

Atogu’s published description of its activity—collecting, processing, and selling company data—indicates that Atogu determines the purposes and means of compiling and providing the dataset.

On that basis, for the standard data products described in the public documentation, Atogu operates as an independent controller for the compilation and provision of the datasets, while the customer (e.g., Oracle) acts as an independent controller for its subsequent use of the data in its own systems and decision-making.

Atogu as processor for specific customer-instructed processing

GDPR also defines a processor as an entity that processes personal data on behalf of a controller and requires an Article 28 processing contract when such a relationship exists.

Atogu’s Privacy Policy notes that it may rely on third-party providers (hosting, infrastructure, analytics, support), which act as processors under Article 28 through data protection contracts.

Assumption (explicit): If Oracle requests bespoke processing that involves Oracle-provided personal data and Atogu processes it strictly on Oracle’s documented instructions (rather than providing Atogu’s standard datasets), Atogu would be positioned as a processor for that specific activity and would execute a Data Processing Agreement (DPA) meeting the requirements of Article 28.

Technical and organisational measures

GDPR Article 32 requires “appropriate technical and organisational measures” proportionate to risk, including (as appropriate) encryption, confidentiality/integrity/availability controls, restore capability, and regular testing of control effectiveness.

Atogu’s published security statement describes a control set aligned with Article 32 expectations.

In summary:

Access control and authentication measures include two-factor authentication protecting servers, source code, and third-party tools; unique customer credentials; token-based authentication with automatic expiry; and least-privilege assignment for staff and collaborators.

Encryption and secure transmission controls include TLS 1.2+ for data in transit; AES-256 encryption at rest for stored data; and industry-standard key generation and management practices (as described at a high level).

Secure development and vulnerability management practices include automated vulnerability detection for dependencies, rapid patching, periodic vulnerability analysis, and peer review for code changes prior to deployment.

Third-party assurance is described through annual third-party security audits and penetration tests, with reports available on written request.

Hosting posture includes that servers are hosted with providers holding internationally recognized certifications (ISO 27001, SOC 1, SOC 2, PCI DSS Level 1) and that primary data storage is in the EU.

These measures support the GDPR principles of integrity and confidentiality (Article 5(1)(f)) and accountability (Article 5(2)), as well as Article 32’s “security appropriate to the risk” standard.

Data minimisation, rights handling, retention, and international transfers

Data minimisation and avoidance of personal profiling

The GDPR principle of data minimisation requires that personal data be “adequate, relevant and limited to what is necessary.”

Atogu’s published module schemas show a company-level focus—e.g., corporate identifiers and attributes in the Mercantile module; company-level signals from job posting activity; and company technology stack monitoring rather than individual behavioural profiling.

For Atogu platform users, the Privacy Policy states Atogu does not perform automated decisions or profiling that produce legal or similarly significant effects for users.

Rights handling

Atogu’s Privacy Policy provides a clear channel for exercising GDPR rights (access, rectification, erasure, objection, restriction, portability) via legal@atogu.com.

This is consistent with GDPR’s broader rights framework and with the expectation that controllers facilitate the exercise of data subject rights.

Retention and updating

For platform-user personal data, Atogu states that data is retained for the duration of the contractual relationship and thereafter for legally required periods.

Separately, Atogu’s security statement specifies that access and activity logs are retained for a maximum of 30 days unless a longer period is legally required.

Assumption (explicit): The public module documentation emphasizes data currency (e.g., preventing “outdated” mercantile databases) but does not publish a single retention schedule for the corporate datasets themselves; therefore, this memo does not assert specific retention periods for non-personal company data beyond what is stated for logs and user data.

International transfers

GDPR restricts transfers of personal data to third countries absent compliance with Chapter V, including the general principle in Article 44.

Atogu states that primary data storage is in the EU.

Where transfers of personal data outside the EEA occur (e.g., via certain service providers), Atogu’s Privacy Policy states that such transfers will use “appropriate safeguards,” including Standard Contractual Clauses approved by the European Commission or other legally recognized mechanisms.

Conclusion

Atogu’s public documentation supports a compliance narrative in which GDPR risk is structurally low because the platform’s primary datasets are oriented around legal-person (company) information—data that, per GDPR Recital 14 and AEPD guidance, is generally outside GDPR’s scope when it does not relate to identifiable natural persons.

Where personal data may arise in edge cases (notably professional contact details and incidental identifiers in publicly posted job content), the applicable compliance framework is legitimate interests under Article 6(1)(f), implemented with documented assessments consistent with European Data Protection Board guidance and Spanish supervisory authority expectations for professional contact data.

From a security and vendor-assurance standpoint, Atogu publicly reports a set of technical and organisational measures—2FA, least-privilege access, encryption in transit (TLS 1.2+) and at rest (AES-256), vulnerability management, annual third-party penetration testing, and EU primary data storage—consistent with GDPR Article 32’s risk-based security standard.