Why Three Databases Have Your Name
Most private clients' names appear in a number of commercial aggregator databases to which they have never knowingly consented. The mechanism lies in the legitimate-interest basis for processing under GDPR, in the equivalent under US data-broker law, and in the structure of the data-broker industry itself.
A commercial aggregator (the typical examples are Refinitiv World-Check, Dow Jones Risk, LSEG Government Records, Bureau van Dijk Orbis, and Sayari Graph) builds its database by ingesting public records: corporate filings, regulatory disclosures, sanctions lists, court records, archived press, social-media profiles where public, and dozens of other sources. The aggregator's value to its customers (private banks, compliance teams, journalists, due-diligence firms) is in how well it ranks, deduplicates, and normalises the inputs.
The aggregator processes personal data on the legitimate-interest basis of GDPR Article 6(1)(f). The legitimate interest is the public interest in financial-crime prevention. The processing is not, as a matter of law, conditional on the individual's consent.
From the individual's perspective, this means a record about them exists in three to five major aggregator databases regardless of any action they have taken. The record reflects what is in the underlying public sources, ranked and edited according to each aggregator's editorial logic. Errors are common; the aggregators have grievance procedures, but these are not always well known and not always responsive.
What the audit does, in part, is read what each major aggregator says about the client. Where the picture differs from what is true (a sanctions adjacency that is not present, a director appointment that ended in resignation but has not been removed, an archived press story that has been retracted but not corrected in the aggregator's index), the audit identifies the inconsistency and points to the grievance procedure available.
What the audit does not do is contact the aggregator on the client's behalf. That is properly the work of the client (often through counsel) once the inconsistency has been identified and the supporting evidence assembled.