Data Protection Policy

Data Protection Policy

Information notice on the processing of personal data for business information purposes

This privacy notice, pursuant to the relevant data protection legislation (Italian Legislative Decree no. 196/2003 - Personal data protection code and EU Regulation 2016/679 - hereafter “Regulation”), is provided by CRIF S.p.A., with registered office located at via M. Fantin, 1-3, Bologna (BO), Italy, R.E.A. no. 410952 Bologna Business Register, Tax Code and VAT. No. 02083271201, in its role as Controller (hereafter “our Company”) based on the “Code of Ethics and Conduct in Processing Personal Data for Business Information Purposes” (“Code of Conduct”), approved by the Italian Data Protection Authority with Resolution no. 479 of 17/09/2015, and published in the Official Journal no. 238 of 13/10/2015.

  1.  SOURCES OF PROCESSED DATA

Dear Sir or Madam,We would like to inform you, including based on the appropriate prefectural authorization (pursuant to art. 134 of Italian Public Security Legislation), that our Company collects and processes personal data provided directly by data subjects, as well as certain personal data coming from public registers, directories and archives or contained in publicly available records or documents (held, for example, by Italian Chambers of Commerce or the Italian Revenue Agency) or in any case generally accessible (i.e. obtained, for example, from trade directories, press releases, and publicly accessible internet sites).

  1.  TYPE OF DATA PROCESSED

Our Company can acquire information concerning organizational, production, industrial, commercial, economic, financial, property, administrative and accounting aspects relating to the activities carried out by economic operators (including, for example, sole proprietorships or family-run businesses, small business owners, professionals, significant company representatives, etc.), as well as data relating to natural persons that do not undertake any business or professional activities (business information also includes data relating to, for example, Chamber of Commerce searches, financial statements, protested bills, prejudicial information from land registries, mortgage search data, as well as any judicial data reported in public sources or generally accessible to anyone).  Wherever requested by our clients, personal data can be supplemented and enriched through searches, by mail, fax or telephone, of private sources of additional business information (other companies and economic operators) and also related to the so-called payment habits of a company or professional in their business relations with clients, suppliers or partners. In these cases, the information notices provided by these parties to data subjects include the possibility of communicating data to business information companies, like ours, for the purposes of reliability or solvency checks of the economic operator. This is information of an accounting nature processed in aggregate form within our systems and information reports. The acquisition of sensitive data is excluded, as well as information covered by trade secrets.  In the cases strictly provided for by the Code of Conduct, our Company can process data relating to criminal convictions and offenses (art. 10 of the Regulation) coming from public sources or, under certain circumstances, also from generally accessible sources, including those identified in section 1 above. 3.    PURPOSE OF DATA PROCESSING

The data are processed by our Company, as Data Controller, in order to provide third parties who request them (our clients) with business information services for the assessment of the activities, stability and capacity in economic and business terms of a person, and to perform checks in relation to any existing or prospective business relationships (which in the absence of accurate and complete information could be blocked) and for the protection of the related rights.  Business information can also be requested by our clients, including in the form of lists (by sector or category), for marketing activities, telephone contact and mailing for commercial, promotional and advertising purposes (in compliance with the information notice obligation and the prohibition under the regulations from the use of automated systems, including e-mail, fax, prerecorded telephone messages and SMS, in the absence of prior consent of the data subjects).  The personal data acquired by our Company can also be subject to additional processing or statistical analysis, both automated and through experts, in order to assign an assessment or opinion, including in summary form or as a score, on the level of reliability, solvency and capacity in economic and business terms of the company or person concerned and/or on the probability of insolvency of a company, taking into account, for example, its overall economic and financial standing, as well as current and past receivables and payables, including in reference to subjects with significant responsibilities and positions.

  1.  LEGAL BASIS FOR THE PROCESSING

The processing of data for the purposes of business information as described above, including when aimed at forming, as set out previously, an opinion on the stability, solvency and reliability of the subject, is based on the need to pursue the legitimate interests of our Company, which provides business information services, and of our customers who request them, both to perform the necessary checks on the economic and financial standing of data subjects, for the purposes of protection, prior to the establishment and management of business relationships, including pre-contractual, to the supply of goods and services and to the definition of the related payment methods and terms, as well as in order to comply with related regulatory obligations, including anti-money laundering, fraud prevention and the protection of rights, including in court. It is understood that this processing will be carried out in full compliance with the Code of Conduct and applicable legislation and respecting the interests and rights and fundamental freedoms of the data subjects, pursuant to art. 6, paragraph 1, lett. f) of the Regulation.

  1.  PROCESSING METHODS AND SECURITY

The data are predominantly collected using IT tools and, following the appropriate checks, including direct IT controls, to guarantee consistency, completeness and accuracy, they are recoded in our Company’s electronic databases and regularly updated. These databases are organized and managed through computerized procedures required for communication with our clients, including electronically, of documents reporting the data extracted from public sources and/or for analyses, collation and processing of these data for the preparation of reports or information files of an economic or commercial nature to be provided to clients who request them.                                                                                                                                                                                                                                                                                                                           All personal data collected and processed by our Company are stored and protected using appropriate confidentiality and security measures, including in the case of use of electronic communication networks and systems, and within our Company are made known only to employees and external partners responsible for or appointed to perform the collection, analysis, processing and communication of the data or the preparation of economic information reports, as well as technical support and maintenance activities regarding our information systems.

  1.  SCOPE OF DATA COMMUNICATION

The personal data can only be communicated, including by electronic means, to our clients, located in Italy and abroad, who request them and who will act as independent controllers.  The data will not be subject to dissemination in any case.

  1.  DATA RETENTION

The information coming from public sources and relating to negative events according to the terms set out in this information notice, as better detailed in the Code of Conduct, are retained by our Company for the purposes of providing business information services, in compliance with the following time limits: a)    information relating to bankruptcies or insolvency proceedings for a period of no more than 10 years from the date of opening of the bankruptcy proceedings; at the end of this period, the information can be further used by our Company only when there is other information concerning a subsequent bankruptcy or when new bankruptcy or insolvency proceedings have been initiated referring to the party or another related party, in which case, the processing can be extended for a maximum period of 10 years from their respective opening; b)    information regarding prejudicial and mortgage records (mortgages and foreclosures) for a period of no more than 10 years from the date of their registration, except where canceled before this time, in which case the data will be retained for 2 years from the cancellation. Notwithstanding what is specified above, personal data coming from the sources indicated in section 1 above can be retained by our Company for the purposes of providing clients with business information services for the time in which these sources remain published and/or publicly accessible, in compliance with the applicable regulations.

  1.  DATA SUBJECT RIGHTS

It should be noted that the applicable legislation recognizes the possibility for the data subject to exercise specific rights at any time, including (i) right of access, aimed at checking if and what data have been processed by our Company, (ii) right of amendment and updating of inaccurate and incomplete data, (iii) right to delete data in the cases set out in art. 17 of the Regulation, (iv) right to obtain the restriction of processing when the established conditions are met (art. 18 of the Regulation), (v) right to be notified of any amendments, deletions or restrictions by the company in relation to subjects to which the data were communicated, (vi) right to submit a complaint to the Italian Data Protection Authority.  Data subjects can exercise their right to oppose the processing of business information by our Company whenever they show, according to art. 21, paragraph 1 of the Regulation, that their interests, rights and freedoms have precedence over the legitimate interests of the controller referred to in section 4 above. Exercising the right to data portability (art. 20 of the Regulation) should be considered excluded, except in the case where the processing by our Company related to data collected directly from the data subject occurs through automated means and is aimed at executing a contract between our Company and the data subject itself. Data subjects can exercise their rights as long as the related request does not involve the amendment or supplementation of personal data of an evaluative nature processed by our Company and relating to judgments, opinions and other assessments of a subjective nature, or to specification of policies to be implemented or decision-making activities by our Company. Data subjects can send an initial request to our Company through the www.informativaprivacyancic.org portal and the specific section (link) to confirm if any personal data relating to them are held in our Company’s archive or database. The data subject can then contact our Company directly using the specific contact details indicated to exercise any other rights previously referenced.

Notwithstanding the option of using the www.informativaprivacyancic.org portal, the data subject can send a similar request by e-mailing consensoprivacy@crif.com, or writing to CRIF S.p.A., via M. Fantin, 1-3, Bologna (BO), Italy.

The data subject can also submit a complaint to the Italian Data Protection Authority, following the instructions through the link: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524

  1.  DATA PROTECTION OFFICER

For any questions regarding the processing of their personal data, data subjects can contact the Data Protection Officer as follows:

E-mail: dirprivacy@crif.it; certified e-mail: crif@pec.crif.com.

The complete ANCIC information notice (in Italian) is available via the following link:

https://www.informativaprivacyancic.it/informativa-sul-trattamento-dei-dati-personali-per-finalita-di-informazione-commerciale.aspx