Privacy policy

With this Privacy Policy, CRIF S.p.A. intends to describe the methods of managing this website with reference to the processing of the personal data of users who access it. This is a general information notice provided to all visitors to the website in accordance with the EU Data Protection Regulation No. 2016/679 (GDPR) and all other applicable laws. If users decide to sign up to the ESG initiative, a specific and detailed information notice will be provided to them in accordance with Articles 13 and/or 14 of the GDPR, and specific consent to the processing of personal data will be requested, if necessary.


Following access to and consultation of this Website, data relating to identified or identifiable persons may be processed. The Controller for the processing of the collected personal data is CRIF S.p.A., with registered office located at Via della Beverara 21, 40131 Bologna (BO), Italy (“CRIF”). You can contact the Controller at the above mailing address or via the following e-mail address:

Location of data processing

The processing of data collected with reference to those who access the website is carried out at the CRIF head office, as communicated to the Italian Data Protection Authority and in accordance with the provisions of the GDPR and all other applicable laws. Personal data is processed only by specially trained employees or contractors with appropriate technical skills, and who are appointed and authorized to perform the processing.

Methods of data processing

The data will be processed lawfully and fairly, guaranteeing its security and confidentiality, according to the provisions of the GDPR and all other applicable laws. Personal data will be processed using electronic and, in any case, automated equipment.

Purpose of data processing

User data may be processed for:

  1. the performance of the operations strictly necessary to provide the services or initiatives that may be requested by the user, including navigating the website;
  2. the provision of technology services (remote or on-site assistance and maintenance, etc.), including by specifically authorized third parties;
  3. statistical processing of aggregated data in relation to website services;
  4. sending e-mails to be informed about news, by subscribing to the newsletter.

On the website pages where your personal data is explicitly collected, you will find, where necessary, any additional privacy specifications, as well as the methods for acquiring your consent and/or identifying any further basis for the legitimacy of the processing pursuant to Article 6 of the GDPR.

Legal basis for data processing

Your personal data will be processed on the basis of one or more of the following conditions. In particular, processing carried out for the purposes referred to in points: no. 1 and 2 above, have as their legal basis the need to fulfill the requests for the provision of a service or to participate in an initiative directly available through the website: therefore, this type of data processing is strictly necessary and connected to a pre-contractual and/or contractual phase or designed to respond to a specific request according to Art. 6 par. 1 (b) of the GDPR, and as such, the personal data collected are necessary. If the data is not provided, it will not be possible to provide the service or to respond to your request; no. 3 above, has as its legal basis the legitimate interest of the Controller in accordance with Art. 6 par. 1 (f) of the GDPR, consisting of improving the performance and verifying the proper functioning of the website. In this regard, we also invite you to consult the Website Cookie Policy; no. 4 above, has its legal basis the free consent of the data subjects pursuant to art. 6, par. 1 (a) and to art. 7 of GDPR. This consent is optional and does not affect the provision of any services requested. The data subject can withdraw the consent at any time through the opt-out link at the bottom of each message and in any case by exercising their right to withdraw their consent.

Categories of recipients of personal data

The data may be communicated to different categories of recipients, according to the service/initiative requested by the CRIF client. For each service/initiative requested by the CRIF client, a special information notice will be provided with the details of the recipients of the personal data.

Transfer of personal data

Generally, the data provided by CRIF clients will not be transferred outside the European Union. However, this transfer may occur according to the individual service provided by CRIF. For each service requested by the CRIF client, a special information notice will be provided with the details of the countries to which the data will be transferred. However, should personal data be transferred outside the European Union, the transfer will be carried out in accordance with the provisions of the GDPR and all other applicable laws (as will be indicated in the information notice).

Type of personal data processed

With reference to browsing data, the computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit to the use of Internet communication protocols. This information is not collected in association with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This data category includes the IP addresses or domain names of computers used by users who connect to the Website, Uniform Resource Identifier (URI) addresses of the requested resources, the time of the request, the method used to submit the request to the server, and other parameters related to the user’s operating system and computing environment. The optional and voluntary sending of e-mails to the addresses indicated on the website involves the acquisition of the user’s personal data which is necessary to respond to user requests.

Data provision

The user is free to provide the personal data necessary to allow CRIF to provide services or to participate in the requested initiatives. Failure to provide the data may result in the inability of the company to provide the requested information or services.

Retention period

CRIF retains the navigation data for a period not exceeding 18 months from the last interaction with the Website. For each service or initiative requested by the CRIF client, a special information notice will be provided with details of the data retention period or the criteria used to determine this period.


For details about the use of cookies on this Website, please refer to the Cookie Policy.

Data subject rights

We hereby inform you that, pursuant to the GDPR, the user can exercise the following rights: the right to access his or her personal data, ask for the amendment or deletion of the data, or restriction of the processing. Users also have the right to oppose the processing, as well as the right to portability. In addition, users can withdraw their consent at any time, it being understood that the withdrawal of consent does not affect the lawfulness of the processing carried out up to the point of withdrawal. In any case, for each service requested by the CRIF client, a special information notice will be provided with details of the rights that can be exercised and the ways in which to exercise them. In such cases, you can exercise your rights by contacting the Controller using the following contact details: CRIF S.p.A., via della Beverara 21, 40131 Bologna (BO), Italy or writing to the following e-mail address The data subject can also submit a complaint to the Italian Data Protection Authority, following the instructions through the link: For any questions regarding the processing of your personal data, you can contact the Data Protection Officer by e-mailing:; certified e-mail: