Privacy notice on the processing of personal data for business information purposes

This privacy notice, pursuant to the relevant privacy legislation (Italian Legislative Decree no. 196/2003 - Personal Data Protection Code and EU Regulation 2016/679 - hereafter “Regulation”), is provided by CRIF S.p.A., with registered office located at Via della Beverara 21, 40131 Bologna (BO), Italy, R.E.A. no. 410952 Bologna Business Register, Tax Code and VAT. No. 02083271201, in its role as Controller (hereafter “our Company”) based on the “Code of conduct in processing personal data for business information purposes” (“Code of Conduct”), definitively approved by the Italian Data Protection Authority with Resolution of April, the 29th of 2021.


To whom it may concern:
We would like to inform you, including based on the appropriate prefectural authorization (pursuant to Art. 134 of Italian Public Security Legislation), that our Company collects and processes personal data provided directly by data subjects, as well as certain personal data coming from public registers, directories and archives or contained in publicly available records or documents (held, for example, by Italian Chambers of Commerce or the Italian Revenue Agency) or in any case generally accessible (i.e., obtained, for example, from trade directories, press releases, and publicly accessible internet sites).


Our Company can acquire information concerning organizational, production, industrial, commercial, economic, financial, property, administrative and accounting aspects relating to the activities carried out by economic operators (including, for example, sole proprietorships or family-run businesses, small business owners, professionals, significant company representatives, etc.), as well as data relating to natural persons that do not undertake any business or professional activities (business information also includes data relating to, for example, Chamber of Commerce searches, financial statements, protested bills and insolvency proceedings, county court judgment information from land registries, mortgage search data, as well as any judicial data reported in public sources or generally accessible to anyone).

Wherever requested by our clients by mail, fax or telephone, personal data can be supplemented and enriched through searches of private sources of additional business information (other companies and economic operators) and also related to the so-called payment habits of a company or professional in their business relations with clients, suppliers or partners. In these cases, the privacy notices provided by these parties to data subjects include the possibility of communicating data to business information companies, like ours, for the purposes of reliability or solvency checks of the economic operator. This is information of an accounting nature processed in aggregate form within our systems and information reports. The acquisition of special categories of personal data is excluded, as well as information covered by trade secrets. Within the context of business information, the acquisition and processing of special categories of personal data as referred to in Art. 9(1) of the Regulation, and information covered by trade secrets is excluded.

In the cases strictly provided for by the Code of Conduct, our Company can process data relating to criminal convictions and offenses (Art. 10 of the Regulation) coming from public sources or, under certain circumstances, also from generally accessible sources, including those identified in section 1 above.


3.1 The data is processed by our Company, as the independent Controller, in order to provide third parties who request the information (our clients) with business information services for the assessment of the activities, stability and capacity in economic and business terms of a person, and to perform checks in relation to any existing or prospective business relationships (which in the absence of accurate and complete information could be blocked) and for the protection of the related rights. Business information can also be requested by our clients, including in the form of lists (by sector or category), for use in marketing activities, telephone contact, and communications for commercial, promotional, and advertising purposes, and in compliance with the regulations in force, with specific reference to the use of automated systems, including e-mail, fax, prerecorded telephone messages, and SMS.
The personal data acquired by our Company can also be subject to additional processing or statistical analysis, both automated and through experts, in order to assign an assessment or opinion, including in summary form or as a score, on the level of reliability, solvency and capacity in economic and business terms of the company or person concerned and/or on the probability of insolvency of a company, taking into account, for example, its overall economic and financial standing, as well as current and past receivables and payables, including in reference to subjects with significant responsibilities and positions.

3.2 Your data may also be processed by our Company for the following purposes:

  1. telephone support in completing the ESG questionnaire;
  2. customer satisfaction contact by telephone;
  3. reminder, by telephone, to update the questionnaire;
  4. proposal relating to the Synesgy Company List Management service during the aforementioned telephone contact, only if you have given your consent;
  5. for marketing purposes, including by means of automated calling systems (such as, for example, SMS, MMS, e‐mail, fax).

3.3 We also hereby inform you that at the end of the retention period, your personal data may be anonymized for the purposes of further statistical analysis.


4.1 The processing of data for the purposes of business information as described in point 3.1, including when aimed at forming, as set out previously, an opinion on the stability, solvency and reliability of the subject, is based on the need to pursue the legitimate interests of our Company, which provides business information services, and of our customers who request them, both to perform the necessary checks on the economic and financial standing of data subjects, for the purposes of protection, prior to the establishment and management of business relationships, including pre-contractual, to the supply of goods and services and to the definition of the related payment methods and terms, as well as in order to comply with related regulatory obligations, including anti-money laundering, fraud prevention and the protection of rights, including in court.
It is understood that this processing will be carried out in full compliance with the Code of Conduct and applicable legislation and respecting the interests and rights and fundamental freedoms of the data subjects, pursuant to Art. 6(1)(f) of the Regulation.

4.2 Under no circumstances does the processing of evaluation information by our Company, even when based on fully automated business information processes, including profiling, determine or imply the adoption of a decision by our Company which produces legal effects or which in any case significantly affects the data subject in a similar way. Any decision that affects the rights and freedoms of the data subject is reserved exclusively to our clients and is based on all personal data and information in their possession and not solely on the evaluation information processed and communicated by our Company.

4.3 For the purpose set out in point 3.2(a) of this privacy notice, the legal basis is the performance of the contract as defined in Art. 6(1)(b) of the Regulation.

4.4 For the purpose set out in point 3.2(b) of this privacy notice, the legal basis is the legitimate interests as defined in Art. 6(1)(f) of the Regulation.

4.5 For the purposes set out in point 3.2(c) of this privacy notice, the legal basis is the performance of the contract as defined in Art. 6(1)(b) of the Regulation.

4.6 For the purposes set out in point 3.2(d) of this privacy notice, the legal basis is the consent as defined in Art. 6(1)(a) of the Regulation.

4.7 For the purpose set out in point 3.2(e) of this privacy notice, the legal basis is the consent as defined in Art. 6(1)(a) of the Regulation.

4.8 For the processing activities described in point 3.3 of this privacy notice, the legal basis is the performance of the contract as defined in Art. 6(1)(b) of the Regulation.

4.9 The provision of data for the purposes referred to in point 3.2(d) and (e) is optional, and the related processing requires the consent of the data subject; any refusal to provide consent will not give rise to any consequences.

4.10 The provision of data for the purposes referred to in point 3.2(a) and (c) and point 3.3 is necessary and does not require consent. The user is free to not provide this information, but in this case, we will not be able to fulfill your requests.


The data is predominantly collected using IT tools and, following the appropriate checks, including direct IT controls, to guarantee consistency, completeness and accuracy, it is recoded in our Company’s electronic databases and regularly updated.

These databases are organized and managed through computerized procedures required for communication with our clients, including electronically, of documents reporting the data extracted from public sources and/or for analyses, collation and processing of the data for the preparation of reports or information files of a financial or business nature to be provided to clients who request them.
All personal data collected and processed by our Company is stored and protected using appropriate confidentiality and security measures, including in the case of use of electronic communication networks and systems, and within our Company can be made known only to employees and external partners responsible for or appointed to perform the collection, analysis, processing and communication of the data or the preparation of financial information reports, as well as technical support and maintenance activities regarding our information systems.


6.1 Personal data can be communicated, including by electronic means, to our clients, located in Italy and abroad, who request it and who will act as independent controllers.

6.2 The personal data can be communicated to Group companies located in Italy, which will incorporate the data into business information services provided by those Group companies as independent controllers, as resellers of business information based on an appropriate prefectural authorization (pursuant to Art. 134 of the Italian Public Security Law), and in compliance with the provisions of the “Code of conduct in processing personal data for business information purposes”.
The data will not be subject to dissemination in any case.

6.3 The personal data can also be communicated to Group companies located outside Italy, who will process the information as independent controllers.

6.4 The personal data can be communicated to third parties, based on appropriate agreements, who will process the information as independent controllers.

6.5 In the rare cases when the communication of data involves the transfer of the information to third countries, i.e., outside the European Economic Area, it will be the responsibility of our Company to guarantee compliance with the conditions set out in Chapter V of the Regulation.


The personal data you provide for the purposes set out in points 3.1, 3.2(a), (b) and (c), will be retained for a period of 18 months.

Your personal data will be processed and stored for the purposes set out in point 3.2(d) for a maximum of 18 months or until consent is withdrawn.

Your personal data will be processed and stored for the purposes set out in point 3.2(e) for a maximum of 5 years or until consent is withdrawn. In this regard, we hereby inform you that you can withdraw consent for the processing of personal data at any time by writing to: dirprivacy@crif.com.


It should be noted that the applicable legislation recognizes the possibility for the data subject to exercise specific rights at any time, including (i) right of access, aimed at checking if and what data has been processed by our Company, (ii) right of amendment and updating of inaccurate and incomplete data, (iii) right to delete data in the cases set out in Art. 17 of the Regulation, (iv) right to obtain the restriction of processing when the established conditions are met (Art. 18 of the Regulation), (v) right to be notified of any amendments, deletions or restrictions by the company in relation to subjects to which the data was communicated, (vi) right to submit a complaint to the Italian Data Protection Authority, (vii) right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Data subjects can exercise their right to oppose the processing of business information by our Company whenever they show, according to Art. 21(1) of the Regulation, that their interests, rights and freedoms have precedence over the legitimate interests of the controller referred to in section 4 above.

The data subject has the right to object to the processing of his or her personal data for additional purposes pursuant to and with the limitations set out in Art. 21 of the Regulation, even only for automated contact.

Exercising the right to data portability (Art. 20 of the Regulation) should be considered excluded, except in the case where the processing by our Company related to data collected directly from the data subject occurs through automated means and is aimed at executing a contract between our Company and the data subject itself.

The data subject may withdraw his or her consent for marketing purposes at any time, without prejudice to the lawfulness of the processing based on consent given before withdrawal.
Data subjects can exercise their rights as long as the related request does not involve the amendment or supplementation of personal data of an evaluative nature processed by our Company and relating to judgments, opinions and other assessments of a subjective nature, or to specification of policies to be implemented or decision-making activities by our Company.
Data subjects can send an initial request to our Company through the www.informativaprivacyancic.org portal and the specific section (link) to confirm if any personal data relating to them is held in our Company’s archive or database. The data subject can then contact our Company directly using the specific contact details indicated to exercise any other rights previously referenced.

Notwithstanding the option of using the www.informativaprivacyancic.org portal, the data subject can send a similar request by writing to dirprivacy@crif.com or to the certified e-mail address crif@pec.crif.com, or by writing to CRIF S.p.A. via della Beverara 21, 40131 Bologna (BO), Italy.

The data subject can also submit a complaint to the Italian Data Protection Authority, following the instructions through the link: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524.


For any questions regarding the processing of their personal data, data subjects can contact the Data Protection Officer as follows:

E-mail: dirprivacy@crif.com; Certified e-mail: crif@pec.crif.com.

The complete ANCIC information notice (in Italian) is available via the following link: https://www.informativaprivacyancic.it/informativa-sul-trattamento-dei-dati-personali-per-finalita-di-informazione-commerciale.aspx.


Compliance of our Company with this Code of Conduct is guaranteed by the appropriate Monitoring Body, accredited in accordance with the legislation.

Any Data Subjects who believe that their rights and freedoms have been infringed by any data processing carried out by our Company pursuant to this Code of Conduct can make a complaint to the Monitoring Body, sending a written complaint that must contain a brief description of the facts and alleged harm. This is without prejudice to the right of the Data Subject to submit a complaint to the Italian Data Protection Authority and/or to initiate legal proceedings to protect his or her rights. However, the submission of a complaint to the Italian Data Protection Authority precludes the initiation of, or results in the impossibility to proceed with, any proceedings, whatever the status, concerning the same subject matter or relating to the same issues before the Monitoring Body.