Privacy Policy for Board Members or Representatives of Clients and Suppliers of CRIF Sp. z o.o.

Information on the processing of personal data of the Partner’s board members or representatives by CRIF

Joint Controllers The joint controllers of your personal data are CRIF Sp. z o.o. with its registered office in Kraków, ul. Lublańska 34, 31-476 Kraków, registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register under KRS number 0000185908, NIP: 5251556766, with a share capital of PLN 3,163,500.00, email address: info.pl@crif.com, phone number: +48 12 291 55 60, and CRIF S.p.A. with its registered office in Bologna (Italy), via della Beverara 21, hereinafter collectively referred to as CRIF.

The joint controllers have jointly determined the purposes and means of data processing by concluding an appropriate agreement, which regulates the responsibilities of both companies regarding the fulfillment of obligations under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR. CRIF S.p.A. is responsible for: administrative, financial, and accounting management, including the management and support related to issued invoices and payment supervision, management and support in the field of marketing services and communication and events, IT systems integration. On the other hand, CRIF Sp. z o.o. is responsible for: contract execution, information collection, monitoring compliance with GDPR, including managing the exercise of data subjects’ rights, information updates. Additionally, CRIF Sp. z o.o. has been designated as the contact point for matters related to the processing of your data.

Data Protection Officer For all matters related to data processing by CRIF, you can contact the Data Protection Officer by mail at: CRIF Sp. z o.o., ul. Lublańska 34, 31-476 Kraków or electronically at: dpo@crif.com.

Source of your data If CRIF has not obtained personal data directly from you, we inform you that the personal data was provided to CRIF by a partner of CRIF Sp. z o.o, hereinafter referred to as the Partner, who indicated you as a person authorized to represent or was obtained by CRIF from publicly available sources (National Court Register). CRIF processes the following categories of data concerning you: basic identification data – name and surname, job position, business contact details – email address or phone number.

Purposes of data processing Your data will be processed for the purpose of:

1. concluding a contract between the Partner and CRIF Sp. z o.o. and its proper implementation based on the legitimate interest of the administrator (CRIF Sp. z o.o.) (Article 6(1)(f) of the GDPR), which involves enabling the conclusion of a contract between the Partner and CRIF Sp. z o.o., making and accepting declarations of intent of the parties to the contract, and conducting communication related to the conclusion and implementation of the contract,
2. managing relations with the Partner based on the legitimate interest of the administrator (Article 6(1)(f) of the GDPR), which involves enabling the maintenance and improvement of relations with partners,
3. establishing, pursuing, or defending against potential claims arising from the contract concluded between the Partner and CRIF Sp. z o.o. based on the legitimate interest of the administrator (CRIF Sp. z o.o.) (Article 6(1)(f) of the GDPR), which involves ensuring the possibility of pursuing potential claims arising from the contract concluded between the Partner and CRIF Sp. z o.o. or defending against such claims,
4. exchanging information by entities belonging to the CRIF Capital Group – based on the legitimate interest of the administrator (CRIF) or a third party (other entities from the CRIF Capital Group) (Article 6(1)(f) of the GDPR), which in this case involves ensuring cooperation and communication within the CRIF Capital Group.

Data retention period Your data will be stored for the duration of the contract concluded between the Partner and CRIF Sp. z o.o. Subsequently, your personal data may be processed until the expiration of the limitation period for any claims arising from this contract.

Recipients of your data Recipients of your personal data may include entities such as: entities providing email hosting services, entities providing communication software, contractors, entities providing auditing and IT services. Additionally, CRIF may transfer data to other companies within the CRIF Group, which, upon receiving your data, will become separate data controllers. In such a case, you will receive appropriate information regarding data processing in accordance with Article 14 of the GDPR.

Transfer of the data outside the EEA Your data may be shared with companies within the CRIF Group that are located outside the European Economic Area (EEA). Furthermore, your data may be transferred outside the EEA in connection with CRIF's use of communication software provided by entities based outside the EEA. In any case, data transfer outside the EEA may only take place if the entity based outside the EEA meets the conditions set out in Chapter V of the GDPR. In particular, the transfer may be made without special permissions if the third country to which the transfer is made is considered by the European Commission to provide an adequate level of protection. In the absence of such a decision, the transfer of data to recipients located in a third country may be made by adopting and documenting appropriate safeguards based on Article 46 of the GDPR. In the absence of a decision regarding adequate data protection or appropriate safeguards, the transfer of personal data to companies within the CRIF Group or other recipients located outside the EEA may be carried out if additional conditions established by the GDPR are met.

Your rights In connection with the processing of your data by CRIF, you have the following rights: the right to request access to personal data, rectification, deletion, or restriction of processing, as well as the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office. Additionally, you have the right to object, on grounds relating to your particular situation, to the processing of personal data if CRIF processes it based on the legitimate interest of the controller or a third party. If such an objection is raised, CRIF will cease processing your data unless it demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.