Privacy Policy for CRIF Sp. z o.o.’s customers

Information on the processing of personal data of CRIF Sp. z o. o.’s customers

Joint controllers of your personal data The joint controllers of your personal data are CRIF Sp. z o. o. with its registered office in Kraków, ul. Lublańska 34, 31 – 476 Kraków, e-mail address: info.pl@crif.com , and CRIF SpA with its registered office in Bologna (Italy), Via della Beverara, 21, 40131 Bologna BO, Italy, hereinafter jointly referred to as CRIF.

The joint controllers have jointly determined the purposes and methods of data processing by concluding an appropriate agreement, which regulates the scope of responsibility of both companies regarding the fulfillment of the obligations arising from the GDPR. CRIF SpA is responsible for: administrative, financial and accounting management, including management and support regarding issued invoices and supervision of payments, management and support in the field of marketing services and communication and events, integration of IT systems. In turn, CRIF Sp. z o. o. is responsible for: execution of the contract with you, collection of information, monitoring compliance with the GDPR, including management of the exercise of data subjects' rights, updating information. In addition, CRIF Sp. z o. o. has been designated as the contact point for matters concerning the processing of your personal data.

Data Protection Officer For all matters relating to data processing by CRIF, you can contact the Data Protection Officer by mail at the following address: CRIF Sp. z o. o., ul. Lublańska 38, 31-476 Kraków or by e-mail at: dpo@crif.com .

Purposes of data processing Data will be processed for the purpose of:

1. proper performance of the contract, pursuant to Article 6 paragraph 1 letter b) of the GDPR – for the duration of the contract,
2. customer relationship management based on the legitimate interest of the administrator 6 section 1 letter f of the GDPR), which consists in enabling the maintenance and improvement of customer relationships – for the duration of the contract,
3. determining, pursuing or defending against any claims arising from the Agreement, pursuant to Article 6 paragraph 1 letter f) of the GDPR, which consists in ensuring the possibility of pursuing any claims arising from the Agreement or defending against such claims – for the period until the expiry of the limitation period for claims in accordance with the applicable provisions of law,
4. performance of accounting, bookkeeping and tax obligations, pursuant to Article 6 paragraph 1 letter c) of the GDPR – for the period resulting from the relevant provisions of law on accounting, bookkeeping and tax law,
5. exchange of information by entities belonging to the CRIF Capital Group – pursuant to Article 6 paragraph 1 letter f) of the GDPR, i.e. the legitimate interest of the data controller or a third party, which in this case consists in the need to ensure cooperation and communication within the CRIF Capital Group – for the duration of the contract.

Recipients of the data The recipients of your personal data may be entities such as: entities providing email hosting services, contractors, entities providing auditing and IT services. In addition, CRIF may transfer data to other companies from the CRIF Capital Group, which, if transferred to them, will become their separate controllers. In such a case, you will receive appropriate information regarding data processing in accordance with Article 14 of the GDPR.

Transfer outside the EEA Data may be shared with CRIF Group companies based outside the European Economic Area (EEA). In addition, data may be transferred outside the EEA in connection with CRIF's use of communication software provided by entities based outside the EEA. In any case, data may be transferred outside the EEA only if the entity based outside the EEA meets the conditions set out in Chapter V of the GDPR. In particular, the aforementioned transfer may be made without special authorisations if the third country to which the transfer is made is among the countries that, according to a decision of the European Commission, ensure an adequate level of protection. In the absence of such a decision, data may be transferred to recipients located in a third country by adopting and documenting appropriate guarantees pursuant to Article 46 of the GDPR. In the absence of a decision on the adequacy of personal data protection or appropriate guarantees, personal data may be transferred to CRIF Group companies or other recipients located outside the EEA if the additional conditions set out in the GDPR are met.

Your rights In connection with the processing of data by CRIF, you have the following rights: the right to request access to personal data, its rectification, erasure or restriction of processing, as well as the right to transfer data and the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is the President of the Office for Personal Data Protection. In addition, you have the right to object, for reasons related to a specific situation, to the processing of personal data if CRIF processes it based on the legitimate interest of the controller or a third party.

You can send requests regarding the exercise of your rights by post to CRIF Sp. z o. o., ul. Lublańska 34, 31-476 Kraków or by e-mail to: dpo@crif.com .

In any case, regardless of the arrangements between the joint controllers, you may exercise the rights indicated above in relation to each of the joint controllers.