Privacy Policy for Employees or Collaborators of Clients and Suppliers of CRIF Sp. z o.o.

Information on the processing of personal data of employees or collaborators of clients and suppliers of CRIF Sp. z o.o.

The joint controllers The joint controllers of your personal data are CRIF Sp. z o.o., based in Krakow, ul. Lublańska 34, 31 – 476 Krakow, registered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for Krakow – Śródmieście in Krakow, XI Commercial Division of the National Court Register under the number KRS 0000185908, NIP: 5251556766, with a share capital of PLN 3,163,500.00, email address: info.pl@crif.com, and CRIF S.p.A., based in Bologna (Italy), via della Beverara 21, hereinafter collectively referred to as CRIF.

The joint controllers have jointly determined the purposes and means of processing data by concluding an appropriate agreement, which regulates the responsibilities of both companies regarding the fulfillment of obligations arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR. CRIF S.p.A. is responsible for administrative, financial, and accounting management, including the management and support of issued invoices and payment supervision, management and support in the field of marketing services, communication and events, and IT systems integration. On the other hand, CRIF Sp. z o.o. is responsible for contract execution, information collection, GDPR compliance monitoring, including managing the exercise of data subjects' rights, and information updates. Additionally, CRIF Sp. z o.o. has been designated as the contact point for matters concerning the processing of your data.

Data Protection Officer For all matters related to data processing by CRIF, you can contact the Data Protection Officer by mail at: CRIF Sp. z o.o., ul. Lublańska 34, 31-476 Kraków or electronically at: dpo@crif.com.

The source of your data If CRIF did not obtain personal data directly from you, we inform you that the personal data was provided to CRIF by a partner of CRIF Sp. z o.o., hereinafter referred to as the Partner, who indicated you as a contact person for the purpose of executing the contract concluded with CRIF Sp. z o.o. CRIF processes the following categories of data concerning you: basic identification data – name and surname, job position, business contact details – email address or phone number.

Purposes of data protection Your data will be processed for the purpose of:

1. Proper execution of the contract concluded between the Partner and CRIF Sp. z o.o. based on the legitimate interest of the controller (CRIF Sp. z o.o.) (Article 6(1)(f) of the GDPR), which involves enabling communication related to the conclusion and execution of the contract and directing any complaints or claims,
2. Managing relationships with the Partner based on the legitimate interest of the controller (Article 6(1)(f) of the GDPR), which involves enabling the maintenance and improvement of relationships with partners,
3. Managing customer relationships within the CRM systems used by CRIF. The basis for processing is the legitimate interest of the controller (Article 6(1)(f) of the GDPR), which involves enabling CRIF to manage CRIF’s contact database,
4. Establishing, pursuing, or defending against any claims arising from the contract concluded between the Partner and CRIF Sp. z o.o. based on the legitimate interest of the controller (CRIF Sp. z o.o.) (Article 6(1)(f) of the GDPR), which involves ensuring the possibility of pursuing any claims arising from the contract concluded between the Partner and CRIF Sp. z o.o. or defending against such claims,
5. Exchange of information by entities belonging to the CRIF Group – based on the legitimate interest of the controller (CRIF Sp. z o.o. or CRIF S.p.A.) or a third party (other entities from the CRIF Group) (Article 6(1)(f) of the GDPR), which in this case involves ensuring cooperation and communication within the CRIF Group.

Data retention period Your data will be stored for the duration of the contract concluded between the Partner and CRIF Sp. z o.o. Subsequently, your personal data may be stored until the expiration of the limitation period for any claims arising from this contract.

Recipients of your data Recipients of your personal data may include entities such as: providers of email hosting services, providers of communication software, contractors, providers of auditing and IT services. Additionally, CRIF may transfer data to other companies within the CRIF Group, for example, if you are interested in establishing contact with another company within the CRIF Group. In such a case, the company that receives your data will become a separate controller and will provide you with relevant information regarding data processing in accordance with Article 14 of the GDPR.

Transfer outside the EEA Your data may be shared with companies within the CRIF Group that are located outside the European Economic Area (EEA). Additionally, your data may be transferred outside the EEA in connection with CRIF’s use of communication software provided by entities based outside the EEA. In any case, the transfer of data outside the EEA can only take place if the entity located outside the EEA meets the conditions set out in Chapter V of the GDPR. In particular, the aforementioned transfer may be made without special permissions if the third country to which the transfer is made is considered by the European Commission to provide an adequate level of protection. In the absence of such a decision, the transfer of data to recipients located in a third country may be made by adopting and documenting appropriate safeguards under Article 46 of the GDPR. In the absence of a decision on adequate data protection or appropriate safeguards, the transfer of personal data to companies within the CRIF Group or other recipients located outside the EEA may be made if the additional conditions established by the GDPR are met.

Your rights In connection with the processing of your data by CRIF, you have the following rights: the right to request access to personal data, rectification, erasure, or restriction of processing, as well as the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office. Additionally, you have the right to object, on grounds relating to your particular situation, to the processing of personal data if CRIF processes it based on the legitimate interest of the controller or a third party. If such an objection is raised, CRIF will cease processing your data unless it demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

Requests regarding the exercise of rights can be sent by mail to CRIF Sp. z o.o., ul. Lublańska 34, 31-476 Kraków or electronically to: dpo@crif.com.