Information notice on the protection of personal data when using Credit Passport Platform
July 2023, Version 2.0
1. Name and contact details of the Controller and the Data Protection Officer
The Company xxx CRIF SA (hereinafter referred to as "ICAP CRIF") based in Kallithea, 2 Eleftheriou Venizelou street., PC 17676, with VAT no. 996952940, tel: 210.72.00.000, which is member of the group of the Italian company “CRIF SpA”, a leader in the provision of credit and business information services, processes the following information for the provision of Credit Passport services to the client.
The contact details of the DPO of ICAP CRIF are as follows: 2 Eleftheriou Venizelou street., PC 17676, Kallithea, Athens, email: privacy@icapcrif.com.
2. Purpose of data processing by ICAP CRIF
2.1. General
We shall only use the SME Data for the following purposes as follows: (a) to provide you with the Services; (b) to improve the App, the Services and our services generally; (c) to anonymize the SME Data and use them for statistical purposes; and/or (d) to share the SME Data (i) with third parties that assist us in providing the requested services to you, (ii) with third parties for statistical purposes and/or (iii) to third parties (for example lenders or professional service companies) for the assessment of your company’s eligibility for their offerings, only upon your explicit consent; (e) to share it with third parties only as described in the existing Privacy Notice and only for the purposes described in the Privacy Notice itself; (f) to promote offers to you.
2.2. Registration as a registered user of Credit Passport service portal (Client)
When you register as a user of Credit Passport portal, we process personal data concerning you or the company - insofar as such information is necessary to carry out the services offered - in order to provide you with the requested services or information, as well as for internal purposes such as billing, client identification and contacting you. If you have any questions, we will use the telephone number or email address you provide to us when registering / ordering. We also process the data you provide us for credit reporting activities. Further information about the data processing activities pursued by ICAP CRIF can be found in the Privacy Notice, which is available here: https://www.icapcrif.com/en/privacy-notice/.
For the provision of the aforementioned Credit Passport services, we will receive and process your company Bank Account Data and, consequently, the supply of the Services, are subject to the signature, by You, of the EULA with the RAISP, through which You expressly authorize the RAISP to collect the Bank Account Data and to transfer such Bank Account Data to Us and to our Subcontractors for the supply of this Services.
The provision of the Services is strictly connected and subject to the execution of the EULA entered between the You and the RAISP for the access to the Bank Account Data.
In order for us to provide the Credit Passport to you, you must give us your explicit consent via the App for us to use Bank Account Data in accordance with the Permitted Purposes.
2.3. Registration as an associate (Trader) of a registered user
As part of the survey initiated by your client, you will be asked to upload data about your company so that the information is accessible for the client via the Credit Passport platform. We also process this data in order to contact you for any questions you may have. Your data will be used for the provision of Credit Passport services to your client. We will also transfer your information to the general business information database maintained by ICAP CRIF. For more information on ICAP CRIF’s activities, please visit https://www.icapcrif.com/en/privacy-notice/.
Furthermore, the data provided are forwarded to the company CRIF SpA for the provision of Credit Passport services as well as for credit reporting activities performed by the aforementioned company. More information on the processing of personal data pursued by CRIF SpA for credit reporting activities can be found here: https://crifesg.com/it/#InfoPrivacy.
2.4. When visiting our website
We collect the information when you access and/or visit our website for the following purposes:
1. The performance of the operations strictly necessary to provide the services or initiatives that may be requested by the user, including navigating the website;
2. Statistical processing of aggregated data relating to the website services.
On the website pages where you will be asked to provide your personal data in an explicit manner you will find, when appropriate, additional information on the protection of personal data and the means of collecting your consent, and/or about the applicable legal basis for the lawful processing of personal data in accordance with Article 6 of GDPR.
2.5. Personal data may also be processed by ICAP CRIF whenever you have given your consent for marketing purposes, including via automated calling systems (e.g., SMS, MMS, e-mail). The provision of personal data for this purpose is optional, and the related processing requires your consent; any refusal by you to provide your consent will not give rise to any consequences.
2.6. Data anonymization
ICAP CRIF also processes personal data (transaction data) in order to anonymize it and then use the information resulting from such processing to train and improve the categorisation engine and risk models.
3. Categories of personal data processing
3.1. When registering and filling in the information in the Credit Passport platform, we collect the following data: Name, first name, address, company data, contact details, VAT number for the proper registration and authorization into the platform.
3.2. After you make a request for a Credit Passport using the App, subject to your compliance with the signed Terms & Conditions we shall: (a) collect all available Bank Account Data directly from RAISP; (b) gather data relating to your business and financial position from relevant third party sources (“Third Party Data”); (c) utilize the Bank Account Data and the Third Party Data (together the “SME Data”) in our systems on an “as is” basis and we shall not verify, audit or carry out any due diligence analysis in relation to the SME Data and/or its accuracy, quality or completeness; (d) use the SME Data to assess your creditworthiness using our credit scoring model; (e) provide you with a Credit Passport; (f) provide you with an updated Credit Passport on a regular basis for the duration of the Term; (g) promptly address any queries that you may have in relation to the content of the Credit Passport, at the time of issue and afterwards; (h) if you notify us of any error in the Credit Passport, promptly support you at no cost to You; (i) in addition, if on the Online Order Form you have chosen to subscribe for the Plus Subscription: (i) provide you with a Credit Passport report in electronic format on the outcome of such assessment and the level of your creditworthiness (“Credit Passport Full Report”); and (ii) only when you get an A++, A+, A or B score, award a badge in electronic format containing the same score scale of the Credit Passport report (“Badge”) for display on your website in accordance with the licence granted in clause 6.1; (j) provide you with information within the App or via email on relevant products and services offered by our Third Party Partners that we believe will be of interest to you.
3.3. When visiting our website:
With reference to browsing data, the computer systems and software procedures used to operate this Website acquire, during their normal operation, some personal data whose transmission is implicit to the use of Internet communication protocols. This information is not collected in association with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This data category includes the IP addresses or domain names of computers used by users who connect to the Website, Uniform Resource Identifier (URI) addresses of the requested resources, the time of the request, the method used to submit the server request, and other parameters related to the user’s operating system and computing environment. The optional and voluntary sending of e-mails to the addresses indicated on the website involves the acquisition of the user’s personal data which is necessary to respond to user requests.
4. Profiling
We use the information we obtain from you to produce scores and ratings (Credit Passport full report) via highly developed scoring models and algorithms.
We recommend to our customers to interpret and use our scores by their own standards. Our customers may choose to use our scores individually or combine the scores with other information available to them. Their decision making will be based around whether to insure or market to, extend credit, acquire, trade or partner with a business entity. Our scores predict the probability of default and/or bankruptcy, whether a business is likely to continue trading, pay its bills on time, receive credit, whether they would be likely to purchase a product or service, where they benchmark within their industry or whether they are subject to any specific risks. We do not make any decisions for an organization – nor do we maintain blacklists and we do not encourage our customers to decide whether to trade with an organization.
The data subject shall have the right not to be subject to a decision made solely on the basis of automated processing, including profiling, which produces legal effects that affect or substantially affect it in a similar manner (Article 21 of the GDPR). ICAP CRIF hereby declares that it does in some cases automate the processing of personal data of the data subjects without however employing automated decision-making processes which in any case do not produce legal effects that affect or significantly affect them by refusing to provide access to services and goods or lead to unjustified discrimination.
5. Categories of recipients of personal data
We share your personal data with other persons only to the extent necessary for the fulfillment of contractual and legal obligations of ICAP CRIF, as well as for our legitimate interest mainly with respect to the Credit Passport platform services Terms and Conditions.
In particular, we share your data (i) with third parties that assist us in providing the requested services to you, (ii) with third parties for statistical purposes and/or (iii) with third parties (for example lenders or professional service companies) for the assessment of your company’s eligibility for their offerings, only upon your explicit consent, (iv) with Crif Realtime Ltd to collect, process and deliver data relevant to your selected use of the service v) with CRIF S.p.A. to train and improve the categorization engine and risk models.
6. Legal basis for data processing
The processing of the aforementioned data in the scope of the Credit Passport service is based on Article 6 (1) (b) GDPR, given that the data processed is necessary for the execution of the contract and the provision of the Credit Passport service. The processing of the aforementioned data for the purposes of the credit reporting activities of ICAP CRIF and the group companies is based on the legitimate interests following the conduct of a legitimate interest assessment according to Art. 6 (1) (f) GDPR. The data processing when using our website is based on one or more of the following conditions. When you request a service or when you participate in a service provided through the website, we process data that are strictly necessary on the basis of Article 6 par. 1 (b) GDPR. In case where other processing takes place such as for marketing purposes or tracking analysis of data is carried out, this processing is based on Art. 6 (1) (a) GDPR. In this context, please review the website's cookies policy. The data processing which consists in anonymizing your data takes place pursuant to a further processing in line with the original purpose for which the personal data was collected. The said processing is based on Art. 6 (1) (f) GDPR, as the anonymised data is then used for ICAP CRIF’s legitimate interest to: a) train and improve the categorisation engine and risk models b) provide, support and improve the Services, c) to conduct analytical research, compile statistical reports and performance tracking, d) develop other services and products and e) to share such data with our affiliates, agents or third parties with whom we have a business relationship.
7. Transfer to a third country
No transfer of information collected will be transferred to a third country or recipient other than those explicitly stated in section 5 hereof and agreed within service Terms & Conditions. Should any third company express interest in receiving such information (e.g. Credit Passport score), this will be activated only upon formal notification and consent.
8. Duration of data processing
Information collected from the initiation of the credit passport service will be retained for a period of seven (7) years.
We store the navigation data that is collected when you visit our website for a maximum period of eighteen (18) months from the last interaction with the website.
9. Rights of data subjects
Data subjects have the right of access according to Art. 15 GDPR, the right of correction according to Art. 16 GDPR, the right to erasure according to Art. 17 GDPR, the right to restrict the processing according to Art. 18 GDPR as well as the right of data portability according to Art. 20 GDPR and the right to object to processing according to Art. 21 GDPR.
You may exercise any of the above rights any time utilizing our privacy office contact details: 2 Eleftheriou Venizelou street., PC 17676, Kallithea, Athens, email: privacy@icapcrif.com.
You can also contact the supervisory authority responsible for us, the Hellenic Data Protection Authority (Kifissias 1-3, PC 115 23, Athens, Greece, Telephone: +30-210 6475600, Ε-mail: contact@dpa.gr).
If the processing of data is based on your consent, you are entitled according to Art. 7 GDPR to revoke your consent at any time. Please note that the withdrawal will only have an effect for the future. Processing of data performed before the withdrawal is not affected. Please also note that we may have to keep certain data for a certain period of time in order to meet legal requirements.