Privacy Notice

Clients and their employees CRIF Decision Solutions Ltd. is deeply committed to protecting your privacy, which is why we have set out this privacy notice describing the personal data that we might process about you, why we process it, where we might get your personal data from, and how we handle it.

This notice also sets out how you can engage with us or how you can contact the Information Commissioner’s Office, if you have any concerns about your personal data.

Who we are and how to contact us

CRIF Decision Solutions Ltd. Is a company registered in the United Kingdom (Registration Number: 03395992) and our Data Protection Officer is contactable at dpo.uk@crif.com or if you wish to write to us in this regard, please use the following address:

Data Protection Officer / Head of Compliance
CRIF Decision Solutions Ltd.
55 Old Broad Street, London EC2M 1RX

The type of information we have

CRIF Decision Solutions Ltd (“We”) processes data both as a Data Controller, for our own purposes, and as a Data Processor on behalf of other entities.

1: DATA CONTROLLER ACTIVITIES

Provision of services
We provide information services, consumer reporting and cyber risk solutions to a broad range of clients, particularly in the financial and insurance services sectors, which allow them to, amongst other things:

• screen the personal details of an individual and validate their identity (for example for Anti Money Laundering and ‘Know Your Customer’ purposes);
• assess insurance claims history for Motor, Personal Injuries and Home policies;
• allow insurers check Pet insurance claims;
• investigate potential fraud;
• assess Cyber Risk.

For many of these services, the personal data that we process is provided to us by third parties, rather than directly by you, the data subject.

Running our business
In the normal course of running our business we process the personal data of employees of our clients, suppliers and other third parties. This includes business contact details such as names, email addresses and phone numbers which may have been provided to us indirectly by your employer or our business partners rather than directly by you. These entities should provide their employees and associates with an appropriate information notice to cover how we process their data.
In addition, we process personal data of our own employees, in which role we are a joint Data Controller with our parent company CRIF SpA, via M. Fantin, 1-3, 40131 Bologna, Italy.

Promoting our services
Finally, we process personal data of persons to whom we wish to promote our services. This will include business contact data which we may have collected directly from you either in the course of provisioning you for our services, or from this web site or an industry information service.

2: DATA PROCESSOR ACTIVITIES

We act as a Data Processor in the provision of a number of services and in these roles, we process the data provided to us by the respective Data Controllers, and act solely on the instructions of the Data Controller:

We are a Data Processor:
• in our role as a Nominated Supplier to the Motor Insurers’ Bureau, (https://www.mib.org.uk/ - a group that manages databases that support the UK insurance industry, for example the Claims and Underwriting Exchange (CUE) database).
• for Claims Portal Ltd. (https://www.claimsportal.org.uk), a not-for-profit company which manages the Small Claims Process for the processing of pre-action personal injury claims for the Ministry of Justice.
• for an insurance industry service called Elixir Intelligence which monitors the collection of premia from brokers on behalf of insurers.
• in the provision of a messaging system between our insurance clients and the UK Department of Work & Pensions relating to certificates and compensation.
• when we process personal data provided to us by prospective clients to allow them to assess the appropriateness of our services for their business.

How we get the information and why we have it

Provision of services
A) We provide clients with information that allows them to check the identity of their customers or potential customers (e.g. information on former addresses, Politically Exposed Persons, Sanctions lists, court judgements, electoral roll etc.). We may obtain this information from commercial or public sources.

B) We provide clients with information that allows them to check if there are frauds in the insurance sector. We may obtain this information from insurance claims databases, commercial or public sources, or from our clients, for example when they share information about suspected or actual fraud.

For these services, we process personal data on the basis of our legitimate interests in providing the services in question, and the legitimate interests of our clients who need to be able to know their customers, carry our anti-money laundering checks, detect fraud, avoid cyber security risks, etc. These interests are set out in Legitimate Interests Assessments which are available on request.

C) We provide our Cyber Check service and a related service called KYND ON to allow our clients to assess their cyber security risks and we need the personal data of key contacts within those clients to activate the service and manage the contract.

Running our business
Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services, or where you or your employer provides a service to us.

Such data can be used to enable us to:
• provide you with the ability to use our services (for example provide you with username and password), provide support services such as a Helpdesk service, and to monitor such use for billing or security purposes
• administer your or your employer’s contract with us, including invoicing, debt recovery etc.

Our legal basis for processing this data is either for our legitimate interests, or for the performance of a contract if we are dealing directly with you. If we are dealing with your employer or client, they should be advising you as to why they are providing your personal data to their customers or service providers.

We obtain information about current, past or prospective employees either directly from you, or from recruitment consultants and the like. This information is used for HR administration, including payroll and recruitment.

Promoting our services
Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services. We may also have gathered your data through your interactions with this website (for example through the “Contact us” page, website analytics or cookies) or from another organisation involved in business-to-business information services.

Such data can be used to enable us to keep you informed about developments at CRIF Decision Solutions Ltd and in our services, conducting market research and analysis, or determining your suitability for our services.

We may not be able to respond to your requests, if you choose not to supply the data requested.

We are doing so on the basis of our legitimate interests in promoting and developing our business. A specific Legitimate Interests Assessment for these purposes is available on request.
The following table summarises the data we process as a Data Controller, the sources of that data and our legal bases:

	CATEGORIES OF DATA SUBJECTS	CATEGORIES OF PERSONAL DATA	SOURCE	LEGAL BASIS
Identity Verification Services (ID Check, AML Check, Vehicle Check and Vehicle Keeper Check)	Policyholders, prospective policyholders, claimants, Bankrupts, persons with judgements Politically Exposed Persons and their relatives and close associates; criminals and individuals or organisations that are subject to global sanctions, terrorists; users of the system. Politically Exposed Persons and their relatives and close associates; criminals and individuals or organisations that are subject to global sanctions, terrorists; users of the system.	Names; contact details; place and date of birth; country of residence and country of citizenship; occupations; relationship (if applicable) to a public figure; bank account details; judgements and insolvency information;	Commercially available sources for anti-money laundering services	Legitimate Interest
Insurance Claims Searches History and Risk Assessment (RADAR Personal Injury, Home and Motor Policy Check)	Policyholder/proposer Claimant; users of the system.	Names; contact details; date of birth, gender; occupations; injury details; representatives’ contact details; car registration. User login credentials and permissions. .	Motor, home and personal injury claims data supplemented by commercially available data.	Legitimate Interest
Pet Insurance Claims (CACHE Pet)	Policyholders, Third Parties; Veterinary Surgeons; Suppliers (other than Veterinary Surgeons; Witnesses; users of the system.	Names; gender; date of birth; occupation; contact details; bank account; claim details. User login credentials and permissions.	Insurer	Legitimate Interest
Insurance Fraud (Sherlock and Footprint)	Employees of insurance companies, fraud investigators; persons linked to the claim; users of the system.	Names; contact details; gender; date of birth; NIN; driving licence; investigator’s case history, including previous queries. Details of linkages between persons and the claim. User login credentials and permissions. Details of linkages between persons and the claim. User login credentials and permissions.	Inquiries by insurers and investigators	Legitimate Interest
Cyber Security Risks (Cyber Check and KYND ON)	Clients and their employees	Name, business email and phone	Clients when accounts are set up	Legitimate Interest
Promoting our services	Clients and their agents and employees	Business or personal contact details	Directly from our website or through third party sources	Legitimate Interest
Assisting users of our services	Clients and their agents and employees	Business or personal contact details	Directly from the data subject, or indirectly from their employer or our resellers, as part of the process for activating users on our services.	Legitimate Interest
Employment	Our employees	For employees: Name, DOB, Address, Contact information, Health records, performance and disciplinary records, annual leave history, salary and payroll details. For their NOK: Name, address, contact number. For their children: Name, date of birth.	Direct from employees	Performance of contract
Business contacts	Contacts in suppliers and clients	Names, business emails and telephones	Either directly or from employers	Legitimate Interest
Data Subject Rights Requests	Data subjects	Identification data including NIN	Directly from data subject	Legal Obligation

In all cases we will also process personal data as required by applicable law.

What we do with the information

As a Data Controller, we make information available to our clients to assist them in their decision-making, whether that is about financial services or insurance quotations/claims. Our clients include financial and insurance services organisations and professional advisers (e.g. solicitors, loss adjustors).

The electronic processing of personal data for which we are a Controller is generally undertaken by our parent company CRIF SpA., located in Italy, under a formal contract that provides protection appropriate to the personal data. CRIF SpA is accredited to ISO27001:2013, the international standard for information security management systems.

For the management of some marketing contact data, client Helpdesk services etc. we use external services that may be based outside the United Kingdom and the EEA. We use Standard Contractual Clauses as a safeguard for such transfers to ensure they are made in compliance with Data Protection Legislation.

	SHARED WITH
Identity Verification Services	Clients
Insurance Claims Searches	Clients
Pet Insurance Claims	Clients
Cyber Security Risk	KYND as the service provider and Stripe for online payments
Promoting our services	External service providers, other CRIF companies
Assisting users of our services	External service providers
Employment	Other CRIF companies
Business contacts	Other CRIF companies
Data Subject Rights Requests	Outsourced Data Protection Officer

Where we are the “data processor”, we act on the instructions of the data controller.

How we store your information

Where we are the Data Controller, we keep the information according to the following criteria:

	DATA RETENTION CRITERIA/PERIOD
Identity Verification	Three years after client search
Insurance Claims Searches and Risk Assessment	Results of search enquiries performed by users is retained for one month. Claims data is retained for a period determined by the MIB.
Insurance Claims Searches and Risk Assessment	Results of search enquiries performed by users is retained for one month. Claims data is retained for a period determined by the MIB.
Pet Insurance Claims	Six years after the claims are closed
Insurance Fraud Investigations	Enquiry history retained for three years after client search. Enquiries can be packaged into investigation cases; these cases are retained for one month.
Cyber Security Risks	One year after termination of contract
Promoting our services	Eighteen months if no contract established
Assisting users of our services	One year after termination of contract
Employment	10 years from termination of employment relationship
Business contacts	One year after termination of contract
Data Subject Rights Requests	Two years from last contact with Data Subject

On a case by case basis, records may be retained for longer where required for actual or potential legal actions or investigations by supervisory authorities, or the management or mitigation of operational or strategic risks to the organisation.

Where we are a data processor, we keep your data for as long as the Data Controller asks us to.

Your data protection rights

Where we are processing your personal data as a Data Controller, you may have the right to request of us access to, and rectification or erasure, of personal data or the restriction of processing concerning your data or to object to processing as well as the right to data portability. Furthermore, to the extent that our processing may be based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before this withdrawal.

Please bear in mind that your rights in relation to your Personal Data are not absolute. It is important to note that we are processing much of the data either on the basis of legitimate interests or performance of contract, rather than consent. This means there is no absolute right to have such data erased, but you may have rights to both object to such processing or to restrict it.

In circumstances where we have obtained your data from a third party we may need to confirm the accuracy of the data with that third party before rectification.

Marketing communications with you will be conducted in compliance with the Privacy and Electronic Communications Regulations (PECR) which give you specific privacy rights in relation to electronic communications. We provide an opt-out in each communication which allows you express your preferences with regard to receiving subsequent communications.

Please contact us at the email or postal addresses above if you wish to make a data subject request.

In our role as Data Processor, we also hold personal data. In such cases, you would need to contact the respective “Data Controller” to exercise your data protection rights. If you have any requests we can direct you to the appropriate Data Controller.

How to complain

You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s postal address is:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF

Helpline telephone number: 0303 123 1113
Online at https://ico.org.uk/make-a-complaint/

COOKIE POLICY: This site places cookies on your device and you can click on this link to understand which cookies we use and why.

Date: November 2020