Privacy Notice

CRIF Decision Solutions Ltd. is deeply committed to protecting your privacy.

This privacy notice provides you with information regarding the management of this website and the services that we provide, describing the personal data that we might process about you, why we process it, where we might get your personal data from, and how we handle it.

Where we provide links to other websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

From time to time, we may provide you with additional privacy notices or information around the processing of personal data to supplement this notice.

  1. Contact details
  2. What information we collect, use, and why
  3. Lawful bases
  4. Your data protection rights
  5. How long we keep information
  6. Who we share information with
  7. Sharing information outside the UK
  8. How to complain
  9. Last Updated

1. Who are we and how to contact us:

CRIF Decision Solutions Ltd. is a company registered in the United Kingdom (Registration Number: 03395992).

You can contact the Company’s DPO:

  • Via email: dpo.uk@crif.com
  • Via post: Data Protection Officer, CRIF Decision Solutions Ltd., 14 Austin Friars, London, EC2N 2HG, UK

2. What information we collect, use, and why

CDS processes personal data both as a Data Controller and as a Data Processor on behalf of other entities.

We act as Data Controller when:

  • The Website automatically collects and processes personal data directly from your device using standard internet communication protocols. This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the addresses notation of the requested resources, the time of the request, the method used in submitting the request to the server and other parameters relating to the operating system and the user's IT environment.
  • We collect and process personal data directly through Contact Forms as indicated therein (e.g. name, surname, e-mail, telephone number, Company, VAT number, Address, Postcode, City, Province, Country), to enable us to respond to your requests.
  • We collect and process personal data indirectly (from commercial or public sources, from suppliers and other business partners, from insurance claims information provided by insurance companies) in the provision of our services to our clients: we provide information services, consumer reporting to a broad range of clients, particularly in the financial and insurance services sectors (our clients include financial and insurance services organisations and professional advisers e.g. solicitors, loss adjustors) to assist them in their decision-making. This allows our clients to, amongst other things: screen the personal details of an individual and validate their identity; assess insurance claims history for Motor, Personal Injuries and Home policies; allow insurers to check Pet insurance claims; investigate potential fraud. In doing so:
    • We provide clients with information that allows them to check the identity of their customers or potential customers.
    • We provide clients with information that allows them to check if there are fraudulent activities pertaining to insurance.
  • In running our business: we process the personal data of employees of our clients, suppliers and other third parties. This includes business contact details such as names, email addresses and phone numbers which may have been provided to us indirectly by your employer or our business partners rather than directly by you. These entities should provide you with an appropriate information notice. Such data can be used to enable us to:
    • Provide you with the ability to use our services (for example provide you with username and password), provide support services such as a Helpdesk service, and to monitor such use for billing or security purposes;
    • Administer your or your employer’s contract with us, including invoicing, debt recovery etc.
  • In and for promoting our services: we process personal data of persons to whom we wish to promote our services. This will include business contact data which we may have collected directly from you either in the course of provisioning you for our services, or from this website or an industry information service, such as sponsored content on other websites.

The electronic processing of personal data for which we are a Controller is generally undertaken by our parent company CRIF SpA under a formal contract that provides protection appropriate to the personal data. CRIF SpA is accredited to ISO27001:2022, the international standard for information security management systems.

3. Our lawful bases for the collection and use of your data

Under UK data protection law, we must have a lawful basis for collecting and using your personal information.

Our lawful basis for collecting and processing your personal information for dealing with your queries (media, general, on solutions, news and events and resources) is:

  • Legitimate interest - for informing you of our services, unless you have specifically opted out from receiving marketing communications by email or by telephone.

Our lawful basis for collecting and processing your personal information for dealing with data subjects’ rights requests is:

  • Legal obligation [ex. Art 15 UK GDPR]

Our lawful bases for collecting and processing your personal information to provide and improve products and services for clients are:

  • Legitimate interests – we’re collecting or using your data on the basis of our legitimate interests in providing the services in question, and the legitimate interests of our clients who need to be able to know their customers, carry out anti-money laundering checks, detect fraud, etc. These interests are set out in Legitimate Interests Assessments, which are available upon request.
  • In some circumstances, where we process Special Category Personal Data we do so due to the substantial public interest in regard to fraud prevention and the prevention of money laundering and terrorist financing.

Our lawful bases for collecting and processing your personal information to run our business are:

  • Legitimate interest – if we are dealing with your employer or client, they should be advising you as to why they are providing your personal data to their customers or service providers.
  • In some circumstances, where we process Special Category Personal Data we do so due to the substantial public interest in regard to fraud prevention and the prevention of money laundering and terrorist financing.

Our lawful bases for collecting and processing your personal information to promote our services are:

  • Legitimate interests in promoting and developing our business. Such data can be used to enable us to keep you informed about developments at CRIF Decision Solutions Ltd and in our services, conducting market research and analysis, or determining your suitability for our services. A specific Legitimate Interests Assessment for these purposes is available on request.

The following table summarises the data we process as a Data Controller, the sources of that data and our legal bases.

| NEW | PURPOSES | CATEGORIES OF DATA SUBJECTS | CATEGORIES OF PERSONAL DATA | SOURCE | LEGAL BASIS UK GDPR | UK DPA SCHEDULE 1 CONDITION |
|---|---|---|---|---|---|---|
| ID CHECK AND AML CHECK VEHICLE CHECK AND VEHICLE KEEPER CHECK | Identity Verification Services | Bankrupts, Policyholders, Prospective policyholders; Claimants, Persons with judgements; Politically Exposed Persons and their relatives and close associates; Criminals and individuals or organisations that are subject to global sanctions; Terrorists; Users of the system. | Names; contact details; place and date of birth; country of residence and country of citizenship; occupations; relationship to a public figure (if applicable); bank account details; judgements and insolvency information; | Commercially available sources for anti-money laundering services | Legitimate Interest; processing is necessary for reasons of substantial public interest; | 14. Preventing fraud |
| RADAR PERSONAL INJURY, HOME AND MOTOR POLICY CHECK | Insurance Claims Searches History and Risk Assessment | Policyholder/proposer Claimant; users of the system. | Names; contact details; date of birth, gender; occupations; injury details; representatives’ contact details; car registration. User login credentials and permissions. | Motor, home and personal injury claims data supplemented by commercially available data. | Legitimate Interest | 14. Preventing fraud |
| CACHE PET | Pet Insurance Claims | Policyholders, Third Parties; Veterinary Surgeons; Suppliers; Witnesses; users of the system. | Names; gender; date of birth; occupation; contact details; bank account; claim details. User login credentials and permissions. | Insurer | Legitimate Interest | - |
| PET CHECK | Supporting insurance clients | Insurance companies; prospective policyholders | Claims under other pet insurance policies; addresses; identity of prospective policyholder; County Court Judgments (CCJs) and any PEPs or Sanctions data. | Insurance clients and from public sources (CCJs) | Legitimate Interest | 14. Preventing fraud |
| SHERLOCK INVESTIGATION & ALERT FOOTPRINT | Insurance Fraud | Employees of insurance companies, fraud investigators; persons linked to the claim; users of the system. | Names; contact details; gender; date of birth; NIN; driving licence; investigator’s case history, including previous queries. Details of linkages between persons and the claim. User login credentials and permissions. Details of linkages between persons and the claim. | Inquiries by insurers and investigators | Legitimate Interest; processing is necessary for reasons of substantial public interest; | UK Data Protection Act 2018 Schedule 1 10. Preventing or detecting unlawful acts; 14. Preventing fraud; |
| PROMOTING OUR SERVICES | - | Business or personal contact details | Business or personal contact details | Directly from our website or through third party sources | Legitimate Interest | - |
| ASSISTING USERS OF OUR SERVICES | - | Business or personal contact details | Business or personal contact details | Directly from the data subject, or indirectly from their employer or our resellers, as part of the process for activating users on our services. | Legitimate Interest | - |
| BUSINESS CONTACTS | Contacts in suppliers and clients | Business contacts; Contacts in suppliers and clients | Names, business emails and telephones | Either directly or from employers | Legitimate Interest | - |
| DATA SUBJECT RIGHTS REQUESTS | Processing any subject rights exercised, including verification, reviewing and actioning a request | Individuals exercising their rights under applicable data protection laws | Any and all personal data CRIF Decision Solutions has a record of in relation to you. | All sources where CDS obtains personal data from. | Legal Obligation | - |

4. Data Protection Rights

You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website (For the public | ICO).

More information on how to submit a data subject request to CDS is available at the end of this notice and here.

  • Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
  • Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
  • Your right to erasure - You have the right to ask us to delete your personal information.
  • Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information.
  • Your right to object to processing - You have the right to object to the processing of your personal data.
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
  • Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.

Please bear in mind that your rights in relation to your Personal Data are not absolute. Which lawful basis we rely on may affect your data protection rights.

In particular:

  • When we are processing your personal data as a Data Controller: you may have the right to request of us access to, and rectification or erasure, of personal data or the restriction of processing concerning your data or to object to processing as well as the right to data portability. Furthermore, to the extent that our processing may be based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before this withdrawal.
  • It is important to note that we are processing much of the data either on the basis of legitimate interests or performance of contract, rather than consent. This means there is no absolute right to have such data erased, but you may have rights to both object to such processing or to restrict it.
  • In circumstances where we have obtained your data from a third party we may need to confirm the accuracy of the data with that third party before rectification.
  • Marketing communications with you will be conducted in compliance with the Privacy and Electronic Communications Regulations (PECR) which give you specific privacy rights in relation to electronic communications. We provide an opt-out in each communication which allows you to express your preferences with regard to receiving subsequent communications.
  • In our role as Data Processor, we also hold personal data. In such cases, you would need to contact the respective “Data Controller” to exercise your data protection rights. If you have any requests we can direct you to the appropriate Data Controller.

5. How long we keep your personal data

  • Identity Verification: Three years after the client search.
  • Insurance Claims Searches and Risk Assessment: Results of search enquiries performed by users are retained for one month. Claims data is retained for a period determined by the MIB.
  • Pet Insurance Claims: Six years after the claims are closed.
  • Insurance Fraud Investigations: Enquiry history is retained for three years after the client search. Enquiries can be packaged into investigation cases; these cases are retained for one month.
  • Promoting our services: Eighteen months if no contract has been established.
  • Assisting users of our services: One year after termination of contract.
  • Business contacts: One year after termination of contract.
  • Data Subject Rights Requests: Two years from last contact with the Data Subject.

On a case-by-case basis, records may be retained for longer where required for the establishment, exercising or defending of actual or potential legal actions or investigations by supervisory authorities, or the management or mitigation of operational or strategic risks to the organisation.

Where we are a Data Processor, we keep your data for as long as the Data Controller asks us to.

6. Recipients of your data

When we act as Data Controllers:

  • Identity Verification: Clients
  • Insurance Claims: Clients
  • Pet Insurance: Clients
  • Promoting our services: External service providers, other CRIF companies
  • Assisting users of our services: External service providers
  • Business contacts: Other CRIF companies

7. Sources of your data

We act as a Data Processor in the provision of a number of services and in this role, we process the data provided to us by the respective Data Controllers, and act solely on the instructions of the Data Controller:

  • In our role as a Nominated Supplier to the Motor Insurers’ Bureau (https://www.mib.org.uk), a group that manages databases that support the UK insurance industry, for example the Claims and Underwriting Exchange (CUE) database.
  • For Claims Portal Ltd. (https://www.claimsportal.org.uk), a not-for-profit company which manages the Small Claims Process for the processing of pre-action personal injury claims for the Ministry of Justice.
  • For an insurance industry service called Elixir Intelligence which monitors the collection of premia from brokers on behalf of insurers.
  • In the provision of a messaging system between our insurance clients and the UK Department of Work & Pensions relating to certificates and compensation.
  • When we process personal data provided to us by prospective clients to allow them to assess the appropriateness of our services for their business.

8. Transfers outside the UK

Where necessary, we may transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

  • CRIF S.p.A. is located in Italy.
    • How the transfer complies with UK data protection law: Italy has a UK data bridge (also known as Adequacy Regulations).

9. How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

10. Last updated

September 2025