Clients and their employees CRIF Decision Solutions Ltd. is deeply committed to protecting your privacy, which is why we have set out this privacy notice describing the personal data that we might process about you, why we process it, where we might get your personal data from, and how we handle it.
This notice also sets out how you can engage with us or how you can contact the Information Commissioner’s Office, if you have any concerns about your personal data.
Who we are and how to contact us
CRIF Decision Solutions Ltd. Is a company registered in the United Kingdom (Registration Number: 03395992) and our Data Protection Officer is contactable at email@example.com or if you wish to write to us in this regard, please use the following address:
Data Protection Officer / Head of Compliance
CRIF Decision Solutions Ltd.
55 Old Broad Street, London EC2M 1RX
The type of information we have
CRIF Decision Solutions Ltd (“We”) processes data both as a Data Controller, for our own purposes, and as a Data Processor on behalf of other entities.
1: DATA CONTROLLER ACTIVITIES
Provision of services
We provide information services, consumer reporting and cyber risk solutions to a broad range of clients, particularly in the financial and insurance services sectors, which allow them to, amongst other things:
• screen the personal details of an individual and validate their identity (for example for Anti Money Laundering and ‘Know Your Customer’ purposes);
• assess insurance claims history for Motor, Personal Injuries and Home policies;
• allow insurers check Pet insurance claims;
• investigate potential fraud;
• assess Cyber Risk.
For many of these services, the personal data that we process is provided to us by third parties, rather than directly by you, the data subject.
Running our business
In the normal course of running our business we process the personal data of employees of our clients, suppliers and other third parties. This includes business contact details such as names, email addresses and phone numbers which may have been provided to us indirectly by your employer or our business partners rather than directly by you. These entities should provide their employees and associates with an appropriate information notice to cover how we process their data.
In addition, we process personal data of our own employees, in which role we are a joint Data Controller with our parent company CRIF SpA, via M. Fantin, 1-3, 40131 Bologna, Italy.
Promoting our services
Finally, we process personal data of persons to whom we wish to promote our services. This will include business contact data which we may have collected directly from you either in the course of provisioning you for our services, or from this web site or an industry information service.
2: DATA PROCESSOR ACTIVITIES
We act as a Data Processor in the provision of a number of services and in these roles, we process the data provided to us by the respective Data Controllers, and act solely on the instructions of the Data Controller:
We are a Data Processor:
• in our role as a Nominated Supplier to the Motor Insurers’ Bureau, (https://www.mib.org.uk/ - a group that manages databases that support the UK insurance industry, for example the Claims and Underwriting Exchange (CUE) database).
• for Claims Portal Ltd. (https://www.claimsportal.org.uk), a not-for-profit company which manages the Small Claims Process for the processing of pre-action personal injury claims for the Ministry of Justice.
• for an insurance industry service called Elixir Intelligence which monitors the collection of premia from brokers on behalf of insurers.
• in the provision of a messaging system between our insurance clients and the UK Department of Work & Pensions relating to certificates and compensation.
• when we process personal data provided to us by prospective clients to allow them to assess the appropriateness of our services for their business.
How we get the information and why we have it
Provision of services
A) We provide clients with information that allows them to check the identity of their customers or potential customers (e.g. information on former addresses, Politically Exposed Persons, Sanctions lists, court judgements, electoral roll etc.). We may obtain this information from commercial or public sources.
B) We provide clients with information that allows them to check if there are frauds in the insurance sector. We may obtain this information from insurance claims databases, commercial or public sources, or from our clients, for example when they share information about suspected or actual fraud.
For these services, we process personal data on the basis of our legitimate interests in providing the services in question, and the legitimate interests of our clients who need to be able to know their customers, carry our anti-money laundering checks, detect fraud, avoid cyber security risks, etc. These interests are set out in Legitimate Interests Assessments which are available on request.
C) We provide our Cyber Check service and a related service called KYND ON to allow our clients to assess their cyber security risks and we need the personal data of key contacts within those clients to activate the service and manage the contract.
Running our business
Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services, or where you or your employer provides a service to us.
Such data can be used to enable us to:
• provide you with the ability to use our services (for example provide you with username and password), provide support services such as a Helpdesk service, and to monitor such use for billing or security purposes
• administer your or your employer’s contract with us, including invoicing, debt recovery etc.
Our legal basis for processing this data is either for our legitimate interests, or for the performance of a contract if we are dealing directly with you. If we are dealing with your employer or client, they should be advising you as to why they are providing your personal data to their customers or service providers.
We obtain information about current, past or prospective employees either directly from you, or from recruitment consultants and the like. This information is used for HR administration, including payroll and recruitment.
Promoting our services
Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services. We may also have gathered your data through your interactions with this website (for example through the “Contact us” page, website analytics or cookies) or from another organisation involved in business-to-business information services.
Such data can be used to enable us to keep you informed about developments at CRIF Decision Solutions Ltd and in our services, conducting market research and analysis, or determining your suitability for our services.
We may not be able to respond to your requests, if you choose not to supply the data requested.
We are doing so on the basis of our legitimate interests in promoting and developing our business. A specific Legitimate Interests Assessment for these purposes is available on request.
The following table summarises the data we process as a Data Controller, the sources of that data and our legal bases: