Last modified: July 2020
This website (“Website”) is provided by CRIF Decision Solutions Ltd. (“CDS” / “we” / “us”), a company registered in England and Wales and located at Suite 1, 3rd Floor 11 - 12 St. James's Square, SW1Y 4LB London, United Kingdom.
A number of our services are presented on this Website (“Services”). How you buy and use each of these Services will depend on separate terms and conditions provided by us or other organisations.
Nothing on this Website shall constitute an offer by us to provide any Services to any person at any time accessing this Website.
You must follow any policies made available to you on the Website. Do not misuse the Website. For example, do not interfere with the Website functionalities or try to access it using a method other than the interface and the instructions that we provide.
You may use the Website only as permitted by law.
The content on this Site is for your personal use only and not for commercial exploitation. You may not reproduce, republish, distribute, display or transmit for commercial, non-profit or public purposes all or any portion of the Website, except to the extent permitted above. You may not use this Website to transmit any false, misleading, fraudulent or illegal communications.
We reserve the right to investigate complaints or reported violations of our Terms and to take any action we deem appropriate including but not limited to reporting any suspected unlawful activity to law enforcement officials, regulators, or other third parties and disclosing any information necessary or appropriate to such persons or entities relating to user profiles, e-mail addresses, usage history, posted materials, IP addresses and traffic information.
We may suspend or stop providing the Website to you if you do not comply with our Terms or policies or if we are investigating suspected misconduct.
We are constantly changing and improving the Website. We may add or remove functionalities or features, and we may suspend or stop providing the Website altogether.
CDS may also add or create new limitations to the Website at any time. If we discontinue or change a functionality of the Website, we will give you reasonable advance notice, where possible.
In connection with your use of the Website, we may send you service announcements, administrative messages, and other information.
You need to create a Company Account in order to subscribe to and use our Services.
You can create your own Company Account by signing up and registering your company.
Only the legal representatives of your company or those with duly authorised power of attorney are allowed to create a Company Account on behalf of the company. When you sign up, you declare that you have the authority to accept these Terms on behalf of the company.
If your request for registration is accepted:
- your Company Account will be created
- a default area for your Company Account will be created
- a default billing centre for your Company Account will be created
- the credentials and instructions on how to access the Account will be sent to the email address you specified when signing up
- when you log in, you will access the Company Account using the “Account Administrator” profile.
Once a Company Account has been successfully created, one or more User Accounts may be created and assigned to your employees or representatives exclusively by the Account Administrator in order to use our Services as part of the same Company Account.
Every User Account you add is a subsidiary account with specific access rights to an individual Company Account.
The Account Administrator can create and disable any User Account.
Each User Account registration is for an individual user only. We do not permit a) anyone other than you to access the Company Account by using your credentials; or b) access through an individual User Account being made available to multiple users on a network or otherwise. You are the sole person responsible for preventing such unauthorised use.
To protect your Company Account, be diligent and pay maximum attention to the secrecy and confidentiality of your username and password, preventing them from being used inappropriately, erroneously or without authorisation. Do not reuse your password on third-party applications.
You are the sole person responsible for the activity carried out by your employees or representatives or by any unauthorised third party on or through your Company Account.
If you learn of any unauthorised use of your Company Account, immediately inform CDS in writing to the relevant contact details set out on the 'Contact us' page.
You hereby agree to provide accurate and complete registration information. It is your responsibility to inform us of any changes to that information.
By creating and accessing an Account, you agree that CDS can process your data in accordance with our privacy policies.
You need to log in to a Company Account with an Account Administrator profile in order to subscribe to one of our Services.
In order to subscribe to a Service, an Account Administrator should go to the homepage of the Service and click the button to send a subscription request.
The submission of a request to subscribe to a Service does NOT mean that the Service is automatically activated or that either party is bound to sell or purchase the Service.
CDS will be notified and will start the procedures to activate the Service for the relevant Company Account.
Only when your company subscribes will the relevant terms and conditions of the Service be activated for that Company Account.
Our Website is provided using commercially reasonable skill and care, and we hope you will enjoy using it.
Other than as expressly set out in these Terms or additional terms, CDS makes no specific promises about the Website.
We do not make any commitments about the content of the Website, the specific functions of the Website, or their reliability, availability, or ability to meet your needs.
We provide the Website “as is” and give no warranties, conditions, guarantees or representations, explicit or implied, that this Website will be available without interruption, or that it is free of errors, viruses or bugs. You acknowledge that it is your responsibility to implement sufficient procedures and virus checks (including anti-virus and any other appropriate or applicable security checks) to satisfy your specific requirements as to the accuracy and/or content of information.
When permitted by law, CDS will not be responsible for lost profits, revenues or data, financial losses or indirect, special, consequential, exemplary, or punitive damages.
In all cases, CDS will not be liable for any loss or damage that is not reasonably foreseeable.
However, nothing in these Terms removes or limits our liability for death or personal injury caused by our negligence or for any liability which we cannot limit or exclude under the law.
We shall not be liable for any loss, injury, claim, liability or damage of any kind resulting from your use of the Website. You shall hold harmless and indemnify CDS and its affiliates, officers, agents, and employees from any claim, suit or action arising from or related to the use of the Website or violation of these Terms, including any liability or expenses arising from claims, losses, damages, suits, judgments, litigation costs and legal fees.
This Website may contain hypertext links to web pages operated and maintained by third parties. These links are provided for your convenience only and we do not control and are not responsible for the content of such web pages. Our inclusion of such links does not imply any endorsement of the material contained therein or of the owners. If you use the links to visit third party web pages, you do so at your own risk. You must not link to our Website without first obtaining our written permission.
We may modify these Terms to, for example, reflect changes to the law or changes to the Website.
We will post a notice of modifications to these Terms on this page.
If you do not agree to the modified Terms you must discontinue using the Website.
These Terms control the relationship between CDS and you. They do not create any third-party beneficiary rights.
If you do not comply with these Terms, and we do not take action right away, this does not mean that we are giving up any rights that we may have (such as taking action in the future).
If one specific term is not enforceable, this will not affect any other terms.
You agree that the laws of England and Wales, excluding choice-of-law provisions, will apply to any disputes arising out of or relating to these Terms.
All claims arising out of or relating to these Terms will be litigated exclusively in the courts of London, UK.
If you have any questions about this Website or these Terms, please use the relevant contact details set out on the 'Contact us' page.
Last modified: July 2020
CRIF Decision Solutions Ltd. is deeply committed to protecting your privacy, which is why we have set out this privacy notice describing the personal data that we might process about you, why we process it, where we might get your personal data from, and how we handle it.
This notice also sets out how you can engage with us or how you can contact the Information Commissioner’s Office, if you have any concerns about your personal data.
CRIF Decision Solutions Ltd. is a company registered in the United Kingdom (Registration Number: 03395992) and our Data Protection Officer is contactable at email@example.com or if you wish to write to us in this regard, please use the following address:
Data Protection Officer / Head of Compliance
CRIF Decision Solutions Ltd.
55 Old Broad Street
London EC2M 1RX
CRIF Decision Solutions Ltd (“We”) processes data both as a Data Controller, for our own purposes, and as a Data Processor on behalf of other entities.
We provide information services, consumer reporting and cyber risk solutions to a broad range of clients, particularly in the financial and insurance services sectors, which allow them to, amongst other things:
For many of these services, the personal data that we process is provided to us by third parties, rather than directly by you, the data subject.
In the normal course of running our business we process the personal data of employees of our clients, suppliers and other third parties. This includes business contact details such as names, email addresses and phone numbers which may have been provided to us indirectly by your employer or our business partners rather than directly by you. These entities should provide their employees and associates with an appropriate information notice to cover how we process their data.
In addition, we process personal data of our own employees, in which role we are a joint Data Controller with our parent company CRIF SpA, via M. Fantin, 1-3, 40131 Bologna, Italy.
Finally, we process personal data of persons to whom we wish to promote our services. This will include business contact data which we may have collected directly from you either in the course of provisioning you for our services, or from this web site or an industry information service.
We act as a Data Processor in the provision of a number of services and in these roles, we process the data provided to us by the respective Data Controllers, and act solely on the instructions of the Data Controller:
We are a Data Processor:
For these services, we process personal data on the basis of our legitimate interests in providing the services in question, and the legitimate interests of our clients who need to be able to know their customers, carry out anti-money laundering checks, detect fraud, etc. These interests are set out in Legitimate Interests Assessments which are available on request.
Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services, or where you or your employer provides a service to us. Such data can be used to enable us to:
Our legal basis for processing this data is either for our legitimate interests, or for the performance of a contract if we are dealing directly with you. If we are dealing with your employer or client, they should be advising you as to why they are providing your personal data to their customers or service providers.
We obtain information about current, past or prospective employees either directly from you, or from recruitment consultants and the like. This information is used for HR administration, including payroll and recruitment.
Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services. We may also have gathered your data through your interactions with this website (for example through the “Contact us” page, website analytics or cookies) or from another organisation involved in business-to-business information services.
Such data can be used to enable us to keep you informed about developments at CRIF Decision Solutions Ltd and in our services, conducting market research and analysis, or determining your suitability for our services.
We may not be able to respond to your requests, if you choose not to supply the data requested.
We are doing so on the basis of our legitimate interests in promoting and developing our business. A specific Legitimate Interests Assessment for these purposes is available on request.
The following table summarises the data we process as a Data Controller, the sources of that data and our legal bases:
|ACTIVITY||CATEGORIES OF DATA SUBJECTS||CATEGORIES OF PERSONAL DATA||SOURCE||LEGAL BASIS|
|Identity Verification Services (ID Check, AML Check, Vehicle Check and Vehicle Keeper Check)||Policyholders, prospective policyholders, claimants, Bankrupts, persons with judgements, Politically Exposed Persons and their relatives and close associates; criminals and individuals or organisations that are subject to global sanctions, terrorists; users of the system.||Names; contact details; place and date of birth; country of residence and country of citizenship; occupations; relationship (if applicable) to a public figure; bank account details; judgements and insolvency information; User login credentials and permissions.||Commercially available sources for anti-money laundering services||Legitimate Interest|
|Insurance Claims Searches History and Risk Assessment (RADAR Personal Injury, Home and Motor Policy Check)||Policyholder/proposer, Claimant; users of the system.||Names; contact details; date of birth, gender; occupations; injury details; representatives’ contact details; car registration. User login credentials and permissions.||Motor, home and personal injury claims data supplemented by commercially available data.||Legitimate Interest|
|Pet Insurance Claims (CACHE Pet)||Policyholders, Third Parties; Veterinary Surgeons; Suppliers (other than Veterinary Surgeons); Witnesses; users of the system.||Names; gender; date of birth; occupation; contact details; bank account; claim details. User login credentials and permissions.|| || |
|Insurance Fraud (Sherlock and Footprint)||Employees of insurance companies, fraud investigators; persons linked to the claim; users of the system.||Names; contact details; gender; date of birth; NIN; driving licence; investigator’s case history, including previous queries. Details of linkages between persons and the claim. User login credentials and permissions.||Inquiries by insurers and investigators||Legitimate Interest|
|Promoting our services||Clients and their agents and employees||Business or personal contact details||Directly from our website or through third party sources.||Legitimate Interest|
|Cyber Check||Clients and their employees||Name, business email and phone||Clients when accounts are set up||Legitimate Interest|
|Assisting users of our services||Clients and their agents and employees||Business or personal contact details||Directly from the data subject, or indirectly from their employer or our resellers, as part of the process for activating users on our services.||Legitimate Interest|
| || ||For employees: Name, DOB, Address, Contact information, Health records, performance and disciplinary records, annual leave history, salary and payroll details. For their NOK: Name, address, contact number. For their children: Name, date of birth.||Direct from employees||Performance of contract|
|Business contacts||Contacts in suppliers and clients||Names, business emails and telephones||Either directly or from employers||Legitimate Interest|
|Data Subject Rights Requests||Data subjects||Identification data including NIN||Directly from data subject||Legal Obligation|
In all cases we will also process personal data as required by applicable law.
As a Data Controller, we make information available to our clients to assist them in their decision-making, whether that is about financial services or insurance quotations/claims. Our clients include financial and insurance services organisations and professional advisers (e.g. solicitors, loss adjustors).
The electronic processing of personal data for which we are a Controller is generally undertaken by our parent company CRIF SpA., located in Italy, under a formal contract that provides protection appropriate to the personal data. CRIF SpA is accredited to ISO27001:2013, the international standard for information security management systems.
For the management of some marketing contact data, client Helpdesk services etc. we use external services that may be based outside the United Kingdom and the EEA. We use Standard Contractual Clauses as a safeguard for such transfers to ensure they are made in compliance with Data Protection Legislation.
|Identity Verification Services||Clients|
|Insurance Claims Searches||Clients|
|Pet Insurance Claims||Clients|
|Cyber Check||KYND as the service provider|
|Promoting our services||External service providers, other CRIF companies|
|Assisting users of our services||External service providers|
|Employment||Other CRIF companies|
|Business contacts||Other CRIF companies|
|Data Subject Rights Requests||Outsourced Data Protection Officer|
Where we are the “data processor”, we act on the instructions of the data controller.
Where we are the Data Controller, we keep the information according to the following criteria:
|ACTIVITY||DATA RETENTION CRITERIA/PERIOD|
|Identity Verification||Three years after client search|
|Insurance Claims Searches and Risk Assessment||Results of search enquiries performed by users are retained for one month. Claims data is retained for a period determined by the MIB.|
|Pet Insurance Claims||Six years after the claims are closed|
|Insurance Fraud Investigations||Enquiry history retained for three years after client search. Enquiries can be packaged into investigation cases; these cases are retained for one month.|
|Cyber Check||One year after termination of contract|
|Promoting our services||Eighteen months if no contract established|
|Assisting users of our services||One year after termination of contract|
|Employment||10 years from termination of employment relationship|
|Business contacts||One year after termination of contract|
|Data Subject Rights Requests||Two years from last contact with Data Subject|
On a case by case basis, records may be retained for longer where required for actual or potential legal actions or investigations by supervisory authorities, or the management or mitigation of operational or strategic risks to the organisation.
Where we are a data processor, we keep your data for as long as the Data Controller asks us to.
Where we are processing your personal data as a Data Controller, you may have the right to request of us access to, and rectification or erasure, of personal data or the restriction of processing concerning your data or to object to processing as well as the right to data portability. Furthermore, to the extent that our processing may be based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before this withdrawal.
Please bear in mind that your rights in relation to your Personal Data are not absolute. It is important to note that we are processing much of the data either on the basis of legitimate interests or performance of contract, rather than consent. This means there is no absolute right to have such data erased, but you may have rights to both object to such processing or to restrict it.
In circumstances where we have obtained your data from a third party we may need to confirm the accuracy of the data with that third party before rectification.
Marketing communications with you will be conducted in compliance with the Privacy and Electronic Communications Regulations (PECR) which give you specific privacy rights in relation to electronic communications. We provide an opt-out in each communication which allows you to express your preferences with regard to receiving subsequent communications.
Please contact us at the email or postal addresses above if you wish to make a data subject request.
In our role as Data Processor, we also hold personal data. In such cases, you would need to contact the respective “Data Controller” to exercise your data protection rights. If you have any requests we can direct you to the appropriate Data Controller.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s postal address is: Information Commissioner’s Office
Helpline telephone number: 0303 123 1113
Online at https://ico.org.uk/make-a-complaint/