Privacy policy

With this Privacy Policy, CRIF SpA intends to describe the methods of managing the Website with reference to the processing of the personal data of users who access it.

This is a general information notice provided to all visitors to the website (“Website”) in accordance with the EU Data Protection Regulation No. 679/2016 (GDPR) and all other applicable laws.

If users decide to use specific services, a specific and detailed privacy notice will be provided to them in accordance with articles 13 and/or 14 of the GDPR, and specific consent to the processing of personal data will be requested, if necessary.

Data Controller

Following access to and consultation of the Website, data relating to identified or identifiable persons may be processed.

The Controller for the processing of the collected personal data is CRIF SpA, with registered office in via M. Fantin 1-3, 40131 Bologna.
Users can contact the Controller at the above mailing address or via the following e-mail addresses: and pec:

Data processing location

The processing of data collected with reference to those who access the Website is mainly carried out at the CRIF SpA head office, as communicated to the Italian Data Protection Authority and in accordance with the provisions of the GDPR and all other applicable laws.

In any case, personal data is processed only by specially trained employees or contractors with appropriate technical skills, and who are appointed and authorized to perform the processing.

Data processing methods

The data will be processed lawfully and fairly, guaranteeing its security and confidentiality, according to the provisions of the GDPR and all other applicable laws. Personal data will be processed using electronic and in any case automated equipment

Categories of personal data processed

With reference to browsing data, the computer systems and software procedures used to operate this Website acquire, during their normal operation, some personal data whose transmission is implicit to the use of Internet communication protocols. This information is not collected in association with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This data category includes the IP addresses or domain names of computers used by users who connect to the Website, Uniform Resource Identifier (URI) addresses of the requested resources, the time of the request, the method used to submit the server request, and other parameters related to the user’s operating system and computing environment.

The optional and voluntary sending of e-mails to the addresses indicated on the Website or by filling out the appropriate contact form involves the acquisition of the user’s personal data, as indicated therein (e.g., first name, last name, e-mail address, telephone number, company, VAT no., address, zip code, city), which is necessary to respond to user requests.

Use of the Website and purposes of processing

User data may be processed for:

  1. the performance of operations that allow browsing of the Website pages. The Controller, like most web page owners, needs to process personal information relating to users collected automatically or provided by the users themselves through the navigation or use of the Website in order to allow them to browse and use the site. Therefore, this Privacy Policy refers exclusively to the Website and does not refer to any other online sites, pages or services that can be accessed through hyperlinks published on the Website
  2. the performance of the operations strictly necessary to provide the services or to respond to and/or manage any requests made by the user through the appropriate contact form on the home page of the Website as well as making an appointment for the sales force if necessary;
  3. statistical processing of aggregated data in relation to the Website services.;
  4. direct marketing activities and marketing communications for products and services of CRIF SpA and other CRIF Group companies (CRIF S.p.A. affiliates). If, following specific selection of the relevant check box, the user consents to receiving information, marketing communications, direct sales, and market research on the products or services provided through the Website, the user’s information will be processed for this purpose. Such communications may be sent through the use of traditional tools (telephone/mail) or automated tools (e-mail, fax, SMS, etc.), always on the basis of the preferences previously expressed by the user. After the initial telephone/e-mail contact, if the user decides not to subscribe to any service or to purchase any product or states that he/she does not want to be contacted again, the Controller will cancel the user’s details. Likewise, users can decide not to receive any marketing communications at any time by using the opt-out link at the bottom of each message and in any case exercising the relative right to withdraw consent.

If users decide to use specific services, a specific and detailed privacy notice will be provided to them in accordance with articles 13 and/or 14 of the GDPR, and specific consent to the processing of personal data will be requested, if necessary.

Legal grounds for data processing

The user's personal data will be processed on the basis of one or more of the following legitimacy conditions. In particular, processing carried out for the purposes referred to in:

letters (a) and (b) above, which have as their legal basis the need to fulfill the requests for the provision of a service or to respond to a user request. Such processing is therefore strictly necessary and connected to a pre-contractual phase at the request of the data subject and/or contractual or in order to provide feedback to a specific user request according to art. 6 par. 1(b) of the GDPR. In this regard, the personal information collected from time to time through the Website is necessary. If the user decides not to provide the information, it will not be possible to provide the service or proceed with the requests.

letter (c) above, which has as its legal basis, to a proportionate and necessary extent, the legitimate interests of the Controller in accordance with art. 6 (1)(f) of the GDPR, consisting of improving the performance and verifying the proper functioning of the Website. In this regard, we also invite you to consult the Website Cookie Policy.

letter (d) above, which requires the prior and specific consent of the user for use of the user’s details by the Controller. This consent is optional and does not affect the provision of any additional services requested.

The user has the right to withdraw consent for the marketing purposes referred to in letter (d) at any time without prejudice to the lawfulness of the processing based on the consent given before withdrawal and has the right to oppose the processing for marketing purposes referred to in letter (d), including in part, or with reference to the marketing information and offers, and the advertising and promotional material on services through automated methods.

Categories of recipients of personal data

The Controller, for the same purposes specified in section: “Use of the Website and purposes of processing” of this Privacy Policy and/or in any case for purposes strictly related to the services provided by the Website, may communicate the user’s data to subjects that act in the role of Processors pursuant to art. 28 of the GDPR, which will perform or provide specific services, including:

Hosting and back-end infrastructure. This type of service has the function of hosting data and files that enable the Website to function and perform data processing in order to enable the Website to be browsed by users.

Shipping and logistics;

Site Administration (administration, sales, marketing and legal personnel, and system administrators)

Cookie Management. This type of service allows use of user data for marketing communication purposes in a variety of forms as specified above.

The user can ask the Controller for an up-to-date list of Processors at any time.

User’s data could be sent to several recipients in compliance with the characteristic of the service supplied by CRIF to the client. If users decide to use specific services, a specific and detailed privacy notice will be provided to them in accordance with articles 13 and/or 14 of the GDPR, and specific consent to the processing of personal data will be requested, if necessary.

Transfer of personal data

Personal data may be transferred to a non-EU country, subject to the conditions set out in the GDPR. Specifically, the above transfer may be put in place, without specific authorizations, if the third country to which the data is transferred falls under those which guarantee an adequate level of protection according to the European Commission. In the absence of such an adequacy decision adopted by the European Commission, this transfer to third countries can be carried out by adopting the adequate guarantees referred to in art. 46 of the Regulation, based on which the above-mentioned personal data transfer occurs. In the absence of an adequacy decision or additional guarantees, the transfer of personal data to third countries can be carried out if the terms are met and the additional conditions set out by the GDPR exist, including the possibility to make use of the derogations for specific situations in art. 49 of the GDPR. In addition, this transfer may occur on the basis of the individual service provided by CRIF or as a result of the installation of third-party cookies. For each service requested by the CRIF customer, a special information notice will be provided with the details of the countries to which the data will be transferred, and within the Cookie Policy the user is also given the opportunity to check the information notices of third-party controllers and to opt-out if desired. In any case, in relation to services provided by CRIF, if personal data is transferred outside the European Union, the transfer will be carried out in accordance with the provisions of the GDPR and all other applicable laws (as will be specified in the specific information notices). 

Data Submission

Users are free to decide whether to provide the personal data necessary for CRIF SpA to supply the requested services. Failure to provide this data may make it impossible CRIF to supply the requested information or services.

Retention period

For each service or initiative requested by the CRIF client, a special information notice will be provided with details of the data retention period or the criteria used to determine this period.

CRIF SpA shall process and retain the browsing data for the time required by the purposes for which the data was collected.

As regards the purposes of the processing, the following retention periods shall apply:

  • any data collected for purposes essential to the execution of a contract between the Controller and the user will be retained until the execution of the contract/request is complete and for the duration of the contractual relationship.
  • when the processing is based on user consent, such as for the subscription to marketing communications, the Controller can retain the personal data for a maximum period of 5 years unless such consent is withdrawn;
  • in addition, the Controller may be obliged to retain the personal information for a longer period in compliance with a legal obligation or to retain it based on its legitimate interests for the management of any ongoing litigation or pre-litigation.

As for browsing data, the Controller will delete this information 12 months after the last online interaction that occurred in relation to the Controller’s communications or the content published on the Website for which the Controller has direct evidence of this interaction (e.g. clicks, opening, response). Please check our Cookie Policy as well and/or the orange button on left corner of this page.


For details about the use of cookies on this Website, please refer to the Cookie Policy.

Data subject’s rights

We hereby inform you that, pursuant to articles 15 – 22 of the GDPR, users can exercise the following rights: the right to access their personal data, ask for the amendment or deletion of the data, or restriction of the processing. User also have the right to oppose the processing, as well as the right to portability. In addition, the user can withdraw his or her consent at any time, it being understood that the withdrawal of consent does not affect the lawfulness of the processing carried out up to the point of withdrawal. In any case, for each service requested by the CRIF client, a special information notice will be provided with details of the rights that can be exercised and the ways in which to exercise them

In these cases, requests should be sent to CRIF SpA, Via M. Fantin, 1-3, 40131 Bologna​

The data subject can lodge a complaint with supervisory authority, using the following link:

Data protection officer

For any questions regarding the processing of your personal data, please contact our Data Protection Officer, using the following contact details:



UK Representative

Since the UK left the EEA, in compliance with the new regime known as the “UK GDPR”, Crif S.p.a. as sub-processor on behalf of Crif Decision Solution Ltd (with registered office in Suite 1 3rd Floor 11-12 Street, James’s Square SW1Y London – United Kingdom) has appointed its UK Representative.

With reference to the data processing activities performed by Crif S.p.a. on behalf of Crif Decision Solution Ltd, UK residents and the Information Commissioner’s Office can reach this Representative at:

Cookie policy amendments

The data controller has the right to make changes to this Policy at any time by informing users on this page as well as through the banner and, if possible on the Site. Please therefore consult this page and/or the banner regularly, referring to on the date of the last modification indicated at the bottom.

Last modification date: 09/07/2021