Information on the Processing of Personal Data and Guidance on Data Subject’s Rights within the CRIBIS Application

Information on the Processing of Personal Data and Guidance on Data Subject’s Rights within the CRIBIS Application

Dear Sir or Madame

I. CRIBIS and its Operator

CRIF – Czech Credit Bureau, a.s., Company ID No.: 262 12 242, a company having its registered office at Štětkova 1638/18, Nusle, 140 00 Prague 4, registered in the Commercial Register kept by the Municipal Court in Prague, file ref. No. B 6853 (hereinafter “CRIF CZ”) is the operator of the CRIBIS web application available to users through a secured technical interface at www2.cribis.cz. The CRIBIS application is made up of information and data on entities established under Czech and/or Slovak law or having their residence, registered office or doing business in the territory of the Czech Republic and/or the Slovak Republic, collected from various information sources and databases, including public ones, or from the information sources and databases of other third parties (hereinafter the “CRIBIS application”).

II. Purposes of Processing and Lawfulness of Processing

The personal data are processed for one or more of the following purposes:

1. protection and exercise of rights, legally protected and other legitimate interests of business and other entities when entering into relationships based on obligations with third parties, for the period of their fulfilment and after the termination thereof;
2. assessment, management and optimisation of the business and reputation risk of business and other entities;
3. optimisation of decision-making processes and processes in the field of financial management and cash flow management;
4. optimisation of the process of recovering claims, assessment of the risk of their non-payment;
5. verifying and monitoring the state of assets, receivables and payables (including tax liabilities and levies to be paid), solvency and payment discipline of trading partners or clients, business and other entities, including potential trading partners or potential clients and persons that are connected in terms of assets and staff for some of the purposes set forth in points 1 to 4 above;
6. screening persons and assets in connection with the performance of legal obligations concerning the exercise of caution, including the purpose of preventing the legitimisation of proceeds of crime and the financing of terrorism and other dealings of an unlawful and/or fraudulent nature;
7. support of educational processes at secondary schools and universities in the Czech Republic and at accredited educational institutions and accredited providers or educational activities; support of scientific and research activities;
8. support in the performance of journalistic activities or for the purposes of academic, artistic or literary expression;
9. securing background information and support in the provision of consultancy and other services by legal, accounting and tax advisors, auditors and other advisors, consultants and mediators;
10. conducting audits, especially tax, legal and/or accounting audits;
11. securing background information and support in the performance of activities of bailiffs in accordance with legal regulations;
12. support in the exercise of the competences of public authorities in accordance with legal regulations; 
13. protection of the rights and legally protected interests of natural and legal persons in connection with the disposal of real property, monitoring of the legal situation thereof and monitoring of ongoing cadastral proceedings under the applicable legislation.

Individual services within the CRIBIS application are provided in two modes (i.e., as an on-line service and aggregation tool) depending on the particular service and the method of processing of personal data in accordance with the General Data Protection Regulation, and the lawful basis of CRIF CZ for processing these personal data for both the modes is the legitimate interest pursued by the controller or a third party within the meaning of Article 6(1)(f) of Regulation of the European Parliament and of  the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to  the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “General Data Protection Regulation”). Such processing of personal data does not require the consent of the person concerned.

CRIBIS Service as an On-line Service:
The CRIBIS Service as regards the Land Register, Central Register of Executions, Central Register of Executions of the Slovak Republic and AML InfoCheck service (only in the event of an inquiry about a natural person) is provided as an on-line service, the object of which is, based on a command by a user of the CRIBIS application, to search and collect information and data on a particular entity from various information sources and databases, including public ones and/or from the information sources and databases of other third parties. No other information is added by CRIF CZ to the data collected from such available sources.

CRIF CZ acts in this case in the position of a processor and an appropriate agreement on personal data processing is always concluded between it and the personal data controller, i.e., a user of the CRIBIS application.

CRIBIS Service as an Aggregation Tool:
The other services (including the service of data supply for SkyMinder), not stated above work as an aggregation tool that gathers commercial information and data, including some personal data, available from various public information sources and databases and/or also from the information sources and databases of other third parties, creating an own database out of them, thereby helping manage the business risk of users of the CRIBIS application who send an inquiry to the CRIBIS aggregated database instead of sending an inquiry to a larger number of databases.

In this case, CRIF CZ acts in the position of a controller and transmits personal data to a user of the CRIBIS application as another (independent) controller, with the application of contractual guarantees to ensure the lawful processing of such personal data on the user’s part.

III. Recipients of Personal Data

Personal data processed in the CRIBIS application are provided to users of the CRIBIS application with whom CRIF CZ has entered into relevant agreements for the provision of the CRIBIS Service, CRIF S.P.A., a company having its registered office at Via M. Fantin 1-3, 40131 Bologna, Italy, which ensures final automated technical processing of information in the CRIBIS application for CRIF CZ pursuant to relevant contract documents, and CRIF – Slovak Credit Bureau, s.r.o., Company ID No.: 35886013, a company having its registered office at Mlynské nivy 14, 821 09 Bratislava, and to their contract partners.

IV. Extent of Personal data to be Processed

The extent of personal data to be collected and processed always depends on a particular purpose (see above) for which such personal data are processed. CRIF CZ takes care to collect personal data only to the extent necessary to fulfil the given purpose.  

In particular, the following categories of personal data are processed within the CRIBIS application:

• identification personal data (first name, surname, date of birth, company ID number, VAT registration number, residential address, place of business);
• contact details of some natural persons doing business (e.g., phone number and e-mail address);
• data concerning the payment discipline of a data subject;
• information about bankruptcy proceedings and restructuring processes and related information;
• information about links between entities that are connected in terms of assets and staff;
• information published in public registers and lists such as in the Commercial Bulletin, Commercial Register, Central Register of Executions, Central Register of Executions of the Slovak Republic, Land Register, Register of Trade Licences, Insolvency Register etc.

No special categories of personal data within the meaning of the General Data Protection Regulation (e.g., data on health condition etc) are processed in the CRIBIS application.

Personal data processed within the CRIBIS application originate especially from publicly accessible sources, including information subject to mandatory publication by such sources, as well as from users of the CRIBIS application, under a relevant agreement concluded with CRIF CZ.

No automated decision-making within the meaning of the General Data Protection Regulation takes place in the CRIBIS application.

V. Duration of Processing of Personal Data

Personal data are processed and stored in the CRIBIS application only for the period for which a certain piece of information is relevant in relation to the purpose of processing for which such personal data are processed. Subsequently, the personal data are included in pre-archival care in accordance with applicable legislation.  

VI. Transfer of Personal Data to Third Countries

No transfer of personal data to third countries, i.e., countries outside the European Economic Area, takes place when information is being processed in the CRIBIS application.

VII. Exercise of the Rights under the General Data Protection Regulation

We would hereby like to advise you on your rights arising from applicable provisions of the General Data Protection Regulation relating to the processing of your personal data in the CRIBIS application.

You can exercise the rights set forth below in writing to the address of the registered office of CRIF CZ, Štětkova 1638/18, Nusle, 140 00 Prague 4, or electronically to helpdesk.cz@crif.com:

1. The right of access to personal data: the right to ask CRIF CZ for confirmation as to whether your personal data are actually being processed in the CRIBIS application, and, where that is the case, for access to such personal data. In such a case, CRIF CZ will provide you with a copy of the personal data being processed, in electronic or paper form;
2. The right to rectification: the right to obtain the rectification of inaccurate personal data or to have incomplete personal data that are being processed about you in the CRIBIS application completed;
3. The right to erasure (“the right to be forgotten”): the right to obtain the erasure of your personal data where some of the grounds set forth by the General Data Protection Regulation applies;
4. The right to restriction of processing: the right to obtain restriction of processing of your personal data where some of the grounds set forth by the General Data Protection Regulation applies (e.g., due to the inaccuracy of personal data being processed, or the unlawfulness of their processing);
5. The right to lodge a complaint: if you consider that the processing of your personal data in the CRIBIS application infringes applicable legislation, especially the General Data Protection Regulation, you can refer your complaint to the Office for Personal Data Protection, Sochora 27, 170 00 Prague 7, www.uoou.cz
6. The right to object to the processing of personal data that concern you and that are being processed based on a legitimate interest, CRIF CZ will not process your personal data any longer if we do not demonstrate compelling legitimate grounds for the processing which override your interests or rights and freedoms, or for the establishment, exercise or defence of legal claims.
7. We point out that the right to data portability, i.e., the right to receive personal data (that concern you and that you have provided to a user) in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the user or CRIF CZ, is not relevant considering the nature of processing of your personal data in the CRIBIS application and, therefore, we cannot grant requests concerning data portability.

We will provide you with requested information and documents and/or information on measures implemented without undue delay but no later than one month from the date of delivery of your request. In some cases, however, this period may be extended. We will notify you of that. If your request cannot be granted, we will inform you about this fact and reasons and we will also give you guidance on your other rights (of the right to lodge a complaint and the right to judicial protection).

If necessary, we are entitled to ask you, in connection with your request, for additional information to confirm your identity. If we are unable to establish your identity, we usually cannot grant your request.

You can assert your rights free of charge. Where requests filed by you are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee to you or we may refuse to act on your request.

VIII. Data Protection Officer

If your matter is not resolved in a satisfactory manner, you can also contact the data protection officer through poverenec@crif.com.

VIII. Pověřenec pro ochranu osobních údajů

Nepodaří-li se Vám vyřešit Vaši záležitost uspokojivě, můžete též kontaktovat pověřence pro ochranu osobních údajů prostřednictvím poverenec@crif.com.

Verze k 1. 3. 2020