Information on the Processing of Personal Data and Guidance on Data Subject’s Rights within the CRIBIS Application
Information on the Processing of Personal Data and Guidance on Data Subject’s Rights within the CRIBIS Application
Dear Sir or Madame
I. CRIBIS and its Operator
CRIF – Czech Credit Bureau, a.s., Company ID No.: 262 12 242, a company having its registered office at Štětkova 1638/18, Nusle, 140 00 Prague 4, registered in the Commercial Register kept by the Municipal Court in Prague, file ref. No. B 6853 (hereinafter “CRIF CZ”) is the operator of the CRIBIS web application available to users through a secured technical interface at www2.cribis.cz. The CRIBIS application is made up of information and data on entities established under Czech and/or Slovak law or having their residence, registered office or doing business in the territory of the Czech Republic and/or the Slovak Republic, collected from various information sources and databases, including public ones, or from the information sources and databases of other third parties (hereinafter the “CRIBIS application”).
II. Purposes of Processing and Lawfulness of Processing
The personal data are processed for one or more of the following purposes:
- protection and exercise of rights, legally protected and other legitimate interests of business and other entities when entering into relationships based on obligations with third parties, for the period of their fulfilment and after the termination thereof;
- assessment, management and optimisation of the business and reputation risk of business and other entities;
- optimisation of decision-making processes and processes in the field of financial management and cash flow management;
- optimisation of the process of recovering claims, assessment of the risk of their non-payment;
- verifying and monitoring the state of assets, receivables and payables (including tax liabilities and levies to be paid), solvency and payment discipline of trading partners or clients, business and other entities, including potential trading partners or potential clients and persons that are connected in terms of assets and staff for some of the purposes set forth in points 1 to 4 above;
- screening persons and assets in connection with the performance of legal obligations concerning the exercise of caution, including the purpose of preventing the legitimisation of proceeds of crime and the financing of terrorism and other dealings of an unlawful and/or fraudulent nature;
- support of educational processes at secondary schools and universities in the Czech Republic and at accredited educational institutions and accredited providers or educational activities; support of scientific and research activities;
- support in the performance of journalistic activities or for the purposes of academic, artistic or literary expression;
- securing background information and support in the provision of consultancy and other services by legal, accounting and tax advisors, auditors and other advisors, consultants and mediators;
- conducting audits, especially tax, legal and/or accounting audits;
- securing background information and support in the performance of activities of bailiffs in accordance with legal regulations;
- support in the exercise of the competences of public authorities in accordance with legal regulations;
- protection of the rights and legally protected interests of natural and legal persons in connection with the disposal of real property, monitoring of the legal situation thereof and monitoring of ongoing cadastral proceedings under the applicable legislation.
Individual services within the CRIBIS application are provided in two modes (i.e., as an on-line service and aggregation tool) depending on the particular service and the method of processing of personal data in accordance with the General Data Protection Regulation, and the lawful basis of CRIF CZ for processing these personal data for both the modes is the legitimate interest pursued by the controller or a third party within the meaning of Article 6(1)(f) of Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “General Data Protection Regulation”). Such processing of personal data does not require the consent of the person concerned.
CRIBIS Service as an On-line Service:
The CRIBIS Service as regards the Land Register, Central Register of Executions, Central Register of Executions of the Slovak Republic and AML InfoCheck service (only in the event of an inquiry about a natural person) is provided as an on-line service, the object of which is, based on a command by a user of the CRIBIS application, to search and collect information and data on a particular entity from various information sources and databases, including public ones and/or from the information sources and databases of other third parties. No other information is added by CRIF CZ to the data collected from such available sources.
CRIF CZ acts in this case in the position of a processor and an appropriate agreement on personal data processing is always concluded between it and the personal data controller, i.e., a user of the CRIBIS application.
CRIBIS Service as an Aggregation Tool:
The other services (including the service of data supply for SkyMinder), not stated above work as an aggregation tool that gathers commercial information and data, including some personal data, available from various public information sources and databases and/or also from the information sources and databases of other third parties, creating an own database out of them, thereby helping manage the business risk of users of the CRIBIS application who send an inquiry to the CRIBIS aggregated database instead of sending an inquiry to a larger number of databases.
In this case, CRIF CZ acts in the position of a controller and transmits personal data to a user of the CRIBIS application as another (independent) controller, with the application of contractual guarantees to ensure the lawful processing of such personal data on the user’s part.
III. Recipients of Personal Data
Personal data processed in the CRIBIS application are provided to users of the CRIBIS application with whom CRIF CZ has entered into relevant agreements for the provision of the CRIBIS Service, CRIF S.P.A., a company having its registered office at Via M. Fantin 1-3, 40131 Bologna, Italy, which ensures final automated technical processing of information in the CRIBIS application for CRIF CZ pursuant to relevant contract documents, and CRIF – Slovak Credit Bureau, s.r.o., Company ID No.: 35886013, a company having its registered office at Mlynské nivy 14, 821 09 Bratislava, and to their contract partners.
IV. Extent of Personal data to be Processed
The extent of personal data to be collected and processed always depends on a particular purpose (see above) for which such personal data are processed. CRIF CZ takes care to collect personal data only to the extent necessary to fulfil the given purpose.
In particular, the following categories of personal data are processed within the CRIBIS application:
- identification personal data (first name, surname, date of birth, company ID number, VAT registration number, residential address, place of business);
- contact details of some natural persons doing business (e.g., phone number and e-mail address);
- data concerning the payment discipline of a data subject;
- information about bankruptcy proceedings and restructuring processes and related information;
- information about links between entities that are connected in terms of assets and staff;
- information published in public registers and lists such as in the Commercial Bulletin, Commercial Register, Central Register of Executions, Central Register of Executions of the Slovak Republic, Land Register, Register of Trade Licences, Insolvency Register etc.
No special categories of personal data within the meaning of the General Data Protection Regulation (e.g., data on health condition etc) are processed in the CRIBIS application.
Personal data processed within the CRIBIS application originate especially from publicly accessible sources, including information subject to mandatory publication by such sources, as well as from users of the CRIBIS application, under a relevant agreement concluded with CRIF CZ.
No automated decision-making within the meaning of the General Data Protection Regulation takes place in the CRIBIS application.
V. Duration of Processing of Personal Data
Personal data are processed and stored in the CRIBIS application only for the period for which a certain piece of information is relevant in relation to the purpose of processing for which such personal data are processed. Subsequently, the personal data are included in pre-archival care in accordance with applicable legislation.
VI. Transfer of Personal Data to Third Countries
No transfer of personal data to third countries, i.e., countries outside the European Economic Area, takes place when information is being processed in the CRIBIS application.
VII. Exercise of the Rights under the General Data Protection Regulation
We would hereby like to advise you on your rights arising from applicable provisions of the General Data Protection Regulation relating to the processing of your personal data in the CRIBIS application.
You can exercise the rights set forth below in writing to the address of the registered office of CRIF CZ, Štětkova 1638/18, Nusle, 140 00 Prague 4, or electronically to firstname.lastname@example.org:
- The right of access to personal data: the right to ask CRIF CZ for confirmation as to whether your personal data are actually being processed in the CRIBIS application, and, where that is the case, for access to such personal data. In such a case, CRIF CZ will provide you with a copy of the personal data being processed, in electronic or paper form;
- The right to rectification: the right to obtain the rectification of inaccurate personal data or to have incomplete personal data that are being processed about you in the CRIBIS application completed;
- The right to erasure (“the right to be forgotten”): the right to obtain the erasure of your personal data where some of the grounds set forth by the General Data Protection Regulation applies;
- The right to restriction of processing: the right to obtain restriction of processing of your personal data where some of the grounds set forth by the General Data Protection Regulation applies (e.g., due to the inaccuracy of personal data being processed, or the unlawfulness of their processing);
- The right to lodge a complaint: if you consider that the processing of your personal data in the CRIBIS application infringes applicable legislation, especially the General Data Protection Regulation, you can refer your complaint to the Office for Personal Data Protection, Sochora 27, 170 00 Prague 7, www.uoou.cz
- The right to object to the processing of personal data that concern you and that are being processed based on a legitimate interest, CRIF CZ will not process your personal data any longer if we do not demonstrate compelling legitimate grounds for the processing which override your interests or rights and freedoms, or for the establishment, exercise or defence of legal claims.
- We point out that the right to data portability, i.e., the right to receive personal data (that concern you and that you have provided to a user) in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the user or CRIF CZ, is not relevant considering the nature of processing of your personal data in the CRIBIS application and, therefore, we cannot grant requests concerning data portability.
We will provide you with requested information and documents and/or information on measures implemented without undue delay but no later than one month from the date of delivery of your request. In some cases, however, this period may be extended. We will notify you of that. If your request cannot be granted, we will inform you about this fact and reasons and we will also give you guidance on your other rights (of the right to lodge a complaint and the right to judicial protection).
If necessary, we are entitled to ask you, in connection with your request, for additional information to confirm your identity. If we are unable to establish your identity, we usually cannot grant your request.
You can assert your rights free of charge. Where requests filed by you are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee to you or we may refuse to act on your request.
VIII. Data Protection Officer
If your matter is not resolved in a satisfactory manner, you can also contact the data protection officer through email@example.com.
VIII. Pověřenec pro ochranu osobních údajů
Nepodaří-li se Vám vyřešit Vaši záležitost uspokojivě, můžete též kontaktovat pověřence pro ochranu osobních údajů prostřednictvím firstname.lastname@example.org.
Verze k 1. 3. 2020
Access to this Website may result in processing data about identified or identifiable natural persons (known as data subjects). The data controller is CRIF CZ. Personal data may also be processed by the data processor, i.e. CRIF S.P.A., having its registered office at Via M. Fantin 1-3, 40131 Bologna, Italy (“CRIF S.P.A.”), which shall ensure proper organisational and technical processing of data in order to protect it from unauthorised access, loss, damage, theft, unauthorised use or any other disclosure.
Data Processing Location
Personal data is processed at the premises of CRIF CZ and CRIF S.P.A. The data is handled solely by persons with relevant technical skills and abilities who have been assigned specific data processing roles and made familiar with the content of the General Data Protection Regulation.
Data Processing Methods
Data is processed in a correct manner and in full compliance with the General Data Protection Regulation so as to ensure data security and protect data confidentiality. Data is processed using electronic or automated means and kept in secured systems.
Processed Data Types
The information systems involved in the operation of this Website use certain personal data during their normal operation. The transmission of this data is implicit in the use of ICP protocols. The data is not collected in order to associate it with specific entities; however, due to its nature, the processing and relation to other data possessed by third parties allow to identify the users. This data category includes IP addresses and the domain names of the computers used by the users connecting to the network, the URL addresses of the requested sources, the time the request was made, the method used in making the request and other parameters related to the user’s operating system and information environment. The data also includes information provided by cookies on the user’s hard disk – see the section below. We also collect aggregate data on Website use, such as the traffic the Website gets, the number of Website visits per day and the average time spent by users on each Website.
Use of Collected Data
Collected data may be used, for example, to meet the user’s requirements, provide useful advice and instructions, provide quotes on demand and/or process and fulfil the user’s offers. Furthermore, the data may be used to provide order status details and information on services and new content on the Website, etc.
Some operational data may also be processed to ensure the security and availability of the Website and related services. Statistical data on Website use is processed to improve the Website functionality and user-friendliness and prepare aggregate and anonymous information used for marketing and similar activities.
Recipients of Collected Data
CRIF CZ may provide the information collected through the Website to other companies of the CRIF Group, namely to CRIF S.P.A., CRIF – Slovak Credit Bureau, s.r.o., ID No.: 35886013, having its registered office at Mlynské nivy 14, 821 09 Bratislava, and to CRIF – Registr platebních informací s. r. o., ID No.: 057 75 809, having its registered office at Štětkova 1638/18, Nusle, 140 00 Praha 4 and registered in the Commercial Register maintained by the Municipal Court in Prague under file C 268784, and to third parties such as contractors or other entities that provide services (or products) demanded by the user. We may also provide these companies with aggregate statistics on visitors, transactions and other activities on the Website. Information on users may also be disclosed to other entities if it is required by the relevant law or necessary to safeguard the rights and legally protected interests of the GRIF Group members or another entity.
Privacy Protection and User Rights
The transmission of all information through the Website is encrypted. Nevertheless, CRIF CZ provides no warranties as to the security of the transmission of information a user sends to CRIF CZ. Any use of the Website is at the user’s sole responsibility.
What is a cookie?
A cookie is an information text string sent by a web server (e.g. a website) to the user's web browser, which automatically saves it on the user's computer and automatically sends it back to the server each time the website is accessed. Each cookie contains different data, such as the name of the server, where it comes from, a numeric identifier, etc.
Cookies are not used to transfer personal data. Using cookie sessions which are not permanently stored on the user’s computer and disappear after closing the browser is strictly limited to the transfer of session identification codes containing random server-generated numbers necessary for safe navigation on the website. Therefore, the use of such cookie sessions prevents the use of other information technologies which could pose a potential threat to the confidential nature of the navigation. They do not allow for acquiring personal data which could identify the user.
However, each web browser allows cookies to be restricted and deleted (for more information refer to the section in this information notice on “How to enable, disable or delete cookies”). Remember, however, that disabling or deleting cookies may impede the optimum use of some parts of the website or compromise the use of services requiring authentication.
Types of Cookies Used by CRIF
This Website uses the following cookie categories:
- Technical cookies: technical cookies are those used solely for the purposes of sending a message through an electronic communication network, or to the extent strictly necessary for the service provider of the information company to provide a service explicitly requested by the subscriber or user. These cookies may be divided into: navigation or session cookies, which ensure a regular navigation and use of the website, analytic cookies used directly by the website administrator to collect overall information on the number of users and how they visit the website, and functional cookies, which enable the users to navigate themselves based on a series of selected criteria in order to improve the services provided.
- Profile cookies: used to track the user’s navigation on a network and create profiles of the user's tastes, habits, and choices. Based on these cookies, advertising messages can be sent to the user's computer according to the demonstrated preferences.
How to enable, disable or delete cookies
By default, almost all web browsers are set up to automatically accept cookies. These can be restricted or blocked in the browser settings. If you prefer websites not to save certain cookies on your computer, set up the browser so that you receive a notification prior to saving each cookie. Alternatively, you can set up your browser to reject all cookies or only third-party cookies. You can also delete all cookies already existing in the system. It is important to note that the settings must be changed separately for each browser and each computer. If you block saving the cookies, we cannot guarantee a correct operation of the website. Some functions may be unavailable and it may no longer be possible to view certain websites.
Information on the processing of personal data in the Cribis application
Information on the processing of personal data in the Cribis application
This document provides potential and existing CRIBIS users with practical information, in particular on how and in what way CRIBIS users are affected by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter referred to as the "General Data Protection Regulation") concerning the GDPR. If you are interested in general information about the basic objectives, terms or terminology associated with the general regulation on personal data protection, we recommend that you read the Basic Guide to GDPR, which has been prepared by the Office for Personal Data Protection.
We hope the information below will help you work with the information associated with the screening of your business partners.
Links between the General Data Protection Regulation and the creation of the Cribis application
CRIF - Czech Credit Bureau, a.s., Business ID: 262 12 242, with its registered office at Štětkova 1638/18, Nusle, 140 00 Prague 4, entered in the Commercial Register kept by the Municipal Court in Prague, file number B 6853 (hereinafter referred to as "CRIF CZ“) as a global operator of the CRIBIS application, has always fully respected the principles of personal data processing in the Czech Republic regulated in Act No. 101/2000 Coll., on personal data protection, as amended, which was based on EU Directive 95/46 / EC. The General Data Protection Regulation replaced the above-mentioned Directive and is implemented in EU countries in the form of continuity, which in practice means that the new Regulation does not fundamentally change personal data processing processes or basic concepts, but the General Data Protection Regulation unification and updating of rules on the processing of personal data throughout Europe.
However, it places higher demands on the description and modification of company processes associated with the processing of personal data.
At the same time, as the operator of the CRIBIS application, we are aware that it is absolutely correct and justified for companies to reduce their business risks by examining their business partners. This form of risk prevention is highly effective for companies and at the same time benefits the entire economy.
Use of personal data when creating the Cribis application
In order to reconcile the higher demands on the processes associated with the use of personal data, and the legitimate needs of CRIBIS users, we performed an extensive analysis of mappings of data and data sources containing personal data used in creating and updating CRIBIS before the General Data Protection Regulation came into effect.
This analysis showed that as the operator of the CRIBIS application, CRIF CZ is:
A) Personal data controller - in cases where the services provided within the CRIBIS application function as an aggregation tool that collects information and data available in various public databases (or from other sources), creates its own database from them, and thus helps to facilitate the activity a client who, instead of querying a large number of public databases in a complex and time-consuming manner, queries the aggregated CRIBIS application. The processing of personal data in the CRIBIS application in this case takes place mainly in order to protect the legitimate interests of its clients, or on the basis of other appropriate legal titles.
In this sense, there is an administrator-administrator relationship between CRIF CZ and users of the CRIBIS application.
B) The processor of personal data - in the case of the Real Estate Cadastre, Central Register of Executions and AMLInfoCheck (only when inquiring about a natural person), provides it as an outsourcing (on-line) service, the subject of which is to search for and collect information and data about a person from various information sources and databases, including public and/or information sources and databases of other third parties. CRIF CZ adds no further information to the data collected from these available sources.
In this sense, there is an processor-administrator relationship between CRIF CZ and users of the CRIBIS application.
If you have any questions about the processing of personal data in the CRIBIS application, contact us by e-mail at email@example.com. We will get back with you as soon as possible.
Updated on 2021-01-06T10:27:47+02:00, by .