CRIF VisionNet Limited is committed to protecting your privacy, which is why we have set out this privacy notice describing the personal data that we might process about you, why we process it, where we might get your personal data from, and how we handle it. If cookies are your particular interest, you will find our separate cookie notice here. This notice also sets out how you can engage with us and how you can contact the Data Protection Commission, if you have any concerns about your personal data.

Who we are and how to contact us

CRIF VisionNet Limited is registered in Ireland (Registration Number: 177790). Our Data Protection Officer is contactable at privacy@vision-net.ie or if you wish to write to us, please use the following address:

Data Protection Officer
CRIF VisionNet Limited
3rd Floor, Adelphi Plaza,
George's Street Upper,
Dun Laoghaire,
County Dublin,
A96 T927

Data subjects in the UK may wish to note that we have appointed a UK Representative as required under the UK GDPR whom they are welcome to contact if they prefer:

Compliance Officer
CRIF Decision Solutions
55 Old Broad Street
London EC2M 1RX

Email: dpo.uk@crif.com

Our data processing activities

CRIF Vision-net Ltd ("We") processes personal data both as a Data Controller, for our own purposes, and as a Data Processor on behalf of other entities

1: DATA CONTROLLER ACTIVITIES

Provision of services

CRIF VisionNet Limited is an aggregator of business information in order to provide services to those striving to fulfil compliance requirements, reduce business risk and make informed business decisions. It does so through its vision-net.ie and solocheck.ie websites.

We provide information services, consumer reporting and cyber risk solutions to a broad range of clients, particularly in the financial services sectors (including insurance companies), which allow them to, amongst other things:

  • Understand the individuals running limited companies, Friendly Societies and owners of registered business names in order to manage the risk of dealing with them (for example for Anti-Money Laundering and 'Know Your Customer' purposes which are regulatory requirements on companies offering certain services)
  • Ascertain the financial and corporate histories of individuals with whom they have engaged and
  • Understand who owns registered properties

For many of these services, the personal data that we process is provided to us by third parties, rather than directly by you, the data subject.

Running our business

In the normal course of running our business we process the personal data of employees of our clients, suppliers and other third parties. This includes business contact details such as names, email addresses and phone numbers which may have been provided to us indirectly by your employer or our business partners rather than directly by you. These entities should provide their employees and associates with an appropriate information notice to cover how we process their data. In addition, we process personal data of our own employees, in which role we are a joint Data Controller with our parent company CRIF SpA, via M. Fantin, 1-3, 40131 Bologna, Italy.

Promoting our services

Finally, we process personal data of persons to whom we wish to promote our services. This will include business contact data which we may have collected directly from you either in the course of provisioning you for our services, or from this website or an industry information service.

2: DATA PROCESSOR ACTIVITIES

We act as a Data Processor in the provision of a number of services and in these roles, we process the data provided to us by the respective Data Controllers, and act solely on the instructions of the Data Controller:

  • For financial services companies who wish us to check nominated individuals which they need to screen for sanctions and other regulations to which they are subject.
  • Providing a gateway that can simultaneously check the Central Credit Register and the Irish Credit Bureau's databases.
  • Providing identity verification services (IDVerify) for our clients and providing storage for related documentation in a service we call DigitalHub.
  • Providing access to an Open Banking solution (NEOS) that analyses a client's payment transaction data for credit evaluation purposes.

How we get your personal data and our legal basis for processing it

Provision of services

We provide clients with information that allows them to check the identity of their customers or potential customers (e.g. information on directorships of companies or ownership of Registered Business Names, Politically Exposed Persons, Sanctions lists, court judgments, bankruptcies etc.) for Know Your Customer (KYC) and Anti-Money Laundering (AML) amongst other purposes. We may obtain this information from public sources such as the Companies' Registration Office, the Revenue Commissioners or the courts, or from commercial providers of business and risk intelligence data.

For these services, we process personal data on the basis of our legitimate interests in providing the services in question, and the legitimate interests of our clients who need to be able to know their customers, carry our anti-money laundering checks, detect fraud, avoid cyber security risks etc. These interests are set out in Legitimate Interests Assessments which are available on request.

Running our business

Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services, or where you or your employer provides a service to us. Such data can be used to enable us to:

  • Provide you with the ability to use our services (for example provide you with username and password), provide support services such as a Helpdesk service, and to monitor such use for billing or security purposes including downloads of reports or other content
  • Administer your or your employer's contract with us, including invoicing, debt recovery etc.

Our legal basis for processing this data is either for our legitimate interests, or for the performance of a contract if we are dealing directly with you. If we are dealing with your employer or client, they should be advising you as to why they are providing your personal data to their customers or service providers. We obtain information about current, past or prospective employees either directly from you, or from recruitment consultants and the like. This information is used for HR administration, including payroll and recruitment.

Promoting our services

Certain information will have been gathered from you or your employer when your organisation was being set up for our services. We may also have gathered your data through your interactions with this website or via email or telephone enquiries. Please see our separate Cookie Notice for more details on the cookies we are using in order to better understand your interests. Such data can be used to enable us to keep you informed about developments at CRIF VisionNet Limited and our services, conducting market research and analysis, or determining which of our services are most suitable for you. We are doing so on the basis of our legitimate interests in promoting and developing our business. A specific Legitimate Interests Assessment for these purposes is available on request.

Note however that by signing up for email updates, you are also consenting to us using a small pixel to see which of our emails you open. This helps us in developing messages that are appropriate to you in the future. If you have any reservations about the pixel being placed on your device(s), please do not subscribe.

As with any website, we interact with your device and browser to serve pages to you. This involves collecting certain information, but we do not use this data to identify you by connecting it to other data that we collect. Rather we might only do so for security and fraud prevention purposes. The type of data acquired includes IP addresses, the addresses of the resources requested in URI notation (Uniform Resource Identifier), the time the request was made, the method used in making the request to the server, and other parameters related to the operating system and the computer environment of the user.

The following table summarises the data we process as a Data Controller, the sources of that data and our legal basis:

ACTIVITY CATEGORIES OF DATA SUBJECTS CATEGORIES OF PERSONAL DATA SOURCE LEGAL BASIS
Provision of information on Irish Directors and Owners of Registered Business Names Directors (including Secretaries and disqualified or restricted Directors), shareholders, UBOs, Examiners, Receivers and Liquidators, Authorised Persons, Business Owners, Accountants, Company Presenters, Auditors. Names, business and residential addresses and date of birth, shareholding, and directorships. Companies Registration Office Legitimate Interests
Provision of UK and International Search services Directors (including Secretaries and disqualified or restricted Directors), shareholders, UBOs etc. Names, business and residential addresses and date of birth, shareholding, and directorships. Commercial providers Legitimate Interests
Provision of Know Your Customer and Anti Money Laundering services Directors (including Secretaries and disqualified or restricted Directors), shareholders, UBOs etc. Names, business and residential addresses and date of birth, shareholding, and directorships. Public Registers and commercial providers. Legitimate Interests
Provision of Consumer Check (Individual) reports Individuals Names, residential addresses and dates of birth. Public Registers and commercial providers. Legitimate Interests
Provision of reports on Friendly Societies and International Companies Members of governing group of friendly societies and directors of registered companies in certain overseas territories. Names, residential or business addresses and dates of birth. Public Registers Legitimate Interests
Provision of Land Registry Document Service Owners of registered properties Names and residential or business addresses. Public Register Legitimate Interests
Running our services Employees of client companies and individual subscribers Names, business contact details, usage records including the IP address of the logged in user and partial credit card details. For our website: IP addresses, resources requested, time of request and computing environment. Employees of clients and individuals Legitimate Interests
Promoting our services Employees of client companies, individual subscribers and enquirers about our services Names, business contact details Employees of clients and individuals Legitimate Interests
Tracking of recipients' opening of our update emails Recipients of our email updates Open rates Subscribers from website and employees of clients/individual clients Consent
Data Subject Rights Requests All data subjects seeking to establish and assert rights. As and if necessary to verify identity of data subject. Direct from data subject. Legal obligation.

In all cases we will also process data as required by applicable law.

What we do with your personal data

As a Data Controller, we make information available to our clients to assist them in their decision-making. Our clients include financial and insurance services organisations and professional advisers (e.g. solicitors, accountants). This data is almost made available to similar organisations overseas through a network of affiliates. We use the services of a company based outside the EEA to assist us in preparing data from the Companies Registration Office so that it is accessible to our clients and international affiliates. We use Standard Contractual Clauses as a safeguard for these transfers.

For the management of some marketing contact data, we also use external services that are based outside the EEA. Again, we use Standard Contractual Clauses as a safeguard for such transfers to ensure they are made in compliance with data protection legislation.

ACTIVITY SHARED WITH
Irish Directors and Owners of Registered Business Names Clients and international affiliates.
UK and International Search Clients
Know Your Customer and Anti-Money Laundering Clients
Consumer Check Individual Clients
Reports on Friendly Societies and International Companies Clients
Land Registry Document Service Clients
Employment Employment
Running our services Running our services
Promoting our services Electronic mailing service provider.
Data Subject Rights Requests Data Subject Rights Requests

Where we are the "data processor", we act on the instructions of the data controller.

How long we keep your personal data

Where we are the Data Controller, we retain personal data according to the following criteria:

ACTIVITY DATA RETENTION CRITERIA/PERIOD
Irish Directors and Owners of Registered Business Names Data updated daily. Records of searches undertaken by clients are retained for thirty seven months. Ad hoc listings of companies that are generated in response to client queries are deleted after six months.
UK and International Search Results of search enquiries performed by users are retained for thirty seven months.
Know Your Customer and Anti Money Laundering Results of search enquiries performed by users are retained for thirty seven months
Consumer Check Individual Results of search enquiries performed by users are retained for thirty seven months.
Reports on Friendly Societies and International Companies Results of search enquiries performed by users are retained for six months.
Land Registry Document Service Use of search facility is retained for thirty-seven months.
Employment 10 years from termination of employment relationship.
Running our services Seven years after the termination of the contract. All search records are anonymised after thirty seven months.
Promoting our services One year after termination of contract for clients and eighteen months for prospective clients who do not contract in that time period. If you unsubscribe before them, we will still need to retain some minimal personal data to ensure that your request is observed and not inadvertently revoked.
Tracking of recipients' opening of our update emails Open history will be deleted in conjunction with the record on the individual.
Data Subject Rights Requests Two years from last contact with Data Subject.

Where we are a "data processor", we keep your data for as long as the Data Controller instructs us to.

Your data protection rights

Where we are processing your personal data as a Data Controller, you may have the right to request of us access to, and rectification or erasure, of personal data or the restriction of processing concerning your data or to object to processing as well as the right to data portability. Furthermore, to the extent that our processing may be based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before this withdrawal. Please bear in mind that your rights in relation to your Personal Data are not absolute. It is important to note that we are processing much of the data either on the basis of legitimate interests or performance of contract, rather than consent. This means there is no absolute right to have such data erased, but you may have rights to both object to such processing or to restrict it. In circumstances where we have obtained your data from a third party we may need to confirm the accuracy of the data with that third party before rectification. Marketing communications by electronic means with you will be conducted in compliance with Statutory Instrument 336 of 2011 which give you specific privacy rights in relation to electronic communications. We provide an opt-out in each communication which allows you express your preferences with regard to receiving subsequent communications. As mentioned above, the service we use places a small pixel on your device that allows us know which items you choose to open and we use this information to refine the content of the messages that we are sending to you. Please contact us at the email or postal addresses above if you wish to make a data subject request. In our role as Data Processor, we also hold personal data. In such cases, you would need to contact the respective "Data Controller" to exercise your data protection rights. If you have any requests we can direct you to the appropriate Data Controller.

How to complain

You can report a concern to the Data Protection Commission using this form which is the DPC's preferred route for such communications.

If you have any issues using that route, you can communicate in writing to:

Data Protection Commission,
21 Fitzwilliam Square South
Dublin 2
D02 RD28


email: info@dataprotection.ie


Website: www.dataprotection.ie


Date: November 2021