CRIF VisionNet Limited is committed to protecting your privacy, which is why we have set out this privacy notice describing the personal data that we might process about you, why we process it, where we might get your personal data from, and how we handle it. If cookies are your particular interest, you will find our separate cookie notice here. This notice also sets out how you can engage with us and how you can contact the Data Protection Commission, if you have any concerns about your personal data.
CRIF VisionNet Limited is registered in Ireland (Registration Number: 177790). Our Data Protection Officer is contactable at privacy@vision-net.ie or if you wish to write to us, please use the following address:
Data Protection Officer
CRIF VisionNet Limited
3rd Floor, Adelphi Plaza,
George's Street Upper,
Dun Laoghaire,
County Dublin,
A96 T927
Data subjects in the UK may wish to note that we have appointed a UK Representative as required under the UK GDPR whom they are welcome to contact if they prefer:
Compliance Officer
CRIF Decision Solutions
55 Old Broad Street
London EC2M 1RX
Email: dpo.uk@crif.com
CRIF Vision-net Ltd ("We") processes personal data both as a Data Controller, for our own purposes, and as a Data Processor on behalf of other entities
1: DATA CONTROLLER ACTIVITIES
Provision of services
CRIF VisionNet Limited is an aggregator of business information in order to provide services to those striving to fulfil compliance requirements, reduce business risk and make informed business decisions. It does so through its vision-net.ie and solocheck.ie websites.
We provide information services, consumer reporting and cyber risk solutions to a broad range of clients, particularly in the financial services sectors (including insurance companies), which allow them to, amongst other things:
For many of these services, the personal data that we process is provided to us by third parties, rather than directly by you, the data subject.
Running our business
In the normal course of running our business we process the personal data of employees of our clients, suppliers and other third parties. This includes business contact details such as names, email addresses and phone numbers which may have been provided to us indirectly by your employer or our business partners rather than directly by you. These entities should provide their employees and associates with an appropriate information notice to cover how we process their data. In addition, we process personal data of our own employees, in which role we are a joint Data Controller with our parent company CRIF SpA, via M. Fantin, 1-3, 40131 Bologna, Italy.
Promoting our services
Finally, we process personal data of persons to whom we wish to promote our services. This will include business contact data which we may have collected directly from you either in the course of provisioning you for our services, or from this website or an industry information service.
2: DATA PROCESSOR ACTIVITIES
We act as a Data Processor in the provision of a number of services and in these roles, we process the data provided to us by the respective Data Controllers, and act solely on the instructions of the Data Controller:
Provision of services
We provide clients with information that allows them to check the identity of their customers or potential customers (e.g. information on directorships of companies or ownership of Registered Business Names, Politically Exposed Persons, Sanctions lists, court judgments, bankruptcies etc.) for Know Your Customer (KYC) and Anti-Money Laundering (AML) amongst other purposes. We may obtain this information from public sources such as the Companies' Registration Office, the Revenue Commissioners or the courts, or from commercial providers of business and risk intelligence data.
For these services, we process personal data on the basis of our legitimate interests in providing the services in question, and the legitimate interests of our clients who need to be able to know their customers, carry out anti-money laundering checks, detect fraud, avoid cyber security risks etc. These interests are set out in Legitimate Interests Assessments which are available on request.
Running our business
Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services, or where you or your employer provides a service to us. Such data can be used to enable us to:
Our legal basis for processing this data is either for our legitimate interests, or for the performance of a contract if we are dealing directly with you. If we are dealing with your employer or client, they should be advising you as to why they are providing your personal data to their customers or service providers. We obtain information about current, past or prospective employees either directly from you, or from recruitment consultants and the like. This information is used for HR administration, including payroll and recruitment.
Promoting our services
Certain information will have been gathered from you or your employer when your organisation was being set up for our services. We may also have gathered your data through your interactions with this website or via email or telephone enquiries. Please see our separate Cookie Notice for more details on the cookies we are using in order to better understand your interests. Such data can be used to enable us to keep you informed about developments at CRIF VisionNet Limited and our services, conducting market research and analysis, or determining which of our services are most suitable for you. We are doing so on the basis of our legitimate interests in promoting and developing our business. A specific Legitimate Interests Assessment for these purposes is available on request.
Note however that by signing up for email updates, you are also consenting to us using a small pixel to see which of our emails you open. This helps us in developing messages that are appropriate to you in the future. If you have any reservations about the pixel being placed on your device(s), please do not subscribe.
As with any website, we interact with your device and browser to serve pages to you. This involves collecting certain information, but we do not use this data to identify you by connecting it to other data that we collect. Rather we might only do so for security and fraud prevention purposes. The type of data acquired includes IP addresses, the addresses of the resources requested in URI notation (Uniform Resource Identifier), the time the request was made, the method used in making the request to the server, and other parameters related to the operating system and the computer environment of the user.
The following table summarises the data we process as a Data Controller, the sources of that data and our legal basis:
ACTIVITY | CATEGORIES OF DATA SUBJECTS | CATEGORIES OF PERSONAL DATA | SOURCE | LEGAL BASIS |
---|---|---|---|---|
Provision of information on Irish Directors and Owners of Registered Business Names | Directors (including Secretaries and disqualified or restricted Directors), shareholders, UBOs, Examiners, Receivers and Liquidators, Authorised Persons, Business Owners, Accountants, Company Presenters, Auditors. | Names, business and residential addresses and date of birth, shareholding, and directorships. | Companies Registration Office | Legitimate Interests |
Provision of UK and International Search services | Directors (including Secretaries and disqualified or restricted Directors), shareholders, UBOs etc. | Names, business and residential addresses and date of birth, shareholding, and directorships. | Commercial providers | Legitimate Interests |
Provision of Know Your Customer and Anti Money Laundering services | Directors (including Secretaries and disqualified or restricted Directors), shareholders, UBOs etc. | Names, business and residential addresses and date of birth, shareholding, and directorships. | Public Registers and commercial providers. | Legitimate Interests |
Provision of Consumer Check (Individual) reports | Individuals | Names, residential addresses and dates of birth. | Public Registers and commercial providers. | Legitimate Interests |
Provision of reports on Friendly Societies and International Companies | Members of governing group of friendly societies and directors of registered companies in certain overseas territories. | Names, residential or business addresses and dates of birth. | Public Registers | Legitimate Interests |
Provision of Land Registry Document Service | Owners of registered properties | Names and residential or business addresses. | Public Register | Legitimate Interests |
Running our services | Employees of client companies and individual subscribers | Names, business contact details, usage records including the IP address of the logged in user and partial credit card details. For our website: IP addresses, resources requested, time of request and computing environment. | Employees of clients and individuals | Legitimate Interests |
Promoting our services | Employees of client companies, individual subscribers and enquirers about our services | Names, business contact details | Employees of clients and individuals | Legitimate Interests |
Tracking of recipients' opening of our update emails | Recipients of our email updates | Open rates | Subscribers from website and employees of clients/individual clients | Consent |
Data Subject Rights Requests | All data subjects seeking to establish and assert rights. | As and if necessary to verify identity of data subject. | Direct from data subject. | Legal obligation. |
Creating ESG KPIs | Company Directors and Secretaries. | Forename, surname and gender. | Public Register. | Legitimate interests. |
In all cases we will also process data as required by applicable law.
As a Data Controller, we make information available to our clients to assist them in their decision-making. Our clients include financial and insurance services organisations and professional advisers (e.g. solicitors, accountants). This data is almost made available to similar organisations overseas through a network of affiliates. We use the services of a company based outside the EEA to assist us in preparing data from the Companies Registration Office so that it is accessible to our clients and international affiliates. We use Standard Contractual Clauses as a safeguard for these transfers.
For the management of some marketing contact data, we also use external services that are based outside the EEA. Again, we use Standard Contractual Clauses as a safeguard for such transfers to ensure they are made in compliance with data protection legislation.
ACTIVITY | SHARED WITH |
---|---|
Irish Directors and Owners of Registered Business Names | Clients and international affiliates. |
UK and International Search | Clients |
Know Your Customer and Anti-Money Laundering | Clients |
Consumer Check Individual | Clients |
Reports on Friendly Societies and International Companies | Clients |
Land Registry Document Service | Clients |
Employment | Employment |
Running our services | Running our services |
Promoting our services | Electronic mailing service provider. |
Data Subject Rights Requests | Data Subject Rights Requests |
Where we are the "data processor", we act on the instructions of the data controller.
Where we are the Data Controller, we retain personal data according to the following criteria:
ACTIVITY | DATA RETENTION CRITERIA/PERIOD |
---|---|
Irish Directors and Owners of Registered Business Names | Data updated daily. Records of searches undertaken by clients are retained for thirty seven months. Ad hoc listings of companies that are generated in response to client queries are deleted after six months. |
UK and International Search | Results of search enquiries performed by users are retained for thirty seven months. |
Know Your Customer and Anti Money Laundering | Results of search enquiries performed by users are retained for thirty seven months |
Consumer Check Individual | Results of search enquiries performed by users are retained for thirty seven months. |
Reports on Friendly Societies and International Companies | Results of search enquiries performed by users are retained for six months. |
Land Registry Document Service | Use of search facility is retained for thirty-seven months. |
Employment | 10 years from termination of employment relationship. |
Running our services | Seven years after the termination of the contract. All search records are anonymised after thirty seven months. |
Promoting our services | One year after termination of contract for clients and eighteen months for prospective clients who do not contract in that time period. If you unsubscribe before them, we will still need to retain some minimal personal data to ensure that your request is observed and not inadvertently revoked. |
Tracking of recipients' opening of our update emails | Open history will be deleted in conjunction with the record on the individual. |
Data Subject Rights Requests | Two years from last contact with Data Subject. |
Where we are a "data processor", we keep your data for as long as the Data Controller instructs us to.
Where we are processing your personal data as a Data Controller, you may have the right to request
of us access to, and rectification or erasure, of personal data or the restriction of processing
concerning your data or to object to processing as well as the right to data portability.
Furthermore, to the extent that our processing may be based on consent, you have the right to
withdraw your consent at any time, without affecting the lawfulness of processing based on consent
before this withdrawal.
Please bear in mind that your rights in relation to your Personal Data are not absolute. It is
important to note that we are processing much of the data either on the basis of legitimate
interests or performance of contract, rather than consent. This means there is no absolute right to
have such data erased, but you may have rights to both object to such processing or to restrict it.
In circumstances where we have obtained your data from a third party we may need to confirm the
accuracy of the data with that third party before rectification.
Marketing communications by electronic means with you will be conducted in compliance with Statutory
Instrument 336 of 2011 which give you specific privacy rights in relation to electronic
communications. We provide an opt-out in each communication which allows you express your
preferences with regard to receiving subsequent communications. As mentioned above, the service we
use places a small pixel on your device that allows us know which items you choose to open and we
use this information to refine the content of the messages that we are sending to you.
Please contact us at the email or postal addresses above if you wish to make a data subject request.
In our role as Data Processor, we also hold personal data. In such cases, you would need to contact
the respective "Data Controller" to exercise your data protection rights. If you have any requests
we can direct you to the appropriate Data Controller.
CRIF VisionNet Limited's ESG (Environmental, Social & Governance) indicator involves statistical analysis of over 130 KPIs
covering Environment, Social and Governance aspects of Irish and UK companies. As part of the Governance KPIs we include an assessment of gender balance based on the forenames
of the company's registered officers. We use a curated database of forenames commonly associated with male and female genders to assign a gender to each officer.
Where a forename is commonly used by either gender we assign a value of 'unknown'. If you wish to find out which gender has been assigned to you as an officer of a company,
or wish to have that gender changed please contact us at privacy@vision-net.ie.
Gender is also used for statistical analysis, but in a non-identifiable way. We do not process gender for any other purpose.
You can report a concern to the Data Protection Commission using this form which is the DPC's preferred route for such communications.
If you have any issues using that route, you can communicate in writing to:
Data Protection Commission,
21 Fitzwilliam Square South
Dublin 2
D02 RD28
email: info@dataprotection.ie
Website: www.dataprotection.ie
Date: September 2024