1.    Introduction
Based on Article 13 of the Federal Constitution of the Swiss Confederation as well as the data protection provisions of the Swiss Confederation (Swiss Federal Act on Data Protection, FADP) and - where applicable - the EU General Data Protection Regulation (GDPR), every person has the right to protection of their privacy as well as protection against misuse of their personal data. The protection of your personal data is important to us. You can expect us to handle your data sensitively and carefully and to ensure a high level of data security.
This Privacy Policy explains how CRIF AG - hereinafter also referred to as “we” - collects and further processes personal data, insofar as this is not apparent from the circumstances or regulated by law.

2.    Identity and contact details of the controller
The data controller within the meaning of the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR) is:
Hagenholzstrasse 81
8050 Zurich, Switzerland
VAT ID: CHE-107.708.282
CRIF AG has not appointed a data protection advisor or data protection officer within the meaning of Art. 10 FADP or Art. 37 GDPR. Any enquiries, claims or information relating to data protection law should be sent to the aforementioned contact details of the controller.

3.    Purpose of the processing and legal basis
We process your personal data mentioned under section 4 below for the following purposes:

4.    Categories of personal data processed
The following categories of personal data may be processed by us in connection with our services:

5.    Categories of recipients of data
In principle, without your express prior consent, your personal data will be transferred only to the recipients named below:

6.    Data transmission outside of Switzerland
Your personal data will always be processed in Switzerland. However, we may transfer your data to trusted recipients in third countries (both in the European Union and elsewhere in the world).
This transfer will take place on the basis of what is known as an adequacy decision of the Swiss Federal Council or the European Commission. If a recipient is located in a country without adequate statutory data protection, we oblige the recipient to comply with the applicable data protection on the basis of suitable guarantees pursuant to Art. 16 (2) FADP or Art. 46 (2) GDPR, in particular by means of what are called standard contractual clauses, which have also been issued by the European Commission or recognised, issued or approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC). We can dispense with such an obligation if we can rely on an exemption clause. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the processing of a contract requires disclosure abroad, if you have consented or if the data in question were made generally accessible by you and you have not objected to their processing.
We transfer the data provided to companies belonging to our Group - a list of Group companies is available at the following link:; these companies include our parent company, CRIF S.p.A, Italy, whose Privacy Policy is available at: andà-di-informazione-commerciale/. In the present case, it cannot be ruled out that data will be transmitted outside the European data protection area, in particular also to recipients in the USA. Please also note that data exchanged via the internet is often routed via third countries. Your data may therefore pass through other countries even if the sender and recipient are in the same country.

7.    Duration of storage
The deletion period regulates the time from when personal data must be deleted. The following deletion periods apply regardless of whether the underlying data were collected and stored on a statutory basis or on the basis of consent. The data must be deleted by the end of this period at the latest.
We store your personal data for as long as (i) statutory retention obligations exist or (ii) any legal claims for the assertion or defence of which the personal data are required have not yet become time-barred.
Otherwise, your personal data will be kept by us at most until the purpose on which the processing is based (see section 3 above) has ceased to apply. For archiving purposes, the data can also be stored for longer.
The statutory deletion period for creditworthiness data is 10 years. Receivables and payment experiences that have not been pursued will be deleted by us after only 5 years.

8.    Automated data collection and processing on our website
We use various technologies on our website that enable us and third parties we engage to recognise you when you use our website and, in some circumstances, to track you across multiple visits. We will inform you about these in this section.
Essentially, this is so that we can distinguish your access (via your system) from access by other users, so that we can ensure the functionality of the website and carry out evaluations and customisations. We do not intend to infer your identity in doing so, although we may be able to do so insofar as we or third parties engaged by us can identify you by combining the data with registration data. Even without registration data, however, the technologies used are designed in such a way that you are recognised as an individual visitor each time you access the site, for example by our server (or the servers of third parties) assigning you or your browser a specific identification number (i.e., a “cookie”).
We use such technologies on our website and allow certain third parties to do so as well. However, depending on the purpose of these technologies, we may ask for your consent before they are used. You can adjust your current cookie settings on the website at any time. You can program your browser to block or deceive certain cookies or alternative technologies, or to delete existing cookies. You can also use a browser extension that blocks tracking by certain third parties. You can find further information on this on the help pages of your browser (usually under the keyword “data protection”) or on the websites of the third parties.
A distinction is made between the following cookies (technologies with comparable functions such as fingerprinting are included here):

9.    Your rights in connection with the processing of your personal data
Right to information (Art. 25 FADP or Art. 15 GDPR): You have the right to request information about your personal data processed by us at reasonable intervals. Upon request, we will provide you with a copy of the data that are the subject of the processing.

Right to rectification (Art. 32 FADP or Art. 16 GDPR): You have the right to request that we correct incorrectly processed data.

Right to withdraw consent (Art. 6 (6) and Art. 31 (1) FADP or Art. 7 (3) GDPR): If the data processing by us is based on your consent, you have the right to revoke any consent given to us at any time. The lawfulness of the processing carried out on the basis of the consent up to the revocation remains unaffected by the revocation.

Right to restriction of processing (Art. 30 (2) lit. b FADP or Art. 18 GDPR): Under certain conditions, you have the right to restrict the processing of your personal data (e.g., with regard to the duration of use, the material reference or the purpose of the processing, etc.). In such a case, we may continue to process the data in the previous manner only if there is a legally provided justification.

Right to erasure (Art. 30 (3) FADP or Art. 17 GDPR): You furthermore have the right to request that we delete your personal data. Among other things, we are obliged to delete your personal data if you expressly prohibit us from processing them and there is no justifiable reason for further processing, if your personal data are no longer required for the purposes for which they were collected or otherwise processed, if you have withdrawn previously granted consent or if the data have been processed unlawfully.
It is not possible to delete or block individual payment experiences. However, you have the option to correct such information if there are errors. In the case of publicly published data relevant to creditworthiness, blocking or deletion is not possible.
If you request deletion, CRIF AG will block all your data for any queries. However, the identification data are not deleted; this is to ensure that a data subject is not re-entered into the database with a new registration.

Right to data portability (Art. 28 FADP or Art. 20 GDPR): Where we process your data automatically for the conclusion or performance of a contract or with your consent, we shall, at your request, release these data to you in a machine-readable format or - at your option - transfer it to a third party.

Right to object (Art. 21 GDPR): If we process your data for the performance of a task in the public interest or in the exercise of official authority (Article 6 (1) clause 1 lit. e GDPR) or if the data processing is based on our legitimate interests, you have the right, on the basis of the GDPR, to object to the processing of your personal data at any time for reasons arising from your particular situation. We will then stop the processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests in stopping the processing.
You can object to the processing of your personal data for direct marketing purposes at any time without restrictions.

Right to lodge a complaint (Art. 49 FADP or Art. 77 GDPR): Insofar as applicable to you, there is a right to lodge a complaint with a competent data protection authority. The supervisory authority which is competent in Switzerland can be contacted at the following address: Federal Data Protection and Information Commissioner, Feldeggweg 1, CH 3003 Bern, Switzerland.

Exclusion of liability
CRIF AG accepts no liability with regard to the correctness, accuracy, topicality, reliability or completeness of the content of the information.
Any liability claims against CRIF AG in relation to losses of a material or non-material form (whether arising from accessing or using/not using the published information, from misuse of the link or from technical faults) shall be excluded. All quotations are non-binding. CRIF AG expressly reserves the right to modify, supplement, delete or temporarily or permanently cease publication of parts of the sites or the full range of services, without providing any specific prior notice.

The copyrights and all other rights relating to content, images, photographs or other files on the website are the exclusive property of CRIF AG or the specifically named owners of those rights. The written agreement of the copyright holders must be obtained in advance for the reproduction of any of the elements.

Liability for links
References and links to third-party websites lie outside our area of responsibility. We reject any liability for such websites. Any access to and use of such websites is at the user’s own risk.