Privacy Policy


With this Privacy Policy, CRIF SPA intends to describe the methods of managing this website with reference to the processing of the personal data of users who access it. This is a general information notice provided to all visitors to the website in accordance with the EU Data Protection Regulation No. 2016/679 (GDPR) and all other applicable laws. If users decide to sign up to the ESG initiative, a specific and detailed information notice will be provided to them in accordance with Articles 13 and/or 14 of the GDPR, and specific consent to the processing of personal data will be requested, if necessary.


Following access to and consultation of this Website, data relating to identified or identifiable persons may be processed. The Controller for the processing of the collected personal data is CRIF Spa, with registered office located at Via Mario Fantin 1-3, 40131 Bologna (BO), Italy (“CRIF”). You can contact the Controller at the above mailing address or via the following e-mail address: .

Location of data processing

The processing of data collected with reference to those who access the website is carried out at the CRIBIS head office, as communicated to the Italian Data Protection Authority and in accordance with the provisions of the GDPR and all other applicable laws. Personal data is processed only by specially trained employees or contractors with appropriate technical skills, and who are appointed and authorized to perform the processing.

Methods of data processing

The data will be processed lawfully and fairly, guaranteeing its security and confidentiality, according to the provisions of the GDPR and all other applicable laws. Personal data will be processed using electronic and, in any case, automated equipment.

Purpose of data processing

User data may be processed for:

  1. the performance of the operations strictly necessary to provide the services or initiatives that may be requested by the user, including navigating the website;
  2. the provision of technology services (remote or on-site assistance and maintenance, etc.), including by specifically authorized third parties;
  3. statistical processing of aggregated data in relation to website services.

On the website pages where your personal data is explicitly collected, you will find, where necessary, any additional privacy specifications, as well as the methods for acquiring your consent and/or identifying any further basis for the legitimacy of the processing pursuant to Article 6 of the GDPR.

Legal basis for data processing

Your personal data will be processed on the basis of one or more of the following conditions. In particular, processing carried out for the purposes referred to in points: no. 1 and 2 above, have as their legal basis the need to fulfill the requests for the provision of a service or to participate in an initiative directly available through the website: therefore, this type of data processing is strictly necessary and connected to a pre-contractual and/or contractual phase or designed to respond to a specific request according to Art. 6 par. 1(b) of the GDPR, and as such, the personal data collected are necessary. If the data is not provided, it will not be possible to provide the service or to respond to your request; no. 3 above, has as its legal basis the legitimate interest of the Controller in accordance with Art. 6 par. 1 (f) of the GDPR, consisting of improving the performance and verifying the proper functioning of the website. In this regard, we also invite you to consult the Website Cookie Policy.

Categories of recipients of personal data

The data may be communicated to different categories of recipients, according to the service/initiative requested by the CRIBIS client. For each service/initiative requested by the CRIBIS client, a special information notice will be provided with the details of the recipients of the personal data.

Transfer of personal data

Generally, the data provided by CRIBIS clients will not be transferred outside the European Union. However, this transfer may occur according to the individual service provided by CRIBIS. For each service requested by the CRIBIS client, a special information notice will be provided with the details of the countries to which the data will be transferred. However, should personal data be transferred outside the European Union, the transfer will be carried out in accordance with the provisions of the GDPR and all other applicable laws (as will be indicated in the information notice).

Type of personal data processed

With reference to browsing data, the computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit to the use of Internet communication protocols. This information is not collected in association with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This data category includes the IP addresses or domain names of computers used by users who connect to the Website, Uniform Resource Identifier (URI) addresses of the requested resources, the time of the request, the method used to submit the request to the server, and other parameters related to the user’s operating system and computing environment. The optional and voluntary sending of e-mails to the addresses indicated on the website involves the acquisition of the user’s personal data which is necessary to respond to user requests.

Data provision

The user is free to provide the personal data necessary to allow CRIBIS to provide services or to participate in the requested initiatives. Failure to provide the data may result in the inability of the company to provide the requested information or services.

Retention period

CRIBIS retains the navigation data for a period not exceeding 18 months from the last interaction with the Website. For each service or initiative requested by the CRIBIS client, a special information notice will be provided with details of the data retention period or the criteria used to determine this period.


For details about the use of cookies on this Website, please refer to the Cookie Policy.

Data subject rights

We hereby inform you that, pursuant to the GDPR, the user can exercise the following rights: the right to access his or her personal data, ask for the amendment or deletion of the data, or restriction of the processing. Users also have the right to oppose the processing, as well as the right to portability. In addition, users can withdraw their consent at any time, it being understood that the withdrawal of consent does not affect the lawfulness of the processing carried out up to the point of withdrawal. In any case, for each service requested by the CRIBIS client, a special information notice will be provided with details of the rights that can be exercised and the ways in which to exercise them. In such cases, you can exercise your rights by contacting the Controller using the following contact details: CRIF SPA, Via Mario Fantin 1-3, 40131 Bologna (BO), Italy or writing to the following e-mail address:  The data subject can also submit a complaint to the Italian Data Protection Authority, following the instructions through the link: For any questions regarding the processing of your personal data, you can contact the Data Protection Officer by e-mailing: ; certified e-mail: