EU-US Data Protection Framework Privacy Notice
Creditsafe Canada Inc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Creditsafe has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
The Federal Trade Commission has jurisdiction over Creditsafe Canada's compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.
This document answers the following questions:
1. Who is Creditsafe?
2. How can I contact Creditsafe?
3. Where does Creditsafe’s data originate from?
4. What data does Creditsafe process and for which purposes?
5. What is the legal basis for Creditsafe to process the business information data?
6. Who does Creditsafe share data with?
7. Where is the business information data stored?
8. How long does Creditsafe store business information data?
9. Is data transferred to a recipient outside of the UK, European Union, or the European Economic Area?
10. What are my rights as a data subject?
11. Is your data used for automated decision making?
12. Where can you raise a complaint?
13. Do you have an obligation to share or update data with Creditsafe?
14. Is your data used for profiling or scoring?
Who is Creditsafe?
Creditsafe has the largest wholly owned database in the industry, providing accurate and reliable data to over 500,000 subscribers across the globe. Our global database contains insights on more than 365 million businesses, directors and shareholders worldwide.
We gather data from our local, trusted partners and combine it with our scoring algorithm, resulting in the superior data powering our complete business solutions product suite.
Creditsafe is the founder and administrator of a global network of leading commercial credit reference agencies. We have live data streams for over 70 countries, working with partners that are recognized market leaders in each country for online database reports. By using local providers wherever possible, we are ensuring niche knowledge is streamed into our data and updated on a regular basis.
How can I contact Creditsafe?
Creditsafe USA can be contacted at:
Creditsafe Canada Inc.
4635 Crackersport Rd,
Allentown, PA 18104
E-Mail: https://help.creditsafe.com/en/support/home
Website: https://www.creditsafe.com/us/en.html
Tel: (855)551-6903
You can reach our Data Protection Officer as follows:
Caspian Point One,
Pierhead Street,
Cardiff,
CF10 4DQ
United Kingdom
Email: [email protected]
Tel: +44 (0) 2920 886 500
In accordance with Article 27 of the GDPR we have appointed an EU representative. The contact information is as follows:
Creditsafe Ireland Limited
Block B Joyce’s Court,
Talbot Street,
DUBLIN 1
Ireland
E-Mail: [email protected]
Website: https://www.creditsafe.com/ie/en.html
Telephone: 01 898 3200
Where does Creditsafe’s data originate from?
The data comes from public sources such as commercial registers, insolvency publications and the register on defaulting debtors, which is kept at central enforcement courts as well as from contractual business partners of Creditsafe. Information on payment behaviour and special payment agreements are provided by business partners of Creditsafe. Creditsafe uses the same raw data to feed all of its business information products.
Personal data is also processed by us where we receive information from contractual business partners that may rely on consent to share data. You can revoke your consent at any time with the source. This has no retroactive effect. However, due to your revoked consent, we are then no longer allowed to process your data.
In addition, verifiable information you as the data subject decide to provide can be used to update your organisation’s credit reference information.
On request of a client, we purchase data on the creditworthiness of natural persons from TransUnion Limited.
What data is covered by this privacy notice?
Creditsafe processes a variety of data sets, including the following:
· Client and supplier data.
· Data used in our products.
What client data does Creditsafe process and for which purposes?
There are two data sets that Creditsafe processes:
· Data held in Creditsafe’s CRM system. This would include names, company names, business postal addresses, business email addresses, business telephone numbers. This data is visible to all Creditsafe offices, but limited to those who need to view this information.
· Data used to access Creditsafe’s products. This would include names and business email addresses. This data is only visible to our back-office operations team based in the UK.
What supplier data does Creditsafe process and for which purposes?
· Data held in Creditsafe’s CRM system. This would include names, company names, business postal addresses, business email addresses, business telephone numbers. This data is visible to all Creditsafe offices, but limited to those who need to view this information.
What is the legal basis for Creditsafe to process the client and supplier data?
Creditsafe uses Contract as its legal basis for processing the data detailed above.
What data does Creditsafe process in its products and for which purposes?
Company Credit Checks
Creditsafe processes business related information regarding the financial standing and creditworthiness of businesses, and other organisations, so that businesses can manage their financial risks. Creditsafe uses its proprietary scoring systems to analyse key statistical metrics to determine the financial stability of a company. It provides a credit report that includes information on a company’s group structure, annual accounts, trading locations, court judgement information and Company registry documentation. This information can be monitored and updated whenever there are changes made.
The aim of a creditworthiness check is not only to avoid losses in the (trade) credit business but also to protect borrowers from over-indebtedness.
Ledger Management.
Creditsafe’s clients provide its 3D Ledger and Industry Platform products with their own accounts receivable ledger data. Creditsafe then combines it with its live international business data and over 300 million trade payment experiences to provide it with the means to prioritise its collections and gives a view of the risk of default.
Compliance Checks.
Creditsafe provides checks on businesses and individuals for the following compliance reasons:
· Fraud Prevention
· Anti-Money Laundering
· PEPs and Sanctions checks,
· Identity and KYC checks and
· Tracing missing persons
· Compliance Alerts
These products take the name of the business, the names, country of residence and date of birth for current directors of the business and any ultimate beneficial owners and screens them against various anti-money laundering sources, such as global sanctions regimes, national law enforcement agencies, political exposed persons lists and AML relevant adverse media.
It should be noted that the product displays possible matches. It is up to the client to investigate further to either confirm or reject the match.
Data Matching and Enrichment
Creditsafe receives business information data from a number of sources, as indicated above, and then uses its proprietary algorithms and technologies to cross reference, match and append this data, thereby providing a more complete picture of any organisation or company director and shareholder. Typically the data provided is restricted to Director name(s), director’s date of birth (month and year), business address, website addresses and business telephone numbers as well as basic financial information about the companies, including a credit score.
Prospect Lists
Creditsafe uses the business information data gathered from a number of sources, as indicated above, and then sorts this data to provide its customers with a list of businesses that match their own criteria. Typically the data provided is restricted to the Company name, business address, website addresses, business telephone numbers, director name(s), director’s date of birth (month and year), as well as basic financial information about the companies, e.g. revenues, as well as a credit score.
News Search
Creditsafe provides its clients with the ability to search for newspaper articles and other media sources that reference the companies, or directors, that they are interested in trading with. Data is inputted by the client and Creditsafe uses a powerful search engine to source relevant articles.
We process the following categories of business information data:
· Data on Individuals, for example name, given name, date of birth, place of birth, residential address, previous addresses, business address, business email-addresses and telephone numbers.
· Due Diligence Information, for example information to indicate if there is a possible connection to a criminal offence, a Politically Exposed Person (PEP), appearance on a Sanctions list or there is an adverse media story connected to a name that is the same, or very similar, to a director’s name.
· Information on debts, payment behaviour and settlement of claims.
· Creditworthiness and financial information, entries in the register of defaulting debtors, information on insolvency proceedings and other adverse information as well as credit scores.
Special categories of personal data in the sense of the Art 9 GDPR (e.g. ethnic origin, health data, or data on political or religious attitudes are neither processed nor taken into account in the calculation of credit scores).
What is the legal basis for Creditsafe to process the business information data?
The legal basis for the processing of personal data is Legitimate Interest, Art. 6 (1) (f) GDPR. Creditsafe’s legitimate business interest is the supply of commercial data. The legal basis for providing this business information to its clients is Contract. The purpose of this processing is to enable businesses to manage their financial risks, protect against fraud, know who they are doing business with, meet compliance and regulatory obligations and better understand organisations, industries and markets. We also licence or sell professional business contact information to authorized resellers or organisations for marketing and data management purposes.
Information is only provided if the respective contracting party has substantiated a legitimate interest in obtaining the information (for example, in the course of an envisaged business transaction which entails the granting of credit for which there is a risk of default) and provided that there is no outweighing interest of the individual. This is confirmed in Creditsafe’s Terms and Conditions which every client must sign.
Who does Creditsafe share data with?
Recipients of the business information data are customers of Creditsafe, who need to assess the creditworthiness of the potential customers before establishing a business relationship with default risk. We also share business information data with other third-party business data partners, including other credit reporting agencies.
We transfer business information data to third parties which process the data on our behalf as a service provider bound by contracts pursuant to data protection law.
We transfer contact information (postal addresses and telephone numbers) to contracted parties for marketing purposes, as long as you have not objected against the processing of your data for marketing purposes.
There may be instances of a requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
Finally, personal data is also transmitted to members of the Creditsafe group of companies.
Creditsafe acknowledges its liability in cases of onward transfers to third parties.
Where is the business information data stored?
Business Information data is stored on servers in the UK and the EU.
How long does Creditsafe store business information data?
We store personal data only for as long as necessary to achieve the purposes described above. We may hold data in an archived form for research and development, analytics and analysis, or for audit purposes, and as appropriate for the establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.
What are your rights as a data subject?
According to Art. 15 GDPR you have the right to obtain information regarding all data we stored about you.
In the event that you discover outdated or incorrect information about yourself, you have the right in accordance with Art. 16 GDPR to have it updated and corrected by us at any time. However should your data have been sourced from a public registry, then you will be advised to have the data corrected at the source. This is because Creditsafe’s databases are automatically updated and therefore any changes that Creditsafe makes will be overwritten by the information from the registry.
Furthermore, in accordance with Art. 17 GDPR, you may also have the right to have your personal data deleted provided that we have no right or authority to further process the data. Please note that if your business information appears in public registries, then it will automatically be ingested into our databases. Therefore you should contact the relevant registry to have your data removed.
Under the conditions set out in Art. 18 GDPR, you have the right to restrict the processing of your personal data.
According to Art. 21 (1) GDPR you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data.
If you object we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
In addition, pursuant to Art. 21 (2) GDPR, you may also object against the use of your data for direct marketing purposes. In this case, we will no longer use your personal information for marketing or advertising purposes.
Please direct all data subject rights requests to the contact address found at the top of this page.
Is your data used for automated decision making?
In principle, we do not make any automated decisions within the meaning of Art. 22 GDPR on the conclusion of a legal transaction or its terms (such as offered payment methods, payment conditions or interest), but support our contractual partners only with information to assist in the relevant decision-making. The risk assessment and assessment of the creditworthiness of a person or a company for a particular transaction is carried out solely by the contractual partners of Creditsafe.
Dispute resolution; where can you raise a complaint?
Please direct all initial complaints to the contact addresses found at the top of this page.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DP, Creditsafe commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
Creditsafe is registered with the Information Commissioners Office, if you are based in the UK, or if you are based in the EU, then we are registered with the Data Protection Commission in Ireland, with our EU representative being based in Dublin, Ireland.
You have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Data Protection Framework compliance not resolved by any of the other DPF mechanisms. See Annex I for additional information on when to invoke binding arbitration: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2
Is your data used for profiling and/or scoring?
The information provided by us often includes so-called creditworthiness assessments (scores), which uses information and assessments from the past to generate a forecast of solvency and payment default probabilities. The scoring is based on the information we have on file for the respective person or business entity.
The following categories of data may be used for the scoring:
· data on the size of the organisation
· industry type
· age of a company
· number of employees
· payment behaviour and defaulting payments,
· debtor registrations and information on insolvency proceedings
· accounting information, e.g. balance sheet, profitability statements and contingent liabilities
· corporate links
· address-related data (publicity of address and name at the address), address data (information on non-conforming payment behaviour in the address environment)
· information gathered from contractual partners of Creditsafe.
This DPF Privacy Notice was created in September 2023.