Information according to the GDPR

Names and contact details of those respnsible

CRIF AG, Hagenholzstrasse 81, 8050 Zürich, UID: CHE-107.708.282

Contact details of the person responsible for data protection

In writing: Data Protection Officer, CRIF AG, Hagenholzstrasse 81, 8050 Zürich

The purposes for which the personal details are intended to be processed and the legal basis upon which the processing takes place

Purposes: Verifying identity and managing credit risk (= calculating the probability of debt default in future), as well as combating fraud and money laundering, and reconciling with sanctions lists, using an IT-based address and credit rating database for businesses (see “RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DETAILS” below).

Legal basis: § 13 (2) c FADP (the Swiss Federal Act on Data Protection) (“to verify the creditworthiness”)

Categories of personal details that are to be processed and their sources

Categories: Application details, address details, date of birth, date of death, information obtained from payment history details about adherence to payment due dates, as well as from payment history details about uncontested payment demands that are overdue and for which several reminders have been sent.
Personal details subject to special protection (such as health-related details, or political or biometric  data) are neither stored nor processed in CRIF’s identity and credit rating database.

Sources: Sources that are publicly accessible, such as the Commercial Register, Land Register and bankruptcy authorities, together with address list publishers, debt enforcement offices and residents’ registration offices, and messages from a (potential) contractual partner/creditor of the person concerned or from a debt collection service provider instructed by them.

Recipients or categories of recipients of the personal details

Only those businesses that have previously entered into a written contractual relationship and have undertaken to adhere to all the statutory data protection regulations/laws may obtain data from CRIF. These mainly include companies involved in the credit industry, debt collection companies and companies that can provide evidence of a contract with an end customer / affected person. The term “credit industry” includes all cases in which a company provides advance finance (e.g. purchase on account, provision of credit terms, credit card transactions, etc…).
Consumers cannot become recipients except in the area covered by the myCRIFdata product range ( and, where private individuals can access their own details and monitor them on a continuous basis.

The duration for which the personal details are to be stored / the criteria used to determine this duration

The details are stored for as long as their content is correct, while there is no legal reason for them to be deleted, and for as long as their storage fulfils the purpose of the processing activity. Incorrect details are deleted or corrected by law, either autonomously or by application from the affected person.

Legitimate interests pursued by the responsible person or by a third party

Safeguarding the legitimate interests of the recipient of the personal details (see above). In this case, the interests to be safeguarded comprise the verification of the identity of customers; protection against any potential failure to pay; the safeguarding of (the statutory) obligations relating to the fight against fraud or money laundering and reconciliation with sanctions lists.

Automated decision-making procedure/profiling, including information about the logic system involved

CRIF AG itself does not make any decisions; it only provides its information to the contractual partner with which it is associated as part of the decision-making procedure. The direct business partner alone assesses the risk involved and evaluates credit worthiness, since that partner is in sole possession of many other items of information. This condition still applies, even if the partner relies solely on the information and probability values provided by CRIF AG.


The Score is a statistical measure that predicts the probability of a serious payment problem:
•    Scores within the red area point to a high probability of debt default.
•    Scores within the yellow area point to a medium probability of debt default.
•    Scores within the green area point to a low probability of debt default.

The higher the number of points, the less likely is any default on debt. The Score is essentially made up of the following three factors: the number of any known payment problems and their status, and how long ago they happened. The larger the number of individual events, the more serious the status of each individual event and the more recent the individual events, the more weight is given to them.

The rights of the people concerned

To be informed about any stored details

This is possible free of charge on one occasion every year, without providing any reasons. More information is available at

To rectify or delete

In the event of evidence that the stored details are incorrect or were wrongfully processed, or if any consent that may have been granted to process the details has been withdrawn.

To restrict the processing activity
In the event that any data processing activity is proven to be wrongful, the person concerned can ask for the processing activity to be restricted, rather than for the details to be deleted completely.
The same condition applies if the details are no longer required for the processing purposes, but the person concerned needs them to assert, exercise or defend legal rights.
It is also possible for a restriction of the processing activity to be requested while an examination is made of any request for the rectification or deletion of details, or any objection.

To object against the processing activity

For verifiable reasons, arising from the particular circumstances of the person concerned.

Data portability

To the extent that the relevant details have been made available to CRIF by the persons concerned themselves.

To revoke a consent in the data processing activity with regard to the company that has  communicated the details to CRIF, in so far as any such consent has been granted.

To lodge a complaint
Should the people concerned wish to lodge requests in connection with the data protection law (e.g. for rectification, deletion or objection), they can apply directly to CRIF AG Hagenholzstrasse 81, 8050 Zürich, Should the request not be granted, or not granted sufficiently, they also have the right to appeal to the Swiss Federal Data Protection and Information Commissioner (FDPIC).

The obligatory information according to the GDPR are set out here.