CSP Rules

CSP Rules of CRIF Services Sp. z o.o. with its registered seat in Kraków

§ 1
These CSP (CRIF SOLUTION PLATFORM) Rules are the terms and conditions for the provision of electronic services within the meaning of the Act of 18 July 2002 on the provision of services by electronic means, consolidated text: Journal of Laws of 2017 item 1219, and shall set forth in particular:
1. the types and range of services provided by electronic means by CRIF Services Sp. z o.o. with its seat in Kraków via CSP;
2. terms and conditions for the provision of services by electronic means, including:
a) technical requirements for working with CSP;
b) ban on delivery by the customer of illegal content;
3. terms of use of the CSP;
4. terms and conditions for the conclusion and termination of agreements for the provision of services by electronic means;
5. rights and obligations of parties to agreements for the provision of services by electronic means;
6. complaint procedure.

§ 2
Terms used in the Rules shall have the following meaning:
1. Rules – these CSP Rules.
2. Service –
a) “CSP Portal” service available at: www.crif.pl;
b) XML service;
c) file sharing by other electronic means;
via which services available at CSP may be used.
3. CRIF — CRIF Services Sp. z o.o. with its registered office in Kraków, ul. Lublańska 38, 31–476 Kraków, entered into the Register of Entrepreneurs of the National Court Register kept by District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register under KRS number: 0000156341, Tax Identification Number (NIP): 5272400006, Statistical Identification Number (REGON): 015294671, with share capital of: PLN 50,000.00.
4. Partner – an entrepreneur that concluded an Agreement with CRIF.
5. User – Partner and a natural person acting on its behalf, holding a system account for access to the Service.
6. Co-operator - an entity that under an agreement with CRIF makes data available to CRIF’s Partners via the Service.
7. Agreement – Agreement on the provision of “CSP” Services as concluded by CRIF with a Partner, under which the Partner gains access to the Service.
8. Login – a unique string of characters assigned to the User by CRIF, uniquely identifying the User.
9. Password – a string of characters that is used to authenticate the User in the Service when trying to log in.
10. Act – the Act of 9 April 2010 on disclosure of economic information and exchange of economic data, consolidated text: Journal of Laws of 2018 item 470.
11. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
12. P.S.E.M.A. – the Act of 18 July 2002 on the provision of services by electronic means, consolidated text: Journal of Laws of 2017 item 1219.
13. Economic information – economic information within the meaning of Article 2(1) of the Act.
14. Economic data – data within the meaning of Article 9 and Article 13 of the Act.

§ 3
1. Via the Service the Partner may use CRIF Services set out in the Agreement.
2. Services referred to in paragraph 1 may include in particular:
a) making available of economic entities searching;
b) making available to placing orders for:
• preparing reports on Polish economic entities;
• preparing reports on foreign economic entities;
• access to data of Co-operators and processing this data (including economic information and economic data obtained from economic information offices, institutions created on the basis of Article 105(4) of the Act of 29 August 1997 – banking law, or foreign institutions and data providers).
3. The number of searches of entities referred to in paragraph 2(a) in a calendar month may not exceed twice the number of orders referred to in paragraph 2(b) placed in the same calendar month.
4. Under the terms and conditions specified in the Agreement, the Partner may entrust CRIF with processing of personal data on the basis of art. 28 of GDPR.
5. Within the framework of the services provided, CRIF keeps a history of searches and reports ordered in a private electronic archive of the Partner, hereinafter referred to as the archive, and allows the Partner to access the archive via the Service.
6. Economic information and economic data must be deleted by the Partner within 90 days of its receipt. If the Partner fails to delete economic information and economic data from its archive by the deadline referred to in the preceding sentence, CRIF shall delete it automatically.
7. Providing reports and individual data contained in reports obtained via the Service to third parties is prohibited.
8. CRIF shall not be liable for the accuracy, validity and completeness of the information made available to the Partner, including reports.
9. CRIF shall not be liable for the decisions and actions or omissions made on the basis of the information, including reports, disclosed to the Partner.
10. If, on the basis of reports obtained, the Partner makes towards data subjects decisions based solely on automated processing within the meaning of GDPR, the Partner is obliged to implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Partner, to express his or her point of view and to contest the decision.

§ 4
1. In the case of a personal data breach, the Partner shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
2. In the case of becoming aware of a personal data breach, CRIF shall notify it to the Partner and cooperate with Partner to make notification referred to in paragraph 1 by the Partner.

§ 5
1. Service is owned by CRIF.
2. The name of the Service, its idea, the graphical layout, software and database are protected by law.
3. Use of the Service shall be under the principles defined in these Rules.
4. Technical requirements necessary for the proper use of the Service, and in particular necessary for the cooperation with CRIF ICT system, are as follows:
a) “CSP Portal” website – web browser Internet Explorer ver. 7 or higher, FireFox ver. 4 or higher, with connections encrypted according to TLS 1.0 or SSL 3.0 protocol, using RC4 SHA (128 bit), AES 256 (256 bit) or AES 128 (128 bit) encryption algorithms;
b) XML service – SOAP client ver. 1.1. in conformity with WS-I specification and supporting connection encryption according to TLS 1.0 or SSL 3.0 protocol, using RC4 SHA (128 bit), AES 256 (256 bit) or AES 128 (128 bit) encryption algorithms;
c) file sharing – SFTP client ver. 6 or FTPS client supporting connection encryption according to TLS 1.0 or SSL 3.0 protocol, using encryption algorithms using RC4 SHA (128 bit), AES 256 (256 bit) or AES 128 (128 bit) encryption algorithms; all files supplied by the Partner should be compressed in popular format (e.g. ZIP), provided, however, that the size of a single archive file should be no larger than 2GB; in other cases, file sharing is only possible using secure encryption mechanisms, such as PGP.
5. Partner is registered in the Service by CRIF after the conclusion of the Agreement.
6. The Service may be used after activation of User account by first logging in to the Service by the User, authorised in accordance with § 6 of the Terms.
7. It is forbidden to enter any illegal content to the Service.

§ 6
1. Partner shall provide CRIF with a natural person/persons authorised to use the Service registration by e-mail sent to the address designated by CRIF.
2. Registration of each natural person shall include the following personal data of this person: name, surname, business mobile phone number and business e-mail address.
3. CRIF shall process personal data of the natural person included in this person registration for the proper performance of the Agreement and the proper use of the Service.
4. Before providing CRIF with the natural person`s personal data, Partner is obliged to gain, if required by law, the natural person`s consent on providing CRIF with the natural person`s data for the purpose as provided for in paragraph 3 and, in each case, to fulfill towards this person information obligaton resulting from legal regulations in force, especially to inform this person that data controller of this person`s personal data is CRIF Services Sp. z o.o. with its registered office in Kraków, ul. Lublańska 38, 31–476 Kraków, entered into the Register of Entrepreneurs of the National Court Register kept by District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register under KRS number: 0000156341. Partner is exclusively liable for performance of this obligation.
5. CRIF shall assign each natural person whose data are included in the registration a system account, which is connected to a Login and a temporary Password.
6. After receipt of a User registration, CRIF shall send the Login to the User by e-mail to the e-mail address indicated in a User registration.
7. CRIF shall send a temporary Password via a text message (SMS) to each User at a mobile phone number indicated in a User registration.
8. Upon first login, User changes the temporary Password to a new Password known only to the User;
9. At the written request of the Partner, CRIF shall immediately block User’s access to the Service, thereby preventing logging in and further use of the Service.
10. CRIF may block User’s access to the Service in the event of User’s breach of the provisions of these Rules.
11. CRIF may block access to the Service to all Users of the Partner in the event of a breach by the Partner of the Agreement or the Rules, and in particular in the event of delay in payments due to CRIF.

§ 7
1. CRIF is authorised to send to the Partner to the e-mail address provided in the Agreement any information for the proper performance of the Agreement.

§ 8
1. CRIF represents that:
a) it applies high standards to ensure the security of provision services by electronic means;
b) it has the resources to correctly process personal data;
c) its IT system allows the organisation of automatic circulation and exchange of information by electronic means;
d) it shall make available to the Partner all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the Partner or another auditor mandated by the Partner.
2. Notwithstanding the provisions of paragraph 1, in the performance of the obligations arising under Article 6(1) of the P.S.E.M.A., CRIF hereby informs that using electronic services can potentially involve risks caused by, in particular, the activities of internet hackers, such as receiving unsolicited commercial information (spam), loss of data or the possibility of having the ICT system “infected” by various types of software – malware, spyware, worm, cracking, phishing, and more. To limit these risks, User should have an up-to-date antivirus program running on their computer, and use caution when installing any software, opening e-mail and attachments, etc. and keep logins and passwords strictly confidential.

§ 9
Notwithstanding the provisions of the Agreement:
1. CRIF’s liability shall be strictly limited to the obligations contained in these Rules.
2. CRIF shall not be liable for the disturbance to the functioning of the Service and for any interruption in the provision of services.
3. CRIF shall have the right to disable the Service or limit its availability in order to carry out the necessary maintenance.
4. CRIF shall not be liable for any damage resulting from events beyond the control of CRIF, including as a result of an act or omission by the User or a third party.
5. CRIF shall not be liable in the event of the occurrence of the force majeure event. The term force majeure shall be understood as any circumstance that is independent of CRIF, unpredictable and, in the given circumstances, impossible to avoid, e.g. in particular: flood, fire, earthquake, other natural disasters, acts of terrorism, war or acts of war, martial law, riots.

§ 10
1. Any complaints should be addressed by registered mail to the following address of CRIF: ul. Lublańska 38, 31–476 Kraków.
2. Any complaint should contain, in particular, identification details of the Partner, as well as indicate the basis for the complaint.
3. CRIF shall consider complaints within 30 days from the date of complaint delivery to CRIF.

§ 11
1. If the Agreement has been concluded for an indefinite period of time, each Party may terminate the Agreement in writing with the effect at the end of the calendar month with a three-month notice period.
2. If the Agreement has been concluded for a definite period of time, it shall be terminated upon the expiry of the period for which it has been concluded.
3. The Parties may provide in the Agreement for different notice periods than those provided for in paragraphs 1 and 2, and specify the conditions justifying the Agreement termination with immediate effect due to each Party.

§ 12
1. These Rules shall enter into force on the day of their announcement at www.crif.pl.
2. CRIF shall have the right to make amendments to the Rules at any time, without giving any reason. CRIF shall inform of the amendment made by posting the relevant information at the address referred to in paragraph 1.
3. The invalidity, in whole or in part, of any provision of these Rules – for any reason – shall not affect the validity of the remaining provisions of the Rules. In such a case, the relevant provisions of the law shall apply.