Last Updated: April 10, 2019
This General Privacy Statement describes Charles River Development’s (“CRD”, “we”, “us”, or “our”) practices regarding the use and disclosure of information about certain individuals that we collect and use when we run our business (referred to as “personal data”).
The individuals we collect personal data about are:
- our prospective, current and former employees
- the representatives of our prospects, customers and suppliers
- the attendees to our events
- visitors of our websites and
- other individuals with whom we interact in the marketplace.
In particular, as from 25 May 2018, CRD will become subject to and will comply with the revised data protection rules applicable in the European Union (“EU”) under the General Data Protection Regulation 2016/679 of 27 April 2016 (the “GDPR”).
As part of our commitment to protect your personal data, we want to inform you:
- why and how CRD collects, uses and stores your personal data, for how long and under which legal basis;
- with whom we share your personal data;
- our role as the legal entity deciding about the processing of your personal data (referred to as the “controller”); and
- what your rights and our obligations are in relation to such processing.
1) What does this General Privacy Statement cover?
This statement applies to any and all forms of use (“processing”) of personal data that you provide to us. Provisions where reference is made to the GDPR in this General Privacy Statement apply when we act as a “controller” within the meaning of the GDPR (i.e. when CRD determines the purpose (why) and the means (how) for the processing of your personal data) in relation to personal data originating from or processed in the European Union.
2) Who is responsible for the processing of your personal data?
For individuals other than the prospective, current, or former employees of one of the CRD group entities in the EU, Charles River Systems Inc. d/b/a Charles River Development, a company incorporated under the laws of the United States of America, with registered office at 700 District Avenue, Burlington, MA 01803, USA is responsible, as controller, for the processing of your personal data.
CRD is represented in the EU by its subsidiary Charles River Development Ireland Ltd., a company incorporated under the laws of the Republic of Ireland, with registered office at One Grants Row, Dublin 2, Ireland.
If you are a prospective, current, or former employee of the CRD group entities in the EU (namely, Charles River Development Ireland Ltd or Charles River Development Limited in the United Kingdom), then such entity (as applicable) will be responsible, as controller, for the processing of your personal data.
3) What type of personal data do we collect and process?
We collect and process identification information about all individuals with whom we interact, such as the name, title, position, company name, email and/or postal address, and the professional fixed and/or mobile phone number as well as information regarding any communications you may have with CRD. This information may either be directly provided by you or provided by the legal entity for whom you work (e.g. if you are the contact person designated by your employer to manage the CRD account).
For candidates who apply for a job at CRD as well as for our current and former employees, we also collect and process:
- further detailed identification information (such as date and place of birth, gender, National Insurance Number (in the United Kingdom) or Pay-As-You-Earn (PAYE) Number (in Ireland), a picture, ID card and/or passport details, visa details, works permits, private email and postal address, private fixed and/or mobile phone number);
- electronic identification data (such as login access right, badge number, IP address, online identifiers/cookies, logs and connection time, sound or image recording such as CCTV or voice recording);
- family and other relatives information (such as marital status, number and date of birth of children, name of emergency contact and contact details, beneficiaries in case of death of the employee);
- education and employment information (such as education, certification, former employers’ names, locations and contact details, current and previous remuneration, bonus, pension entitlements, insurance and other benefits such as gym membership, expenses, travel expenses employment dates such as dates of hiring/promotion/position change, note from recruiters, performance evaluation, results of technical knowledge test, information regarding presence including illness or leave of absence, language skills);
- financial information (such as bank account details, professional credit card numbers and credit score); and
- information in relation to background checks (e.g. addresses for the past seven years, information from public domain search, international sanctions including terrorism check, presence or absence of criminal convictions).
For representatives of our customers, we also collect and process:
- identification information (e.g. current employer and, where relevant, past employer);
- electronic identification data (e.g. log in and password to access the products and services provided by CRD and data relating to the use of such products and services such as are included in logs).
- information regarding the products and services CRD is providing to your employer; and
- For the attendees to our events, we also collect and process:employment information (e.g. title, (previous) organization, role in organization, area of expertise, professional contact details, country);
- information regarding your communications with CRD (e.g. who is your client manager, can you be contacted by mail, did you opt in to receive commercial communications, whether you gave your consent to put your contact details in the mobile application);
- information in relation to the event (e.g. attendance to the event);
- payment information (e.g. bank card number, fees, billing address) and
- dietary requirements (e.g. any special needs in relation to your diet).
For our website visitors, we collect and process:
- electronic identification data (e.g. your User ID and Password, your device identifier and your IP address);
- technical information (e.g. type and version of your browser and your operating system, information regarding the pages you visit, the information researched, the time spent on our website and other statistics regarding your browsing experience on our website); and
- information regarding your preferences on our website.
You may participate in public forums on our websites, such as commenting on a posting or submitting questions, responses or other content. Any information you post will be publicly viewable on the website as soon as that information is submitted, and could be used by others to send you unsolicited communications. Please be careful about disclosing information in public forums. Our website also contains links to other websites that are not owned by CRD. Please note that these other websites’ privacy statements may differ from that of CRD. We encourage you to read the privacy statement of any website you may visit because we are not responsible for such websites’ content or policies.
To the extent authorized by law, we also process so-called sensitive data, such as health related data. CRD will only do so as strictly required to comply with its legal obligations and to enable you to obtain benefits (e.g. completion of relevant forms for maternity leaves, etc.) and, where necessary, with your prior consent. In such case, the data will be accessed and processed solely under the responsibility of a representative of CRD who is subject to an obligation of confidentiality.
Whenever personal data is collected (e.g. in application forms), we will indicate whether the provision of such data is mandatory (e.g. with an asterisk) and the consequences of a refusal to provide the requested data.
We may also collect your national registry number, social security number or local equivalent, but will only process such data if and when legally required.
4) On which legal basis and for which purposes do we process personal data?
4.1 – Legal basis for the processing
Where required by applicable data protection law, including the GDPR, we will only process your personal data provided that:
- such processing is necessary to comply with our legal or regulatory obligations; or
- such processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request; or
- we have obtained your prior consent; or
- such processing is necessary to protect your vital interest; or
- such processing is necessary for the legitimate interest of CRD to the extent it is not overridden by your own interest or fundamental rights and freedom.
In relation to the processing of your personal data, our legitimate interests are:
- to benefit from cost-effective services (e.g. using platforms operated by third party suppliers);
- to offer our products and services to our customers via their representatives (e.g. by communicating a newsletter or other marketing materials);
- to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks; and
- to meet our corporate and social responsibility objectives.
4.2 – Purposes of the processing of your personal data
How we use information we collect about you depends, in large part, on the purpose for which it is provided to us. We process your personal data for specific purposes and only to the extent relevant to achieve these purposes. In particular, we process your personal data for the following purposes:
4.2.1 – In relation to our prospective, current and former employees:
- for recruitment purposes and onboarding;
- to manage our personnel (including tasks, benefits and absence management);
- for training purposes;
- to manage our payroll;
- to manage our HR records;
- to carry out performance reviews;
- for the purpose of pre-employment and annual background checks;
- to monitor our employees’ activities in the workplace, including compliance with our internal policies, IT security as well as health and safety rules in place;
- to manage our IT resources, including infrastructure management & business continuity;
- to handle internal complaints relating to violence, moral harassment and undesirable (sexual) conduct;
- for disciplinary action;
- to reply to an official request from a public or judicial authority in compliance with legal requirements; and
- more generally, to comply with any legal obligations imposed on CRD in relation to its employees (e.g. tax reporting).
4.2.2 – In relation to representatives of our prospects, customers and suppliers
- to undertake marketing/procurement activities relating to our products;
- to manage our customers and suppliers;
- to implement tasks in preparation of or under existing contracts;
- to provide our products and services;
- to monitor activities at our facilities, including compliance with our applicable policies, IT and other security related internal rules as well as health and safety rules in place;
- to manage our IT resources, including infrastructure management & business continuity;
- to manage our archiving and records;
- to track our activities (measuring sales, number of calls, visits to our website, etc.);
- for invoicing purposes;
- to improve our existing products and services (or those under development) by means of customer and non-customer surveys, statistics and testing;
- to improve the quality of services to our clients by taking into account their preferences in terms of means of communication (phone, e-mail, etc.), frequency and otherwise;
- to preserve our economic interests;
- to reply to any official request from a public or judicial authority in compliance with legal requirements;
- more generally, to comply with any legal, accounting and tax obligations imposed on CRD in its relation with its customers and suppliers; and
- to periodically send promotional emails about our products, special offers and information which you or your company may find interesting, using the email address which you have provided (if any).
4.2.3 – In relation to attendees of our events
- to organize our events and provide networking tools (i.e. the mobile application) to the attendees; and
- to meet the dietary requirements of the attendees to our events.
4.2.4 – In relation to website visitors
- to manage and improve our website;
- to measure the usage of our website (including drawing up statistics);
- to manage users (such as account management and answering questions).
5) Who has access to personal data and who do we share personal data with?
5.1 – Within CRD group
We may transfer personal data to our members of personnel and other CRD group companies (e.g. other offices of CRD to provide support in relation to our products and services). Such other CRD group companies will either act as another independent controller or will process your personal data on our behalf and upon our request (thereby acting as processor). In all cases, the personal data will be processed only for the purposes set out in Section 4.2.
5.2 – Outside CRD group
We may also transfer personal data to third parties outside CRD, acting as processors, to achieve the purposes listed in Section 4.2 above, to the extent they need it to carry out the instructions we have given to them. Such third parties include our (IT) systems, cloud service, data centers and database providers, our payroll provider; benefits providers (e.g. insurers, pension funds, gym club) competent authorities and HR related services providers (such as headhunters, test providers, compliance consultant, background check services providers). As processors, the aforementioned third parties enter into an agreement with CRD to process your personal data in accordance with the GDPR.
Where required, we may also transfer your personal data to:
- any third party to whom we assign or novate any of our rights or obligations under a relevant agreement; and
- any national or international public or judicial authority, where we are required to do so by applicable law or regulation or at their request, in compliance with law.
We do not transfer personal data to third parties for commercial use without your explicit consent.
5.3 – Transfers outside the European Economic Area and the United Kingdom
The personal data transferred within or outside CRD as set out in Sections 5.1 and 5.2, may also be processed in a country outside the European Economic Area, which covers the EU Member States, Iceland, Liechtenstein and Norway (“EEA”) and the United Kingdom. In particular, your personal data may be transferred to the United States and the other countries where we have offices (for a full list of our offices, please check www.crd.com/company/offices/). These other countries may not offer the same level of personal data protection as EEA countries or the United Kingdom.
If your personal data is transferred outside the United Kingdom or the EEA to a country that has not been recognized by the European Commission as offering an adequate level of protection for personal data, we will put in place the legally required safeguards or rely on the relevant legal derogations to ensure such transfer is carried out in compliance with the applicable law. CRD is Privacy-Shield certified for both HR and non-HR intra-group data transfers. For other transfers, such safeguards may include the entry into EU standard contractual clauses as approved by the EU Commission or reliance on the EU-US Privacy Shield prior to such transfer to ensure the required level of protection for the transferred personal data.
You may request additional information in this respect and obtain a copy of the relevant safeguard by exercising your rights as set out below.
6 ) Do we collect personal data about children?
Our websites, products, and services are not directed at children. We do not knowingly collect personal data from children under the age of 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us as described in Section 8 below and we will take steps to delete such personal data from our systems.
7) How long do we store your data?
We will only retain personal data for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.
Employee data that is subject to GDPR is kept for 7 years post-termination, after which they are destroyed, unless overriding legal or regulatory schedules require a longer or shorter retention period.
Personal data we hold in our database about prospects or attendees to our events who are not related to a specific contract will be stored for 6 months after your last interaction with CRD. Dietary requirements of attendees to our events will be deleted after such event.
Personal data we hold in relation to candidates who applied for a position at CRD and who are subject to GDPR will be kept for 2 years after the last contact with CRD.
For contracts, the retention period is the term of your (or your company’s) contract with us (including any employment contract), plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period.
Personal data processed in the context of a dispute are deleted (i) as soon as an amicable settlement has been reached, (ii) once a decision of last resort has been rendered and enforced or (iii) when the claim becomes time barred, except as otherwise specified in the preceding paragraphs.
We hold the personal data collected in the framework of CRD’s website for a period of 6 months following the last visit to our website.
When the above periods expire, your personal data will be removed from our systems, but some data may still be processed following such deletion or return request due to technical constraints (e.g. use of back-up tapes and e-mail archives which may continue to contain personal data for a period of time following the termination of our relationship with you or your employer).
8) What are your rights and how can you exercise them?
8.1 – Your Rights
Under the GDPR and within the limits and under the conditions set forth therein, you have the following rights (and may have equivalent rights under any other applicable legislation):
- to access your personal data as processed by us and obtain a copy thereof;
- to request any correction or update thereof;
- to request the erasure of your personal data;
- to request the restriction of the processing of your personal data;
- to withdraw your consent where CRD based its processing of your personal data on your consent (without such withdrawal affecting the lawfulness of processing prior thereto);
- to object to the processing of your personal data;
- to request the portability of your personal data (i.e. to obtain the personal data you have provided to CRD in a structured, commonly used and machine-readable format and/or to request the transmission of such personal data to a third party, without hindrance from CRD and subject to your own confidentiality obligations).
8.2 – Exercising your rights
To exercise the above rights, you may send a request by email to firstname.lastname@example.org, with a scan/copy of your identity card or passport for identification purpose. We will respond in compliance with applicable law. If you are not satisfied with how CRD processes your personal data, please let us know and we will investigate your concern. You also have the right to make a complaint to the competent data protection authority.
Personal data generated through cookies are collected in a pseudonymised/anonymised form and subject to your right to object to such data processing, as set out below. In particular, we use the following types of cookies:
|Cookie Provider||Cookie Name (Expiration)||Purpose|
|crd.com||PHPSESSID (Session)||Preserves user session state across page requests. This is a general purpose identifier used to maintain user session variables. It is normally a randomly generated number. An example of its use is maintaining a logged-in status for a user between pages.|
|crd.com||aoOref (1 Year)
wp25224 (1 Year)
|We use social sharing and marketing tools and these may set some cookies that enable the providers of these tools to track activity across other sites.|
|__atuvc (1 Year)
bt2 (255 Days)
di2 (1 Year)
loc (1 Year)
mus (1 Year)
ouid (1 Year)
uid (1 Year)
uvc (1 Year)
vc (1 Year)
xtc (1 Year)
|These cookies are associated with the AddThis social sharing widget which is commonly embedded in websites to enable visitors to share content with a range of networking and sharing platforms. It registers a unique ID that identifies a returning user’s device and user’s sharing of content via social media. It stores geolocation, updated page share count and keeps a record of parts of the site that have been visited in order to recommend other parts of the site.|
|Google AdWords||ads/ga-audiences (Session)||Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor’s online behavior across websites.|
|Google Analytics||_ga (2 Years)
|This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. It stores and updates a unique value for each page visited. By default it is set to expire after 2 years, although this is customizable by website owners.|
|IDE (2 Years)
|Used by Google DoubleClick to check if the user’s browser supports cookies and to register and report the website user’s actions after viewing or clicking one of the advertiser’s ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.|
|Act-On||acton/bn/25224 (Session)||We use social sharing and marketing tools and these may set some cookies that enable the providers of these tools to track activity across other sites.|
|tapad.com||TapAd_DID (2 Months)
TapAd_TS (2 Months)
|Used to determine what type of devices (smartphones, tablets, computers, TVs etc.) are used by a user.|
|semasio.net||SEUNCY (179 Days)||Registers a unique ID that identifies the user’s device for return visits.|
|adnxs.com||uuid2 (3 Months)||Registers a unique ID that identifies a returning user’s device. The ID is used for targeted ads.|
|adsrvr.org||TDCPM (1 Year)
TDID (1 Year)
|Registers a unique ID that identifies a returning user’s device. The ID is used for targeted ads.|
|code.visitor-track.com||cke108831 (5 Years)||We use social sharing and marketing tools and these may set some cookies that enable the providers of these tools to track activity across other sites.|
For more information as to how to manage cookies on your device, please consult the Help function of your browser or visit www.aboutcookies.org, which contains comprehensive information on how to do so on a wide variety of browsers (link is external).
10) Updates of this statement
This statement may be subject to amendments. Any future changes or additions to the processing of personal data as described in this statement affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.