Charles River’s Privacy Shield Policy

Privacy Statement

Effective Date: September 30, 2016
Last Modified: January 25, 2018

This Privacy Shield Policy (“Policy”) describes how Charles River Systems, Inc. d/b/a Charles River Development (“Charles River”) and its subsidiaries and affiliates in the United States of America (“US”) collect, use, and disclose certain personally identifiable information that we receive in the US from the European Union (“EU Personal Data”). This Policy supplements our Website Privacy Policy located at www.crd.com/Privacy-Statement, and unless specifically defined in this Policy, the terms in this Policy have the same meaning as the Website Privacy Policy. Charles River has elected to self-certify to the EU-US Privacy Shield Framework administered by the US Department of Commerce (“Privacy Shield”), with respect to such EU Personal Data. Charles River’s certification can be found at: www.privacyshield.gov/list.

For purposes of enforcing compliance with the Privacy Shield, Charles River is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce’s Privacy Shield website located at: www.privacyshield.gov.

Personal Data Collection and Use

Charles River may receive the following categories of EU Personal Data in the US: Data provided by its customers or their partners for processing in connection with the software and services Charles River provides, human resources and recruiting data in connection with its employee relations, website data as identified in www.crd.com/Privacy-Statement/, and marketing & sales data, including voluntarily provided contact information. To the extent that Charles River customers input EU Personal Data into Charles River’s products and services, there is no way to distinguish such EU Personal Data from any other type of data. Charles River will only process EU Personal Data in ways that are compatible with the purpose that Charles River collected it for, or for purposes the data subject later authorizes. Before Charles River uses EU Personal Data for a purpose that is materially different than the purpose we collected it for or a purpose later authorized by the data subject, Charles River will provide you with the opportunity to opt out.

By providing Charles River with unsolicited sensitive personal data, you explicitly consent to such data being collected, processed and transferred by Charles River.

Data Transfers to Third Parties

Third-Party Agents or Service Providers. Charles River may transfer EU Personal Data to its third-party agents or service providers who perform functions its behalf. Where required by the Privacy Shield, Charles River enters into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield requires and limiting their use of EU Personal Data to the specified services provided on Charles River’s behalf. Under certain circumstances, Charles River may remain liable for the acts of its third-party agents or service providers who perform services on its behalf for their handling of EU Personal Data that Charles River transfers to them.

Compelled Disclosure: Under certain circumstances, Charles River may be required to disclose EU Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Security

Charles River maintains reasonable and appropriate security measures to protect EU Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield.

Access Rights

EU data subjects may have the right to access the EU Personal Data in Charles River’s possession, and to limit use and disclosure of such EU Personal Data. Concerns regarding EU Personal Data not collected by Charles River, but provided to Charles River from its customers for processing should be addressed to the parties who provided the EU Personal Data for processing. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, or deletion of your EU Personal Data, you can submit a written request to Charles River via the contact information provided below. Charles River may request specific information from you to confirm your identity. In some circumstances Charles River may charge a reasonable fee for access to your information.

Questions or Complaints

In compliance with the Privacy Shield Principles, Charles River commits to resolve complaints about our collection or use of your personal information. Charles River will investigate and attempt to resolve any complaints or disputes regarding the collection or use of your EU Personal Data within 45 days of receiving your complaint.

Independent Recourse

For any unresolved Privacy Shield complaints, Charles River has agreed to cooperate with the EU data protection authorities (DPAs).

In addition to above, Charles River is committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.

Privacy Shield also affords the opportunity, under certain conditions, for the individual to invoke binding arbitration.

Contact Us

EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Charles River by email to the Director of Risk Management, with “Privacy Shield: “ in the subject line.

John Galda
Director of Risk Management
RiskManager@crd.com

Changes To This Policy

We reserve the right to amend this Policy from time to time consistent with the Privacy Shield’s requirements.