General Privacy Notice
Prepared by: Sr. Compliance Officer
Approved by: ZAFAR I. ANJUM, Group CEO
What is the purpose of this document?
CRI Group is committed to protecting the privacy and security of your personal information.
CRI Group (and all affiliates and subsidiaries) is committed to complying with the applicable data privacy and security requirements in the countries in which it operates. CRI Group complies with internationally recognised standards of privacy protection, and with various privacy laws globally including, but not limited to, the GDPR.
CRI Group provides due diligence, screening, compliance and other risk consultancy services to clients. In provision of these services, CRI Group acts as a Data processor, and under Data Privacy Laws, this policy fulfils our obligation to provide certain information to third parties whose personal data we process in this capacity as required by GDPR.
CRI Group is ISO 27001:2013 certified organisation which supports information security adoption in all areas of its business, including operations, finance and human resources. This ensures that we tend to shield the most effective interests of our employees, clients and candidates.
CRI Group respects concerns about maintaining the privacy of the data submitted in connection with the range of services CRI Group is providing including Employ smart, Due diligence, third party risk management and market research services to the clients around the globe. CRI Group is serving the mainstream multiple industry employers of individuals who either submit personal data through the CRI Group screening Portal or via manual submission required for obtaining such services.
WHAT PERSONAL DATA DO WE COLLECT?
In performing the range of screening services, CRI Group receives personal data from Clients that may include
- Username / password (clients);
- Home or work address, email address and/or phone number;
- Job title;
- Personal data related to the browser or device you use to access our website;
- Internet browser and operating system;
- Recordings of calls you make to our customer service team; and
- Any other personal data you provide.
PROCESSING OF PERSONAL DATA
- To perform the services requested by clients and individuals pursuant to statement of work, or similar (where the processing is necessary for establishing and fulfilling a contract with you).
- For complying with obligations provided by laws, current regulations and European legislation (e.g. tax regulations) (where processing is based on a legal obligation).
- For legitimate business purposes to advise you through e-mail, phone call, or post, in the framework of our ordinary commercial relationship, about other products or services similar to the products or services we have provided to you and that we think will be of interest to you (where the processing is necessary for our legitimate business interests).
- For marketing purposes. We may use information you provide to personalise (i) our communications to you; (ii) our website; and (iii) products or services for you, in accordance with our legitimate interests. You can withdraw your consent or opt out of receiving our marketing communications at any time. If you are not located in the EU, you may opt-out of receiving marketing communications and updates at any time. You can manage your receipt of marketing and non-transactional communications by clicking on the «unsubscribe» link located on the bottom of CRI Group’s marketing emails.
1. to monitor use of our websites and online services. We may use your information to help us check, improve and protect our products, content, services and websites, both online and offline, in accordance with our legitimate interests;
2. with your express consent to respond to any comments or complaints we may receive from you, or to investigate any complaints received from you or from others, about our website or our products or services;
- For improving CRI Group’s communications with you. Emails sent to you by CRI Group may include standard tracking, including open and click activities. CRI Group may collect information about your activity as you interact with our email messages and related content.
- For security purposes. For example, we may use your data to protect CRI Group and its third parties against security breaches and to prevent fraud and violation of CRI Group’s applicable agreements (where the processing is necessary for our legitimate business interests).
Whenever we process your personal data for our legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You have the right to object to this processing if you wish.
We may monitor any customer account to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law and our legitimate interests;
HOW DATA IS PROCESSED
Personal data is processed both manually and electronically in accordance with the purposes and in compliance with current regulations. We permit only authorised CRI Group employees and third-party providers to have access to your information. Such employees and third-party providers are appropriately designated and trained to process data only according to the instructions we provide them.
TRANSFER AND STORAGE OF PERSONAL DATA
CRI Group will retain personal data for a reasonable period, considering legitimate business needs to capture and retain such information. Information will also be retained for a period necessary to comply with state, local, federal regulations, or country specific regulations and requirements, and in accordance with CRI Group’s Records Retention Policy.
Where you are or have at any time been resident or based for work outside the European Economic Area, the personal data that we receive from you may be transferred to, and stored at, a location outside the European Economic Area. Submission of your personal data, you agree to this transfer, storing and processing.
DISCLOSURE/SHARING OF PERSONAL DATA
CRI Group may be required to disclose personal data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
If CRI Group’s business enters into a joint venture with or is merged with another business entity, your information may be disclosed to our new business partners.
CONSENT AND CHOICE
PROVIDING INFORMATION TO CRI GROUP
If you choose not to provide certain personal information, it may be an impediment to the exchange of information necessary for the execution of the contract or provision of services, and we may not be able to provide you with some services and you may not be able to participate in some of the activities on our website(s).
In CRI Group personal data processing is conducted only for the permitted purposes only as defined by Data privacy legislations applicable locally and internationally including the General Data Protection Regulation.
CROSS – BORDER TRANSFERS OF PERSONAL DATA
Data concerning EU data subjects may be transferred to or processed in locations outside of the EU only where one of the following safeguards is in effect:
Transfers to certain countries which the EU Commission has determined ensures an adequate level of protection (including via participation in the EU-U.S. Privacy Shield)
Transfers pursuant to standard contractual clauses or contract terms ensuring adequate data protection
The Data Submitted on CRI Group screening Portal or via manual submission considered to be accurate as submitted and you are responsible for the accuracy of all the personal data that you submit. You warrant that all such personal data is complete, true and accurate in all respects. We keep the data electronically on secure Cloud storage, and we erase the data as per our agreements with our Clients after which time we destroy those copies.
The data you submit either through Screening Portal or manual submission. You may contact us to determine whether we hold personal data about you, and to access personal data about you, at any time for purposes of reviewing or correcting your personal data upon receiving the request from.
You have the following rights concerning your data processed by CRI Group:
Access: You have the right to access personal information that CRI Group holds about you.
Rectification: You have the right to ask us to rectify information CRI Group holds about you if it is inaccurate or not complete.
Erasure: You can request that CRI Group erase your personal data. We will keep basic data to identify you and retain it solely for preventing further unwanted processing.
Restrict Processing: You have the right to ask CRI Group to restrict how we process your data. This means we are permitted to store the data but not further process it. We keep just enough data to make sure we respect your request in the future.
Object to processing: Where processing is based on legitimate interests, you have the right to object to CRI Group processing your data. CRI Group will discontinue processing your data, unless we can demonstrate compelling legitimate grounds for the processing. We will keep basic data to identify you and retain it solely for preventing further unwanted processing.
Portability: Where processing is based on consent or performance of a contract, you have the right to data portability. CRI Group must allow you to obtain and reuse your personal data for your own purposes in a safe and secure way without this effecting the usability of your data. This right only applies to personal data that you have provided to CRI Group as the Data Controller.
Please contact Compliance Team to request access, rectification, or erasure, or to restrict processing, to object to processing, to request data portability.
Cookies we use:
A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first party cookies. We also use third party cookies; you may receive third party cookie notification on you first visit. which are cookies from a domain different than the domain of the website you are visiting, for our advertising and marketing efforts. We have no direct control over the information that is collected by these cookies (CookiePro, 2020).
THIRD PARTY WEBSITES OR OTHER SERVICES
We are not responsible for the privacy practices of any non-CRI Group operated websites, mobile apps or other digital services, including those that may be linked through CRI Group websites or services, and we encourage you to review the privacy policies or policies published thereon.
You may review the policy of third-party. We are using HubSpot, you may find the list of cookies used by HubSpot here.
AUTOMATED DECISION MAKING
Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.
CRI Group does not make automated decisions using personal data. If automated decisions are to be made, affected persons will be given an opportunity to express their views on the automated decision in question and object to it.
ENSURING COMPLIANCE WITH PRIVACY POLICIES AND PRINCIPLES
If you have any queries with reference to your personal data or you want to file a complaint, please feel free to contact us on the following:
All requests will be acknowledged and responded to as quickly as possible, in conformity with applicable law.
For data subjects located in the EU: CRI Group will make up the most effort to resolve all your queries. However, if we are not able to satisfactorily resolve your questions, concerns, or complaints, or if you believe that the processing of your personal data infringes on your rights under applicable data protection laws, you have the right, without prejudice to any other administrative or judicial remedies, to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement. Contact information for the supervisory authorities may be found here:
EU Data Protection Authorities