General Privacy Notice
PRIVACY POLICY
Prepared by: Sr. Compliance Officer
Approved by: ZAFAR I. ANJUM, Group CEO
What is the purpose of this document?
CRI Group is committed to protecting the privacy and security of your personal information.
This privacy policy is provided in accordance with the General Data Protection Regulation 2016/679 (“GDPR”) and any EU national laws implementing or supplementing the same (the “Data Privacy Laws”). The Privacy Policy is intended to set out your rights and answer any queries you may have about your personal data.
CRI Group (and all affiliates and subsidiaries) is committed to complying with the applicable data privacy and security requirements in the countries in which it operates. CRI Group complies with internationally recognised standards of privacy protection, and with various privacy laws globally including, but not limited to, the GDPR.
CRI Group provides due diligence, screening, compliance and other risk consultancy services to clients. In provision of these services, CRI Group acts as a Data processor, and under Data Privacy Laws, this policy fulfils our obligation to provide certain information to third parties whose personal data we process in this capacity as required by GDPR.
CRI Group is ISO 27001:2013 certified organisation which supports information security adoption in all areas of its business, including operations, finance and human resources. This ensures that we tend to shield the most effective interests of our employees, clients and candidates.
PRIVACY STATEMENT
CRI Group respects concerns about maintaining the privacy of the data submitted in connection with the range of services CRI Group is providing including Employ smart, Due diligence, third party risk management and market research services to the clients around the globe. CRI Group is serving the mainstream multiple industry employers of individuals who either submit personal data through the CRI Group screening Portal or via manual submission required for obtaining such services.
CRI Group This Privacy Policy provides you with information regarding the usage and processing of personal data submitted by the Clients. In addition to your express consent to our collection and use of data, as described below, by submitting any personal data to us, you will be deemed to have read and accepted this Privacy Policy.
WHAT PERSONAL DATA DO WE COLLECT?
In performing the range of screening services, CRI Group receives personal data from Clients that may include
- Name;
- Username / password (clients);
- Home or work address, email address and/or phone number;
- Job title;
- Personal data related to the browser or device you use to access our website;
- Internet browser and operating system;
- Recordings of calls you make to our customer service team; and
- Any other personal data you provide.
PROCESSING OF PERSONAL DATA
The data you provide to us will be processed in accordance with the purposes specified in this Privacy Policy, namely:
- To perform the services requested by clients and individuals pursuant to statement of work, or similar (where the processing is necessary for establishing and fulfilling a contract with you).
- For complying with obligations provided by laws, current regulations and European legislation (e.g. tax regulations) (where processing is based on a legal obligation).
- For legitimate business purposes to advise you through e-mail, phone call, or post, in the framework of our ordinary commercial relationship, about other products or services similar to the products or services we have provided to you and that we think will be of interest to you (where the processing is necessary for our legitimate business interests).
- For marketing purposes. We may use information you provide to personalise (i) our communications to you; (ii) our website; and (iii) products or services for you, in accordance with our legitimate interests. You can withdraw your consent or opt out of receiving our marketing communications at any time. If you are not located in the EU, you may opt-out of receiving marketing communications and updates at any time. You can manage your receipt of marketing and non-transactional communications by clicking on the «unsubscribe» link located on the bottom of CRI Group’s marketing emails.
1. to monitor use of our websites and online services. We may use your information to help us check, improve and protect our products, content, services and websites, both online and offline, in accordance with our legitimate interests;
2. with your express consent to respond to any comments or complaints we may receive from you, or to investigate any complaints received from you or from others, about our website or our products or services;
- For improving CRI Group’s communications with you. Emails sent to you by CRI Group may include standard tracking, including open and click activities. CRI Group may collect information about your activity as you interact with our email messages and related content.
- For security purposes. For example, we may use your data to protect CRI Group and its third parties against security breaches and to prevent fraud and violation of CRI Group’s applicable agreements (where the processing is necessary for our legitimate business interests).
Whenever we process your personal data for our legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You have the right to object to this processing if you wish.
We may monitor any customer account to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law and our legitimate interests;
HOW DATA IS PROCESSED
Personal data is processed both manually and electronically in accordance with the purposes and in compliance with current regulations. We permit only authorised CRI Group employees and third-party providers to have access to your information. Such employees and third-party providers are appropriately designated and trained to process data only according to the instructions we provide them.
TRANSFER AND STORAGE OF PERSONAL DATA
CRI Group will retain personal data for a reasonable period, considering legitimate business needs to capture and retain such information. Information will also be retained for a period necessary to comply with state, local, federal regulations, or country specific regulations and requirements, and in accordance with CRI Group’s Records Retention Policy.
Personal information submitted to CRI Group for any of the screening services may at times be transferred outside from the local jurisdiction to perform the screening. All personal information will be transmitted and stored in a secure manner in accordance with the terms of this Privacy Policy.
Where you are or have at any time been resident or based for work outside the European Economic Area, the personal data that we receive from you may be transferred to, and stored at, a location outside the European Economic Area. Submission of your personal data, you agree to this transfer, storing and processing.
DISCLOSURE/SHARING OF PERSONAL DATA
We only share your personal data with your consent or in accordance with this Policy. We will not otherwise share, sell or distribute any of the information you provide to us except as described in this Privacy Policy.
We share personal data among CRI Group-controlled affiliates and subsidiaries who act for CRI Group for the purposes set out in this Privacy Policy.
CRI Group may share your information with external third parties, such as vendors, consultants, legal advisors, auditors and other service providers who are performing, advising or assisting with certain services on behalf of CRI Group. Such third parties have access to personal data solely for the purposes of performing the services specified in the applicable contract, and not for any other purpose. CRI Group requires these third parties to undertake security measures consistent with the protections specified in this Privacy Policy.
CRI Group may be required to disclose personal data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
If CRI Group’s business enters into a joint venture with or is merged with another business entity, your information may be disclosed to our new business partners.
CONSENT AND CHOICE
We respect privacy and are fully in compliance with applicable legislations local or international in each jurisdiction we operate. The submission of personal data is at will and you are free if you don’t want to submit your personal data. We only process data once we receive your duly filled consent form, provided to you by CRI Group or our client. By filling out and submitting the consent form you expressly agree to provide personal data and its processing hence your consent to our use of that data is in accordance with this Privacy Policy.
PROVIDING INFORMATION TO CRI GROUP
If you choose not to provide certain personal information, it may be an impediment to the exchange of information necessary for the execution of the contract or provision of services, and we may not be able to provide you with some services and you may not be able to participate in some of the activities on our website(s).
PERMITTED PURPOSE
In CRI Group personal data processing is conducted only for the permitted purposes only as defined by Data privacy legislations applicable locally and internationally including the General Data Protection Regulation.
CRI Group may use such data for purposes of verifying the information that you provide and to check on references that you supply. we are obligated to use and maintain the confidentiality of the information provided by our Clients or individuals in a manner consistent with this Privacy Policy. We do not share any such information with any third party other than CRI Group.
CROSS – BORDER TRANSFERS OF PERSONAL DATA
Personal information may be transferred, accessed and stored globally as necessary for the uses stated above in accordance with this Privacy Policy, and in compliance with local law and regulations.
Data concerning EU data subjects may be transferred to or processed in locations outside of the EU only where one of the following safeguards is in effect:
Transfers to certain countries which the EU Commission has determined ensures an adequate level of protection (including via participation in the EU-U.S. Privacy Shield)
Transfers pursuant to standard contractual clauses or contract terms ensuring adequate data protection
DATA INTEGRITY
The Data Submitted on CRI Group screening Portal or via manual submission considered to be accurate as submitted and you are responsible for the accuracy of all the personal data that you submit. You warrant that all such personal data is complete, true and accurate in all respects. We keep the data electronically on secure Cloud storage, and we erase the data as per our agreements with our Clients after which time we destroy those copies.
ACCESS
The data you submit either through Screening Portal or manual submission. You may contact us to determine whether we hold personal data about you, and to access personal data about you, at any time for purposes of reviewing or correcting your personal data upon receiving the request from.
YOUR RIGHTS
You have the following rights concerning your data processed by CRI Group:
Access: You have the right to access personal information that CRI Group holds about you.
Rectification: You have the right to ask us to rectify information CRI Group holds about you if it is inaccurate or not complete.
Erasure: You can request that CRI Group erase your personal data. We will keep basic data to identify you and retain it solely for preventing further unwanted processing.
Restrict Processing: You have the right to ask CRI Group to restrict how we process your data. This means we are permitted to store the data but not further process it. We keep just enough data to make sure we respect your request in the future.
Object to processing: Where processing is based on legitimate interests, you have the right to object to CRI Group processing your data. CRI Group will discontinue processing your data, unless we can demonstrate compelling legitimate grounds for the processing. We will keep basic data to identify you and retain it solely for preventing further unwanted processing.
Portability: Where processing is based on consent or performance of a contract, you have the right to data portability. CRI Group must allow you to obtain and reuse your personal data for your own purposes in a safe and secure way without this effecting the usability of your data. This right only applies to personal data that you have provided to CRI Group as the Data Controller.
Please contact Compliance Team to request access, rectification, or erasure, or to restrict processing, to object to processing, to request data portability.
COOKIES
We use cookies on our website to improve the performance of the website during your visit. If you do not want us to use cookies you can change the respective settings in the settings menu of your browser. However, even when declined, this website tracks your IP address and might use strictly necessary cookies which is not managed by CRI Group by all means. We suggest changing DNT settings in your browser.
Cookies we use:
A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first party cookies. We also use third party cookies; you may receive third party cookie notification on you first visit. which are cookies from a domain different than the domain of the website you are visiting, for our advertising and marketing efforts. We have no direct control over the information that is collected by these cookies (CookiePro, 2020).
THIRD PARTY WEBSITES OR OTHER SERVICES
We are not responsible for the privacy practices of any non-CRI Group operated websites, mobile apps or other digital services, including those that may be linked through CRI Group websites or services, and we encourage you to review the privacy policies or policies published thereon.
You may review the policy of third-party. We are using HubSpot, you may find the list of cookies used by HubSpot here.
AUTOMATED DECISION MAKING
Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.
CRI Group does not make automated decisions using personal data. If automated decisions are to be made, affected persons will be given an opportunity to express their views on the automated decision in question and object to it.
ENSURING COMPLIANCE WITH PRIVACY POLICIES AND PRINCIPLES
We, at CRI Group, take seriously our obligations toward maintaining and securing the privacy of your personal data. We adhere to implement best internal control policies which are in consistent with this Privacy Policy.
UPDATING AND REVISING PRIVACY POLICY
Any revision in this Privacy Policy is discretion of CRI Group to make sure it complies with the applicable law and conforms to changes in our business. We may need to update this Privacy Policy, and we reserve the right to do so at any time. Your use of the Services constitutes your acceptance of the terms of this Privacy Policy as amended or revised by us from time to time.
Contact us
If you have any queries with reference to your personal data or you want to file a complaint, please feel free to contact us on the following:
All requests will be acknowledged and responded to as quickly as possible, in conformity with applicable law.
For data subjects located in the EU: CRI Group will make up the most effort to resolve all your queries. However, if we are not able to satisfactorily resolve your questions, concerns, or complaints, or if you believe that the processing of your personal data infringes on your rights under applicable data protection laws, you have the right, without prejudice to any other administrative or judicial remedies, to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement. Contact information for the supervisory authorities may be found here:
EU Data Protection Authorities
http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm