CRI GROUP
PRIVACY POLICY

COMPUTER RESOURCES INTERNATIONAL (LUXEMBOURG) S.A. (“CRI”)

This privacy notice is made in accordance with articles 12, 13 and 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or the “GDPR”)

In this notice we will set out information about the processing of your personal data at CRI. Please, feel free to contact us if you need any further information or additional clarifications to the points, discussed below. You may contact us on the following e-mail: pdpo@cri.lu.

  1. WHO WE ARE:

Computer Resources International (Luxembourg) S.A. (“CRI” or “we”)
Address: 11 Rue de l’Industrie L-8399 Windhof, GD of Luxembourg
e-mail: pdpo@cri.lu

We are personal data controller according to the GDPR.

  1. PURPOSES OF AND LEGAL BASIS FOR PERSONAL DATA PROCESSING:

We process personal data of individuals with whom CRI has signed contract as well as with individuals with whom CRI does not have signed contract (candidates), as follows:

2.1. Purposes and legal grounds for processing data of individuals, with whom CRI does not have signed contract:

2.1.1. We process the personal data, provided by the individuals (candidates) in their CVs, directly to us or through recruiters, for recruiting purposes, namely to analyse the profile of the candidates, when we have vacancy at CRI, in view of their education, knowledge, skills, experience etc.

2.1.2. The data provided in the CVs are processed initially for the vacancy in relation to the CV is presented. The data are further processed for evaluation of whether profiles match to new vacancies, as may be opened at CRI. In this relation, please, see the retentions periods in section 7 below.

2.1.3. The legal ground for the processing under sections 2.1.1. and 2.1.2. is legitimate interest. Please, see more details about the legitimate interests in section 3 below.

2.2. Purposes and legal grounds for processing data of individuals, with whom CRI has signed contract:

2.2.1. We process the personal data of all employees, consultants providing services to CRI directly (freelancers) or through companies, management staff etc., as follows:

2.2.1.1. Some of the personal data of our employees, consultants, freelancers and management staff are processed for payment purposes. The legal basis for this type of processing is our contract with the individual.

2.2.1.2. We process the personal data of the individuals with whom we have contract for the recruiting purposes set out in section 2.1.2. above in case of openings for new positions. The legal ground for this processing is a legitimate interest. Please, see more details about the legitimate interests in section 3 below.

2.2.1.3. We also process personal data as required by law for the purposes of social insurance, tax legislation, state compensation (e.g. in case of childbirth children), pay-row and labour law purposes. The legal ground for this type of processing is the law regulating the relevant area and we are processing the data because it is our obligation by law.

  1. THE LEGITIMATE INTERESTS FOR THE PROCESSING

We have made legitimate interest assessment (“LIA”), which was positive that we may relay on the legal ground legitimate interests when processing personal data for recruiting purposes and for the purposes of filling vacancies at CRI. The LIA is made on the basis of a three-part test, namely:

3.1. Purpose test, which confirmed that we are pursuing a legitimate interest;

3.2. Necessity test, which confirmed that the processing is necessary for that purpose; and

3.3. Balancing test, which confirmed that the individuals’ interests do not override our legitimate interest.

You can find below summary of our LIA:

Our legitimate interests are the legal ground for processing personal data of both candidates and individuals with whom CRI has signed contract, for recruiting purposes and to fill vacancies at CRI. Our interests are legitimate and the processing of the personal data provided in the CVs of the candidates are necessary for the selection process (i.e. to assess the candidatures for each relevant vacancy).

We process personal data of candidates, received directly from individuals or, indirectly through recruiters, in relation to vacancies at CRI. In this scenario, the candidates clearly expect that their CVs (i.e. the personal data provided in the CVs) will be processed for recruiting purposes. That’s why our legitimate interests to fill the vacancy at CRI is not overridden by any interests or rights of the candidates. In fact, this legitimate interest is more likely to align with the interest of the candidate.

We also process the personal data of individuals with whom CRI has signed contract, for new work or services provision opportunities, as such may be opened at CRI. We are in contractual relations with those individual and we believe that it will not be surprising for them to analyse their personal data. We also think it is in their interest to be offered new opportunities while they are not under any obligation to accept it.

We are processing only the personal data that are necessary for the recruitment and selection process, which data are provided by the individuals themselves in their CVs. The processing is for limited period of time (as set out in section 7 herein). This processing has a low privacy impact and we think that it is more appropriate for the individuals as well instead bombarding them with unnecessary consent requests. All individuals, whose personal data are processed, are provided with opt-out in section 9 below.

  1. THE CATEGORIES OF PERSONAL DATA OBTAINED

We obtain the following personal data directly from the individuals or from recruiters:

  • Name;
  • Contact details (address, phone, e-mail, skype-name, linked-in, websites etc.)
  • Date of birth;
  • EU citizen information;
  • Education details;
  • Professional experience details;
  • NATO or EU security clearance information;
  • Bank account details;
  • Civil status;
  • Date of birth of children, if applicable.
  1. TO WHOM WE DISCLOSE THE PERSONAL DATA / PERSONAL DATA PROCESSORS

Most of the personal data are processed through Greenhouse and Salesforce cloud services. We have executed the standard EU clauses guarantying compliance with GDPR and high-level of personal data protection. Greenhouse is certified to the EU-US Privacy Shield.

We disclose pseudonymised personal data provided in the CVs of the individuals (profile, education, professional experience etc.) to our customers and partners in consortium or teaming agreements, who need to check and approve the profile of the individual for the opened position. We mainly provide services to the EU institutions, directly or as member of consortium or as subcontractor in projects with end-customer EU institutions. Those are the recipients of the personal data.

In addition, we may disclose personal data to some the other companies from CRI Group of companies, mainly to CRI GROUP S.A., CRI LUXEMBOURG S.A., CRI BELGIUM S.P.R.L., DIGITERA GROUP S.A., DIGITERA GROUP BELGIUM S.P.R.L. Those companies maintain the same standards for personal data protection as we do.

  1. TRANSFERS OF THE PERSONAL DATA OUTSIDE EU

The cloud services could be in EU and also outside EU (in US). We have undertaken all steps required in this relation by the GDPR to make sure that even if not EU, the clouds meet the GDPR standard for personal data protection.

Otherwise, we do not transfer personal data outside the EU.

  1. THE RETENTION PERIODS FOR THE PERSONAL DATA

The retention periods for the personal data, processed by CRI are, as follows:

  • Personal data of individuals (employees or consultants) who work at or, provide services to, CRI – until their contract with CRI is in force and effect. We will store the personal data without any processing, for additional period of 10 years after the termination of the contract in case we need to comply with any legal requirements towards CRI (e.g. accounting, contracts guarantee etc.).
  • Personal data of unsuccessful candidates – 2 years after the CV submission;
  • Personal data of management staff are stored until the individual is member in the board and 10 years after his release or leave again for the purposes set out in section 7.1. above;
  • After the retention periods set out above, the data will be deleted.
  1. YOUR RIGHTS UNDER THE GDPR

We have summarised below the rights that you have according to the GDPR. In order to exercise your rights, please, send us e-mail to the following e-mail address: pdpo@cri.lu. You can also submit paper request in any of our offices depending on which office is most convenient for you. The addresses of our offices are published at our website www.cri-group.eu.

We will process your request at the soonest possible but in any case, not longer than 1 month after its submission.

Please, note that we need to verify the identity of your personality when making the request, using any reasonable means, including by asking you to present your ID when necessary.

If your requests are manifestly unfounded (for instance, if it is repetitive in nature), the GDPR gives us the right to charge you a reasonable fee. We will exercise this right only as exception for the cases where the request is indeed manifestly unfounded.

You will be duly informed on any development on your request. If we believe it is not our obligation to comply with your request, we will explain you our position and provide you with the grounds we have in order not to comply with your request. You will have the right to object our position before the National Personal Data Commission in Luxembourg, www.cnpd.public.lu.

  • Right to be informed

You have the right to be informed about your personal data processing by CRI and through this noticed we aim to inform you accordingly. The note may be updated from time to time as we constantly work to improve our policy and standards and you will be always have access to the most updated notice.

Please, feel free to contact us by e-mail, to pdpo@cri.lu, for any questions or further clarifications in this relation.

  • Right of access

You have the right to access the personal data that we process. Once we receive your request for access, we will send you your personal data that we process and any supplementary information, if applicable. We note that in order to secure best protection of the personal data we may ask you to properly identify yourself in order to confirm your identity, including requesting your ID before providing you the data.

  • Right to rectification

You have the right to have inaccurate personal data rectified. You may also be able to have incomplete personal data completed.

The personal data shall be considered inaccurate if it is incorrect or misleading as to any matter of fact.

If you submit such request, we will restrict the processing of your personal data, for which you seek rectification whilst we are verifying its accuracy, whether or not you exercise your right to restriction.

  • Right to erasure

According to the GDPR, you have the right to have your personal data erased provided that:

  • the personal data is no longer necessary for the purpose, which we originally collected or processed them for;
  • CRI is relying on consent as lawful basis for holding the data, and you would like withdraws your consent;
  • CRI is relying on legitimate interests as basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • CRI is processing the personal data for direct marketing purposes and the individual objects to that processing;
  • CRI has processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
  • If CRI has to erase the data in order to comply with a legal obligation.
  • Right to restrict processing

You have the right to restrict the processing of your personal data and limit the way we use them in the following circumstances:

  • When you contest the accuracy of your personal data and CRI is verifying the accuracy of the data;
  • When the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and you request restriction instead erasure;
  • CRI no longer need your personal data but you need that we keep them to keep in order to establish, exercise or defend a legal claim; or
  • You have objected the processing of your data under Article 21(1) of the GDPR and CRI is considering whether our legitimate grounds override those of the individual and you would like that we restrict until we consider the case.

When CRI receives request for restriction, we will not process the restricted data in any way except to store it.

There are thought some exceptions, which we may apply, e.g. in case of exercise or defence of legal claims, if it is for the protection of the rights of another person (natural or legal) and if it is for reasons of important public interest. Those exceptions we will apply only to the extent necessary if necessary at all.

  • Right to data portability

You have right to data portability allowing you to obtain and reuse your personal data for your own purposes across different services.

The right to data portability only applies:

  • to personal data an individual has provided directly to CRI;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.
  • Right to object

According to the GDPR, you have the right to object processing, on grounds relating to your situation, as follows:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • processing for direct marketing purposes (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

As you will see in section 9 below, in addition to this right, CRI provides you the option to opt-out and request to cease the processing and erase your personal data without а reason.

  • Rights in relation to automated decision making and profiling.

At CRI we do not apply automated decision making and profiling.

  1. THE RIGHT TO WITHDRAW CONSENT AND OPT OUT

Because we respect your privacy and our processing is only done because we believe that we have mutual interest in this processing, we will respect you wish to opt-out without any reason. You are free at any time to inform us that you do not want CRI to process your data anymore. We will respect your request.

As said above, before entering into force of the GDPR, we collected and processed some of the personal data based on consent. Taking into account the new GDPR, we have determined the legitimate interest as most appropriate ground for us to collect and process the data.

As the main difference between the two legal grounds for you is the right to withdraw your consent (given before), please, note that by providing you with the option to opt-out, you will be again able to request from us to cease the processing of your data and we undertake the obligation to do so, as if you have withdrawn your consent.

  1. THE SOURCE OF THE PERSONAL DATA

We obtain the personal data that we collect either from you directly or through recruitment agencies.

We do not buy data basis or do not have any access to any data basis containing personal data. We could takе data from public sources (such as linked-in, facebook etc.) which you have made available there and to which we have access.

  1. THE RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

You have the right to lodge a complaint before the National Personal Data Commission in Luxembourg if you think that we process your data in breach of the GDPR articles and principles.

Here is the web address from where you can directly file the complaint: https://cnpd.public.lu/en/declarer/notification_violation_securite.html