CRI GROUP
PRIVACY POLICY

Computer Resources International (Luxembourg) S.A. (“CRI”)

This privacy notice is made in accordance with articles 12, 13 and 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or the “GDPR”)

In this notice, we will set out information about the processing of your personal data at CRI. Please, feel free to contact us if you need any further information or additional clarifications to the points, discussed below. You may contact us at the following e-mail: pdpo@cri.lu.

1. WHO WE ARE:

Computer Resources International (Luxembourg) S.A. (“CRI” or “we”)
Address: 11 Rue de l’Industrie L-8399 Windhof, GD of Luxembourg
e-mail: pdpo@cri.lu

2. PURPOSES OF AND LEGAL BASIS FOR PERSONAL DATA PROCESSING:

We process personal data of individuals with whom CRI has signed a contract as well as with individuals with whom CRI does not have signed contract (candidates):

2.1. Purposes and legal grounds for processing data of individuals with whom CRI does not have signed a contract:

2.1.1. We process the personal data, provided by the individuals (candidates) in their CVs, directly to us or through recruiters, for recruiting purposes, namely to analyze the profile of the candidates, when we have a vacancy at CRI, in view of their education, knowledge, skills, experience etc.

2.1.2. The data provided in the CVs are processed initially for the vacancy in relation to the CV is presented. The data are further processed for evaluation of whether profiles match to new vacancies, as may be opened at CRI. In this relation, please, see the retentions periods in section 7 below.

2.1.3. The legal ground for the processing under sections 2.1.1. and 2.1.2. is a legitimate interest. Please, see more details about the legitimate interests in section 3 below.

2.2. Purposes and legal grounds for processing data of individuals with whom CRI has signed a contract:

2.2.1. We process the personal data of all employees, consultants providing services to CRI directly (freelancers) or through companies, management staff etc., as follows:

2.2.1.1. Some of the personal data of our employees, consultants, freelancers and management staff are processed for payment purposes (e.g. for payment of agreed remunerations). The legal basis for this type of processing is our contract with the individual.

2.2.1.2. We process the personal data of the individuals with whom we have a contract for the recruiting purposes set out in section 2.1.2. above in case of openings for new positions. The legal ground for this processing is of legitimate interest. Please, see more details about the legitimate interests in section 3 below.

2.2.1.3. We also process personal data as required by law for the purposes of social insurance, tax legislation, state compensation (e.g. in case of childbirth children), pay row and labor law purposes. The legal ground for this type of processing is the law regulating the relevant area and we are processing the data because it is our obligation by law.

2.3. We should note that some of the personal data collected before entering into force of the GDPR, were processed based on the individuals’ consent provided either оnline (when submitting the data) or in the contract signed with CRI.

3. THE LEGITIMATE INTERESTS FOR THE PROCESSING

We have made legitimate interest assessment (“LIA”), which was positive that we may rely on the legal ground legitimate interests when processing personal data for recruiting purposes and for the purposes of filling vacancies at CRI. The LIA is made on the basis of a three-part test, namely:

3.1. Purpose test, which confirmed that we are pursuing a legitimate interest;

3.2. Necessity test, which confirmed that the processing is necessary for that purpose; and

3.3. Balancing test, which confirmed that the individuals’ interests do not override our legitimate interest.

You can find below a summary of our LIA:

Our legitimate interests are the legal ground for processing personal data of both candidates and individuals with whom CRI has signed a contract, for recruiting purposes and to fill vacancies at CRI. Our interests are legitimate and the processing of the personal data provided in the CVs of the candidates are necessary for the selection process (i.e. to assess the candidatures for each relevant vacancy).

We process personal data of candidates, received directly from individuals or, indirectly through recruiters, in relation to vacancies at CRI. In this scenario, the candidates clearly expect that their CVs (i.e. the personal data provided in the CVs) will be processed for recruiting purposes. That’s why our legitimate interests to fill the vacancy at CRI is not overridden by any interests or rights of the candidates. In fact, this legitimate interest is more likely to align with the interest of the candidate.

We also process the personal data of individuals with whom CRI has signed a contract, for new work or services provision opportunities, as such may be opened at CRI. We are in contractual relations with those individual and we believe that it will not be surprising for them to analyze their personal data. We also think it is in their interest to be offered new opportunities while they are not under any obligation to accept it.

We are processing only the personal data that are necessary for the recruitment and selection process, in which data are provided by the individuals themselves in their CVs. The processing is for a limited period of time (as set out in section 7 herein). This processing has a low privacy impact and we think that it is more appropriate for the individuals as well instead of bombarding them with unnecessary consent requests. All individuals, whose personal data are processed, are provided with the opt-out in section 9 below.

4. THE CATEGORIES OF PERSONAL DATA OBTAINED

We obtain the following personal data directly from the individuals or from recruiters:

  • Name;
  • Contact details (address, phone, e-mail, skypename, etc.)
  • Date of birth;
  • Education details;
  • Professional experience details;
  • Bank account details;
  • Civil status;
  • Date of birth of children, if applicable.

5. TO WHOM WE DISCLOSE THE PERSONAL DATA

We disclose pseudonymized personal data provided in the CVs of the individuals (profile, education, professional experience etc.) to our customers and partners in the consortium or teaming agreements, who need to check and approve the profile of the individual for the opened position. We mainly provide services to the EU institutions, directly or as a member of the consortium or as a subcontractor in projects with end-customer EU institutions. Those are the recipients of the personal data.

As mentioned, the data are pseudonymized, which means that we disclose the professional profile (age, education experience etc.) without indicating the name of the person.

The name will be disclosed only if the individual is approved for the position and he agrees to undertake it.

6. TRANSFERS OF THE PERSONAL DATA OUTSIDE EU

We do not transfer personal data outside the EU.

7. THE RETENTION PERIODS FOR THE PERSONAL DATA

The retention periods for the personal data, processed by CRI are, as follows:

  • Personal data of individuals (employees or consultants) who work at or, provide services to, CRI – until their contract with CRI is in force and effect. We will store the personal data without any processing, for a period of 1 year after the termination of the contract in case we need to comply with any legal requirements towards CRI.
  • Personal data of unsuccessful candidates – 1 year after the CV submission;
  • Personal data of management staff are stored until the individual is a member in the board and 5 years after his release or leave;

8. YOUR RIGHTS UNDER THE GDPR

We have summarised below the rights that you have according to the GDPR. In order to exercise your rights, please, send us an e-mail to the following e-mail address: pdpo@cri.lu. You can also submit a paper request in any of our offices depending on which office is most convenient for you. The addresses of our offices are published at our website www.cri-group.eu.

We will process your request at the soonest possible but in any case, not longer than 1 month after its submission.

Please, note that we need to verify the identity of your personality when making the request, using any reasonable means, including by asking you to present your ID when necessary.

If your requests are manifestly unfounded (for instance, if it is repetitive in nature), the GDPR gives us the right to charge you a reasonable fee. We will exercise this right only as an exception for the cases where the request is indeed manifestly unfounded.

You will be duly informed on any development on your request. If we believe it is not our obligation to comply with your request, we will explain you our position and provide you with the grounds we have in order not to comply with your request. You will have the right to object our position before the National Personal Data Commission in Luxembourg, www.cnpd.public.lu.

  • Right to be informed

You have the right to be informed about the collection and use of your personal data by CRI and through this noticed we aim to inform you accordingly.

Please, feel free to contact us by e-mail, to pdpo@cri.lu, for any questions or further clarifications in this relation.

  • Right of access

You have the right to access the personal data that we process. Once we receive your request for access, we will send you your personal data that we store and process and any supplementary information, if applicable. We note that in order to secure the best protection of the personal data we may ask you to properly identify yourself in order to confirm your identity, including requesting your ID before providing you the data.

  • Right to rectification

You have the right to have inaccurate personal data rectified. You may also be able to have incomplete personal data completed.

The personal data shall be considered inaccurate if it is incorrect or misleading as to any matter of fact.

If you submit such request, we will restrict the processing of your personal data, for which you seek rectification whilst we are verifying its accuracy, whether or not you exercise your right to restriction.

  • Right to erasure

According to the GDPR, you have the right to have your personal data erased provided that:
(i) the personal data is no longer necessary for the purpose, which we originally collected or processed them for;
(ii) CRI is relying on consent as a lawful basis for holding the data, and you would like withdraws your consent;
(iii) CRI is relying on legitimate interests as a basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
(iv) CRI is processing the personal data for direct marketing purposes and the individual objects to that processing;
(v) CRI has processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
(vi) If CRI has to erase the data in order to comply with a legal obligation.

  • Right to restrict processing

You have the right to restrict the processing of your personal data and limit the way we use them in the following circumstances:
(i) When you contest the accuracy of your personal data and CRI is verifying the accuracy of the data;
(ii) When the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and you request restriction instead of erasure;
(iii) CRI no longer need your personal data but you need that we keep them to keep in order to establish, exercise or defend a legal claim; or
(iv) You have objected the processing of your data under Article 21(1) of the GDPR and CRI is considering whether our legitimate grounds override those of the individual and you would like that we restrict until we consider the case.

When CRI receives a request for a restriction, we will not process the restricted data in any way except to store it.

There are thought some exceptions, which we may apply, e.g. in case of exercise or defense of legal claims, if it is for the protection of the rights of another person (natural or legal) and if it is for reasons of important public interest. Those exceptions we will apply only to the extent necessary if necessary at all.

  • Right to data portability

You have the right to data portability allowing you to obtain and reuse your personal data for your own purposes across different services.

The right to data portability only applies:
(i) to personal data an individual has provided directly to CRI;
(ii) where the processing is based on the individual’s consent or for the performance of a contract; and
(iii) when processing is carried out by automated means.

  • Right to object

According to the GDPR, you have the right to object processing, on grounds relating to your situation, as follows:
(i) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
(ii) processing for direct marketing purposes (including profiling); and
(iii) processing for purposes of scientific/historical research and statistics.

As you will see in section 9 below, in addition to this right, CRI provides you the option to opt-out and request to cease the processing and erase your personal data without а reason.

  • Rights in relation to automated decision making and profiling.

At CRI we do not apply automated decision making and profiling.

9. THE RIGHT TO WITHDRAW CONSENT AND OPT OUT

Because we respect your privacy and our processing is only done because we believe that we have a mutual interest in this processing, we will respect your wish to opt-out without any reason. You are free at any time to inform us that you do not want CRI to process your data anymore. We will respect your request.

As said above, before entering into force of the GDPR, we collected and processed some of the personal data based on consent. Taking into account the new GDPR, we have determined the legitimate interest as the most appropriate ground for us to collect and process the data.

As the main difference between the two legal grounds for you is the right to withdraw your consent (given before), please, note that by providing you with the option to opt-out, you will be again able to request from us to cease the processing of your data and we undertake the obligation to do so, as if you have withdrawn your consent.

10. THE SOURCE OF THE PERSONAL DATA

We obtain the personal data that we collect either from you directly or through recruitment agencies.

We do not buy data basis or do not have any access to any data basis containing personal data. We could takе data from public sources (such as linked-in, facebook etc.) which you have made available there and to which we have access.

11. THE RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

You have the right to lodge a complaint before the National Personal Data Commission in Luxembourg if you think that we process your data in breach of the GDPR articles and principles.

Here is the web address from where you can directly file the complaint: https://cnpd.public.lu/en/declarer/notification_violation_securite.html