COMPUTER RESOURCES INTERNATIONAL (LUXEMBOURG) S.A. (“CRI”)

This privacy notice is made in accordance with articles 12, 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or the “GDPR”)

This notice describes how CRI processes your personal data. Feel free to contact us if you need more information or additional clarifications on the points discussed below. You can contact us at the following address: pdpo@cri.lu.

1. WHO WE ARE:

Computer Resources International (Luxembourg) S.A. (“CRI” or “we”) Address: 11, rue de l’Industrie L-8399 Windhof, Grand Duchy of Luxembourg email: pdpo@cri.lu

We are a personal data controller according to the GDPR.

2. PURPOSES OF AND LEGAL BASIS FOR PERSONAL DATA PROCESSING:

We process personal data of individuals with whom CRI has a signed contract as well as with individuals with whom CRI does not have a signed contract (candidates), as follows:

2.1. Purposes and legal grounds for processing data of individuals, with whom CRI does not have a signed contract:

2.1.1. We process the personal data, provided by the individuals (candidates) in their CVs directly to us or through recruiters, for recruiting purposes, namely to analyse the profile of the candidates, when we have a vacancy at CRI, in view of their education, knowledge, skills, experience etc.

2.1.2. The data provided in the CVs are processed initially for the vacancy in relation to which the CV is presented. The data are further processed for the evaluation of whether profiles match new vacancies, as may be opened at CRI. In this relation, see the retention periods in section 7 below.

2.1.3. The legal ground for the processing of personal data under sections 2.1.1. and 2.1.2. is legitimate interest. Additional information about legitimate interest can be found in section 3 below.

2.2. Purposes and legal grounds for processing data of individuals, with whom CRI has a signed contract:

2.2.1. We process the personal data of all employees and consultants providing services to CRI directly (freelancers) or through companies, management staff etc., as follows:

2.2.1.1. Some of the personal data of our employees, consultants, freelancers and management staff are processed for payment purposes. The legal basis for this type of processing is the signed contract with the individual.

2.2.1.2. We process the personal data of the individuals with whom we have a signed contract for the recruiting purposes set out in section 2.1.2. above in case of openings for new positions. The legal ground for this processing is a legitimate interest. Additional information about legitimate interest can be found in section 3 below.

2.2.1.3. We also process personal data as required by law for the purposes of social insurance, tax legislation, state compensation (e.g. in case of childbirth), pay-row and labour law purposes. The legal ground for this processing is the law regulating the relevant area and we are processing the data because it is our obligation by law.

3. THE LEGITIMATE INTERESTS FOR THE PROCESSING

We have carried out a legitimate interest assessment (“LIA”), that has confirmed that we may rely on the legal ground “legitimate interest” when processing personal data for recruiting purposes and for the purposes of filling vacancies at CRI. The LIA was made on the basis of a three-part test, namely:

3.1. Purpose test, which confirmed that we are pursuing a legitimate interest;

3.2. Necessity test, which confirmed that the processing is necessary for that purpose; and

3.3. Balancing test, which confirmed that the individuals’ interests do not override our legitimate interest.

You can find below a summary of our LIA:
Our legitimate interests are the legal ground for processing personal data of both candidates and individuals with whom CRI has a signed contract, for recruiting purposes and to fill vacancies at CRI. Our interests are legitimate, and the processing of the personal data provided in the CVs of the candidates are necessary for the selection process (i.e. to assess the candidatures for each relevant vacancy).

We process personal data of candidates, received directly from individuals or, indirectly through recruiters, in relation to vacancies at CRI. In this scenario, the candidates clearly expect that their CVs (i.e. the personal data provided in the CVs) will be processed for recruiting purposes. That is why our legitimate interest to fill the vacancy at CRI is not overridden by any interests or rights of the candidates. In fact, this legitimate interest is more likely to align with the interest of the candidate.

We also process the personal data of individuals with whom CRI has a signed contract, for new work or service provision opportunities, as such work or service provision opportunities may be opened at CRI. We are in a contractual relation with those individuals and it is therefore not surprising that we analyse their personal data. We also think it is in their interest to be offered new opportunities while they are not under any obligation to accept them.

We only process the personal data that are necessary for the recruitment and selection process, data that are provided by the individuals themselves in their CVs. The processing is for a limited period of time (as set out in section 7 below). This processing has a low privacy impact and we think that it is more appropriate for the individuals as well instead of bombarding them with unnecessary consent requests. All individuals, whose personal data are processed, are provided with opt-out as set out in section 9 below.

4. THE CATEGORIES OF PERSONAL DATA OBTAINED

We obtain the following personal data directly from the individuals or from recruiters:

• Name;
• Contact details (address, phone, email address, Skype name, LinkedIn, websites etc.);
• Date of birth;
• EU citizen information;
• Education details;
• Professional experience;
• NATO or EU security clearance information;
• Bank account details;
• Civil status;
• Date of birth of children, if applicable.

5. TO WHOM WE DISCLOSE THE PERSONAL DATA / PERSONAL DATA PROCESSORS

Most of the personal data are processed through Greenhouse and Salesforce cloud services. We have implemented the standard EU clauses guarantying compliance with GDPR and a high level of personal data protection. Greenhouse is certified under the EU-US Privacy Shield.

We disclose pseudonymised personal data provided by the individuals in their CVs (profile, education, professional experience etc.) to our customers and partners in consortium or teaming agreements, who need to check and approve the profiles of individuals for opened positions. We mainly provide services to the European institutions, directly or as a member of a consortium or as a subcontractor in projects where the end-customer are European institutions. Those are the recipients of the personal data.

In addition, we may disclose personal data to some of the other companies in the CRI Group of companies, mainly CRI GROUP S.A., CRI LUXEMBOURG S.A., CRI BELGIUM S.P.R.L., DIGITERA GROUP S.A., DIGITERA GROUP BELGIUM S.P.R.L. Those companies maintain the same standards for personal data protection as we do.

6. TRANSFERS OF THE PERSONAL DATA OUTSIDE EU

The cloud services could be in EU and also outside EU (in US). We have undertaken all steps required in this relation by the GDPR to make sure that even if not EU, the clouds meet the GDPR standard for personal data protection.

Otherwise, we do not transfer personal data outside the EU.

7. THE RETENTION PERIODS FOR THE PERSONAL DATA

The retention periods for personal data processed by CRI are as follows:

7.1. Personal data of individuals (employees or consultants) who work at, or provide services to, CRI — until their contract with CRI is in force and effect. We will store the personal data without any processing, for an additional period of 10 years after the termination of the contract in case we need to comply with any legal requirements towards CRI (e.g. accounting, contract guarantees, etc.).

7.2. Personal data of unsuccessful candidates — 2 years after the CV submission.

7.3. Personal data of management staff are stored until the individual is member of the board and 10 years after his release or leave again for the purposes set out in section 7.1. above.

7.4. After the retention periods set out above, personal data will be deleted.

8. YOUR RIGHTS UNDER THE GDPR

We have summarised below the rights that you have according to the GDPR. In order to exercise your rights, please, send us an email to the following email address: pdpo@cri.lu. You can also submit a paper request in any of our offices depending on which office is most convenient for you. The addresses of our offices are published on our website www.cri-group.eu.

We will process your request at the soonest but in any case, not longer than 1 month after its submission.

Please, note that we need to verify your personal identity when you place your request, using any reasonable means, including by asking you to present your ID if necessary.

If your requests are manifestly unfounded (for instance, if they are repetitive in nature), the GDPR gives us the right to charge you a reasonable fee. We will exercise this right only as an exception for the cases where the request is indeed manifestly unfounded.

You will be duly informed of any development on your request. If we believe it is not our obligation to comply with your request, we will explain our position and provide you with the reasons we do not comply with your request. You will have the right to object to our position before the National Personal Data Commission in Luxembourg, www.cnpd.public.lu.

• Right to be informed

You have the right to be informed about your personal data processing by CRI and through this notice we aim to inform you accordingly. The note may be updated from time to time as we constantly work to improve our policy and standards and you will always have access to the most updated notice.

Please, feel free to contact us by email, to pdpo@cri.lu, for any question or further clarification in this relation.

• Right of access

You have the right to access the personal data that we process. Once we receive your request for access, we will send you your processed personal data and any supplementary information, if applicable. We note that in order to secure the best protection of the personal data we may ask you to properly identify yourself in order to confirm your identity, including requesting your ID before providing you the data.

• Right to rectification

You have the right to have inaccurate personal data rectified. You may also be able to have incomplete personal data completed.

The personal data shall be considered inaccurate if it is incorrect or misleading as to any matter of fact.

If you submit such a request, we will restrict the processing of your personal data, for which you seek rectification whilst we are verifying its accuracy, whether or not you exercise your right to restriction.

• Right to erasure

According to the GDPR, you have the right to have your personal data erased provided that:

• the personal data is no longer necessary for the purpose which we originally collected or processed them for;
• CRI is relying on consent as a lawful basis for holding the data, and you would like to withdraw your consent;
• CRI is relying on legitimate interests as a basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
• CRI is processing the personal data for direct marketing purposes and the individual objects to that processing;
• CRI has processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle of the GDPR);
• CRI has to erase the data in order to comply with a legal obligation.

• Right to restrict processing

You have the right to restrict the processing of your personal data and limit the way we use them in the following circumstances:

• When you contest the accuracy of your personal data and CRI is verifying the accuracy of the data;
• When the data have been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and you request restriction instead of erasure;
• CRI no longer needs your personal data but you need that we keep them in order to establish, exercise or defend a legal claim; or
• You have objected to the processing of your data under Article 21(1) of the GDPR and CRI is considering whether our legitimate grounds override those of the individual and you would like that we restrict access to your data until we consider the case.

When CRI receives a request for restriction, we will not process the restricted data in any way except to store them.

There are some exceptions which we may apply, e.g. in case of exercise or defence of legal claims, if it is for the protection of the rights of another person (natural or legal) and if it is for reasons of important public interest. We will apply those exceptions only to the extent necessary, if necessary at all.

• Right to data portability

You have the right to data portability allowing you to obtain and reuse your personal data for your own purposes across different services.

The right to data portability only applies:

• to personal data an individual has provided directly to CRI;
• where the processing is based on the individual’s consent or for the performance of a contract; and
• when processing is carried out by automated means.

• Right to object

According to the GDPR, you have the right to object processing, on grounds relating to your situation, as follows:

• processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
• processing for direct marketing purposes (including profiling); and
• processing for the purposes of scientific/historical research and statistics.

As you will see in section 9 below, in addition to this right, CRI provides you with the option to opt-out and request to cease the processing and erase your personal data without а reason.

• Rights in relation to automated decision-making and profiling

At CRI we do not apply automated decision-making and profiling.

9. THE RIGHT TO WITHDRAW CONSENT AND OPT OUT

Because we respect your privacy and our processing is only done because we believe that we have a mutual interest in this processing, we will respect your wish to opt out without any reason. You are free at any time to inform us that you do not want CRI to process your data anymore. We will respect your request.

As said above, before GDPR entered into force, we collected and processed some of the personal data based on consent. Taking into account the new GDPR, we have determined the legitimate interest as the most appropriate ground for us to collect and process the data.

As the main difference between the two legal grounds for you is the right to withdraw your consent (given before), please, note that by providing you with the option to opt out, you will be again able to request from us that we cease the processing of your data and we undertake the obligation to do so, as if you had withdrawn your consent.

10. THE SOURCE OF THE PERSONAL DATA

We obtain the personal data that we collect either from you directly or through recruitment agencies.

We do not buy data from databases and do not have access to any database containing personal data. We may gather data from public sources (such as LinkedIn, facebook, etc.) which you have made available there and to which we have access.

11. THE RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

You have the right to lodge a complaint before the National Personal Data Commission in Luxembourg if you think that we have processed your data in breach of the GDPR articles and principles.

Here is the URL from which you can directly file the complaint:

https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html