Privacy Notice
1. Introduction
1.1 This privacy notice (“Notice“) sets out the basis on which CRA processes the personal data we collect from you and others as set out below.
1.2 This Notice applies to current employees, job applicants, interview candidates, interns, contractors, and third parties whose information you provide to us in connection with our relationship (for example, in respect of emergency contact information).
1.3 This Notice is not a contract, and does not confer any contractual right on you, or place any contractual obligation on CRA.
1.4 We reserve the right to update or otherwise amend this Notice at any time.
2. Speed Read and Key Shortcuts
CRA collects and uses personal details which you provide as part of the recruitment and onboarding processes, together with additional personal data collected throughout the course of your employment or affiliation with CRA (for instance, in relation to performance reviews, disciplinary processes, or participation in voluntary benefit schemes).
The personal data CRA collects is used primarily for recruitment, managing its workforce and complying with its contracts of employment or affiliation with CRA. The data may be stored in systems based around the world, and may be processed by third party service providers acting on CRA’s behalf.
You have certain rights in respect of your personal data, which you can exercise by contacting Human Capital in the first instance.
– How we use your personal data – Section 4
– Who receives your personal data – Section 7
– Your rights – Section 10
3. Types of Personal Data Processed
3.1 “Personal data” is a concept defined by applicable data protection law, and refers to information which relates to an identified or identifiable individual.
3.2 The types of personal data which we process will vary depending on your role, your location and the terms and conditions of employment or affiliation with CRA (if any) relevant to you. Typically the types of personal data will include, but may not be limited to, the following:
3.2.1 Your Personal Details – for example, your name, date of birth, gender, personal contact details, emergency contact/next of kin details, immigration and eligibility to work data and languages spoken;
3.2.2 Basic Work Details – for example, your work contact details (corporate email address and telephone numbers), employee number, photograph, job title, job description, assigned business unit or group, reporting lines, primary work location, working hours and your terms and conditions of employment or affiliation with CRA;
3.2.3 Professional Qualifications and Regulatory Data – where applicable, including certifications and unique regulatory identifiers;
3.2.4 Recruitment/Selection Data – for example, any personal data contained in your CV, application form, record of interview or interview notes, and vetting and verification documentation;
3.2.5 Remuneration and Benefits Data – details of your pay and benefits package, bank account details, social security or national insurance number, tax information and third party benefit recipient information;
3.2.6 Criminal Records Data – as collected during the recruitment/application processes or in the course of your employment or affiliation with CRA, as permitted under local law;
3.2.7 Leave Data – for example, your holiday and family leave records;
3.2.8 Incapacity Data – for example, any personal data contained in your absence records, medical forms, reports or certificates and records relating to accommodations or adjustments;
3.2.9 Disciplinary and Grievance Data – for example, any personal data contained in records of allegations, investigations and proceeding records and outcomes;
3.2.10 Performance Management Data – for example, colleague and manager feedback, appraisals, outputs from talent programmes and formal and informal performance management processes;
3.2.11 Equality and Diversity Data – where permitted under local law and provided voluntarily, data regarding gender, age, race, nationality, religious belief, etc.;
3.2.12 Training and Development Data – data relating to training and development needs or training received;
3.2.13 Monitoring Data – where permitted under local law, identifiable images contained in CCTV footage, system and building login and access records, keystroke, download and print records, call recordings, data caught by IT security programs and filters;
3.2.14 Health and Safety Data – personal data in audits, risk assessments and incident reports;
3.2.15 Employee Claims, Complaints and Disclosures Data – personal data related to employment or affiliation with CRA based litigation and complaints, employee involvement in incident reporting and disclosures;
3.2.16 Termination Data – for example, dates and reason for leaving, termination arrangements and payments, exit interviews and references;
3.2.17 Any other personal data that you choose to disclose to CRA personnel during the course of your employment or affiliation with CRA, whether verbally or in written form (for example in work emails); and
3.2.18 Informal data, including opinion data, generated in the course of your employment or affiliation with CRA or engagement and relating to the administration or management of CRA’s relationship with you.
4. Legal Bases and Purposes for Processing
4.1 We use your personal data for a number of purposes which we have listed at paragraph 4.5 below.
4.2 Whenever we process your personal data, we do so on the basis of a “lawful condition” for processing, as further explained in paragraph 4.3. If we process special categories of personal data (including data relating to health, sexual orientation, racial or ethnic origin or religious beliefs), we do so on the basis of an additional condition, as described in 4.4.
4.3 In the majority of cases, the processing of your personal data will be justified on one of the following bases:
4.3.1 it is provided for in your contract of employment or affiliation with CRA, and therefore necessary to give effect to that contract (for example, collecting bank account details to pay your salary);
4.3.2 it is necessary for us to comply with a legal obligation (for example, disclosing tax data to the IRS or HMRC); or
4.3.3 it is in our legitimate interests as a business and as your employer, and our interests are not overridden by your interests, fundamental rights or freedoms (for example, reviewing your performance at work).
4.4 Any processing of special categories of data will be justified by a condition in paragraph 4.3, in addition to one of the following special conditions:
4.4.1 it is necessary for the purposes of carrying out obligations under employment law;
4.4.2 it is carried out subject to your explicit consent;
4.4.3 it is necessary for the establishment, exercise or defence of legal claims;
4.4.4 it is necessary for an assessment of your working capacity; or
4.4.5 in exceptional circumstances, where it is necessary to protect your vital interests and you are incapable of giving consent.
4.5 The purposes for which we process your personal data are to:
4.5.1 assess applications for employment or affiliation with CRA and make recruitment decisions;
4.5.2 review eligibility to work;
4.5.3 where authorized by law and required for your role, seek criminal record disclosure;
4.5.4 conduct an equal opportunities monitoring program;
4.5.5 create an employee record in Workday, our human resources IT system;
4.5.6 create IT and building access rights;
4.5.7 manage day-to-day aspects of your employment or affiliation with CRA, including:
4.5.7.1 paying salary, reimbursable expenses, bonuses and distributing stock awards;
4.5.7.2 administering benefits;
4.5.7.3 creating and maintaining records relating to your absence from work (including for sickness, parental leave, discretionary leave, sabbaticals etc.);
4.5.7.4 creating and maintaining training records and administering training programmes;
4.5.7.5 addressing occupational health issues, incapacity at work and making reasonable adjustments;
4.5.7.6 reviewing and reporting on your performance at work;
4.5.7.7 responding to and resolving grievances;
4.5.7.8 conducting disciplinary processes; and
4.5.7.9 managing professional certifications / licences and liaising with regulatory bodies on your behalf;
4.5.8 maintain emergency contact and beneficiary details;
4.5.9 manage health and safety at work and report on incidents;
4.5.10 monitor employee use of IT and communications, consistent with the law and with CRA internal policies;
4.5.11 investigate and respond to complaints from clients;
4.5.12 administer employment termination and provide references;
4.5.13 other purposes consistent with the processes envisaged by the categories of data listed in Section 3.2; and
4.5.14 exercise our rights to defend, respond to or conduct prospective or actual legal claims or proceedings.
5. Retention of Personal Data
5.1 Our general approach is to retain employee personal data only for as long as is required to satisfy the purpose for which it was collected by CRA or provided by you.
5.2 In certain cases, legal or regulatory obligations require CRA to retain specific records for a set period of time, including following the end of your employment or affiliation with CRA.
5.3 In other cases, we retain records in order to resolve queries or disputes which we think may arise from time to time.
6. Sources of Personal Data
6.1 The personal data we process about you will have been provided primarily by you, either during your application for employment or affiliation with CRA, the employee onboarding process, or on an ad hoc basis during the course of your employment or affiliation with CRA.
6.2 During the recruitment process, we may request references from third parties, and carry out screening and vetting processes using third party sources.
6.3 We also receive information which may include your personal data from your line manager (for example, in respect of performance reviews) or, from time to time, from other colleagues (for instance, in the course of conducting a disciplinary investigation).
6.4 From time to time, we may receive personal data about you from other third parties, for example clients, brokers and regulatory bodies.
7. Disclosures of Personal Data
7.1 We may share your personal data across the CRA organization where required in order to, for example, run global processes, carry out company-wide reporting, or make decisions about hires or promotions.
7.2 We use a number of third party suppliers to help us provide human resource services. These third parties may have access to or merely host your personal data, but will always do so under CRA’s instruction and subject to a contractual relationship.
7.3 Some third parties to whom we may provide personal data, for instance private health insurance providers, are data controllers in their own right, and you should refer to their own privacy notices and policies in respect of how they use your personal data.
7.4 We may be required to disclose your personal data to third parties:
7.4.1 in response to orders or requests from court, regulators, government agencies, parties to a legal proceeding or public authorities; or
7.4.2 to comply with regulatory requirements or as part of a dialogue with a regulator.
7.5 Your personal data may also be disclosed to advisors, potential transaction partners or interested third parties in connection with the consideration, negotiation or completion of a corporate transaction or restructuring of the business or assets of any part of CRA.
8. Cross-border Transfers
8.1 The global nature of our business means that your personal data may be disclosed to members of the CRA organization based outside of the European Economic Area (“EEA”).
8.2 Where third parties transfer your personal data outside of the EEA, we will take steps to ensure that your personal data receives an adequate level of protection, including by, for example, entering into data transfer agreements or by ensuring that third parties are certified under appropriate data protection schemes.
8.3 You have a right to request a copy of any data transfer agreement under which your personal data is transferred, or to otherwise have access to the safeguards used. Any data transfer agreement made available to you may be redacted for reasons of commercial sensitivity.
9. Security of your Personal Data
9.1 We implement reasonable physical, technical and administrative security standards designed to protect your personal data from loss, misuse, alteration, destruction or damage. More information about the specific measures implemented is available in the CRA Data Security Policy (available upon request).
9.2 We take steps to limit access to your personal data to those colleagues who need to have access to it for one of the purposes listed in Section 4.
9.3 You also have an important role to play in protecting the security of your personal data, and you should take care about whom you disclose personal data to, and how you protect your communications and devices. Please refer to the CRA Data Security Policy and to the Security and Confidentiality Framework for more information about your responsibilities. These documents are made available as part of onboarding or upon request.
10. Data Subject Rights
10.1 You have the following rights in respect of your personal data:
10.1.1 to obtain a copy of your personal data from Human Capital, together with information about how and on what basis that personal data is processed;
10.1.2 to rectify inaccurate personal data (including the right to have incomplete personal data completed);
10.1.3 to erase your personal data in limited circumstances where it is no longer necessary in relation to the purposes for which it was collected or processed;
10.1.4 to restrict processing of your personal data where:
10.1.4.1 the accuracy of the personal data is contested;
10.1.4.2 we no longer require the personal data for the purposes for which it was collected, but where CRA is entitled to retain the data nonetheless for the establishment, exercise or defense of a legal claim;
10.1.5 to challenge processing which we have justified on the basis of a legitimate interest;
10.1.6 to object to decisions which are based solely on automated processing or profiling;
10.1.7 to obtain a portable copy of your personal data, or to have a copy transferred to a third party controller; or
10.1.8 to obtain a copy of or access to safeguards under which your personal data is transferred outside of the EEA (see Section 8.3).
10.2 In addition to the above, you have the right to lodge a complaint with the relevant supervisory authority:
10.2.1 Belgium – Commission for the Protection of Privacy
10.2.2 France – Commission Nationale de l’ Informatique et des Libertés (CNIL)
10.2.3 Germany – The Federal Commissioner for Data Protection and Freedom of Information
10.2.4 Netherlands – Dutch Data Protection Authority
10.2.5 Switzerland – Federal Data Protection and Information Commissioner
10.2.6 United Kingdom – Information Commissioner’s Office (ICO)
10.2.7 United States – Federal Trade Commission