The policy of Chrome River is to respect and protect Personal Data collected or maintained by or on behalf of the Company.  As part of this commitment, Chrome River has certified that we adhere to the Privacy Principles set forth in the US-EU Privacy Shield Framework regarding Personal Data related to employees of Chrome River resident in the European Economic Area ("EEA" or "EU") and processed in support of Chrome River human resources operations.

Since Chrome River may now and/or in the future transfer or provide access to Personal Data regarding employees of the EEA to the United States, we adhere to the Privacy Shield principles as agreed to by the U.S. Department of Commerce and the European Commission and are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

In compliance with the Privacy Shield Principles, Chrome River commits to resolve complaints about our collection or use of your personal information.  EEA individuals with inquiries or complaints regarding our Private Shield policy should first contact Chrome River at: 

privacy@chromeriver.com

Chrome River has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.  If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint.  The services of EU DPAs are provided at no cost to you. 

This Policy applies to all Personal Data processed by Chrome River related to employees of Chrome River resident in the EEA whether in electronic or tangible format.

Definitions

a. Agent. “Agent” means any third party that processes personal information pursuant to the instructions of, and solely for the benefit of Chrome River or to which Chrome River discloses personal information for processing on Chrome River’s behalf.

b. Controller. “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

c. Data Subject. “Data Subject” is a natural person resident in the EEA who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. For purposes of this Policy, Data Subject shall be restricted to any current and former Chrome River employees, including but not limited to, temporary and permanent employees, retirees, and other former employees as well as dependents of such employees.

d. Personal Data. (“Personally Identifiable Data”). “Personal Data” means any information or set of information in any form that relates to a Data Subject.

e. Processing of “Personal Data”. Processing of “Personal Data” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

f. Sensitive Personal Data. “Sensitive Personal Data” means Personal Data that reveals a natural person’s race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, any information that concerns a natural person’s sex life or health, or information relating to the commission of a criminal offense.

g. Third Party Agent. “Third Party Agent” shall mean any natural or legal person that is not a subsidiary, employee or director of Chrome River or its subsidiaries.

Principles

a. Notice. Chrome River shall inform Data Subjects that it participates and adheres to the Principles of the Privacy Shield program, the purpose for which it collects and uses Personal Data and the types (or identity) of Third Party Agents to whom the Company discloses or may disclose that Personal Data. Chrome River will provide notice in clear and conspicuous language when Data Subjects are first asked to provide Personal Data to the Company, or as soon as practicable thereafter, and in any event before the Company uses or discloses the Personal Data for a purpose other than that for which it was originally collected.

b. Choice. Chrome River collects Personal Data about its employees for human resources or compliance related functions, including, without limitation, recruiting, onboarding, performance appraisals and payroll or benefit distribution. If Chrome River intends to use Personal Data for purposes outside of the Company’s human resources related functions (such as marketing communications) and (i) discloses Personal Data to a Third Party or (ii) uses the Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject, the Company will offer the Data Subject the opportunity to affirmatively or explicitly consent (opt-out) whether their Personal Data is (1) to be disclosed to a Third Party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject.

c. Accountability for Onward Transfers. Prior to disclosing Personal Data to a Third Party, Chrome River shall notify the Data Subject of such disclosure and allow the Data Subject the choice to opt-out of such disclosure unless the disclosure meets an employment requirement or is made to an Agent. Chrome River shall enter into contracts to ensure that any Third Party to whom Personal Data may be disclosed is aware of and adheres to the Principles or is subject to law providing the same level of privacy protection as is required by the Principles and agrees to provide an adequate level of privacy protection. The Company shall also, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing by Third Party Agents and agrees to provide a summary or a representative copy of the relevant privacy provisions of its contracts with agents to the DOC upon request.

The storage by Company of Personal Data on servers and/or on software made available or hosted by Third Party vendors shall not be considered disclosures of Personal Data to a Third Party so long as the Third Party vendor does not have direct access to the Personal Data stored or hosted. In all events, Chrome River shall ensure by contract that any such Third Party vendor (a) is aware of the Principles or (b) is subject to laws providing the same level of privacy protection as is required by the Principles or (c) has contractual safeguards in place to protect the Personal Data.

Chrome River is not required to identify the sources of Personal Data when such identification is not possible through reasonable efforts, or where the rights of persons other than the affected Data Subject would be violated. If there are compelling grounds to doubt the legitimacy of a Data Subject’s request for rectification, amendment or deletion of his or her Personal Data, Chrome River may require further justifications before performing the Data Subject’s request. Chrome River is not required to notify Third Parties to whom the Personal Data has been disclosed of any rectification, amendment or deletion when such notification involves a disproportionate effort or unreasonable burden.

d. Security. Chrome River takes reasonable and appropriate administrative, technical and physical measures to protect the confidentiality, integrity and availability of Personal Data, whether in electronic or tangible, hard copy form. Chrome River shall take reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

e. Data Integrity and Purpose Limitation. Chrome River limits the collection, use and retention of Personal Data to that which is germane for the intended purposes for which it was collected or authorized by the Data Subject and takes reasonable steps to ensure that all Personal Data is reliable, accurate, complete and current. Chrome River depends on its employees to keep Personal Data reliable, accurate, complete and current and will rely on its employees to maintain the integrity of all Personal Data they provide to the Company. The Company shall also adhere to the Principles for as long as it retains such Personal Data.

f. Access. Chrome River allows Data Subjects to access their Personal Data and to correct, amend or delete inaccurate information or information that is processed against the Principles, except (i) where the burden or expense of providing access would be disproportionate to the risks to the privacy of the Data Subject in the case in question, (ii) for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature.

g. Recourse, Enforcement, and Liability. Chrome River uses a self-assessment approach or outside compliance review to assure compliance with this Policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, is disseminated to its employees, is completely implemented and accessible and is in conformity with the Principles set forth in this Policy. Chrome River encourages interested persons to raise any concerns using the contact information provided below and will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles. In addition, Chrome River has agreed to cooperate with the European Data Protection Authorities (http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm) for the purpose of handling any unresolved complaints regarding Personal Data concerns. Data Subjects (employees) may engage their local Data Protection and/or Labor Authority concerning adherence to the Principles and the Company shall respond directly to such authorities with regard to investigations and resolution of complaints.

5. Limitation on Scope of Principles

Chrome River adheres to the Principles except, as required or allowed by law, to meet legal, governmental, law enforcement or national security obligations, or to protect the health or safety of an individual.

6. Changes to this Policy

This Policy may be amended consistent with the requirements of Privacy Shield. When Chrome River updates the Policy, it will also revise the “Last Updated” date at the top of this document. Any material changes to this Policy will also be posted on the Chrome River website or intranet.

7. Contact Information

Questions, comments or complaints regarding this Policy or Chrome River Personal Data processing practices can be mailed or emailed to:

Office of the Privacy Officer
Chrome River Technologies, Inc.
Suite 270
5757 Wilshire Blvd.
Los Angeles, CA 90036
privacy@chromeriver.com

Share this