Cronos Europa Privacy Statement
Table of Contents
1. Who implies “we”?
2. Privacy statement summary
3. Your data
3.1. Personal data information we collect and process
3.2. How do we use your information?
3.3. When do we collect your personal data?
3.4. What are our commitments in terms of processing your personal data?
3.5. How long do we store your information?
4. Access and sharing of your personal data
4.1. Who can access your personal data?
4.2. Is your personal data transferred to third parties?
4.3. How do we protect your data for transfers outside the European Economic Area?
5. Your choices and rights concerning your information
5.1. What are your rights?
5.2. How can you exercise your rights?
6. Security – How do we protect your data?
6.1. Technical Measures
6.2. Organisational Measures
7. How to contact us?
8. Changes to our privacy statement
1. Who implies “we”?
“We” or “our” refers to the Cronos Europa registered offices as listed on our website: Cronos Europa
If you have any questions, comments or complaints regarding this privacy statement or the processing of your personal data, or if you wish to exercise any of your rights, please contact us by email to privacy@cronoseuropa.com.
2. Privacy statement summary
We are committed to collecting and processing your personal data in a transparent manner.
We control the access and sharing of your data.
We ensure that you can exercise your rights in the best conditions.
We ensure the security of the data you entrust to us.
We process your personal information for the following reasons:
• Business processing: when you apply for a position, we process your personal data for recruitment and selection for open or future vacancies. The data is processed with your consent.
• Compliance with regulations and laws.
3. Your data
3.1. Personal data information we collect and process
‘Personal data’ refers to information that does or can identify you as an individual, directly or indirectly.
The types of personal data that we collect include:
• Identification data: full name
• Contact data: email address, phone number, address
• Profession related data:
o Experience:
    Work History – Company, Job title, Summary
    Experience summary
o Education history: School, Field of study, Summary
o When applicable, references check result
• Job application:
o Desired salary
o Resume: your document as attachment
o Cover letter
o Work permit requirement
o Luxembourg Employment Agency registration (ADEM)
o Your answers to additional questions related to specific positions that may be asked during the interview with the recruitment team
• LinkedIn profile data (upon acceptance)
o Full name
o Photo
o Email address
o Candidate’s LinkedIn link
• Criminological data: a check can be made at a later stage if required by the job position or a contractual necessity (requested by the customers, most of the time European institutions)
• Consent to Privacy Statement.
3.2. How do we use your information?
We use your personal data for the following objectives:
• Evaluate applications for employment
• Propose the candidate to a client and record the feedback
• If needed during the recruitment process, verification of the references to previous employments and education
• Fulfil legal obligations.
3.3. When do we collect your personal data?
We collect your data throughout our recruitment relationship with you.
Most of the collection is done at the time you apply to an open position at the company.
3.4. What are our commitments in terms of processing your personal data?
We have established a Personal Data Processing Policy outlining the data protection measures we have taken, including your rights in this regard.
3.5. How long do we store your information?
The data will be retained for no longer than necessary to achieve the aims for which they were collected and subsequently processed or required by law.
The retention period for your personal data is up to a maximum of 1 year after your consent.
The data is stored in a cloud solution from the tool provider, whose ISMS is certified to ISO/IEC 27001:2013.
4. Access and sharing of your personal data
4.1. Who can access your personal data?
The hiring team: the team responsible for posting the job vacancy and the recruitment team.
Only the services whose mission requires it are authorized to access your data (for example, our employees in charge of the recruitment processes, those in charge of the service management or hiring managers).
Access to your data is strictly limited to persons authorized by reason of their function and these persons are bound by a strict obligation of confidentiality. We continuously raise awareness and train our employees and partners on the protection of your personal data.
We outsource the development and administration of the tool to a subcontractor who has signed an agreement to comply with the GDPR.
4.2. Is your personal data transferred to third parties?
We may transfer your data, whether as part of our legal obligations or as part of the provision of services with trusted partners.
Thus, we may transfer your data to our customers or to external service providers whose intervention is necessary in connection with the services we provide to you (for example, our IT provider).
4.3. How do we protect your data for transfers outside the European Economic Area?
Your personal data is stored in the European Economic Area.
We will only transfer your data outside the European Economic Area if we are required to do so by a legal or regulatory obligation.
We will always ensure that appropriate safeguards are in place before transferring your data outside the European Economic Area, such as the adoption of standard contractual clauses or an adequacy decision by the European Commission.
5. Your choices and rights concerning your information
5.1. What are your rights?
We ensure that all your rights in relation to your personal data are respected. You can thus request access to your data or their rectification if the data is incomplete or inaccurate.
We respect your rights to limit the processing of this data, to oppose its use, and to request erasure, under the conditions and within the limits provided for by data protection legislation. We use the strict minimum set of data in this tool needed to process our business. Without your consent to record and process your data, or if you request to restrict the processing of your data, we will not be able to work with you, and will need to stop our collaboration.
We are also committed to respecting your right to the portability of personal data, i.e., the right to receive data about you directly or to request its communication to another organization.
5.2. How can you exercise your rights?
All requests for access to your personal information must be submitted in writing by the means of your choice:
• By email to privacy@cronoseuropa.com, specifying “Personal data Protection – Request to exercise my rights”
• By letter to Cronos: c/o DPO, 89A rue Pafebruch, L-8308 Capellen, Luxembourg
Please be sure to include your full name and contact details.
If the response you receive does not fully satisfy you, you can refer it to our Data Protection Officer. You can also lodge a complaint with the National Data Protection Authority (DPA). You can find the contact details by European country here: Our Members | European Data Protection Board (europa.eu).
6. Security – How do we protect your data?
We work every day to protect your confidential data against malicious attempts and misuse. The technical solutions we use to store and process your personal data are subject to enhanced monitoring because security is our priority.
6.1. Technical Measures
BreezyHR specific measures can be found here: https://breezy.hr/security
• Antivirus installed on all PCs/servers with regular updates
• Measures against the loss of personal data and regular back-ups
• Systematic and automatic update of software
• Secured HTTPS connection on hosted software
• Firewalls and authentication system
• Physical security of servers (reception, lockable premises, access restricted to authorised personnel)
• Access to system with unique identifier (login) for each user and authentication mechanism
• Configuration of new and existing material to limit vulnerabilities
• Limited access to personal data stored on the IT infrastructure
• Appropriate passwords (secured and regularly updated) and system to detect unauthorised or suspicious access
• Encryption of communications on public networks and database backups
• Closure of accounts of ex-employees.
6.2. Organisational Measures
• Internal security policy
• Create awareness with personnel and management involved in the processing of personal data
• Training of personnel and management involved in the processing of personal data
• DPO appointed
• No real personal data is used during the development cycle; only fake situations are created
• Access to personal data limited on a “need-to-know” basis
• Personnel bound by professional secrecy or confidentiality clause
• Prevention, detection, and processing of physical threats (fire, flood, etc.)
• Recovery plan in case of disaster or emergency (Continuity plan).
7. How to contact us?
All requests for access to your personal information must be submitted in writing to: privacy@cronoseuropa.com.
Please be sure to include your full name and contact details.
8. Changes to our privacy statement
Just as our business changes constantly, this Statement may also change. To assist you, this Statement is dated and has an associated version number on the front page and footer of this document.
Paper copies of this document are to be considered outdated. Only the electronic version published on the application represents the last updated version.
In the event of major changes to our Privacy Statement, Cronos will make reasonable efforts to inform all data subjects by e-mail.