INFORMATION THAT WE COLLECT
CXG collects your personal data to achieve the purposes set out in the following point (“Why do we process data?”) of this policy. We only collect data that is adequate, relevant and limited to what is strictly necessary for the purposes for which it is processed.
In particular, the following data categories are being processed via the Website:
Identification Data: name, maiden name, last name, username or similar identifier, unique personal identifiers, marital status, title, date of birth and gender.
Contact Data: billing address, delivery address, email address and telephone numbers.
We do not collect any Special Categories of Personal Data (details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data), nor do we collect any information about criminal convictions and offences.
WHY DO WE PROCESS DATA?
The purposes and uses of your personal information will depend on the use of the website and the personal information provided. We process your personal information for multiple purposes:
1) Establish a contact with potential new joiners and initiate the recruitment or application assessment process;
2) Raise awareness of CXG’s services through various marketing approaches:
- Informing you about updates to the service and notifying you about other products and services offered by CXG that may be of interest to you, including information regarding publications and events;
- Tailoring your experience on the website with relevant CXG materials;
- Understanding the website’s user population, identifying subject’s areas of interest, and determining whether the website is designed to work with the computer settings of a majority of our visitors;
- Measuring and improving the effectiveness of CXG marketing programs across different channels;
- Improving our web content and navigation;
3) Ensure that customer or partners’ requests sent through the Website are handled quickly and efficiently;
4) Raise awareness, in particular, of our Measurement service and develop our database of (actual or potential) evaluators by establishing a first link with them.
LEGAL BASIS FOR PROCESSING
Legal bases for our data processing activities are established within the strict limits of the applicable data protection legislation, including but not limited to purposes and conditions of articles 6, 9 and 10 of the GDPR.
Legal bases on which we rely for processing of data through the Website are the following:
1) All data collected through webforms or contact forms are based on your explicit consent. You can at any time withdraw your consent by sending such request to us (Data Subject Request Form);
2) Data collected through cookies are processed based on CXG’s legitimate interest in keeping the Website up-to-date, secured and accurate as well as improving it based on statistics;
3) More generally, your data are also used to demonstrate compliance with several legal obligations including, without limitation, anti-fraud, social and tax legislation.
HOW WE MIGHT SHARE YOUR INFORMATION
We will not sell, share, rent or make available your personal information with any third party outside of our organization, other than as necessary to fulfil your request. Please note that we may process your personal data, in compliance with the above rules, where this is required or permitted by law.
The third parties with whom we may need to share personal information to help us provide services and products to you and to run our Website include:
- our subsidiaries or affiliates;
- our advisors;
- our third party service providers who process information on our behalf to help run some of our internal business operations including email distribution, IT services and marketing and events services;
- our business partners for publications and events co-organized by CXG and them;
- law enforcement bodies in order to comply with any legal obligation or court order.
Your data shared with partners are processed by them as “Joint-controller” or as “Processor”. This communication of personal data is undertaken within the scope of the legal basis used for concerned processing activity, with appropriate contractual safeguards ensuring security and confidentiality of data.
Because CXG is a global organization, we need to transfer personal information which is collected on the website or through other means across the CXG group of companies to help operate our business efficiently. This also includes third parties located in different countries around the world, including outside of the EEA. These arrangements may involve your personal information being located in various countries around the world where privacy laws differ. We only make these arrangements or transfers where adequate levels of protection are in place to protect information held in that country. In addition, the Website may be viewed and accessed anywhere in the world including countries that may not have laws regulating the use and transfer of personally identifiable information. By using the Website, submitting information through this site, or submitting personal information to CXG through other means, you acknowledge and accept such international (but still internal) transfer and hosting of such information to those countries and parties.
Your data may also be communicated to competent judicial or administrative authorities, and generally any other authority entitled by law or other applicable legislation.
RETENTION OF YOUR PERSONAL INFORMATION
We will only retain your personal data for a duration reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
YOUR RIGHTS AS DATA SUBJECT
According to the applicable data protection legislation, including but not limited to GDPR, you as a Data Subject have the following rights:
- To request access to all your personal data processed by us. Subsequent requests for access addressed to us that are manifestly submitted for causing nuisance or harm to us, will not be dealt with;
- To ask that any personal data pertaining to you that are inaccurate be corrected free of charge. If a request for correction is submitted, such request shall be accompanied by proof of the flawed nature of the data for which correction is asked;
- To withdraw your earlier given consent for processing your personal data. You can withdraw your consent at any time by completing the Data Subject Request Form;
- Instead of deletion, you can also ask that we limit the processing of your personal data if and when (a) you contest the accuracy of that data, (b) the processing is illegitimate or (c) the data are no longer needed for the purposes listed but you need them to defend yourself in judicial proceedings;
- To oppose the processing of personal data if you are able to prove that there are serious and justified reasons connected with particular circumstances that warrant such opposition. However, if the intended processing qualifies as direct marketing, you have the right to oppose such processing free of charge and without justification;
- Where your personal data is processed based on consent or on a contract and the processing is carried out by automated means, you will have the right to receive the personal data concerning yourself, which you provided to us, in a structured, commonly used and machine-readable format and, where technically feasible, you will have the right to directly transmit those data to another service provider.
If you wish to submit a request to exercise one or more of the rights listed above, you can complete the Data Subject Request Form. Such request should clearly state which right you wish to exercise and the reasons for it if such is required. It should also be dated, signed and accompanied by a digitally scanned copy of your valid identity card proving your identity.
We will promptly inform you of having received this request. If the request proves valid, we shall honour it as soon as reasonably possible and at the latest thirty (30) days after having received the request.
If you have any complaint regarding the processing of your personal data by us, you may always contact us via the Data Subject Request Form. If you remain unsatisfied with our response, you are free to file a complaint with the competent data protection authority.
CXG ensures at any time and in all circumstances that an adequate level of technical and organizational security is maintained, in order to protect you from data leaks, including loss, destruction, public disclosure, unauthorised access or misuse. For security reasons, the list of security measures implemented by us is available on first request by the data subject.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
While we use encryption to protect sensitive information transmitted online, we also protect your information offline. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. The computers/servers in which we store personally identifiable information are kept in a secure environment. However, if you become aware of a data breach or suspect one, we ask you to report it immediately by contacting us.
For any further information relating to personal data protection, you can find below useful links:
- Integral text of GDPR (https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016R0679)
- European Data Protection Board website (https://edpb.europa.eu/edpb_en)
- China: Personal Information Protection Law of the People’s Republic of China (http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml)
- Hong Kong: The Personal Data (Privacy) Ordinance (Cap. 486) (https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html)
- UAE: Federal Decree Law No.5 on Combating Cybercrimes (https://elaws.moj.gov.ae/UAE-MOJ_LC-En/00_COMBATING%20CYBERCRIMES/UAE-LC-En_2012-08-13_00005_MarKait.html?val=EL1)
- UAE: The Penal Code (https://elaws.moj.gov.ae/UAE-MOJ_LC-En/00_PENALTIES%20AND%20CRIMINAL%20MEASURES/UAE-LC-En_2015-07-15_00002_Markait.html?val=EL1)
- South Korea: Personal Information Protection Act (https://www.pipc.go.kr/cmt/english/functions/infoCommunication.do)
- Taiwan: Personal Data Protection Act (https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=I0050021)
- Singapore: Personal Data Protection Act and related regulations (https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act)
- Federal Law 152-FZ of 27 July 2006 on Personal Data (https://pd.rkn.gov.ru/)
- The Amendment on the Personal Data Law (http://publication.pravo.gov.ru/Document/View/0001202012300044?_sm_au_=iVV4RHMPRSWDPHTsvMFckK0232C0F)
- Japan: Act on the Protection of Personal Information (https://www.ppc.go.jp/en/legal/)
- UK: The Data Protection Act (https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted)
- Australia: The Privacy Act (https://www.legislation.gov.au/Series/C2004A03712)
- Tunisia: Law n° 2004-63 dated July 27, 2004, on the Protection of Personal Data (http://www.inpdp.nat.tn/ressources/loi_2004.pdf)
- US: New York Privacy Act (https://www.nysenate.gov/legislation/bills/2021/s6701)
- US: California Consumer Privacy Act (https://oag.ca.gov/privacy/ccpa)
- South Africa: Protection of Personal Information Act (https://www.gov.za/documents/protection-personal-information-act#:~:text=The%20Protection%20of%20Personal%20Information,by%20public%20and%20private%20bodies%3B&text=to%20regulate%20the%20flow%20of,provide%20for%20matters%20connected%20therewith)
- Kuwait: Data Privacy Protection Regulation (https://www.citra.gov.kw/sites/en/Pages/regulations.aspx)
- KSA: Personal Data Protection Interim Regulations (https://www.my.gov.sa/wps/portal/snp/content/dataprotection#header2_0)
- Bahrain: Law No. 30 of 2018 with respect to Personal Data Protection (http://www.pdp.gov.bh/en/regulations.html)
- India: Information Technology Act (https://www.meity.gov.in/content/cyber-laws)
- Lebanon: Law No.81 on Electronic Transactions and Personal Data (https://www.bdl.gov.lb/laws/index/5/32/Laws.html)
- Qatar: Law No. (13) of 2016 on Protecting Personal Data Privacy (https://compliance.qcert.org/en/library/privacy)