We are very proud to be UKAS ISO 27001 and ISO 9001 certified. Please call us if you would like to review our documentation.
To protect your privacy:
We do not share your data with anybody outside your company.
We keep your data encrypted on UK servers, unless directed otherwise by your company.
The ONLY sensitive personal data we use for our 360° Feedback and Opinion surveys are your name and your company email address.
Your company may wish to include other data.
We are proud to be GDPR compliant and all our staff are trained to treat your personal data with care and confidentiality. Please feel free to download our GDPR Summary statement.
… or read more on our blog post “We care about your data!”
CR Systems are registered on the UK Data Protection register ZA066642.
“Cookies” are small data files that are written to and stored on your hard drive when you visit a web site. They do not read files on your hard drive.
Most web browsers allow the user to be notified upon the proposed installation of a cookie and the user can then decline the cookie. Even if you decline the cookie, you may continue to use our entire web site.
We use data and information received from our cookies for marketing purposes and to improve our on-line offering of services and products. We may also do so to evaluate our site’s technical capacity and to review the navigational structure of our site, e.g., to revise or restructure our web site for easier and more intuitive movement throughout.
Currently, the data and information we collect with cookies is only reviewed in an aggregated form, which is not personally identifiable. In the future, however, we may correlate the data and information received from cookies with personally identifiable information, to identify specific users and track their web site usage. This personally identifiable information will be limited to contact information, such as the user’s name, address, phone number, fax number, and e-mail address. Our use of this combined information will continue to be solely for the purposes stated above with respect to information collected through cookies.
We also review data and information contained in log files located on our web server, which record the date and time of each visit to our web site, the user’s IP (internet protocol) address, the referring IP address or domain (the prior web site visited), and the files viewed on our web site (including HTML pages, graphics, etc.). We use log file information to analyze data in the aggregate to determine the trends and usage of our site. We cannot correlate the log data to identify specific users.
We do not, and will not, disclose, sell, rent or share any information derived from log files with any third parties.
Voluntarily Provided Information
Voluntarily provided information is used to send you announcements of new products, updates, and promotional information, as well as to provide the services or goods that you request and give you better customer service. We share personally identifiable information with our Affiliates, as well as with our third-party business partners, sales representatives and distributors (collectively, “Partners”) who may provide the requested goods or services to you directly or otherwise contact you directly. Moreover, we rely on various third-party service companies (“Service Companies”) to provide certain services (e.g., shipping, credit card billing) for which it is necessary to provide users’ personally identifiable information.
Collection of Data & Information by Our ISP
Our Internet Service Provider (ISP) also collects certain information about your visit. It is the same information contained in a log file that we collect and analyze, i.e., the date and time of the visit, the user’s IP (internet protocol) address, the referring IP address or domain, and the files viewed on our web site (including HTML pages, graphics, etc.). In addition, our ISP has access to back-up files containing the personally identifiable information that you voluntarily provide (even if your input fails). The ISP does not disclose, share, release, publish, disseminate, rent, or sell any personally identifiable information to any third parties, but does use the log files to analyze data in an aggregate form, which is not personally identifiable information.
Links to Third-Party Web Sites
Through our web pages, you may connect to third parties’ web sites via hyperlinks, and the connections may or may not be obvious. We are not responsible for the collection, use, maintenance, sharing, or disclosure of data and information by such third parties. We encourage our users to be aware of the varied privacy policies of web sites that they visit.
Required Disclosures of Data & Information
Maintenance & Transmission of Data & Information
Although we use reasonable efforts to maintain the privacy of your personally identifiable data and information, due to technological limitations, and the risk of unlawful interceptions and accessing of transmissions and/or data, we cannot completely assure you, and you should not expect, that your personally identifiable data and information, and any other electronically communicated information, will be absolutely confidential.
For all e-commerce transactions, we use industry-standard commercial encryption technology to protect the data and information that you transmit to us via our web site. Although this technology is not flawless, we believe that it provides reasonable protection for your data and information. We will endeavor to update our protective devices as encryption technology develops further.
Once received, personally identifiable information is protected from outside CR360 by “firewalls,” and access within CR360 is generally limited to the sales, marketing, and information technology departments. We also seek to require our Affiliates, Partners and Service Companies to exercise reasonable efforts to maintain the confidentiality of your information.
Your Right to Review & Modify Data & Information
You have the right, at any time, to review and/or modify any of your personally identifiable information that you provide during registration, or any other voluntarily provided information. You may also remove yourself from our active databases of e-mail lists. To do so, you should send an e-mail to [email protected] requesting that (a) we provide a copy of your profile of personally identifiable information, (b) we update or modify certain personally identifiable information, or (c) you be removed from our databases of active e-mail lists. We will endeavor to comply with your request as soon as reasonably possible. To protect your confidentiality, we can only send a requested profile to the e-mail address listed in the profile. In any event, our back-up files will maintain copies of your personally identifiable information. We reserve the right to contact former customers or users of the web site from time to time.
Users Under 13
This web site is not directed at children under the age of 13. If you are younger than 13, please do not provide any personally identifiable information in connection with your use of the web site.
We reserve the right to transfer any and all information that we collect from our visitors to a third party in the event that we sell or transfer substantially all of our assets related to the web site to such third party.
GDPR Summary Statement
We process data specifically for our clients’ internal use. We do not process or share any of our clients’ data for any other purpose or with any other source unless directed by the client. We hold very little personal data, usually the minimum level in terms of sensitivity.
The level of personal data that we need to maintain our service is generally considered to be among the lowest of categories in terms of sensitivity. To be specific we hold:
Core Data (360° Feedback only; for opinion-based surveys this data is optional)
• Individual name
• Individual email address
• Working relationship to some other members of the client organisation
• Raw scores and written feedback
Optional Data (depending entirely on client requirement)
• Other demographics as defined by client need
Data Location and Security
We hold the data on secure, encrypted databases within the UK.
The data is duplicated in geographically separate locations and replicated in real time to ensure the fastest possible restoration of availability in cases of significant breakdown.
The client has the option to define and locate the data servers to wherever they wish based on their operational requirements. Raw data and processed data (360 Reports etc) are held on separate databases.
Data is exported only to those countries specifically requested by the client as part of their operating remit.
Processed data is deleted automatically after use. Report files (PDF files) that are generated from the processed data are deleted immediately after delivery unless specifically requested by the client.
Raw data is held for a period of 12 months on our operational servers, and then archived for a time period agreed with the client but no longer than seven years. Our default position is to delete any reports/analysis immediately from our database upon delivery to the client. The raw data is kept for 12 months and then deleted.
The data collected is assumed to be authorised by the individual as part of the contract of employment between the individual and the client. It is the client’s responsibility to inform the individual how their data will be used (different clients use the data in different ways).
In addition we can support this by adding an option (client decision) for each individual to be informed both online and in any correspondence of the use of their data and then given the option to actively opt in to the process before providing any data.
It is a moot point as to whether 360° Feedback is a form of Data Profiling. It does not predict any future behaviours from the individual concerned, and in terms of analysis it simply reports and compares the views of others.
It should always be remembered that 360° Feedback has very limited validity and reliability beyond its Face Validity. It is therefore the responsibility of the client to manage appropriately any data profiling processes that may ensue from the collection and analysis of the data.
In opinion-based surveys there is a greater degree of profiling; however, all personal data is always aggregated, and minimum levels of display are agreed with the client to protect the anonymity and confidentiality of the individual personal data involved.
All our staff are trained twice a year and are aware of their responsibility in terms of individual data protection and the processes we use to protect both individual and corporate data. As from April 2018 the training will specifically include a GDPR update section so that staff are kept updated on any material changes in their obligation to the protection of our clients’ and their employees’ personal data.
Data Controllers and Processors
The Data Protection Officer (DPO) for CR Systems is the Managing Director. All Data Processors are vetted by either the DPO or an appointed Data Controller, who also takes responsibility for all training of Data Processors.