Charles River EU/Swiss-US Safe Harbor Privacy Policy
Last Revised: October 1, 2012
This Safe Harbor Privacy Policy ("Policy") sets forth the privacy principles Charles River Systems, Inc. ("Charles River" or the "Company") and its affiliates follow with respect to covered personal information identified below that is transferred from its offices in the European Union ("EU"), European Economic Area ("EEA") and Switzerland to the United States ("US"):
(i) Personal Information of European-based current and former Charles River employees and prospective employees, maintained by Charles River in its databases and files;
(ii) Personal Information of Charles River's customers' European-based employees, customers, or other parties that have communicated such Personal Information to the customers, contained in electronic records maintained and processed by Charles River on behalf of its customers.
Safe Harbor Privacy Principles
The U.S. Department of Commerce and the European Commission have agreed on a set of data protection principles and FAQs ("Safe Harbor Principles") to enable U.S. companies to satisfy the requirement under European Union law that adequate protection be given to personal data of data subjects transferred from EU countries to the U.S. The U.S. Department of Commerce and the Federal Data Protection and Information Commission of Switzerland also agreed on a U.S.-Swiss Safe Harbor Framework ("Safe Harbor Framework"). As explained below, Charles River complies with these Safe Harbor Principles and the U.S.-Swiss Safe Harbor Framework with respect to Personal Information to the extent it is the "controller" of such Personal Information under the EU Data Protection Directive and the Swiss Federal Law on Data Protection ("FDLP"):
- Notice: Charles River will notify data subjects about the purposes for which it collects and uses their Personal Information. Individuals may contact Charles River's Risk Manager using the contact information provided below with any inquiries or complaints or to request information about the types of third parties (other than third-party processors) to which it discloses the Personal Information and the choices and means it offers for limiting use and disclosure of Personal Information.
- Choice: Charles River will give data subjects the opportunity to choose (opt-out) whether their Personal Information may be disclosed to a third party (other than third-party processors) or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.
- Transfers to Third Parties: When Charles River transfers Personal Information to a third-party processor, it will ensure that the third party: (a) subscribes to the Safe Harbor Principles, (b) is subject to the EU Data Protection Directive, another EU finding, or the FDLP that its privacy practices are adequate, or (c) enters into a written agreement with Charles River requiring that the third party provide at least the same level of privacy protection as is required by the Safe Harbor Principles and the Safe Harbor Framework.
- Access: Data subjects are given access to their Personal Information held by Charles River and are able to correct, amend, or delete that information where it is inaccurate, except (a) where the burden or expenses of providing access would be disproportionate to the risks to the individual's privacy in the case in question, (b) where the rights of persons other than the individual would be violated, or (c) as otherwise permitted by the Safe Harbor Principles, the Safe Harbor Framework precedent or FAQs of the U.S. Federal Trade Commission or U.S. Department of Commerce, or any other applicable law, rule, or regulation. Individuals seeking to access their Personal Information held by Charles River should contact Charles River's Risk Manager using the contact information provided below.
- Security: Charles River takes reasonable precautions to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
- Data Integrity: The Personal Information Charles River collects is relevant for the purposes for which it is to be used. Charles River takes reasonable steps to ensure that such Personal Information is reliable for its intended use, accurate, complete, and current.
- Enforcement: Charles River conducts annual self-assessments of its relevant privacy practices to ensure adherence to this Policy. Any questions or concerns regarding the use or disclosure of Personal Information should be directed to Charles River's Risk Manager using the contact information provided below. Charles River will investigate and attempt to resolve complaints and disputes regarding processing and disclosure of Personal Information in accordance with the principles contained in this Policy. For complaints resolved internally, Charles River's remedy or, if necessary, sanctions will be reasonable and sufficient corrective action to resolve the complaint, including correcting any Personal Information, using Personal Information consistent with the Safe Harbor Principles and the Safe Harbor Framework, reversing or correcting the effects of non-compliance, and assuring that future processing of Personal Information will be in conformity with the Policy, including the Safe Harbor Principles and the Safe Harbor Framework. Complaints that cannot be resolved between Charles River and a European-based employee or prospective employee regarding his or her Personal Information will be handled either by an independent dispute resolution provider, such as BBB EU Safe Harbor program, the relevant EU or Swiss Data Protection Authority, a panel established by the European Data Protection Authorities, or the U.S. Federal Trade Commission, as appropriate consistent with the Safe Harbor Principles and the Safe Harbor Framework. Any employee that Charles River determines to be in violation of this Policy is subject to disciplinary action, up to and including termination of employment.
Data Processor and Other Limitations
In some cases, Charles River may process Personal Information on behalf of its customers and in accordance with their instructions, such as when Charles River is providing hosting services for its customer. In such cases, the customer, not Charles River, is acting as the data controller and is therefore the entity that is subject to compliance with European data protection requirements with respect to such Personal Information; Charles River's obligation to adhere to the Safe Harbor Principles and the Safe Harbor Framework in such instances would be correspondingly limited. For details concerning Charles River's customers' policies regarding this Personal Information and details of how to access the information, please refer to the privacy policy of the Charles River customer on whose behalf the data is being processed by Charles River.
Charles River may disclose such Personal Information (a) to a customer on whose behalf the Personal Information is processed; (b) to the customer's authorized affiliates; (c) to third parties designated by the customer or by an authorized affiliate; (d) as otherwise authorized by the customer; (e) in compliance with any applicable law, rule, regulation, or government or court order; or (f) if Charles River determines in its good faith judgment that such disclosure is necessary to provide its services to a customer or to an authorized affiliate of a customer.
Charles River's adherence to the Safe Harbor Principles and the Safe Harbor Framework may be further limited to the extent required to respond to a legal or ethical obligation and to the extent permitted by any applicable law, rule, or regulation.
Contact Information:
Questions or comments about this Policy should be directed to:
Charles River Risk Manager
Email:
riskmanager@crd.com
7 New England Executive Park
Burlington, MA 01803
USA
Changes to the Policy
This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles and the Safe Harbor Framework. Changes to this Policy will be effective upon posting to this web site.