General Privacy statement CRANIUM

Last update: May 23, 2024

1. Identification of the controller

Your personal data is collected and processed by CRANIUM International Holding NV with registered office at Excelsiorlaan 43/3, 1930 Zaventem, BELGIUM, registered with company number 0666.909.642, including its branches:

  • CRANIUM Belgium NV, with registered office at Excelsiorlaan 43/3, 1930 Zaventem, BELGIUM, registered with company number 0645.867.372;
  • CRANIUM Luxembourg with registered office at 28 Rue de l’Ecole, L-8466 Eischen, registered with company number Luxembourg B 256211
  • CRANIUM UK, with registered office at 8 Northumberland Avenue, London WC2 5BY, registered with company number 13129701
  • CRANIUM Nederland with registered office at Goeman Borgesiuslaan 77, 3515 ET Utrecht, registered with company number: 68949979
  • CRANIUM USA, with registered office at 100 Connell Drive 2nd Floor, Berkeley Heights NJ 07922, registered with company number 0101-0470-89
  • Cingulum Belgium NV, with registered office at De Kleetlaan 4, 1830 Machelen, BELGIUM, registered with company number 1013.844.295

The CRANIUM entities are hereinafter together referred to as “CRANIUM”, “we”, ”us” or “our”.

CRANIUM specialises in mitigating privacy, security and data management risks and provides various services in this regard. In providing these services and, more generally, in our course of business and during our interaction with applicants, prospects, customers, partners and website visitors, whether via the website or via other ways, we may process personal data of natural persons (hereinafter “data subject”, you” or “your”).

CRANIUM commits to process your personal data in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), including any current or future national or international act or regulation in execution or replacement of the GDPR such as the Belgian act of 30 July 2018 on the protection of natural persons concerning the processing of personal data (hereinafter together referred to as “Applicable Data Protection Law”).

2. Scope of the Privacy Statement

This Privacy Statement is applicable to the following data subjects:

  • Applicants
  • Prospects;
  • Customers;
  • Partners; and
  • Website visitors.

This Privacy Statement contains essential information on, inter alia, how CRANIUM, as the data controller, collects and processes your personal data, for what purposes, on what legal basis and it explains your rights as a data subject.

3. Processing of Personal Data

3.1 The reason and legal ground behind processing your personal data

We may process your personal data in the context of the following activities, for the corresponding purposes and based on the stated legal grounds:
Purpose Categories of Personal Data Legal Ground
Managing job applications. Please note that, once you’re hired, the CRANIUM employee privacy statement applies, which will be provided to you in a timely manner. Name, e-mail address, CV, motivation for the job application, content of correspondence and if applicable answers to the quiz. Legitimate interest during the recruitment process Once we’ve made a positive hiring decision: in order to take steps at your request prior to entering into an employment contract
Responding to your request via the website contact form, via e-mail, telephone or letter Name, request, and as applicable: e-mail address, telephone number and/or other contact details or address Necessary for the performance of a contract
Sending out newsletters via e-mail, in order to provide you with relevant information and to keep you up to date with our latest news. Name and email address, interests For existing customers: our legitimate interest (soft opt-in in line with the E-Privacy requirements) For others: consent
Sales and marketing campaigns: informing you about promotions with regard to the products and services CRANIUM provides, and/or providing you with targeted offers via e-mail Name and e-mail address, interests For existing customers: our legitimate interest (soft opt-in in line with the E-Privacy requirements) For others: consent
LinkedIn Document Ads: providing you with the document you requested and informing you about promotions with regards to the products and services CRANIUM provides, and/or providing you with targeted offers via email Name and e-mail address, interests, company name, seniority, job title and location Legitimate interest (soft opt-in in compliance with the ePrivacy directive)
Survey / feedback: assessing, evaluating and improving the services offered to you Name and e-mail address, feedback Our legitimate interests to process your feedback about our services to assess, evaluate and improve them
Events: registering you and allowing you to participate Name, e-mail address, function and organisation, if applicable food preference, food allergies and/or picture/image. Necessary for the performance of a contract Your explicit consent for food allergies Your consent for pictures/image  
Providing our products and services and managing our (customer) relations Name, e-mail address or other contact details. Necessary for the performance of a contract
Managing supplier or partner relations or collaborations Name, email address or other contact details Necessary for the performance of a contract
When the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, you are obliged to provide the personal data. In those cases, if you do not provide (certain) personal data, we may not be able to provide our services or otherwise perform our contractual relation with you.

4. Your Rights as a Data Subject

In certain cases, in accordance with and, where applicable, subject to the restrictions under Applicable Data Protection Law, the data subject may exercise the following rights:

4.1 Right of access

You have the right to obtain from CRANIUM confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, to obtain access your personal data, specific information and to request a copy of this personal data.

4.2 Right to rectification

You have the right to have incorrect personal data corrected, or incomplete personal data completed.

4.3 Right to erasure (“right to be forgotten”)

In certain cases, you have the right to obtain from CRANIUM the erasure of personal data concerning you.

4.4 Right to object

You have the right to object to the processing of your personal data if the processing takes place on the ground of the legitimate interest of CRANIUM or on the ground of the public interest. We will stop the processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can also object to the processing of your personal data of direct marketing purposes, including profiling to the extent that it is relate to such direct marketing, in which case the personal data will no longer be processed for these purposes.

4.5 Right to withdraw consent

You can withdraw your consent at any time for the processing of your personal data by CRANIUM on the basis of your consent. However, the withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4.6 Right to restriction of processing

In certain cases, you are entitled to obtain the restriction of the processing of his or her personal data. In such cases, with the exception of storage, your personal data will only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

4.7 Right to data portability

In certain cases, the data subject has the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format and/or to transmit those data to another controller.

These rights can be exercised free of charge by sending an e-mail to privacy@cranium.eu. We commit to answering your request within the deadlines prescribed by Applicable Data Protection Law.

4.8 Right to lodge a complaint

If you believe that CRANIUM infringes your  data protection rights, you have the right to lodge a complaint with the Belgian Data Protection Authority: Gegevensbeschermingsautoriteit, Drukpersstraat 35, 1000 Brussels, Tel +32 (0)2 274 48 00, e-mail: contact@apd-gba.be.

5. Disclosure to Third Parties

CRANIUM will refrain from disclosing personal data of data subjects to third parties as well as publicly disclosing data subjects’ personal data, unless in the following specific cases:

  • Personal data can be shared between the different branches of CRANIUM for e.g. the performance of our contract or for legitimate business purposes;
  • Personal data can be shared with third party service providers to which CRANIUM outsourced certain processing activities such as cloud or mailing services. To the extent that these third-party service providers act as our processor, they only process your personal data in accordance with our documented instructions and the data processing agreement concluded with them.
  • If and to the extent it is required by applicable law or to comply with a judicial request.

6. International transfers of personal data

In principle, your personal data are only transferred outside the EER in case an adequacy decision applies for this country or recipient. In other cases when we transfer personal data outside the EER, we ensure to have appropriate safeguards and, to the extent required, supplementary measures in place which ensure the adequate protection of your personal data. For more information on these international transfers and/or to obtain a copy of the safeguards in place, please contact privacy@cranium.eu.

7. Retention of your Personal Data

Generally, CRANIUM does not retain your personal data longer than strictly necessary for the realisation of the purposes for which we received the data. The retention periods differ with regards to the type of processing activity and the purpose for which the personal data were collected.

In particular,

  • We process personal data for your job application only as long as required to process your application. In case of a negative hiring decision, your personal data will be removed unless you consent to us retaining your personal data for one year. In case of a positive decision, the CRANIUM employee privacy statement will provide you with more information on the retention periods.
  • We keep personal data about our contract/collaboration for as long as necessary to execute our contract, to comply with our legal obligations (such as accounting and tax obligations) and to resolve disputes or enforce contracts. Therefore, this personal data is retained for the duration of our contractual relationship and for 10 years thereafter.
  • The personal data that we collect on the basis of your consent will be kept as long as your consent remains valid and is not withdrawn.

For more information on the retention periods that we apply, please contact us via the details provided in section 8 below.

8. Contact us

If you have comments, questions, concerns or complaints about this Privacy Statement, or any other issues relating to the processing of your personal data by CRANIUM, please contact us via privacy@cranium.eu.

In the event you prefer to contact us by post, you can do so on the following address: Excelsiorlaan 43/3, 1930 Zaventem, BELGIUM.

9. Updates to our Privacy Statement

We may amend or update this Privacy Statement from time to time to reflect changes in our practices with respect to the processing of your personal data, or changes in applicable law including but not limited to Applicable Data Protection Law. We will be doing this by posting the updated version on the CRANIUM website and by actively informing you to the extent required by applicable law. When we publish changes to our Privacy Statement, we will always change the date and version number of the “last update” of our Privacy Statement. Significant changes will also be reported on our homepage. Nevertheless, we encourage you to read our Privacy Statement periodically.