Privacy & Cookies

Understand how we collect and use personal data.


 

Group Employee Data Privacy

LR RiskSpectrum AB (Subject to change) (“RiskSpectrum”) with registered offices at Stockholm, Sweden is committed to maintaining the principles of integrity and trust with respect to the privacy of Personal Data of their Employees and to comply with all related applicable laws and regulations in particular but not limited to:

The European Regulation (EU) 2016/679 “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing the EU Data Protection Directive” (the “GDPR”) and any implementing legislation enacted by the member states of the European Union (“European Laws”).

As a main principle, employees of RiskSpectrum employed by a RiskSpectrum entity in the European Economic Area (“EEA”) are subject to the GDPR and to local data protection laws. Employees who are employed by a LR RiskSpectrum entity outside the EEA are subject to the data protection laws of the relevant country where they are employed.

RiskSpectrum complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information transferred from the European Union and Switzerland to the United States. RiskSpectrum has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. 

As part of this commitment, RiskSpectrum shall protect the privacy of Personal Data disclosed to its Employees (whether about themselves or their household), as well as Personal Data received by RiskSpectrum from other sources, at all times before, during and after employment.

Subject to all applicable laws and regulations, this Employee Data Privacy General Instruction describes:

  • The nature of Personal Data that Employees generally disclose to RiskSpectrum or that RiskSpectrum may receive from other sources before, during or after employment
  • How RiskSpectrum collects and uses the Personal Data received
  • The rights of Employees regarding their Personal Data

Definitions

“Personal Data” and “Personal Information” are used interchangeably herein and refer to any information that can be used to identify an individual either on its own or in combination with other readily available data (e.g., the individual’s name, title, work location, home address, date of birth, compensation, benefits, or family members).

“Sensitive Data” means Personal Data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, or data which concern health, sex life or sexual orientation.

Please note that Personal Data and Sensitive Data may have different definitions depending on your country.

Personal Data Collected

RiskSpectrum does not collect, use, or disclose Personal Data without the knowledge of the individual from whom the information is collected unless a lawful basis to do so exists.

Personal Data collected by RiskSpectrum is required as a consequence of the contractual relationship with its Employees, to enable RiskSpectrum to carry out its contractual obligations to its Employees. Failure to provide this information may prevent or delay the fulfillment of these obligations.

Subject to applicable laws and regulations, Personal Data collected by RiskSpectrum on Employee(s) may include the following:

  • Name, date of birth, gender, marital status, dependents, nationality, and identification numbers including social security, driver’s license, tax identification and passport numbers, etc.
  • Home and office addresses, phone numbers (home, office and mobile), home and office e-mail addresses, etc.
  • Background information, including education (schools and dates attended, degrees or diplomas obtained), training, work history (names of former employers, dates of employment, and compensation information), military and veteran status, etc.
  • Medical information, including personal contact, health information, etc.

  • RiskSpectrum work history, experience, competences, training, compensation information (including salary, bonus, options, and benefits), employment performance, etc.

 

Use of Personal Data


 

3.1. Purpose and Lawful Basis of the Processing

RiskSpectrum collects and uses the Personal Data disclosed by the Employees, or received from other sources, in the context of their employment within RiskSpectrum.

RiskSpectrum collects and uses the Personal Data of its Employees for the execution of their employment contract, to comply with its legal obligations, and for the purposes of the legitimate interests of RiskSpectrum.

Failure to provide Personal Data may prevent or delay the fulfillment of these obligations.

RiskSpectrum collects and uses Personal Data about Employees prior to and throughout employment for the following purposes: to carry out and manage business operations, for staffing assessment and career development purposes (e.g., talent management), to provide remuneration, benefits, and other services such as international mobility, traveling arrangements, and more generally to comply with its legal obligations in its quality of employer.

Sensitive Data shall be processed only where required by local law and only where there is a legitimate purpose for RiskSpectrum in doing so.

3.2. Recipients of Personal Data

To fulfill the purposes mentioned in Article 3.1. of the Employee Data Privacy General Instruction, RiskSpectrum may disclose Personal Data collected on an Employee to other Employees who reasonably need to receive such Personal Data to perform their duties. In addition, RiskSpectrum may disclose Personal Data to third parties on a limited and as-needed basis, including without limitation and for example, third parties who advise RiskSpectrum on compensation and benefit programs and/or administer such programs for RiskSpectrum, or as otherwise required by law or detailed in this Employee Data Privacy General Instruction.

RiskSpectrum has implemented a Third-Party Data Privacy Policy that requires such third parties to sign a written agreement that requires them to maintain the confidentiality of Personal Data and prohibits them from disclosing Personal Data to any other person or entity or using such data for any purpose other than that which RiskSpectrum has engaged them to provide as described in the said agreement, except with certain licensed professionals, such as doctors and lawyers, or in the circumstances below mentioned or in case specific laws and/or regulations do not require so.

In certain circumstances, RiskSpectrum may be requested or required to disclose Personal Data in response to valid legal process or under applicable laws and/or regulations. Such circumstances may include a search warrant, subpoena, court order or other request from a government or regulatory authority or agency, including to meet national security or law enforcement requirements. RiskSpectrum reserves the right to disclose such information in response to any such legitimate government or regulatory request or requirement.

RiskSpectrum may also disclose Personal Data during emergency situations, including without limitation if the physical safety of an Employee or others is believed to be at risk, or to notify family members or government agencies of the location or condition of the Employee.

RiskSpectrum does not disclose Personal Data to any person or entity for marketing purposes, and absolutely does not sell, rent, or license Personal Information to others.

3.3. International Transfer of Personal Data

Subject to applicable laws and/or regulations, Personal Data may be transferred to any country in the world where RiskSpectrum does business, including countries where privacy laws may be more or less protective than the privacy laws where an Employee lives or works.

In particular, RiskSpectrum may transfer Personal Data of Employees located in the EEA to countries located outside the EEA. Where appropriate, RiskSpectrum will ensure that Employees are informed of such transfer and that appropriate transfer mechanisms are in place.

3.4. Onward Transfer and Choice

RiskSpectrum does not intend to disclose or use Personal Data in a manner not described herein. However, should at any time RiskSpectrum have a need to disclose or use Personal Data in a way that is incompatible with the purpose for which it was collected, RiskSpectrum will provide Employees with information relating to this purpose and will offer each Employee a choice whether or not to allow such disclosure or use of that Employee’s Personal Data.

In this situation, Employee’s consent must be received in writing (or a legally equivalent electronic form) before RiskSpectrum disclosure or use of Personal Data in this manner. If an Employee does not consent to such disclosure or use, RiskSpectrum shall take reasonable measures to remove that individual’s Personal Data before the data is disclosed or used in such a manner.

When the processing of Personal Data is outsourced to a third party, RiskSpectrum will select reliable third parties and processing will be subject to written agreements between RiskSpectrum and said relevant third parties. In addition to the provisions provided in Article 3.1. of the Employee Data Privacy General Instruction, the written agreements shall specify that the third party has at least the same adequate level of security measures in place as those implemented by RiskSpectrum and will only process personal data as per the specific written instructions of RiskSpectrum and only for the purpose(s) described in the said agreement. RiskSpectrum shall be held liable in case the third party does not process the Personal Data in an appropriate manner.

3.5. Personal Data Security

RiskSpectrum maintains appropriate technical and organizational measures to process Personal Data on Employees in a secure-access environment and in a manner that complies in all material respects with applicable laws and/or regulations and industry standards to guard Personal Data against loss, destruction, misuse, improper disclosure, and unauthorized access or modification (e.g., encryption, server backups, System Architecture Validation process in place).

3.6. Personal Data Retention Period

Personal Data is not kept for longer than necessary to fulfill the purpose for which it was collected. Personal Data will generally not be retained longer than the term of your employment relationship with RiskSpectrum unless there is any legal or regulatory provision requiring otherwise.

3.7. Personal Data Accuracy

RiskSpectrum relies on the accuracy and integrity of its Employees’ Personal Data in order to comply with its business obligations. RiskSpectrum expects its Employees to inform it of any changes to their Personal Data such as changes to contact information, address, marital status, or any information affecting benefits or services provided by RiskSpectrum.

3.8. Rights Over Personal Data

Employees have a right to request access to their Personal Data and to request the rectification of any incorrect or incomplete data. Employees also have the right to data portability, to request the erasure of their Personal Data, to restrict the processing of their Personal Data, as well as to object to their processing by RiskSpectrum, unless RiskSpectrum demonstrates compelling legitimate grounds. Employees who are not satisfied with the way RiskSpectrum processes their Personal Data have the right to lodge a complaint with the competent data protection authority.

Should the Employees have any request for assistance regarding the exercise of their rights as above mentioned, the Employees shall contact their HR manager and/or use the following internal e-mail address: RiskSpectrum. RiskSpectrum will allow an Employee to review his/her Personal Data. However, in certain limited circumstances, RiskSpectrum may not be able to provide Employees with access to all their Personal Data where such refusal is permitted or required by applicable law or regulation.

Subject to all applicable laws and regulations, should any Personal Data concerning an Employee be found no longer needed, to be inaccurate or incomplete, or if the Employee has withdrawn consent, RiskSpectrum will take reasonable steps to erase, correct or update the information it maintains unless RiskSpectrum has a legitimate reason not to do so.

These rights can vary depending on your country. Please consult your local HR manager for a list of your rights under applicable data protection and employment law.

Enforcement and Recourse

As a general principle, RiskSpectrum is committed to resolving complaints about collection and/or use of Personal Information.

Any inquiry or complaint regarding this Employee Privacy General Instruction can be referred to Sales.riskspectrum@lr.org, to the Group VP Compliance Officer, to the Ethics Committee, or to the local Privacy Officer in the country where it is mandatory to have one, who shall alert the Group VP Compliance Officer.

In compliance with the European Laws, RiskSpectrum will strive to acknowledge any complaint or enquiry and to take all appropriate action to remedy any such issue within one (1) month of receipt. However, if RiskSpectrum is unable to satisfactorily resolve the issue, RiskSpectrum will inform the Employee of the reasons preventing the implementation of measures to resolve such issue. As mentioned above in Article 3.8, the Employee has also the possibility to lodge a complaint to the EU local data protection authorities (DPAs). To contact the DPAs directly, please visit: ec.europa.eu/newsroom/article29/

  • Under the GDPR, Employees who consider that the processing of their Personal Data infringes their rights have the right to an effective judicial remedy.
  • In the context of the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework Certification with the Department of Commerce, RiskSpectrum is subject to the investigatory and enforcement powers of the Federal Trade Commission.

Pursuant to Privacy-Shield Frameworks, an individual has the possibility under certain circumstances to invoke binding Arbitration.

Changes to this Group Employee Privacy General Instruction

RiskSpectrum reserves the right to make changes to this Employee Data Privacy General Instruction from time to time in order to reflect changes in legal or regulatory obligations, or changes in the manner in which the Personal Data are managed.

 

Third-Party Privacy Policy


 

Summary

This Third-Party Privacy Policy describes the manners in which RiskSpectrum and all LR RiskSpectrum AB (Subject to change) affiliates (“RiskSpectrum”), as the data controller, collect, use, and protect Personal Data received from Third Parties and/or Personal Data from its Employees transferred to Third Parties.

RiskSpectrum agrees to comply in all material respects with all applicable privacy laws, rules, and regulations, including but not limited to: (i) the European Regulation (EU) 2016/679 “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the EU Data Protection Directive” (the “GDPR”) and any implementing legislation enacted by the member states of the European Union (“European Laws”).

RiskSpectrum complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information transferred from the European Union and Switzerland to the United States. RiskSpectrum has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

Affiliates (and their employees) shall not be considered as Third Parties for the purpose of this Third-Party Policy. A separate Group Employee Data Privacy General Instruction applies to RiskSpectrum employees (including the third-party employees subcontracted to RiskSpectrum, “the Employees”).             

Third Parties include applicants, clients, subcontractors, vendors/suppliers, investors, insurers, and visitors to RiskSpectrum website (such parties referred to herein individually as a “Third Party” or collectively as “Third Parties”).

By providing Personal Data as below defined to RiskSpectrum, Third Parties consent to the disclosure and/or collection and use of information as set forth herein unless otherwise required.       

Definition 

“Personal Data” and “Personal Information” are used interchangeably herein and refer to information that can be used to identify a Third Party either on its own or in combination with other readily available data (e.g., the individual’s name, title, work location, home address, date of birth, compensation, benefits, or family members).

“Sensitive Data” means Personal Data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, or data which concern health, sex life or sexual orientation.

Please note that Personal Data and Sensitive Data may have different definitions depending on your country.

Personal Data Collected

RiskSpectrum collects Personal Data entered by Third Parties on RiskSpectrum website or through cookies used by RiskSpectrum as specified below, or given in any other way, such as writings or phone calls during any transactional or administrative communications.

Subject to applicable laws and regulations, Personal Data and/or Personal Information collected may include, but is not limited to, the following:

  • Personal Data such as date of birth, gender, marital status, and identification numbers including social security, driver’s license, tax identification, passport numbers and resume.
  • Contact information such as name, company name, address, phone number, fax number and e-mail address
  • Financial and billing information such as billing name and address, payment information (which might include credit card and/or bank account information)
  • Additional information such as title, department name, fax number and additional company information, such as shareholder names, annual revenues, number of employees or industry

Intended Use of Personal Data

Purpose and Legal Basis of the Processing

RiskSpectrum uses Personal Information collected from Third Parties for the purposes of RiskSpectrum operations and activities management, training programs, and recruiting job applicants.

RiskSpectrum collects and uses the Personal Data of Third Parties for the execution of its contracts with them, to comply with its legal obligations, on the basis of Third Parties’ consent and for the purposes of the legitimate interests of RiskSpectrum.

Failure to provide this information may prevent or delay the fulfillment of these obligations.

RiskSpectrum processes Third Parties’ Personal Data on the following legal basis:

  • Performance of a contract – the use of Third-Party Personal Data may be necessary to perform the contract that you have with us
  • Legitimate interests – RiskSpectrum may use Third-Party Personal Data for its legitimate interests, as for example to improve our products and services
  • Consent – RiskSpectrum will rely on Third Parties’ consent to use Personal Data for marketing purposes
  • Legal obligation – to comply with RiskSpectrum legal obligations

Sensitive Data shall be processed only where required by local law and only where there is a legitimate purpose for RiskSpectrum in doing so.

Recipient of Personal Data

To fulfill the purposes mentioned in Article 4.A of the Third-Party Privacy Policy, RiskSpectrum may disclose Personal Data to Third Parties on a limited and as-needed basis, including without limitation for example, services providers who advise RiskSpectrum on compensation and benefit programs or administer such programs for RiskSpectrum, insurers, or as otherwise required by law or detailed in this Third-Party Privacy Policy.

In the event that RiskSpectrum or any portion of its assets are acquired, sold, or transferred, RiskSpectrum may disclose Personal Data with the company involved to perform the operation and complete the transition, on a limited basis in compliance with applicable law.

In certain circumstances, RiskSpectrum may be requested or required to disclose Personal Data in response to valid legal process or under applicable laws and/or regulations. Such circumstances may include a search warrant, subpoena, court order or other request from a government or regulatory authority or agency, including to meet national security or law enforcement requirements. RiskSpectrum reserves the right to disclose such information in response to any such legitimate government or regulatory request or requirement.

RiskSpectrum does not disclose or sell any Personal Data received from a Third Party (individual or legal entity) for marketing or any other commercial purpose.

International Transfer of Personal Data

Subject to applicable laws and/or regulations, Personal Data may be transferred to any country in the world where RiskSpectrum does business, including countries where privacy laws may be more or less protective than the privacy laws where a Third Party is located.

In particular, RiskSpectrum may transfer Personal Data of Third Parties located in the European Economic Area to countries located outside the European Economic Area. Where appropriate, RiskSpectrum will ensure that Third Parties are informed of such transfer and that appropriate transfer mechanisms are in place.

Onward Transfer and Choice “Opt In – Opt Out”

RiskSpectrum does not intend to disclose or use Personal Data received from a Third Party in a manner not described herein. However, should at any time RiskSpectrum need to use Personal Data for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-agent Third Party, RiskSpectrum will provide individuals with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to: Sales.riskspectrum@lr.org

If Personal Data that qualifies as Sensitive Data is to be used for a new purpose that is different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a Third Party, RiskSpectrum will obtain the Third Parties’ explicit consent prior to such use or disclosure, except if the use or disclosure is in the vital interests of the Third Party or another person; necessary for the establishment of legal claims or defenses; required to provide medical care or diagnosis; necessary to carry out RiskSpectrum obligations in the field of employment law; or related to data that are manifestly made public by the individual.

If the Third Party does not consent explicitly to such disclosure or use, RiskSpectrum will take all reasonable measures to remove the Third Party’s Personal Data from the intended disclosure or use.

The same principles apply for the Personal Data received from Employees that is anticipated to be disclosed and/or used to a Third Party as described in the Employee Privacy General Instruction above referred to.

When the processing of Personal Data is outsourced to a Third Party processor, RiskSpectrum will select reliable Third Parties, and data processing will be subject to a written agreement between RiskSpectrum and the relevant Third Party processor. This written agreement will require that the Third Party processor: (i) has at least the level of security measures in place as those implemented by RiskSpectrum, and (ii) will process Personal Data in strict compliance with RiskSpectrum specific written instructions only for the purpose(s) mentioned in the said agreement. RiskSpectrum shall be liable in case the Third Party does not process the Personal Data in an appropriate manner.

Personal Data Security

RiskSpectrum maintains appropriate technical and organizational measures to process Personal Data collected from Third Parties in a secure-access environment and in a manner that complies in all material respects with applicable laws and industry standards to guard Personal Data against loss, destruction, misuse, improper disclosure, and unauthorized access or modification. These safeguards are routinely tested internally and periodically audited by outside firms.

Personal Data Retention Period

Personal Data is not kept for longer than necessary to fulfill the purpose for which it was collected. Personal Data will generally not be retained longer than the term of Third Parties’ contractual relationship with RiskSpectrum unless there is any legal or regulatory provision requiring otherwise.

Personal Data Accuracy

RiskSpectrum relies on the accuracy and integrity of Third Parties’ Personal Data in order to comply with its business obligations. RiskSpectrum expects Third Parties to inform it of any changes to their Personal Data, such as changes to contact information, address, or any information affecting benefits or services provided by RiskSpectrum.

RiskSpectrum makes reasonable efforts to ensure that the Personal Data it collects and maintains is reliable for its intended use, and is accurate and complete for the purposes for which it was collected.

Rights Over Personal Data

Third Parties have a right to request access to their Personal Data and to request the rectification of any incorrect or incomplete data. Third Parties also have the right to data portability, to request the erasure of their Personal Data, to restrict the processing of their Personal Data, as well as to object to their processing by RiskSpectrum, unless RiskSpectrum demonstrates compelling legitimate grounds. Third Parties which are not satisfied with the way RiskSpectrum processes their Personal Data have the right to lodge a complaint with the competent data protection authority.

Should a Third Party have any request for assistance regarding the exercise of their rights as above mentioned, the Third Party shall use the following e-mail address: Sales.riskspectrum@lr.org

RiskSpectrum will allow a Third Party to review the Third Party’s Personal Data that RiskSpectrum stores and maintains about that Third Party in his or her personnel file, including information relevant to the use and disclosure of that person’s Personal Data. However, in certain limited circumstances RiskSpectrum may not be able to provide a Third Party with access to all of his or her Personal Data where such refusal is permitted or required by applicable law or regulation.

Subject to all applicable laws and regulations, should any Personal Data concerning a Third Party be found to be no longer needed, to be inaccurate or incomplete, or if a Third Party has withdrawn consent, RiskSpectrum will take reasonable steps to erase or correct or update the information it maintains unless applicable laws or regulations exempt RiskSpectrum from doing so.

These rights can vary depending on your country.

Website

An individual can access RiskSpectrum website without providing any Personal Data. However, should you choose, you may provide us with certain Personal Data. RiskSpectrum may use this information:

  • To correspond with you
  • To allow you to participate in features or services we offer on this website
  • To provide you with a subscription or newsletter
  • To transmit your resume within RiskSpectrum for possible employment opportunities

If you subscribe to any service provided by RiskSpectrum through RiskSpectrum website or otherwise, and you wish to terminate that subscription and have all Personal Data about you removed from any list we maintain, please contact RiskSpectrum by sending an e-mail to Sales.riskspectrum@lr.org, informing us of your request. We will promptly make reasonable efforts to remove all Personal Data about you from our data banks. In addition, e-mail communications from RiskSpectrum inform the recipient how to stop receiving further communication.

RiskSpectrum does not automatically log Personal Data about visitors to our website. RiskSpectrum does not use cookies to store Personal Data, nor does RiskSpectrum link non-Personal Data stored in cookies with Personal Data about specific individuals. We may collect certain non-Personal Data from a visitor to our website such as what browser was used, what pages were accessed, and the Internet address of the service provider in order to compile statistics and analyze this data for trends.

Use of Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.

Email us to request deletion of personal information or update your contact preferences: Sales.riskspectrum@lr.org 

RiskSpectrum website uses the following cookies to understand how the site is being used in order to improve the user experience.