Cision Ltd. Global Data Protection Policy
1 Introduction
1. Cision is a global communications group of companies that enables our customers to identify and connect with influencers, distribute meaningful marketing communications to those influencers, and measure the impact of those communications. Our products and services operate under a number of different brands, including Cision, Gorkana, PR Newswire, Hors Antenne, Data Presse, Argus De La Presse, CEDROM, Profnet, HARO and Prime. Details about the products and services can be found at www.cision.com.
1.1 At Cision we firmly believe that everyone has the right to ensure that their personal data is treated correctly. As an international organization we are committed to ensuring that we comply with the European General Data Protection Regulation 2018 ("GDPR") and other regulations of the countries in which we operate, and that all of our staff, customers, and influencers can expect high standards when it comes to looking after their personal data.
1.2 This policy sets out some general principles that we expect all our staff (including employees, contractors, interns and temporary staff) to follow whenever they handle personal data. It should be read together with more specific policies and guidance listed at section 18 of this policy.
1.3 This policy explains:
1.3.1 The status of the policy and who you should speak to if you have any questions about it or are concerned about how any personal data is being handled.
1.3.2 The key terms that are used in data protection law that we refer to in the policy and other policies.
1.3.3 The principles that we will follow when processing personal data.
2 Scope
2.1 Cision Ltd. is made up of different legal entities, details of which can be found here. This policy applies to all entities within Cision Ltd.
2.2 All Cision Group employees are obliged to comply with this policy when processing personal data on Cision's behalf. Any breach of this policy may result in disciplinary action.
2.3 This policy applies to all processing of personal data by Cision, whether that processing is electronic (including e-mail and electronic documents) or where it is held in manual files that are structured in a way that allows ready access to information about particular individuals.
2.4 This policy has been designed to establish a worldwide standard for the processing and protection of personal data by all entities within Cision Ltd. Where national law imposes a requirement which is stricter than that imposed by this policy, the requirements in national law must be followed. Where national law imposes a requirement that is not addressed in this policy, the relevant national law must be adhered to.
3 Who to contact about data protection
3.1 The Data Protection Officer is responsible for ensuring compliance with data protection laws and with this policy. The Data Protection Officer may be contacted at Privacy@cision.com.
3.2 If you consider that the principles set out in this policy have not been followed in respect of any personal data Cision processes you should raise the matter with the Data Protection Officer.
3.3 For the purposes of data protection laws, the Data Controller will be the relevant Cision Ltd. entity that determines the purposes and means of processing of the personal data concerned.
4 Definition of Data Protection Terms
| Term | Definition |
| --- | --- |
| Personal Data | Means data relating to a living individual who can be identified from that data (or from that data and other information in our possession) by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Data Subject | Data subjects for the purpose of this policy include all living individuals about whom we hold personal data. Data subjects will include our own employees, the influencers in our media database, and the individual account contacts at our customers. |
| Data Controller | A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The relevant Cision entity is the data controller of personal data related to its employees and its customers, and also of the personal data of the influencers on the Media Database. Our customers will be the data controller of any influencer personal data that they entrust to us in the course of providing services to them, and we are a data processor of such data. |
| Process, Processed and Processing | Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. Operations performed may include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Data Processors | A natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller. Cision is a data processor of any influencer personal data that our customers entrust to us in the course of providing services to them. We process that personal data on their behalf. |
| Consent | Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
| Special Categories of Data | Personal data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. |
| Third Country | Any country not recognized as having an adequate level of legal protection for the rights and freedoms of data subjects in relation to the processing of personal data. |
| Third Party | An external organization or individual with which/whom Cision conducts business. |
| Profiling | Any form of automated processing of personal data where personal data is used to evaluate specific or general characteristics relating to an identifiable natural person, in particular to analyse or predict certain aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| Encryption | The process of converting information or data into code, to prevent unauthorized access. |
| Pseudonymisation | Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a "key" that allows the data to be re-identified. |
| Anonymisation | Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person. |
5 Data Protection Principles
5.1 All Cision staff processing personal data (and that is likely to be most staff to some degree or other) must comply with the data protection principles set out below. Ultimately, where a Cision Ltd. entity is the data controller, it is that entity's responsibility to ensure that this happens, but to ensure that it does, all of Cision's employees are expected to follow these principles whenever they are dealing with somebody's personal data, whether that is personal data about an employee, customer, supplier, influencer, other media contact, or anyone else.
5.2 The following data protection principles govern Cision's collection, use, retention, transfer, disclosure and destruction of personal data:
| Principle | Name | Description |
| --- | --- | --- |
| Principle 1 | Lawfulness, Fairness and Transparency | Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. |
| Principle 2 | Purpose Limitation | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. |
| Principle 3 | Data Minimization | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. |
| Principle 4 | Accuracy | Personal data shall be accurate and kept up to date. |
| Principle 5 | Storage Limitation | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. |
| Principle 6 | Integrity & Confidentiality | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage. |
| Principle 7 | Accountability | The data controller shall be responsible for, and be able to demonstrate compliance with, the principles set out above. |
Principle 1: Lawfulness, Fairness & Transparency
5.3 Under principle 1, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means that Cision must tell the data subject what processing will occur (transparency), the processing must match the description given to the data subject (fairness), and it must be for one of the purposes specified in the applicable data protection regulation (lawfulness).
5.4 In general, 'transparency' and 'fairness' require Cision to be clear and open with data subjects about how their personal data will be used. If a data subject knows at the outset what information will be used, what for, and how, they will be able to make an informed choice about whether they are happy for us to be processing their personal data in this way. Assessing whether personal data is processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then its use is unlikely to be fair.
5.5 We tell data subjects what processing will occur by providing them with privacy notices. See the Privacy Notices section (section 7) below.
5.6 Processing will only be 'lawful' if one of the following requirements is met:
5.6.1 Consent: the data subject has given consent to the processing of their personal data for one or more specific purposes.
5.6.2 Contract: Processing is necessary for the performance of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract. Note that this only applies where there is a contract with the individual data subject. It will not apply to the majority of our customer contracts as these are with companies, not with individuals.
5.6.3 Legal Obligation: Processing is necessary for compliance with a legal obligation to which the data controller is subject.
5.6.4 Vital interests: Processing is necessary in order to protect the vital interest of the data subject or of another natural person. It is unlikely that this will apply to Cision.
5.6.5 Public function: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. It is unlikely that this will apply to Cision.
5.6.6 Legitimate interests: processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child). Cision's legitimate interests include, amongst other things, our interests in providing our products and services to customers, supporting our business functions (such as finance, sales and marketing), ensuring information security, the prevention of fraud and the integrity and support of its staff.
5.7 For the processing of special categories of personal data (also known as sensitive personal data) additional requirements must be met for such processing to be considered lawful. See the Special Categories of Personal Data section below for more information.
Principle 2: Purpose limitation
5.8 Under principle 2, personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that personal data must not be collected for one purpose and then used for another. For example, if we collect information from a journalist who wishes to sign up for our media alerts, that information should not then be made available to our corporate customers via our Media Database unless the journalist has permitted us to do so. If it becomes necessary to change the purpose for which the personal data is processed, the data subject should be informed of the new purpose before any processing occurs.
Principle 3: Data Minimization
5.9 Under principle 3, personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
5.10 This means that personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject, and any personal data which is not necessary for that purpose should not be collected in the first place. For example, there is no need to collect information about whether or not an employee has a driving licence if the employee is not required to drive as part of their role. What is necessary will vary depending on the reasons why the personal data is collected and what it is being used for. More expansive information will very likely be appropriate for an influencer profile than it would be for a customer account contact. Staff should always question what information is being collected and why. Cision will build such considerations into the development of existing and new products and services. See the Privacy by Design section below for further information.
5.11 This also means that Cision must not store any personal data longer than strictly necessary. For more information go to the Data Retention section below.
Principle 4: Accuracy
5.12 Under principle 4, personal data shall be accurate and kept up to date. Personal data which is incorrect or misleading is not accurate, and steps should therefore be taken to check the accuracy of any personal data at the point of collection. Depending on the nature of the personal data, it should be checked at regular intervals to ensure it is up to date. Inaccurate or out of date data should be destroyed. Cision will take steps to update information contained in our Media Database and to ensure that all influencer, customer, employee and other personal data are kept up to date.
Principle 5: Storage Limitation
5.13 Under principle 5, personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means that Cision must, wherever possible, store personal data in a way that limits or prevents identification of the data subject. If data is still required for a legitimate reason, but could, for example, be aggregated, anonymized or pseudonymized, careful consideration should be given to whether or not such actions could be taken.
Principle 6: Integrity & Confidentiality
5.14 Under principle 6, personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. This means that Cision must use appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data is maintained at all times. For more information, see the Information Security section below.
Principle 7: Accountability
5.15 Under Principle 7, the data controller shall be responsible for, and be able to demonstrate, compliance. This means that Cision must be able to demonstrate that the six data protection principles outlined above are met for all personal data for which Cision is responsible. We do this through the provision of information in this policy, through providing clear information to our data subjects via privacy notices, through keeping records of the data we keep and how it is processed, through training our staff, and through a number of other practices and procedures.
6 Processing in line with data subject's rights
6.1 Data subjects have a number of rights to help them ensure that their personal data is being correctly looked after. These rights include the right to:
6.1.1 Be informed: Data subjects have the right to be informed about the collection and use of their personal data. See the privacy notices section below for more information.
6.1.2 Access: Data subjects have the right to access their personal data and other supplementary information through what is commonly known as a "Data Subject Access Request".
6.1.3 Rectification: Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete.
6.1.4 Erasure: Data subjects have the right to have their personal data deleted where there is no compelling reason for its continued processing.
6.1.5 Restrict processing: Data subjects have the right to block or suppress processing of personal data. When processing is restricted, Cision is permitted to store the personal data, but not further process it. Cision can retain just enough information about the data subject to ensure that the restriction is respected in future.
6.1.6 Right to data portability: the right to data portability only applies to personal data an individual has provided to Cision; where the processing is based on that individual's consent or for the performance of a contract; and, when processing is carried out by automated means. This right enables individuals to obtain and reuse their personal data for their own purposes across different services. To the extent that data subjects are entitled to exercise this right, Cision must provide their personal data in a commonly used, machine-readable format, and send it directly to another data controller if requested to do so by the data subject. This may be appropriate when an influencer profile is based on information provided by the influencer themselves (rather than through our research).
6.1.7 Right to object: Data subjects have the right to object to processing based on (amongst other things) legitimate interests (including profiling) and direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. Data subjects must have an objection on "grounds relating to his or her particular situation". To the extent that data subjects are entitled to exercise this right, Cision must stop processing the relevant personal data unless Cision can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of legal claims.
6.2 If a request is received from a data subject in respect of any of the above data subject rights, then you must follow the procedures set out in the responding to data subject requests procedure. If you have any concerns or questions about any of the above rights, or anything contained in the responding to data subject requests procedure, then you must contact the data protection officer. Please be conscious that members of staff may not recognise a request as a data subject request, or what is required, so it is very important that such requests are referred to the data protection officer.
7 Privacy Notices
7.1 Data subjects have the right to be informed about the collection and use of their personal data. Cision will, when required by applicable law or contract, or where it is considered appropriate to do so, provide data subjects with the following information by way of a privacy notice: the name and contact details of our organization and our data protection officer; the purposes of the processing; the legal basis for the processing; the legitimate interests for the processing (if applicable); the source and the categories of personal data obtained (if personal data is not obtained from the individual it relates to); the recipients or categories of recipients of the personal data; the details of transfers of the personal data to any third countries or international organisations (if applicable); the retention periods for the personal data; the rights available to data subjects in respect of the processing; the right to withdraw consent (if applicable); the right to lodge a complaint with a supervisory authority; the details of whether data subjects are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to); and the details of the existence of automated decision-making, including profiling (if applicable).
7.2 Cision has prepared the following privacy notices that contain the applicable information outlined above, and which have been tailored to be relevant to the different categories of Data Subject concerned: Influencer Privacy Notice, Customer Privacy Notice, Employee Privacy Notice, Candidate Privacy Notice and Website Privacy Notice. Cision will regularly review its Privacy Notices and, where necessary, update them.
7.3 The relevant privacy notice must be supplied to the data subject at the time Cision collects their personal data from them. If Cision obtains personal data from other sources (such as from desktop research using the internet), Cision must provide individuals with the relevant privacy notice within a reasonable period of obtaining the personal data and no later than one month.
8 Special categories of personal data
8.1 Cision will only process special categories of personal data where the data subject expressly consents to such processing or where one of the following conditions applies:
8.1.1 The processing relates to personal data which has already clearly been made public by the data subject themselves.
8.1.2 The processing is necessary for the establishment, exercise or defence of legal claims.
8.1.3 The processing is specifically authorised or required by law.
8.1.4 The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
8.1.5 Further conditions, including limitations, based upon national law relating to the processing of genetic data, biometric data or data concerning health.
9 Children's data
9.1 Children require particular protection when their personal data is collected and processed because they may be less aware of the risks involved (the age by which an individual is designated a child varies between 13 and 16 in accordance with national law).
9.2 Cision's Media Database is not intended for children and so influencers should not be added to Cision's Media Database if they are under the age of 16. If Cision becomes aware that an influencer in the Media Database is under the age of 16, then that influencer shall be removed from the Media Database as soon as possible.
9.3 Similarly, Cision shall not sign up a prospect to one of Cision's products or services if that prospect is under the age of 16.
10 Data transfers
International Data Transfers
10.1 The GDPR imposes restrictions on the transfer of personal data outside the European Union, to Third Countries, or international organizations. These restrictions are in place to ensure that the level of protection of data subjects afforded by GDPR is not undermined when the data leaves the EEA. Cision may transfer personal data outside of the EEA (which comprises the countries in the European Union and Iceland, Liechtenstein and Norway) to organizations in third countries provided that one of the approved mechanisms has been followed. There are a number of such mechanisms including:
10.1.1 Standard data protection clauses in the form of template transfer clauses adopted by the European Commission, or adopted by a data protection supervisory authority and approved by the European Commission.
10.1.2 Compliance with an approved code of conduct approved by a supervisory authority.
10.1.3 Certification under an approved certification mechanism as provided for in the GDPR.
10.2 For data transfers to the US it may be possible to rely on 'Privacy Shield'. At present Cision relies on having in place contractual arrangements containing the model contractual clauses.
Transfer between Cision Group Entities
10.3 In order for Cision to carry out its operations effectively across its various international entities, it will frequently be necessary to transfer personal data from one Cision entity to another, or to allow access to the personal data from an overseas location. To facilitate this where there is a transfer of personal data outside the EEA and protect the rights of Data Subjects, all Cision entities have entered into an intra-group Data Transfer Agreement.
Transfers to Third Parties
10.4 Cision will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient. Where third party processing takes place, Cision will first identify whether, under applicable law, the third party is considered a data controller or a data processor of the personal data being transferred.
10.5 Where the third party is deemed to be a data processor, Cision will enter into an adequate processing agreement with the data processor. The agreement must require the data processor to protect the personal data from further disclosure and to only process personal data in compliance with Cision's instructions. In addition, the agreement will require the data processor to implement appropriate technical and organisational measures to protect the personal data, as well as procedures for providing notification of personal data breaches. Cision has in place template data processing agreements which should be considered whenever Cision is engaging with a third party to process data on Cision's behalf. In some cases Cision will rely on the third parties' own data processing agreements. A copy of the data processing template is available from the DPO.
10.6 When Cision is outsourcing services to a third party (including Cloud Computing services), Cision will identify whether the third party will process personal data on its behalf and whether the outsourcing will entail any third country transfers of personal data. In either case, it will make sure to include adequate provisions in the outsourcing agreement for such processing and third country transfers.
11 Data retention
11.1 To ensure fair processing, Cision will not retain personal data for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed.
11.2 The length of time for which Cision needs to retain personal data is set out in Cision's Data Retention Policy. This takes into account the legal and contractual requirements that influence the retention periods set out in that policy. All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need for it. Wherever possible, encryption, pseudonymisation and anonymisation should be built into any new and/or revised systems or processes.
12 Information security
12.1 Each Cision entity will adopt physical, technical, and organisational measures to ensure the security of personal data. This includes the prevention of loss or damage, unauthorized alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment.
13 Breach reporting
13.1 If you know or suspect that a personal data breach has occurred or may occur, you must immediately refer to the personal data breach policy and follow the procedure set out therein. The most important thing is that you notify the DPO and the Information Security Department if you suspect anything. This may be because you think that something you or one of your colleagues has done or not done may have resulted in data being lost or compromised (e.g. losing a laptop, a memory stick or a mobile device, or sending an email to the wrong person), or you believe that your computer may have been compromised by a virus, or anything else that you think is suspicious. Cision is under an obligation to report personal data breaches within a strict (and short) timeframe, so it is vital that all staff report anything suspicious as soon as possible.
14 Privacy by design
14.1 Cision is under a general obligation to implement technical and organizational measures to show that it has considered and integrated data protection into all of its processing activities.
14.2 To ensure that all data protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing.
14.3 Each Cision entity must ensure that for all new and/or revised systems or processes for which it has responsibility those revised systems or processes are first approved by the Data Protection Officer. Where applicable, the Information Security Department will cooperate with the relevant Cision entity and the Data Protection Officer to assess the impact of any new technology uses on the security of the personal data. Wherever possible, encryption, pseudonymisation and anonymisation should be built into any new and/or revised systems or processes.
15 Data Protection Training
15.1 All Cision employees that have access to personal data will have their responsibilities under this policy outlined to them as part of their staff induction training. In addition, each Cision entity will provide regular data protection training and procedural guidance for their staff. Such training and procedural guidance will consist of, at a minimum, the following elements:
15.1.1 The data principles set out in section 5 above.
15.1.2 Each employee's duty to use and permit the use of personal data only by authorised staff and for authorized purposes.
15.1.3 The need for, and proper use of, the forms and procedures adopted to implement this policy.
15.1.4 The correct use of passwords and other access mechanisms.
15.1.5 The importance of limiting access to personal data, such as by using password protected screen savers and logging out when systems are not being attended by an authorized person.
15.1.6 Securely storing manual files, print outs, and electronic storage media.
15.1.7 The need to obtain appropriate authorisation and use appropriate safeguards for all transfers of personal data outside of the internal network and physical office premises.
15.1.8 Proper disposal of personal data by using secure shredding facilities.
15.1.9 Any special risks associated with particular departmental activities or duties.
16 Policy Maintenance
16.1 All enquiries about this policy should be directed to the Data Protection Officer via Privacy@cision.com.
16.2 This policy shall be made available to all Cision employees through internal communications mediums and/or alternative means as deemed appropriate by the Data Protection Officer.