PRA is committed to respecting and protecting your privacy.
We may collect personal information data that is associated to or identifies with you when you access PRA’s websites, blogs, mobile sites, social networks, applications, surveys, and when you register to attend an event or program created, managed or hosted by PRA. We may also collect personal information data when we market our services or provide event/program services to you, your employer or any other person who has authorized us to communicate with them regarding the fulfillment of our contracted services to them.
PRA is committed to protecting your privacy.
On May 25, 2018, the European Union (“EU”)’s new data protection legislation, the General Data Protection Regulation (GDPR), took effect. This statement is made in light of the requirements of the GDPR to alert users to PRA’s data processing practices which will govern the “processing” of your “personal data” (see definitions section 2(c) & 2(a)).
GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU “data subjects” (see definitions section 2(b)). It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Whilst we understand this means it does not include non-EU citizens, we believe at PRA it is important to protect individual’s personal data regardless of their nationality and therefore we look to apply the same standards across all individual’s personal data regardless of their nationality.
As the controller (see definitions section 2(f)), PRA has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g., by telephone.
We reserve the right to amend this privacy statement. If we do so, we will post notice of the change on our website and you will be deemed to have accepted such changes.
This data protection declaration of PRA is based on the terms used by the European legislator for the adoption of the GDPR. Our data protection declaration should be legible and understandable for the general public, as well as our clients and business partners. To ensure this, we would like to first explain the terminology used.
In this data protection declaration, we use, among others, the following terms:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
f) Controller or controller responsible for the processing
Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
i) Third party
Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
j) Legitimate Interest
Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party or party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
3) Data controller
PRA acts as a data controller (Art. 24) for (i) the personal data relating directly to its clients and (ii) for its own employee management purposes.
4) Data processor
PRA will from time to time act as a data processor (Art. 28) and may supply personal data to third party service providers, contractors and agents that provide services to us, to support the completion of projects and events (in which case our client is the controller).
5) Legal basis for processing personal data
Art. 6.1(a) serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. Art. 6(b) serves as the legal basis if the processing of personal data is necessary for the performance of a contract to which the data subject is a party, for example, when processing operations are necessary for the supply of goods or to provide any other service. Art. 6.1(b) further applies to processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. Art. 6.1(c) serves as the legal basis if PRA is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations. Art. 6.1(d) serves as the legal basis when the processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, for example, if a data subject were injured and his name, age, health insurance data or other vital information need to be provided to a doctor, hospital or other third party. Finally, Art 6.1(f) serves as the legal basis for processing operations which are not covered by any of the above-mentioned legal grounds, nonetheless, processing is necessary for the purposes of the legitimate interests pursued by PRA or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are permissible because they have been specifically mentioned by the European legislator, which considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).
6) Legal basis for processing personal data – Legitimate Interest
We believe that we have a “Legitimate Interest” in the processing of your personal data, which is to carry out our business, including to grow and improve our services and support our clients, provided those interests are not outweighed by your rights and interests. We have conducted a Legitimate Interest Assessment (LIA) to arrive at this decision, if you wish to receive a copy of this LIA, please contact email@example.com to request a PDF of the LIA.
7) Data Processing of Special Category data
We may be required to process special category data which includes such items as medical history, passport information etc. (Art. 9) to facilitate the successful completion of projects, in this case we will only undertake this processing following explicit consent being obtained by the individual data subjects either by ourselves directly, or via our clients who have commissioned us to undertake the specific project. (Art. 9.2(a))
8) What information do we collect and why?
We will obtain personal information from you when you inquire about our activities, register with us, attend one of our events or otherwise provide us with personal information.
The types of information collected might include name, e-mail address, postal address, telephone number, mobile phone number, credit/debit card details and dietary or access requirements.
9) What do we do with the information?
We will use the information you provide to:
- fulfill your requests – such as provision of information about our services
- process sales transactions, or other payments and verify financial transactions
- handle event/service orders, deliver products and communicate with you about
- provide a personalized service to you when you visit our websites – this could include
customizing the content and/or layout of our pages for individual users
- record any contact we have with you
- prevent or detect fraud or abuses of our websites and enable third parties to carry
out technical, logistical or other functions on our behalf
- communicate with our supplier partners, supporters and collaborators to fulfill our
- provide you with information that we think may be of interest to you
We may use generic photographs taken at our events for promotional purposes. In the event we use identifiable images of individuals, we will have sought and obtained written consent.
10) Sharing your information
We will only share your information if:
- We are legally required to do so, e.g., by a law enforcement agency legitimately exercising a power or if compelled by an order of the Court.
- We believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites.
- Our contractual obligations with our clients require us to do so to fulfill our program operations. We are working with carefully-selected partners that are carrying out work on our behalf. These partners may include event organizers, supplier partners and venues, marketing agencies, accountants and IT specialists. The kind of work we may ask them to do include sending emails, event registration and organization, processing card payments, etc.
We only choose partners we can trust and we only share data with such recipients where appropriate standards and safeguards are in place. Whenever we share or transfer your personal information, we comply with the standards set by the GDPR and this privacy statement at a minimum.
11) Storing your information
We take appropriate measures to ensure that the information disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal data under our control. For example, only authorized personnel can access user information. While we cannot ensure or guarantee that loss, misuse or alteration of data will not occur while it is under our control, we use our best efforts to try to prevent this.
12) Retaining your information – data retention policy
Where we hold subject data to facilitate the successful completion of business activities PRA will hold this information for a maximum period of 10 years from the last interactive or successful contact with you unless you request removal of this information under your right to erasure (Art.17).
13) Children’s Privacy
From time to time we may be required to process children’s personal data (Art. 8), as part of completing an event or project, we understand the sensitively around the processing of children’s data and we take very seriously the responsibility for identifying the risks and consequences of the processing. For purposes of this policy, persons under the age of 16 are considered children.
We believe we have a legitimate interest in processing children’s data and we balance our own (or a third party’s) legitimate interest in processing the personal data against the interests and fundamental rights and freedoms of the child. We take appropriate measures, where necessary, to safeguard against those risks when processing a child’s personal data.
14) Website cookies policy
If you do not agree to the processing of data about you by Google LLC in the manner and for the purposes set out above, you can select ‘disable cookies’ on your browser.
15) Data protection provisions about the application and use of Google Analytics
On this website, the controller has integrated the component of Google Analytics. Google Analytics is a web analytics service. Web analytics is the collection of, gathering, and analysis of data about the behavior of visitors to websites. A web analysis service collects, among others, data about the website from which a person has come (the so-called referrer), which sub-pages were visited, or how often and for what duration a sub-page was viewed. Web analytics are mainly used for the optimization of a website and to carry out a cost-benefit analysis of Internet advertising.
The operator of the Google Analytics component is Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.
The purpose of the Google Analytics component is to analyze the traffic on our website. Google uses the collected data and information, among others, to evaluate the use of our website and to provide online reports, which show the activities on our websites, and to provide other services concerning the use of our Internet site for us.
Google Analytics places a cookie on the information technology system of the data subject. The definition of cookies is explained above. With the setting of the cookie, Google is enabled to analyze the use of our website. With each call-up to one of the individual pages of this Internet site, which is operated by the controller and into which a Google Analytics component was integrated, the Internet browser on the information technology system of the data subject will automatically submit data through the Google Analytics component for online advertising and the settlement of commissions to Google. During this technical procedure, the enterprise Google gains knowledge of personal information, such as the IP address of the data subject, which serves Google, among others, to understand the origin of visitors and clicks, and subsequently create commission settlements.
The cookie is used to store personal information, such as the access time, the location from which the access was made, and the frequency of visits of our website by the data subject. With each visit to our Internet site, such personal data, including the IP address of the Internet access used by the data subject, will be transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure to third parties.
The data subject may, as stated above, prevent the setting of cookies through our website at any time by means of a corresponding adjustment of the web browser used and thus permanently deny the setting of cookies. Such an adjustment to the Internet browser used would also prevent Google Analytics from setting a cookie on the information technology system of the data subject. In addition, cookies already in use by Google Analytics may be deleted at any time via a web browser or other software programs.
Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/ and under http://www.google.com/analytics/terms/us.html. Google Analytics is further explained under the following Link https://www.google.com/analytics/.
16) Data protection provisions about the application and use of Google-AdWords
On this website, the controller has integrated Google AdWords. Google AdWords is a service for Internet advertising that allows the advertiser to place ads in Google search engine results and the Google advertising network. Google AdWords allows an advertiser to pre-define specific keywords with the help of an advertisement on Google’s search results then displayed; when the user utilizes the search engine to retrieve a keyword-relevant search result. In the Google Advertising Network, the ads are distributed on relevant web pages using an automatic algorithm, considering the previously defined keywords.
The operating company of Google AdWords is Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.
The purpose of Google AdWords is the promotion of our website by the inclusion of relevant advertising on the websites of third parties and in the search engine results of the search engine Google and an insertion of third-party advertising on our website.
If a data subject reaches our website via a Google advertisement, a conversion cookie is filed on the information technology system of the data subject through Google. The definition of cookies is explained above. A conversion cookie loses its validity after 30 days and is not used to identify the data subject. If the cookie has not expired, the conversion cookie is used to check whether certain sub-pages, e.g., The request for a proposal from our website, was called up on our website. Through the conversion cookie, both Google and the controller can understand whether a person who reached an AdWords advertisement on our website generated an inquiry that was, executed or canceled.
The data and information collected using the conversion cookie is used by Google to create visit statistics for our website. These visit statistics are used to determine the total number of users who have been served through Google AdWords advertisements to ascertain the success or failure of each Google AdWords and to optimize our Google AdWords advertisements in the future. Neither our company nor other Google AdWords advertisers receive information from Google that could identify the data subject.
The conversion cookie stores personal information, e.g., the Internet pages visited by the data subject. Each time we visit our Internet pages, personal data, including the IP address of the Internet access used by the data subject, is transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure to third parties.
The data subject may, at any time, prevent the setting of cookies by our website, as stated above, by means of a corresponding setting of the Internet browser used and thus permanently deny the setting of cookies. Such a setting of the Internet browser used would also prevent Google from placing a conversion cookie on the information technology system of the data subject. In addition, a cookie set by Google AdWords may be deleted at any time via the Internet browser or other software programs.
The data subject has a possibility of objecting to the interest-based advertisement of Google. Therefore, the data subject must access from each of the browsers in use the link www.google.de/settings/ads and set the desired settings.
Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/.
17) Data protection provisions about the application and use of Facebook
On this website, the controller has integrated components of the enterprise Facebook. Facebook is a social network.
A social network is a place for social meetings on the Internet, an online community, which usually allows users to communicate with each other and interact in a virtual space. A social network may serve as a platform for the exchange of opinions and experiences; or enable the Internet community to provide personal or business-related information. Facebook allows social network users to include the creation of private profiles, upload photos, and network through friend requests.
The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. If a person lives outside of the United States or Canada, the controller is the Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
With each call-up to one of the individual pages of this Internet website, which is operated by the controller and into which a Facebook component (Facebook plug-ins) was integrated, the web browser on the information technology system of the data subject is automatically prompted to download display of the corresponding Facebook component from Facebook through the Facebook component. An overview of all the Facebook Plug-ins may be accessed under https://developers.facebook.com/docs/plugins/. During this technical procedure, Facebook is made aware of what specific sub-site of our website was visited by the data subject.
If the data subject is logged in at the same time on Facebook, Facebook detects with every call-up to our website by the data subject—and for the entire duration of their stay on our Internet site—which specific sub-site of our Internet page was visited by the data subject. This information is collected through the Facebook component and associated with the respective Facebook account of the data subject. If the data subject clicks on one of the Facebook buttons integrated into our website, e.g., the “Like” button, or if the data subject submits a comment, then Facebook matches this information with the personal Facebook user account of the data subject and stores the personal data.
Facebook always receives, through the Facebook component, information about a visit to our website by the data subject, whenever the data subject is logged in at the same time on Facebook during the time of the call-up to our website. This occurs regardless of whether the data subject clicks on the Facebook component or not. If such a transmission of information to Facebook is not desirable for the data subject, then he or she may prevent this by logging off from their Facebook account before a call-up to our website is made.
The data protection guideline published by Facebook, which is available at https://facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. In addition, it is explained there what setting options Facebook offers to protect the privacy of the data subject. In addition, different configuration options are made available to allow the elimination of data transmission to Facebook. These applications may be used by the data subject to eliminate a data transmission to Facebook.
18) Data protection provisions about the application and use of LinkedIn
The controller has integrated components of the LinkedIn on this website. LinkedIn is a web-based social network that enables users with existing business contacts to connect and to make new business contacts. Over 400 million registered people in more than 200 countries use LinkedIn. Thus, LinkedIn is currently the largest platform for business contacts and one of the most visited websites in the world.
With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which a LinkedIn component (LinkedIn plug-in) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to the download of a display of the corresponding LinkedIn component of LinkedIn. Further information about the LinkedIn plug-in may be accessed under https://developer.linkedin.com/plugins. During this technical procedure, LinkedIn gains knowledge of what specific sub-page of our website was visited by the data subject.
If the data subject is logged in at the same time on LinkedIn, LinkedIn detects with every call-up to our website by the data subject—and for the entire duration of their stay on our Internet site—which specific sub-page of our Internet page was visited by the data subject. This information is collected through the LinkedIn component and associated with the respective LinkedIn account of the data subject. If the data subject clicks on one of the LinkedIn buttons integrated on our website, then LinkedIn assigns this information to the personal LinkedIn user account of the data subject and stores the personal data.
LinkedIn receives information via the LinkedIn component that the data subject has visited our website, provided that the data subject is logged in at LinkedIn at the time of the call-up to our website. This occurs regardless of whether the person clicks on the LinkedIn button or not. If such a transmission of information to LinkedIn is not desirable for the data subject, then he or she may prevent this by logging off from their LinkedIn account before a call-up to our website is made.
19) Data protection provisions about the application and use of Twitter
On this website, the controller has integrated components of Twitter. Twitter is a multilingual, publicly-accessible microblogging service on which users may publish and spread so-called ‘tweets,’ e.g., short messages, which are limited to 140 characters. These short messages are available for everyone, including those who are not logged on to Twitter. The tweets are also displayed to so-called followers of the respective user. Followers are other Twitter users who follow a user’s tweets. Furthermore, Twitter allows you to address a wide audience via hashtags, links or retweets.
The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, United States.
With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which a Twitter component (Twitter button) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to download a display of the corresponding Twitter component of Twitter. Further information about the Twitter buttons is available under
https://about.twitter.com/de/resources/buttons. During this technical procedure, Twitter gains knowledge of what specific sub-page of our website was visited by the data subject. The purpose of the integration of the Twitter component is a retransmission of the contents of this website to allow our users to introduce this web page to the digital world and increase our visitor numbers.
If the data subject is logged in at the same time on Twitter, Twitter detects with every call-up to our website by the data subject and for the entire duration of their stay on our Internet site which specific sub-page of our Internet page was visited by the data subject. This information is collected through the Twitter component and associated with the respective Twitter account of the data subject. If the data subject clicks on one of the Twitter buttons integrated on our website, then Twitter assigns this information to the personal Twitter user account of the data subject and stores the personal data.
Twitter receives information via the Twitter component that the data subject has visited our website, provided that the data subject is logged in on Twitter at the time of the call-up to our website. This occurs regardless of whether the person clicks on the Twitter component or not. If such a transmission of information to Twitter is not desirable for the data subject, then he or she may prevent this by logging off from their Twitter account before a call-up to our website is made.
The applicable data protection provisions of Twitter may be accessed under https://twitter.com/privacy?lang=en.
20) Data protection provisions about the application and use of Disqus
On our website we offer you the opportunity to post comments about individual blog articles. The operating company of Disqus is Disqus, Inc., 301 Howard Street, Suite 300, San Francisco, CA 94105, United States.
Disqus is an interactive comment service that allows users to post comments on all websites that use the Disqus service with a single sign-on to the provider. Users can also sign-up and sign-in with existing accounts with Facebook (via Facebook Connect), Twitter, Yahoo, and OpenID. Posting comments is also possible without registration and sign-in (as “Guest”). More information about Disqus and its service can be found at www.disqus.com.
If you sign-in to Disqus using your Facebook, Twitter, Yahoo or OpenID account, these providers may also collect, process, and store data. Please refer to the privacy policies of the respective provider for further information. We reserve the rights to delete inappropriate comments or spam.
21) Mailing lists
If you subscribe to our mailing list, you will be automatically subscribed to receive email updates.
You can change your email marketing preferences at any time, by clicking ‘unsubscribe’ on any of our emails or by contacting: firstname.lastname@example.org.
22) Your rights
By providing us with your personal data, you consent to the collection and use of any information you provide in accordance with the above purposes and this privacy statement. You have the right to ask for a copy of the information we hold about you and to have any inaccuracies in your information corrected.
If you want to exercise these rights or update your personal details, please contact email@example.com.
23) Data subject rights
As an individual whose personal data is processed by PRA. you have the following rights:
- the right to access the data we hold about you
- the right to object
- to direct marketing – either use the ‘unsubscribe’ button on our emails or contact us
- to processing carried out based on legitimate interests
- the right to erasure (in some circumstances)
- the right of data portability
- the right to have your data rectified if its inaccurate
- the right to have your data restricted or blocked from processing
- related to automated decision making including profiling
To exercise any of these rights, please email firstname.lastname@example.org to get in touch.
24) Employees and job applicants
If you apply to work at PRA, we will only use the information you give us to process your application and to monitor recruitment statistics. If we need to disclose information to someone outside PRA – for example, if we need a reference, or need to get a ‘disclosure’ from the Criminal Records Bureau – we will make sure we tell you beforehand, unless we are required to disclose this information by law.
If you are unsuccessful in your job application, we will hold your personal information for 12 months after we finish recruiting the post you applied for. After this date we will destroy or delete your information.
If you begin employment with us, we create a file about your employment. We keep the information in this file secure and will only use it for matters that apply directly to your employment.
Once you stop working for us, we will keep this file according to our record retention guidelines. You can contact us, email@example.com, to find out more about this.