Privacy Policy

PRA is committed to respecting and protecting your privacy.

We collect data from guests, users and visitors to our websites, blogs, mobile sites, social networks and/or applications; from our clients and/or their employees, agents, and representatives; and from individuals who attend events and programs created, managed or hosted by PRA. We do not sell your personal data to any third parties. We don’t share your personal data to third parties except for those noted in our Privacy Policy. You can review our full Privacy Policy below.

We may collect personal information data that is associated to or identifies with you when you access PRA’s websites, blogs, mobile sites, social networks, applications, surveys, and when you register to attend an event or program created, managed or hosted by PRA. We may also collect personal information data when we market our services or provide event/program services to you, your employer or any other person who has authorized us to communicate with them regarding the fulfillment of our contracted services to them.

Before accessing, using or receiving services from PRA, please ensure you have read and understand our Privacy Policy which details how we collect, store, process, share and use your personal information.

If you have any questions related to PRA’s Privacy Policy, please contact privacy@pra.com.

1) Introduction

PRA is committed to protecting your privacy.

On May 25, 2018, the European Union (“EU”)’s new data protection legislation, the General Data Protection Regulation (GDPR), took effect. This statement is made in light of the requirements of the GDPR to alert users to PRA’s data processing practices which will govern the “processing” of your “personal data” (see definitions section 2(c) & 2(a)).

GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU “data subjects” (see definitions section 2(b)). It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Whilst we understand this means it does not include non-EU citizens, we believe at PRA it is important to protect individual’s personal data regardless of their nationality and therefore we look to apply the same standards across all individual’s personal data regardless of their nationality.

As the controller (see definitions section 2(f)), PRA has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g., by telephone.

We reserve the right to amend this privacy statement. If we do so, we will post notice of the change on our website and you will be deemed to have accepted such changes.

2) Definitions

This data protection declaration of PRA is based on the terms used by the European legislator for the adoption of the GDPR. Our data protection declaration should be legible and understandable for the general public, as well as our clients and business partners. To ensure this, we would like to first explain the terminology used.

In this data protection declaration, we use, among others, the following terms:

a) Personal data

Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data subject

Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

c) Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Restriction of processing

Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

e) Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

f) Controller or controller responsible for the processing

Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

g) Processor

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

h) Recipient

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

i) Third party

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

j) Legitimate Interest

Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party or party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

3) Data controller

PRA acts as a data controller (Art. 24) for (i) the personal data relating directly to its clients and (ii) for its own employee management purposes.

4) Data processor

PRA will from time to time act as a data processor (Art. 28) and may supply personal data to third party service providers, contractors and agents that provide services to us, to support the completion of projects and events (in which case our client is the controller).

Where we share personal data with a third party, we will ensure that they only process this information in accordance with this Privacy Policy.

5) Legal basis for processing personal data

Art. 6.1(a) serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. Art. 6(b) serves as the legal basis if the processing of personal data is necessary for the performance of a contract to which the data subject is a party, for example, when processing operations are necessary for the supply of goods or to provide any other service. Art. 6.1(b) further applies to processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. Art. 6.1(c) serves as the legal basis if PRA is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations. Art. 6.1(d) serves as the legal basis when the processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, for example, if a data subject were injured and his name, age, health insurance data or other vital information need to be provided to a doctor, hospital or other third party. Finally, Art 6.1(f) serves as the legal basis for processing operations which are not covered by any of the above-mentioned legal grounds, nonetheless, processing is necessary for the purposes of the legitimate interests pursued by PRA or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are permissible because they have been specifically mentioned by the European legislator, which considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).

6) Legal basis for processing personal data – Legitimate Interest

We believe that we have a “Legitimate Interest” in the processing of your personal data, which is to carry out our business, including to grow and improve our services and support our clients, provided those interests are not outweighed by your rights and interests. We have conducted a Legitimate Interest Assessment (LIA) to arrive at this decision, if you wish to receive a copy of this LIA, please contact privacy@pra.com to request a PDF of the LIA.

7) Data Processing of Special Category data

We may be required to process special category data which includes such items as medical history, passport information etc. (Art. 9) to facilitate the successful completion of projects, in this case we will only undertake this processing following explicit consent being obtained by the individual data subjects either by ourselves directly, or via our clients who have commissioned us to undertake the specific project. (Art. 9.2(a))

8) What information do we collect and why?

We will obtain personal information from you when you inquire about our activities, register with us, attend one of our events or otherwise provide us with personal information.

The types of information collected might include name, e-mail address, postal address, telephone number, mobile phone number, credit/debit card details and dietary or access requirements.

9) What do we do with the information?

We will use the information you provide to:

  • fulfill your requests – such as provision of information about our services
  • process sales transactions, or other payments and verify financial transactions
  • handle event/service orders, deliver products and communicate with you about
    event/service orders
  • provide a personalized service to you when you visit our websites – this could include
    customizing the content and/or layout of our pages for individual users
  • record any contact we have with you
  • prevent or detect fraud or abuses of our websites and enable third parties to carry
    out technical, logistical or other functions on our behalf
  • communicate with our supplier partners, supporters and collaborators to fulfill our
    contractual obligations
  • provide you with information that we think may be of interest to you

We may use generic photographs taken at our events for promotional purposes. In the event we use identifiable images of individuals, we will have sought and obtained written consent.

10) Sharing your information

We will only share your information if:

  • We are legally required to do so, e.g., by a law enforcement agency legitimately exercising a power or if compelled by an order of the Court.
  • We believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites.
  • Our contractual obligations with our clients require us to do so to fulfill our program operations. We are working with carefully-selected partners that are carrying out work on our behalf. These partners may include event organizers, supplier partners and venues, marketing agencies, accountants and IT specialists. The kind of work we may ask them to do include sending emails, event registration and organization, processing card payments, etc.

We only choose partners we can trust and we only share data with such recipients where appropriate standards and safeguards are in place. Whenever we share or transfer your personal information, we comply with the standards set by the GDPR and this privacy statement at a minimum.

11) Storing your information

We take appropriate measures to ensure that the information disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal data under our control. For example, only authorized personnel can access user information. While we cannot ensure or guarantee that loss, misuse or alteration of data will not occur while it is under our control, we use our best efforts to try to prevent this.

12) Retaining your information – data retention policy

If you have received marketing communications from PRA under our privacy policy and have not unsubscribed, you will be on our marketing communications mailing list for a maximum of 5 years from the last interactive or successful contact with you (henceforth “your period of marketing contact”) unless you unsubscribe during this time.

Where we hold subject data to facilitate the successful completion of business activities PRA will hold this information for a maximum period of 10 years from the last interactive or successful contact with you unless you request removal of this information under your right to erasure (Art.17).

13) Children’s Privacy

From time to time we may be required to process children’s personal data (Art. 8), as part of completing an event or project, we understand the sensitively around the processing of children’s data and we take very seriously the responsibility for identifying the risks and consequences of the processing. For purposes of this policy, persons under the age of 16 are considered children.

We believe we have a legitimate interest in processing children’s data and we balance our own (or a third party’s) legitimate interest in processing the personal data against the interests and fundamental rights and freedoms of the child. We take appropriate measures, where necessary, to safeguard against those risks when processing a child’s personal data.

14) Website cookies policy

We may use cookies to provide accurate monitoring reports to help us understand our users’ interests and preferences, to ensure that our website is as user friendly as possible.

Our website may use Google Analytics, a service provided by Google LLC that uses cookies to help the website analyze how users use this site. The cookies will generate information about your use of the website, and this along with your IP address will be stored on servers in the United States by Google LLC. This information is retained for the purposes of evaluating and compiling reports on website activity and for other services relating to internet usage. This information may be transferred to third parties by Google LLC where required to do so by law, or where such third parties process the information on their behalf. Your IP address will not be associated with any other data held by Google LLC.

If you do not agree to the processing of data about you by Google LLC in the manner and for the purposes set out above, you can select ‘disable cookies’ on your browser.

15) Data protection provisions about the application and use of Google Analytics

On this website, the controller has integrated the component of Google Analytics. Google Analytics is a web analytics service. Web analytics is the collection of, gathering, and analysis of data about the behavior of visitors to websites. A web analysis service collects, among others, data about the website from which a person has come (the so-called referrer), which sub-pages were visited, or how often and for what duration a sub-page was viewed. Web analytics are mainly used for the optimization of a website and to carry out a cost-benefit analysis of Internet advertising.

The operator of the Google Analytics component is Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.

The purpose of the Google Analytics component is to analyze the traffic on our website. Google uses the collected data and information, among others, to evaluate the use of our website and to provide online reports, which show the activities on our websites, and to provide other services concerning the use of our Internet site for us.

Google Analytics places a cookie on the information technology system of the data subject. The definition of cookies is explained above. With the setting of the cookie, Google is enabled to analyze the use of our website. With each call-up to one of the individual pages of this Internet site, which is operated by the controller and into which a Google Analytics component was integrated, the Internet browser on the information technology system of the data subject will automatically submit data through the Google Analytics component for online advertising and the settlement of commissions to Google. During this technical procedure, the enterprise Google gains knowledge of personal information, such as the IP address of the data subject, which serves Google, among others, to understand the origin of visitors and clicks, and subsequently create commission settlements.

The cookie is used to store personal information, such as the access time, the location from which the access was made, and the frequency of visits of our website by the data subject. With each visit to our Internet site, such personal data, including the IP address of the Internet access used by the data subject, will be transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure to third parties.

The data subject may, as stated above, prevent the setting of cookies through our website at any time by means of a corresponding adjustment of the web browser used and thus permanently deny the setting of cookies. Such an adjustment to the Internet browser used would also prevent Google Analytics from setting a cookie on the information technology system of the data subject. In addition, cookies already in use by Google Analytics may be deleted at any time via a web browser or other software programs.

In addition, the data subject has the possibility of objecting to a collection of data that are generated by Google Analytics, which is related to the use of this website, as well as the processing of this data by Google and the chance to preclude any such. For this purpose, the data subject must download a browser add-on under the link https://tools.google.com/dlpage/gaoptout and install it. This browser add-on tells Google Analytics through a JavaScript, that any data and information about the visits of Internet pages may not be transmitted to Google Analytics. The installation of the browser add-ons is considered an objection by Google. If the information technology system of the data subject is later deleted, formatted, or newly installed, then the data subject must reinstall the browser add-ons to disable Google Analytics. If the browser add-on was uninstalled by the data subject or any other person who is attributable to their sphere of competence, or is disabled, it is possible to execute the reinstallation or reactivation of the browser add-ons.

Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/ and under http://www.google.com/analytics/terms/us.html. Google Analytics is further explained under the following Link https://www.google.com/analytics/.

16) Data protection provisions about the application and use of Google-AdWords

On this website, the controller has integrated Google AdWords. Google AdWords is a service for Internet advertising that allows the advertiser to place ads in Google search engine results and the Google advertising network. Google AdWords allows an advertiser to pre-define specific keywords with the help of an advertisement on Google’s search results then displayed; when the user utilizes the search engine to retrieve a keyword-relevant search result. In the Google Advertising Network, the ads are distributed on relevant web pages using an automatic algorithm, considering the previously defined keywords.

The operating company of Google AdWords is Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.

The purpose of Google AdWords is the promotion of our website by the inclusion of relevant advertising on the websites of third parties and in the search engine results of the search engine Google and an insertion of third-party advertising on our website.

If a data subject reaches our website via a Google advertisement, a conversion cookie is filed on the information technology system of the data subject through Google. The definition of cookies is explained above. A conversion cookie loses its validity after 30 days and is not used to identify the data subject. If the cookie has not expired, the conversion cookie is used to check whether certain sub-pages, e.g., The request for a proposal from our website, was called up on our website. Through the conversion cookie, both Google and the controller can understand whether a person who reached an AdWords advertisement on our website generated an inquiry that was, executed or canceled.

The data and information collected using the conversion cookie is used by Google to create visit statistics for our website. These visit statistics are used to determine the total number of users who have been served through Google AdWords advertisements to ascertain the success or failure of each Google AdWords and to optimize our Google AdWords advertisements in the future. Neither our company nor other Google AdWords advertisers receive information from Google that could identify the data subject.

The conversion cookie stores personal information, e.g., the Internet pages visited by the data subject. Each time we visit our Internet pages, personal data, including the IP address of the Internet access used by the data subject, is transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure to third parties.

The data subject may, at any time, prevent the setting of cookies by our website, as stated above, by means of a corresponding setting of the Internet browser used and thus permanently deny the setting of cookies. Such a setting of the Internet browser used would also prevent Google from placing a conversion cookie on the information technology system of the data subject. In addition, a cookie set by Google AdWords may be deleted at any time via the Internet browser or other software programs.

The data subject has a possibility of objecting to the interest-based advertisement of Google. Therefore, the data subject must access from each of the browsers in use the link www.google.de/settings/ads and set the desired settings.

Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/.

17) Data protection provisions about the application and use of Facebook

On this website, the controller has integrated components of the enterprise Facebook. Facebook is a social network.

A social network is a place for social meetings on the Internet, an online community, which usually allows users to communicate with each other and interact in a virtual space. A social network may serve as a platform for the exchange of opinions and experiences; or enable the Internet community to provide personal or business-related information. Facebook allows social network users to include the creation of private profiles, upload photos, and network through friend requests.

The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. If a person lives outside of the United States or Canada, the controller is the Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

With each call-up to one of the individual pages of this Internet website, which is operated by the controller and into which a Facebook component (Facebook plug-ins) was integrated, the web browser on the information technology system of the data subject is automatically prompted to download display of the corresponding Facebook component from Facebook through the Facebook component. An overview of all the Facebook Plug-ins may be accessed under https://developers.facebook.com/docs/plugins/. During this technical procedure, Facebook is made aware of what specific sub-site of our website was visited by the data subject.

If the data subject is logged in at the same time on Facebook, Facebook detects with every call-up to our website by the data subject—and for the entire duration of their stay on our Internet site—which specific sub-site of our Internet page was visited by the data subject. This information is collected through the Facebook component and associated with the respective Facebook account of the data subject. If the data subject clicks on one of the Facebook buttons integrated into our website, e.g., the “Like” button, or if the data subject submits a comment, then Facebook matches this information with the personal Facebook user account of the data subject and stores the personal data.

Facebook always receives, through the Facebook component, information about a visit to our website by the data subject, whenever the data subject is logged in at the same time on Facebook during the time of the call-up to our website. This occurs regardless of whether the data subject clicks on the Facebook component or not. If such a transmission of information to Facebook is not desirable for the data subject, then he or she may prevent this by logging off from their Facebook account before a call-up to our website is made.

The data protection guideline published by Facebook, which is available at https://facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. In addition, it is explained there what setting options Facebook offers to protect the privacy of the data subject. In addition, different configuration options are made available to allow the elimination of data transmission to Facebook. These applications may be used by the data subject to eliminate a data transmission to Facebook.

18) Data protection provisions about the application and use of LinkedIn

The controller has integrated components of the LinkedIn on this website. LinkedIn is a web-based social network that enables users with existing business contacts to connect and to make new business contacts. Over 400 million registered people in more than 200 countries use LinkedIn. Thus, LinkedIn is currently the largest platform for business contacts and one of the most visited websites in the world.

The operating company of LinkedIn is LinkedIn, 2029 Stierlin Court Mountain View, CA 94043, United States. For privacy matters outside of the United States LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible.

With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which a LinkedIn component (LinkedIn plug-in) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to the download of a display of the corresponding LinkedIn component of LinkedIn. Further information about the LinkedIn plug-in may be accessed under https://developer.linkedin.com/plugins. During this technical procedure, LinkedIn gains knowledge of what specific sub-page of our website was visited by the data subject.

If the data subject is logged in at the same time on LinkedIn, LinkedIn detects with every call-up to our website by the data subject—and for the entire duration of their stay on our Internet site—which specific sub-page of our Internet page was visited by the data subject. This information is collected through the LinkedIn component and associated with the respective LinkedIn account of the data subject. If the data subject clicks on one of the LinkedIn buttons integrated on our website, then LinkedIn assigns this information to the personal LinkedIn user account of the data subject and stores the personal data.

LinkedIn receives information via the LinkedIn component that the data subject has visited our website, provided that the data subject is logged in at LinkedIn at the time of the call-up to our website. This occurs regardless of whether the person clicks on the LinkedIn button or not. If such a transmission of information to LinkedIn is not desirable for the data subject, then he or she may prevent this by logging off from their LinkedIn account before a call-up to our website is made.

LinkedIn provides under https://www.linkedin.com/psettings/guest-controls the possibility to unsubscribe from e-mail messages, SMS messages and targeted ads, as well as the ability to manage ad settings. LinkedIn also uses affiliates such as Eire, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua, and Lotame. The setting of such cookies may be denied under https://www.linkedin.com/legal/cookie-policy. The applicable privacy policy for LinkedIn is available under https://www.linkedin.com/legal/privacy-policy. The LinkedIn Cookie Policy is available under https://www.linkedin.com/legal/cookie-policy.

19) Data protection provisions about the application and use of Twitter

On this website, the controller has integrated components of Twitter. Twitter is a multilingual, publicly-accessible microblogging service on which users may publish and spread so-called ‘tweets,’ e.g., short messages, which are limited to 140 characters. These short messages are available for everyone, including those who are not logged on to Twitter. The tweets are also displayed to so-called followers of the respective user. Followers are other Twitter users who follow a user’s tweets. Furthermore, Twitter allows you to address a wide audience via hashtags, links or retweets.

The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, United States.

With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which a Twitter component (Twitter button) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to download a display of the corresponding Twitter component of Twitter. Further information about the Twitter buttons is available under
https://about.twitter.com/de/resources/buttons. During this technical procedure, Twitter gains knowledge of what specific sub-page of our website was visited by the data subject. The purpose of the integration of the Twitter component is a retransmission of the contents of this website to allow our users to introduce this web page to the digital world and increase our visitor numbers.

If the data subject is logged in at the same time on Twitter, Twitter detects with every call-up to our website by the data subject and for the entire duration of their stay on our Internet site which specific sub-page of our Internet page was visited by the data subject. This information is collected through the Twitter component and associated with the respective Twitter account of the data subject. If the data subject clicks on one of the Twitter buttons integrated on our website, then Twitter assigns this information to the personal Twitter user account of the data subject and stores the personal data.

Twitter receives information via the Twitter component that the data subject has visited our website, provided that the data subject is logged in on Twitter at the time of the call-up to our website. This occurs regardless of whether the person clicks on the Twitter component or not. If such a transmission of information to Twitter is not desirable for the data subject, then he or she may prevent this by logging off from their Twitter account before a call-up to our website is made.

The applicable data protection provisions of Twitter may be accessed under https://twitter.com/privacy?lang=en.

20) Data protection provisions about the application and use of Disqus

On our website we offer you the opportunity to post comments about individual blog articles. The operating company of Disqus is Disqus, Inc., 301 Howard Street, Suite 300, San Francisco, CA 94105, United States.

Disqus is an interactive comment service that allows users to post comments on all websites that use the Disqus service with a single sign-on to the provider. Users can also sign-up and sign-in with existing accounts with Facebook (via Facebook Connect), Twitter, Yahoo, and OpenID. Posting comments is also possible without registration and sign-in (as “Guest”). More information about Disqus and its service can be found at www.disqus.com.

When posting comments, your data is processed and stored with that provider. You can access the provider’s Privacy Policy at https://help.disqus.com/terms-and-policies/disqus-privacy-policy.

If you sign-in to Disqus using your Facebook, Twitter, Yahoo or OpenID account, these providers may also collect, process, and store data. Please refer to the privacy policies of the respective provider for further information. We reserve the rights to delete inappropriate comments or spam.

21) Mailing lists

If you subscribe to our mailing list, you will be automatically subscribed to receive email updates.

We use Constant Contact to manage our email marketing. Constant Contact operates as a business unit of Endurance International. Constant Contact stores their data in the US, they comply with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework. They do share data with third parties. Visit Constant Contact website for their privacy policy at https://www.endurance.com/privacy.

You can change your email marketing preferences at any time, by clicking ‘unsubscribe’ on any of our emails or by contacting: privacy@pra.com.

22) Your rights

By providing us with your personal data, you consent to the collection and use of any information you provide in accordance with the above purposes and this privacy statement. You have the right to ask for a copy of the information we hold about you and to have any inaccuracies in your information corrected.

If you want to exercise these rights or update your personal details, please contact privacy@pra.com.

23) Data subject rights

As an individual whose personal data is processed by PRA. you have the following rights:

To exercise any of these rights, please email privacy@pra.com to get in touch.

24) Employees and job applicants

If you apply to work at PRA, we will only use the information you give us to process your application and to monitor recruitment statistics. If we need to disclose information to someone outside PRA – for example, if we need a reference, or need to get a ‘disclosure’ from the Criminal Records Bureau – we will make sure we tell you beforehand, unless we are required to disclose this information by law.

If you are unsuccessful in your job application, we will hold your personal information for 12 months after we finish recruiting the post you applied for. After this date we will destroy or delete your information.

If you begin employment with us, we create a file about your employment. We keep the information in this file secure and will only use it for matters that apply directly to your employment.

Once you stop working for us, we will keep this file according to our record retention guidelines. You can contact us, privacy@pra.com, to find out more about this.