Privacy Notice 2018


Performance Review Institute Inc. (“PRI”, “we”) knows that you care about how your personal information is collected and used, and we appreciate your trust in our commitment to do so carefully and thoughtfully. PRI continually considers the organizational and technical steps we need to take to protect your information against loss, misuse, unauthorized access, unauthorized disclosure, manipulation, or destruction. This privacy notice (“Privacy notice”) describes what personally identifiable information (“PII”) we collect, including from our websites and ICIMS, how we collect and use it, how we protect that information, and the rights that you have in relation to your PII.

In some cases, your PII is collected, processed and stored by PRI via third party websites. We do not control these third party websites and are not responsible for the content or the privacy practices employed by other sites. When you leave our Website, we encourage you to read the privacy notice of every website you visit.

About Us

This Website is operated by PRI. Our registered office is 161 Thorn Hill Road, Warrendale, Pennsylvania 15086-7527, USA.

Except as otherwise described in this Privacy notice, we are the “controller” of the PII we collect about you from the Website for the purposes of the EU General Data Protection Regulation 2016/679 (the “Regulation”). This means that we determine the purpose for which, and the means by which, we process your PII and we are directly responsible for handling this data in accordance with the Regulation. For the purposes of this Privacy notice, our affiliates identified in the Affiliates section of this Privacy notice are joint controllers in respect of the PII (in that they jointly determine the purpose for which the PII is processed and the means by which the PII is processed), and this Privacy notice is issued by us on behalf of these affiliates.

Contact Person

PRI has appointed a Data Protection Officer to ensure that PRI follows its Data Protection Policy and its practices are consistent with those described in this Statement.  Please contact if you have any questions about your PII and PRI’s processing of it, or questions about this Privacy notice. Alternatively, you may write to:

Data Protection Officer
Performance Review Institute
1 York Street
London W1U 6PA
United Kingdom


PRI reserves the right to update this Privacy Statement at any time. The most current version is available at

What Information We Collect

PII means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of PII about you which we have grouped together as follows:

  • Identity Data includes your name, username or similar identifier, employer, job title.
  • Contact Data includes work address, work email address and work telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to access this Website.
  • Profile Data includes your username and password, purchases or orders made by you, feedback and survey responses.
  • Usage Data includes information about how you use our website, products and services. Usage data may be provided voluntarily or involuntarily – see the section below on How we Collect Your PII.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How We Collect your PII

When you visit the Website, we collect information about you and your visit. This primarily takes three forms:

  • Information you voluntarily provide when registering at PRI websites or when communicating with PRI: You may give us your PII by filling in forms or by corresponding with us by email. This includes PII you provide when you:
    • apply for our products or services;
    • create an account on our Website;
    • request a quote for our products or services;
    • download resource material;
    • request support;
    • participate in industry managed programs, training and more;
    • subscribe to our service or publications;
    • request marketing to be sent to you;
    • enter a survey; or
    • give us feedback or contact us.
  • Information you involuntarily provide: As you interact with our Website, our server automatically logs information about your visit. This information includes things like the website address you came from, the browser you are using, your numeric internet address, the date and time of your visit, and what pages you are viewing. Collection of these types of information is a common practice by websites.
  • Information provided by you or your business associates, needed to execute business: In addition to collecting the information noted above, the Website provides a means to share information, including PII, required to comply with industry-managed program procedures. This includes company Website account management and the provision of objective evidence to support the capability assessment process, which may include PII.

PRI does not collect personal information from, or share information with, organizations that aggregate PII for purposes unrelated to PRI business.

How We Use Your PII

We have set out below a description of all the ways we plan to use your PII and which of the legal bases we rely upon to do so.

  • Confirming your identity if we do not know you or your role at your organization

We may also need your PII to comply with a legal obligation relating to how we manage our business or our relationship with your organization.

  • To manage our relationship with you by asking you to take a survey

Necessary for our legitimate interests to keep our records updated and to study how customers use our products/services.

  • To process job applications submitted to PRI

Necessary for our legitimate interests in considering candidate applications for job vacancies and contacting you about them as well as retaining them for future opportunities.

  • To administer and protect our business and this Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise).

  • To make suggestions and recommendations to you about goods or services that may be of interest to you (e.g. programs and training).

Necessary for our legitimate interests in studying how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy.

  • To establish, exercise or defend against legal claims.

Necessary for our legitimate interests in establishing, exercising or defending against legal claims.

Where our or a third party’s legitimate interests are stated as being the legal basis for how we use your PII, we make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your PII for our legitimate interests. We do not use your PII for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at the contact address above.

Where we need to collect PII by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.


We strive to provide you with choices regarding certain PII uses, particularly around marketing communications. By sending an e-mail for the purpose of enquiring about how our services could help your organization to any individual with a domain or by submitting such an enquiry using the contact details in the ‘Contact Us’ section of the Website for this reason, you agree that we can contact you about the services that we may be able to provide to you, which may be the same or similar to those that you have enquired about or that your organization already receives from us. We will process your PII to contact you in this way and the legal basis for this processing will be our legitimate interest in marketing and communication about services that may be of interest to you or your organization.

You are entitled to object to us contacting you by email or by telephone for this reason at any time. If you subsequently decide that you do not want to hear from us about the services we could provide to your organization, please let us know by emailing us at with the subject heading “Unsubscribe” or please click the “unsubscribe” link at the bottom of any marketing email that we have sent to you. Objecting will not affect our use of the PII prior to objecting but it will mean that we will not be able to contact you about the services we may be able to offer your organization in the future.

Third-party Marketing

PRI does not share your personal data with any third parties. We do not envisage sharing your personal data with any third parties. In the event that this position changes, we will notify you in writing.

Data Protection and Security

PRI protects the security of your PII when you exchange that information with PRI websites. PRI uses industry-standard TLS (Transport Layer Security) and Secure Sockets Layer (SSL) technology when exchanging this information, which encrypts the information during transit. PRI also maintains firewall and other managed software, as well as physical and procedural safeguards, to protect systematically stored data.

PRI abides by the principles of privacy by design and default, and PRI retains data in accordance with the policies outlined in its company policies and program procedures.  PRI employees are bound by its Data Protection Policy, a copy of which can be obtained by emailing  PRI conducts regular training for its staff on data protection practices and policies, and PRI engages in annual cybersecurity and controls audits.

It is important that you protect your user ID and password for all applicable PRI websites. If you are logged in to any PRI website from a shared computer, be sure to log out when you are finished with a visit; a logout button can be found on nearly every page of our site.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will take appropriate measures to protect your PII, we cannot guarantee the security of the PII you provide to the Website and any transmission by you of it to us is at your own risk.

Data Retention Practices

We will only retain your PII for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purpose of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your PII for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you or your organization. Our approach to data retention is detailed in our Records Retention and Disposition Policy, which is available on request.

HTTP Cookies

PRI websites use HTTP cookies, which are small text files stored on your computer and used to identify your web browser and store text information that can be used to customize your website experience. Cookies collect information about your interaction with the Website such as your IP address, traffic data, clickstream information, time stamp, location data, web logs, other communication data and the resources that you access. Cookies are used on PRI websites to provide a more personalized experience, process transactions, maintain customer records, and obtain statistics and other analytics regarding website usage. For example, Cookies can help us to:

  • identify how much traffic various areas of the Website receive;
  • determine when we should schedule site maintenance;
  • determine demographic profiles of our visitors; and
  • optimise the site for common browsers used at the Website.

Some PRI cookies are used to save you time by remembering your login and maintaining your session. Other PRI cookies are used for personalizing your visit and allowing you access to customized website features. Cookies help the PRI servers identify who you are and your relationship with PRI, enabling us to provide you with appropriate access to various areas of the site.

To the extent the information we collect from you using cookies is PII, we use it to ensure that content from the Website is presented in the most effective manner for you and your device because it is in our legitimate interest to improve our customers’ online experience in relation to the Website.

PRI websites use both session and persistent cookies. Session cookies are stored in your browser’s memory and disappear when you shut down your browser or have no activity at a site for a defined period of time. Persistent cookies get written to your computer’s long-term memory and thus can stay on your computer to identify you for an extended period of time.

By continuing to use the Website you consent to our use of cookies as explained in this Notice.

The following table sets out the type of cookies used on our Website and provides details about what they are used for. When you use the Website for the first time, one cookie, which is essential to make our Website operate (see those identified as “essential cookies” below), will have been set, but other cookies will not have been set unless you agreed to those cookies being set at that time. If you have agreed to accept cookies then the Website will remember this and continue to set cookies each time you visit. If you do not want cookies to be stored, then you may turn off certain cookies listed below individually or you can select the appropriate options on your web browser. Most Internet browsers allow you to accept, block, or delete cookies (including essential cookies) as you see fit. You can consult the “Help” and other menu items of your particular browser to learn different ways to manage your cookies. Because certain of our Website functions rely on cookies, the way you manage your cookies may impact your browsing experience or, in some cases, limit what the PRI websites can do for you. Depending on how you manage cookies, you may not be able to take advantage of personalization of the site or other site features and services.

  • Essential cookies

These are required for the operation of our Website.  They include, for example, cookies that enable you to log into secure areas of our website and to customize your account and news profile and cookies that allow us to recognize that you have agreed to conditions you must accept to view certain pages or documents or registered for alerts.

  • Analytical / Performance Cookies

These allow us to capture traffic and usage patterns, for example, to recognise and count the number, types and locations of visitors to our Website and to see how visitors move around our Website when they are using it. This helps us to improve the way our websites work, for example, by ensuring that users are finding what they are looking for easily, and to otherwise improve our users’ experience and understand the types and locations of visitors to our Website.

  • Functionality Cookies

These Cookies are used to recognize you when you return to our Website. This enables us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

  • Marketing or Targeting Cookies

These Cookies record your visit to our Website, the pages you have visited and the links you have followed. We may use this information to make our Website more relevant to your interests.

Third party cookies

Please note that Google and other third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies as a result of you visiting other websites, over which we have no control.


PRI does not knowingly collect information about children under age 13 through its Websites. PRI will not contact children under age 13 for marketing purposes, nor will PRI knowingly exchange with any third party information it stores about children under age 13.

Who we share PII with

We share aggregate demographic information with our business partners. This data is not linked to any PII.

PRI does not sell your PII to any parties that systematically collect PII for marketing purposes unrelated to PRI business.

We partner with third parties to provide specific services, such as those below:

  • Communication Tools

These are required to enable PRI to communicate effectively and efficiently with external stakeholders.

  • Recruitment Tools

To enable us to evaluate candidate applications

  • Affiliate organizations (SAE International)

For streamlined data hosting services

For you to successfully participate in associated activities, we share with the third party only that information which is necessary for the purpose of providing said services.  PRI communicates an expectation to all its partners and third parties providing such services that those partners maintain appropriate safeguards around your PII and comply with all applicable regulations.

PRI may be required to provide information about its customers or prospective customers to law enforcement or government agencies if requested or necessary.

International Transfer of PII

PRI may transfer your PII internationally, including to third party companies (designated Processors) insofar as this is expedient for the Data Processing described in this Privacy Statement. The recipients will be obliged to protect your PII to the same extent as ourselves. PRI will take appropriate measures to ensure and maintain oversight of our designated data processors’ activities with regard to protecting the PII entrusted to them, including establishing an Intra-Group Data Transfer Agreement including EU Standard Contractual Clauses. The PII that we process may be transferred to one or more countries outside the European Economic Area (“EEA”) which have not yet been deemed by the European Commission to offer adequate data protection. For example, the eAuditNet website is hosted on a server owned by PRI and housed in the USA whilst all other PRI websites are hosted outside of PRI and on servers around the world. With specific reference to the eAuditNet website, this is available regardless of user location; consequently, it may be accessed from any country in the world. We have taken the following steps to ensure an adequate level of data protection in the country of the recipient: restricted staff access to personal information throughout our systems; anonymization of personal information in eAuditNet after a specified period of time and in accordance with our industry managed program’s data retention policy; deletion of PII from PRI website in accordance with our industry managed program’s data retention policy; minimizing PII collection and storage duration.

If you wish to obtain a copy of these safeguards, please contact us at the contact address above.

Your Rights and Responsibilities

You maintain control of the personally identifiable information that PRI collects and stores about you. PRI provides means, through the “Edit Profile” pages on its Website and/or by contacting PRI staff, for you to correct, update, and delete/deactivate your personally identifiable information and preferences on our Website.

Your Rights

Under certain circumstances you have the right with respect to the PII that PRI collects about you from its Website:

  • to request access to that PII;
  • to receive a copy of the PII that you have provided to PRI in a structured, commonly used and machine-readable format so that you can share it with others;
  • where that PII is inaccurate or incomplete, to ask for the PII to be rectified or completed;
  • to ask for that PII to be erased;
  • to object to us processing your PII by asking for the processing of that PII to be restricted or stopped; and
  • to withdraw your consent to processing, in the limited circumstances where you may have provided your consent to the collection, processing and transfer of your PII for a specific purpose. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. Please note that the withdrawal of your consent will not affect the lawfulness of any processing of PII based on your consent before its withdrawal.

You have the right to exercise your data protection rights at any time and to request information as to whether and which PII relating to you has been processed by PRI. As stated above, if you want to update or delete your PII in relation to your profile on the Website, you can do so through the “Edit Profile” page on the Website. You may also request to exercise your above rights at any time in writing by contacting the following address: We reserve the right to exchange correspondence with you in this regard. Please note that PRI may be required to retain some or all of your PII even after a request for erasure where there is a lawful reason or obligation to do so.  You may object at any time by email to the processing of your PII for marketing purposes. In addition, you have the right to make a complaint concerning the data processing in question with the relevant supervisory authority. You can do this with the supervisory authority at your place of residence, at your place of work or at the place of the alleged data breach.

Our Affiliates

For the purposes of this Privacy notice, the following companies within the PRI Group will be joint data controllers of the personal data:

  • SAE International
  • Thorn Hill LLC