Credence Research Inc. – General Data Protection Regulation (GDPR) Compliance Policy

  1. Introduction

Credence Research Inc. (“the Company,” “we,” “us,” or “our”) is committed to protecting the privacy and security of personal data. This policy outlines our commitment to complying with the General Data Protection Regulation (GDPR) (EU) 2016/679 and related data protection laws. This policy applies to all personal data processed by Credence Research Inc., regardless of where it originates.

  2. Scope

This policy applies to all employees, contractors, consultants, and any other individuals or entities processing personal data on behalf of Credence Research Inc. It covers all personal data processed in electronic and physical formats.

  3. Definitions
  • Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Data Subject: The natural person to whom personal data relates. 
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Credence Research Inc. is the data controller.
  • Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.
  • Data Protection Officer (DPO): An expert appointed by the controller to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs), and act as a contact point with the Supervisory Authority.
  4. Principles of Data Processing

Credence Research Inc. adheres to the following GDPR principles:

  • Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: We will only collect personal data for specific, explicit, and legitimate purposes, and we won’t further process it in a way that conflicts with those purposes.
  • Data Minimization: We will limit the amount of personal data we process to what is necessary, adequate, and relevant.
  • Accuracy: Personal data will be accurate and, where necessary, kept up to date.
  • Storage Limitation: Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and Confidentiality (Security): Personal data will be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  • Accountability: Credence Research Inc. is responsible for and able to demonstrate compliance with the GDPR principles.
  5. Lawful Bases for Processing

Credence Research Inc. will only process personal data when a lawful basis exists, including:

  • Consent: The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Contract: Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
  • Legal Obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Vital Interests: Processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
  6. Data Subject Rights

Credence Research Inc. respects the rights of data subjects, including:

  • Right to Access: The right to obtain confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data.
  • Right to Rectification: The right to obtain without undue delay the rectification of inaccurate personal data concerning them.
  • Right to Erasure (‘Right to be Forgotten’): The right to obtain the erasure of personal data concerning them without undue delay in certain circumstances.
  • Right to Restriction of Processing: The right to obtain restriction of processing in certain circumstances.
  • Right to Data Portability: The right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.
  • Right to Object: The right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them.
  • Right not to be subject to automated decision-making, including profiling: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
  • Right to withdraw consent: Where the lawful basis of the processing is consent, the data subject can withdraw their consent at any time.
  7. Data Protection Impact Assessments (DPIAs)

Credence Research Inc. will conduct DPIAs where processing is likely to result in a high risk to the rights and freedoms of natural persons.

  8. Data Security

Credence Research Inc. implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption and pseudonymization of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing, and evaluating technical and organizational measures to ensure the security of the processing.
  9. Data Transfers Outside the EEA

Where personal data is transferred outside the European Economic Area (EEA), Credence Research Inc. will ensure appropriate safeguards are in place, such as:

  • Adequacy decisions by the European Commission.
  • Standard contractual clauses (SCCs).
  • Binding corporate rules (BCRs).
  10. Data Breach Notification

Credence Research Inc. will notify the relevant Supervisory Authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Affected data subjects will also be notified without undue delay when the data breach is likely to result in a high risk to their rights and freedoms.

Management: Management is responsible for ensuring that all employees are aware of and comply with this policy.

Employees: All employees are responsible for adhering to this policy and reporting any potential breaches of data protection.