Caliper provides personality information to its clients for the purpose of determining whether prospective job candidates exhibit personality profiles consistent with success in a given job role. This information is used by the client as a point of information, among others, in selection of potential employees and/or in determinations of future development potential and/or best methods for employee development. In doing so, Caliper acts as a Data Processor, who processes and scores the collected data on behalf of its client (the employer or prospective employer) who acts as the Data Controller and instructs Caliper as to the type of report or analysis that it wishes to receive as well as details related to ongoing ways to evaluate such data and data retention.
Caliper collects personal data from Caliper’s client that includes the candidate’s name, email address, which product is requested (which may include which job or job category for which the candidate is being considered), the questionnaire language to be used and a time for deletion, when appropriate. If the assessment is being administered by paper, then it may also include the candidate’s phone number. Upon taking part in Caliper’s assessment services, the candidate would be asked to provide:
- Preferred salutation and name
- Password or social media information used to access Caliper assessments
- If the questionnaire is “US English”, then Caliper assumes that the candidate is a resident of the U.S. and will ask for consent, which is optional for the candidate, to provide supplemental personal data, such as age category, race/ethnicity, and gender.
Caliper also collects the following data through use of the website:
- IP address used to access Caliper assessments
- Number of times logged in to Caliper assessments
- Time spent answering Caliper assessments
- Browser/Operating system used to take Caliper assessments
- Responses to questions in the assessment questionnaire, and
- Google Analytics, to understand how the site is being used
Caliper collects the above-mentioned personal data in order to:
- provide its personality assessment services to clients
- continually develop and improve its assessment services
- use the supplemental personal data for assurance that the assessment has no adverse impact as to the groups referenced.
- debug in the event of an issue answering or accessing our assessments
Data is used anonymously as extensively as possible. Only Caliper employees with appropriate access rights can view and/or analyze this data. In the event that age/gender/race has been provided, such information is only combined for internal research and legal compliance purposes. It is not used in any manner in report generation.
Personal data received by Caliper in the provision of our assessment and consulting services may be shared or provided as follows:
- with any member of the Caliper group, which means Caliper’s subsidiaries or Caliper’s ultimate holding company and its subsidiaries
As part of Caliper’s normal processes, Caliper does not share data with any third party for purposes that are outside the scope of our products and services. In addition, we will never share, sell, or rent your data for promotional use. Should such data be shared in contravention of these policies, then Caliper is subject to liability for such violation.
For secure storage, the personal data is stored and processed at a secure cloud storage facility outside of Caliper’s headquarters. Caliper currently uses AWS for such process and storage.
In most instances, Caliper is the “Data Processor” processing an individual’s data for our clients, the “Data Controller” or another “Data Processor”, pursuant to their direct written requests and instructions. Caliper will comply with the time limits or other terms agreed to with that customer Controller or Processor, unless we are compelled by applicable laws and regulations to delete such data sooner, or to retain it further. Caliper’s customer is the owner and Controller of the data that Caliper processes, and assumes the responsibilities and obligations to ensure that data is not processed for non-legitimate purposes. We will delete an individual’s personal data at the direction of our client, or from a request from that individual in coordination with our client.
If applicable, for more information about how your Personal Data may subsequently be retained on a per product basis, please contact the DPO.
Assessment Results and Reports
Caliper’s assessment results, consultations, and written reports are provided under agreement with its client. Any sharing of such results or reports to a candidate, employee, or other party is entirely at the discretion of the client.
Service Development and Supplemental Research
For the purposes of Caliper’s own research and development, and with the agreement of our clients, Caliper may request the clear and express consent of assessment candidates to use their personal data in such research. Such consent will always be entirely optional to the candidate and/or employees and of no effect on the related assessment or consulting service.
Research-consenting candidates nevertheless have the right at any time to require Caliper to stop using their personal data in such research by email to Caliper at: firstname.lastname@example.org.
Access to Data
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:
- Request access to your personal data;
- Request correction of your personal data;
- Request erasure of your personal data;
- Object to processing of your personal data;
- Request restriction of processing your personal data;
- Request transfer of your personal data;
- Right to withdraw consent.
To exercise any of the above rights, please email your request to the company for which you had taken the assessment first. Such company controls the data and will be able to properly address your request.
Technical Security Measures:
Caliper’s IT operates under a strict security guideline. The IT systems that Caliper uses to store personal data are housed, maintained, and operated on cloud-based systems through Amazon Web Services (AWS). They are managed under strict security guidelines. Systems cannot be operated without compliance with these rules. The IT Department is responsible for enforcing the necessary measures and for educating staff regarding these measures. More information on AWS security guidelines can be found here: AWS Cloud Compliance Programs.
System Hardware and Application Access: Access to customer data and personal information is provided to employees whose roles require access to complete their job functions. All of these permitted individuals are Caliper employees and subject to the supervision and directive of IT Department management. Caliper does not provide direct access rights to any Caliper vendors or customers. The access is established only by secure connection. To establish a connection and to get access to a device, the user must be identified and confirmed as having the permissions to gain access. The identification management is operated by utilizing identification numbers, passwords, certificates, and two factor authentication. The password procedure requires a combination of numerals and letters that is between 8 and 20 characters, and it prohibits the use of ordinary words; the individual’s name, telephone number, or birth date; or any other easily guessed password. Periodic modification of users’ passwords is required, at a minimum of every 90 calendar days. Only a limited number of Caliper IT managers possess the administrative rights and knowledge to establish permissions and administrative rights for Caliper employees. A user who forgets a password shall apply to the IT Department for a new password, which the information systems manager shall issue upon confirming the identity of the requesting user.
Access Control (rights)
Only those with the established permissions can access and view the personal data (e.g. assessee name, month and date of birth, name of employer, and responses to Caliper Profile questionnaires). Permissions are determined by an employee’s job function and relationship to the customer and/or data. Only IT and Customer Service Department supervisors can make decisions about permissions for an employee, and only they can request that permissions be expanded or contracted. Caliper IT Department personnel will then reconfigure permissions as authorized and directed. Personal data obtained for the purpose of doing business are gathered via encrypted web pages that are completed by customers. Access to data requires a separate and unique set of permissions.
Every transfer of personal data between data subject, or the assessee, and Caliper is submitted via Caliper’s online assessment instrument, which captures the subject’s responses. When transferring personal data and storage media containing information assets between Caliper US and an international office, media is protected against theft and misuse or defacement either via an encrypted VPN connection or in a non-electronic manner utilizing mediums such as a courier service.
All information hosted through AWS is incorporated into a corporate data backup policy. This policy includes a daily backup of all critical and personal data. For business protection purposes a redundant backup is also maintained at another location with Google Cloud Storage. Their security protocols are described in https://cloud.google.com/security/compliance/. Neither AWS nor Google has any access rights to the data.
Only a limited number of Caliper IT staff control and record the changing of settings in configurations as well as the installation, changing, and erasing of access rights for the databases with personal data. These log files are stored for six months.
EU–US Privacy Shield & Swiss–US Privacy Shield:
When Caliper’s are offered in Europe directly or by our European subsidiary companies, personal data of European Community residents will be transferred outside the EU, the European Economic Area (“EEA”), or Switzerland to Caliper’s US offices for processing. The US Federal Trade Commission has jurisdiction over Caliper’s compliance with the Privacy Shield.
Caliper is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Inquiries or Complaints from EU/Swiss Individuals
In compliance with the Privacy Shield Principles, Caliper commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Caliper at:
Caliper’s Data Protection Officer (DPO)
Caliper Management, Inc.
500 Alexander Park Drive, Suite 200
Princeton, NJ 08540 USA
Caliper has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities/commissioners with regard to data transferred from the EU/EEA and/or Switzerland.
If a complaint is unresolved, individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. For additional information, please reference Annex I, to the IDA’s Privacy Shield Framework, at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
For any questions or for further information, please contact:
Caliper Management, Inc.
500 Alexander Park Drive, Suite 200
Princeton, NJ 08540 USA