IDENTITY OF THE DATA CONTROLLER
Seqalis™ is a trademark of BIO.be S.A. set up in accordance with Belgian law, with registered offices at Avenue George Lemaître 25, 6041 Gosselies, Belgium and registered with the Crossroads Bank for Enterprises under number BE 861.738.595 (hereinafter referred to as “Seqalis™”, “we”, “us”, “our”).
Our company primarily provides services in the fields of molecular biology, anatomical pathology, and genetic analysis.
This Policy is an integral part of our terms and conditions (available at seqalis.com) and applies to you when you access or use our Services (as defined in these terms and conditions). If you choose not to provide the Data we request, we may not be able to provide you with all of our Services.
The Policy applies to any processing of your Data by Seqalis™. Please note that in some cases, we may conduct the activities mentioned in this Policy as a processor acting on behalf of our customers. This distinction is clearly made in the Policy.
COMMITMENT TO DATA PROTECTION
Seqalis™ undertakes to use its best efforts to make its data processing activities compliant with applicable data protection legislation, including Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and the Law of 30 July 2018 relating to the protection of natural persons with regard to the processing of personal data, as amended, supplemented or replaced from time to time (“Data Protection Legislation”).
HOW DO WE COLLECT YOUR DATA (SOURCES)?
Depending on the nature of your relationship with Seqalis™, we may collect your Data directly or indirectly in a number of ways:
- In the context of and during business, contractual and pre-contractual relationships with data subjects;
- In the course of providing our Services;
- When the Data is directly provided by you or collected with your permission;
- When you contact us directly by email, telephone, post, text message, via our Website, or in another manner;
We may also collect information on third party websites (e.g. LinkedIn, when you apply to us). Finally, we also collect information that we receive from other sources. We sometimes work closely with third parties (including, for example, business partners, outsourced technical services subcontractors) who may share information with us.
WHICH CATEGORIES OF DATA DO WE COLLECT AND FOR WHAT PURPOSES?
The majority of our business activities are carried out as a processor (Article 4(8), GDPR), as we process Data based on the instructions of our customers, who are therefore considered to be the data controller (Article 4(7), GDPR).
The Data we process includes:
In our role as processor
- Patient Data (e.g. patient ID, sample ID, gender, date of birth, date of collection, patient country) in the conduct of research on human subjects and developments (molecular biology, cytogenetics, anatomical pathology) and molecular biology, cytogenetics and anatomical pathology analysis (non-research);
In our role as data controller
- Personal identification data (e.g. name, first name, email address, business phone number) for the management of customer or prospective customer records, implementation of our customer support, IT support; contract management (e.g. order management, delivery, service execution or provision of goods, invoices and payments);
- Personal identification data (e.g. the identity of the physician-investigator) for the conduct of experiments on humans (e.g. for a research project);
- Personal identification data (e.g. name, first name, address, email address, date of birth, criminal convictions, family data, marital status, bank account, national number, photos, gender, genetic data, data on sex life, ethnicity) for research requiring examination of genetic characteristics: paternity testing (ordered privately or by a court);
- Technical information (electronic data including the IP address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in type and versions, operating system and platform, device ID, etc. on each visit to our Website) for the purpose of implementing our IT support, detecting and preventing fraud and IT security vulnerabilities, improving our Website to ensure the content is presented in the most effective way for you and your computer/device;
- Video recordings (images) of you, processed solely in the context of monitoring our buildings using surveillance cameras (CCTV) and to the extent permitted by applicable law;
- Payment order information (for example, name and other data identifying the customer, destination country for payment transaction, amount and currency of payment transaction; International Bank Account Number (“IBAN”) when the bank account is identified using an IBAN, or the corresponding bank account code, as applicable) for invoice management;
- Data concerning your professional credentials (business function, business address, etc.), for managing supplier records and managing our relationships with our suppliers;
- Data relating to your use of our Website (pages visited, links clicked, time spent on a page, etc.), processed as aggregated and only for the purpose of improving user experience on our Website;
- Personal information of a professional nature (e.g. job responsibilities, name, workplace) in order to review and evaluate your application when applying through our Website or a third-party site (e.g. LinkedIn);
- General information about you based on messages you post on third-party sites, or via comments/opinions, or when you contact us by email, post, phone or any other communications channel, in order, for example, to answer any questions/requests from you;
- Any other information about you that needs to be processed in accordance with our terms and conditions of sale (available on seqalis.com).
We may process certain special categories of Data when, in general, their processing is necessary for the establishment, exercise or defence of legal claims, or specifically, for paternity testing based on your consent (Memorandum of Understanding) or an agreement when the request is issued by a court. Finally, we also collect your Data to conduct business restructuring operations; to carry out internal and external audits; and to manage disputes with customers, suppliers and other data subjects.
LEGITIMATE INTERESTS BASIS
The provision of your Data may be necessary:
- To execute a contract to which you are a party or to perform pre-contractual measures at your request;
- To comply with a legal obligation applicable to Seqalis™ (e.g. invoicing, fraud detection, taxation, etc.);
- Based on your consent (for example, as part of a paternity test performed for an individual);
- For the purposes of legitimate interests pursued by Seqalis™ provided that such interests override your rights and fundamental freedoms (for example, for securing our IT systems, conducting corporate restructuring transactions, etc.);
Seqalis™ does not make decisions relating to data subjects based solely on automated processing which produce legal effects concerning them or similarly significantly affect them.
The possible consequences of not providing your Data may include our inability to fulfil our obligations under a contract or a breach by us of one or more obligations under applicable laws (e.g. accounting, taxation or financial laws).
If applicable, we will transmit your Data to the following recipients:
- Our internal services if and to the extent necessary to fulfil certain legal obligations or to safeguard our legitimate interests. This may be the case, for example, for internal administrative purposes. This includes coordinating services for our customers, the centralised provision of internal services, etc.;
- Our data controllers when Seqalis™ acts as a processor (e.g. IPG labs);
- Our legal advisers and/or lawyers (including debt collection agencies) in connection with business restructuring transactions or litigation;
- External service providers related to the operationalisation and maintenance of information systems processing your Data (such providers only have access to the Data to perform their roles);
- Recruitment service providers;
- Government entities authorised to access and/or obtain your Data in accordance with applicable law;
- Judicial courts and tribunals (for example in the case of a dispute involving you);
- Law enforcement authorities in the event of a finding or suspicion of an offence involving you, in accordance with or as required by applicable law.
We will also disclose information to third parties:
- In the event that a company or asset is purchased or sold, we reserve the right to disclose your Data to the seller or purchaser of that company or asset; in such transactions, if Seqalis™ (or all of its assets) is purchased by a third party, the information concerning its customers will be part of the assets transferred;
- If we are required to disclose or share your Data to comply with a legal obligation or to protect the rights, property or safety of Seqalis™, our customers or others. This includes sharing information with public authorities (including judicial and police authorities) in the event, for example, of a cyber incident;
- If necessary to achieve any of the purposes described in Section 4 of this Policy.
We take appropriate steps to ensure that our processors process your Data in accordance with Data Protection Laws.
We also ensure that our processors undertake, amongst other things, to process your Data only in accordance with our instructions, not to engage another processor without our agreement, to take appropriate technical and organisational measures to ensure the security of your Data, to make sure that the persons authorised to access your Data are subject to confidentiality obligations, to return and/or destroy your Data at the end of their services, to comply with audits, and to provide us with assistance to ensure a response to your requests to exercise your rights in relation to your Data.
TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA
Seqalis™ will not transfer your Data outside the European Economic Area (“EEA”). If this were to occur, however, Seqalis™ will ensure that your Data is protected as follows:
- The legislation of the country to which your data is transferred provides equivalent protection (Article 45 GDPR);
- Transfer of data will depend on approval of data protection clauses by the European Commission (Article 46 (2) GDPR);
- The transmission is based on binding corporate rules (Article 47 GDPR), an approved Code of Conduct (Article 40 GDPR), an approved certification mechanism (Article 42 GDPR), an approved transfer agreement (Article 46 (3) GDPR), or data protection clauses adopted by the Supervisory Authority (Article 46 (2) GDPR).
STORING YOUR DATA
We ensure that your Data will only be kept for the period necessary with regard to the purposes (described in Section 4) for which they are processed.
Seqalis™ uses the following criteria to determine the storage periods of the Data based on the context and purpose of each processing:
- The date of the end of your business relationship with Seqalis™;
- Instructions given by data controllers in data processing agreements;
- The sensitivity of the Data;
- Security reasons (e.g. the security of our information systems);
- In connection with any pending or future judicial proceedings, including any request for disclosure issued by a court or competent authority;
- The guidelines issued by the competent authorities (e.g. the European Data Protection Supervisor, the Belgian Data Protection Authority, etc.);
- Our contractual rights and obligations in connection with the Data in question;
- Statutes of limitations under applicable law(s);
- Our legitimate interests in the context of processing when we have carried out balancing tests;
- The processing of your Data is necessary in connection with a real or potential dispute (e.g. we need this information to establish or defend rights), in which case we will keep your Data until the end of such litigation; and/or
- Storage is necessary to enable us to comply with any legal or regulatory obligations (e.g. for tax purposes), in which case we will keep your Data as long as necessary under this obligation.
RIGHTS WITH REGARD TO YOUR DATA
Subject to Data Protection Laws, you have certain rights in respect of the Data we hold about you. These rights may be exercised by contacting us in accordance with Section 14 below:
- The right to be informed. You have the right to be informed in a clear, transparent and easily understandable manner about how we use your Data and about your rights. For this reason, we provide you with all of this information in this Policy;
- The right of access. You have the right to access the Data we hold about you. Indeed, we would like you to be aware of the information we have about you and would like to give you the opportunity to check if we are processing your data in accordance with Data Protection Laws;
- The right to restrict processing. You have the right, in certain circumstances, to “block” or stop future use of your Data. When processing is restricted, we are still entitled to keep your Data, but we cannot use them;
- The right to rectification. If your Data are inaccurate or incomplete, you have the right to request rectification;
- The right to erasure. You have the right to have your Data erased. However, the right to erasure (or “right to be forgotten”) is not absolute and is subject to special conditions. We may retain your Data to the extent permitted by applicable law, including when processing is necessary for compliance with a legal obligation to which Seqalis™ is subject or for the establishment, exercise or defence of a legal claim;
- The right to make a complaint. You have the right to make a complaint regarding how we handle or process your Data with the national data protection authority (contact information for other national data protection authorities is available here). For Belgium this is: The Data Protection Authority, Rue de la Presse 35, 1000 Brussels, +32 (0)2 274 48 00, firstname.lastname@example.org, https://www.autoriteprotectiondonnees.be/ ;
- The right to withdraw your consent. If our processing of your Data is based specifically on your agreement, you have the right to withdraw your consent at any time;
- The right to data portability. In certain circumstances, you have the right to receive your data from us, in a structured, commonly used and machine-readable format so that you may reuse them for your own purposes in connection with separate services;
- The right to object to processing. You have the right to object to the fact that your data are used for a specific purpose on “grounds relating to your particular circumstances”, except for direct marketing, to which you may object without grounds;
- The right not to be subject to automated individual decision-making. You have the right to object to a fully automated decision i.e. a decision where there is no human intervention that contributes (effectively) to the decision-making and therefore cannot change the decision. Seqalis™ makes no fully automated decisions regarding data subjects;
Please note, however, that we may retain certain information, for example for legal or administrative purposes.
To submit any of the above-mentioned requests, please email us at email@example.com indicating “data protection request” in the email subject line. We will respond to your request as soon as possible. In the event that we need more than one month to respond to your request (from the date of receipt), we will keep you informed.
We take appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of your Data.
For example, Seqalis™ has taken reasonable technical and organisational precautions to protect the Data against unauthorised or unlawful access.
We follow industry best practices to ensure protection against accidental or unlawful loss, destruction, alteration, unauthorised disclosure of or access to the Data.
Seqalis™ reserves the right to update this Policy from time to time. Any changes we make to our Policy in the future will be published on this page. Please check it regularly to track updates or changes. The continued use of this Website, following the publication of changes to the Policy, implies your acceptance thereof.
In the event of any conflict or inconsistency between any provision of this Policy and any other Seqalis™ policy or document relating to Data Processing, the provision of this Policy shall prevail.
This Policy was last updated on 10 December 2020.
HOW CAN YOU CONTACT US?
If you have any questions or comments regarding this Policy, you may send them in writing to the following address: For the attention of Seqalis™ Legal Department, Avenue George Lemaître 25, 6041 Gosselies, Belgium, or by email to: firstname.lastname@example.org