Privacy Policy

Version dated 22/11/2019

Print

1

Who are we?

  • Name: Fondation 101 Génomes ("we", "us/our")
  • Seat: Avenue de Sumatra 6, 1180 Uccle (Belgium)
  • Company number: 0684.609.172
  • Website: https://www.f101g.org/ or https://www.theimpatients.org/ (the "Website")
  • Contact details of the contact person for data protection matters: GDPR@f101g.org

2

Who are the data subjects?

2.1

We process personal data from:

  • participants (members of research cohorts (investigation or control) that we host);
  • data donors (persons who donate data to us or allow us access to their data);
  • donors (e.g. persons who donate money to us), fundraisers (e.g. persons who raise funds for us aka “impatients”) and sympathisers (e.g. persons who attend our events, etc.);
  • representatives of our partners organisations (e.g. research centres, associations and other organisations);
  • our suppliers' representatives;
  • candidates for employment with us;
  • visitors to our Website and work premises; and
  • other data subjects, (the "data subjects", "you/your").

2.2

This privacy policy (the "Policy") applies to any processing of your personal data by us.

3

What is our commitment regarding data protection?

3.1

We undertake to use our best efforts to bring our personal data processing activities into compliance with applicable data protection law including Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR") and the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, as amended, supplemented or replaced from time to time (the "Applicable Data Protection Law").

4

For which purposes do we process your personal data?

4.1

If you are a participant or a data donor, we process:

  • certain data concerning your health and certain biometric data for purely scientific research purposes (including for development and training of bioinformatics tools essential for research and for providing data analysis services). An updated list of scientific researches conducted on your data is available at any time on our Website at https://www.f101g.org/recherches/;
  • with your consent, your personal identification data and your contact data to offer you to participate in additional further specific studies (we obtain your consent by means of a specific consent form);
  • with your consent, certain data concerning your health, your biometric data, your personal identification data and your contact data to allow scientific researchers with access to your data to contact your general practitioner in the event of incidental discovery of pathogenic mutations with actionable effect as reported in the scientific literature (your general practitioner assumes full responsibility to inform you, as the case may be, of this discovery in accordance with applicable legislation and ethical rules);
  • with your consent, certain data concerning your health, your biometric data, your personal identification data and your contact data to obtain a genetic status report as part of a genetic analysis service provided by one of our partner organisations (e.g. research centres, associations and other organisations);
  • with your consent, certain data concerning your health, your biometric data, your personal identification data and your contact data to allow the practitioner in charge of your healthcare to conduct medical investigations related to your (or your relatives) health (e.g. in the case of cancer, pregnancy, birth, etc.);
  • your personal identification data, contact data and bank account number when preparing documents offering a right to a tax deduction for donations.

4.2

If you are a donor, a fundraiser or a sympathiser, we process:

  • your personal identification data and your contact data to help us organising events to promote our activities and keep you informed about our activities;
  • as the case may be, your bank account number to prepare tax deduction forms.

4.3

If you are a representative of one of our partners, we process:

  • your personal identification data, your professional identification data, your contact data and, where applicable, data concerning your professional experience, for the activation, management and maintenance of your partnership;
  • where applicable, your personal identification data, professional identification data and contact data for communication purposes.

4.4

If you are a representative of one of our suppliers, we process your personal identification data, professional identification data and contact data for the management of our commercial relationship with our suppliers.

4.5

If you are a candidate for employment with us, we process your personal identification data, professional identification data, contact data, data relating to your professional life (skills, qualifications, experience, etc.) and personal data contained in your curriculum vitae to assess your profile in relation to our recruitment needs.

4.6

If you visit our Website we may process your electronic identification data in aggregate form to measure the frequency on our Website, improve your browsing experience and to detect and prevent fraud and computer security breaches.

4.7

If our workplaces are equipped with surveillance cameras, we are able to request access to images about you only when such access is necessary to pursue our legitimate interest in detecting offences or incivilities and to the extent permitted by applicable law.

4.8

We may also process some of your personal data for the following purposes:

  • conduct operations to restructure our activities;
  • carry out internal and external audits;
  • manage disputes with data subjects and where processing is necessary for the establishment, exercise or defence of a legal claim.

4.9

We do not subject the data subjects to decisions based exclusively on automated processing that produces legal effects concerning them or that affect them in a similarly significant way.

5

In what capacity do we process your personal data?

5.1

We process your personal data in a capacity of data controller. In this context, we determine the purposes and means of the processing of your personal data.

6

On which basis do we process your personal data?

6.1

The provision of your personal data may be necessary:

  • for the performance of a contract to which the data subject is a party or for the performance of pre-contractual steps taken at your request (for example, in the event of a request to work with us);
  • for compliance with a legal obligation applicable to us (e.g. accounting, taxation, etc.) or with police solicitations;
  • to pursue our legitimate interests (or those of a data recipient) provided that these interests prevail over your fundamental rights and freedoms.

6.2

We ask for your prior, free and informed consent before processing some of your personal data (for example, whenever the processing of your data involves a transfer of your image rights).

6.3

The provision of some of your personal data (e.g. your personal identification data, etc.) may be a condition to enable us to provide you with our service or perform our activities.

6.4

The possible consequences of not providing your personal data may include our inability to provide you with our service or perform our activities or a breach by us of one or more obligations under applicable laws (e.g. accounting and tax laws).

7

Where do your personal data come from?

7.1

The personal data we process come from the following sources:

  • directly from you (e.g. during the first contact we make with you);
  • via our partners (research centres, associations and other organisations);
  • via the general practitioner, specialist or other caretaker in charge of your healthcare (and authorised staff working under their supervision);
  • from publicly available information (on the Internet), e.g. when we check the profile of candidates for employment with us.

8

Who has access to your personal data?

8.1

The following recipients may receive or have access to some of your personal data (only if necessary for the performance of their tasks):

  • the members of our operational staff have access to certain data concerning your health and certain biometric data;
  • the members of our administrative staff have access to the personal identification data, professional identification data and contact data of the representatives of our partners;
  • research centres, associations and other organisations working in collaboration with us (the "Research Organisations") process certain data concerning your health and certain biometric data (your "Research Data");
  • certain practitioners in charge of your healthcare and organisations whom you authorised to access your data (e.g. as part of a genetic analysis service);
  • the members of our staff tasked with monitoring our suppliers have access to personal identification data, professional identification data and contact data of our suppliers' representatives;
  • our legal advisors and lawyers have access to certain personal data of data subjects in the context of the restructuring of our activities or litigation.

8.2

We entrust the processing of some of your personal data to processors only to the extent necessary to carry out their tasks and in accordance with our written instructions and with Applicable Data Protection Law.

8.3

In the case of a restructuring of our activities (e.g. a financing operation), we may transfer certain personal data concerning a limited number of data subjects to a third party involved in the operation (e.g. a bank) in accordance with Applicable Data Protection Law.

9

How do we manage our processors?

9.1

We take appropriate measures to ensure that our processors process your personal data in accordance with Applicable Data Protection Law.

9.2

Among other things, we ensure that our processors undertake to process personal data only on our instructions, not to hire subprocessors without our prior authorisation, to take appropriate technical and organisational measures to guarantee the security of personal data, to ensure that persons authorised to access personal data are subject to adequate obligations of confidentiality, to return and/or delete the personal data they process at the end of their services, to comply with audits and to provide us with assistance in following up requests from data subjects for the exercise of their rights regarding their personal data.

10

Where do we process your personal data?

10.1

We ensure that the health data and biometric data of participants and data donors are hosted exclusively on servers located in the territory of the European Economic Area ("EEA"). However, some recipients of personal data may be organisations whose statutory seat is located in a country outside of the EEA.

10.2

In the event that certain of your personal data are transferred to countries outside the EEA, we will ensure that we take the following safeguards:

  • the country where the personal data are transferred to has benefitted from an adequacy decision from the European Commission pursuant to article 45 of the GDPR and the transfer falls within the scope of such adequacy decision;
  • we have concluded a contract with the recipient of personal data that contains the standard data protection clauses adopted by the European Commission pursuant to Article 47 of the GDPR; or
  • in the event of a transfer to the United States, the recipient of personal data has been certified under the EU-US Privacy Shield programme established pursuant to Article 45 of the GDPR and the transfer falls within the scope of the EU-US Privacy Shield programme.

11

What are the applicable retention periods?

11.1

We ensure that your personal data are only kept for as long as necessary for the purposes for which they are processed.

11.2

We keep invoices and other accounting documents (which may include some of your personal data) for a period of seven (7) years from the date of their issue in accordance with accounting laws. These invoices contain the personal identification data, professional identification data and contact data of our customers' representatives.

11.3

We also use the following criteria to determine the retention periods of personal data according to the context and purposes of each processing activity:

  • the date of our last contact;
  • security reasons (for example, the security of our information systems);
  • any current or potential dispute or litigation with a data subject;
  • any legal obligation to retain or delete personal data (for example, a retention obligation imposed by accounting or tax laws).

12

What are your rights?

12.1

Subject to Applicable Data Protection Law, you have the right to be informed, the rights of access, rectification and erasure of your personal data, the right to object to or limit the processing of your personal data, the right to data portability and the right to withdraw your consent.

12.2

Please see below a table describing each of your rights in more detail:

RightDescription
Right to be informedYou have the right to obtain clear, transparent and understandable information about how we process your personal data and how to exercise your rights. This information is contained in the Policy. If such information is not clear enough, we invite you to contact us (via our contact details set out in the Policy).
Right of accessYou have the right to obtain confirmation that we process your personal data and, if affirmative, the right to access such personal data. You have the right to obtain a copy of your personal data, unless the exercise of this right infringes on the rights and freedoms of other data subjects.
Right to rectificationYou have the right to have your personal data rectified if they are inaccurate. You also have the right to have your personal data completed if they are incomplete.
Right to erasure ("right to be forgotten")You have the right to have your personal data erased. However, the right to erasure (or the "right to be forgotten") is not absolute and is subject to certain conditions. We may retain some of your personal data to the extent permitted by applicable law and in particular when their processing remains necessary for us to comply with a legal obligation applicable to us or for the establishment, exercise or defence of a legal claim.
Right to objectYou have the right to object to certain types of processing (e.g. when the processing is based on our legitimate interests and, considering your particular situation, your interests or fundamental rights and freedoms prevail).
Right to object processing for marketing purposesYou have the right to object at any time to the processing of your personal data when we process such data for marketing purposes.
Right to restriction of processingYou have the right to obtain the restriction of processing in certain circumstances (e.g. when we no longer need your personal data but they are still necessary for the establishment, exercise or defence of a legal claim).
Right to data portabilityYou have the right, in certain circumstances, to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller.
Right to withdraw consentIf you have given us your consent for the processing of your personal data, you have the right to withdraw it at any time.

12.3

Please forward any request relating to the exercise your rights regarding your personal data that we process in our capacity as controller to our contact person for data protection matters using his or her contact details as set out in the Policy. We undertake to respond to your request as soon as practically possible and always within the timeframes set forth by Applicable Data Protection Law. Please note that we may retain your personal data for certain purposes when required or permitted by law. Finally, please note that we may, in the event of doubt as to your identity, ask you for proof of identity in order to prevent any unauthorised access to your personal data.

12.4

Please note that we may charge a reasonable fee based on technical and administrative costs to comply with your request to access your data and your right to data portability (for participants and data donors this contribution to costs includes the integral reimbursement of sequencing, collection and storage costs that we exposed).

12.5

The Research Organisations process your Research Data anonymously, i.e. in such a way that such data may not be linked to your personally identifiable data. We are the only organisation who can link your Research Data back to your personally identifiable data. You therefore understand that, in case you make a request, we will validly comply with your request to exercise (i) your right to object to the processing of your Research Data, (ii) your right to withdraw consent to the further processing of your Research Data and (iii) your right to delete your Research Data by irreversibly erasing the link between your Research Data and your personally identifiable data.

13

What level of security do we ensure?

13.1

We take appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of your personal data.

13.2

We follow industry best practices to ensure that personal data are not accidentally or unlawfully destroyed, lost, altered, altered, disclosed in an unauthorized manner or accessed in an unauthorized manner.

14

Do you have any questions or complaints?

14.1

If you have any questions or complaints about the way we process your personal data, please contact our contact person for any data protection questions in advance using the contact details provided in the Policy.

14.2

You have the right to lodge a complaint with the competent supervisory authority. The competent authority for Belgium is: Data Protection Authority, rue de la presse/drukpersstraat 35, 1000 Brussels, +32 (0)2 274 48 00, contact@apd-gba.be.

15

Anything else?

15.1

We reserve the right to update the Policy from time to time. We inform you of any changes we may make to the Policy.

15.2

In the event of a conflict or inconsistency between a provision of the Policy and a provision of another policy or document relating to the processing of personal data, the provision of the Policy prevails.

Other questions?

At Fondation 101 Génomes, we strive to be as transparent as possible when it comes to legal matters. Please contact us anytime with your questions.

Contact us