Version 02 | Date: 16/01/2020 | Ref: ICO03-000-120
This notice explains how we do this and tells you about your privacy rights and how the law protects you.
THE IDENTITY OF THE DATA CONTROLLER
The Personal Data collected on the website (io.veracyte.com) are processed by Veracyte SAS at 163 Avenue de Luminy, 13009 Marseille, France, registered under the number 805 269 271 RCS Marseille, duly represented by its President Vincent FERT.
OUR PRIVACY COMMITMENT
In order to preserve the confidentiality and security of your Personal Data, whether you are a patient, a client, a business partner, an employee, a candidate for a post or any other person whose Personal Data are processed, we take the following engagements:
- We respect your privacy and your choices;
- We will send you marketing communications unless you decide to be removed from our database. In this case, we are committed to do so as soon as possible;
- We will not Process your Personal Data in ways that we have not told you about;
- We will never sell your Personal Data;
- Your Personal Data, including your Health Data, will be stored on secured servers and only transferred to authorized persons;
- We collect Personal Data strictly necessary for the realization of the contracted services or the purposes;
- We store your Personal Data which are the subject of a computer processing on a secured and confidential server;
- We are committed to keep your Personal Data safe and secured with technical and organizational measures in accordance with the Applicable Regulation;
- We are committed to being transparent about how we collect and use information from you;
- We respect your rights and will always try to accommodate your requests as far as possible, in line with our own legal and operational responsibilities;
- We have appointed two Data Protection Officer responsible for ensuring safety and protection of Personal Data;
THE PERSONAL DATA COLLECTED AND PROCESSED, LEGAL BASIS AND WHY WE NEED THEM
The collection and Processing of Personal Data is based on appropriate legal basis:
- Agreement: the Processing of Personal Data is necessary for the execution of the agreement to which you have agreed;
- Consent: you agree with the Processing of your Personal Data through an express consent;
- Legitimate interest: Veracyte has a commercial interest to Process your Personal Data. This interest is balanced and legitimate. Subject to exceptions, you can oppose to the Processing of your Personal Data based on this legal basis by writing to the addresses included in the contact section.
- Law: the Processing of your Personal Data is required by a law.
Therefore, we collect and Process the Personal Data relating to communication and marketing, as part of our legal and contractual obligations, as part of human resources and as part of our health activities.
SECTION 1: COMMUNICATION AND MARKETING
We collect business and professional information to be used in our direct marketing, emails, E-newsletters, phone calls in order to market Veracyte’s products and services. Moreover, we use this information internally in Veracyte to improve customer experience, our website, marketing, sales and social media efforts.
In the paragraphs below, we explain in what context your Personal Data are collected and how we Process them: we explain what activity you are involved in when we Process your Personal Data and what types of Personal Data we may collect when you are involved in this same activity.
When visiting our website, your Personal Data are collected automatically by cookies (For information about cookies, please read the Cookies paragraph).
Personal Data related to your use of our websites include:
- Where you came from;
- Pages you looked at: The titles and the URLs of the pages you are viewing;
- Duration of your visit: Date and time of visit;
- Your IP address (computer’s address);
- And visitor ID which is given to each visitor and the expiration date of the ID.
Social media browsing
We collect your Personal Data when you submit content on one of our social media platforms. Moreover, we gather social media statistics from the social media software platforms where Veracyte is present. Currently, this is LinkedIn, Twitter and Vimeo. The information is used for analytics views: numbers of visitor, impressions, visits, mentions, numbers of like and followers.
Web-page contact forms / enquiries
We collect your Personal Data when you ask questions related to our products or activities or when we manage your enquiries from our websites contact forms.
Personal Data related to your enquiries are:
- First name and Last Name
- Email address
- Company/Institution name
- Other information you have shared with us about yourself in relation with your enquiry
When you register for live or recorded Veracyte webinars, we ask you to provide your contact information (First Name, Last Name, Email, Country, City, Organization, Job Title, Field of activity and specific questions related to the webinar topic). In addition, we collect and track webinar performance by analyzing the numbers of participants, the length of participation, the numbers of views and the questions that were asked). Your consent is required while registering to webinars.
Events (like symposium)
When you register for our events, like symposium during congress, we collect and store your participation data (e.g. contact and event participation details). Your consent is required while registering to symposiums.
E-newsletters & press releases
When you are registered in our database, you receive news about Veracyte like E-newsletters or Press Releases. This means that you accept to receive information by e-mail. Veracyte sends newsletters and emailing only to people listed in its database.
We collect and track newsletter performance by analyzing the opening rates, click rates etc. Your consent is required while registering to our E-newsletters and press releases. If you decide not to receive our emailing anymore, you can at any time opt out with the “unsubscribe” link at the foot of any email from Veracyte.
SECTION 2: OUR LEGAL AND CONTRACTUAL OBLIGATIONS
The collection of your Personal Data may be necessary for the execution of the agreement we have entered into or to respect our legal obligations. Therefore, we collect several Personal Data such as your civil status, your name, gender, postal address, professional email address, phone number, banking and financial information, identification documents.
SECTION 3: HUMAN RESOURCES
Veracyte collects and Processes its employees’ Personal Data, as well as the Personal Data of applicants for a job in the company.
The Personal Data collected under this process are, in particular, the civil status, the surnames and family names, gender, address, banking data, identification document and social security number.
SECTION 4: HEALTH DATA
Veracyte Processes Health Personal Data as part of its activity.
We strictly respect the Application Regulation relating to Personal Data and apply all technical and organizational security measures to the protection of your Personal Data.
Veracyte ensures to pseudo anonymize Heath Data while Processing them.
We don’t use your Personal Data except if:
- You have given explicit consent to the Processing of your Personal Data except where the Applicable Regulation to Health Data forbids such Processing;
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Veracyte in the field of employment law in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards;
- Processing is necessary to protect your vital interests where you are incapable of giving consent;
- You manifestly made public your Personal Data;
- Processing is necessary for the establishment, exercise or defense of legal claims; and
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to an obligation of professional confidentiality.
WHAT DO WE USE YOUR PERSONAL DATA FOR?
We collect your Personal Data in order to comply with our legal and regulatory obligations but also for the following purposes:
- Organize our contractual exchange;
- Security of our exchanges;
- The management and the execution of agreements entered into between Veracyte and its clients;
- Personalize your experience by being able to respond to your individual requirements;
- Improve our service by evaluating your feedback and information;
- Improve our customer service and technical support;
- Send periodic emails including marketing emails – you can unsubscribe from any emailing through the “unsubscribe” link at the bottom of each email;
- Invite you to an event;
- The fight against fraud;
- The security of our internet websites.
LENGTH OF CONSERVATION OF YOUR PERSONAL DATA
As for the Personal Data necessary for the operational management of the agreement and invoicing of services, the information included in the contractual documentation will be kept for the duration of the agreement and ten years after the termination of this agreement due to our accounting and tax obligations.
As for the Personal Data collected as part of our operations of commercial prospection, they will be kept for a period of three years before being definitely deleted except in the event of a new contact from you.
- As Veracyte contacts, your Personal Data are stored in our database system as long as your subscription to the newsletter or email services is active. Any recipient may request at any time to be removed from our contact database by writing an email to firstname.lastname@example.org with “I wish to be removed from your contact Database” in your subject line and we will comply with that request.
- As Veracyte customers, your Personal Data are stored in our database system as long as we need them to provide you with requested products and/or service(s). At the end of the customer relationship, your Personal Data will be kept in our database system as a contact and your subscription to the newsletter or email services will remain active as long as you do not unsubscribe.
As for the Personal Data collected on the basis of the legitimate interest, Veracyte has a commercial interest to Process your Personal Data. This conservation of Personal Data will be time limited and not excessive. You can oppose at any moment to the Processing of your Personal Data collected on the basis of the legitimate interest by sending a message to the addresses mentioned in the contact section.
As for the Personal Data collected on the basis of a legal obligation or when the Personal Data are necessary for Veracyte to assert or defend his rights, Veracyte will only keep these Personal Data as long as necessary or until the claims and procedures are resolved.
As for the Personal Data collected on the basis of a consent, you can remove your consent at any moment by simply sending a message to the company to the addresses mentioned in the contact section.
HOW DO WE PROTECT AND SAFEGUARD YOUR PERSONAL DATA?
All the information collected on the Veracyte websites are subject to confidential computer Processing and are stored in secure environments.
Health Data collected and Processed by Veracyte are stored on secured servers in accordance with the Personal Data Applicable Regulation.
This information is not public. However, as part of our activity we may share your Personal Data with trusted third parties such as: legal counsel, financial institutions (banks, etc.), experts, suppliers, service providers, medical personnel or technical contractors. We are committed to take all necessary organizational and technical security measures to ensure that our service providers effectively protect your Personal Data.
SHARING OF PERSONAL DATA
We do not sell your Personal Data to third parties.
YOUR RIGHT AS A DATA SUBJECT
Veracyte respects your right to privacy and you have the right, at any time:
To be informed and to request access: You can request to receive information from Veracyte about your Personal Data we have in our database and how we use it. You can also receive a copy of this Personal Data.
To ask for rectification and / or completion: You have the right to ask for Personal Data rectification if these data are incorrect or completion if they are incomplete.
To ask for erasure (‘to be forgotten’): In some cases, your Personal Data can be erased or deleted. This might be the case:
- If you withdraw your consent.
- If you think that your Personal Data are no longer necessary for the purpose for which they have been collected, you can request their deletion.
- If your Personal Data were processed unlawfully, contrarily to other legal obligations or for a purpose that differs from what has been initially explained to you
- If you object to the Processing of your personal data
To require restriction of Processing: You have the right to require the restriction of your Personal Data Processing if one of the following conditions, set out in the General Data Protection Regulation, is met:
- The accuracy of the Personal Data is contested by you for a period which allows us to verify the accuracy of this information;
- The Processing is unlawful and you refuse the deletion of the Personal Data and request that we restrict them instead;
- We no longer need your Personal Data for Processing purposes, but you required them for the establishment, exercise or defense of legal claims.
- You object your Personal Data processing being based on our legitimate interests, and it is not yet clear whether our legitimate reasons prevail over yours.
To object to the Processing: You have the right to object to the Processing of your Personal Data on the ground of compelling legitimate grounds relating to your particular situation. You may also object to our transfer of your Personal Data for direct marketing purposes, including any processing based on our legitimate interests. If your objection is justified, we will stop to Process your Personal Data.
To request data portability: You have the right to move, copy or transfer Personal Data from our database to another or to transmit those data to another person without hindrance. You can also request to receive your Personal Data, which you have provided to us, in a structured, common and machine-readable format.
To revoke your consent: You have the right to withdraw your consent to our Processing of your Personal Data when such processing is based on consent. The revocation of your consent does not affect the lawfulness of our processing until the consent revocation.
To lodge a complaint with a supervisory authority: You have the right to complain to a supervisory data protection authority (In France, the Commission Nationale de l’Informatique et des Libertés (CNIL), website: www.cnil.fr) of your country about our data protection and privacy practices.
Nationale de l’Informatique et des Libertés (CNIL), website: www.cnil.fr) of your country about our data protection and privacy practices.
Please note that there are exceptions to the various rights listed above. For example, we have a legal obligation to keep some of your Personal Data.
We shall respond to your request within a period of a month. When your request is particularly complex, we have two additional months for a response.
Veracyte has two Data Protection Officers in charge of the protection of your Personal Data.
You can contact them at the following addresse email@example.com
THE TRANSFER OF YOUR PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
Your Personal Data may be transferred for various purposes listed above to third countries in the European Economic Area.
Outside EEA, Veracyte undertakes to only transfer your Personal Data to countries with an adequate security level or to use mechanisms ensuring the protection of your Personal Data (Standard Contractual Clauses, BCR, Privacy Shield, etc.)
Veracyte will take all technical and organizational measures necessary to secure these transfers of Personal Data. Transfers of Personal Data to third countries (for example, in the United States of America) can be achieved especially when Veracyte due to its contractual obligations, works with counterparties located outside the European Economic Area.
The transfer of Personal Data to a subsidiary
Transfers of Personal Data to other Data Controllers, Subcontractors or Sub-processors
Veracyte has concluded or will conclude appropriate written agreements with its contractors, to ensure that they Process your Personal Data in accordance with the instructions of Veracyte and they apply and maintain a level of appropriate security to the Personal Data. The transfer is done using mechanisms recognized as compliant by the European Commission.
Transfers to third parties
Veracyte may need to disclose some Personal Data to third parties.
These disclosures of Personal Data may intervene to respect the Applicable Regulation to Personal Data.
Veracyte may also be required to disclose your Personal Data to protect the rights that it is granted by the law.
THE COLLECTION OF CHILDREN'S PERSONAL DATA
Legally in Europe, minors under 13 years cannot, in no case, give themselves their own consent to the processing of their Personal Data. In France, a minor under 15 years may not consent to the treatment of his Personal Data.
VERACYTE COOKIES POLICY
WHAT ARE COOKIES?
Cookies are small pieces of text sent by your web browser to a website you visit. A cookie file is stored in your web browser and allows the Service or a third-party to recognize you and make your next visit easier and the Service more useful to you.
Cookies can be "persistent" or "session" cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser.
When you use and access the Service, we may place a number of cookies files in your web browser.
- Essential cookies: We may use essential cookies to authenticate users and prevent fraudulent use of user accounts.
- Google analytics cookies: Veracyte likes to understand how visitors use its websites by using web analytics services. They count the number of visitors and tell us things about the visitors’ behavior overall – such as identifying the search engine keywords that lead the user to the site, the typical length of stay on the site or the average number of pages a user views. For this purpose, we use Google Analytics to track web statistics. In this case, Google will place a “3rd party cookie” on your computer. This is also the case when we use Google Maps.
WHAT ARE YOUR CHOICES REGARDING COOKIES?
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.
- For the Chrome web browser, please visit this page from Google: https://support.google.com/accounts/answer/32050
- For the Internet Explorer web browser, please visit this page from Microsoft: http://support.microsoft.com/kb/278835
- For the Firefox web browser, please visit this page from Mozilla: https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored
- For the Safari web browser, please visit this page from Apple: https://support.apple.com/kb/PH21411?locale=en_US
- For any other web browser, please visit your web browser's official web pages.
WHERE CAN YOU FIND MORE INFORMATION ABOUT COOKIES?
You can learn more about cookies and the following third-party websites:
- All AboutCookies: http://www.allaboutcookies.org/
- CNIL: https://www.cnil.fr/fr/cookies-les-outils-pour-les-maitriser
- Address: Veracyte SAS, 163 Avenue de Luminy, 13009 Marseille, France
- Email address: firstname.lastname@example.org
"Applicable Regulation" means the GDPR, the law n° 78-17 dated 6 January 1978 relating to “l'informatique, aux fichiers et aux libertés”, as amended by the law n°2018-493 dated 20 June 2018 and the related regulations dated 1 August 2018 and 12 December 2018.
"Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
"Data Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
"Data Subjects" means persons whose Personal Data are processed.
“European Economic Area” means the European economic area including, on the date of the DPA, the European Union, Norway, Island and the Liechtenstein.
"GDPR" or "General Data Protection Regulation" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and any related law and regulation.
"Heath Data" means the Personal Data relating to the physical or mental health of a natural person, including the service delivery of health care, which reveal information about the health of this natural person under GDPR. The Health Data are Personal Data.
"Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Process(ing)" means any operation or set of operations which is performed on Personal Data or on sets of personal data, whether or not by automated means.
"Subprocessor" means any data processor acting on behalf and for the account of a Data Controller which is used by another Data Processor to process the Personal Data of this Data Controller. It being specified that the Data Processor remains liable toward the Data Controller for the Processing of the Personal Data.