Who is the responsible of processing your personal data?
Postal address: Parque Tecnológico de Álava Central Building, Calle Hermanos Lumiere nº 11, office 3 01510 Vitoria- Gasteiz (Álava)
Telephone: 945 14 14 45
Delegado de Protección de Datos: firstname.lastname@example.org
If you have any questions, complaints or claims about the processing of your data, you can submit them directly to our DPD at this address: email@example.com before, if applicable, submitting it at the protection agency of data. We will answer you within a maximum of two months from the receipt of the claim.
2. How have we obtained your data?
2.1. Obtained directly from the interested person
If you are a client (current or potential) or a relative or legal representative of the latter (in case of minor), or if you send us a curriculum to work with us, or if you participate in a research project with biological samples, clinical trials and observation studies that we promote, you have provided us, either offline or online when requesting our services in order to maintain relationship with you.
By providing us with your data, you guarantee that you are enabled to do so, and that the information is true, up-to-date, and that it does not infringe any contractual restrictions or rights of third parties. You have the responsibility to keep your personal data and your profile correct and updated, declining BAIGENE all responsibility in case of not doing so. You promise not to impersonate other users by using their registry data to different services and/or content on the Website.
2.2. Obtained automatically when visiting our website
When you visit our website or any other of our platforms (social networks, phone applications, etc.), we collect information; for example, when you log in the webpage, when you fill in a questionnaire with personal data, when you buy in our shop, when you sign up, etc. We also collect information using cookies and other monitoring technologies and web analysis. This means that data is sent from your navigator to our servers to optimize our services and improve your experience as a user. This data can be collected and stored automatically by us or by third parties on our behalf. You can consult our cookies policy.
2.3. Communication by a third party of the data of the interested party
It is possible that your data has not been directly provided to us by you, but it has been provided to us by a third party, to whom you have previously provided that data. For example: a relative, guardian, or legal agent of the interested person, or a sports club in case that it has agreed with its members to use our services. In the event that it is not the interested person the one that has provided us with the data, but a third party, it is the third party who expressly guarantees that they have the authorization of the interested person for that use. So, they exonerate us from any responsibility in case of any claim by the interested person, responsibility assumed only and exclusively by those who have provided us with the data on their behalf.
2.4. Communicated by the interested person of third-party data
With respect to the data of other people, you must respect their privacy, taking particular care when communicating or publishing their personal data. Only its owner can authorize the processing of their personal data. In addition to infringing the legislation on data protection, the publication of third-party data without consent also infringes the legislation related to the right to honor, privacy or self-image of third parties.
3. What type of data do we use?
The categories of data that we process can be:
- Obtained from the interested person: identification data (name and surname, NIF), contact information (phone number, postal address, email address, invoice or delivery address), commercial and economic data (information about the products requested, client history, and the necessary data for payment: bank, credit card, etc.), personal data: anthropometric data, age, physiological and morphological data and sports, nutritional, training, and leisure habits, etc. This includes images in photo and video, necessary for monitoring the training and nutritional services, morpho functional evaluation and postural and general progression evaluation.
- Obtained automatically when visiting our website: IP address of the user, the day and hour of the visit, the URL of the site from which that user comes, the paged visited on our website, information of the browser used (type and version of the browser, operating system, etc.)
We treat special categories of data: such as health and genetic data.
4. What do we use your data for?
The data you provide us with, as well as all the data generated during the development of the relationship, we maintain with you, can be used for different purposes, such as:
- If you are a current or potential client: to maintain contact and communication with you, and manage the contractual and / or commercial relationship, derived from our services::
- Completing the genetic analysis corresponding to the genetic kit you have acquired (which implies carrying out a genetic profile, allowing us to use your saliva samples obtained in the buccal smear with the swabs provided in the kit, which does not imply any health risk, for the extraction and analysis of DNA contained therein).
- Completing genetic analysis for biomedical research purposes (which also means to carry out your genetic profile).
- Using any of our services: training and nutrition monitoring. Assessment of training and nutrition services imply images of the customer (photos and videos).
- If you are a user of our website, or sender or recipient of an email: to manage the requests you make to us online, and to get in touch with you.
- To carry out opinion and / or satisfaction surveys.
- If you have authorized it, to carry out research projects with biological samples, clinical trials and observational studies and maintain contact and communication during the follow-up of the study, project, or trial. In the case of taking samples, we elaborate a genetic profile, but automated decisions will not be made on this, but with human intervention.
- To send you, through electronic communications, information about our activities, products and / or similar services to those requested, including advertising and / or commercial communications for the purposes of article 21 LSSICE 34/2002. If we already have a previous contractual relationship, those communications will be sent based on our legitimate interest. In the event of not having a previous contractual relationship, we will only send you these types of communications, if you authorize us by marking the option that is expressly included in the corresponding forms. The communications we send you will include, in the communication itself, the option to stop receiving them. If you choose to do so, we will stop sending you this type of communication in the future.
5. How long will we keep your data?
We will keep the personal identification data you provide us as long as the contractual, pre-contractual or commercial relationship is maintained, and, once these are finished, as long as the interested person does not request its deletion. Even if their deletion is requested, we can keep them for the necessary time, limiting their processing only to::
- Obey the legal / contractual obligations to which we are subject.
- And / or the legal periods established for the prescription of any responsibility on our part.
- And / or the exercise or the defense of claims derived from the relationship maintained with the interested person.
The genetic data, in accordance with article 5 of LAW 14/2007, of July 3, on biomedical research, will be kept for a minimum of five years from the date they were obtained, after which you can request their cancellation. If no such request is made, data will be kept during the period necessary to preserve the health of the person from whom they come or of third parties related to it. Apart from these assumptions, data will only be kept for research purposes, anonymously, without the identification of the source subject being possible.
In the case of research projects with biological samples, clinical trials and observational studies, the personal data you provide us will be kept for the duration of the observational study or clinic investigation, and once finished, as long as the interested person does not request its deletion, and even requested, during the necessary period to comply with the legal obligations that affect us and / or those provided for the prescription of any responsibilities on our part and / or the exercise or defense of claims derived from the relationship between the parties.
The Researcher and Promoter are obliged to keep the data collected for the study for at least 25 years after finishing it. Afterwards, your personal data will only be kept by the center for your health care and by the promoter for other scientific research purposes if you gave your consent for this, where permitted by law and under the applicable ethical requirements.
In coordination with the previous criteria, the deletion of personal data either in computer records or on paper, may be carried out, at the discretion of the organization, depending on the logistical and / or storage space needs that make it advisable to delete information or documentation.
6. What is the legitimation for processing your data?
The legal basis that legitimizes us for processing your data can be diverse:
- Compliance with the existing legal relationship, contractual or commercial, if you are already a current or potential client. Assessment of training and nutrition services imply taking images of the customer (photos and videos).
- The provision of the required data is mandatory as it is essential to formalize and / or maintain the contractual or pre-contractual relationship, and comply with the legal obligations derived from it; if you do not provide them, we will not be able to provide the service derived from said relationship.
- Consent: it can also be your consent if you yourself have given it to us for a specific purpose: For example: to send commercial communications if you are not yet a client or if you have made a request through our website in the case of being a mere user or if you have sent us your curriculum.
- You will be able to withdraw that consent at any moment by sending us an email in this regard to firstname.lastname@example.org. That withdrawal does not condition the processing of your data for the rest of the purposes described, but it can mean that we will not be able to answer your request.
- The legitimacy to process the special categories of data that we process (genetic, health or biometric data) is your express consent. You give us that consent unequivocally when providing us your data, considering that facilitation as a clear affirmative action that shows consent. The provision of the requested data is mandatory as they are essential to provide our services; if you do not provide them to use, we will not be able to carry them out.
- Compliance with a legal regulation or obligation: such as those stablished in the regulation of consumers and users, biomedical investigation, etc.
- Our legitimate interest as an organization oes also constitute a legal basis for processing your data. In accordance with the recital 47 of the RGDP, we are interested in:
- Informing you of our activities, products and / or services, including through electronic communications.
- If we already have a previous contractual relationship, we will send those communications based on our legitimate interest. In the opposite case, we will only send you these types of communications if you authorize us by marking the option that is expressly included in the corresponding forms.
- In any case, we consider that the indicated processing of your data is proportionate and implies a minimum impact on your privacy, but your interests, rights or freedoms will always prevail over our legitimate interest; so, if you do not want us to process your data for these purposes, send us an email in this regard to email@example.com, and we will do so.
- Carrying out opinion and / or satisfaction surveys.
7. To which recipients can we communicate your data?
We inform you that the data you provide us can be communicated to third entities to fulfill purposes directly relationed with legitimate functions of conveyer and cessionary, such as:
- To banks and savings banks for the management of collections and payments.
- To the transport companies in charge of the logistics of shipping and delivery of the genetic kits.
- To the entities or organizations to which there is a legal obligation to make data communications (for example, Tax Administration for compliance with fiscal and tax obligations).
- In the case of analysis by external laboratories, the sample will be sent anonymously to the subcontracted laboratories by BAIGENE, so that confidentiality is guaranteed.
- In the case of being an athlete belonging to a Sports Club, and being the latter who requests our services, we will communicate the report to the medical staff or the specific specialist of the Club, so that they analyze it and can take the pertinent measures to improve your sports performance.
- In the case of investigation projects with biological samples, clinical trials and observational studies, the data you provide us, or any other data derived from the study, can be communicated to third parties, for the fulfillment of purposes directly related to legitimate conveyer and cessionary functions, but only and exclusively within the framework of the investigation project, specifically: to external laboratories for the fulfillment of the analysis (the sample will be sent anonymously), to the assigned staff to the study, to the main researcher, participating researchers, to the Center on whose clients the study is carried out, to instructors, to auditors and collaborators, to the Clinical Research Ethics Committee and authorized stuff by the promoter, when needed to check the data and procedures of the study, but always maintaining the confidentiality in accordance with current legislation. Access to your medical history will only be related to the study. In addition to the staff belonging to the study, the instructor designated by the promoter of the study will also have access to your medical history, in order to be able to contrast the data collected, and, when appropriate, the health authorities. Access to "raw" data is also allowed to the statistician who completes the analysis, of course maintaining the anonymity of the participants. Access to your personal information will be restricted to such people or entities. By signing the informed consent, the interested person is authorizing such access.
- To other entities that may have franchise agreements with BAIGENE, for the development of the franchise relationship
8. International Transfers of Data
We will ensure that personal data is always processed and located in the European economic area. However, in certain circumstances, we may make international transfers of data if they are necessary for the conclusion or execution of a contract, in the interest of the interested person, between BAIGENE and another natural or legal person (for example, our franchises outside Europe); or in the event that it is necessary for the execution of a contract between the interested person and BAIGENE, or it is necessary for compelling legitimate interests of BAIGENE over which the interests or rights and freedoms of the interested party do not prevail, always that is not repetitive, and effects only a limited number of stakeholders, for example:
- In the event that the interested party requests our services from a country outside from the European Economic Area, and / or personal data derived from our services must be sent to the interested party, or to third parties on behalf or in his / her interest (sports clubs, doctors, etc.,) to those countries.
- By using service providers located outside the European Union, who may have access to personal data, to offer auxiliary services to our activity (accommodation, housing, SaaS, remote back-up copies, computer support or maintenance services, email managers, email sending and email marketing, file transfer, etc.) or to execute the pre-contractual measures adopted at the request of the interested person.
These entities can be different and vary over time, but we will try to choose entities either belonging to countries that have a level of protection equivalent to the European one in terms of data protection, or that have the appropriate guarantees to reach that level, or they will be made on the basis of any of the exceptions provided in the RGPD.
At present, we work with the following entities or entity categories of the following countries:
- GOOGLE (country: USA): we use its virtual infrastructure on the cloud to store information.
- TRAINING PEAKS (country: USA): we use its virtual infrastructure to track our clients' trainings.
- WHATSAPP (country: USA): we use its virtual infrastructure to communicate with our clients.
In any case, we inform you that in the event of having to make international data transfers to countries that may not have equivalent guarantees to the European ones regarding the personal data processing, for example, because they do not have an authority or data protection regulation that protects the rights of the interested parties, this may imply a risk for the processing of the data, and by accepting this data protection policy, you expressly and unequivocally authorize that transfer by giving your consent to it.
9. Social networks and instant messaging applications
- Use of social networks:
Keep in mind that, if you want to participate, publish or share content through our official page on a social network, that content will be public, and it will be exclusively your responsibility that the content complies with the legal regulations.
You can avoid that your personal data associated with that participation appears by configuring your privacy, or pseudonymizing your data (for example: using a nickname or an alias).
We remind you that, with respect to the data of other people, you must respect their privacy, taking particular care when communicating or publishing their personal data. Only its owner can authorize the processing of their personal data.
The user will only be able to publish on this page, or on our official page on social networks, personal data, photos and information or other content of his / her ownership or for which he / she holds the authorization of third parties. If you provide us or publish third party data, it is your responsibility to have previous and express consent to use, communicate to us and publish them, and it is your responsibility to inform them of the processing we are going to carry out with their data or of your publication. In addition to infringing the legislation on data protection, the publication of third-party data without consent also infringes the legislation related to the right to honor, privacy or self-image of third parties.
The Social Networks are not directly hosted on our Services. Your interactions with them are regulated by their policies and not by ours. Read the privacy policies of those social networks for detailed information on the collection and transfer of personal data, your rights, and your privacy settings.
- Data we collect through social networks:
We collect data through these applications, and specifically, through functional and analytical cookies to allow them function properly. These cookies may collect information about your IP address, or your browsing.
Moreover, if you log into one of these social networks during your visit of one of our websites or phone applications, the social network will be able to add that information to your profile, and that information will be transferred to the social network. If you do not want that data transfer to take place, exit your session in the social network before accessing to our websites or phone applications, as it is not in our power to influence this collection and transfer of data through the social connectors.
10. What are your rights when you provide us your data?
- Right of access: You can ask us what personal data we are processing and even ask us a copy of it.
- Right of rectification: You can ask us to rectify inaccurate personal data, or to complete those which are incomplete, including by means of an additional statement.
- Right of elimination (right to forget): You can request us to delete your personal data when: they are not necessary for the purpose they were collected for, you withdraw your consent, they have been unlawfully processed or to comply with legal obligation.
- Right to limitation of processing: You can request us to limit the processing of your personal data, in which case we will only keep them for asserting or defending claims.
- Right of objection: You can object to the processing of your data if such processing is based on the legitimate interest of the person responsible for the file or it is for advertising purposes.
Once any of the above-mentioned requests have been received, we will respond you within the legally stablished deadlines. You can make a complaint at the Spanish Data Protection Agency. If you wish more information about the right you can exercise and to request models of forms of exercise of rights, you can visit the webpage of the Spanish Agency for Data Protection, www.aepd.es.