BioMire, a simplified joint-stock (SAS) company with a share capital of 80,835.41 euros, headquartered 11, rue de l'Académie - 67000 STRASBOURG, FRANCE, registered in the Trade and Companies Register of STRASBOURG under No. 878 220 375, in its role as data controller, attaches great importance to the protection and respect of privacy. It is committed to its customers and users of the nomad Solution (hereinafter the 'Nomad Solution'), the nomad Mobile Application (hereinafter the 'nomad Mobile Application'), and the SaaS services (hereinafter the 'SaaS Services'), to respect the principles of personal data protection in accordance with the General Data Protection Regulation ('GDPR') and the French law n° 78-17 of January 6, 1978 relating to data processing, files and freedoms as amended.
nomad Mobile Application: application usable on Android and iOS systems that collects contextual information and information on the conduct of samples collection, measures this data and carries out microbiological counting.
Web Application: online application that uses the information provided by the nomad Mobile Application to organize it, interpret the results and provide other SaaS services.
BioMire: the company that developed and operates the nomad Solution and the nomad Mobile Application and Web Application, as well as the associated SaaS Services.
Customer: legal entity or natural person of legal age, having opened an account to access the Web Application and the SaaS Services, responsible for the implementation of procedures and actions allowing to control contamination and subscribing within the framework of one’s professional activity.
User Account: personal account created by the Customer in order to access the SaaS Services.
Personal Data: any information relating to a Data Subject, an identified or identifiable individual.
Profile: all the parameters registered by the Customer under a User Account to use or benefit from the SaaS Services.
Services: all services, whether or not subject to payment, offered by BioMire through the nomad Solution to detect viruses and bacteria and more generally microorganisms in liquids, on surfaces or in the air, and if necessary to count them (microbiological enumeration), and to analyze them in order to allow the implementation of appropriate solutions.
SaaS Services: services offered by BioMire, accessible through an internet platform or a web application, allowing to measure and quantify the microbiological level of a surface or a liquid, to analyze it in order to set up the adequate prevention measures or any other more fully defined services.
nomad Solution: a solution designed to assist manufacturers in detecting viruses and bacteria and more generally microorganisms in liquids, on surfaces or in the air and present in their production environments in order to enable them to better control the level of microbial contamination. It consists of i) a microbiological testing device, ii) a Mobile Application and iii) SaaS Services based on a web Application.
Processing: any operation or set of operations, whether or not carried out using automated processes and applied to personal data or sets of data (i.e. collection, recording, storage, modification, extraction, etc.).
User: person using the nomad Mobile Application to take a sample.
3. LEGAL FRAMEWORK
The Data Controller declares that it processes Personal Data in accordance with the GDPR and the French law n° 78-17 of January 6, 1978 relating to data processing, files and freedoms as amended.
4. DATA CONTROLLER
The Data Controller is the company BioMire, a simplified joint-stock company with a share capital of 80,835.41 euros, having its registered office at 11, rue de l'Académie - 67000 STRASBOURG, FRANCE, registered in the STRASBOURG Trade and Companies Register under the number 878 220 375, represented by Mr. Christopher PEASE as President.
Address: 11, rue de l'Académie - 67000 STRASBOURG
Email: [email protected]
Telephone number: +33 367 670 458
The representative of the Data Controller is Mr Christopher PEASE.
5. PERSONAL DATA COLLECTED, PURPOSES AND BASIS OF COLLECTION
- User Account creation form
- Profile personalization settings
- nomad Mobile Application, etc...
Within the framework of our activity and your access to our services, we are likely to collect and process the following Personal Data:
PROCESSING PURPOSES PERSONAL DATA COLLECTED LEGAL BASIS
Customer relationship management (processing, management and follow-up of the contractual relationship, user account creation, billing, accounting, collection of receivables) - civil status (last name, first name);
- Professional contact details (telephone number, postal address, email address); Fulfillment of pre-contractual and contractual obligations
Compliance with legal or regulatory obligations
Management of the identification of the sample (identity of the mobile device, position, voice recordings) - Civil status (last name, first name of the User*)
- Personal contact details* (telephone number, IP address, personal email address),
- Professional contact details*: company name and postal address, GPS location of the sample collection, professional postal address, professional telephone number, IP address, professional email address,
- Nature of the production
- Company equipment
- Images: images of the production environment (including, potentially, the person on site)
- Voices: voice recordings, commentary by the User. Fulfillment of pre-contractual and contractual obligations
Compliance with legal or regulatory obligations
Customer information (newsletter and promotional offers) - Email address Legitimate interest pursued by the data controller (to develop its activity)
Consent (beyond three (3) years after the contract)
Non-client information (sending newsletters and promotional offers) - Email address Consent by the Data Subject
GDPR Request Management - Last name
- First name
- Telephone number
- Email address
- Copy of personal identification Compliance with legal or regulatory obligations
*: If the Customer has chosen to associate the identity of the mobile device with a telephone number, the User's name, the User's professional or personal email address.
In order to enable the Data Controller to fulfil its obligation to ensure that the Personal Data is accurate and up to date, the Data Subjects undertake to inform the Data Controller of any changes to their Personal Data.
In the event that the Data Controller wishes to further process Personal Data for a purpose other than the one mentioned above and for which the Data Subject has been informed and/or consented to, the Data Controller undertakes to provide the Data Subject with all relevant information about this new purpose and any other relevant information in advance.
6. RETENTION PERIOD OF PERSONAL DATA
PURPOSES RETENTION PERIOD
Client relationship management Duration of the contractual relationship plus six (6) years from the end of the contractual relationship.
Management of sample identification Duration of the contractual relationship plus six (6) years from the end of the contractual relationship.
With respect to IP addresses, 90 days except in the case of location at the Customer's address.
Prospective client information Three (3) years after the end of the contractual relationship.
Beyond three (3) years after the end of the contractual relationship, the data will be kept, with the consent of the Data Subject, for a further period of three (3) years from the date of the express consent of the Data Subject or from the date of withdrawal of consent.
Non-client information Three (3) years from the date of consent given by the Data Subject or from the date of withdrawal of consent.
GDPR Request Management Personal Data will be kept for as long as is necessary for the Data Controller to fulfil its legal and regulatory obligations, without prejudice to retention obligations or limitation periods.
7. STORAGE OF PERSONAL DATA
All personal data collected and processed are stored on servers located within the European Union, in compliance with the regulations in force.
8. RECIPIENTS OF PERSONAL DATA
The Data is never made available or transferred to third parties for their own commercial purposes.
The Data Controller ensures that access to personal data is strictly limited to employees and agents of the Data Controller, authorized to process them by virtue of their functions and in accordance with the purposes of the processing.
The information collected may be communicated, to the extent strictly necessary, to third parties linked to the Data Controller by contract (partners, service providers or subcontractors) for the performance of subcontracted tasks, without the Data Subject's authorization being necessary.
The Data Controller will require its carefully selected Personal Data processors, all of whom are located within the European Union, to process the Data exclusively in the context of the tasks entrusted to them and in accordance with applicable law.
- Hosting provider for platform
- Provider of platform and web application creation
- Marketing provider
The possible recipients of the data are entirely located in France or, failing that, in a member country of the European Union.
It is specified that, within the framework of the execution of their services, third parties have only limited access to the data and are obliged to use them in compliance with the provisions of the applicable legislation on the protection of personal data.
Apart from the cases set out above, the Data Controller undertakes not to sell, rent, transfer or give access to third parties to the data without the prior consent of the Customers, unless compelled to do so for a legitimate reason (legal obligation, fight against fraud or abuse, exercise of the rights of defense, etc.).
9. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The Data Controller does not intend to transfer personal data to a third country or to an international organization.
10. RIGHTS OF DATA SUBJECTS
The Data Subject has the right to:
Right of Access (article 15 of the GDPR) In any case
Right to rectification (article 16 of the GDPR) In any case
Right to erasure (“right to be forgotten”, article 17 of the GDPR) Only for processing that is not justified by the fulfilment of a legal obligation, the performance of a public interest mission, for archival purposes, or necessary for the establishment, exercise or defense of legal claims
Right to restriction of processing (article 18 of the GDPR) In any case
Right to object (article 21 of the GDPR) Only for processing that does not have a legal basis in the performance of the contract or the exercise of a legal obligation
Right to data portability (article 20 of the GDPR) Only for processing based on consent, on the execution of a contract or if the processing is carried out with the help of automatic processes
File a complaint to the CNIL (French National Commission on Information and Liberty) In any case
Withdraw consent at any time, without affecting the lawfulness of the processing based on the consent given before the withdrawal of consent Only when the processing is based on the Data Subject's consent to the processing of his/her personal data for one or more specific purposes
Data Subjects can exercise all the rights mentioned above by sending a formal request to the Data Controller, accompanied by a copy of a proof of identity to the following address
- Email: [email protected] ;
- Mail: BioMire - 11, rue de l'Académie - 67000 STRASBOURG, FRANCE.
Data Subjects also have the right to lodge a complaint with the French supervisory authority, the French National Commission on Information and Liberty (Commission Nationale Informatique et Libertés - CNIL) via its website (www.cnil.fr) or by mail (3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07).
Finally, the Data Subject, noting that a violation of the GDPR has been committed, has the possibility of mandating an association or an organization mentioned in item IV of Article 43 ter of the 1978 Data Protection Act (France), in order to obtain compensation against the Data Controller or processor before a civil or administrative court or before the CNIL.
11. AUTOMATED DECISION MAKING AND PROFILING
Unless otherwise stated in the specific provisions, no profiling within the meaning of Article 22 of the GDPR will be carried out and more generally no automated decision will be taken on the basis of Personal Data.
Pursuant to the GDPR, the Data Controller undertakes to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among others, when appropriate:
- pseudonymization of personal data;
- means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
- means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
- a procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.