Privacy Policy

Last amended 25 November 2021, v.01

Personal Data Controller:

Company name: UAB “BIO1”

Company code: 304457362

Registered address: Konstitucijos pr. 7, Vilnius, Lithuania

Operational office: Santariskiu str. 2, Vilnius, Lithuania

Telephone number: +370 687 95933

E-mail address: info@bio1trials.com

DPO e-mail address: data.protection@bio1trials.com

Website: www.bio1trials.com

 

1. PURPOSE

1.1. This Privacy Policy sets out the main principles followed by BIO1 when processing Personal Data and provides general information on personal data processing performed. Detailed rules on personal data processing are set forth in a separate document – the Rules on Personal Data Processing (“Rules”) which contribute to BIO1 compliance with the General Data Protection Regulation (“GDPR”) and other applicable data privacy legislation.

1.2. The Rules apply to BIO1, its employees and associated contractors and third-party service providers acting on behalf of and under the instruction of BIO1.

1.3. Data protection regulations differ in countries where BIO1 operates. BIO1 follows the country-specific Personal Data protection regulations and, in case of discrepancies or inconsistencies among data privacy regulatory requirements, complies with the requirement which is more stringent.

 

2. DEFINITIONS

2.1. The Definitions used in this Privacy Policy have the following meanings:

2.1.1. “Breach” – means a breach of Personal Data security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

2.1.2. “Controller” – means any BIO1 acting as Personal Data controller as defined in the GDPR, which, alone or jointly with others, determines the purposes and means of Data Processing.

2.1.3. “Data Processing” – means any automated or non-automated operation performed with regard to Personal Data, e.g., collection, recording, organization, structuring, storage, adaptation or alteration, consultation, use, disclosure, restriction, erasure or destruction.

2.1.4. “Data Subject” – means any natural person, whose Personal Data is being processed, e.g., research subject, investigator, representative of the Sponsor or any other natural person.

2.1.5. “GDPR” – means the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2.1.6. “Personal Data” – means any information about a natural person who is identified or whose identity is directly or indirectly identifiable (data subject), e.g., by name and surname, a personal identification number, location data and an online identifier or by physical, physiological, genetic, mental and other features.

2.1.7. “Processor” – means any natural or legal person, which processes Personal Data on behalf of the Controller, i.e., which assists the Controller and performs the Controller’s instructions, including but not limited to BIO1 as well as Contractors (acting as subprocessors as a rule) thereof. BIO1 may act as the Processor under the agreement with the client (e.g., under agreement with the sponsor for the services related to clinical trials).

2.1.8. “Responsible Person” – means a person responsible for the protection of Personal Data and appointed by BIO1, including a data protection officer (the “DPO”) (as defined under the GDPR). Email of the DPO appointed for BIO1: data.protection@bio1trials.com.

2.1.9. “Rules” – means the Rules on Personal Data Processing that are in effect in BIO1.

2.1.10. “Supervisory Authority” – means an independent public authority, established to supervise compliance of BIO1 with requirements for Data Processing, as well as to perform other rights and duties stated in the GDPR. The lead Supervisory Authority for BIO1 is the State Data Protection Inspectorate of the Republic of Lithuania (ada.lt).

 

3. PERSONAL DATA PROTECTION PRINCIPLES

3.1. When processing Personal Data, BIO1 complies with the following GDPR principles: purpose limitation (Data Processing only in a manner that is compatible with the purposes originally determined); data minimization (Data Processing only Personal Data which is needed for particular purposes); lawfulness, fairness and transparency; accuracy; storage limitation (Personal Data retained for no longer than is necessary for the particular Data Processing purpose); integrity and confidentiality, as well as the principle of accountability (BIO1 shall be able to demonstrate compliance with its obligations).

3.2. BIO1 adopts the Personal Data protection principles of data protection by default and design.

3.3. The implementation of the Rules and compliance with the above-mentioned Personal Data protection principles are ensured by the CEO of BIO1 together with the Responsible Persons, including the DPO, by establishing appropriate technical and organizational measures and supervising whether proper measures are ensured.

3.4. All employees and contractors of BIO1 comply with Personal Data Processing requirements foreseen under the Rules while performing their functions. Personal Data may be processed by BIO1 employees and contractors who need Personal Data to fulfil their functions.

3.5. Employees and contractors of BIO1 must maintain confidentiality of Personal Data of which they have been made aware while performing their functions, unless according to the applicable legal acts: such information is publicly accessible, or the Data Subject has consented to such disclosure, or, where it is necessary for the prevention of criminal or other illegal acts, as well as in other cases. This obligation remains in effect also after the termination of the employment contract or any other type of contract between BIO1 and its employee or contractor. For this purpose, agreements on confidentiality may be signed with the employees and/or contractors.

3.6. BIO1 establishes a training program on the GDPR to create awareness and to ensure compliance. Training conforms with BIO1 employees’ roles and responsibilities.

3.7. Employees’ obligations foreseen hereunder apply to BIO1 contractors (natural persons) engaged for client service (to the extent applicable).

 

4. GENERAL PROVISIONS ON PROCESSING

4.1. Personal Data is processed by BIO1 in pursuance of legitimate purposes and in the manner specified in each Controller’s internal rules and information addressed to Data Subjects.

4.2. Detailed information about Data Processing streams is specified in Records on Personal Data Processing and accessible in the internal database only to Responsible Persons, employees and the contractors (when access to internal database is provided for performance of the agreement concluded with the contractor) of BIO1 companies.

4.3. In cases in which special categories of Personal Data are processed, e.g., criminal records, health information, membership in trade unions, etc., employees of BIO1 will additionally verify whether all required actions and protection measures are exercised and will perform additional actions (e.g., will get a separate consent for Data Processing) and implement more stringent measures (e.g., avoid excessive storage in the Controller’s database or any other programs used), should this be necessary.

4.4. Personal Data may be obtained directly from Data Subjects and third parties by automatic or non-automatic means as specified in Records on Personal Data Processing. Where Personal Data is provided by non-automatic means, employees or contractors of BIO1 will enter the collected Personal Data manually into the database of BIO1.

4.5. The Controller may use Processors. The Processor’s activities and obligations are governed by the contract between the Controller and the Processor, except in cases in which Data Processing is performed in accordance with a legal act that is binding on the Processor. At the discretion of the Controller, Data Processing issues may also be regulated in an Annex to the master agreement on service provision or any other type of contract concluded between the Controller and the Processor (i.e., signing a separate agreement is optional). The same rules apply to Data Processing performed in the course of the Processor engaging the subprocessor (including cases where BIO1 is acting as the Processor).

4.6. BIO1 implements all appropriate technical (use of antivirus programs, installation of indoor alarms, physical control of persons’ access to the property, etc.) and organizational (e.g. adoption of the Rules, control of its implementation, password-secured access to computers, to the computer-network and to the database) measures to ensure the principles of Personal Data protection are embedded into Data Processing of all Personal Data, and to fully integrate the necessary safeguards to meet the minimum Personal Data protection requirements of the GDPR and to protect the rights of Data Subjects.

4.7. While performing their activities, all BIO1 employees constantly consider the existing risks and seek to reduce or to avoid such risks to the extent possible.

 

5. NOTICES ON DATA PROCESSING

5.1. Information on Data Processing established under the GDPR is provided to Data Subjects in a simple form, including but not limited to information on Personal Data categories, purposes, legal basis for the Data Processing, categories of Data Subjects, storage term, Processors and Personal Data recipients, also other information if required (e.g., sources of Personal Data; if Personal Data is transferred to a third country outside the EEA; consequences, where Personal Data is not provided).

5.2. Specific cases of the Data Processing and detailed information for the Data Subjects whose Personal Data is processed by BIO1 are available below.

5.3. Notices to particular Data Subjects (if required and not mentioned below, notices will be provided on a case-by-case basis directly to Data Subjects):

5.3.1. Employee Data Protection Information Notices and Contractor Data Protection Information Notices are provided to respective Data Subjects directly;

5.3.2. Potential Business Partner Data Protection Information Notice;

5.3.3. Vendor Data Protection Information Notice;

5.3.4. Clinical Trial Volunteer Data Protection Information Notice and Consent Form (in English) (in Lithuanian).

5.4. The Controller of this website requests consent of Data Subject to use or store cookies on Data Subject’s device (computer, tablet, smartphone or any other) when entering the website for the first time. More information about cookies and their use is available under Cookie Policy.

 

6. RIGHTS OF DATA SUBJECTS

6.1. BIO1 will ensure that the rights of the Data Subjects under the GDPR are fully respected and will use reasonable measures to comply with them. These rights include the following rights of the Data Subject:

6.1.1. to be informed or notified of the intended Data Processing activity;

6.1.2. to access Personal Data;

6.1.3. to request rectification;

6.1.4. to request erasure;

6.1.5. to restrict Data Processing in certain circumstances;

6.1.6. to Personal Data portability;

6.1.7. not to be subject to a decision based solely on automated processing which may have a legal or similarly significant effect on the Data Subject;

6.1.8. to object to Data Processing;

6.1.9. to lodge a complaint with Supervisory Authority or, when appropriate, the court.

6.2. Employees and contractors of BIO1 directly engaging with Data Subjects, to the extent required, inform them about Data Processing and implementation of their rights.

6.3. When the Personal Data is no longer necessary for the Data Processing purposes or when the Data Subject submits a valid request (in set form available via link below) to erase Personal Data and in the absence of any regulatory requirements to keep processing Personal Data, BIO1 erases Personal Data according to the procedure established by BIO1 in a way that securely precludes restoration or recognition of the content.

6.4. The Data Subject may at any time exercise his/her rights (in a manner compliant with the GDPR) by filing the request in a form, submitted in person, via post to BIO1 operational address or via electronic means (via data.protection@bio1trials.com to DPO of BIO1). Such request upon receipt by Responsible Persons is handled free of charge within 30 days (term extensions possible under specific circumstances) and either satisfied (if BIO1 finds that the request is justified) or rejected with reasons. BIO1 will have to verify your identity before implementing your data subject right.

6.5. If the Data Subject believes that his/her rights related to Data Processing were violated, he/she can lodge a complaint with the lead Supervisory Authority. In any case, with regard to the violation of his/her rights, a Data Subject may also address the concerned Supervisory Authority at his/her state of residence, which will transfer the claim to or investigate it together with the lead Supervisory Authority following the procedure established under the GDPR.

 

7. PERSONAL DATA TRANSFER

7.1. Personal Data is transferred when it is required in order to service clients, to protect BIO1 or third-party legitimate interests (e.g., to prevent or to facilitate investigation of criminal or illegal acts) as well as in other cases foreseen by legal acts.

7.2. BIO1 may provide Personal Data to courts, law enforcement authorities, bailiffs, notary offices, lawyers, state and municipal authorities, companies, institutions and organizations and to other similar recipients.

7.3. Personal Data may be also provided to service providers (e.g., financial and/or legal advice, IT servicing).

7.4. Personal Data is transferred only to the extent it is necessary.

7.5. Processed Personal Data may be transferred to other parties only according to the procedure set out in the GDPR, other applicable legal acts, and to the extent specified under the Rules.

7.6. Personal Data may be transferred outside the European Union or the European Economic Area only if a sufficient level of Personal Data protection is ensured in the destination country.

7.7. The Controller may use Processors for the Data Processing, including contractors, which can operate outside the boundaries of the European Union and the European Economic Area. Accordingly, Personal Data may be transferred to third countries to the extent necessary for performance of Data Processing functions assigned to the Processor.

 

8. FINAL PROVISIONS

8.1. Controllers may also perform video surveillance and record telephone conversations. You will be notified whenever your Personal Data is processed in the mentioned manner.

8.2. DPO oversees BIO1 compliance with the Rules.

8.3. BIO1 will occasionally update this Privacy Policy to reflect changes in BIO1 practices and services. When changes to this Privacy Policy are posted, we will revise the “Last amended” date at the top of this Privacy Policy. In case of any material changes in the way BIO1 processes Personal Data, a notice of the changes will be posted on the website to notify website users and visitors. Please check our website regularly to be aware of any changes in this Privacy Policy.

8.4. If you have questions about the Privacy Policy (or in relation to Data Processing performed by any BIO1 company), please contact the DPO at data.protection@bio1trials.com.

 

 
