This Charter is currently in force and up to date as of 06 October 2022.
For BIONEXT S.A., established and having its registered office in L-3364 Leudelange, 2-4, rue du Château d'Eau, registered with the RCS Luxembourg under the number B 140641, represented by Mr. Jean-Luc Dourson, in his capacity as CEO (hereafter the "Company").
Scope of application of this Charter:
- To patients and their representatives, if any;
- To health professionals;
- To candidates applying to the Company;
- To any other person who uses the applications or the website, or has a relationship with the Company (including representatives of third party suppliers or service providers).
In its capacity as data controller, the Company processes information and Data about you and/or any person connected to you (the "connected person(s)"), primarily in the context of the relationship (the "Relationship").
A related person is a person or entity about whom you or a third party provides the Company with information and/or of whom the Company otherwise becomes aware in connection with the Relationship. A Related Person may be, for example, a patient, an employee, a spouse, a child, another relative, or another external referent.
In this respect, you are requested to contact the persons related to you and to transmit this Charter to them so that they can be validly informed.
As a health professional, the Company is already bound by confidentiality in the processing of your personal data. The purpose of this Charter concerning the protection of privacy and the processing of personal data is to inform you about the processing of your personal data (hereinafter the "Data") and about your rights under the European General Data Protection Regulation (hereinafter the "GDPR Regulation") and Luxembourg national laws on the protection of privacy and personal data.
The so-called "GDPR Regulation" is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It is available on the European Union's secure legislative website (eur-lex.europa.eu) and entered into force on 25 May 2018.
It applies only to the processing of Data relating to natural persons.
When you enter into a relationship with the Company in any way by visiting one of the Company's collection centres or through any means of communication made available to you by the Company (for example if you contact the Company by telephone, or if you browse the Company's website or use its applications and services for individuals or professionals), the Company will only collect the Data necessary for the purposes for which it is to be processed, the Data being data relating to you and/or any connected person and enabling you/them to be identified directly or indirectly.
You are invited to read the information contained in this Policy carefully so that you understand the purposes for which the Company uses your Data.
Table of contents
- DEFINITIONS
- THE COMPANY IS RESPONSIBLE FOR PROCESSING YOUR DATA
- HOW AND WHEN IS YOUR DATA COLLECTED?
- WHAT ARE THE PURPOSES AND THE LEGITIMATE BASIS FOR PROCESSING THIS DATA?
- WHAT CATEGORIES OF DATA ARE COLLECTED?
  - If you are a patient
  - If you are a health professional
  - If you are an applicant
  - If you are any other natural person with a professional contact or relationship on your own behalf or on behalf of the company that employs you
- THE COMPANY MAY USE SUBCONTRACTORS
- THE COMPANY MAY TRANSFER YOUR DATA
- COMPANY WEBSITE AND APPLICATIONS
- THE COMPANY TAKES ALL MEASURES TO ENSURE THE SECURITY OF YOUR DATA
- IN THE EVENT OF A BREACH OF YOUR DATA
- HOW LONG IS YOUR DATA KEPT?
- WHAT ARE YOUR RIGHTS REGARDING YOUR DATA AND THEIR PROCESSING?
- CHANGES TO THE POLICY
- CONTACT INFORMATION - QUESTIONS AND COMPLAINTS
"Personal data": any information relating to a natural person that enables that person to be identified directly or indirectly. This may include, but is not limited to, first and last name, date of birth, personal address, email, photograph, telephone number, medical information, bank details.
"Sensitive data" means medical data.
"Data subject": any natural person who can be identified, directly or indirectly, by an identifier (e.g. name, identification number or location data) or by one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
"Processing" means any operation performed manually or by means of automated processes on personal data. This may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Company is responsible for processing your Data. It determines the purposes and means of processing for which your Data is collected and protects it in accordance with the regulations in a fair, transparent and secure manner.
The Company, its staff, co-contractors and suppliers are subject to certain obligations of confidentiality and/or secrecy, for example arising from data protection, contracts or professional secrecy. The Data processed is subject to these obligations.
This Policy describes how the Company processes (i.e. collects, uses, stores, transmits or otherwise deals with) the Data.
The Company may process Data directly or indirectly, using third parties who process personal data on its behalf (hereinafter "processors"). The Company is only responsible for the processing of Data within the framework of this Policy.
If you have any questions about this Policy or, more generally, the processing of your Data or that of related persons, you are invited to contact the Company at the following email address: dpo@bionext.lu.
In its capacity as Data Controller, the Company collects your Data mainly when you enter into a relationship with it (e.g. by visiting one of its collection centres or through one of its Applications or its website, or by telephone or by post, or even directly at your home or workplace) and then throughout your relationship with it. However, this Data may also be collected from third parties other than you/the Data Subject (for example from partner medical analysis laboratories, third party care networks, a doctor if you are a patient or a recruitment agency if you are a candidate).
This data is recorded in the Company's and/or its third party providers' information systems.
In addition, electronic data may also be collected when you log on to the Company's website or applications ("server-log-files" and "cookies").
The Company collects and processes your Data for one or more of the purposes described below. It determines these purposes alone, for the needs of its activities and the management of its tools (application(s) and website), and ensures that only data that is necessary, adequate, relevant and not excessive with regard to a specific purpose is processed:
- To enable the proper performance of the mission for which the Company has been mandated;
- To record your Data in your electronic file;
- To answer your questions, requests for information and/or advice;
- To ensure the follow-up and management of your file;
- To allow the transmission of your Data to health professionals in accordance with the rules established with the Company, to the doctors mentioned on the prescription and to the doctors indicated by you;
- To allow the transmission of the Data to the referring doctors;
- To allow the transmission of this Data, after anonymisation, to health structures for research and statistical purposes;
- To allow the transmission of your connection and navigation data for the purpose of managing your file;
- To ensure the proper technical functioning of the Company's facilities (e.g. the management and maintenance of its website or other communication channels);
- To ensure the invoicing of the Company's services and the proper follow-up by its accounting department;
- To ensure the implementation of the Company's recruitment operations and the management of application files;
- To send you any electronic communications and invitations;
- To make appointments and manage notifications;
- To ensure compliance with legal obligations;
- To enable the management of possible disputes and conflicts;
- To work towards the security and protection of its organisation and activities.
The Company processes Data by ensuring that one of the following legitimate bases exists:
- compliance with legal and regulatory provisions to which the Company is subject;
- the performance of the relationship between you and the Company;
- the preservation of the legitimate interests of the Company;
- your express, free, specific, informed and unambiguous consent (obtained for example in the contact form on the Company's website).
The Company is required to comply with certain legal and regulatory obligations which impose a particular processing of your Data. This processing may require the communication of your Data to certain authorities, whether national, European or foreign, as well as to third parties. We ensure that your Data is only disclosed if and insofar as we are required to do so.
5.1 If you are a patient:
- Your identification data such as your name and surname(s), date of birth, national identification number, relationship;
- Your contact data such as telephone number and/or mobile phone number, e-mail address, private or business postal address, language of contact;
- Financial information such as bank account number;
- Medical data: medical test results, prescription, medical questionnaire
5.2 If you are a health professional:
- Your identification data such as your name and surname(s), profession, speciality, CNS number, name of the company/cabinet/hospital, function within the structure
- Your contact data such as landline and/or mobile phone number, e-mail address, professional postal address, language of contact.
5.3 If you are an applicant:
- Your identification data such as surname and first name(s), gender, date and place of birth, postal address, nationality, national identification number, tax residence, as well as the data contained in your electronic identity card
- Your contact data such as landline and/or mobile phone number, e-mail address.
- Your personal situation: marital status, family or professional situation and its developments or key moments, information relating to your training and your level of study (CV).
5.4 If you are any other natural person with a professional contact or relationship on your own behalf or on behalf of the company that employs you:
- Your identification data such as your first and last name(s), company name, position within the organisation
- Your contact data such as telephone number and/or mobile phone number, e-mail address, business postal address
The Company may use subcontractors to process your Data, such as, but not limited to, partner laboratories, healthcare providers, an IT services company or an external recruitment consultancy.
It only uses subcontractors who offer sufficient guarantees as to the lawfulness, transparency and security of the processing of the Data. It only sends them the Data strictly necessary for their services.
The data collected may only be communicated by the Company to its service provider to the extent strictly necessary for the performance of its service under the Company's responsibility.
The purpose of these communications may, for example, be to ensure the security of computer networks and transmissions, to meet legal obligations for which the Company is liable or to allow the distribution of a multi-mailing (direct mail) on the Company's initiative.
The Company communicates any analysis results by any means to the prescribing doctor and to the health professionals mentioned on the prescription or requested by you.
The Company may communicate to another doctor at the request of the prescriber any test results that allow the proper management of the patient.
The Company, in its capacity as a healthcare establishment as defined by the Luxembourg E-santé Agency ("AeS"), being in a therapeutic relationship, accesses your Shared Care File ("DSP") in order to:
- Transmit test results
- Consult your authorised data, the definition of which is provided in the AeS empowerment matrix.
The Company may also transfer your Data to public or judicial authorities, its lawyers, advisers or third parties, if required to do so by law or if it believes in good faith that such disclosure is necessary to protect its rights, property or safety. For example, in connection with an investigation, to comply with a legal obligation or legal process.
The Company does not transfer your Data outside the European Economic Area. If, however, such a transfer is necessary, it will carefully check that the country to which the data is transferred provides an adequate level of protection or that appropriate contractual safeguards have been put in place.
These provisions are in addition to the provisions relating to the respective terms and conditions of use of the Company's website and applications when you use them. For the website, they are available at the following link: https://www.bionext.lu/p/gdpr and for the applications, they are available on the applications when you download the relevant applications.
Certain other Data is automatically collected and saved by the browsers ("Server-log-files") and the Company's applications when you use them. This data may be freely transferred for statistical analysis, system security and stability purposes or for the purpose of improving the services offered by the Company and its partners to ensure the proper functioning of the website and its optimal use.
This Data is not merged with other data sources. This includes the following information:
- Browser type/version
- Operating system used
- Reference URL of the page visited
- Host name of the accessing computer or IP address, in the form of IPv4 or IPv6, which is the globally recognised identification of your computer at the time it is assigned by your internet service provider.
Indirectly nominative data for statistical purposes may also be collected for the purpose of managing your connections and browsing on the Company's website.
In addition, electronic data may also be collected and/or deposited on your computer system for the purpose of managing your connection and navigation on the Application and/or the Website. You may refuse the use of these files (also known as "cookies") via the configuration of your Internet browser.
Under no circumstances may this data be used for commercial purposes.
For the sake of transparency, we inform you that the "myDSP" function of the Mylab service allows you to access your DSP and that this access is traced under the name "Bionext".
The Company takes the necessary measures, including organisational and technical measures, to ensure the confidentiality, integrity, availability and resilience of the Data, systems and processing services under its control and the security of their processing in accordance with legal requirements.
Its staff in charge only access your Data if it is relevant to the performance of their duties. They are therefore subject to strict professional discretion and must respect the confidentiality of your Data. Access to physical Data or to servers and networks is strictly protected and the Company takes particular care in the choice of its suppliers and partners to ensure that any transfer or processing of Data by them is fully secure.
The technical protection measures put in place offer an optimal level of security for your Data. They consist in particular in the installation of firewalls or antivirus software.
In accordance with Regulation (EU) No. 611/2013, the Company must notify the Commission Nationale pour la Protection des Données du Grand-Duché du Luxembourg (the "CNPD") of the breach of your data within 24 hours of becoming aware of a breach of security and confidentiality of personal data. In addition, the Company undertakes to inform you provided that the incident is likely to adversely affect the level of protection of your privacy and your data.
The Company retains your Data for as long as is necessary to fulfil the specific purposes for which it was collected and also to fulfil, for example, its legal obligations or for evidential purposes.
The length of time we keep your Data depends primarily on the type of data concerned.
For example:
- Data that can be qualified as chronological and nominative analysis results must be kept for a legal period of ten years but without any legal obligation.
- Unless the applicant has given express consent for the Company to retain their data for a longer period, Applicant Data is retained for a maximum of two years after the applicant has been informed that their application has been unsuccessful before being destroyed.
Throughout the period of retention of the Data, the Company undertakes to put in place all the necessary means to ensure their confidentiality and security, so as to prevent their damage, deletion or access by unauthorised third parties.
At the end of the Relationship, the archived Data is kept by the Company for as long as there are legal obligations on the Company (e.g. accounting data must be legally kept for 10 years).
During the archiving period, you may, at your own expense, consult or take a copy of all or part of the archived file.
You have the right, subject to applicable data protection legislation, to:
- request access to the Data held by the Company and to receive a copy free of charge within reasonable limits;
- where appropriate, to request rectification or erasure of inaccurate Data;
- to request the deletion of Data where its processing is no longer necessary to achieve the purposes, or is not or is no longer lawful for other reasons or where you withdraw your consent to the processing subject, however, to the applicable retention periods;
- to request a restriction on the processing of Data whose accuracy is disputed, if the processing is unlawful or if you have objected to the processing;
- to object to the processing of the Data, in which case the Company will no longer process your Data, unless it has compelling legitimate grounds to do so (e.g., to establish, exercise or defend a legal claim);
- to receive your Data, re-use it and pass it on to another controller;
- to obtain, where applicable, a copy of, or access to, the appropriate or adequate safeguards that the Company undertakes to implement in order to transfer Data outside the European Economic Area;
- to lodge a complaint with the Company and/or its Data Protection Officer regarding the processing of the Data and, if the matter is not satisfactorily resolved, to lodge a complaint regarding the processing of the Data with the relevant data protection authority.
Please note that in some cases, even if you object to the processing of all or part of your Data, the Company may be permitted to continue processing if it is (i) legally required, (ii) necessary for the performance of a task carried out in the public interest or (iii) necessary for the purposes of the Company's legitimate interests, including the establishment, exercise or defence of legal claims.
You also have the right to refuse to provide certain of your Data to the Company, but you understand that such refusal may prevent the Company from entering into the relationship or even from being able to perform some of its services or to maintain the relationship.
The Company regularly reviews the Charter and modifies its content if necessary to ensure that it complies at all times with the applicable regulations in force.
The Company uses the data in order to offer you personalised services with high added value and quality in order to provide you with all the elements to help you make the best decisions. The Company is committed to expressing in full transparency, if you so wish, what is being done with your data.
To this end, it can be contacted by the following means:
By e-mail: dpo@bionext.lu
By post: Laboratoire BioneXt LAB
For the attention of the Data Protection Officer
2-4, rue du Château d'eau / L-3364 Leudelange
You may also, by the same means, exercise your rights, within the limits permitted by the GDPR and national laws, at any time, by sending a simple e-mail or a simple letter to the attention of the Data Protection Officer.
In addition, at any time, you may lodge a complaint directly with the National Commission for Data Protection ("CNPD") if you consider that the processing of your personal data constitutes a breach of the GDPR:
Commission Nationale pour la Protection des Données
15, boulevard du Jazz
L-4370 Belvaux
Tel: (+352) 26106026
Fax: (+352) 2610602
You can also contact a supervisory authority of your choice directly.
You can consult and print this Charter at any time on the Company's website at: https://www.bionext.lu/p/gdpr