INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA

Foreword

• Pursuant to the European Regulation of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”), the Endowment Fund bioMérieux is required to gather personal data for business purpose.

The protection of natural persons with regard to the processing of personal data is a fundamental right.

Accordingly, the aforementioned European Regulation aims to strengthen and specify the rights of data subjects, and the obligations of those who perform and determine the processing of personal data. 

• The purpose of this information is to inform the data subjects about the processing of their personal data, and to determine the procedures for exercising their rights in that context. 

Article 1.  Definition

The following meaning has been assigned to the terms below, within the meaning of this information memo: 

• “Personal data”: any information that relates to an identified or identifiable natural person; an identifiable natural person is considered as a "natural person [...] who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity";
• “Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• “Company”: Endowment Fund bioMérieux, hereinafter referred to as the “Data Controller”  
• “Data Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
• “Recipient”: the natural person or legal entity, the public authority, the department or any other organisation that receives disclosure of personal data, regardless of whether that person is a third party, and which is referred to in Article 6 below.

It is specified for all intents and purposes that where personal data have not been gathered directly from the person concerned, the data-gathering will be limited to the identification data for the persons concerned.

Article 2. Legal basis for the processing

In accordance with Article 6 of the GDPR, any processing of the data subject’s Personal data performed using the applications identified by the Endowment Fund will be based either on a contract or a legitimate interest to do business. Accordingly, the processing of Personal data will be based on the performance of the non-profit organization contract, the compliance with legal obligations to which the Endowment Fund is subject, and the legitimate interests pursued by the Endowment Fund.

Article 3. Purposes of the processing of personal data

Company acts as Data Controller where the processing of the non-profit organization’s members’ Personal data is specifically intended to: 

- collect data given by nonprofit organizations, entering the international call for projects, to decide what financial support the Endowment Fund will bring to the projects submitted by the nonprofit organizations.

Article 4.  Company’s details 

4.1 Contact details for the Data Controller: 

The Endowment Fund bioMérieux is the Data Controller for the purposes mentioned in Article 3.1, and is registered on the Lyon Trade and Companies Register under no. 892 294 166, and has its registered office at Marcy L’étoile.

4.2. Contact details for the person representing Company in its function of Data Controller 

The person representing the Data Controller is Alexandre Mérieux, in his capacity as Chairman and CEO of bioMérieux SA, First President of the board of directors of the ENDOWMENT FUND, and whose contact details are as follows: Campus de L’étoile, 100 Allée Louis Pasteur, 69280 Marcy L’étoile.

Article 5. Contact details

In case of issues related to the processing of personal data or to exercise his/her rights, the data subject can contact the Endowment fund at [email protected]

Article 6.  Retention period for Personal data

6.1. Regarding the processing of Personal Data as Data Controller (as mentioned in Article 3.1), Personal data will be retained for a period that does not exceed the period required for the purposes for which they are processed. 

Unless prior requesting deletion is sent to [email protected], the Data Controller will hold Personal Data on the Endowment Fund’s systems for the longest of the following retention periods: 

1. 3 years after the end of the contractual relationship
2. any retention period that is required by law; 
3. the end of the limitation period in which litigation or investigations might arise in respect of the relevant activity or services.

Article 7.  Data subject’s rights regarding the processing of their Personal data 

▪ Data subjects enjoy the rights referred to in the following articles.

In the context of a request relating to exercising their rights, the Data Controller undertakes to uphold those rights as soon as possible, and within a period of one month as from receipt of the request by the Endowment Fund, in any event. 

This timeframe may be extended by two months in view of the complexity or number of requests, if necessary.

The Data Controller will inform the data subjects concerned about this extension and the reasons for the delay within a period of one month as from receipt of their request, in that regard. 

Where the request is submitted in electronic format, the information will be provided electronically by default, where possible, and unless the employee concerned expressly requests for it to be provided in another manner (hard-copy paper format).

If the Data Controller does not follow up the request submitted by the data subject, they will inform the latter about the reasons for their failure to take action, and the data subjects’ option to lodge a claim with CNIL and/or to lodge a legal appeal without delay, and within a period of one month as from receipt of the request at the latest.

                  7.1    Right of access by the data subject concerned

All the data subjects have the right to obtain a confirmation from the Data Controller regarding whether the Personal data regarding them is processed by the Data Controller, as well as access to said data.

To do so, the data subject concerned may submit their request to the dedicated email address mentioned in Article 5 above.

Article 7.2     Right to rectification 

Any data subject have the right to ensure that the Data Controller rectifies any Personal data concerning them that are inaccurate as soon as possible. 

To do so, the data subject concerned may submit their request to the dedicated email address mentioned in Article 5 above.

Furthermore, any data subject have the right to ensure that incomplete Personal data concerning them are completed, as long as this information is required for the purpose of the data processing, by providing an additional statement addressed to the dedicated email address mentioned in Article 5 above.

Article 7.3     Right to erasure (“Right to be forgotten”)

Any data subject have the right to ensure that the Data Controller erases Personal data regarding them as soon as possible: the Data Controller will be under an obligation to erase these Personal data as soon as possible, in the following cases: 

• the Personal data are no longer required for the purposes for which they were gathered or processed in another way;
• the data subjects concerned are exercising their right to object to the processing of their data;
• the Personal data have been the subject of unlawful processing;
• the Personal data must be erased in order to comply with a legal obligation provided for by European Union law, or by the domestic law that governs the Data Controller;

However, the right to erasure cannot apply in the following cases:

• their processing is required to exercise the right to freedom of expression and information;
• their processing is required in order to comply with a legal obligation provided for by European Union law, or by the domestic law that governs the Data Controller;
• their processing is required to record, exercise, or defend rights in court.

To exercise this right, the data subject concerned may submit their request to the Data Protection Officer mentioned in Article 5 above.

7.4 – Right to restriction of processing 

Any data subject have the right to ensure that the Data Controller restricts the processing of their data in the following cases: 

• the accuracy of the Personal data is disputed by the data subject concerned for a period that enables the Data Controller to check the accuracy of the Personal data;
• the processing is unlawful and the data subject objects to the erasure of the data, and is requiring the restriction of their use instead;
• the Data Controller no longer requires Personal data for processing purposes, although these data are still required by the data subject concerned in order for the establishment, exercise, or defence of legal rights.

To exercise this right, the data subject concerned may submit their request to the dedicated email address mentioned in Article 5 above.

Article 7.5  Right to object

Any data subject have the right to object to the processing of Personal data regarding them based on the legitimate interests pursued by the Data Controller at any time, for reasons relating to their specific situation. 

To exercise this right, the data subject concerned may submit their request to the dedicated email address mentioned in Article 5 above.

The Data Controller will no longer be able to process the Personal data, unless they prove that there are compelling legitimate grounds for processing that data, which take precedence over the interests, rights, and personal freedoms of the data subject, or for the establishment, exercise or defence of rights in court. 

Article 7.6     Right to data portability

As long as the data-processing in question has been carried out using automated processes, any data subject have the right to receive the Personal data regarding them that have been provided to the Data Controller in a structured, commonly-used, machinereadable format, and have the right to transmit these data to another Data Controller without the first Data Controller objecting.

Furthermore, any data subject have the right to ensure that the Personal data regarding them are directly transmitted to another party by the Data Controller, where technically feasible.

To exercise this right, the data subject concerned may submit their request to the dedicated email address mentioned in Article 5 above.

                  7.7    Right to lodge a claim with a supervisory authority

Notwithstanding any other administrative or legal recourse, any data subject who believes that Personal data regarding them were processed in a manner that breached the GDPR and the principles set out in this information memo has the right to lodge a claim with CNIL.

To assert their rights, any contractors/prospects may also appoint a body, an organisation, or a not-for-profit organisation that has been validly and legally incorporated, the statutory goals of which are in the public interest, and which is active in the protection of the rights and freedoms of the individuals concerned as part of the protection of the Personal data regarding them, in order for the data subject to lodge a claim in their name with CNIL, or exercise an effective legal recourse against a Data Controller or processor.

* * *

This memo has been read attentively by the data subject via the Endowment fund website.

Endowment Fund bioMérieux 

The representative of the Data Controller  Christine Hostache.

Last update – July 2022 – V1