Version 04 of April 26, 2023
- Who are we?. 1
- Who are the people involved?. 2
- What is our commitment to data protection?. 2
- What personal data do we process and for what purposes?. 2
- In what capacity do we process your personal data?. 4
- On what basis do we process your personal data?. 4
- Where does your personal data come from?. 5
- Who has access to your personal data?. 5
- How do we manage our subcontractors?. 6
- Where do we process your personal data?. 6
- What are the applicable retention periods?. 7
- What are your rights?. 7
- What level of security do we provide?. 9
- Do you have any questions or complaints?. 9
- Anything else?. 9
- Name : Fondation 101 Génomes (" we», « our/our ")
- Headquarters : Avenue de Sumatra 6, 1180 Uccle (Belgium)
- Company number :609.172
- Website : https://www.f101g.org (the " Web Site")
- Our contact person for questions about data protection: dpoAT101gDOTorg.
2.1 We process personal data relating to:
- participants in our research projects (such as the Genome4Good and the study GEMS) ;
- Participants in specific research projects who entrust us with the hosting of data;
- Funders (e.g. people who give us money), fundraisers (e.g. people who raise money for us) and supporters (e.g. people who attend our events, etc.);
- representatives of our partner organisations (e.g. research centres, associations and other organisations);
- representatives of our suppliers;
- to candidates applying for a job with us;
- to visitors to our website and workplaces;
Hereinafter: the " persons concerned », « you », « your/our ".
3.1 We are committed to using our best efforts to make our personal data processing activities compliant with applicable data protection legislation, including Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "General Data Protection Regulation") (the " RGPD ") and the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, as amended, supplemented or replaced from time to time (the " Applicable Data Protection Legislation ").
4.1 If you are a participant in one of our projects or in a specific research project of a group that entrusts us with the hosting of data, we process:
- your contact details and address to send you your saliva sample collection kit;
- certain health and biometric data for scientific research purposes (including the development and training of bioinformatics tools necessary for research and the provision of data analysis services). An up-to-date list of scientific research carried out on your data is available at any time on our website at https://www.f101g.org/recherches and via your dedicated portal;
- with your consent, your personal identification and contact data in order to offer you the opportunity to participate in specific additional studies (we obtain your consent for this by means of a specific consent form);
- with your consent and the opinion of our Data Access Committee, certain data concerning your health, your biometric data, your personal identification data requested by your doctor or a genetic analysis expert that you have mandated to enable them to carry out medical investigations related to your health (for example in the case of cancer, diagnostic odyssey, etc.)
- with your consent, certain data concerning your health, your biometric data, your personal identification data and your contact data with your referral physician in the event that information relevant to your health should be incidentally discovered by a researcher previously authorized to consult your data in an anonymized form. After consultation with our Data Access Committee, your referring physician will take a position on the potentially health-relevant information disclosed and may, if appropriate, decide to share it with you within an appropriate ethical framework, taking into account the preferences indicated in your consent and in accordance with the applicable laws and ethical rules;
- your personal identification data, contact details and bank account number when preparing documents giving entitlement to a tax deduction for financial donations.
4.2 If you are a donor or a fundraiser or a supporter, we process ;
- your personally identifiable information and contact details to help us organise events to promote our activities and inform you of our activities;
- if applicable, your bank account number to prepare the tax deduction forms.
4.3 If you are a representative of one of our partners, we process :
- your personal identification data, your professional identification data, your contact data and, if applicable, data concerning your professional experience, for the activation, management and maintenance of your partnership;
- where applicable, your personal identification data, your professional identification data and your contact data for communication purposes.
4.4 If you are a representative of one of our suppliers, we process your personal identification data, your professional identification data and your contact data for the management of our business relationship with our suppliers.
4.5 If you apply for a job with us, we process your personal identification data, your professional identification data, your contact data, data relating to your professional life (skills, qualifications, experience, etc.) and personal data contained in your curriculum vitae to assess your profile in relation to our recruitment needs.
4.7 If you use the free online version of our variant classification tools, we keep the variant entered for statistical purposes and to improve our prediction tools.
4.8 If our workplaces are equipped with surveillance cameras, we may request access to images of you only where such access is necessary to pursue our legitimate interest in detecting crime or disorder and to the extent permitted by applicable law.
4.9 We may also process some of your personal data for the following purposes
- Conducting restructuring operations in our businesses;
- Conducting internal and external audits;
- managing disputes with data subjects and where the processing is necessary for the establishment, exercise or defence of legal claims;
- to maintain the security of our information services.
As a general rule, we never subject data subjects to decisions based exclusively on automated processing that has legal effects on them or affects them in a similarly significant way.
5.1 We process your personal data in our capacity as data controller. In this context, we determine the purposes and means of processing your personal data.
6.1 The provision of your personal data may be necessary:
- the performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at your request (e.g. in the event of an application for a job with us);
- to comply with a legal obligation applicable to us (e.g. accounting, tax, etc.) or to comply with requests from law enforcement authorities or courts;
- in pursuit of our (or a data recipient's) legitimate interests provided that those interests override your fundamental rights and freedoms (for example, to maintain the security of our information systems).
6.2 We ask for your prior, free and informed consent before processing some of your personal data (for example, in the situations referred to in point 4.1 above).
6.3 The provision of some of your personal data (e.g. your personal identification data, etc.) is a condition for our ability to allow you to participate in our actions.
6.4 Possible consequences of not providing your personal data could include our inability to allow you to participate in our actions or a breach by us of one or more obligations under applicable laws (for example, accounting and tax laws).
7.1. The personal data we process comes from the following sources:
- directly from you, for example, during the first contact we make with you (possibly through a third party (such as itsme) ;
- via our partners (research centres, associations and other organisations) whom you authorise us to contact to provide us with the data to which you authorise us to have access;
- through the general practitioner, specialist or other person responsible for your care (and staff authorised to work under their supervision, including in hospital settings) whom you authorise us to contact to provide us with the data to which you authorise us to have access;
- from publicly available information (on the Internet), for example when we check the profile of applicants for a job with us.
8.1 The following recipients may receive or have access to some of your personal data (only if necessary for the performance of their duties):
- Members of our operational team have access to some of your health data and some of your biometric data;
- our administrative staff have access to the personal identification data, professional identification data and contact data of our partners' representatives;
- the sequencing service providers we work with;
- certain people in charge of your health care and experts whom you have authorised to access your data (for example in the context of your medical follow-up or a genetic analysis service);
- groups of researchers working on specific projects that would require additional data from you if you have consented to be contacted again to participate in specific studies that require the collection of additional information;
- Groups of researchers (academic and industrial) whose research projects have been approved by an ethics committee and who have been authorized after consultation with our data access committee to have access to your data anonymized or at least pseudonymized (i.e. so that these data are not linked to your personal identification data) may process certain data relating to your health and certain biometric data;
- IT groups wishing to access data to improve the predictive capabilities of their bioinformatics tools;
- our research teams and consultants commissioned by us to conduct research on our behalf and/or to enable and monitor access by other groups;
- Members of our supplier monitoring team have access to the personal identification data, professional identification data and contact data of our suppliers' representatives;
- Our legal advisors and lawyers have access to certain personal data of data subjects in the context of restructuring our activities or litigation;
- Our legal counselors and genetic counselors have access to certain personal data to allow for personalized online information consultations;
- our expert security consultants and network architecture auditors;
- our other advisors (such as our accounting, financial and tax experts);
- external service providers (such as service providers related to the operation and maintenance of information systems processing your personal data);
- the service provider who provides us with the online dialogue and support service (in particular via a conversational agent or "chatbot") when consulting our websites;
- law enforcement or regulatory authorities (e.g. tax, health or data protection authorities, ethics committees) or courts and tribunals where we are required to disclose or share your personal data to comply with a legal obligation or to protect our rights, property or safety or those of others.
8.2 We entrust the processing of some of your personal data to subcontractors only to the extent necessary to perform their tasks and in accordance with our written instructions and the Applicable Data Protection Legislation.
8.3 In the case of a restructuring transaction (e.g. a financing transaction), we may transfer certain personal data relating to a limited number of data subjects to a third party involved in the transaction (e.g. a bank) in accordance with the Applicable Data Protection Legislation.
9.1 We take appropriate steps to ensure that our processors process your personal data in accordance with the Applicable Data Protection Legislation.
9.2 We ensure, among other things, that our subcontractors undertake to process personal data only on our instructions, not to engage another subcontractor without our prior authorisation, to take adequate technical and organisational measures to ensure the security of personal data, to ensure that persons authorised to access personal data are subject to adequate confidentiality obligations, to return and/or destroy the personal data they process at the end of their services, to comply with audits and to provide us with assistance in following up on data subjects' requests to exercise their rights in relation to their personal data.
10.1 We ensure that we host the health and biometric data of our project participants (including Genome4Good) exclusively on servers located within the European Economic Area ( EEE ").
The data collected is processed under our control to be accessible in biological format in our "BioB" and in electronic format in our "Genomic Cloud".
- BioB. We have created our own biobank called "BioB". Our BioB is hosted in France by CryopAL Biobank Solutions which holds ISO 9001:2015 (N°181277/1415F) and ISO 20387:2018 (N°211277/1415F) certifications. The creation of BioB was approved on April 5, 2022 by the Ethics Committee of the Erasmus Hospital (Brussels - Belgium). It then received the notification number BB220008 from the Belgian Agency for Medicines and Health Products (FAMHP) on 9 June 2022.
- Genomic Cloud. We have created our own bioinformatics biobank called "Genomic Cloud". Our Genomic Cloud is built in Azure (ISO 27001:2013, Defender 100% Secure score) and is FAIR compliant.
10.2 In the very unlikely event that your personal data is transferred to countries outside the EEA, we will ensure that we take the following safeguards:
- the country to which the personal data is transferred has received an adequacy decision from the European Commission under Article 45 of the GDPR and the transfer falls within the scope of that adequacy decision;
- we will carry out an impact assessment of the transfer, adopt additional measures if necessary and enter into a contract with the recipient of the personal data containing the standard contractual clauses for the protection of personal data adopted by the European Commission under Article 47 of the GDPR.
10.3 Should your personal data be transferred to a country that does not have a level of protection equivalent to that provided by the GDPR, appropriate safeguards will be put in place to ensure a level of security and protection appropriate to the nature of the data transferred. You will be informed of the safeguards put in place via your dedicated portal and/or by email and if you require further information you can always contact the Data Protection Officer at Fondation 101 Génomes via the address dpoAT101gDOTorg.
11.1 We ensure that your personal data is kept for no longer than is necessary for the purposes for which it is processed.
11.2 We retain accounting records (which may include some of your personal data) for a period of seven (7) years from the date of issue in accordance with the Accounting Act. These documents contain the personal identification data, the professional identification data and the contact data of our clients' representatives.
11.3 We keep the data to which you have given us access for the duration of the projects in which you participate (such as Genome4Good). In all cases, your personal data is kept for the time required by the regulations.
11.4 We also use the following criteria to determine the length of time we keep personal data depending on the context and purposes of each processing operation:
- the date of our last contact;
- security reasons (e.g. the security of our information systems);
- any actual or potential dispute or litigation with a data subject;
- any legal obligation to retain or erase personal data (for example, a retention obligation imposed by accounting or tax law).
12.1 Subject to the limitations contained in the Applicable Data Protection Legislation, you have a right to information, a right of access to, rectification and erasure of your personal data, a right to object to or restrict the processing of your personal data, a right to portability of personal data and a right to withdraw your consent.
12.2 Below is a table describing each of your rights in more detail:
|The right to information
|You have the right to clear, transparent and understandable information about how we process your personal data and how to exercise your rights. This information is contained in the Policy. If this information is not clear enough, please contact us (via our contact details in the Policy).
|The right of access
|You have the right to obtain confirmation as to whether or not your personal data are being processed and, where they are, access to such personal data. You have the right to obtain a copy of your personal data, unless the exercise of this right would infringe the rights and freedoms of others.
|The right of rectification
|You have the right to have your personal data corrected if it is found to be inaccurate. You also have the right to have your personal data completed if they are incomplete.
|The right to erasure (the "right to be forgotten")
|You have the right to have your personal data erased. However, the right to erasure (or the "right to be forgotten") is not absolute and is subject to specific conditions. We may retain some of your personal data to the extent permitted by Applicable Data Protection Legislation, including where processing remains necessary to comply with a legal obligation to which we are subject or for the establishment, exercise or defence of legal claims.
|Right to object to processing
|You have the right to object to certain types of processing (where the processing is based on our legitimate interests and, taking into account your particular circumstances, your interests or fundamental rights and freedoms prevail).
|Right to object to processing for the purpose of canvassing
|You have the right to object at any time to the processing of your personal data where we process such data for marketing purposes.
|The right to restrict processing
|You have the right to have the processing restricted in certain circumstances (e.g. where we no longer need your personal data but it is still necessary for the establishment, exercise or defence of legal claims).
|The right to portability of personal data
|You have the right, in certain circumstances, to receive your personal data provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller.
|The right to withdraw your consent
|If you have given us your consent to process your personal data, you have the right to withdraw it at any time.
12.3 Please address any requests relating to your rights in relation to your personal data that we process in our capacity as data controller to our contact person for all data protection matters using the details set out in the Policy. We undertake to respond to your request as soon as reasonably practicable and always within the time limits set out in the Applicable Data Protection Legislation. Please note that we may retain your personal data for certain purposes where required or permitted by law. Please note that we may, if we are in doubt as to your identity, ask you for proof of identity to prevent unauthorised access to your personal data.
12.4 Please note that we may charge a reasonable fee based on technical and administrative costs for responding to your request for access to your data and your right to portability of your data (this contribution shall at a minimum cover the full costs incurred by us in collecting, sequencing, processing and storing the data).
12.5 Groups authorized to have access are only permitted access to your anonymized or at least pseudonymized data (i.e., so that it is not linked to your personally identifiable information). Only we can link your Research Data to your personally identifiable information. You acknowledge that, upon your request, we will validly comply with your request to exercise (i) your right to object to the processing of your Research Data, (ii) your right to withdraw your consent to the further processing of your Research Data, and (iii) your right to delete your Research Data by irreversibly deleting the link between your Research Data and your personally identifiable information.
13.1 We take appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with processing your personal data.
Our BioB (biobank) in which biological samples are stored is hosted in France by CryopAL Biobank Solutions which holds ISO 9001:2015 (N°181277/1415F) and ISO 20387:2018 (N°211277/1415F) certifications, was approved on April 5, 2022 by the Ethics Committee of the Erasmus Hospital (Brussels - Belgium) and received the notification number BB220008 from the Belgian Agency for Medicines and Health Products (AFMPS) on June 9, 2022
Our Genomic Cloud in which data is stored is built in Azure and has achieved ISO 27001:2013 certification (+Defender 100% Secure score). After consultation with our Data Access Committee (DAC), bioinformatics researchers may be granted access to a query interface of our Genomic Cloud to conduct their research. The electronic data we collect does not leave the instance where it is stored in our Genomic Cloud. Researchers authorized to query the data can conduct their analyses on copies of the data, but they cannot extract or save the data locally. Only the results of the searches are repatriated and belong to the researchers.
13.2 We follow industry best practice to ensure that personal data is not accidentally or unlawfully destroyed, lost, altered, disclosed or accessed in an unauthorised manner.
14.1 If you have any questions or complaints about the way we process your personal data, please address them in advance to our data protection contact person using the contact details listed in the Policy.
14.2 You have the right to lodge a complaint with the competent supervisory authority. The competent authority for Belgium is the Data Protection Authority, rue de la presse 35, 1000 Brussels, +32 (0)2 274 48 00, email@example.com.
15.1 We reserve the right to update the Policy from time to time. We will notify you of any changes we make to the Policy.
15.2 In the event of a conflict or inconsistency between a provision of the Policy and a provision of another policy or document relating to the processing of personal data, the provision of the Policy shall prevail.