Data Protection Policy

Stago, when acting as a controller, is responsible for the personal data that you provide to us or that we collect.

In order to protect your privacy and your personal data as effectively as possible, we have appointed a data protection officer. This person, who is the point of contact for the Information Commissioner’s Office (the UK’s data protection supervisory authority), is responsible for ensuring that we process your data in accordance with applicable law.

You can contact our data protection officer at the following address: dpo@nullstago.com

Personal data is information relating to an identified or identifiable natural person, such as an email address, your first and last name, your IP address, etc.

We collect your personal data as part of our sales, after-sales service, distribution and promotion. We also process personal data when we proposing to employ or engage a person to work for or with us and then if they do eventually become employed or engaged by us. 

In some cases, we collect your personal data directly from you. In other cases, your personal data is communicated to us by a third party (our customers, our suppliers, etc.).

The personal data that we are likely to process are, for example:

• Identification data, such as your first and last name, your address, your telephone number, your e-mail address, your profession;
• Application data, such as your CV, diplomas, professional experience, if you wish to apply to work for or with Stago (either direct or via a third party);
• Data relating to us engaging or employing you to work with or for us e.g. your bank account details, your date of birth, emergency contact details, etc.
• Data relating to an order or a service provided to us, if you are a supplier or service provider to Stago.

Processing has a wide meaning and includes obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it. Processing information also includes transmitting or transferring personal information to third parties

The processing of personal data carried out by Stago has an explicit, legitimate and determined purpose.

Your personal data may for example be processed for the following purposes:

• If you are a customer or a prospect, we may process your personal data for the following purposes:
  • managing our relationship with you;
  • organisation, registration and invitation to events, trainings and webinars;
  • management and follow-up of customer, supplier and third-party files;
  • prevention of money laundering and terrorist financing and the fight against corruption;
  • invoicing;
  • accountability.
• If you apply to work with or for Stago, whether direct or indirectly e.g. via a recruitment agency, we may process your data in order to manage your application and also to demonstrate, if required, that we have carried out any recruitment exercise in a fair, transparent and legally compliant way.
• If you have subscribed to our newsletter, we may also process your personal data in order to send you the said letter by e-mail. You can opt out of our newsletter any time by contacting us at dpo@stago.com .
• If you are one of our suppliers or service providers, we may process your data for the management of our relationship with you.
• If you are our employee, or other person who provides personal services to us e.g. a consultant, then we process your data to  perform the contract we have with you and it may be necessary for us to process your data in order to comply with a legal obligation which we are subject to. There may also be other purposes for our processing and we will inform you of what this is before we process your data. We may also process more sensitive categories of data e.g. details about your health (called ‘special category data’) but, again, we will inform you of what data we process and why before we process it.   

The purpose of the processing will be communicated to you on a case-by-case basis, for each type of processing that we carry out on your personal data.

We always ensure, when we process your personal data, that the processing is based on a "legal basis".

We always process your personal data on one of the following:

• When you have personally entered into a contract with Stago, and the performance of this contract requires us to process your personal data, the legal basis for the processing is the performance of the contract. For example, this could be the case if you are a Stago employee.
• When processing is necessary for the execution of pre-contractual measures taken at your request, our legal basis is based on these pre-contractual measures. For example, this is the case when you submit an application for a position to us, which requires us to review your CV in order to make a decision on your application.
• When the processing is necessary for the purposes of the legitimate interests which we pursue and your interests and fundamental rights do not override those interests, our legal basis for carrying out the processing is  these legitimate interests. For example, the processing of your personal data for prospecting purposes as part of the management of the contract of the company for which you work, as part of our clinical studies which are of a public interest nature and are necessary for the development of our medical devices.
• We may also process your personal data by relying on another of the legal bases listed in legislation or regulations that are applicable to Stago as an employer or private company based in the United Kingdom. For example: compliance with a legal obligation to which Stago is subject or your consent to processing.

Authorised persons within Stago and, in some cases, third parties who process personal data in order to provide us with services  (our “trusted providers” which includes Diagnostica Stago SAS ), may access and process your personal data. We do our best to ensure that the number of such persons accessing and processing your data is kept as small as possible and to maintain the confidentiality and security of your personal data.

We only provide our trusted providers with the information they need in order to provide the service we require them to carry out and do not allow them to use your personal data for other purposes. We require all of our trusted providers with whom we work to maintain the integrity, availability, confidentiality and security of your data. We also ensure that when our relationship with a trusted processor comes to an end, that processor deletes your personal data without delay.

We select our trusted providers with great care, ensuring that they provide sufficient guarantees, particularly in terms of expertise, reliability and resources, to implement the technical and organisational measures to meet the requirements of the applicable legislation, in particular the security of the processing. In this regard, we instruct  our trusted providers to process personal data only in accordance with our documented instructions. We also require the trusted providers to ensure that t their staff are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality.

We may ask our trusted processors to provide a service that requires the processing of your personal data, for example in the following cases:

• hosting our website;
• administering of our pension scheme;
• the storage of your personal data;
• maintenance of our hardware/software.

Where applicable, we take appropriate steps to ensure that the use of these trusted providers does not infringe our obligation of confidentiality.

Your data is stored in the UK by Stago and in the EU by our trusted providers.

When transferring data outside of the UK, we ensure that the data is transferred securely and in accordance with applicable law. When the country where the data is transferred does not have an adequacy decision, we use "appropriate safeguards".

These appropriate safeguards are a way to ensure that the protection of your personal data is ensured even when they leave the UK. These appropriate safeguards may, for example, consist of using standard contractual clauses.

Depending on the processing operations to which your data is subject, you may have the following rights: 

• The right to obtain confirmation from us whether or not we process your personal data (right of access). If we process your data then you can access your personal data and obtain information such as how it is processed, the purpose of the processing and the categories of personal data concerned;
• The right to request correction of inaccurate or incomplete personal data concerning you (right of rectification);
• The right to request erasure of  your personal data if it is no longer necessary for the purpose for which it was originally collected/processed, (right of erasure). You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • The right to request we suspend   processing your personal data (right to restriction of processing) in the following circumstances; If you want us to establish the data's accuracy.
  • Where our use of the data is unlawful but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  • If you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• The right to request transfer of your data to you or a third party when the processing is based on consent or a contract and the processing carried out using automated processes;
• The right to object, for reasons relating to your particular situation, to certain processing of personal data (right of objection). This includes where we are relying on a legitimate interest of ours (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms;
• The right not to be the subject of a decision based exclusively on automated processing including profiling except in cases which allow it.
• The right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

To exercise these rights, you can contact us at the following address: dpo@nullstago.com 

In order for us to process your request satisfactorily, you will need to prove your identity, by whatever means. If we are not satisfied that what you have provided proves your identity then we may ask you for additional information, including e.g. the secure transmission of a copy of an identity document, signed by you.

We will do our best to meet your demands satisfactorily. Whatever our response, we will get it to you within one month, unless we need to extend the time for our response when we may extend the time for us to respond by up to an additional two months, depending on the complexity of and the number of requests.

We will not charge you for responding to any right set out above if your request is legitimate and not excessive. However, if any requests are unfounded or repetitive, we may require the payment of reasonable fees for dealing with your request which take into account the administrative costs incurred in providing the information, making communications or implementing the measures requested by you.

If you have any questions about this policy or how we process your data, please contact our data protection officer at the following address: dpo@nullstago.com. You also have the right at any time to lodge a complaint with the Information Commissioner’s Office (ICO) – see www.ico.gov.uk. We would appreciate the opportunity to resolve any concerns before you contact the ICO so please get in touch 

Whenever Stago processes or proposes to process your personal data, it will inform you of: 

• The identity of the controller and the contact details of the data protection officer;
• The source from which the data comes when the data has not been collected from you;
• The purpose of the processing as well as the legal basis for the processing;
• When the processing is based on legitimate interests, the justification of these interests
• The recipients or categories of recipients of the data
• If applicable, the intention to make a transfer outside the UK and the terms and conditions authorising this transfer
• The period that we will retain the  data or the criteria used to determine this period
• The rights you have regarding this processing;
• Information on whether the requirement to provide data is regulatory or contractual in nature or whether it is a condition of the conclusion of a contract and whether you are required to provide such data as well as the possible consequences of not providing of this data;
• If applicable, the existence of automated decision-making, the reason for using it, its importance and the expected consequences;
• When Stago intends to carry out further processing for a different purpose, information about the other purpose.

This information will be made available to you as soon as possible and, in the case of collection of your data from you, at the time of collection.

Stago attaches great importance to the protection of your personal data and takes all reasonable precautions to this end. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We ask our trusted providers who process your data on our behalf to do the same.

We are constantly doing our best to protect your personal data. Upon receipt of your data, we apply strict procedures and security measures (technical and organisational) to prevent unauthorised access.

This policy does not form a part of any contract or agreement that we have with you and we amend, update or supplement it from time to time.

This policy was last updated on December 04, 2020.