Diagnostica Stago UK Ltd, hereinafter “Stago”, may, during its activities, process your personal data, in accordance with applicable data protection legislation. This policy provides you with information on how your personal data may be processed by Stago. This policy, which is accessible in particular on our website, is updated regularly in order to take into account legislative and regulatory developments, and any change in the Stago organisation or in the processing it performs. This policy will, where necessary and if the relevant information is not detailed in this policy, be accompanied by a specific information statement for each processing operation carried out on your personal data, which will be made available to you as soon as possible and, in the event that we collect your data directly from you, at the time of this collection.
I - Stago Data Controller
Stago, when acting as a controller, is responsible for the personal data that you provide to us or that we collect.
In order to protect your privacy and your personal data as effectively as possible, we have appointed a data protection officer. This person, who is the point of contact for the Information Commissioner’s Office (the UK’s data protection supervisory authority), is responsible for ensuring that we process your data in accordance with applicable law.
Click here to contact our data protection officer.
II – What are our commitments?
We are committed to ensuring the highest possible level of protection for the persons whose personal data we process ("data subjects"). The protection of personal data, in particular those of our own employees and staff (current and former), job applicants, those of our suppliers, our customers, our potential customers, and any other third party is important to us.
We will comply with the applicable regulations for all the processing of personal data that we carry out. We are, therefore, committed to respecting the following principles:
- We process your personal data in a lawful, fair and transparent manner;
- We collect your personal data for specific, explicit and legitimate purposes and will not process it in a way incompatible with these purposes (Limitation of purposes);
- We ensure that the personal data processed is adequate, relevant and limited to what is necessary for the purposes for which it is processed (data minimisation);
- We do our best to ensure that personal data is accurate and, if necessary, kept up to date. We will take all reasonable measures to ensure that inaccurate personal data, having regard to the purposes for which it is processed, is deleted or rectified without delay (Accuracy);
- We keep your personal data (where it is in a form that allows your identification) only for the time necessary for the purposes of the processing (Storage limitation)
- We process your personal data in such a way as to ensure an appropriate level of security against illegitimate or unauthorised access, alteration, or destruction for the said data using technical and organisational measures (integrity and confidentiality).
- We are able to demonstrate our compliance (accountability)
These commitments are manifested as follows:
- We respect your privacy and your rights;
- We ensure that the protection and security of your personal data is the focus of our concerns;
- We consider each processing operation taking into account the principles of data protection, in order to satisfy the principle of data protection by design;
- We review the purpose of the processing activity and select the most appropriate lawful basis (or bases) for that processing;
- We satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis (i.e. that there is no other reasonable way to achieve that purpose);
- We will not use your personal data for purposes that have not been brought to your attention;
- We will not store personal data for an unlimited period;
- We only share your data within Stago, and with our processors. We do not sell your personal data to third parties;
- We are committed to securing and protecting your personal data. To this end, we only work with trusted partners (our processors) who provide appropriate levels of guarantees for the protection of personal data;
- Where we process particularly sensitive data, we will provide you with further information about why we are doing it and the special condition that we are relying upon to process that information.
- We respect your rights and will do our best to satisfy your requests, if they are justified.
III – What personal data are we processing?
Personal data is information relating to an identified or identifiable natural person, such as an email address, your first and last name, your IP address, etc.
We collect your personal data as part of our sales, after-sales service, distribution and promotion. We also process personal data when we are proposing to employ or engage a person to work for or with us and then if they do eventually become employed or engaged by us.
In some cases, we collect your personal data directly from you. In other cases, your personal data is communicated to us by a third party (our customers, our suppliers, etc.).
The personal data that we are likely to process are, for example:
- Identification data, such as your first and last name, your address, your telephone number, your e-mail address, your profession;
- Application data, such as your CV, diplomas, professional experience, if you wish to apply to work for or with Stago (either directly or via a third party);
- Data relating to us engaging or employing you to work with or for us e.g. your bank account details, your date of birth, emergency contact details, etc.
- Data relating to an order or a service provided to us, if you are a supplier or service provider to Stago.
Processing has a wide meaning and includes obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it. Processing information also includes transmitting or transferring personal information to third parties.
IV – For what purpose is your personal data processed?
The processing of personal data carried out by Stago has an explicit, legitimate and determined purpose.
Your personal data may for example be processed for the following purposes:
- If you are a customer or a prospect, we may process your personal data for the following purposes:
  - managing our relationship with you;
  - organisation, registration and invitation to events, trainings and webinars;
  - management and follow-up of customer, supplier and third-party files;
  - prevention of money laundering and terrorist financing and the fight against corruption;
  - invoicing;
  - accountability.
- If you apply to work with or for Stago, whether directly or indirectly e.g. via a recruitment agency, we may process your data in order to manage your application and also to demonstrate, if required, that we have carried out any recruitment exercise in a fair, transparent and legally compliant way.
- If you have subscribed to our newsletter, we may also process your personal data in order to send you the said letter by e-mail. You can opt out of our newsletter any time by contacting our data protection officer.
- If you are one of our suppliers or service providers, we may process your data for the management of our relationship with you.
- If you are our employee, or other person who provides personal services to us e.g. a consultant, then we process your data to perform the contract we have with you and it may be necessary for us to process your data in order to comply with a legal obligation which we are subject to. There may also be other purposes for our processing and we will inform you of what this is before we process your data. We may also process more sensitive categories of data e.g. details about your health (called ‘special category data’) but, again, we will inform you of what data we process and why before we process it.
The purpose of the processing will be communicated to you on a case-by-case basis, for each type of processing that we carry out on your personal data.
V – How do we ensure the lawfulness of our processing operations?
We always ensure, when we process your personal data, that the processing is based on a "legal basis".
We always process your personal data on one of the following bases:
- When you have personally entered into a contract with Stago, and the performance of this contract requires us to process your personal data, the legal basis for the processing is the performance of the contract. For example, this could be the case if you are a Stago employee.
- When processing is necessary for the execution of pre-contractual measures taken at your request, our legal basis is based on these pre-contractual measures. For example, this is the case when you submit an application for a position to us, which requires us to review your CV in order to make a decision on your application.
- When the processing is necessary for the purposes of the legitimate interests which we pursue and your interests and fundamental rights do not override those interests, our legal basis for carrying out the processing is these legitimate interests. For example, the processing of your personal data for prospecting purposes as part of the management of the contract of the company for which you work, as part of our clinical studies which are of a public interest nature and are necessary for the development of our medical devices.
- We may also process your personal data by relying on another of the legal bases listed in legislation or regulations that are applicable to Stago as an employer or private company based in the United Kingdom. For example: compliance with a legal obligation to which Stago is subject or your consent to processing.
VI – How long do we keep your personal data?
Stago will keep your personal data only as long as reasonably necessary to fulfil the purposes we collected it for, and in accordance with applicable legislation. Thus, the retention period of your personal data depends on the purpose of the processing to which the personal data is subject, according to the provisions below:
- Management of the relationship with our clients: 5 years from the end of the relationship with the client;
- Organisation, registration and invitation to Stago events: 3 years from the end of the relationship with the person concerned if they are a client and 3 years from the last contact if the person concerned is a prospect;
- Prevention of money laundering and terrorist financing and fight against corruption: until the legal or regulatory obligation to which we are subject is satisfied;
- Invoicing: 6 years from the end of the financial year concerned;
- Accounting: 6 years from the end of the financial year concerned;
- Consideration and management of candidates for a position: 2 years from the last contact with the candidate;
- Sending our newsletter: the duration of the newsletter subscription;
- Management of relationships with service providers and suppliers: 5 years from the end of the relationship;
- Response to requests sent to us through the contact form on our websites: the time required to respond to the request concerned.
Authorised persons within Stago and, in some cases, third parties who process personal data in order to provide us with services (our “trusted providers”, which includes Diagnostica Stago SAS), may access and process your personal data. We do our best to ensure that the number of such persons accessing and processing your data is kept as small as possible and to maintain the confidentiality and security of your personal data.
We only provide our trusted providers with the information they need in order to provide the service we require them to carry out and do not allow them to use your personal data for other purposes. We require all of our trusted providers with whom we work to maintain the integrity, availability, confidentiality and security of your data. We also ensure that when our relationship with a trusted processor comes to an end, that processor deletes your personal data without delay.
We select our trusted providers with great care, ensuring that they provide sufficient guarantees, particularly in terms of expertise, reliability and resources, to implement the technical and organisational measures to meet the requirements of the applicable legislation, in particular the security of the processing. In this regard, we instruct our trusted providers to process personal data only in accordance with our documented instructions. We also require the trusted providers to ensure that their staff are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality.
We may ask our trusted processors to provide a service that requires the processing of your personal data, for example in the following cases:
- hosting our website;
- administering our pension scheme;
- the storage of your personal data;
- maintenance of our hardware/software.
Where applicable, we take appropriate steps to ensure that the use of these trusted providers does not infringe our obligation of confidentiality.
VIII – Where do we store your personal data?
Your data is stored in the UK by Stago and in the EU by our trusted providers.
When transferring data outside of the UK, we ensure that the data is transferred securely and in accordance with applicable law. When the country where the data is transferred does not have an adequacy decision, we use "appropriate safeguards".
These appropriate safeguards are a way to ensure that your personal data remains protected even when it leaves the UK. These appropriate safeguards may, for example, consist of using standard contractual clauses.
IX – What are your rights as a data subject and how to exercise them?
Depending on the processing operations to which your data is subject, you may have the following rights:
- The right to obtain confirmation from us whether or not we process your personal data (right of access). If we process your data then you can access your personal data and obtain information such as how it is processed, the purpose of the processing and the categories of personal data concerned;
- The right to request correction of inaccurate or incomplete personal data concerning you (right of rectification);
- The right to request erasure of your personal data if it is no longer necessary for the purpose for which it was originally collected/processed, (right of erasure). You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- The right to request we suspend processing your personal data (right to restriction of processing) in the following circumstances:
  - If you want us to establish the data's accuracy.
  - Where our use of the data is unlawful but you do not want us to erase it.
  - Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  - If you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- The right to request transfer of your data to you or a third party when the processing is based on consent or a contract and the processing carried out using automated processes;
- The right to object, for reasons relating to your particular situation, to certain processing of personal data (right of objection). This includes where we are relying on a legitimate interest of ours (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms;
- The right not to be the subject of a decision based exclusively on automated processing including profiling except in cases which allow it.
- The right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
To exercise these rights, you can contact our data protection officer.
In order for us to process your request satisfactorily, you will need to prove your identity, by whatever means. If we are not satisfied that what you have provided proves your identity then we may ask you for additional information, including e.g. the secure transmission of a copy of an identity document, signed by you with a specific mention across the copy "for the exclusive purpose of the exercise of rights from Stago", with the date.
We will do our best to meet your demands satisfactorily. Whatever our response, we will get it to you within one month, unless we need to extend the time for our response, in which case we may extend it by up to an additional two months, depending on the complexity and number of requests.
We will not charge you for responding to any right set out above if your request is legitimate and not excessive. However, if any requests are unfounded or repetitive, we may require the payment of reasonable fees for dealing with your request which take into account the administrative costs incurred in providing the information, making communications or implementing the measures requested by you.
If you have any questions about this policy or how we process your data, please contact our data protection officer.
You also have the right at any time to lodge a complaint with the Information Commissioner’s Office (ICO) – see www.ico.gov.uk. We would appreciate the opportunity to resolve any concerns before you contact the ICO, so please get in touch.
X – What information do we need to provide to you?
Whenever Stago processes or proposes to process your personal data, it will inform you of:
- The identity of the controller and the contact details of the data protection officer;
- The source from which the data comes when the data has not been collected from you;
- The purpose of the processing as well as the legal basis for the processing;
- When the processing is based on legitimate interests, the justification of these interests
- The recipients or categories of recipients of the data
- If applicable, the intention to make a transfer outside the UK and the terms and conditions authorising this transfer
- The period that we will retain the data or the criteria used to determine this period
- The rights you have regarding this processing;
- Information on whether the requirement to provide data is regulatory or contractual in nature or whether it is a condition of the conclusion of a contract and whether you are required to provide such data as well as the possible consequences of not providing this data;
- If applicable, the existence of automated decision-making, the reason for using it, its importance and the expected consequences;
- When Stago intends to carry out further processing for a different purpose, information about the other purpose.
This information will be made available to you as soon as possible and, in the case of collection of your data from you, at the time of collection.
XI – How do we take care of the security of your personal data?
Stago attaches great importance to the protection of your personal data and takes all reasonable precautions to this end. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We ask our trusted providers who process your data on our behalf to do the same.
We are constantly doing our best to protect your personal data. Upon receipt of your data, we apply strict procedures and security measures (technical and organisational) to prevent unauthorised access.
This policy does not form a part of any contract or agreement that we have with you and we amend, update or supplement it from time to time.
This policy was last updated on July 11, 2022.