Confidentiality – Personal Data protection
The Company is a Tissue Bank authorised by the Health Authorities, specialised in the production of virus-inactivated allografts and more generally in bone regeneration products. It places a high value on honesty and is committed to building a strong relationship with its Customers based on trust and mutual interest.
OST DEVELOPPEMENT, a simplified joint stock company with a share capital of €457,200, registered in the Trade and Companies Register under SIREN number 389 472 465, with its registered office at Biopôle Clermont-Limagne 13 Rue Henri Mondor CS 30030 63360 Saint-Beauzire, France, acts as Data Controller.
GENERAL PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
The Company undertakes to comply with the requirements set out in European Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR), while respecting the following fundamental principles (Article 5 of the GDPR):
- The principle of lawfulness, fairness, transparency: the personal data are collected in a lawful, fair and transparent manner.
- The principle of purpose limitation: personal data are collected for specified, explicit and legitimate purposes.
- The principle of data minimisation: data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- The principle of accuracy: data processed must be accurate and up to date.
- Principle of storage limitation: personal data must be kept for a time not exceeding that necessary to achieve the purposes for which the personal data were processed.
- The principle of integrity and confidentiality: appropriate technical or organisational measures must be implemented to ensure the security of the personal data processed.
In addition, as Data Controller, the Company is committed to protecting personal data by informing the Customer of any rectification or deletion of its data or if their integrity or confidentiality is compromised.
PERSONAL DATA COLLECTION
Personal Data refers to “any information relating to an identified or identifiable natural person (“data subject”) under article 4, 1) of GDPR.
As part of the Site, the persons concerned are the Customers, the users of the Site.
As a result of the use of the website, the collection and processing of his/her personal data are agreed by any data subject.
Any Customer is required to provide the Company with personal data, as part of the following steps:
- Creation of a customer’s account online (using the Site)
- Online purchasing, order confirmation (order forms);
- Return of a product
- Filling in an information entry form;
- Contact with Customer Service by any means of communication made available
Personal data that may be collected by the Company are as follows:
- The Customer’s identification data: surname, first name, RPPS (Shared Directory of Health Professionals) number, company name, SIREN number, intra-community VAT number, language, country, email address, postal address, etc.
- The identification data of the recipient patient: surname, first name, date of birth…
- Connection, geolocation and navigation data: IP address, connection identifiers (username and password), browser type, server and time requests, referrer URL, cookies, tracers, navigation data, Internet audience measurements, connection terminals, browser software version, pages visited, content viewed…
- Economic and payment data: payment or payment card data, payment method used….;
- Data relating to online purchasing: information on purchases, orders and returns, order amount, invoices, customer journey, commercial information, date of purchase…
Telephone conversations between a Customer and a Company’s Customer Service Advisor may be recorded, of which the Customer will be informed in advance.
The Company may have to collect and process so-called “sensitive” data (special categories of data), such as those concerning the health of individuals, on the basis of the explicit consent of the data subjects to the processing of such personal data for one or more specified purposes, as authorised by Article 9, 2. a) of the GDPR.
PURPOSES OF THE PROCESSING OF PERSONAL DATA
The Company shall process the data collected in a transparent and secure manner for the purposes detailed below. These processing operations are based on one of the legal bases provided for by Article 6 of the GDPR.
Site visit management
The data collected allow the Site to be displayed correctly on the Customer’s terminal. This collection is based on the performance of the agreement between the Customer and the Company, formalised by the general terms and conditions of use of this Site.
If the Customer has expressly consented to the use of the corresponding cookies, as described below and in the “COOKIES MANAGEMENT” tab on the Site, the Company may also collect personal data relating to the User’s navigation on the Site, in accordance with the Company’s legitimate interest in better understanding the use and audience of the Site.
Customer account management
Due to the performance of the agreement signed between the Company and the Customer at the time of registration on the Site, through the acceptance of the General Terms and Conditions of Use, the Company shall collect and use the Customer’s personal data, thus allowing the management of its Customer account on this Site.
Order, delivery and return management
Due to the performance of the agreement signed between the Company and the Customer, through the General Terms and Conditions of Sale, the Company shall collect and use the Customer’s personal data, thus making it possible to manage his/her registration, purchases and orders, delivery and possible returns of the Products.
Data relating to payment transactions are also collected.
Administrative management of the traceability of bone graft materials.
After the patient’s explicit prior consent has been obtained, the Company may collect and process personal data as part of the traceability of bone graft material (graft).
Customer Service Management
In order to improve the quality of service, the Company may legitimately collect and retain personal data to communicate with the Customer on his/her complaints, requests. The Customer shall agree that the Company may collect these data so that it can provide a response if necessary.
Administrative and financial management
Due to a legitimate interest of the Company, the latter may be required to disclose certain personal data of the Customer in the event of legitimate requests from Public Authorities, in order to meet national security, fight against and prevention of fraud or law enforcement requirements.
As part of the fight against fraud, the Company shall reserve the right to verify the personal data provided by the Customer when placing the order, so as to avoid any fraudulent payment.
The Customer’s personal data may also be sent to the Company’s debt collection service provider in the event of non-payment.
The Company shall be required to process and retain certain of the Customers’ personal data in order to comply with tax and accounting obligations, pursuant to its legal obligation.
In the event of a type of processing other than those previously described in details, the Customer will be notified in advance by the Company.
DATA RETENTION PERIOD
The processed data shall be kept by the Company, only for the period necessary for the fulfilment of the purposes previously described, and necessary for the proper management of the relationship with the Customer.
|Categories of personal data||Retention period|
|Customer account data||5 years from the end of the commercial relationship with the Customer (from the last order, the last internet account connection, the last call to customer service, the date when an email was sent to the customer service, date when the Products were placed in the shopping cart without a purchase or a positive response to an email asking if the Customer wishes to continue receiving commercial prospecting|
|Customer / Prospect data||5 years from the end of the commercial relationship with the Customer / Prospect|
|Credit card data||1 year|
|Cheque data||1 week|
| Banking information
(RIB / IBAN), invoices
|10 years from the end of the commercial relationship with the Customer|
|Purchase data||5 years from the end of the commercial relationship with the Customer|
|Data relating to commercial actions||3 years from the last contact or termination of the business relationship with the Customer|
|Patient health data||30 years after clinical use|
|After-sales service for Products||5 years from the closing date of the Customer’s request for assistance|
|Data sent to the delivery service provider||1 year after delivery of the order|
|Identity document in connection with the exercise of the rights of query, access, rectification and opposition||1 year from the date of receipt by the Company|
|Cookies||13 months from their deposit on the user’s terminal|
At the end of these legal periods, personal data must in principle, be deleted. However, they may also be archived or subject to an anonymisation process, in order to make it impossible to identify individuals.
Consequently, they will no longer be considered as personal data and may be stored freely.
The Company shall ensure that only persons who need to process the data in order to fulfil their legal and contractual obligations, have access to it.
The personal data thus collected shall be sent to Users, i.e., surgeons, medical office assistants or other medical personnel, as well as to the IT department, Customer Service, Internal Logistics service or the Company’s administrative and financial management.
However, some of the Company’s service providers and subcontractors may receive personal data if they are strictly necessary for the performance of their services, which is particularly the case for Site hosting, order fulfilment, deliveries and returns, and secure online payment.
In this respect, the Company shall undertake to use only subcontractors who provide sufficient guarantees and comply with personal data protection commitments.
In addition, operations with a service provider receiving personal data shall be subject to an agreement in order to ensure data protection and compliance with the rights of Customers.
The Company may also provide personal data to supervisory authorities such as tax and customs authorities, the police and other statutory bodies.
Finally, these data shall not be sent outside the European Union.
DATA SECURITY AND CONFIDENTIALITY MEASURES
The Company shall undertake not to sell, rent or share the personally identifiable information of Customers of this Site with third parties, except for binding legal reasons (transmission to external services such as supervisory or criminal prosecution authorities).
The Company has also made efforts to take all reasonable and necessary precautions to preserve the confidentiality and security of the personal data processed, in order to prevent any damage, distortion or destruction of these data.
In accordance with Article 32 of the GDPR, technical and organisational security measures have been put in place to protect the data against any malicious intrusion, loss, destruction, alteration or access by unauthorised persons, such as:
- Encryption of personal data: in particular by systematic encryption during the exchange of data between the Customer and the Site, via the use of the HTTPS transmission protocol;
- Ensuring the confidentiality, integrity, availability and resilience of treatment services;
- Availability and access of personal data within appropriate time limits;
- Procedure to analyse and assess the effectiveness of such measures taken to ensure the security of the processing.
- Storage of all data in a HADS-certified digital safe (certified health data host)
The Company also urges Customers to exercise caution to prevent unauthorized access to their personal data by protecting their terminals with a strong password and changing it on a regular basis.
In compliance with the Laws in force, any person whose personal data are collected and processed by the Company enjoys several rights:
- The right of access: this right allows any user to obtain confirmation that personal data concerning him/her are in the Company’s possession and to know which ones. The nature of the processing can also be explained. A copy of all the information concerning him/her may be issued upon his/her request.
- The right to data portability: any user may obtain that his/her personal data transferred to the Company is provided in a readable and structured format that is technically usable. He/she may also request that they be transferred to another personal data controller of his/her choice, provided that this is technically feasible.
- The right of rectification: any user may request and obtain the rectification, correction of any error contained in his/her personal data that would be inaccurate, incomplete or outdated. This update shall apply regardless of the basis of the processing operation concerned.
- The right to erasure (‘right to be forgotten’): any user has the right to request and obtain the erasure of some of personal data concerning him or her, before their deletion at the end of the storage period initially provided for, when such data are processed, based on the Customer’s consent or on the legitimate interest of the Company, provided that a minimum period of 30 years is observed by the Customer after clinical use of the product.
- The right to restrict processing: any user may request the Company to restrict or interrupt the processing of his or her personal data, in certain circumstances.
- The right to object: any user concerned by the collection of his/her data has the right to object at any time to their processing, on grounds relating to his or her particular situation and if such processing is no longer necessary to the legitimate interest of the Company or its public interest mission.
- The right to determine the fate of data after death: under Article 40-1 of the Data Protection Act, any data subject may give instructions relating to the storage, erasure and communication of personal data concerning him or her after death, provided that a minimum period of 30 years is observed after clinical use of the product by the User.
In addition, the Company shall not use any decision-making process that is totally automated to make a decision and no profiling shall be performed based on the data collected.
Finally, the consent given by a Customer to the processing of personal data concerning him or her is not definitive. He/she can withdraw it at any time.
As these rights are purely personal, and can therefore only be exercised by the person concerned, the Customer must attach to his/her request, in addition to legitimate reasons, a copy of his/her identity document. The latter will only be kept for the time necessary to verify the Customer’s identity.
EXERCISE OF RIGHTS – CONTACT PERSON
Any Customer may obtain information from or exercise these rights with the Company’s Personal Data Processing Manager:
- By electronic mail: firstname.lastname@example.org
- By postal mail: OST Développement, Biopôle Clermont-Limagne 13 Rue Henri Mondor CS 30030 63360 Saint-Beauzire
The Company shall undertake to answer to any request from a Customer within a reasonable period of time, no exceeding one (1) month from the receipt of such request.
If the Customer considers that the Company is not complying with its obligations with regard to personal data concerning his/her, the Customer may address a complaint or make a claim with the competent authority:
- By postal mail: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS Cedex 07
- Via the website: (see details at https://www.cnil.fr/fr/agir)
When visiting this Site, the Customer shall be informed of the possible automatic installation of cookies on his/her browser software, whether on a computer, tablet or mobile.
Cookies are files containing information about the browsing and viewing habits of any user. They do not make it possible to identify users as individuals but only the terminal used.
Cookies strictly necessary for providing a service expressly requested by the Customer shall be exempt from his/her consent. This is the case for operating cookies, which allow the use of the main functions of the Site such as managing the shopping cart and maintaining identification.
However, the prior consent of the Customer shall be required in the event of the installation of cookies which are not strictly necessary, such as those related to advertising operations, those making it possible to receive offers from the Company, or those of customisation, making it possible to find offers, previous purchases (for example) more quickly.
The consent thus obtained shall be valid for no more than thirteen (13) months from the day of deposit on the user’s terminal.
Any Customer can decline to accept the storage of cookies, which he/she may disable by configuring the settings of his/her computer for this purpose.
The Customer can therefore configure his/her browser software so that he/she may choose to accept or reject, on an ad hoc basis, before a cookie may be stored or to systematically oppose this storage of cookies on his/her computer.
In the latter instance, the Company shall not assume any liability in the event of negative consequences on downturn in its services.