INFORMATION ON PERSONAL DATA PROCESSING for clients
Prepared in conformity to the General Data Protection Regulation (GDPR)
The company provides information on the processing of personal data that have been or will be provided by the Data Subject to the Controller of data as part of conducting activities relating to the performance of a contractual agreement:
(1) Purpose of processing:
The Controller/Processor of personal data will process personal data of Data Subjects for the purposes of performing an agreement pertaining to genetic testing, including related activities.
(2) Legal basis:
- Consent of Data Subject: Consent is granted for the processing of a genetic sample, which constitutes a special category of personal data.
- Performance of or entry into an agreement: Personal data are processed for the purposes of delivering ordered services so as to allow, for example, delivering a set of samples or testing a sample properly.
- Legal duty: (Act No. 89/2012 Coll., Civil Code; Act No. 499/2004 Coll. on Archiving and Records Management; Act No. 455/1991 Coll., Trade Licensing Act; Act No. 563/1991 Coll. on Accounting; Act No. 235/2004 Coll. on Value Added Tax, the Singapore Companies Act (Chapter 50); Singapore Income Tax Act (Chapter 134); Singapore Goods and Services Tax Act (Chapter 117A), and other statutory requirements for information collection and records retention under applicable laws
- Legitimate interest: Personal data maintained in the internal system may be kept for the purposes of record management, traceability, and defense of the Controller's legal claims. For the purposes of providing information and news related to the ordered service, e-mail may be used for the distribution of newsletters.
(3) Processors and other recipients of personal data:
To allow the delivery of the ordered sample taking set to you, we will provide your delivery data to verified contracted logistics partners.
The genetic sample will be tested by an accredited laboratory within the EU, to which we will send the sample in an anonymized form under a unique code. It means that the contracted laboratory will be unable to assign a genetic sample and the outcome of its analysis to any specific person.
As part of performing the agreement, the Controller/Processor of data may provide personal data for further processing to external providers of accounting, audit, or legal services. Information on the specific categories of such providers will be provided to Data Subjects upon request.
In securing technical means for the conduct of the process, the Controller/Processor of data may, based on the existence of legitimate interest or the performance of an agreement, make available provided personal data to contractual partners in such areas as IT services and technologies, marketing services, consulting services, and certification services. Information on the specific categories of such providers will be provided to Data Subjects upon request.
Throughout the process, none of your personal data, whether in electronic or physical form, will leave the European Union. All Processors involved in the process strictly comply with the GDPR.
(4) Other third parties:
The Controller/Processor of data provides personal data to relevant government authorities and other entities authorized to process personal data for reasons including government supervision, prevention, investigation, detection, and prosecution of crime or the administration of sentences, including protection from and prevention of threats to public security.
(5) Other purposes of processing:
The Controller/Processor may use provided personal data for business and marketing purposes if legitimate interest exists or if consent is granted to that effect.
(6) Personal data storage term:
The Controller/Processor of data stores provided personal data during the term of the agreement and thereafter for a term conforming to legal requirements or legitimate interests.
Immediately after being tested, the provided genetic sample will be discarded by the accredited laboratory; it will not be retained by the company.
(7) Automated processing of personal data:
No automated processing of personal data takes place within the company.
(8) Controller of personal data:
The Controllers or Processors of personal data are companies from the CHROMOZOOM Group (CHROMOZOOM PTE. LTD., Chromozoom UK Ltd.).
(9) Data protection officer:
The data protection officer is PRO-CERT LLC, with registered office at Tehovska 1290/64, 100 00 Prague, ID No. 29042798, represented by David Zahradnicky, e-mail: [email protected]
(10) Rights of the Data Subject:
Right to access to personal data – The Data Subject has the right to access his/her personal data. The Controller of data must provide a copy of processed personal data.
Right to rectification and addition to personal data – The Data Subject has the right to request the Controller of data to promptly make corrections or additions to inaccurate personal data that concern the Data Subject.
Right to erasure – The Data Subject has the right to request the Controller of data to promptly erase personal data that concern the Data Subject if:
- personal data are not needed for the purposes for which they were processed,
- the Data Subject withdraws consent to the processing of personal data,
- the Data Subject objects the processing of personal data,
- personal data have been processed unlawfully,
- keeping personal data is not required under other relevant laws or regulations,
- public interest does not exist in relation to public health, archivation, scientific or historic research, or statistics,
- data do not concern the exercise or defense of legal claims.
Right to restrict processing – The Data Subject has the right to request the Controller to restrict the processing of personal data in substantiated cases.
Right to portability of personal data – The Data Subject has the right to obtain his/her personal data in a structured, commonly used, and machine-readable format and the right to provide such data to another Controller, provided that processing is automated and based on the performance of an agreement or on consent.
Automated individual decision making – The Data Subject has the right to be excluded from any decision based solely on automated processing, including profiling, unless necessary for the performance of an agreement.
Right to file complaint with supervisory authority – The Data Subject has the right to file a complaint with the supervisory authority, i.e. the Office for Personal Data Protection.
Right to object – The Data Subject has the right to object the processing of personal data, where the Controller of data must refrain from the further processing of such data unless processing is substantiated. An objection may be raised at any time against processing for direct marketing purposes.
(11) Failure to provide personal data:
The Data Subject must provide personal data due to reasons laid down in the law or reasons stated in the agreement; a failure to do so prevents the performance of the agreement. In addition, consent needs to be granted for the processing of the DNA sample; a failure to do so will prohibit the provision of the ordered genetic testing service.
(12) Other provisions:
If the Data Subject fails to grant the Controller of data consent to disposing of personal data or fails to enter into an agreement with the Controller/Processor and if no other reasons exists for processing, the his/her personal data in paper form will be discarded and his/her personal data in electronic form will be deleted.