Data Policy

Diagnostica Stago, hereinafter “Stago” may, during its activities, process your personal data, in accordance with applicable legislation.
This policy provides you with information on how your personal data is processed by Stago.
This policy, accessible in particular on our website, is updated regularly in order to take into account legislative and regulatory developments, and any change in the Stago organization or in the processing it performs.
This policy is accompanied by a specific information statement for each processing operation carried out on your personal data, which will be made available to you as soon as possible and, in the event that we collect your data directly from you, at the time of this collection.

I - Stago Data Controler

Stago, when acting as a controller, is responsible for the personal data that you provide to us or that we collect.
In order to protect your privacy and your personal data as effectively as possible, we have appointed a data protection officer. This person, who is the privileged point of contact for the supervisory authority, is responsible for ensuring that we process your data in accordance with applicable law.
Click here to contact our data protection officer

II – What are our committements ?

We are committed to ensuring the highest possible level of protection for the persons whose personal data we process ("data subjects"). The protection of personal data, in particular those of our own employees, those of our suppliers, our customers, our potential customers, and any other third party.
We undertake to comply with the applicable regulations for all the processing of personal data that we carry out. We are therefore committed to respecting the following principles:

•  We process your personal data in a lawful, fair and transparent manner;
• We collect your personal data for specific, explicit and legitimate purposes and will not process it in a way incompatible with these purposes (Limitation of purposes);
• We ensure that the personal data processed are adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimisation);
• We do our best to ensure that personal data is accurate and, if necessary, kept up to date. We will take all reasonable measures to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are deleted or rectified without delay (Accuracy);
• We keep your personal data in a form allowing your identification only for the time necessary for the purposes of the processing (Storage limitation)
• We process your personal data in such a way as to guarantee an appropriate level of security against illegitimate access, unauthorized alteration, or destruction) for said data using technical and organizational measures (integrity and confidentiality).
• We make sure to be able to demonstrate our compliance (accountability)
These commitments are manifested as follows:
• We respect your privacy and your rights;
•  We ensure that the protection and security of your personal data are at the center of our concerns;
• We consider each processing operation taking into account the principles of data protection, in order to satisfy the principle of data protection by design;
• We will not use your personal data for purposes that have not been brought to your attention;
• We do not consider that your personal data should be stored for an unlimited period;
• We only share your data within Stago, our affiliate companies and with our processors. We do not sell your personal data to third parties;
• We are committed to securing and protecting your personal data. To this end, we only work with trusted partners (our processors ) who provide appropriate levels of guarantees for the protection of personal data;
• We respect your rights and will do our best to satisfy your requests, if they are justified.

III – Which personal data are we processing ?

We remind you that personal data is information relating to an identified or identifiable natural person, such as an email address, your first and last name, your IP address, etc.
We collect your personal data as part of our design, production, sales, after-sales service, distribution, promotion, clinical studies ... In some cases, we collect your personal data directly from you. In other cases, your personal data is communicated to us by a third party (our customers, our suppliers, etc.).

The personal data that we are likely to process are, for example:
• Identification data, such as your first and last name, your address, your telephone number, your e-mail address, your profession;
• Application data, such as your CV, diplomas, professional experience, if you wish to apply to Stago;
• Data relating to an order or a service provided to us, if you are a supplier or service provider to Stago.
• Pseudonymized health data such as your age, sex, weight, height, test results, therapies taken, history, associated illnesses, if the laboratory performing your laboratory tests has conducted a clinical study on behalf of Stago.
Note: directly identifying data related to patients are only known and processed by our processors authorized to process them as part of their own activity (Clinical medical laboratory).

IV – For what purposes are your personal data processed?

The processing of personal data carried out by Stago has an explicit, legitimate and determined purpose.
Your personal data may for example be processed for the following purposes:
- If you are a customer or a prospect, we may process your personal data for the following purposes:
• managing our relationship with you;
• organization, registration and invitation to events, trainings and webinars;
• management and follow-up of customer, supplier and third party files;
• prevention of money laundering and terrorist financing and the fight against corruption;
• invoicing;
• accountability.
- If you submit an application for a position within Stago, we may process your data in order to manage your application.
- If you have subscribed to our newsletter, we may also process your personal data in order to send you said letter by e-mail.
- If you are one of our supplier or service provider or distributor, we can finally process your data for the management of our relationship with you.
The purpose of the processing will be communicated to you on a case-by-case basis, for each processing that we carry out on your personal data.

V – How do we ensure the lawfulness of our processing operations?

We always ensure, when we process your personal data, that the processing is based on a "legal basis".
We always process your personal data on one of the following :
- When you have personally entered into a contract with Stago, and the performance of this contract requires us to process your personal data, the legal basis for the processing is the performance of the contract. For example, this could be the case if you are a Stago employee.
- When processing is necessary for the execution of pre-contractual measures taken at your request, our legal basis is based on these pre-contractual measures. For example, this is the case when you submit an application for a position to us, which requires us to review your CV in order to make a decision on your application.
- When the processing is necessary for the purposes of the legitimate interests which we pursue, our legal basis is constituted by these legitimate interests. For example, the processing of your personal data for prospecting purposes as part of the management of the contract of the company for which you work, as part of our clinical studies which are of a public interest nature and are necessary for the development of our medical devices.
- We may also process your personal data by relying on another of the legal bases listed in local and / or European legislation or regulations that are applicable to Stago as an employer or private company based in the European Union. For example: compliance with a legal obligation to which Stago is subject, your consent to processing.

VI – How long do we keep your personal data?

Stago will keep your personal data only for the time necessary for the purposes for which they are processed, and in accordance with applicable legislation. Thus, the retention period of your personal data depends on the purpose of the processing to which they are subject, according to the correspondences below:
• Management of the relationship with our clients: 5 years from the end of the relationship with the client;
• Organization, registration and invitation to Stago events: 3 years from the end of the relationship with the person concerned if they are a client and 3 years from the last contact if the person concerned is a prospect;
• Prevention of money laundering and terrorist financing and fight against corruption: until the legal or regulatory obligation incumbent on us is satisfied;
• Invoicing: 10 years from the end of the financial year concerned;
• Accounting: 10 years from the end of the financial year concerned;
• Management of candidates for a position: 2 years from the last contact with the candidate;
• Sending our newsletter: the duration of the newsletter subscription;
• Management of relationships with service providers and suppliers: 5 years from the end of the relationship;
• Response to requests sent to us through the contact form on our websites: the time required to respond to the request concerned.
• Clinical study for the CE marking file for our medical devices: until the study report is signed and then transferred to an intermediate archive database for a period of at least ten years from the placing of the last device on the market. covered by the EU declaration of conformity.

VII – Who can access your personal data?

Authorized persons within Stago and its affiliate companies  and, in some cases, processors (our “trusted providers”), may access your personal data. We do our best to ensure that the number of such persons is kept as small as possible and to maintain the confidentiality and security of your personal data.
We only provide our trusted processors with the information they need in order to provide the service and ask them not to use your personal data for other purposes. We always do our best to ensure that all of our trusted processors with whom we work maintain the integrity, availability, confidentiality and security of your data. We also ensure that when our relationship with a trusted processor comes to an end, that processor deletes your personal data without delay.

We select our trusted processor with great care, ensuring that they provide sufficient guarantees, particularly in terms of expertise, reliability and resources, to implement the technical and organizational measures to meet the requirements of the applicable legislation, in particular the security of the processing. In this regard, we ensure that our trusted processors process personal data only on our documented instructions. We also ensure that their staff are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality.

We may ask our trusted processors to provide a service that requires the processing of your personal data, for example in the following cases:
• hosting our website;
• the storage of your personal data;
• maintenance of our hardware / software.
• Carrying out a clinical study.
• Where applicable, we ensure that the use of these trusted providers does not infringe our obligation of confidentiality.

VIII – Where do we store your personal data?

Your data is stored in the European Union (EU) and the European Economic Area (EEA) by Stago and processors.
When transferring data outside of the EU and EEA, we ensure that the data is transferred securely and in accordance with applicable law. When the country where the data is transferred does not have an adequacy decision from the European Commission, we use "appropriate safeguards".
These appropriate safeguards are a way to ensure that the protection of your personal data is ensured even when they leave European territory. These appropriate safeguards may, for example, consist of using standard contractual clauses adopted by the European Commission.
On a case-by-case basis, we will inform you of our intention to transfer personal data to a third country, of the existence or not of an adequate decision of the Commission and, where appropriate, of the reference to the appropriate safeguards and the means of obtaining a copy or the place where they have been made available.

IX – What are your rights as a data subject and how to exercise them?

Depending on the processing operations to which your data is subject, you may have the following rights:

  • The right to obtain confirmation from us whether or not personal data concerning you is being processed (right of access). If this is the case, you can access your personal data and obtain information such as the purpose of the processing, the categories of personal data concerned, etc. ;
  • The right to obtain from us the rectification of inaccurate personal data concerning you (right of rectification);
  • The right to obtain the erasure of your personal data, provided that one of the reasons justifying this right applies (right of erasure);
  • The right to obtain restriction of processing, when one of the reasons justifying the exercise of this right applies (right to restriction of processing);
  • The right to data portability when the processing is based on consent or a contract and the processing carried out using automated processes;
  • The right to object, for reasons relating to your particular situation, to certain processing of personal data (right of objection);
  • The right not to be the subject of a decision based exclusively on automated processing including profiling except in cases which allow it.

To exercise these rights, you can contact our data protection officer.

In order for us to process your request satisfactorily, you will need to prove your identity, by whatever means. If in doubt on our part, we may ask you for additional information, including the secure transmission of a copy of an identity document, signed by you.

We will do our best to meet your demands satisfactorily. Whatever our response, we will get it to you within one month, but our response time may be extended by an additional two months depending on the complexity and number of requests.
Under no circumstances can the response to the exercise of a legitimate and non-excessive right be charged. However, if the requests are unfounded or repetitive, we may require the payment of reasonable fees which take into account the administrative costs incurred in providing the information, making communications or implementing the measures requested by the data subject.

If, for any reason whatsoever, you consider that our response is not satisfactory, we inform you that you can lodge a complaint with the CNIL.

X – What information do we need to provide to you?

Whenever Stago carries out processing operations on your personal data, it brings to your attention:
• The identity of the controller and the contact details of the data protection officer;
• The source from which the data comes when the data has not been collected from you;
• The purpose of the processing as well as the legal basis for the processing;
• When the processing is based on legitimate interests, the justification of these interests
• The recipients or categories of recipients of the data
• If applicable, the intention to make a transfer outside the EU and the terms and conditions authorizing this transfer
• The retention period of the data or the criteria used to determine this period
• The rights you have regarding this processing;
• Information on whether the requirement to provide data is regulatory or contractual in nature or whether it conditions the conclusion of a contract and whether you are required to provide such data as well as the possible consequences of not providing of this data;
• If applicable, the existence of automated decision-making, the underlying logic, importance and expected consequences;
• When Stago intends to carry out further processing for a different purpose, information about the other purpose.

This information will be made available to you as soon as possible and, in the case of direct collection of your data, at the time of collection.

Some of our obligations may limit your right to information: if the personal data concerning you is covered by confidentiality with regards to an obligation of professional secrecy incumbent on us, and if we have obtained it by means of an indirect collection, it is possible that we do not process your information.

XI – How do we take care of the security of your personal data?

Stago attaches great importance to the protection of your personal data and takes all reasonable precautions to this end. We ask our partners who process your data on our behalf to do the same.

We are constantly doing our best to protect your personal data. Upon receipt of your data, we apply strict procedures and security measures (technical and organizational) to prevent unauthorized access.

This policy was last updated on September 10, 2020.