INFORMATION ON PERSONAL DATA PROCESSING
(PURSUANT TO THE COMMUNITY REGULATION (EU) 679/2016 AND THE FEDERAL ACT ON DATA PROTECTION OF 19.06.92)
GenomSys SA (hereinafter “GenomSys”) hereby provides information on the processing of personal data of Customers of “GenomSys” services: (i) data that are provided directly by Customer to GenomSys or its representatives when subscribing to the contract(s) to activate “GenomSys” service(s) or later during use of said service(s); (ii) data that are acquired by GenomSys while providing the service(s) requested by Customer and that are needed to provide such service(s). GenomSys processes personal data with the appropriate measures to protect Customer privacy, in full compliance with applicable norms on personal data processing in Switzerland and Europe.
Data controller
Data controller is GenomSys SA, Fondation EPFL, Bâtiment C, 1015 Lausanne, Switzerland, acting through its respective pro tempore legal representative.
Processing purposes and approach
Personal data will be processed by the holder, located in Switzerland, subject to this consent, for the underlying purpose, and will be processed in paper form or via electronic or automated means for the time strictly required to achieve the purposes for which said data has been collected.
Personal data processed by data controller are (i) personal data and other customer-specific data (such as name, surname, email address, postal address, fixed or mobile telephone number), (ii) potentially data related to payment method used to purchase service and also (iii) sensitive data, concerning Customer’s health, (such as: digital sequenced DNA, information on requested genetic tests, health reports provided to Customer by third-party physicians, geneticists and other entities) and wellness and lifestyle data needed by GenomSys to provide the service. There are also other sensitive data that GenomSys could get to know, only by chance and by involuntary association with others; by sensitive data we mean, in addition to data pertaining to health status, also data apt to reveal racial or ethnic origin, religious, philosophical or other convictions, political opinions, association to political parties, trade unions, associations or organizations with religious, philosophical, political or union purposes, and data apt to reveal sexual propensity and activity. GenomSys applies additional cautionary provisions as foreseen by applicable norms and requests specific consent from Customer to process sensitive data.
Customer personal data as of items (i), (ii), and (iii) are processed for the following purposes:
a) completion, execution, and management of the contract completed with the Customer, and Service provision, including potentially billing and compliance with accounting and tax obligations, sending technical service communications, managing complaints or disputes if any. The legal basis of this processing is the execution of the contract to which the interested party is a party and the consent.
b) compliance with legal and regulatory obligations in all countries involved. The legal basis of this processing is the fulfillment of legal obligations.
c) for statistical purposes, clinical epidemiological analyses (it’s stipulated that said data will be anonymized and processed in anonymous forms in all cases required by applicable laws and norms), for scientific research on DNA variants and their association to clinical traits and inherited disease, provided Customer consent. The legal basis of this processing is the consent and safeguard of vital interests of other people.
d) name, surname, and email may be processed, via email, for marketing purposes or to allow GenomSys to carry out market analysis and research aimed to optimize the services, sending information and advertising materials for GenomSys services or products and services of partner companies or third party entities related to GenomSys, which may occur following the transfer of data. The legal basis for this treatment is user consent.
Provision of data referred to at items (i) and (ii) for the purposes at letters a) and b) is required for the purposes listed there: Customer consent is required to process data for these purposes. Refusing data provision will prevent GenomSys from executing the active contracts as well as the provision of services requested.
Provision of data referred to items (i) and (ii) is optional for the purpose listed under the letter c) and Customer is free to give or refuse his or her consent. Refusing to provide the consent (that is fully under Customer’s discretion) will prevent GenomSys from using such data for the purpose listed under the letter c). In such case, contract execution and service provision will not be affected.
Provision of data listed in items (i) and (ii) is optional for the purpose indicated under the letter d) and the Customer is free to give or deny his or her consent: refusing to provide data or related consent (which is to the entire discretion of the Customer) will make it impossible for GenomSys to use that data for the purposes indicated under letter d), and GenomSys will not contact the Customer for analysis or market research, nor for the provision of informative and advertising material. In this case, the execution of the contract and the provision of the services will not be affected. Personal data may be transferred to the United States for this purpose.
Customer personal data, wellness and lifestyle data, and health-related sensitive data as of item (iii) are processed for the following purposes:
e) completion, execution, and management of the contract completed with the Customer, and Service provision, including potentially billing and compliance with accounting and tax obligations, sending technical service communications, managing complaints or disputes if any. The legal basis of this processing is the execution of the contract to which the interested party is a party and the consent.
f) compliance with legal and regulatory obligations in all countries involved. The legal basis of this processing is the fulfillment of legal obligations.
g) for statistical purposes, clinical epidemiological analyses (it’s stipulated that said data will be anonymized and processed in anonymous forms in all cases required by applicable laws and norms), for scientific research on DNA variants and their association to clinical traits and inherited disease, provided Customer consent. The legal basis of this processing is the consent and safeguard of vital interests of other people.
Provision of data referred to at item (iii), i.e., sensitive health-related data, is required for the purposes of letters e) and f). In any event, consent to process such data is requested. Refusing to provide data or related consent for such purposes will prevent GenomSys from executing the active contracts as well as the provision of services requested.
Provision of data referred to at item (iii) is optional for the purposes listed under letter g) and Customer is free to give or refuse his or her consent. Refusing to provide data or related consent (that is fully under Customer’s discretion) will prevent GenomSys from using such data for the purposes listed under letter g). In such case, contract execution and service provision will not be affected.
Sharing of personal data and subjects entitled to processing
For contractual purposes and to manage services provided to Customer, as well as to abide by applicable laws and norms (purposes listed at letters a) and b)), GenomSys could share personal data listed under points (i) and (ii) in the previous section (titled “Processing purposes and approach”) with its own advisors on legal, accounting or other matters, with its bank or payment service processor, or with companies or other third parties which would have a contractual relationship with GenomSys to manage services provided to Customer (call center that collects service activations or otherwise handles customer calls, physicians within or supporting the Medical Center to provide the Service, telecom or cloud service companies that enable service management or provision even electronically, its subsidiaries potentially charged with the management of the technological platforms and provision of some service component). Those subjects will act as personal data autonomous controllers or data processors and will have access solely to the data required to satisfy their own obligations towards GenomSys. GenomSys employees and consultants as data processors could also process those data.
For the purpose listed under letter g) in the previous section (titled “Processing purposes and approach”), GenomSys could share personal data listed under point (i) with companies focused on statistical or epidemiological analyses which will act as personal data autonomous controllers or data processors and will have access solely to the data required to satisfy their own obligations towards GenomSys. GenomSys employees and consultants as data processors could also process those data.
For contractual purposes and to manage services provided to Customer, as well as to abide by laws and domestic and EU norms, GenomSys could share personal and health-related sensitive data listed under point (iii) in the previous section (titled “Processing purposes and approach”) with physicians that will act as data processors. The activation of GenomSys Service requires the review of the DNA variation by a physician or a geneticist if the analysis is aimed to support a diagnosis; data related to DNA sequencing and variation analysis will be shown to the indicated physician or geneticist, who will have a contractual relationship with GenomSys to allow service provision. Data under point (iii) could also be potentially treated in case of dispute or complaint by legal or medical advisors. All so-listed subjects will act as data processors and will have access solely to the data required to satisfy their own obligations towards GenomSys. GenomSys employees and consultants as data processors could also process those data. A full list of data processors is available at GenomSys’s legal headquarters and can be requested by email at info@genomsys.com.
For the purpose listed under letters c) and g) in the previous section (titled “Processing purposes and approach”), GenomSys could share personal and health-related data listed under point (iii) with companies focused on statistical or epidemiological analyses, which will act as personal data autonomous controllers or data processors and will have access solely to the data required to satisfy their own obligations towards GenomSys, after anonymization of the data. GenomSys employees and consultants as data processors could also process those data.
Location of processing and data storage
Personal and health-related sensitive data will be processed and stored pursuant to applicable laws and norms and on cloud servers located inside the EU (or Switzerland, whose legal framework has been deemed suitable by the European Commission).
The retention of data for the purposes referred to in letters a), b), e) and f) will take place for the time strictly necessary and established to comply with contractual and fiscal obligations established by law, not longer than 10 years after the termination of the contract, except where judicial and non-judicial defense requirements may require longer retention periods. Data retention for the purposes referred to in subparagraphs c) and g) will take place for the time strictly necessary to perform the statistical and epidemiological research and, in any case, strictly in anonymous form. The data will be stored for the purposes listed in letter d) for a continuous period of two years from receipt of consent by GenomSys, except for the possibility for the Customer to revoke this consent even before the expiry of such period and at any time by emailing info@genomsys.com.
Right of Access to personal data and other rights
In relation to the processing of the mentioned data, you may exercise the rights referred to in art. 13 GDPR 679/16 as better expressed in articles 15-16-17-18-20-21 and 22 GDPR 679/16 and specifically, you will be entitled to:
1) obtain confirmation of the existence or not of personal data concerning you, even if not yet registered, and their communication in an intelligible form;
2) ask the Data Controller for access to personal data, in addition to the right to data portability;
3) obtain updating and rectification or, when interested, integration of data;
4) to object, in whole or in part: a) for legitimate reasons, to the processing of personal data concerning yourself, even though they are relevant to the purpose of the collection; b) to the processing of personal data concerning yourself for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication.
5) obtain the cancellation and transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
6) revoke the consent at any time without prejudice to the lawfulness of the treatment based on the consent given prior to the revocation, in the cases provided for by law;
7) propose a complaint to a supervisory authority;
8) obtain the attestation that the operations referred to in numbers 4 and 6 above have been brought to the attention, also with regard to their content, of those to whom the data have been communicated or disseminated, except in the case where such fulfillment proves impossible or involves a use of means manifestly disproportionate to the protected right.
The Privacy Officer of GenomSys is the Lawyer Michela Maggi, located in Piazza del Liberty n. 8, Milano, fax 02.47977003.
Any such requests could be sent to the data controller address, or, by email, to the following email address: info@genomsys.com.
Changes
Given the continuous evolution of technology and legal frameworks, we may revise this information from time to time – the most current version will always be available on our website. If a revision meaningfully changes your rights, we will visibly notify you and/or send an email notifying you with the changes to the email address on record for the Customer. We commit not to reduce the protections and rights of Customers listed in the present document without their consent.