AIBILI - Association for Innovation and Biomedical Research on Light and Image (hereinafter "AIBILI") values the relationship it maintains with its Beneficiaries and makes its best efforts to implement technical and organizational measures designed to guarantee data protection, privacy and respect for rights and freedoms in processing personal data.
This Privacy and Data Protection Policy provides information on how AIBILI processes Personal Data and guarantees its privacy, security and integrity in the development and execution of its activities.
1. Responsibility for the processing of Personal Data
AIBILI performs the processing of Personal Data as a Controller. AIBILI provides services and / or supplies products, determining for this purpose, without limitation:
• Personal Data that must be processed in the context of the provision of services and / or product supply;
• The Purposes for which Personal Data is processed; and,
• The means to be applied for the treatment of Personal Data.
2. Principles applicable to the processing of Personal Data
The processing of Personal Data is carried out in accordance with the general principles set forth in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016) and other legislation related to data protection, namely:
• In the context of the relationship with the Data Subject, AIBILI ensures that Personal Data will be processed in a lawful, fair and transparent manner ("Lawfulness, Fairness and Transparency Principle");
• AIBILI collects the Personal Data for specific, explicit and legitimate purposes and does not subsequently treat the same Data in a manner incompatible with those purposes ("Purpose Limitation Principle");
• AIBILI ensures that it only processes Personal Data that are adequate, relevant and limited to what is strictly necessary for the purposes for which they are processed ("Data Minimisation Principle");
• AIBILI adopts the appropriate measures so that Personal Data qualified as inaccurate, taking into account the purposes for which they are processed, are erased or rectified without delay ("Accuracy Principle");
• AIBILI maintains the Personal Data in a way that allows it to be identified for no longer than is necessary for the purposes for which it is processed ("Storage Limitation Principle");
• AIBILI ensures that Personal Data is processed in a way that guarantees its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by adopting appropriate technical or organizational measures ("Integrity and Confidentiality Principle").
3. Personal Data, Treatment of Personal Data and Data Subject
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
In the context of activities developed by AIBILI, "Data Subject" may include, without limitation: current, past and future clients, partners, clinical research volunteers, job applicants, employees and former employees, collaborators of subcontractors, suppliers and service providers and their collaborators, applicants and claimants, visitors and all those individuals who maintain a relationship with AIBILI and to whom the Personal Data relates.
AIBILI may collect personal data concerning persons under 18 years old and incapable persons, when provided by the parents or a legal representative, when they expressly consent to this collection, for the pursuit of one of the purposes identified in the scope of this Policy, or when it arises from legal obligation.
4. Categories of Personal Data processed by AIBILI
In the development of its activities, AIBILI processes Personal Data of a significant set of categories of Data Subjects.
The personal data that AIBILI collects always depends on the nature of the interaction, but may include the following Data Categories:
• Identification data;
• Personal contact details;
• Bank identification data;
• Payment data;
• Access to the Website data;
• Security credentials data;
• Data on preferences;
• Data on the use of information technology;
• Health data;
• Genetic data;
• Biometric Data;
• Commercial data for the provision of services and / or product supply.
5. Lawful Basis
By reference to the "Lawfulness Principle" enshrined in the current data protection laws, in the development and execution of its activities, AIBILI only processes Personal Data when there is a lawful basis that legitimates the treatment.
These are the lawful bases:
• Consent: When the Data Subject has given his / her consent to the processing of personal data, through a free, specific, informed and explicit manifestation of will, by means of a statement (in writing or orally) or an unequivocal positive act (by completing an option).
• Pre-contractual formalities or performance of a contract: When processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
• Compliance with a legal obligation: Where the processing of Personal Data is necessary to ensure and guarantee compliance with legal obligations to which the Controller is subject under the legislation of a Member State and / or the European Union.
• Defence of vital interests of the Data Subject: Where the processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.
• Legitimate Interests: When processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests or rights and fundamental freedoms of the data owner do not prevail over such treatment.
6. Storage of Personal Data
AIBILI stores Personal Data for no longer than is necessary for the purposes for which the personal data are processed. However, AIBILI may be obliged to store some Personal Data for a longer period, taking into account factors such as:
• Legal obligations, under current laws, to keep personal data for a certain period;
• Limitation periods, under the laws in force;
• Judicial and Administrative Proceedings and Procedures; and,
• Guidelines issued by the data protection supervisory authorities.
7. Sharing of Personal Data
• Processors (Subcontractors): Personal Data may be shared with companies that provide services to AIBILI. The service providers are linked to AIBILI by means of a written agreement; they may process the Personal Data only for the specifically established purposes and are not authorised to process the Personal Data, directly or indirectly, for any other purpose, whether for their own benefit or that of a third party.
• Other Responsible and / or Third Parties: Personal Data may be shared internally with other AIBILI member entities that will comply with data protection rules applicable to the processing purposes.
• Upon request and / or with the consent of the Data Subject (Owner), Personal Data may be shared with other entities.
• In compliance with legal and / or contractual obligations, Personal Data may also be shared with judicial, administrative, supervisory or regulatory authorities, as well as entities that lawfully perform data collection actions, fraud prevention and anti-fraud actions, market or statistical studies.
8. Rights and Exercise of Rights
• Right to get information: The Data Subject has the right to obtain clear, transparent and easily understandable information about how AIBILI uses his/her Personal Data and what his/her rights are.
• Right of access: The Data Subject has the right to obtain information about the Personal Data that AIBILI processes (if it actually processes it) and certain information about how the Data is processed. This right allows the Data Subject to know and confirm that the Data is handled in accordance with data protection laws. However, AIBILI may refuse to provide the requested information whenever, in order to do so, it must disclose Personal Data of another person or the information requested damages the rights of another person.
• Right of rectification: The Data Subject has the right to request AIBILI to take reasonable steps to rectify inaccurate or incomplete personal data concerning the Data Subject.
• Right to erasure (to be forgotten): This right allows the Data Subject to request the erasure of his/her data, as long as there are no valid legal grounds for AIBILI to continue to use them or when their use is illegal.
• Right to restriction of processing: The Data Subject has the right to "block" or prevent future use of his/her Personal Data while AIBILI evaluates a request for rectification or an alternative to erasure.
• Right to Data Portability: The Data Subject has the right to obtain and reuse certain Personal Data for his/her own purposes. This right only applies to personal data provided by the Data Subject to AIBILI and that AIBILI processes with his/her consent and those that are handled by automated means. Data will be exported as is, without any kind of format transformation.
• Right to object: In the terms expressly provided for in the General Data Protection Regulation and other applicable legislation, the Data Subject has the right to object to certain types of treatment, for reasons related to his/her particular situation, at any time during the treatment.
• Right to submit a complaint: The Data Subject has the right to complain to the competent supervisory authority, the National Data Protection Commission (CDPC), if he / she considers that the processing carried out on Personal Data violates his / her rights and / or applicable data protection laws.
The Data Subject may, at any time and in writing, exercise the rights enshrined in the Law of Protection of Personal Data and other applicable legislation through the email email@example.com.
9. Security and Integrity
Personal Data will be treated by AIBILI only in the context of the purposes identified in this Policy, in accordance with the internal policies of AIBILI and using technical and organizational measures designed according to the risks associated with the specific treatment of Personal Data. The technical and organizational measures designed ensure, to the maximum extent possible, the security and integrity of Personal Data, in particular in relation to unauthorized or unlawful treatment and its accidental loss, destruction or damage.
Whenever the lawful sharing of data through the Internet is verified, AIBILI will ensure the transmission in a safe way, using secure protocols, whenever this is technically possible. However, it may not guarantee subsequent sharing by the third parties to whom this information has been assigned, in a binding and substantiated manner.
AIBILI acknowledges that the information it provides may be confidential. In the scope of its activity, AIBILI does not sell, rent, distribute or otherwise make available the Personal Data to any third party, except in cases where it needs to share information with the Service Providers for the purposes established in this Policy or Third parties for the purpose of fulfilling their legal obligations.