Last amended 1 October 2021, v.05
Personal Data Controller:
|Registered address||K. Donelaicio str. 60, Kaunas, Lithuania|
|Telephone number||+370 37 366 307|
|DPO e-mail firstname.lastname@example.org|
1.2. The Rules applies to Biomapas Group, their employees and associated contractors and third-party service providers acting on behalf of and under instruction of any of Biomapas Group company.
1.3. Data protection regulations differ in countries where Biomapas Group operates. Biomapas Group follows the country specific Personal Data protection regulations and in case of discrepancies or inconsistencies among data privacy regulatory requirements comply with the requirement which is more stringent.
2.1.1. “Biomapas Group” is formed by associated companies listed below:
22.214.171.124. Biomapas OOO; company code: 7703810308/770301001; registered address: 10 Vozdvizhenka str., 125009, Moscow, Russia;
126.96.36.199. Biomapas LLC; company code: 405042190; registered address: 27b Mickiewicz str, 0160, Tbilisi, Georgia;
188.8.131.52. Biomapas LLC; company code: 40219120; registered address: Darnytskyi district, Kharkivske shosse str., 164, office 2, 02091, Kyiv, Ukraine;
184.108.40.206. Biomapas SARL; company code: CHE-203.202.251; registered address: Biopole Park, Route de la Corniche 4, 1066 Epalinges, Switzerland;
220.127.116.11. Biomapas Nordic AB; company code: 559166-1797; registered address: Wallingatan 34,111 24 Stockholm, Sweden;
18.104.22.168. Biomapas POLAND; company code: 385263340; registered address: Atrium Plaza, 29 Jana Pawla II str., 00-867 Warsaw, Poland;
22.214.171.124. Biomapas KZ, company code: 751410000; registered address: 16 Pirogov str., Bostandyk District, 050040 Almaty, Kazakhstan;
126.96.36.199. Signam UAB; company code: 304458044; registered address: Konstitucijos pr. 7, LT-09308 Vilnius, Lithuania;
188.8.131.52. BIO1 UAB; company code: 304457362; registered address: Konstitucijos pr. 7, LT-09308 Vilnius, Lithuania;
184.108.40.206. VVB UAB, company code 302458298; registered address: 9-ojo Forto g. 70, LT- 48179 Kaunas, Lithuania.
2.1.2.“Breach” – means a breach of Personal Data security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed;
2.1.3. “Controller” – means any Biomapas Group company acting as Personal Data controller as defined in the GDPR, which, alone or jointly with others, determines the purposes and means of Data Processing. This definition refers, depending on the context, to any single company of Biomapas Group or to all Biomapas Group companies.
2.1.4. “Data Processing” – means any automated or non-automated operation performed with regard to Personal Data, e.g. collection, recording, organization, structuring, storage, adaptation or alteration, consultation, use, disclosure, restriction, erasure or destruction.
2.1.5. “Data Subject” – means any natural person, whose Personal Data is being processed, e.g. research subject, investigator, representative of the Sponsor or any other natural person.
2.1.6. “GDPR” – means the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2.1.7. “Personal Data” – means any information about a natural person who is identified or whose identity is directly or indirectly identifiable (data subject), e. g. by name and surname, a personal identification number, location data and an online identifier or by physical, physiological, genetic, mental and other features.
2.1.8. “Processor” – means any natural or legal person, which processes Personal Data on behalf of the Controller, i.e. which assists the Controller and performs the Controller’s instructions, including but not limited to Biomapas Group companies as well as Contractors (acting as subprocessors as a rule) thereof. Any Biomapas Group companies may act as the Processor under the agreement with the client (e.g. under agreement with the sponsor for the services related to clinical trials).
2.1.9. “Responsible Person” – means a person responsible for the protection of Personal Data and appointed by Biomapas Group (one or several Biomapas Group companies), including a data protection officer (the “DPO”) (as defined under the GDPR). Email of the DPO appointed for Biomapas Group: email@example.com.
2.1.10. “Rules” – means the Rules on Personal Data Processing of Biomapas Group.
2.1.11. “Supervisory Authority” – means an independent public authority, established to supervise compliance of any of Biomapas Group company with requirements for Data Processing, as well as to perform other rights and duties stated in the GDPR. The lead Supervisory Authority for Biomapas Group is the State Data Protection Inspectorate of the Republic of Lithuania (ada.lt).
- PERSONAL DATA PROTECTION PRINCIPLES
3.1. When processing Personal Data, Biomapas Group complies with the following GDPR principles: purpose limitation (Data Processing only in a manner that is compatible with the purposes originally determined); data minimization (Data Processing only Personal Data which is needed for particular purposes); lawfulness, fairness and transparency; accuracy; storage limitation (Personal Data retained for no longer than is necessary for the particular Data Processing purpose); integrity and confidentiality, as well as the principle of accountability (Biomapas Group shall be able to demonstrate compliance with its obligations).
3.2. Biomapas Group adopts the Personal Data protection principles of data protection by default and design.
3.3. The implementation of the Rules and compliance with the above-mentioned Personal Data protection principles are ensured by the CEO of each Biomapas Group company together with the Responsible Persons, including the DPO, by establishing appropriate technical and organizational measures and supervising, whether proper measures are ensured.
3.4. All employees and contractors of Biomapas Group complies with Personal Data Processing requirements foreseen under the Rules while performing their functions. Personal Data may be processed by Biomapas Group employees and contractors, who need Personal Data to fulfil their functions and who have been familiarized with the Rules.
3.5. Employees and contractors of each Biomapas Group company must maintain confidentiality of Personal Data of which they have been made aware of while performing their functions, unless according to the applicable legal acts: such information is publicly accessible, or the Data Subject has consented to such disclosure, or, where it is necessary for the prevention of criminal or other illegal acts, as well as in other cases. This obligation remains in effect also after the termination of the employment contract or any other type of contract between any of Biomapas Group companies and its employee or contractor. For this purpose, agreements on confidentiality may be signed with the employees and/or contractors.
3.6. Biomapas Group establishes a training program on the GDPR to create awareness and to ensure compliance. Training conforms Biomapas employees’ roles and responsibilities.
3.7. Employees’ obligations foreseen hereunder apply to Biomapas Group contractors (natural persons) engaged for client service (to the extent applicable).
- GENERAL PROVISIONS ON PROCESSING
4.1. Personal Data is processed by Biomapas Group companies in pursuance of legitimate purposes and in the manner specified on each Controller’s internal rules and information addressed to Data Subjects.
4.2. Detailed information about Data Processing streams is specified in Records on Personal Data Processing and accessible in the internal database only to Responsible Persons, employees and the contractors (when access to internal database is provided for performance of the agreement concluded with the contractor) of Biomapas Group companies.
4.3. In the cases, in which special categories of Personal Data are processed, e.g. criminal records, health information, membership in trade unions, etc., employees of each Biomapas Group company will verify additionally, whether all required actions and protection measures are exercised and will perform additional actions (e.g. will get a separate consent for Data Processing) and implement more stringent measures (e.g. avoid excessive storage in the Controller’s database or any other programs used), should this be necessary.
4.4. Personal Data may be obtained directly from Data Subjects and third parties by automatic or non-automatic means as specified in Records on Personal Data Processing. Where Personal Data is provided by non-automatic means, employees or contractors of any Biomapas Group company will enter the collected Personal Data manually into the Biomapas Group database.
4.5. The Controller may use Processors. The Processor’s activities and obligations are governed by the contract between the Controller and the Processor, except in cases, in which Data Processing is performed in accordance with legal act, that is binding on the Processor. At the discretion of the Controller, Data Processing issues may also be regulated in an Annex to the master agreement on service provision or any other type of contract concluded between the Controller and the Processor (i.e. signing a separate agreement is optional). The same rules apply to Data Processing performed in the course of the Processor engaging the subprocessor (including cases, where any company of Biomapas Group is acting as the Processor).
4.6. Biomapas Group implements all appropriate technical (use of antivirus programs, installation of indoor alarms, physical control of persons’ access to the property, etc.) and organizational (e.g. drafting of the Rules, control of its implementation, password-secured access to computers, to the computer-network and to the database) measures to ensure the principles of Personal Data protection are embedded into Data Processing of all Personal Data, and to fully integrate the necessary safeguards to meet the minimum Personal Data protection requirements of the GDPR and to protect the rights of Data Subjects.
4.7. While performing their activities, all Biomapas Group companies and their employees constantly consider the existing risks and seek to reduce or to avoid such risks to the extent possible.
- NOTICES ON DATA PROCESSING
5.1. Information on Data Processing established under the GDPR is provided to Data Subjects in a simple form, including but not limited to information on Personal Data categories, purposes, legal basis for the Data Processing, categories of Data Subjects, storage term, Processors and Personal Data recipients, also other information if required (e. g. sources of Personal Data; if Personal Data is transferred to third country outside the EEA; consequences, where Personal Data is not provided).
5.2. Specific cases of the Data Processing and detailed information to the Data Subjects, whose Personal Data is processed by the companies of Biomapas Group are available below.
5.3. Please note, that in cases, where Personal Data is processed based on the consent (as legal ground for Data Processing) as a rule, consent will be received from Data Subject via email (e.g. in signed and scanned consent form or as an email response “I agree” (“I disagree”) to information on the Data Processing).
5.4. Notices to particular Data Subjects (if required and not mentioned below notices will be provided on case-by-case basis directly to Data Subjects):
5.4.1. Employee Data Protection Information Notices and Contractor Data Protection Information Notices are provided to respective Data Subjects directly;
- RIGHTS OF DATA SUBJECTS
6.1. Biomapas Group will ensure that the rights of the Data Subjects under the GDPR are fully respected and will use reasonable measures to comply with them. These rights include following Data Subject’s right:
6.1.1. to be informed or notified of the intended Data Processing activity;
6.1.2. to access Personal Data;
6.1.3. to request rectification;
6.1.4. to request erasure;
6.1.5. to restrict Data Processing in certain circumstances;
6.1.6. to Personal Data portability;
6.1.7. not to be subject to a decision based solely on automated processing which may have a legal or similarly significant effect on the Data Subject;
6.1.8. to object to Data Processing;
6.1.9. to lodge a complaint with Supervisory Authority or, when appropriate, the court.
6.2. Employees and contractors of Biomapas Group companies directly engaging with Data Subjects, to the extent required, informs them about Data Processing and implementation of their rights.
6.3. When the Personal Data is no longer necessary for the Data Processing purposes or when Data Subject submits a valid request (in set form available via link below) to erase Personal Data and in the absence of any regulatory requirements to keep processing Personal data, Biomapas Group erases Personal Data according to the procedure established by Biomapas in a way that securely precludes restoration or recognition of the content.
6.4. The Data Subject may at any time exercise his/her rights (in a manner complaint with the GDPR) by filing the request in a form, submitted in person, via post to Biomapas registered address or via electronic means (via firstname.lastname@example.org to DPO of Biomapas Group). Such request upon receipt by Responsible Persons is handled free of charge within 30 days (term extensions possible under specific circumstances) and either satisfied (if addressed Biomapas Group company finds that the request is justified) or rejected with reasons. Biomapas will have to verify your identity before implementing your data subject right.
6.5. If the Data Subject believes that his/her rights related to Data Processing were violated, he/she can lodge a complaint with the lead Supervisory Authority. In any case, with regard to the violation of his/her rights, a Data Subject may also address the concerned Supervisory Authority at his/her state of residence, which will transfer the claim to or investigate it together with the lead Supervisory Authority following the procedure established under the GDPR.
- PERSONAL DATA TRANSFER
7.1. Personal Data is transferred when it is required in order to service clients, to protect Biomapas Group or third-party legitimate interests (e.g. to prevent or to facilitate investigation of criminal or illegal acts) as well as in other cases foreseen by legal acts.
7.2. Biomapas Group may provide Personal Data to courts, law enforcement authorities, bailiffs, notary offices, lawyers, state and municipal authorities, companies, institutions and organizations and to other similar recipients.
7.3. Personal Data may be also provided to service providers (e. g. financial advice, IT servicing).
7.4. Personal Data is transferred only to the extent it is necessary.
7.5. Processed Personal Data may be transferred to other parties only according to the procedure set out in the GDPR, other applicable legal acts, and to the extent specified under the Rules.
7.6. Personal Data may be transferred outside the European Union or the European Economic Area only if a sufficient level of Personal Data protection is ensured in the destination country.
7.7. The Controller may use Processors for the Data Processing, including companies of Biomapas Group and the contractors, which can operate outside the boundaries of the European Union and the European Economic Area. Accordingly, Personal Data may be transferred to third countries to the extent necessary for performance of Data Processing functions assigned to the Processor.
- FINAL PROVISIONS
8.1. Controllers may also perform video surveillance and record telephone conversation. You will be notified whenever your Personal Data is processed in the mentioned manner.
8.2. DPO oversees Biomapas Group compliance with the Rules.