Data protection policy

Go to FR version

ARTICLE 1: PREFACE

The GDPR and you…

The protection of personal data is one of our major concerns. Our privacy policy falls within a legal context defined by the European Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016), applicable since 25 May 2018 and the French Data Protection Act No 78-17 of 6 January 1978, as amended, relating to data processing, files and freedoms.

The purpose of this data protection policy is therefore to present you with:

  • The personal data controller

  • How your data is collected and processed. Personal data is data allowing a natural person to be identified.

  • Your rights regarding the use of your personal data

  • The recipients to whom your data is transmitted

  • The website's cookie management policy

This privacy policy supplements the legal notices present on the website and the general conditions of use .

ARTICLE 2: GLOSSARY

We promise you'll understand us!

Personal Data is any information relating to an identified or identifiable person, that is to say allowing them to be identified directly (e.g. surname and first name) or indirectly (e.g. cookies).

Data Processing is any operation or set of operations (automated or not) applied to personal data or sets of data, such as for example: collection, recording, organisation, storage, transmission of data, etc.

The Data Controller determines the purposes (the objectives of the processing) and the means of processing.

The Data Processor processes personal data on behalf of the Data Controller and under its instructions.

ARTICLE 3: GENERAL PRINCIPLES

We have legal obligations!

In accordance with the provisions of Article 5 of the General Data Protection Regulation (GDPR), the collection and processing of your personal data complies with the following principles:

  • Legality, loyalty and transparency: the collection and processing of personal data can only take place on a legal basis defined beforehand (performance of a contract, legal obligation, consent, legitimate interest, preservation of vital interests)

  • Limited purposes: the collection and processing of personal data can only be carried out to meet one or more defined objectives

  • Minimisation of data collection and processing: only the data strictly necessary for the proper execution of the objectives pursued will be collected

  • Data retention limited in time: the data controller is obliged to define retention periods concerning the personal data processed

  • Integrity and confidentiality of the data collected and processed: the data controller undertakes to guarantee the integrity and confidentiality of the data collected.

ARTICLE 4: DATA CONTROLLER

We are responsible for the data entrusted to us!

As data controller, CYTOO undertakes to comply with the obligations arising from the Regulation and the amended French Data Protection Act concerning the collection and processing of personal data. In accordance with Article 32 of the GDPR, we implement all technical and organisational measures to ensure the protection of your personal data.

ARTICLE 5: PERSONAL DATA COLLECTED AND PROCESSED: WHAT DATA?

What do we know about you?

In accordance with the principle of minimization, we only collect the data necessary to carry out our missions. Thus, as part of our activity, CYTOO may collect and process the following information:

As part of our scientific research and development assignment, alone or with third-party partners, we are made aware of sensitive data such as medical or genetic data.

Being aware of the level of sensitivity of this information, we are committed to guaranteeing you a maximum level of confidentiality, and we also commit to complying with our legal and regulatory obligations. All the data collected is therefore strictly necessary for the accomplishment of the assignment you have entrusted to us.

ARTICLE 6: PERSONAL DATA COLLECTED AND PROCESSED: FOR WHAT REASONS?

We would like to explain it to you!

In all these situations, CYTOO acts as a "Data Controller" within the meaning of the GDPR.

DATA COLLECTED

REASONS FOR COLLECTION

LEGAL BASIS

RETENTION TIME

CONSULTATION OF THE WEBSITE

  • ID

  • Personal life

  • Professional life

  • Login details

  • Localisation

  • Internet

We use this data to:

- Send you marketing communications (if you have made a request)

- Send you our quotes (if you have made a request)

- Contact you when you fill out the contact form

- Conduct audience analyses or prepare statistics (if agreed)

Consent

Your browsing data on our website is kept for a maximum period of 13 months

 

The data collected through the form is kept for 3 years from the collection or last contact from the prospective client

- Offer you customised services

- Monitor and improve our websites and applications

- Secure our websites/applications and ensure our and your protection against fraud.

Legitimate interest

CUSTOMER AND PARTNER RELATIONSHIP MANAGEMENT

  • ID

  • Personal life

  • Professional life

  • Economic information

  • Login details

  • Localisation

  • Internet

We use this data to:

- Manage the business relationship

- Manager your orders

- Manage payments, invoices, etc.

- Process and track your order, including delivery

- Answer your questions and interact with you in any other way

- Send you offers matching your needs

 

Execution of a contract

Retention for the duration of the commercial relationship, and 10 years after the end of the relationship.

 

Retention of invoices for 10 years.

NEWSLETTER SUBSCRIPTION AND MARKETING COMMUNICATIONS

  • ID

  • Personal life

  • Professional life

 

We use this data to:

- Send you marketing communications (if you have made a request)

- Manage your participation in surveys, including taking into account your opinions and suggestions

Consent

The data is retained as long as the data subject does not unsubscribe (via the unsubscribe link integrated into the newsletters)

- Conduct audience analyses or prepare statistics

- Send you customer information communications (Newsletters)

Legitimate interest

- Maintain a deleted list if you have asked not to be contacted

Legal obligations

RECRUITMENT MANAGEMENT

  • ID

  • Personal life

  • Professional life

  • Localisation

  • Internet

- Manage applications

- Manage interviews

 

Consent

Two years after the last contact with the candidate, on the latter's consent

RESEARCH AND DEVELOPMENT

  • ID

  • Healthcare

  • Genetics

- Target or molecule identification

- Compound identification

- Protocol development

Execution of a contract

Results are retained for 5 years after expiration or termination of a contract, depending on the type of project

ARTICLE 7: PERSONAL DATA: WHO HAS ACCESS TO YOUR PERSONAL DATA?

We don't pass it on to just anyone!

CYTOO agrees to only share you personal data with internally authorised persons and to authorised third parties such as the tax administration or the health authorities.

CYTOO may, if necessary, transfer your personal data to sub-processors such as:

  • KOESIO: Our IT service provider

  • Salesforce: Our CRM

  • OVH: Our data host

  • CPA audit, payroll manager and chartered accountant

  • KPMG, Statutory Auditor

The use of these service providers is necessary for the proper performance of our services. We are committed to verifying and guaranteeing compliance with the GDPR and the amended French Data Protection Act.

Apart from the recipients mentioned above, CYTOO is committed to not sharing your personal data with third parties or external bodies without your express consent.

CYTOO does not and will not make any sale, transfer or communication of your personal data to unauthorised third parties.

CYTOO does not use any automated decision based on your personal data. No profiling is carried out during processing, and the data we collect will never be used without human intervention.

ARTICLE 8: YOUR RIGHTS

You hold all the cards!

8.1 Your rights

In accordance with the regulations in force, you have the following rights concerning your personal data:

8.2 The DPO

CYTOO has appointed a Data Protection Officer (DPO). In order to exercise your rights, you can contact our Data Protection Officer (DPO) at the following address: rgpd@cytoo.com

8.3 The complaint to the CNIL

You can lodge a complaint at any time with the competent authority, namely the French data protection authority ( Commission National de l’Informatique et des Libertés - CNIL), via the following link: https://www.cnil.fr/fr/plaintes.

ARTICLE 9: SECURITY MEASURES

You entrust us with your data, so we take care of it!

CYTOO is responsible for the security of personal data, which it undertakes to process in a secure manner, and only for the time necessary to achieve the purpose pursued.

CYTOO has put in place technical and organisational measures to ensure an adequate level of data protection in relation to the nature and purpose of the processing.

Thus, in accordance with Article 32 of the GDPR relating to the security of processing, CYTOO has implemented:

  • The pseudonymisation and encryption of personal data. As soon as possible, the data is anonymised;

  • The means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

Nevertheless, the obligation of security remains an obligation of means, that is to say that we make every effort to guarantee the confidentiality and integrity of your personal data.

All persons with access to your personal data have been made aware of best data protection practices. They are bound by an obligation of confidentiality, and are liable to disciplinary action in the event of non-compliance with this provision.

ARTICLE 10: TRANSFERS OF DATA OUTSIDE THE EUROPEAN UNION

A well-organized trip!

As part of our work and for the management of your requests, we may be required to transfer data outside the European Union. However, before we transmit your personal data, we verify the rules applicable to data transfers outside the European Union (United States, Canada, Japan).

ARTICLE 11: COOKIE

You can choose to eat cookies or go on a diet.

As with most websites, our website uses cookies:

If you wish to limit your traces, we recommend that you refuse them by default via the cookie management banner that we have set up on our website.

Our cookie policy also explains how to accept, personalize or refuse cookies by expressing your choice using the banner at the bottom of your screen.

ARTICLE 12: UPDATES TO THE DATA PROTECTION POLICY

You're on the right track, you've almost finished reading!

This personal data protection policy is subject to change.

The last update was made In May 2023