This document refers exclusively to personal data of a general nature, since the specific protection of genetic data is dealt with in the document “PROTECTION OF GENETIC DATA”, which is also displayed on the website.
“24GENETICS, S.L. ” (hereinafter referred to as 24Genetics) is committed to ensuring that your personal information is protected and not misused, strictly subject to the provisions of the Organic Law 3/2018 of December 5, 2018, on the Protection of Personal Data and guarantee of digital rights, and in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), and other regulations in force.
First, at 24Genetics there is a DATA PROTECTION DELEGATE (hereinafter, the DPD), who is in charge of ensuring that there is strict compliance with all data protection regulations, advising us and supervising all the processing we carry out. In addition, the DPD is at your disposal to answer any questions related to the processing of your personal data.
Second, at 24Genetics we take all necessary measures to prevent cyber-attacks. However, if a breach in our security affecting your personal data were to occur, we would immediately notify the SPANISH DATA PROTECTION AGENCY to help us manage the incident, and you yourself, if the situation is serious. In any case, we believe that the most effective and definitive measure against this risk is not to have on our website the genetic data of our customers, so that if we suffer a cyberattack could not find any trace of such data.
Third, in order to provide you with our services, we sometimes subcontract to specialized companies (for example, courier companies), which may have access to your personal data in order, exclusively, to develop their work. In any case, we apply a rigorous supplier selection process to ensure that all our suppliers comply strictly with data protection regulations. Fourth, if the service you hire requires sending the company a DNA sample, we inform you that from the moment it reaches us, it becomes coded, so that the biological sample is subjected to a process of coding or dissociation: your personal data will not be associated with the sample because the information that identifies you will be replaced or unlinked through the system of using a unique bar code. This will only allow duly authorized 24Genetics personnel to link the saliva sample, and the genetic information derived from it, to your 24Genetics customer account, so that only such duly authorized 24Genetics personnel will have access to the relationship between your biological sample, your DNA and information obtained from its processing, and the code assigned in each case. And, in any case, 24Genetics personnel who access your genetic data in the exercise of their functions will be subject to the duty of secrecy on a permanent basis.
By providing us with your personal information and using our website, we understand that you have read and understood the terms related to personal data protection information that are exposed, giving your consent to that effect. 24Genetics is obliged to comply with the current legislation on data protection, both national and European, with the sole purpose of processing your data in a lawful, fair and transparent manner.
I. ORIGIN OF THE PERSONAL DATA PROCESSED
The personal data we process comes from the data subject.
II. IDENTITY AND CONTACT DETAILS OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
In accordance with the provisions of art. 11 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights and other regulations in force in this regard, we inform you that the personal data that you may provide during the use of the website www.24 genetics.com (hereinafter, the website) will be processed, as PERSON RESPONSIBLE FOR THE PROCESSING, by “24GENETICS, S.L.” (hereinafter, 24Genetics), with address in Madrid, Paseo de la Castellana, n.º 95, Planta 28 (C.P. 28046), holder of Tax Identification Number B-8693812 and registered in the Mercantile Registry of Madrid in Volume 28370, Folio 116, Page M-51931; and with e-mail address email@example.com.
III. CONTACT DETAILS OF THE DATA PROTECTION OFFICER
Likewise, and as we have already mentioned, 24Genetics has appointed a DATA PROTECTION DELEGATE (hereinafter, the DPO), in charge of ensuring that your data is treated appropriately. In addition, if you would like to make a comment, make a suggestion or ask any kind of question regarding our use of your personal information, you can contact him/her by sending an e-mail to the following address: DPD@24genetics.com.
IV. PURPOSES OF THE PROCESSING FOR WHICH THE PERSONAL DATA IS USED AND ESSENTIAL DATA COLLECTED
The main reason why we collect your personal information is to facilitate and improve the service we provide to you. This main reason is divided into six other more specific purposes for which we collect your personal data, which are as follows:
1.ª) To manage the creation of a user account: to enjoy the service it is necessary for the applicant to create an account and identify himself as a user, since the account allows the telematic processing of both the contracting of the service and the payments derived from the provision of such service. In any case, through the section “My account”, included in the heading “Login” in the top menu of the web, you can modify at any time the personal data you have provided; 2.ª) Manage the Help Center: the purpose of this is to offer you the best possible attention and assistance because, through it and at any time, you can raise all your doubts, comments, suggestions or incidents related to the service we provide. Consequently, it allows us to analyze the requests for information, suggestions and complaints from customers for their management and resolution. 3rd) To carry out marketing actions: we will use your personal data to send you news, products and promotions related to 24Genetics. However, you may unsubscribe from these communications at any time. To do so, simply click on the “unsubscribe” link contained in any of the communications. 4th) Improving the service: at 24Genetics we are constantly working on improving the application and the website, and for this reason we carry out tests, research and analytical studies, and develop new products that end up improving the quality of the service. But it happens that such work often requires the use of personal user data. Therefore, this data allows us to optimize the website, make it more functional and adapt it to your needs. 5th) Preventing fraud: the processing of users’ personal data is also necessary to prevent potential fraud against them and against 24Genetics, making it possible to implement measures that make our Platform a safe place. 6th) To consult the user’s opinion about 24Genetics: it is very useful for us to know what your opinion about 24Genetics is in order to be able to make strategic decisions that make us a company aligned with the interests and concerns of our users. Therefore, at times we may ask you to respond to a simple survey to find out what your perception of us is. However, please note that we are only interested in knowing the opinion of our users in a strictly statistical way. Therefore, when we receive your opinion, we will anonymize it, that is to say, your answers will only be associated with a code. Subsequently, we will deliver the anonymized information to the entity that helps us carry out these studies so that it can proceed to analyze it together with the opinions of many other users, and can thus elaborate a statistical study on the image and perception that users have of 24Genetics. Of course, you don’t have to give us your opinion if you don’t want to.
In order to be even more precise, we will now list the fundamental data we collect from the user, expressing the specific purposes we pursue with their processing:
– E-mail: through it we can communicate with the user and keep him/her informed of news and updates of the website. In any case, the user always has the possibility to unsubscribe, from your user profile, both in the receipt of the generality of our emails and exclusively in certain communications. – Name and surname or company name, as well as NIF: with these data we can invoice our services. This is also to enable us to duly comply with all legal (e.g. those resulting from Law 10/2010 on the prevention of money laundering and terrorist financing) and tax obligations that apply to such payments. – Postal, fiscal and, where appropriate, social address: its processing is essential for tax and logistical purposes. – Contact telephone number: it is convenient in order to have a better communication and, thus, be able to offer a personalized attention. – Payment data: this data is necessary to carry out transactions involving our services. In this regard, it should be noted that the means of payment we use are the following:
– Tracking ID, using tracking software: Generally, each of our users is assigned a tracking ID that helps us understand how you behave when you browse our site. This data helps us to improve our user experience and is not used for any other purpose. – KIT number: this is the label that the client will stick on the DNA sample (if the contracted service requires it to be sent), as well as on the documents to be sent to us and which the user keeps for himself/herself. – Order number: this is the number with which we identify each of the user’s orders.
V. LEGAL BASIS FOR PROCESSING
The processing of user data by 24Genetics is based on the consent given by the user for this purpose. This consent may be withdrawn by the interested party at any time, although, in the event of revocation, such revocation will not affect the lawfulness of the processing previously carried out.
It is also legally based on the fact that the processing is necessary for the performance of the contract you sign. And, finally, that the processing is also necessary for the satisfaction of legitimate interests pursued by 24Genetics. With regard to this last legal basis, we proceed to specify what these legitimate interests of 24Genetics are, depending on the purpose pursued:
1st) To provide the Service: using your personal data is necessary to be able to execute the contract that binds us to you. Otherwise, you would not be able to use the service.
2nd) To carry out marketing activities: we will use your personal data to send you news, offers and promotions based on your profile, but only if you have given us your consent for this purpose. The communications we send you may be sent by email, SMS, apps, etc. Remember, in any case, that you can ask us at any time to stop sending you these personalized communications.
3rd) Improve our service: we consider that at 24Genetics we have a legitimate interest in carrying out tests, research and analytical studies that improve the quality of our service, allow us to make it more functional and adapt it to your needs. In our opinion, this treatment also benefits you directly, since you will be able to enjoy a service that more accurately meets your needs.
4th) To prevent fraud: we also understand that 24Genetics has a legitimate interest in trying to prevent potential fraud related to the service. This treatment is positive for 24Genetics and also for you, since it will allow us to use procedures that try to avoid fraudulent uses of the service.
5th) To consult your opinion about 24Genetics: we believe that we have a legitimate interest in knowing your perception of 24Genetics, as it will allow us to make strategic decisions that are adapted to the needs and concerns of all our users.
VI. RECIPIENTS OF PERSONAL DATA (COMMUNICATION OF USER DATA)
The personal data provided by the user will not be communicated to third parties, unless it is necessary for the provision of the requested service or when the user has expressly accepted its communication. Regarding the first circumstance, it should be noted that in some cases it is necessary for us to communicate the information you have provided to 24Genetics’ collaborating companies in order to be able to provide the requested service. For example, courier companies or third party providers who assist us with various service-related issues. These third parties only have access to the personal information they strictly need in order to carry out their collaboration. Therefore, the volume and type of personal data we share with them is minimal: it is limited to what is essential. In any case, we ensure that they perform in a confidential and fair manner, and in full compliance with applicable data protection regulations. To this end, we require them to enter into specific agreements with us governing their use of users’ personal data.
VII. CRITERIA USED TO DETERMINE THE PERIOD OF RETENTION OF PERSONAL DATA
We only store your personal information to the extent that we need it, in order to use it for the purpose for which it was collected, and always in accordance with the legal basis for processing it, in accordance with applicable law. In any case, if you exercise your right of deletion and/or limitation of the processing of your data, 24Genetics will keep the information duly blocked, without giving it any use, while it may be necessary for the exercise of claims or for the defense against them, or may derive some kind of judicial, legal or contractual liability for its processing, which must be addressed, and for which its recovery is necessary. In addition, and as already mentioned, the period of conservation of your personal data depends on each of the purposes for which we use them. Next, we will tell you for how long or until what time we will keep your data in relation to each of the purposes outlined above: 1.º) Provision of the service: we will use your personal data until you decide to stop using our service, for which you must delete your user account. As long as you do not unsubscribe, we will continue to process your personal data for this purpose. Please note that if there is any unresolved issue related to the service, we will try to resolve it before you can unsubscribe. 2.ª) Marketing actions: we will use your personal data until you ask us to stop doing so, regardless of whether you continue to use our service or have unsubscribed. Please note that you can ask us to stop sending you personalized news, offers and promotions at any time: simply click on the “Unsubscribe” link contained in any of our communications. 3rd) Service improvement and feedback on 24Genetics: we will use your personal data until you decide to stop using our service, for which you will need to delete your user account. As long as you do not unsubscribe, we will continue to process your personal data for this purpose. 4th) Fraud prevention: as in the previous case, we will use your personal data until you decide to stop using our service, for which you must also delete your user account. As long as you do not unsubscribe, we will also continue to process your personal data for this purpose.
VIII. USER’S RIGHTS REGARDING DATA PROTECTION
The user may send an e-mail to firstname.lastname@example.org, enclosing a photocopy of his/her ID card or other document proving his/her identity, at any time and free of charge (unless the request is manifestly unfounded or excessive), to exercise the following rights:
Right of access: the right to obtain from the data controller confirmation of whether or not personal data concerning him/her are being processed and, if so, the right to obtain information on his/her specific personal data processed and on all the matters referred to in the preceding paragraphs. Right of rectification: the right to correct and complete inaccurate and incomplete personal data. Right to erasure: the right to obtain without undue delay from the data controller the erasure of personal data concerning him/her, provided that any of the circumstances provided for in the data protection regulations apply (including that the data subject withdraws the consent that legitimated the processing of such data, and such consent is not based on any other legal basis). Right to restriction of processing: the right to obtain from the controller the restriction of data processing when one of the conditions provided for in the data protection regulations is met (among others, when the data subject contests the accuracy of his or her personal data, for a period of time that allows the controller to verify the accuracy of the data). Right to object: the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data by the controller in the following cases: where his or her data are processed on the basis of a public interest mission or legitimate interest, including profiling; and where the purpose of the processing is direct marketing, including also the aforementioned profiling. Right to portability: the right to receive personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format, and to transmit it to another controller without being prevented from doing so by the controller to whom he/she has provided it, provided that the processing is legitimate on the basis of his/her consent or within the framework of the performance of a contract. However, this right, by its very nature, does not apply where the processing is necessary for the performance of a task carried out in the public interest or for the exercise of official authority vested in the controller. Right to lodge a complaint with a supervisory authority: you may lodge a complaint with the SPANISH DATA PROTECTION AGENCY, especially when you are not satisfied with 24Genetics’ response to the exercise of your rights.
IX. VOLUNTARINESS OF THE PROVISION OF PERSONAL INFORMATION
Visiting the website does not imply that the user is obliged to provide any information about himself/herself. However, the possibility of using some of the services available on the website depends on the completion of forms that require personal information. The data requested in the different forms on the website are those necessary to provide the requested services. The refusal to provide them may result in the impossibility of adequately providing such services. Likewise, certain functionalities of the web depend on you authorizing the processing of your personal data.
X. USER RESPONSIBILITY
The user will be responsible for ensuring that the data provided to 24Genetics is true, accurate, complete and up to date. To this effect, the user will be responsible for the veracity of all the data he/she communicates and must keep the information provided duly updated, in such a way that it corresponds to his/her real situation. Likewise, the user shall be liable for any false or inaccurate information provided through the website, and for any damages, direct or indirect, that this may cause to 24Genetics or third parties.
XI. PROTECTION OF THE PERSONAL DATA PROVIDED
24Genetics will treat the user’s data at all times in an absolutely confidential manner and will keep the mandatory duty of secrecy with respect to the same, in accordance with the provisions of the applicable regulations, and adopting for this purpose the necessary technical and organizational measures to ensure the security of your data and avoid its alteration, loss, unauthorized access or processing, given the state of technology, the nature of the data stored and the risks to which they are exposed.
This English version of the document has been prepared for information purposes only and has no legal value, so that the only legally binding version of this agreement is the one drafted in Spanish, which can be consulted at https://24genetics.es/politica-de-privacidad/