Private policy

Version 05 of 29 March 2024

Contents

  1. Who are we?. 1
  2. Who are the data subjects?. 2
  3. What is our commitment to data protection?. 2
  4. What personal data do we process and for what purposes?. 2
  5. In what capacity do we process your personal data?. 4
  6. On what basis do we process your personal data?. 4
  7. Where does your personal data come from?. 5
  8. Who has access to your personal data?. 5
  9. How do we manage our processors?. 6
  10. Where do we process your personal data?. 6
  11. What are the applicable retention periods?. 7
  12. What are your rights?. 7
  13. What level of security do we provide?. 9
  14. Do you have any questions or complaints?. 9
  15. Anything else?. 9

 

  1. Who are we?
  • Name: 101 Genomes Foundation (‘we’, “us”, ‘our’)
  • Headquarters: Avenue de Sumatra 6, 1180 Uccle (Belgium)
  • Company number: BE0684.609.172
  • Website: https://www.f101g.org (the ‘Website’)
  • Contact details of our contact person for any questions relating to data protection: dpo@f101g.org.
  1. Who are the individuals concerned?

2.1 We process personal data relating to:

  • participants in our research projects (such as the Genome4Good initiative and the GEMS study);
  • participants in specific research projects who entrust us with data hosting;
  • fund donors (e.g. people who give us money), fundraisers (e.g. people who raise money for us) and supporters (e.g. people who attend our events, etc.);
  • representatives of our partner organisations (e.g. research centres, associations and other organisations);
  • representatives of our suppliers;
  • candidates applying for employment with us;
  • visitors to our website and our workplaces;

Hereinafter: ‘data subjects’, “you”, ‘your’.

2.2 This privacy policy (the ‘Policy’) applies to all processing of your personal data that we carry out.

  1. What is our commitment to data protection?

3.1 We are committed to making every effort to ensure that our personal data processing activities comply with applicable data protection legislation, including Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the ‘GDPR’) and the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, as amended, supplemented or replaced from time to time (the ‘Applicable Data Protection Legislation’).

  1. What personal data do we process and for what purposes?

4.1 If you are a participant in one of our projects or in a specific research project of a group that entrusts us with data hosting, we process:
8.2 We entrust the processing of some of your personal data to subcontractors only to the extent necessary to perform their tasks and in accordance with our written instructions and the Applicable Data Protection Legislation.

8.3 In the event of a restructuring (e.g. a financing transaction), we may transfer certain personal data concerning a limited number of data subjects to a third party involved in the transaction (e.g. a bank) in accordance with Applicable Data Protection Legislation.

  1. How do we manage our processors?

9.1 We take appropriate measures to ensure that our processors process your personal data in accordance with the Applicable Data Protection Legislation.

9.2 Among other things, we ensure that our subcontractors undertake to process personal data only on our instructions, not to engage another subcontractor without our prior authorisation, to take appropriate technical and organisational measures to ensure the security of personal data, to ensure that persons authorised to access personal data are subject to appropriate confidentiality obligations, to return and/or destroy the personal data they process at the end of their services, to comply with audits and to provide us with assistance in following up on requests from data subjects regarding the exercise of their rights in relation to their personal data.

  1. Where do we process your personal data?

10.1 We ensure that the health and biometric data of participants in our projects (including Genome4Good) are hosted exclusively on servers located within the European Economic Area (‘EEA’).

The data collected is processed under our control so that it is accessible in biological format in our ‘BioB’ and in electronic format in our ‘Genomic Cloud’.

  • BioB. We have created our own biobank called ‘BioB’. Our BioB is hosted in France by CryopAL Biobanque Solutions, which holds ISO 9001:2015 (No. 181277/1415F) and ISO 20387:2018 (No. 211277/1415F) certifications. The creation of BioB was approved on 5 April 2022 by the Ethics Committee of Erasme Hospital (Brussels, Belgium). It was then assigned notification number BB220008 by the Belgian Agency for Medicines and Health Products (AFMPS) on 9 June 2022.
  • Genomic Cloud. We have created our own bioinformatics biobank called ‘Genomic Cloud’. Our Genomic Cloud is built in Azure (ISO 27001:2013, Defender 100% Secure score) and complies with FAIR principles.

10.2 In the highly unlikely event that your personal data is transferred to countries outside the EEA, we will ensure that the following safeguards are in place:

  • the country to which the personal data is transferred has been granted an adequacy decision by the European Commission pursuant to Article 45 of the GDPR and the transfer falls within the scope of that adequacy decision;
  • we will carry out an impact assessment of the transfer, adopt additional measures if necessary and conclude a contract with the recipient of the personal data containing the standard contractual clauses for the protection of personal data adopted by the European Commission pursuant to Article 47 of the GDPR.

10.3 In the event that your personal data is transferred to a country that does not have a level of protection equivalent to that provided by the GDPR, appropriate safeguards will be put in place to ensure a level of security and protection appropriate to the nature of the data transferred. You will be informed of the safeguards put in place via your dedicated portal and/or by email, and if you would like more information, you can always contact the Data Protection Officer of the 101 Genomes Foundation at dpoAT101gDOTorg.

  1. What are the applicable retention periods?

11.1We ensure that your personal data is only kept for a period that does not exceed the time necessary for the purposes for which it is processed.

11.2 We retain accounting documents (which may contain some of your personal data) for a period of seven (7) years from the date of issue in accordance with accounting law. These documents contain the personal identification data, professional identification data and contact details of our clients’ representatives.

11.3 We retain the data to which you have given us access for the duration of the projects in which you participate (such as Genome4Good). In all cases, your personal data is retained for the time required by regulations.

11.4 We also use the following criteria to determine how long to retain personal data, depending on the context and purposes of each processing operation:

  • the date of our last contact;
  • security reasons (e.g. the security of our information systems);
  • any ongoing or potential dispute or litigation with a data subject;
  • any legal obligation to retain or erase personal data (e.g. a retention obligation imposed by accounting or tax law).
  1. What are your rights?

12.1 Subject to the limitations contained in the Applicable Data Protection Legislation, you have the right to information, the right to access, rectify and erase your personal data, the right to object to or restrict the processing of your personal data, the right to data portability and the right to withdraw your consent.

12.2 Below is a table describing each of your rights in more detail:

Right Description
The right to information You have the right to obtain clear, transparent and understandable information about how we process your personal data and how you can exercise your rights. This information is contained in the Policy. If it is not sufficiently clear, please contact us (using the contact details provided in the Policy).
The right of access You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where they are, access to the personal data. You have the right to obtain a copy of your personal data, unless the exercise of this right infringes on the rights and freedoms of others.
Right to rectification You have the right to obtain the rectification of personal data concerning you if it is inaccurate. You also have the right to have personal data concerning you completed if it is incomplete.
The right to erasure (the ‘right to be forgotten’) You have the right to obtain the erasure of your personal data. However, the right to erasure (or the ‘right to be forgotten’) is not absolute and is subject to specific conditions. We may retain some of your personal data to the extent permitted by Applicable Data Protection Legislation, in particular where processing is necessary for compliance with a legal obligation to which we are subject or for the establishment, exercise or defence of legal claims.
Right to object to processing You have the right to object to certain types of processing (where the processing is based on our legitimate interests and, taking into account your particular situation, your interests or fundamental rights and freedoms prevail).
Right to object to processing for marketing purposes You have the right to object at any time to the processing of your personal data when we process such data for marketing purposes.
Right to restriction of processing You have the right to obtain restriction of processing in certain circumstances (for example, when we no longer need your personal data but it is still necessary for the establishment, exercise or defence of legal claims).
The right to data portability In certain circumstances, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit it to another data controller.
The right to withdraw your consent If you have given us your consent to process your personal data, you have the right to withdraw it at any time.

 

12.3 Please address any requests regarding your rights in relation to your personal data that we process in our capacity as data controller to our contact person for all data protection matters using the contact details provided in the Policy. We undertake to respond to your request as soon as practicable and always within the time limits set out in the Applicable Data Protection Legislation. Please note that we may retain your personal data for certain purposes where required or permitted by law. Finally, please note that if we have any doubts about your identity, we may ask you to provide proof of identity in order to prevent unauthorised access to your personal data.

12.4 Please note that we may charge a reasonable fee based on the technical and administrative costs of responding to your request for access to your data and your right to data portability (this contribution shall at least cover the full costs incurred by us for collecting, sequencing, processing and storing the data).

12.5 The groups authorised to have access only have access to your anonymised or at least pseudonymised data (i.e. in such a way that this data cannot be linked to your personal identification data). We are the only ones who can link your Research Data to your personally identifiable information. You acknowledge that, upon your request, we will validly comply with your request to exercise (i) your right to object to the processing of your Research Data, (ii) your right to withdraw your consent to the further processing of your Search Data, and (iii) your right to delete your Search Data by irreversibly erasing the link between your Search Data and your personally identifiable information.

  1. What level of security do we provide?

13.1 We take appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of your personal data.

Our BioB (biobank), in which biological samples are stored, is hosted in France by CryopAL Biobanque Solutions, which holds ISO 9001:2015 (No. 181277/1415F) and ISO 20387:2018 (No. 211277/1415F). It was approved on 5 April 2022 by the Ethics Committee of Erasme Hospital (Brussels, Belgium) and received notification number BB220008 from the Belgian Agency for Medicines and Health Products (AFMPS) on 9 June 2022.

Our Genomic Cloud, where the computer data is stored, is built in Azure and has achieved ISO 27001:2013 certification (+Defender 100% Secure score). After consultation with our Data Access Committee (DAC), bioinformatics researchers may be granted access to a query interface on our Genomic Cloud in order to conduct their research. The electronic data we collect does not leave the instance where it is stored in our Genomic Cloud. Researchers authorised to query the data may conduct their analyses on copies of the data, but they may not extract or save the data locally. Only the research results are repatriated and belong to the researchers.

13.2 We follow industry best practices to ensure that personal data is not accidentally or unlawfully destroyed, lost, altered, disclosed or accessed without authorisation.

  1. Do you have any questions or complaints?

14.1 If you have any questions or complaints about how we process your personal data, please address them first to our contact person for data protection issues using the contact details provided in the Policy.

14.2 You have the right to lodge a complaint with the competent supervisory authority. The competent authority for Belgium is the Data Protection Authority, Rue de la Presse 35, 1000 Brussels, +32 (0)2 274 48 00, contact@apd-gba.be.

  1. Anything else?

15.1 We reserve the right to update the Policy from time to time. We will notify you of any changes we make to the Policy.

15.2 In the event of any conflict or inconsistency between any provision of the Policy and any provision of any other policy or document relating to the processing of personal data, the provision of the Policy shall prevail.