Introduction
The Cerba laboratory, whose head office is located at ZAC des Epinaux, 10-12 Avenue Roland Moreno, 95740 Frépillon, processes your personal data as part of its medical biology activity, in compliance with current legislation, and in particular Regulation (EU) 2016/679 of 27 April 2016 ("RGPD").
This policy provides you with information on how your personal data is processed by the medical biology laboratory, as well as on the potential re-use of your biological residues as provided for in the French Public Health Code.
This policy, which is accessible on our website, is updated regularly to take account of legislative and regulatory developments and any changes in the processing operations carried out by Ketterthill. This version of the policy is a translation of the French Version of said policy. In the event of contradiction, the French version of the privacy policy shall prevail.
This policy was updated on 11/03/2024.
To find out more about the treatments carried out by the Cerba laboratory for colorectal cancer screening, you can consult the data protection policy on the screening website.
What are our commitments?
We undertake to comply with the applicable regulations for all processing of personal data that we carry out. Therefore, we undertake to comply with the following principles:
We process your personal data lawfully, fairly and transparently;
We collect your personal data for specific, explicit, and legitimate purposes and will not process it in a manner inconsistent with these purposes;
We ensure that personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
We make every effort to ensure that the personal data is accurate and, if necessary, updated. We take all reasonable steps to ensure that inaccurate personal data, in relation to the purposes for which it is processed, is deleted or rectified without delay;
We retain your personal data in a form that allows your identification only for the period necessary for the purposes of the processing.
We guarantee an appropriate level of security for the personal data we process.
These commitments are demonstrated as follows:
We respect your privacy.
We guarantee that the protection and security of your personal data is one of our main focuses.
We do not use your personal data for purposes that have not been brought to your attention.
We do not consider that your personal data should be stored for an unlimited period.
We do not sell your personal data to third parties.
We work with trusted partners who provide sufficient guarantees as to the implementation of technical and organisational measures so that our processing meets the requirements of the applicable regulations.
We respect your rights as a data subject and as a patient and make every effort to fulfil your requests as long as they are well founded.
How do we collect your personal data?
Your personal data has been entrusted to Laboratoire Cerba by the medical biology laboratory that took your sample, your health establishment or your prescribing health professional who took the sample.
As part of colorectal cancer screening, the data was sent to us by you using the identification form.
What personal data do we process?
We remind you that personal data is information relating to an identified or identifiable natural person (the “data subject”), such as your first and last name, postal address or data concerning health (“health data”).
We undertake to process only personal data that is strictly necessary for the purposes for which it is collected, and to keep it only for as long as is necessary for those purposes.
The categories of personal data we process are as follows:
|
Processing activity |
Legal basis |
Personal data category |
Retention period (active database**) |
|
Laboratory management (carrying out your examinations, interpreting and transmitting your results and administrative management of the practice) |
Performance of the contract/legal obligation |
Identification data*, health data* and social security number. |
5 years from last visit |
|
Anonymisation of data for re-use for scientific research or quality control purposes |
Legitimate interest (implementation of specific guarantees relating to processing for scientific research or quality control purposes) |
Health data* |
N/A (anonymised data) |
|
Listening to and recording calls made to the Customer Relations Department
|
Legitimate interests (improving service quality, training employees, evaluating employees, local management) |
Identification data, Health data |
90 days from recording |
|
Website management |
Legitimate interest (management of contacts, logins, account creation) |
Identification data*, connection data and logs, data relating to the management of contacts and the creation of accounts |
3 years from the last contact 6 months for connection logs |
|
Recruitment management |
Performance of pre-contractual measures |
|
|
|
Supplier management |
Performance of the contract |
Identification data*, professional data |
3 years from the end of the contractual relationship 10 years from the date of issue for invoices |
|
Clients management |
Performance of the contract |
Identification data*, professional data |
3 years from the end of the contractual relationship 10 years from the date of issue for invoices |
* For example, surname and first name are considered to be identification data, and biological results are considered to be health data;
** Once the storage period in the active database has expired, the data may be stored in intermediate archives for longer periods, in particular if their storage is required by the Public Health Code or to protect the rights and interests of the Cerba laboratory when longer prescription periods are provided for.
In accordance with the applicable regulations, once your analyses have been completed, the residues from your samples will be disposed of. However, unless you object, these residues may be kept for use in scientific research or quality control, either directly or after transfer to third parties, in strict compliance with medical confidentiality and the Public Health Code.
Your data will only be communicated to members of the medical biology laboratory who are authorised to do so or who need to know it.
Your data will only be communicated, where necessary, to the following recipients:
the medical biology laboratory, the healthcare establishment, the prescribing healthcare professional (unless you object) at whose request Cerba has carried out the samples and analyses;
the reference medical biology laboratories to which, if necessary, your samples are sent for analysis; subcontractors, trusted service providers of the laboratory, in charge in particular of IT or debt collection;
promoters and/or CROs for scientific research projects, quality control or statistical studies;
paying agencies;
authorised staff of Cerba HealthCare and Cerba Healthcare Gestion;
The administration as part of our legal obligations, particularly in the context of notifiable diseases (Laboé-SI, ARS, etc):
If you are a patient who has been the subject of a report as referred to in article R.3113-1 of the CSP (French Public Health Code), in particular an illness justifying urgent local, national or international intervention, your data may be transmitted, after pseudonymisation, to your Regional Health Agency (ARS); to find out more about the processing of your personal data by your ARS, and its public interest mission, you can consult the ARS's privacy policy;
Unless you object on legitimate grounds, your results may be transferred to your Dossier Médical Partagé (DMP ; shared medical record), with results being distributed via the Messagerie Sécurisé de Santé (MSSanté ; secure health messaging system), a public service offered to improve your follow-up within the laboratory and, subsequently, to share your medical information with the practitioners of your choice; to find out more about this processing, you can consult the "Mon Espace Santé" privacy policy.
We make every effort to ensure that the number of such persons remains as small as possible.
We only provide our trusted service providers with the information they strictly need to provide the service and they may not use your personal data for any other purpose.
We always make our best efforts to ensure that all our trusted service providers with whom we work maintain the security of your data.
We also ensure that when our relationship with a trusted service provider comes to an end, the service provider deletes your personal data without delay.
We select our trusted service providers with great care, ensuring that they offer sufficient guarantees, particularly in terms of expertise, reliability and resources, to implement technical and organizational measures capable of meeting the requirements of applicable legislation, particularly in terms of security. In this respect, we ensure that our trusted service providers process personal data only on our documented instructions. We also ensure that their staff have undertaken to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.
When your personal data has been entrusted to Cerba by a correspondent located outside the European Union, who has itself carried out your sampling, the results are communicated to them by us in a secure manner, and their transfer is carried out in compliance with articles 45 et seq. of the GDPR.
1. Under Regulation 2016/679 on the protection of personal data, you have the right to access, object to, rectify and delete your personal data, as well as the right to limit the processing of this data.
The right of access allows you to ask an organisation if it holds data about you and to have it communicated to you in order to verify its content.
The right to object allows you to object, on legitimate grounds, to your data being used by an organisation for a specific purpose. In the case of prospection, you may object to the processing without legitimate grounds.
The right of rectification allows you to request the rectification of inaccurate or incomplete information concerning you. This prevents an organisation from using or circulating incorrect information about you.
The right to erasure allows you to ask an organisation to erase your personal data. Please note, however, that in order to comply with our legal obligations and to establish, exercise or defend legal claims, we cannot delete the contents of your medical file.
The right to limit processing allows you to ask an organisation to temporarily freeze the use of some of your personal data.
For more information about your rights and how to exercise them, visit the CNIL’s Website.
2. You may object to the re-use of your medical waste for scientific research or quality control purposes, directly with Cerba, under the conditions set out in Article L.1211-2 of the French Public Health Code.
By e-mail to this address: rpd.cerba@lab-cerba.com ;
By mail at the following address: CERBA - RPD - ZAC des Epinaux, 10-12 Avenue Roland Moreno, 95740 Frépillon
If you feel that your rights have not been respected, particularly after contacting us, you may submit a complaint to the CNIL.
My Cerba