This Privacy Statement applies to you and your personal data because you are a customer of a subject that is part of the CBC Group. The subject of the CBC Group is a company that acts as a controller in the processing of your personal data. For the purpose of this Privacy Statement, the CBC Group subject with which you have a contract (controller) is responsible for protecting your personal data. This statement explains how we will use personal information that we obtain from you or from third parties for the duration of your contractual relationship with CBC. Please note that since this statement applies to the entire CBC group, small local differences may occur as the specific information is processed for individual purposes. For detailed information, please contact your local data protection officer (see below).
We may update this statement from time to time and, if this happens, we will inform you here. This version of the Privacy Statement was released on 1.4.2018.
1. Types of personal data
We process the following data:
- Personal contact information. For example, your name, surname, address, home address, mailing address, email address, contact phone number, ID card number, birth number, academic title, birth date.
- Work contact information. For example, the business address you represent, a working email address, and a phone number.
- Contract data. For example, the content of a contract with our company, including all its additions, the scope of services provided, the type of terminal equipment, its designation.
- Information about family members and family members. For the purpose of incorporating into preferred groups of customers.
- Health facts. For example, microbiological and serological examinations of umbilical cord blood.
- Payment information. For example bank account number and amount of paid services.
- Correspondence and communication data. For example email correspondence, Internet data transfers and IP addresses.
2. Purposes and objectives of data processing
The Controller will process your data for the following purposes:
- Customer Administration. We keep personal records of all our customers and their services. Based on the analysis of our records, we also make strategic choices for our customers. The legal basis of the processing is the fulfillment of the contract concluded between us and the data subject, the fulfillment of the legal obligation.
- Processing and storage of umbilical cord blood, umbilical tissues, and placental tissue. Part of the care is a Return form, which the parent fills in after one year of age of the child due to the detection of diagnoses such as hemato-oncological diseases (severe anemia, severe immunodeficiency, etc.), to discuss with the client the justification of keeping the collection. At the same time, however, we do not insist on sending a Return form if the client does not explicitly wish to do so. The legal basis is a legitimate interest (in the sense of a reasonable expectation that the controller seeks to maintain the usability and quality of the collection).
- Direct marketing. We are engaged in the development of our customer’s offers tailored to them. The legal basis for the processing is the legitimate interest of the controller and the consent of the data subject.
- Taxes and accounting. In order to fulfill the obligations arising from the Tax Act and other financial-related regulations, we are obliged to process certain personal data. The legal basis for processing is the fulfillment of a legal obligation.
- Dispute resolution and infringement investigations. We may process personal data for the purpose of resolving disputes, complaints or legal proceedings, or if we suspect the offense that we would like to investigate further. The legal basis for the processing is the legitimate interest of the controller and the fulfillment of contractual obligations under the contract in which the data subject acts as a contracting party.
- Compliance with the law. We may need to process your personal information to comply with the law (e.g. match your name with names on the so-called designated lists and comply with the law on money laundering) or to comply with a court order. The legal basis for processing is the fulfillment of a legal obligation.
- Data sharing with parent company Cord Blood Center AG. Your data in the necessary scope of services provided will also be provided by the decision of the Office for Personal Data Protection of the Slovak Republic within the CBC Group in order not to contact you with the services you have purchased from us and to benefit from the benefits of the CBC Group. The legal basis is the legitimate interest of the controller and the consent of the data subject.
- Marketing consents. We may also use other data, but only on the basis of special consents that we request from you in advance. The legal basis is the consent of the data subject.
- Voice recordings. Personal expressions from calls to call centers. The legal basis is the consent of the data subject.
- Processing a request for the provision of information related to the services provided by controller (Customer Center). We process the personal data of the data subjects (our customers or potential customers) for this purpose based on the consent of the data subject, to the extent of the data filled in by the data subject in the relevant contact form published on our website. Personal data are stored until the request is processed (until the required information is provided), but for a maximum of one year. The provision of data is voluntary, but without their provision it is not possible to process the request. You can revoke your consent at any time by sending an email to: email@example.com. Withdrawal of consent shall not affect the lawfulness of the processing resulting from the consent prior to its withdrawal.
3. Parties that may have access to your data
Controller may share your data with third parties in the following circumstances:
- We may share your personal information with other third parties acting on our behalf, such as your service provider. In such cases, these third parties may use your personal information only for the purposes described above and only in accordance with our instructions;
- Our employees will have access to personal data. In such a case, access shall be granted only if it is necessary for the abovementioned purposes and only if the employee is bound by the obligation of confidentiality;
- If required by law or court order, we may share your personal information with, for example, our suppliers or clients, tax authorities, social security authorities, law enforcement agencies or other governmental authorities.
4. Location of your personal information
Our employees will have access to your personal data within the European Economic Area while in our care. Access to your data will also be available in Switzerland, which has laws guaranteeing a level of data protection similar to that of the European Union.
5. Storing personal data
We keep your personal data for a limited time, and these data will be deleted when they are no longer needed for processing, and other valid legislation does not require you to archive the data for a longer period of time. In most cases, this means that we will store your data for the duration of your contract. As far as possible, we will delete the data as long as your contract is in force as soon as it is no longer necessary. In any case, we will erase your personal records within 24 months after the termination of the contractual relationship, unless local legislation requires them to be retained.
We may process your personal information for a longer period of time after termination of the relationship in the event of a continuing legal dispute or if you have granted us permission to store your personal data for a long time.
6. Legal basis for processing your data
In most cases, we process your personal information on the basis that the processing is necessary for the purposes of the legitimate interest we are pursuing, on a contractual basis or on the basis of your consent as the data subject or by law as a separate regulation. In many cases, we will also need to process your personal information on a legal basis. In the case of consent processing, you always have the option to cancel your consent.
7. Your rights under the General Data Protection Regulation
According to the GDPR, you have certain rights.
Right of access by the Data Subject
You are entitled to a copy of the personal information we have about you as well as some details on how we use it. Your personal information will normally be provided to you in writing, unless otherwise requested, or if you have requested it by electronic means, the information will be provided electronically if possible.
Right to rectification
We take reasonable steps to ensure the accuracy and completeness of the information we have about you. However, if you do not think so, you can ask us to update or supplement this information.
Right to erasure
Under certain circumstances, you have the right to ask us to delete your personal information, for example, when the personal data we have obtained is no longer necessary for the original purpose or when you withdraw consent. However, this will need to be balanced with other factors. For example, we may have legal and regulatory obligations, which means we will not be able to meet your request.
Right to restriction of processing
Under certain circumstances, you are entitled to ask us to discontinue your personal information, for example, when you believe that the personal information we have about you may be inaccurate or if you believe that we no longer need your personal data to be used.
Right to data portability
Under certain circumstances, you have the right to ask us to transfer the personal data you have provided us to another third party of your choice.
The right to object
You have a right to object to data processing that is based on our legitimate interests, as is the case here. If we do not have a valid legitimate reason for processing when you file an objection, we will not process your personal data further. However, please note that we may not be able to provide certain services or benefits unless we are able to process the necessary personal data for that purpose.
Unsubscribing from marketing offers, news and business information
In accordance with the rights of the data subject, the customer has the opportunity to unsubscribe from receiving marketing offers, news and business information. In the case of e-mail communication, each such electronic message includes an “unsubscribe” section at the bottom which ensures that e-mail address will be excluded from further receiving. In the case of marketing offers, news and business information received in a different form than e-mail communication (eg. SMS, MMS, (land) mail, etc.), it is possible to exercise the right of data subject to unsubscribe by direct request at this contact address: firstname.lastname@example.org. In order to meet such a data subject requirement, the controller is obliged to properly verify the identity of the data subject.
Rights related to automated decision making
You have the right to refuse automated decision-making, including profiling, which has a significant legal or similar effect on you. Group companies typically do not use automated decision making or profiling, but if you were the subject of an automated decision and you disagree with the result, you can contact us through the contact details below and ask us to review the decision.
Right to cancel consent
In most cases, we do not process your personal information with your consent. However, it may happen that we ask for your consent in specific cases. Where we do, you have the right to withdraw your consent to the further use of your personal information.
8. Contact details
If you would like to contact our Data Protection Officer (DPO), please send an email to email@example.com.
If you would like to file a complaint about how we process your personal information, even with respect to the above rights, you can contact our Data Protection Officer, and your suggestions and requests will be reviewed.If you are unhappy with our response or believe that we process your data unfairly or unlawfully, you may complain to the Supervisory Authority of the Office for the Protection of Personal Data.
If you have any further questions regarding the processing of your personal data, you can contact us through our Data Protection Officer.