December 5th, 2024

1. RECITALS

The protection of individuals with regard to the processing of their Personal Data (as defined below) is a fundamental right that DiaDeep takes very seriously.

DiaDeep processes Personal Data as part of its relations with its visitors, its prospects, partners, clients, employees, job applicants, contacts, investors, service providers, patients, contractors and any users of its website:
www.diadeep.com (the “Website”) (all together the “Individuals”).

DiaDeep is firmly committed to conducting its business in accordance with the applicable data protection regulations and, in particular, the General Data Protection Regulation (EU) 2016/679 of April 27th, 2016 (“GDPR”), which aims to protect individuals’ rights with regard to the collection, use, retention, transfer, disclosure and destruction of their Personal Data.

The purpose of this privacy policy (“Privacy Policy”) is to set forth the types of Personal Data DiaDeep may receive from Individuals’ interactions with DiaDeep notably through its media platforms.
DiaDeep is committed to ensuring the protection of Individuals' Personal Data, preserving its security, and upholding Individuals' rights. This includes providing clear information about its data processing activities and ensuring transparency. Below are the key sections detailing DiaDeep’s approach:
Description of the types of Personal Data collected and processed by DiaDeep.
Explanation of why DiaDeep processes Individuals’ Personal Data and the intended purposes.
Overview of the legal grounds that authorize DiaDeep to process Individuals’ Personal Data.
Information on where DiaDeep collects Personal Data from (e.g., individuals, third parties).
Identification of parties authorized by DiaDeep to access or process Individuals’ Personal Data.
Details on how DiaDeep ensures the security and protection of Personal Data against unauthorized access and breaches.
Duration for which DiaDeep retains Individuals’ Personal Data and the criteria used to determine retention periods.
Explanation of Individuals’ rights under applicable laws, such as access, rectification, erasure, and objection.
Guidance on how Individuals can contact DiaDeep and exercise their data protection rights effectively.

Please read the following Privacy Policy carefully and note that the following definitions will apply to this Privacy Policy:
Data Controller(s): DiaDeep.
Data Processor(s): natural person or legal entity who processes Personal Data on behalf of DiaDeep.
Data Recipient(s): individual or legal entity who receives Personal Data from DiaDeep. Data Recipients may therefore also be employees of DiaDeep or of external entities (e.g. partners such as healthcare organizations or healthcare professionals, suppliers, service providers, clients, exhibitors, banks, agents etc.).
Data Subject(s): the Individuals.
Personal Data: refers to any information or pieces of information that can directly or indirectly identify a Data Subject, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, mental, economic, cultural, or social identity of that individual.

2. OBJECTIVE

The purpose of this Privacy Policy is to meet the information obligation of DiaDeep under the GDPR (Articles 12 to 14) and to document the rights of the Individuals regarding the processing of their Personal Data.

3. SCOPE

This Privacy Policy applies to all processing of Individuals’ Personal Data.

DiaDeep makes every effort to ensure that Personal Data is processed within the framework of strict internal governance.
That being said, this Privacy Policy only covers Personal Data of which DiaDeep is the Data Controller and therefore not any processing that may be established or performed outside the scope of governance specified by DiaDeep.

The processing of Personal Data may be managed directly by DiaDeep or via Data Processors specifically designated by DiaDeep.

This Privacy Policy is independent of any other document that may apply in the context of the contractual relationship between DiaDeep and the Individuals. Specific privacy and data protection information notices and/or consent or non-opposition forms will be communicated to the concerned Individuals if necessary, regarding specific situations where DiaDeep may process Personal Data.

4. PURPOSES

DiaDeep does not process any Personal Data of Data Subjects if not relating to the Personal Data collected by or for its departments or processed in association with its departments and if it does not comply with the general principles of the GDPR.

DiaDeep may process Personal Data for the following purposes:
DiaDeep’s business and contractual relationship purposes
Management of contractual relationship, management of contact relationship, and business development, including without limiting the foregoing for identifying potential contractors, partners, service providers, clients.
Execution and management of the agreements concluded with DiaDeep’s academic partners (e.g. healthcare organizations such as hospitals, universities, research centers, healthcare professionals), DiaDeep’s non-academic partners (e.g. pharma companies, software companies or other corporate partners), DiaDeep’s service providers and/or DiaDeep’s suppliers.
Implementation and management of invoicing and accounting purposes.
Research and development activities
Implementation and management of research and development activities, including carrying out market research, scientific studies, whether clinical studies, observational studies, post-market studies, or any other kind of scientific research projects (including projects using data already available at DiaDeep or at DiaDeep’s partners for research purposes, and projects where additional data is derived from available human biological samples available at DiaDeep’s partners).
Compliance with legal, regulatory, industrial best practices and ethical obligations applicable to DiaDeep
Design, development, manufacturing & sales of software as medical devices in support of diagnosis, prognosis, screening in pathology (including activities of vigilance, post-market surveillance, ...).
Administrative formalities, registration, declarations, or audits, including but not limited to those applicable:
to the management of the recruitment;
in the frame of the relationship between DiaDeep and health care professionals and/or health care organizations and/or academic institutions and/or hospitals in the country where DiaDeep operates.
Compliance with the requirements of the industry standards applicable to DiaDeep and with any applicable DiaDeep’s policies.
Ensuring the security of Personal Data collected and processed by DiaDeep.
Ensuring that the Personal Data are processed in accordance with the applicable data protection laws and regulations, including for instance the processing of the first name and the last name of the Data Subjects when they exercised their rights to DiaDeep in accordance with GDPR to ensure the effective management of their request.
Marketing purposes
Implementation and management of marketing campaigns, generally via email, SMS, phone, etc. and media advertising.
Implementation, communication and management of its newsletter.
Implementation and management of targeted advertising and segmentation.
Organization and management of events in which DiaDeep participates or of which DiaDeep is a sponsor.
Implementation and management of social selling campaigns (including the collection of data relating to registrations, posts, likes, replies, forwards, comments, opinions, etc.).
Implementation and management of surveys and statistics.
Management of the recruitments
Management of the job advertisement and the job application, including the management of the pre-contractual relationship between DiaDeep and the job applicant.
Management of the Website purposes
Implementation and management of the Website (case studies, contact forms, etc.).
Protect DiaDeep’s rights and interest
Management of the investigation, pre-litigation, and litigation.
Protection of DiaDeep’s rights or those of third parties, including intellectual property rights, privacy, safety, and property.
Protect DiaDeep against any actions or omissions which are likely to cause harm to DiaDeep, including fraudulent actions or omissions.

Although the list is intended to be as exhaustive as possible, any new use or modification or withdrawal of any existing processing will be notified to the concerned Data Subjects by the publication of new versions of this Privacy Policy on the Website. DiaDeep invites the Data Subjects to check this Privacy Policy online on a regular basis to be aware of this new use, modification, or withdrawal of any existing processing.

DiaDeep is granted by the Individuals a right to process their Personal Data for the aforementioned purposes. However, any data supplemented by the processing and analysis of DiaDeep, otherwise known as supplemented data, shall remain the exclusive property of DiaDeep (usage analysis, statistics, etc.).

5. LAWFULNESS OF THE PROCESSING CONDUCTED BY DIADEEP

The purposes for which DiaDeep processes Personal Data described above are based on the legal bases described below.
The processing is necessary for the purpose of the legitimate interest of DiaDeep or a third party in the meaning of the GDPR
When DiaDeep processes Personal Data for its legitimate interest, DiaDeep shall take into account Data Subject’s fundamental rights and interest to assess if the legitimate interests pursued by DiaDeep do not create an imbalance with Data Subject’s fundamental rights and interest.
For example, the processing of Personal Data by DiaDeep is based on its legitimate interest for the following purposes:
Protect DiaDeep from fraudulent actions or omissions;
Implementation and management of research and development activities;
Management of contact relationship, and business development;
Sending newsletters about DiaDeep to healthcare professionals and/or contractors with whom DiaDeep has pre-existing relationships in the framework of their professional activities.
The processing is necessary for the purpose of the compliance with the legislation applicable to DiaDeep
DiaDeep may process Personal Data in order to comply with legal obligations applicable to DiaDeep.
For example, the processing of Personal Data by DiaDeep may be based on the compliance with legal obligations applicable to DiaDeep for the following purposes:
Monitoring adverse events or device deficiencies of marketed products;
Transparency regarding DiaDeep’s relationship with healthcare professionals and/or healthcare organizations or academic institutions or hospitals;
Financial and tax reporting;
Management of the Data Subjects access requests.
The Data Subject has given consent to the processing of its Personal Data for one or more specific purposes
DiaDeep may process Personal Data for one or more specific purposes for which the Data Subject concerned will have clearly expressed its consent for the processing of its Personal Data for these purposes.
For example, the communication of DiaDeep’s newsletter to the Data Subject concerned is based on their consent.
The processing is necessary for the purpose of the performance of a contract
DiaDeep may process Personal Data for the execution of a contract between the Data Subjects (or their employers) and DiaDeep.
For example, the processing of Personal Data by DiaDeep may be necessary for the performance of a contract for the following purposes:
Negotiation of contracts with DiaDeep’s partners, suppliers, service providers, clients;
Follow-up of DiaDeep’s contractual relationship with its partners, suppliers, service providers, clients.
The processing is necessary for reasons of public interest
When the applicable law of the Data Subject’s country entitles DiaDeep to do so, notably in the case of public interest, DiaDeep may process Personal Data of concerned Data Subjects.
For example, if in Data Subject’s country the law provides that DiaDeep may process Data Subject’s Personal Data in the area of public health to ensure high standards of quality and safety of healthcare and medicinal products or medical devices, DiaDeep could process Data Subject’s Personal Data in the frame of scientific research projects aiming to improve the products marketed by DiaDeep or third parties or to develop new medical devices.

The Personal Data that DiaDeep is processing about Data Subjects include a wide range of Personal Data and depend on DiaDeep's relationship with the Data Subjects, as well as the third parties with which DiaDeep is working, and which may provide DiaDeep with access to Personal Data.

For example, DiaDeep may process the following Personal Data:
Non-technical Personal Data (depending on the circumstances)
Identity and identification (such as surname, first name, date of birth, pseudonym, client number, username, and password).
Contact details (such as e-mail, postal address, phone number), notably for sending newsletters.
Professional data, if applicable (notably the company name, function, as well as all the Personal Data related to a candidate for a job offer such as the data related to the professional experiences and the education for the job application).
Bank details, if required.
Data relating to current contracts.
Technical Personal Data (depending on the circumstances)
Data Subjects' internet browsing history and activity data (access times, page views, forms completed on the website, URLs clicked on, IP address, etc.).
Technical information such as the type of browser and operating system the Data Subject uses or Data Subject’s device information (unique device identifier, hardware model, operating system and version, mobile network information).

In some cases, notably for its research and development activities, DiaDeep may need to process sensitive Personal Data, as defined by Article 9 of the GDPR. DiaDeep takes the protection of this sensitive Personal Data and more broadly the protection of all the Personal Data very seriously and takes all necessary measures, whether contractual, technical or organizational, to preserve the protection, integrity, and confidentiality of such Personal Data.

As provided above, specific privacy and data protection information notices and/or consent or non-opposition forms will be communicated to the concerned Data Subjects if necessary, regarding specific situations where DiaDeep may process their Personal Data.

6. PERSONAL DATA SOURCES

Personal Data is generally collected from Data Subjects directly (direct collection).

Collection may also be indirect via specialized partners, clients, service providers and suppliers of DiaDeep, which are authorized to do so in compliance with their applicable law and in application of their own privacy and data protection policies.

In such cases, DiaDeep takes the greatest of care to ensure the quality of data it receives. If Data Subjects have any question related to the initial collection of their Personal Data by the partner, client, service provider, or supplier of DiaDeep, where applicable DiaDeep could invite Data Subjects concerned to contact them directly and/or to refer to their data protection policies.

7. CHILDREN’S PERSONAL DATA

DiaDeep’s Website is not intended for children under thirteen (13) years old. DiaDeep does not knowingly process Personal Data from children under the age of thirteen (13) years old through DiaDeep’s Website.

If a parent or a guardian becomes aware that his or her child has provided Personal Data to DiaDeep through DiaDeep’s Website, he or she should contact DiaDeep's Data Protection Officer without delay to require the deletion of the Personal Data concerned in accordance with the applicable data protection laws.

For more information on how to contact DiaDeep’s Data Protection Officer, please see Article 15 (“Data Protection Officer”) of this Privacy Policy.

8. PERSONAL DATA RECIPIENTS

Taking into account the purpose(s) for which Individuals’ Personal Data are processed, DiaDeep will ensure that Personal Data can only be accessed by authorized internal and external Data Recipients which need to know them.
DiaDeep’s internal Data Recipients
Depending on the purpose(s) of the processing and the Personal Data processed, the authorized staff from DiaDeep may include:
Communications and Marketing Department;
Departments responsible for managing the partners relationship and sales development, such as: Medical devices Department; Partnership Department Business Department; R&D Department;
Finance Department;
IT Department;
Legal Department;
People Department;
Product Department;
Authorized employees from departments responsible for control and audit functions (departments responsible for internal control procedures, etc.).
DiaDeep’s external Data Recipients
Depending on the purpose(s) of the processing and the Personal Data processed, DiaDeep’s external Data Recipients may include:
Partners of DiaDeep (e.g. healthcare organizations such as hospitals, research centers, universities, healthcare professionals, service providers, suppliers, pharma companies, or other corporate partners);
Legal or administrative authorities, as required by the applicable laws and regulations to which DiaDeep may be subject;
Potential acquirers and other stakeholders in the event of a corporate operation such as a change of control of DiaDeep, resulting from a capital increase, merger, demerger, or by the total or partial sale of the business activities.

Data Recipients of the Personal Data are bound by a confidentiality obligation. In any case, DiaDeep only provides them with the information strictly needed to process Personal Data in compliance with the purposes identified.

DiaDeep decides which Data Recipients may access which Personal Data by means of a contract or internal policies.

Personal Data may also be forwarded to any authority legally entitled to receive it. In such cases, DiaDeep is not liable for the manner in which said authorities access and process the Personal Data but will limit the Personal Data accessed by these authorities to the strict minimum required by such authorities.

DiaDeep will never sell Personal Data to any third parties.

9. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATION

If, as part of the processing activities described above, DiaDeep needs to transfer Personal Data from Data Subjects established in the European Economic Area (“EEA”) to recipient(s) located outside of the European Economic Area, such as its service providers and/or its partners and/or its affiliates, DiaDeep will ensure that adequate and appropriate safeguards are implemented as required by the GDPR (e.g. ensuring an adequacy decision from the European Commission is in force in accordance with Article 45 of the GDPR, or a binding legal act or European Commission Standard Contractual Clauses have been signed with the recipient where applicable).

10. RETENTION PERIOD

The retention period of Personal Data is defined by DiaDeep in accordance with its legal and contractual obligations and, failing this, depending on the specific needs, notably in accordance with the following principles:
Clients and partners’ Personal Data
For the duration of contractual relations with DiaDeep, which includes the duration of the contract, the terms of the warranties plus five (5) years for legal requirements, without prejudice to storage and retention obligations or the statute of limitations.
Job applicant’s Personal Data
Unless otherwise requested by the job applicant, their Personal Data are processed and stored for two (2) years from the collection of their Personal Data. DiaDeep may request the job applicant to extend this retention period of two (2) years every two (2) years.
The retention period set forth above is without prejudice to the storage and retention obligations or the statute of limitations that may apply to DiaDeep.
Personal Data relating to contacts and potential clients
Three (3) years from collection of the Personal Data by DiaDeep or from the last contact made by the potential client or contact.
Information related to bank details (i.e. data related to bank or payment cards)
until full payment is made or;
until the goods are received or the service is provided. This period shall be extended by the withdrawal period for distance sales of goods and services.

Data Subjects are reminded that deletion or anonymization are irreversible operations and Personal Data cannot be subsequently restored by DiaDeep. As such, it will no longer be possible to identify any Data Subjects, even indirectly, and any link between you and your data will be deleted. Once Personal Data has been anonymised, no one will be able to link the anonymised data and the initial Personal Data, and DiaDeep will no longer be able to comply with Data Subjects’ requests to exercise their rights as described below.

11. DATA SUBJECTS’ RIGHTS

As Data Subjects and in accordance with applicable data protection laws, Individuals are entitled to exercise the following rights:
Confirmation and access right
Data Subjects are entitled to request DiaDeep to issue confirmation of whether or not their Personal Data is being processed and will benefit from access rights and a right to request a copy of their Personal Data. Any abuse of this right will be subject to costs that would be borne by the Data Subjects.
If Data Subjects request a copy of their Personal Data via electronic means, the requested information will be provided in a commonly used electronic format, unless specified otherwise.
Data Subjects are notified that this access right may not cover confidential information or data for which communication is prohibited by law.
The access right may not be exercised in an abusive manner, i.e. exercised legally with the sole objective of undermining the proper execution of the service in question.
Updating and rectification rights
Data Subjects are entitled to request DiaDeep to rectify their Personal Data, in the event that their Personal Data should be inaccurate, incomplete, or obsolete.
Right to oppose the processing activities
Data Subjects are entitled to oppose the processing of their Personal Data, subject to the legal and/or regulatory restrictions that may exist with respect to this opposition right.
For instance, with respect to the newsletter sent by DiaDeep to the Data Subjects, each of them can opt out at any time by clicking the “unsubscribe” link at the bottom of DiaDeep’s newsletters.
Right to deletion
The deletion right of Data Subject does not apply where processing is conducted in compliance with a legal obligation or if the processing is necessary for the establishment, exercise, or defense of legal claims.
In other circumstances, Data Subjects may request deletion of their data if any of the following criteria are met:
the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
if a Data Subject withdraws the consent on which the processing has been based and there exists no other legal basis;
the Data Subject objects to processing required for DiaDeep to pursue its legitimate interests and there exists no other pressing and legitimate reason to continue processing;
the Data Subject objects to the processing of its Personal Data for marketing purposes, including profiling;
the Personal Data has been processed unlawfully.
In accordance with legislation of Personal Data protection, Data Subjects are notified that this is an individual right that may only be exercised by the Data Subjects in relation to their own information.
Rights to restrict processing
Data Subjects are notified that the right to restrict processing is not intended to apply when the processing conducted by DiaDeep is made in order to comply with laws and regulations applicable to DiaDeep and/or when the processing of the Personal Data is necessary for performance of its services.
Personal Data Portability right
DiaDeep will accede to Personal Data portability requests in the specific circumstances of Personal Data communicated by Data Subjects personally, via online services provided by DiaDeep itself and for purposes based solely on personal consent.
In such cases, the Personal Data will be communicated in a structured and commonly used format able to be read by a machine.
Automated individual decision-making
DiaDeep does not conduct automated individual decision-making.
Rights after death
Data Subjects are notified that they have the right to issue instructions concerning the retention, deletion, and communication of their data after their death.

Any request related to the exercise of the rights described above shall be subject to a written request sent by e-mail at dpo@diadeep.com or by post at Legal Department – DiaDeep – 24 Rue du Dauphiné, 69003 Lyon 03 - France, accompanied by a copy of a signed identity document. In accordance with data protection laws and regulations, Data Subjects are notified that the rights set forth above are individual rights that may only be exercised by the Data Subjects themselves in relation to their own information, so that for security reasons, DiaDeep must verify Data Subject’s identity before communicating any Personal Data to the concerned Data Subject. Once the identity has been verified, DiaDeep will destroy the signed identity document provided by the Data Subjects.

The response time for Data Subject’s request may vary depending on the complexity of the request or if the Data Subject submitted a large number of requests.

Notwithstanding the right of deletion described above, DiaDeep will retain the Personal Data associated with the deletion request in order to be able to track the deletion request and its management.

12. DATA PROCESSORS

DiaDeep notifies Data Subjects that it may engage any Data Processor of its choice to process their Personal Data.

In any such case, DiaDeep ensures that the Data Processor complies with its obligations under applicable data privacy laws and regulations and in particular with the GDPR.

DiaDeep undertakes to sign a contract with all Data Processors, imposing on the latter the same Personal Data protection obligations that apply to DiaDeep. Furthermore, DiaDeep reserves the right to perform an audit on the Data Processor to verify the latter's compliance with its obligations under the GDPR.

13. SECURITY

DiaDeep has implemented technical and organizational measures to protect the integrity and confidentiality of Data Subjects’ Personal Data.
These measures take into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects.

These measures include, for instance, security techniques of a physical or logical nature which DiaDeep judges to be appropriate to prevent the destruction, loss, degradation or unauthorized disclosure of Personal Data in an accidental or illegal manner. The main elements of these measures include notably and without limitation:
Management of Personal Data access rights;
Internal back-up;
Identification processes;
Security audits;
Implementation of an IT system security policy;
Implementation of business continuity and disaster recovery plans;
Use of security protocols and/or solutions.

14. PERSONAL DATA BREACH

In the event of any breach of Personal Data, DiaDeep undertakes to notify the competent data supervisory authority (e.g. you can access the list of the competent supervisory authority within the European Union by visiting the website of the European Data Protection Board) as set out in the GDPR.

Should any such breach present a high level of risk for Data Subjects and the Personal Data has not been protected, DiaDeep shall:
Notify the Data Subjects concerned;
Issue the necessary information and recommendations to the Data Subjects concerned.

15. DATA PROTECTION OFFICER

DiaDeep has appointed a Data Protection Officer. The contact details of the Data Protection Officer are as follows:
E-mail address:
dpo@diadeep.com;

Should Data Subjects wish to obtain any particular information or pose a specific question, they may contact the Data Protection Officer who will provide a response within a reasonable period in light of the question posed or information requested.

In the event of encountering any problem with the processing of Personal Data, Data Subjects may contact the Data Protection Officer.

16. PROCESSING RECORD

As Data Controller, DiaDeep undertakes to maintain a record recording all completed processing activities. This record is a document or software that lists all processing conducted by DiaDeep in its capacity as Data Controller.

DiaDeep undertakes to provide any competent supervisory authority on request with all information enabling said authority to verify the compliance of processing with applicable Personal Data protection regulations.

17. RIGHT TO SUBMIT A COMPLAINT TO SUPERVISORY AUTHORITY

Data Subjects concerned by the processing of their Personal Data have the right to submit a complaint to the competent supervisory authority (e.g. you can access the list of the competent supervisory authority within the European Union by visiting the website of the European Data Protection Board) should they believe that the processing of their Personal Data does not comply with the applicable data protection laws and regulations.
The list of supervisory authorities is available at the following address:
For the countries of the European Union:
https://www.edpb.europa.eu/about-edpb/about-edpb/members_en;
For the United Kingdom:
https://ico.org.uk/make-a-complaint/

18. AMENDMENT OF THIS PRIVACY POLICY

This Privacy Policy may be amended or supplemented at any time in the event of legal or judicial developments, or in response to new uses and any decisions or recommendations issued by the competent supervisory authority or in order to reflect the changes of DiaDeep’s practices.

Any new version of this Privacy Policy will be available on this page. Therefore, DiaDeep invites the Data Subjects to check this Privacy Policy on a regular basis.

19. FOR FURTHER INFORMATION

For any further general information about Personal Data protection, please consult the website of the competent supervisory authority (e.g. you can access the list of the competent supervisory authority within the European Union by visiting the website of the European Data Protection Board).

20. INFORMATION RELATING TO THIS PRIVACY POLICY

If Data Subjects need any further information or assistance, do not hesitate to contact DiaDeep at the following address:
By e-mail at:
dpo@diadeep.com;
Or by post at the attention of the Legal Department – DiaDeep – 64 Bd du 11 Novembre 1918, 69100 Villeurbanne, France.