Hereunder you will find the information on how Genorama LLC (hereinafter: Genorama) processes and protects your personal data:

1. Collecting of personal data, defining data controller and data processor

Genorama is a world-renowned genetic testing company that provides various genetic testing and microbiome analysis services (hereinafter: the Services) and is engaged in the development of such tests. In order to provide you with the Services, Genorama must process your personal data, including your health and biometric data.

The data collected and processed by Genorama may include your name, personal identification number or date of birth, nationality, phone number, e-mail address, home address, bank account details and other data needed for the provision of Services, but also the data pertaining to your health, genes and microbiome (hereinafter: the Data). Genorama collects and receives the Data from you when you place the order for Services. In relation to the Data received from you, Genorama is the data controller within the meaning of data protection legislation.

In case the Services are ordered by a medical institution or a distributor, your Data is collected and passed to Genorama by your doctor, another healthcare specialist or an employee of such distributor. In this case Genorama is regarded as the data processor and such medical institution or distributor as the data controller within the meaning of data protection legislation.

In case you belong to an organization of Genorama’s partner (medical institution or distributor of Services, etc.), then Genorama wishes to process your Data (mainly your name, e-mail address, and data related to your position and organization/employer) in order to send you marketing materials and offers, to inform you about the changes and developments in our Services portfolio and in the testing field that may interest you.

2. Principles of processing the Data

Genorama processes Data in compliance with the European principles of data protection – such as the lawfulness, fairness, transparency, purpose limitation and data minimization principles, etc. – and the requirements of applicable laws. Genorama considers your interests, rights and freedoms to be the priorities when processing the Data.

3. The ground and extent of processing the Data

As a data controller Genorama processes your Data mainly for the performance of a contract concluded with you for the provision of Services. Genorama processes your Data only to the extent needed for the establishment of such objectives.

The processing of Data may also be necessary for the performance of Genorama’s obligations arising from the law (e.g. in relation to providing information to the Estonian electronic health system, accounting etc.).

In some cases, Genorama may wish to use your Data for performing research or making statistics. In the first case Genorama (or your doctor or the employee of the distributor) will inform you about the possibility and ask for your consent to participate in the research when placing the order for Services. Genorama processes your Data for statistical purposes on the ground of legitimate interest of Genorama, which means the balance between the interests of Genorama and your rights. Genorama cannot provide you with the best Services or develop the Services without making statistics and analyzing the market. Nonetheless, the impact of such Data processing on your rights is minimal, as the results of such processing are impersonalized.

In case you belong to an organization of Genorama’s partner (medical institution or distributor of Services), then Genorama processes your Data for the purposes of sending you marketing information only in case you have given Genorama prior consent for that. The provision of your consent is free and independent from the Services provided by Genorama to you or your organization. In addition, you may always withdraw your consent by sending a respective notice to Genorama or by clicking the link provided at the end of the e-mail.

In case the Services are ordered by a medical institution or a distributor, then Genorama processes your Data as a data processor on behalf of and on the basis of the agreement concluded with such medical institution or distributor (i.e. data controller). In this case the ground, extent and conditions for processing your Data shall be determined by the respective medical institution or the distributor of Services.

4. Passing the Data and data processors

In case you or the person who ordered the Services for you is located in the European Economic Area, then Genorama processes your Data mainly within European Economic Area and shall not transfer the Data to third countries or international organizations. In case Genorama does this, then it guarantees that the Data shall be transferred only to such a third country or international organization that complies with the same data protection requirements that are in essence equal to the level of protection applied in European Economic Area.

In case you or the person who ordered the Services for you is located outside of the European Economic Area, then Genorama processes and passes your Data also to third countries. In this case your service provider shall guarantee that your Data is protected and processed in compliance with the laws of the state in which you or your service provider is located.

Genorama shall keep your Data confidential and shall not disclose it to third persons, except in cases where it is needed for the provision of the Services, in case you have given Genorama clear consent for that or in case there is some other legal ground for disclosure (e.g. ground arising from the law). Genorama uses modern security measures for the secure and compliant passing of the Data. Upon your request and in case it is technically possible (i.e. mainly in case you have an Estonian ID card), Genorama uses encryption for sending the answers of the tests performed in the course of provision of the Services.

In some cases, it is needed to use third persons to process the Data – these persons are called processors. Processors process the Data on behalf of Genorama only if it’s necessary for the purposes of Data processing and only on the condition that the processor provides the level of protection of the Data as required by applicable laws. Genorama uses mainly the following processors and sub-processors (provided by categories):

• Developer and controller of the Estonian electronic health system, who processes your Data to guarantee the proper functionality and development of the system;
• Other IT-services providers, who help Genorama to securely store, systemize and in other ways process the Data and guarantee the proper performance and development of the Genorama website and other software used for the provision of Services;
• Advertising and marketing partners, including messaging providers, who help Genorama to deliver marketing materials and offers to you;
• Web analytics service providers. Genorama uses Google Analytics (Google LLC) to monitor and analyze the website traffic. You can opt out from being tracked by Google Analytics by downloading and installing the Google Analytics Opt-out Browser Add-on – https://tools.google.com/dlpage/gaoptout – for your web browser;
• Payment platform providers – PayPal, Maksekeskus Ltd;
• Accounting services providers;
• Laboratory services providers.

In case Genorama processes your Data as a data processor on behalf of a medical institution or distributor of Services (please see Clause 1), then Genorama passes your Data to such medical institution or distributor of Services.

5. Storing of the Data

Genorama stores the Data on paper and electronically for as long as claims may arise from the contractual relationship or as demanded by applicable laws (e.g. Genorama must preserve the results of the tests related to provision of health care services for 30 years). The Data that is no longer needed for the provision of Services ordered by or for you or for the performance of a data storing obligation arising from the law shall be deleted within a reasonable time.

In case you have given Genorama your consent for receiving marketing materials and offers, Genorama shall store your respective Data without a term until you withdraw the consent.

6. Your rights

You have at any time the right to turn to Genorama in order to use the rights arising from law:

• Right to request information on what Data Genorama has on you;
• Right to demand the correction or deletion of the Data;
• In cases provided in the law, the right to demand restricting the processing of Data or to object to processing of the Data;
• Right to demand the transmission of the Data;
• Right to demand that you not be subject to a decision based solely on automated processing.

7. Disputes and contact details

In case you have any doubts or propositions on how Genorama processes or protects your Data, you may always contact Genorama’s Data Protection Officer via e-mail datasupport@genorama.com or telephone +372 7307 295 and we shall find together a way or solution on how to protect your privacy even better. In case you still find that in processing your Data Genorama has infringed your rights, you may turn to the Estonian Data Protection Inspectorate.

Genorama values your privacy and shall take all efforts to protect your Data and to comply with the data protection legislation.