Privacy and Policy
last update made on: 04 January 2022
2 Company / Controller
Pregenic Solutions Pvt. Ltd.
Flat 102 B-134 Pearl Pleasure Apt, Jaipur-302004, Rajasthan
(“Pregenic”, “we”, “us”, “ours” etc.).
- It is important to us that your Personal Data is kept secure and confidential. We have procedures for collecting, storing, deleting, updating and disclosing Personal Data to prevent unauthorized access to your personal data and to comply with applicable law.
- When we ask you to make your personal data available to us, we will inform you about the types of personal data we process and for what purposes. You will receive this information when we collect the personal data in question.
4 Categories of personal data and data subjects
1. We typically collect and process the following categories of Personal Data
- Ordinary personal data:
- Sample no.
- Name, for shipping purposes – is deleted after shipping
- Address, for shipping purposes – is deleted after shipping
- Email address
- Special categories of Personal Data:
- Health data
- DNA profile
- Ordinary personal data:
(collectively your “Personal Data”)
2. We typically collect and process Personal Data about the following data subject categories:
- Potential customers
- Customers (current)
- Former customers
- Contact persons at suppliers, public authorities and other business partners
- Visitors on Pregenic website and/or on Pregenic’s , including Facebook, LinkedIn and Instagram.
5 Legal basis for processing of Personal Data
- Processing of ordinary Personal Data
- Our legal basis for processing ordinary Personal Data lies first and foremost in our relationship with the customer and in being able to manage the service agreements. As a rule, we will have the right to process the necessary ordinary Personal Data in accordance with Article 6 (1), points a-c and point f, including article 9 (2), points a and f and sections 6 and 7 of the Data Protection Act.
- The above provisions govern the basis for processing Personal Data if (i) consent has been provided by the data subject, (ii) the processing is necessary to perform our services under our service agreement or to take other actions at the request of the customer prior to the completion of a service agreement, (iii) the processing is necessary to comply with a legal obligation, (iv) the processing is necessary to fulfil essential interests that exceed the interests of the data subject, or (v) the processing is necessary for a legal claim to be established; claimed or defended.
- It is our assessment that the personal data we process in relation to a customer, a partner or a supplier or a public authority will largely be provided for in the stated regulations.
- Processing of special categories of Personal Data
- We process special categories of your Personal Data, i.e. your health data and DNA profile, for the purpose of delivering our services to you and fulfil the service agreement we have entered into upon your request.
- We process special categories of your Personal Data based on your consent in accordance with GDPR Article 9 (2), point a, and Article 6 (1), point a. It is voluntary for you to provide your consent and you may withdraw your consent at any time by contacting Pregenic at firstname.lastname@example.org. However, please note that we will not be able to provide our services to you without your consent to process special categories of your Personal Data.
- Processing of Personal Data in relation to the administration of service agreements
- We process your Personal Data in order to fulfil the service agreement we have made with you or to act at your request in connection with the conclusion of the service agreement. We also process your Personal Data to continuously manage the service agreement we have entered into. Our legal basis for processing of your Personal Data in connection with the conclusion of the service agreement is in accordance with GDPR Article 6 (1), points a-c and point f and section 6 (1) under the Data Protection Act and based on your consent in accordance with GDPR Article 9 (2), point a, and Article 6 (1), point, with respect to processing of special categories of Personal Data.
- It is voluntary to sign up for Pregenic’s newsletters. If you sign up for our newsletters, we will record the contact information you have entered and the choices of news you want to receive. If you no longer wish to receive newsletters from us, you can unsubscribe by using the unsubscribe link in the email or by contacting us at email@example.com.
- Marketing in general
- In connection with marketing purposes, the processing of Personal Data is primarily based on GDPR Article 6, (1) point f and section 6 (1) of the Data Protection Act. We assess from time to time whether it is appropriate to obtain consent, for example, whether it is appropriate to obtain consent in connection with the use of imagery for our website, in newsletters, on social media, etc. If the processing of Personal Data is based on consent, our legal basis in the GDPR is Article 6 (1), point a, and section 6 (1) under the Data Protection Act.
6 Your rights
- You have certain rights with respect to the Personal Data that Pregenic processes about you. You have the following rights:
- Right to insight is the right to know if your Personal Data is processed and, if so, the right to obtain a copy of the Personal Data.
- Right to data portability is the right to receive Personal Data about yourself that you have given to Pregenic.
- Right to rectification is the right to correct wrong Personal Data.
- Right of deletion / right to be “forgotten” is the right to have, with certain restrictions, your Personal Data deleted without undue delay.
- Right to object is the right to object to our processing of your Personal Data.
- Right to restrict processing of Personal Data is the right to restrict handling of Personal Data, e.g. if a request for deleting of data cannot be granted.
7 General data processing principles
- Data processing principles
- We will process the data subject’s Personal Data lawfully, fairly and in a transparent manner.
- Our processing of Personal Data is subject to a purpose limitation, which means that Personal Data must be collected for explicitly stated and legitimate purposes. They may not be further treated in a manner incompatible with those purposes.
- We process Personal Data based on a principle of data minimization, which means that it must be sufficient, relevant and limited to what is necessary for the purposes for which it is processed.
- Personal Data must be processed based on a principle of accuracy, which means that it must be correct and, if necessary, up to date.
- We process Personal Data based on a retention-limit principle, which means that Personal Data must be stored in such a way that it is not possible to identify the data subjects for longer than required for the purposes for which the Personal Data is processed.
- Personal Data must be processed based on a principle of integrity and confidentiality, which means that it must be processed in a way that ensures adequate security of the Personal Data, including protection from unauthorized or unlawful processing and from accidental loss, destruction or damage, using appropriate technical or organizational measures.
- Risk analysis
- In the course of our case process, we must carry out the technical and organisational measures to ensure a level of security that fits the risks specifically associated with our processing of Personal Data.
- Data protection impact assessments (DPIA)
- The GDPR Article 35 requires that if processing, particularly by using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of Personal Data.
- The obligation to carry out an impact assessment applies only in exceptional cases where there is a high risk involved regarding the rights and freedoms of individuals.
- It is our assessment that we will rarely carry out treatments that meet one of the above criteria. It must therefore be assumed that the rules on impact assessment will have a relatively limited scope in relation to our treatment of customers’ Personal Data.
- If an impact assessment is carried out anyway, the results of the assessment will be considered when taking appropriate measures
- Data Protection Officer (DPO)
- Under the GDPR article 37 the obligation to appoint a Data Protection Officer requires that the processing of Personal Data is included as a “core activity”, when:
- processing activities are carried out which, by their nature, scope and/or purpose, require regular and systematic monitoring of data subjects to a large extent, or
- processing sensitive information to a large extent, or
- processing a large amount of Personal Data relating to criminal convictions and offences.
- It is our assessment that Pregenic does not process Personal Data to the above extent. We have therefore chosen not to appoint a Data Protection Officer.
- As a result of the principle of accountability – regardless of the fact that Pregenic is not obliged to appoint a Data Protection Officer – we have appointed a person in our organization who is responsible for ensuring an adequate level of data protection in the case of treatment of our customers’ Personal Data.
- Regarding Personal Data about our customers, we will work independently, including independently assess whether there are grounds for collecting/processing Personal Data, what Personal Data is relevant and necessary, and how long Personal Data should be stored. In this situation, Pregenic will therefore act as a data controller.
- Data Processing Agreements
- If we are data controllers and have considered that a data-trading structure is available with one of our suppliers, a data processing agreement must be drawn up.
- The data processing agreement shall be entered between us (the controller) and the other party (the data processor) and shall comply with the applicable requirements for data process agreements as referred to in Article 28 (3) of the GDPR. This implies drawing up a contract or other legal document binding on the data processor. It is also a requirement that the data processing agreement be in writing, including electronically.
- In addition, the GDPR sets several specific requirements for the content of the data processing agreement. The agreement must include information on the status and duration of the processing, the nature and objectives of the processing, the type of Personal Data, categorization of data subjects and our obligations and rights as controller, as well as the duties of the data processor in relation to performing the task. The requirements are specifically described in GDPR Article 28 (3), points a-h.
- Transfer of Personal Data to third countries
- Pregenic’s treatment of Personal Data will predominantly take place within the EU.
- If it is necessary to transfer Personal Data to a third country or international organization located outside the EU/EEA, we shall ensure prior to the transfer of Personal Data to the third country or international organization that the transfer of Personal Data is carried out in a manner that constitutes sufficient guarantee that the Personal Data is protected, including in certain cases the use the EU Commission’s standard data protection contract provisions and, where deemed necessary, supplementary measures to ensure the protection and integrity of your Personal Data.
- Data processors
- In some cases, we use external companies to carry out the technical operation of Pregenic’s IT systems, etc. In some cases, these companies act as “Data Processors” for Pregenic.
- The Data Processor acts solely on our instructions and the Data Processor has taken the necessary technical and organizational security measures against the accidental or unlawful destruction, loss or deterioration of Personal Data and against the disclosure of unauthorized persons, misrepresentations or otherwise being processed in breach of applicable data protection legislation.
- In certain cases, our Data Processors use other data processors to process Personal Data for which Pregenic is the data controller. Other Data Processors may be established inside and outside the EU/EEA.
10. Other disclosure of Personal Data
- Personal Data may also be disclosed to:
- Insurance companies
- Credit institutions
- External law firms
- Other suppliers
- Personal Data may also be disclosed to:
- We do not use your Personal Data for profiling.
8 Security measures
- We have taken the necessary technical and organizational security measures to protect your Personal Data from accidental or unlawful destruction, loss or change and from unauthorized public disclosure, misuse, or other conduct in violation of applicable law.
- We use encrypted database protected with a wide range of security measures and access restrictions.
- Personal Data can be accessed only using an encrypted SSL or VPN connection. When sending data, al files are transferred securely via HTTPS and using TLS encryption (version 1.2 or higher).
- Denied access attempts are monitored routinely to ensure that no attempts are made to gain unauthorized access to the Data Controller’s data.
- All files are digitally signed to ensure no tampering. It also uses several anti-hack security measures, including ASLR (randomizing memory addresses), DEP (validating code is run from expected locations) and SEH (ensuring only valid exception handlers).
- Access to Personal Data is limited to persons who have a need for access to Personal Data. Employees who process Personal Data are instructed and trained to know what to do with Personal Data and how to protect Personal Data.
- Log records are routinely spot checked to ensure that Personal Data are accessed solely in accordance with the instructions under which the employee works.
- When documents (papers, filing data, etc.) with Personal Data are thrown out, shredding or other measures are used to prevent unauthorized persons from accessing Personal Data.
- Passwords are used to access PCs and other electronic devices with Personal Data. Only the persons who need access will have a code and then only for the systems that he or she needs to use. Persons with access codes must not leave the code to others or leave it for other to see. Check-ups on assigned codes will be carried out at least once every six months.
- PC’s connected to the Internet have an updated firewall and virus control in-stalled.
- If sensitive Personal Data or Social Security number is sent by email over the Internet, such emails must be encrypted. If you send Personal Data to us by email, please be aware that this is not secure if your emails are not encrypted. We advise you to not send us confidential or sensitive Personal Data by email unless this is specifically agreed in advance so that we can ensure the necessary level of security.
- In connection with the repair and service of data equipment containing Personal Data and when data media is to be sold or discarded, we take the necessary measures to ensure that the Personal Data cannot come to the attention of unauthorised persons. For example, by using declarations of confidence.
- When using an external data processer to process Personal Data, a written agreement is signed between us and the data processor. This applies, for example, when an external document is used or if cloud systems are used in the processing of Personal Data – including communication with the customer. Similarly, a written agreement is always made between us and our customers if we act as data processors. The data processing agreements are also available electronically.
- Pregenic takes backup of all data bases and files on shared drives. Backup is stored on an external server.
- All backup data and files are overwritten (deleted) in intervals of 30 days.
9 Retention periods and deletion
- Deletion – When
- Upon termination of the contractual relationship with a customer or supplier, we will delete the Personal Data from the customer in question or supplier relationship as soon as it is no longer necessary to retain the applicable Personal Data. The fact that we may protect your or our interests through possible liability may involve the retention of Personal Data for 3 years (or in exceptional circumstances for a longer period) after the end of our agreement with the customer or supplier.
- However, several other considerations, as well as specific rules, mean that Personal Data should not always or must not be deleted until a certain period has elapsed.
- The accounting rules mean that Personal Data linked to a payment must be kept for 5 years + the current calendar year after the end of the financial year. This is the case regarding information on the payment of service fees.
- If Personal Data is obtained based on your consent, we will in principle delete the Personal Data obtained based on consent immediately after you withdraw your consent. However, with regard to marketing, we are obliged to keep the documentation, stating that we lawfully asked for your consent, for 2 years from the latest marketing material sent to you. This also applies to newsletters you have been signed up for.
- Deletion – How
- Deletion of Personal Data means that Personal Data is irrevocably removed from all storage media on which it has been stored and that Personal Data cannot be restored in any way.
- Alternatively, Personal Data can be completely anonymised with the effect that it can no longer be assigned to a person. In that case, the regulation of Personal Data does not apply at all and complete anonymisation is therefore an alternative to deletion. However, it is important to bear in mind that anonymisation – as an alternative to deletion – pre-supposes the deletion of all traces that may lead to the person to which the information relates. It is usually a very difficult practice.
- After deletion/anonymisation, we will carry out appropriate cross-checks in the form of searches by name, email address, etc. the customer and the specific case to ensure that nothing appears.
10 Anonymisation of data for statistical purposes
- Pregenic may use the anonymization of data from customers for statistical and research purposes, as well as to improve systems, processes, and products. This means that results cannot be used to identify specific individuals. Thus, irrevocable anonymization is carried out so that the data subject can no longer be identified.
12 Contact information
13 Right of complaint
- If you have any questions or concerns regarding Pregenic’s processing of your Personal Data, we encourage you to contact us at firstname.lastname@example.org. We will be happy to answer your questions and address any concerns you may have regarding our data processing.