Data protection policy

(Updated on 2024-04-12)

Data Protection Policy

As data controller, the Biocodex Microbiota Foundation, established in France at 7 avenue Gallieni in Gentilly (94250) (hereinafter, the “Controller” or the ”Foundation”), undertakes to comply with the regulatory provisions applicable to the protection of personal data, in particular Regulation (EU) 2016/679 of April 27, 2016 – General Data Protection Regulation (hereinafter, the “GDPR”), on the processing that it implements on its website, accessible at www.biocodexmicrobiotafoundation.com (hereinafter, the “Website”). 

Définitions

With reference to Article 4 of the GDPR, the following definitions apply:

• "Personal data" means any information relating to an identified or identifiable natural person; an "identifiable natural person" is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
  This includes, for example, any information concerning the user of the Website, such as surname, first name, e-mail address, etc.
• "Processing" means any operation or set of operations, whether or not carried out using automated processes, applied to personal data or sets of personal data.
  This refers to the Website or a service offered on the Website, such as the management of the users’ requests.
• "Data controller" means the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of processing.
  The publisher of the Website acts as data controller.
• "Data processor" means the natural or legal person, public authority, department or other body that processes personal data on behalf of the data controller.
  For example, the Website host acts as data processor on behalf of the Website publisher.
• "Recipient" means the natural or legal person, public authority, department or other body that receives personal data, whether or not it is a third party.
  This may include the publisher staff authorized to manage the Website.

Generalities

The User is free to browse the Website without having to explicitly provide any personal information. However, he/she may be asked to provide personal data, for example by contacting the Controller. In addition, the Website uses "cookies", which may send data concerning the User to third-party companies.

The Website, as well as each service offered on the Website, limits the collection of personal data to what is strictly necessary and is accompanied by information detailing in particular:

• The purpose of the processing of personal data,
• The legal basis for the processing,
• The source of the data (if not supplied by the Website user),
• Whether data collection is mandatory or optional,
• Recipients of the data,
• Data retention period,
• Whether data is transferred outside the European Union,
• The rights of the individual to his or her data and how to exercise them.

Security measures

The Controller takes all necessary precautions to protect the security of the Website user's personal data, and in particular to prevent it from being distorted, damaged or accessed by unauthorized third parties.

In addition, the Website has an SSL certificate to secure data exchanges between the user and the Website.

GDPR rights

In accordance with the GDPR, the user of the Website has a right of access, rectification, deletion, portability, limitation and opposition to the data concerning him/her, which he/she may exercise, under the conditions provided by the GDPR, with the Data Protection Officer (DPO) of Biocodex (in English if French is not possible), via the e-mail address dpo[at]biocodex.com (replace "[at]" with "@") or by post: DPO BIOCODEX, 7 avenue Gallieni, 94250 GENTILLY, France; he/she also has the right to lodge a complaint with a supervisory authority (please see https://edpb.europa.eu/about-edpb/about-edpb/members_en).

Website management

What is the purpose of the processing and what is its legal basis?

The purpose of processing personal data is to manage the Website. It enables the Controller: 

• The preparation and publication of content;
• Putting services on line for users;
• Technical administration, in conjunction with the service providers involved in processing;
• Security management;
• Production of statistics on audience and use of online services.

With reference to Article 6(1)(f) of the GDPR, the processing is necessary for the purposes of the legitimate interests pursued by the Controller (promote research on microbiota and their interaction with various pathologies).

What data is processed, where they come from and how long are they kept?

The categories of data processed are: 

• Data relating to the persons who are the subject of publications (identity, functions, contact details, etc.);
• Data relating to browsing on the Website (time stamps, users' IP addresses, technical data relating to the equipment and browser used by users, geolocation, cookies) and on digital platforms via share buttons and media (cookies and other tracers);
• Data relating to the management of services offered to users;
• Data relating to the management of publications (purpose, deliverables, follow-up, statistics);
• Data relating to the management of technical services (time-stamping and purpose of requests, tracking, follow-up, statistics);
• Website audience and online services usage statistics.

Data may come from: 

• The Controller staff in charge of publishing content and technical administration of the Website;
• Contributors to publications;
• Website users;
• Staff of the service providers concerned;
• Third-party sites (websites, social networks, search engines, etc.). 

Data collected during browsing, which is not necessary for the operation of the Website (such as some types of cookies), is optional. Unless otherwise specified, all other data collected is mandatory.

Data retention: 

• Published data is kept online until the site is closed, after which it is archived for 5 years;
• Data relating to exchanges with service providers are kept for 5 years after the end of the contractual relationship;
• Unless required by law, or unless there is a particularly high risk, log data is kept for up to 6 months;
• The data required to produce statistics on the audience and use of online services is kept in a format that does not allow individuals to be identified by their IP address, and includes an identifier (relating to the cookie) kept for a maximum of 13 months (unless the person concerned objects).

Who is the data intended for?

Depending on their respective needs, the following are recipients of all or part of the data:

• The Controller staff in charge of content publication and technical administration of the Website;
• Staff of the service providers concerned;
• Website users;
• Staff responsible for supervising the security of the Controller’s information systems.

Due to their presence on the Internet, publications may be accessible outside the European Union.

Support for national research projects

What is the purpose of the processing and what is its legal basis?

The purpose of the processing of personal data is to support international research projects on microbiota. It enables the Controller to: 

• Organize calls for applications (in particular, to create a database for mailing purposes);
• Select research projects;
• Financing the selected project;
• Archiving the awards ceremony;
• Production of anonymous statistics.

With reference to Article 6(1)(f) of the GDPR, the processing is necessary for the purposes of the legitimate interests pursued by the Controller (promote research on microbiota and their interaction with various pathologies).

What data is processed, where they come from and how long are they kept?

Details of the person responsible for the research project:

• Full name,
• Position, title, main activity,
• Telephone number, e-mail address,
• CV.

Details of the organization responsible for the research project and, where applicable, its parent company:

• Name, legal status,
• Department,
• Postal address,
• Country.

Research project data:

• Project description, 
• Confidential scientific summary,
• Non-confidential summary.

Project team data:

• Investigators:
  • Surname and first name,
  • Position, title, main activity,
  • E-mail address.
• Partner organizations:
  • Name of organization, location,
  • Department,
  • Name and e-mail address of main contact.

Other data:

• Bibliography,
• Research project budget and schedule.

The data processed comes from searches of scientific publications relating to the theme of the research grant (public data). They also come from researchers applying for the fellowship.

Data is kept in an active database, from receipt of applications to selection of the prizewinner, and is then archived definitively for scientific research purposes, in accordance with Article 89 of the RGPD.  Except for data relating to prize-winners, for which data is kept in an active database for the duration of the research project (maximum 3 years), then a further 3 years (having regard to the limitation periods of the tax authorities).

Who is the data intended for?

Depending on their respective needs, the following are recipients of all or part of the data:

• Candidates for the grant;
• Members of the Foundation's Board of Directors and International Scientific Committee; 
• Biocodex staff in charge of the Foundation's administrative management;
• Staff of relevant service providers.

Due to the international scope of the competition, some data may be transferred outside the European Union.

Management of requests

What is the purpose of the processing and what is its legal basis?

The purpose of processing personal data is to manage requests and reports made on the Website. It enables the Controller: 

• Receive requests/notifications;
• Manage the follow-up of correspondence;
• Drawing up anonymous activity statistics.

With reference to Article 6(1)(f) of the GDPR, the processing is necessary for the purposes of the legitimate interests pursued by the Controller (collecting requests and reports from users from its websites).

What data is processed and how long are they kept?

The categories of data processed concerning the sender are: 

• Identity: e-mail address;
• Subject and body of the message.

Unless otherwise specified, all data is mandatory.

Data is kept for up to 5 years from the time the request is processed. If the request concerns an adverse reaction, a medical question or a product quality complaint, data retention is defined in the specific subsequent processing.

Who is the data intended for?

Depending on their respective needs, the following are recipients of all or part of the data:

• Controller staff responsible for:
• processing requests;
• health vigilance, medical information or product quality complaints (where applicable);
• data protection (where applicable).

About cookies

The Controller uses various computer "cookies" on the Website to measure the audience and integrate services to improve the interactivity of the Website. 

What is a computer "cookie"? 

A computer "cookie" is a text file that may be deposited on a user's terminal during browsing on a website. Cookies are an important tool enabling organizations to gain an overview of their users' online activity.

How it works: generally small in size and identified by a name, it is transmitted to the user's browser by the website visited. The browser stores it for a certain period of time, and sends it back to the website each time it is reconnected. In principle, cookies can be easily viewed and deleted.

In themselves, cookies are harmless, as they contain no executable code. They perform important functions for websites: they can be used to memorize a customer account identifier, browsing preferences, enable browsing to be tracked for statistical or advertising purposes, and so on.

However, cookies can store enough data to identify a user without his or her consent and, in some cases, can be used to create profiles of individuals. This is why it is essential that cookie management is controlled within the framework of data protection.

What are the different types of cookies?

In general, cookies can be classified in three different ways: by origin, by lifetime and by purpose.

Origin

First-party cookies - These cookies are placed on the visitor's terminal directly by the website being visited.

Third-party cookies - These cookies are placed on the visitor's terminal by a third-party organization, such as an advertiser.

Lifetime

Session cookies - These cookies are temporary and expire when the browser is closed or at the end of the visit (session).

Persistent cookies - This category includes all cookies that remain on the visitor's terminal until they are deleted. They may be deleted manually or automatically (depending on the expiration date of the cookie, or when the browser is closed if so configured).

Purpose

Strictly necessary cookies - These cookies help to make a website usable by enabling basic functions such as page navigation, access to secure areas of the site, or storing items in an online shopping cart. The website cannot function properly without these cookies.

Preference cookies (functionality cookies) - These cookies enable a website to retain information that modifies the way the site behaves or displays, such as the visitor's preferred language or the region in which he or she is located.

Statistical cookies (performance cookies) - These cookies help the website owner, through the collection and communication of information, to understand how visitors interact with the site, such as which pages are visited and which links are used. The aim is to subsequently improve the website. Although intended for use by the website owner, these cookies may come from third-party organizations that may track the visitor for marketing purposes.

Marketing cookies - These cookies track the user's online activity to help, for example, advertisers deliver more relevant ads. These cookies may share this information with other organizations or advertisers. These cookies are persistent and almost always come from third parties.

How can I control the placement of cookies?

In general, website users can prevent cookies from being deposited on their terminal, or delete existing ones, by configuring their web browser accordingly. For instructions on how to manage cookies, please refer to your browser's help section.

• Please note, however, that blocking the deposit of cookies in your web browser may lead to malfunctions on the Website, as well as on other websites.

What types of cookies are used on the Website?

Internal cookies storing the result of user consent 

These cookies are deposited directly by the Website and enable the User's choices on the deposit of third-party cookies to be retained.

"Didomi token (didomi_token)":

• Purpose: contains consent information for personalized purposes and for personalized partners, as well as information specific to Didomi (user ID, for example) ;
• Maximum retention period: 6 months.

"Consent string (euconsent-v2)":

• Purpose: contains the IAB TCF consent string (*) as well as consent information for all IAB standards (partners and purposes);
• Maximum retention period: 6 months.

(*) For more information: https://iabeurope.eu/transparency-consent-framework/ 

Third-party cookies  

The Website relies on certain services offered by third parties. These may include, for example, audience measurement services, video hosting services, etc.

The purposes served by these third parties use cookies deposited directly by these services. Via these cookies, these third parties may collect and use the user's browsing data on their own behalf in order to offer, for example, targeted advertising and content based on the user's browsing history. For further information, the User can consult the privacy policy of these third parties via the cookie management module set up on the Website.

By default, these third-party cookies are not stored. The User is informed of the third-party cookies used and can consent to their deposit in the cookie management module or directly via a contextual consent request, for example by activating the playback of an external video. He/she can indicate its preferences, either globally for the Website, or service by service. He/she can reverse its choices at any time by calling up the cookie management module via a permanent link at the bottom of the page.

Data collected by third-party cookies may be transferred outside the European Union.