Personal data and haemovigilance
Note to declarants:
As we do not have access to the identity of donor concerned by haemovigilance case, we ask you, when it is possible, to provide to the donor the present notice by the means you consider the most relevant (email, personal delivery, etc.) in order to ensure transparency and a good understanding of the processing of his/her personal data.
Data controller
LFB BIOMEDICAMENTS (3, avenue des tropiques, ZA de Courtaboeuf, 91940 les Ulis – France) acts as a data controller as defined in General Data Protection Regulation (GDPR).
Purpose of the processing
We process your personal data for the following purposes:
– the collection recording, analysing, monitoring, documentation, transmission and retention of the data relating haemovigilance cases.
– the management of contact (i.e. the declarant).
Legal basis
We can only process your personal data if it is lawful. Processing is only lawful insofar as it based on one of the legal bases mentioned in the applicable law (GDPR).
The processing of your personal data is based on the following legal bases:
– For compliance with a legal obligation to which the data controller is subject (article R. 1221-22 and following from “Code de la santé publique” [French Public Health Code], article L1221-13 from “Code de la santé publique” [French Public Health Code] and appendix 14 from “Bonnes Pratiques de Fabrication” [Good Manufacturing Practices]).
Given the processing of personal data concerned, we are required to process data concerning health.
The processing of your data concerning health is necessary for reasons of public interest in the area of public health. The purpose of this processing of personal data is to ensure compliance with high standards of quality and safety of the medicinal products manufactured by LFB BIOMEDICAMENTS.
Categories of data subject and personal data concerned
The following categories of personal data are concerned by the processing:
– The declarant’s data: name, surname, contact details (address, email, phone number), when appropriate the speciality of the health care professional concerned.
– The donor’s data: data which allow indirect identification of the person exposed to the haemovigilance, donation identification, health data about the donor (for example seroconversion with viral marker concerned, risk behaviours, useful medical information declared by the donor, her/his family background).
We only use the data strictly necessary for the assessment of the haemovigilance case.
We do not know donor’s identity and this will not be forwarded to us unless the donor contacts us directly.
The collection of your data is necessary to fulfil the above-mentioned purpose.
Source of the personal data
– For declarants: we obtain your personal data directly from you.
– For donors: we obtain your personal data via the declarants.
Recipients of personal data
Depending upon their respective needs, recipients of all or part of the personal data are the following recipients:
– Employees of the LFB Group’s haemovigilance department and when strictly necessary for the performance of their duties, the other employees of the – LFB Group (e.g. the administrators of the haemovigilance database).
When necessary and exclusively in the context of their haemovigilance activity:
– Our service providers acting as a data processor on our behalf (within the limit necessary for the performance of the work we have entrusted to them).
– In the event that personal data is entrusted to a data processor, an agreement will be concluded in order to ensure and guarantee that personal data is processed in accordance with our instructions and that adequate technical and organizational measures are taken to protect it. Personal data is hosted by a service provider with the status of certified health data host.
National or foreign public authorities in charge of vigilance, national or foreign health authorities (except for data directly identifying the person exposed to the haemovigilance case).
Data transfers outside the European union
No data transfer outside the European Union is carried out as part of this processing.
Period for which the personal data will be stored:
Your personal data is kept no later than 40 years from the date of donation (in accordance with the French public health code).
Once the retention period has been reached, personal data is destroyed.
Security
We put in place technical and organisational measures allowing the protection of your personal data. We take reasonable steps to protect your data from loss, misuse, unauthorised access, disclosure, modification or destruction of your data.
Your rights
Within the conditions and limits of the applicable regulations, you have the following rights:
– Right of access: you can access the personal data that we hold about you.
– Right to rectification: you can ask us to correct data that is inaccurate or incomplete.
– Right to restriction of processing, in particular in the event that you dispute the accuracy of the personal data that we hold about you.
Due to the legal obligation to which we are subject, you do not have a right to erasure, a right to object as well as right to portability.
Under certain circumstances, we will not be able to respond to your request if you want to exercise your rights. In such a case, we will explain the reasons for our refusal.
To exercise your rights, please contact our Data Protection Officer at the address below.
More specifically for plasma doners, if you do not wish to disclose your identity to the LFB Group, please contact the plasma centre to which you have donated to exercise your rights.
Contact and reclamation
To exercise the above rights or for any questions in connection with personal data, please send any request to the LFB Group Entity’s Data Protection Officer, in priority by email: privacy@lfb.fr or by post to the following address: LFB BIOMEDICAMENTS, Data Protection Officer, Legal Affairs and Compliance Department, ZA de Courtabœuf, 3 avenue des Tropiques, 91940 LES ULIS – FRANCE.
If you consider, after contacting us at the contact details above, that your rights are not respected or that data processing does not comply with data protection rules, you may lodge a complaint with a supervisory authority in particular in the Member State in which your habitual residence, place of work or the place where you consider that a breach of the regulations has been committed.
Version date: February 2022