Privacy Statement
PRIVACY POLICY
- About this privacy policy
When you visit www.ncardia.com (the “Website”) or you interact with Ncardia in any other way, Ncardia (“we”) collects, stores and uses personal data about you. We are committed to protecting the personal data that we hold about you and we want to inform you as transparently as possible about how we use such data. This privacy policy therefore sets out which data we collect about you, for which purposes, for how long and the measures we have taken to protect such data. We invite you to read this privacy policy carefully and reach out in the event you have any questions about this policy or the personal data we hold about you through the contact information below. From time to time, we will make changes to this privacy policy so we would like to encourage you to revisit this privacy policy on a regular basis. We will always endeavor to draw your attention to any material changes we might make to the privacy policy by sending you an email or by including a visual marker on the Website.
We only process (i.e. collect, record, organize, structure, store, adapt, consult, use, disclose, erase or destruct) your personal data in accordance with this policy and applicable privacy and data protection laws, such as the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (also referred to as the “General Data Protection Regulation” or the “GDPR”). - About us
We are Ncardia Services B.V., also hereinafter referred to as “Ncardia”. Our registered offices are at Galileiweg 8, 2333 BD Leiden, the Netherlands and we are registered under company number 77260163. We are the controller of your personal data as described in this privacy policy, meaning that we are responsible for the personal data we hold about you.
We have appointed a data protection officer (DPO) to help us in protecting the privacy and personal data of individuals. You can contact our DPO with any questions or other queries you may have through any of the following means:
- By email at dpo@ncardia.com
- By regular mail at
Ncardia Services B.V.
To the attention of the data protection officer
Galileiweg 8
2333 BD Leiden
The Netherlands
- About your personal data
The type of personal data that we collect from you, our reasons for using it, the time period during which we keep it and the third parties with whom we share it differ depending on how you interact with us. Please refer to the correct section below depending on whether you interact with Ncardia as a visitor of the Website, as an applicant for a vacant position, in a business context (e.g. as a (potential) supplier or client of Ncardia) or as a patient or healthcare professional or the responsible person of an accredited institution.
- Visitor of the Website
As a visitor of the Website, your personal data is collected by Ncardia in a number of ways.
Method 1 - Cookies and related technologies
Method 2 - Queries submitted through our contact form, by email or through any other means of communication
What are the categories of personal data that we collect?
1 - IP address, cookie preferences, location data, (Website) preferences and settings, clicks, device specifications
2 - Your identification and contact details (your first name, last name, email address, phone number), the company you work for, your background or user profile, the subject matter of your query, your message or query and any other information you may decide to share with us.
How is personal data collected?
1 - Personal data is collected automatically through the cookies set on our Website.
2 - Personal data is provided by you through the text fields on our contact form, by email or through such other means of communication you choose.
What are our purposes for collecting personal data?
1 - We use cookies and related technologies to make the Website available to you and to review how you use our Website in order to improve the Website and our services. More information can be found in the cookie policy.
2 - We collect your personal data to adequately respond to your query or message.
What is our legal basis for collecting personal data?
1 - In the event of strictly necessary cookies, we collect your personal data on the basis of our legitimate interest in making the Website available to you. For any other cookies, such as third party or analytics cookies, we will always ask your consent prior to setting such cookies. You can withdraw your consent at any time.
2 - Your personal data is collected on the basis of our legitimate interests in adequately responding to your query or message.
What is the retention period of the personal data?
1 - Cookies can be set for a few seconds, your browsing session or for a longer period of time. More information can be found in the cookie policy.
2 - We will retain your personal data for as long as needed for the purpose of informing you about our services and for a maximum of five years.
What are the consequences in the event you fail to provide us with your personal data?
1 - As cookies are set automatically, there are no consequences if you do not provide us with personal data. If you, however, do not give your consent for certain cookies for which we require your consent, certain parts of the Website will lose some functionality.
2 - In the event you fail to provide us with your personal data, we may not be able to respond adequately to your query or message. If you fail to complete certain fields of the contact form on our Website, the contact form may malfunction.
Who are the recipients of your personal data?
1 - Ncardia, Ncardia’s affiliates and a number of service providers that help us in managing the Website will receive your personal data. More information can be found in the cookie policy.
2 - Ncardia and Ncardia’s Affiliates will receive your personal data. In some instances, we might also share your personal data with our service providers or suppliers, if needed to answer your query or message appropriately. - (Potential) applicant
If you are interested in working at Ncardia or Ncardia’s affiliates and/or we are interested in working with you (e.g. when we find your profile on LinkedIn or through a recruitment agency), we also collect certain information about you.
What are the categories of personal data that we collect?
Your identification and contact details, your academic background, your professional background, any performance or personality information obtained from assessment tests and any other information you may share with us (e.g. in your resume, motivation letter) or with business focused social media platforms such as LinkedIn. We also collect information about your previous work experiences when we perform background checks. We also collect your identification and contact details if you are a third party and such information has been provided by an applicant for the performance of a reference check.
How is personal data collected?
Personal data is provided by you if you send us your interest in a vacant position or submit a spontaneous application. We also collect personal data from (semi) publicly available resources, such as social media platforms or from third parties, such as recruitment agencies or organizations aiding us in organizing assessment tests. We also receive personal data from third parties if the applicant has provided us with references to perform background checks.
What are our purposes for collecting personal data?
We collect this personal data for recruitment purposes, i.e. in order to assess whether you would be qualified to fill a position at Ncardia or Ncardia’s affiliates.
What is our legal basis for collecting personal data?
We collect this information on the basis of our human capital interests and in order to take steps at your request to enter into an agreement with you.
What is the retention period of the personal data?
If you are employed by us after the recruitment phase, we will retain your personal data for as long as you are employed by us. If you are not employed by us after the recruitment, we retain your personal data for maximum five years.
What are the consequences in the event you fail to provide us with your personal data?
If you apply for a position and you fail to provide us with your personal data, we might not be able to assess whether you are the right fit for a position.
Who are the recipients of your personal data?
Ncardia and Ncardia’s affiliates and any service providers supporting us in our recruitment efforts (e.g. headhunting agencies). - Business contacts
If we believe that you may be interested in the services that we provide or you engage with Ncardia in a professional context, for example, as a client or a supplier of Ncardia, we also process certain information about you.
What are the categories of personal data that we collect?
As a Prospect: Your identification and contact details, your academic background, your professional background and any other information about your professional life or your query or the organization or company that you work for which you may share online.
As a Client: Your identification and contact details, your academic background, your professional background and any other information about your professional life.
As a Supplier or service provider: Your identification and contact details, your academic background, your professional background and any other information about your professional life.
How is personal data collected?
As a Prospect: Personal data is provided by you if you contact us directly with a query regarding our services or products. We also receive personal data from third party service providers offering professional contact information such as Zymewyre and Global Data and collect personal data from publicly accessible sources such as social media platforms.
As a Client: Personal data is provided by you or by the company or organization you work for with whom we (intend to) enter into an agreement.
As a Supplier or service provider: Personal data is provided by you or by the company or organization for which you work for with whom we (intend to) enter into an agreement.
What are our purposes for collecting personal data?
As a Prospect: We collect this personal data for the purpose of identifying and getting into contact with prospective clients.
As a Client: We collect this data for the purpose of providing services to you or your company or organization.
As a Supplier or service provider: We collect this data for the purpose of engaging you or your company or organization for services or to buy products from you or your organization.
What is our legal basis for collecting personal data?
As a Prospect: We collect this personal data on the basis of our legitimate business interests in getting into contact with prospective clients or on the basis of your explicit consent in the event of unsolicited direct marketing communication and you have not been in contact regarding our products and services prior to such communication.
As a Client: We collect this personal data on the basis of our legitimate business interests and to perform the contractual agreement with you or to take steps at your request to enter into a contractual agreement. We also sometimes need this data to comply with a legal obligation.
As a Supplier or service provider: We collect this personal data on the basis of our legitimate business interests and to perform the contractual agreement with you or to take steps at your request to enter into a contractual agreement. We also sometimes need this data to comply with a legal obligation.
What is the retention period of the personal data?
As a Prospect: We will retain your personal data for as long as needed for the purpose of informing you about our services and for a maximum of five years.
As a Client: Your personal data will be retained for as long as the business relationship between Ncardia and you or your company or organization exists and for five years thereafter. We may retain personal data after this time as may be necessary to comply with our legal obligations.
As a Supplier or service provider: Your personal data will be retained for as long as the business relationship between Ncardia and you or your company or organization exists and for five years thereafter. We may retain personal data after this time as may be necessary to comply with our legal obligations.
What are the consequences in the event you fail to provide us with your personal data?
As a Prospect: In the event you fail to provide us with your personal data, we may not be able to respond adequately to your query or message or contact you otherwise.
As a Client: In the event you fail to provide us with your personal data, we may not be able to adequately provide our services to you or perform the contractual relationship with you.
As a Supplier or service provider: In the event you fail to provide us with your personal data, we may not be able to adequately receive products or services from you or your company or perform the contractual relationship with you.
Who are the recipients of your personal data?
As a Prospect: Ncardia and Ncardia’s affiliates and any service providers supporting our marketing activities.
As a Client: Ncardia and Ncardia’s affiliates and any subcontractors or service providers supporting us in our operations.
As a Supplier or service provider: Ncardia and Ncardia’s affiliates and any other subcontractors or service providers supporting us in our operations and the clients that we work for.
- Donors, healthcare professionals or responsible persons
We also process the personal data of donors of human body materials for use in research, personal data of the treating healthcare professional that supported the collection process and personal data of the responsible person from which we receive human body material and accompanying personal data. If you are a donor, please refer to the informed consent form and the information provided by the healthcare professional that treated you during the donation process to receive accurate information about how your personal is processed. If you are a healthcare professional or a responsible person, we use your personal data in accordance with the applicable legislation on human body materials. Below you can find some additional information on how we use your personal data.
What are the categories of personal data that we collect?
Donors of Cells: Your identification number (pseudonym), gender, age (date of birth if strictly necessary), medical and clinical data necessary to ensure the quality and safety of human body material (selection criteria, medical tests, medical history, health status, type of human body material) and genetic information necessary for the gene-editing process. Note that all personal information that we obtain, process and share about you is pseudonymized and we will not attempt to re-identify you unless required by applicable laws.
Healthcare professional supporting collection of cells or responsible person of an accredited institution from which we receive cells: identity and contact information of the responsible person or the lead physician or its designee responsible for the removal and academic/professional background information.
How is personal data collected?
Donors of Cells: Personal data is provided by you to the healthcare professional responsible for the collection of the cells and in a pseudonymized format transferred to us.
Healthcare professional supporting collection of cells or responsible person of an accredited institution from which we receive cells: Personal data is provided by you or by the institution, company or organization that you work for when the cells are transferred to us.
What are our purposes for collecting personal data?
Donors of Cells: We collect this personal data for the purpose of performing research with cells.
Healthcare professional supporting collection of cells or responsible person of an accredited institution from which we receive cells: We collect this personal data as part of our responsibilities for the purpose of performing research with cells.
What is our legal basis for collecting personal data?
Donors of Cells: We collect this personal data on the basis of your specific consent given on your informed consent form, on the basis of the legal obligations that we have under regulations on the use of human body materials for research and on the basis of our or our client’s legitimate interest for research purposes. Some data that we receive, such as health data and genetic data is considered special category data or sensitive data. We process such personal data on the basis of your specific consent as given on your informed consent form or for scientific research purposes provided that we implement appropriate safeguards.
Healthcare professional supporting collection of cells or responsible person of an accredited institution from which we receive cells: We collect this personal data on the basis our legal obligation to comply with the legislation on human body materials and for our legitimate research interests.
What is the retention period of the personal data?
Donors of Cells: We retain your personal data accommodating the cells for minimum thirty years in accordance with applicable legislation.
Healthcare professional supporting collection of cells or responsible person of an accredited institution from which we receive cells: Your personal data is retained for as long as is necessary to ensure the quality and safety of the cells and to comply with the applicable legislation. The personal data accommodating human body material needs to be retained by Ncardia for a minimum of thirty years.
What are the consequences in the event you fail to provide us with your personal data?
Donors of Cells: In the event you fail to provide us with your personal data, we will likely not be able to use your cells for research.
Healthcare professional supporting collection of cells or responsible person of an accredited institution from which we receive cells: If you or the institution, company or organization that you work for fails to provide us with the personal data as required by applicable legislation, we will likely not be able to use the cells in research.
Who are the recipients of your personal data?
Donors of Cells: Ncardia and Ncardia’s affiliates, any suppliers and service providers supporting our operational activities and any of our customers that are marketing authorization holder of advanced therapy medicinal products or that are engaged in non-clinical or clinical research phases for such medicinal products.
Healthcare professional supporting collection of cells or responsible person of an accredited institution from which we receive cells: Ncardia and Ncardia’s affiliates, any suppliers and service providers supporting our operational activities and any of our customers that are the marketing authorization holder of advanced therapy medicinal products or that are in non-clinical or clinical research for such medicinal products
- The protection of your personal data
We have implemented several measures to keep the personal data concerning you under our control safe. These include technical measures such as firewalls, encryption, access controls and password protections but also include organizational and contractual measures, such as internal data protection trainings and policies and ensuring that our staff and our service providers are bound by confidentiality in respect of your personal data. We conduct data protection impact assessments whenever required to ensure that our data processing activities do not compromise the rights and freedoms of individuals.
We do not sell or rent your personal data to third parties. We do share your personal data with third parties, such as our affiliates, suppliers and customers, as set out above, in order to achieve our purposes. We may also sometimes have to share your personal data with relevant regulatory authorities. Sometimes those third parties are located in countries outside the European Economic Area which do not offer the same protection as your own country. In such cases, we have implemented adequate safeguards to ensure that your personal data is also protected outside the European Economic Area, such as imposing the standard contractual clauses as issued by the European Commission on our contracting parties located abroad. You can contact us at any time to receive specific information about such safeguards through using our contact information above. - Your rights
You have certain rights in respect of the personal data that we hold about you, which you can exercise by making use of the contact information as set out above. The following rights could be available to you, however, note that the GDPR sometimes imposes restrictions on when such rights can be exercised. We are happy to help you find out whether a right is available to you in your specific situation. If you are a donor, please reach out to the healthcare provider that collected the human body material from you if you want to exercise any rights. That way, we can ensure your personal data remains pseudonymized at all times.
- Right to access: You have the right to obtain confirmation from us if, and to which extent, we process personal data about you. Unless it adversely affects the rights and freedoms of others, you can obtain a copy of the personal data we hold about you upon your request.
- Right to rectification: Without undue delay, you have the right to rectify any incorrect or incomplete information we have concerning you.
- Right to erasure: In some instances, you will have the right to have the personal data we hold about you deleted. This so-called “right to be forgotten” applies if:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
- you object to the processing and/or there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation; or
- the personal data have been collected in relation to the offer of information society services;
- The right to erasure will not apply if processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
- Right to restrict processing: You also have the right to request restriction of the processing of your personal data in the event that
- you contest the accuracy of the personal data. The restriction of processing will apply for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful and you object to the deletion of the personal data and request instead the restriction of the use of the personal data;
- we no longer need the personal data for the purposes of processing as set out above, but you need it for the assertion, exercise or defence of legal claims; or
- you have objected to the processing as long as it is not yet clear whether our legitimate grounds override your interests.
If processing of personal data has been restricted on your request, we will only store your personal data, unless you have consented to the processing of your personal data, processing is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
- Right to object: You have the right to object at any time, on grounds relating to your specific situation, to the processing of your personal data by Ncardia if such processing is based on the legitimate interests pursued by Ncardia. We will then no longer process your personal data, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Note that you always have the right to object to processing for direct marketing purposes.
- Right to data portability: Unless this would adversely affect the rights and freedoms of others, if the processing of your personal data is carried out by automated means and based on your consent or on a contract, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and you also have the right to transmit such data to another controller.
- Automated individual decision-making, including profiling: Lastly, you also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly affects you, unless, the decision is necessary for entering into, or performance of, a contract between Ncardia and you, is authorised by applicable law, which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or the decision is based on your explicit consent.
- Right to withdraw consent: If the processing is based on your consent, you have the right to withdraw your consent at any time. We will then no longer process your personal data but this does not affect the legality of the processing prior to such request.
- Right to lodge a complaint
We do our utmost best to protect the personal data under our control. However, you are always entitled to lodge a complaint with a data protection authority about the processing of personal data by us. You can find a list with the relevant data protection authorities and their contact details through the following link: www.ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
Ncardia’s Privacy Statement was last updated on October 09, 2023.