Introduction
Cerba Path processes your personal data as part of its anatomocytopathology activity, in compliance with the legislation in force.
This policy provides you with information on how your personal data is processed by Cerba Path, as well as on the potential re-use of your biological residues as provided for in the French Public Health Code.
This policy, which is accessible on our website, is updated regularly to take into account legislative and regulatory developments, and any changes in the company's organisation or in the processing it carries out.
This policy was updated on 25/04/2024.
What are our commitments?
We undertake to comply with the applicable regulations for all processing of personal data that we carry out. Thus, we undertake to respect the following principles:
- We process your personal data in a lawful, fair and transparent manner.
- We collect your personal data for specific, explicit and legitimate purposes and do not process it in a way that is incompatible with those purposes.
- We ensure that personal data is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
- We make every effort to ensure that personal data is accurate and, where necessary, kept up to date. We take all reasonable steps to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is deleted or rectified without delay.
- We shall keep your personal data in a form which allows your identification only for as long as is necessary for the purposes of the processing.
- We guarantee an appropriate level of security for the personal data we process.
These commitments are manifested in the following ways:
- We respect your privacy.
- We ensure that the protection and security of your personal data is our primary concern.
- We do not use your personal data for purposes that have not been brought to your attention.
- We do not consider that your personal data should be stored indefinitely.
- We do not sell your personal data to third parties.
- We work with trusted partners who provide sufficient guarantees that technical and organisational measures are in place to ensure that our processing operations meet the requirements of the applicable regulations.
- We respect your rights as a data subject, and as a patient, and make every effort to respond to your requests as soon as they are justified.
How do we collect your personal data?
We collect your data either directly from you or indirectly. In the latter case, your personal data has been entrusted to us by our health partners (doctors, prescribers, laboratories, hospitals, clinics and health centres) who are involved, where applicable, in the taking of samples.
What personal data do we process and for how long?
We remind you that personal data is information relating to an identified or identifiable natural person (the "data subject"), such as your first and last names, your postal address or data concerning health.
We undertake to process only personal data that is strictly necessary for the purposes for which it is collected and to keep it only for as long as is necessary for those purposes.
1. The categories of personal data that we process are as follows :
Processing activities |
Legal basis |
Categories of personal data |
Retention period (active basis) |
Management of the medical office (carrying out your exams, interpretation and transmission of your results and administrative management of the medical office) |
Performance of the contract |
Identification data, data concerning health and social security number. |
5 years from the last visit |
Anonymisation of data for re-use in scientific research or quality control |
Legitimate interest (establishment of specific safeguards for processing for scientific research or quality control purposes) |
data concerning health |
Not applicable |
Sending out satisfaction surveys |
Legitimate interest (improvement of services) |
Identification data |
Duration of the survey |
Management of the website (management of contacts, connections, account creation) |
Legitimate interest |
Identification data, connection data and logs, data relating to the management of contacts and account creation |
3 years from the last contact 6 months for connection logs |
Management of the website (management of online orders and payments) |
Performance of the contract |
Identification data, order data, bank details |
3 years from the end of the contractual relationship 10 years for invoices from the date of issue The duration of the transaction for bank details |
Recruitment management |
Performance of pre-contractual measures |
Identification data and data relating to the professional situation of the applicant |
2 years from the date of application (unless objected to) |
Supplier management |
Performance of the contract |
Identification data, professional data |
3 years from the end of the contractual relationship 10 years for invoices from the date of issue |
Customer management |
Performance of the contract |
Identification data, business data |
3 years from the end of the contractual relationship |
What happens to your samples and residues from medical biology analyses?
In accordance with the applicable regulations, once your analyses have been completed, the residues from your samples will be disposed of. However, unless you object, these residues may be kept for use in scientific research or quality control, either directly or after transfer to third parties, in strict compliance with medical confidentiality and the French Public Health Code.
Who can access your personal data?
Your data will only be communicated, if necessary, to the following recipients:
- Authorised Cerba Path staff;
- Subcontractors, trusted service providers of the medical office, in charge of IT or debt collection.
With regard more specifically to data concerning patients:
- The responsible doctor or the co-responsible doctor and, within the limits of the authorisations issued by them and under their responsibility, the members of the anatomocytopathology office (biologists, doctors, technicians, nurses, etc.) for the above-mentioned purposes.
- The laboratories or reference centres to which your samples are sent for certain exams.
- Health establishments, prescribing doctors (unless you object), external samplers, who have sent us your samples for analysis or at whose request we have carried out the samples and analyses.
- Subcontractors, trusted service providers of the laboratory, in charge of IT or debt collection.
- The regional cancer screening coordination centre (CRCDC) as part of screening campaigns; to find out more about the processing of your personal data by your CRCDC, you can consult their data protection policy on their website, which you can find via the following list;
- The administration, in particular as part of the compulsory declaration of diseases as provided for in article R.3113-1 of the CSP (e.g. mesothelioma); to find out more about the processing of your personal data by your ARS, and its public interest mission, you can consult the ARS's data protection policy;
We make every effort to ensure that the number of such persons remains as limited as possible.
We only provide our trusted service providers with the information they strictly need to provide the service and they may not use your personal data for any other purpose.
We always make our best efforts to ensure that all our trusted service providers with whom we work maintain the security of your data.
We also ensure that when our relationship with a trusted service provider comes to an end, that service provider deletes your personal data without delay.
We select our trusted service providers with great care, ensuring that they have sufficient guarantees, including expertise, reliability and resources, to implement technical and organisational measures to meet the requirements of applicable legislation, including security. In this respect, we ensure that our trusted service providers process personal data only on our documented instructions. We also ensure that their staff are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality.
What are your rights as a data subject?
1. You have the right to access, object to, rectify and delete your personal data, as well as the right to limit the processing of such data.
- The right of access allows you to ask an organisation if it holds data about you and to have it communicated to you in order to verify its content.
- The right to object allows you to object, on legitimate grounds, to your data being used by an organisation for a specific purpose. In the case of commercial canvassing, you may object to the processing without legitimate grounds.
- The right of rectification allows you to request the rectification of inaccurate or incomplete information concerning you. This prevents an organisation from using or distributing incorrect information about you.
- The right to erasure allows you to ask an organisation to erase your personal data. Please note, however, that in order to comply with our legal obligations and to establish, exercise or defend legal claims, we cannot delete the contents of your medical file.
- The right to limit processing allows you to ask an organisation to temporarily freeze the use of some of your personal data.
2. You may exercise your right to object to the processing of your data by your Regional Cancer Screening Coordination Centre by contacting the latter directly; for the contact details of your RCDC, please consult the attached list.
3. You may object to the re-use of your medical biology residues for scientific research or quality control purposes, directly with Cerbapath, under the conditions set out in article L.1211-2 of the French Public Health Code.
For more information about your rights, please visit cnil.fr.
You can exercise your rights with the "Personal Data Referent" of Cerba Path
- either by e-mail to the following address : Rpd@Cerbapath.com
- or by post to the following address RPD Cerba Path - 30 Boulevard de Vaugirard 75015 Paris
If you feel, after contacting us, that your rights have not been respected, you may submit a complaint to the CNIL.