Connect by Circular-Lab

Privacy Policy

Privacy Policy

Privacy Policy

The purpose of this Privacy Policy is to inform data subjects about the various personal data processing activities carried out by Connect by Circular-Lab, S.L (hereinafter, Circular-Lab) with the personal data collected through this website www.circular-lab.com in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (LOPDgdd).


Definitions

The following terms used in this Privacy Policy shall have the meanings set forth below:

Personal data: Any information about an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Data subject: An identified or identifiable natural person to whom the personal data pertains.

Processing of personal data: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data controller (or controller): The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor (or processor): The natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Recipient of personal data: A natural or legal person, public authority, agency, or other body to which the personal data is disclosed, whether a third party or not.

Consent of the data subject: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

International data transfers: The movement of personal data from Spanish territory to recipients located in countries outside the European Economic Area (the EU countries plus Liechtenstein, Iceland, and Norway).

Pseudonymized data processing: The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.


Who is responsible for the processing of data provided on the website?

The data controller of the personal data collected on the website is:
Corporate name: Connect by Circular-Lab, S.L
Tax ID: B88077219
Address: Av. Reina Victoria 10, 10B, 28003, Madrid
Contact: protecciondedatos@circular-lab.com

DATA PROTECTION OFFICER

ALARO AVANT, S.L
Email: protecciondedatos@circular-lab.com

What are your data used for? (purpose of processing)

The purposes for which your personal data collected through the website will be processed are as follows:

To manage your inquiry or request submitted through any of the contact channels available on the website.
If you have provided your consent, to send commercial communications regarding the services offered by Circular-Lab and/or news related to the sector.
To comply with legal obligations applicable to Circular-Lab, such as responding to and processing data protection rights requests and reporting data breaches related to personal data protection.

Who do we process data about?

The category of data subjects whose personal data we will process for the purposes indicated above includes users of the website and clients of Circular-Lab.

What data do we process?


How do we obtain and where do the data come from?

The personal data we process has been provided by you.

Legal basis for the processing of personal data
The legal basis that legitimizes the processing of your personal data is:

  • The consent you have given us for sending commercial communications.
  • Legitimate interest to address the request and/or inquiry.
  • Execution of a contract or pre-contractual measures for the management of service provision, including administrative management.
  • Compliance with legal obligations applicable to Circular-Lab: GDPR and Organic Law 3/2018, which support processing for the purpose of complying with the exercise of data protection rights of data subjects and notification of security breaches related to personal data protection.

We inform you that your personal data may be disclosed to the following entities to manage the contractual and administrative relationship of Circular-Lab:


Public Administration with jurisdiction over the matter.

Law enforcement authorities.

Auditors and inspectors.

When required by law or competent authorities.


Will international data transfers be made?

International data transfers involve the movement of personal data from European territory to recipients located in countries outside the European Economic Area (the EU countries plus Liechtenstein, Iceland, and Norway). If international transfers of your personal data are made, your personal data will be protected in accordance with this Privacy Policy and the applicable legal requirements in force at the time, including verifying the level of protection in the destination country and adopting the guarantees required by law.
We inform you that, due to the hosting of the Circular-Lab website, your data will be transferred to service providers located outside the European Economic Area, specifically to Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, California 94043 (USA), which acts as a data processor for Circular-Lab by providing hosting services for the website and cloud computing. In this regard, we inform you that Google LLC is adhered to the EU-US Data Privacy Framework agreement (Information available at: https://www.dataprivacyframework.gov/s/participant-search) and also has standard contractual clauses adopted by the European Commission. Additionally, Circular-Lab has adopted complementary technical, organizational, and contractual measures to ensure an essentially equivalent level of protection.
If additional international data transfers are made, you will be informed in advance. In such cases, the international transfer will be made to recipients in countries with a level of protection equivalent to the European Union. If some of these recipients are in third countries without an adequacy decision from the European Commission or appropriate safeguards for adequate protection, Circular-Lab will ensure the protection of your data by signing standard contractual clauses approved by the European Commission.



How long will we keep the data?

We inform you that the personal data provided will be retained for as long as necessary to fulfill the purposes for which they were initially collected (indicated in point 2 of this Privacy Policy) and for the periods established by applicable legislation, as well as the periods established to address potential claims arising from processing, or until the consent provided is revoked. Likewise, we will retain your data as long as you do not object to the processing. All of this is in accordance with the principles of data minimization and limitation of the retention period established by applicable law.

What are the data protection rights of the data subject?

You may exercise your rights of access, rectification, erasure, objection, not to be subject to automated individual decision-making, data portability, and restriction of processing of your data by contacting Connect by Circular-Lab, S.L, located at Av. Reina Victoria 10, 10B, 28003, Madrid or via the email address protecciondedatos@circular-lab.com, for which we may request documentation to properly verify your identity. You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if you consider that your rights have been violated.


How do we protect the user’s data?

We are committed to protecting the information you provide us. Therefore, in response to the trust placed in us and considering the importance of protection and confidentiality required for your personal data, we inform you that we have adopted the necessary technical and organizational measures to ensure the confidentiality, availability, integrity, and resilience of our systems and processing services. To this end, we use security measures designed to provide an appropriate level of security for the risk of processing the personal data provided. However, the user should be aware that Internet security measures are not impregnable, and while we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss, or breaches will never occur.


Accuracy of personal data

The data subject guarantees that the data provided are truthful, accurate, complete, and up to date. The data subject shall inform us of any changes to the data provided through the channels referenced in the header of this policy.

If the user provides data about third parties, they declare that they have the consent of the data subjects and undertake to inform them of the information contained in this clause, exempting the organization from any liability arising from non-compliance with this obligation.

Accuracy of personal data

The data subject guarantees that the data provided are truthful, accurate, complete, and up to date. The data subject shall inform us of any changes to the data provided through the channels referenced in the header of this policy.


Data processing on behalf of third parties

The personal data processed through the systems or services offered by Circular-Lab will be processed by Circular-Lab as a processor or sub-processor. In this regard, Circular-Lab indicates the main aspects of processing as a processor below.


For the provision of the service, Circular-Lab processes personal data on behalf of the client, which forms part of the processing activities under the client’s responsibility, as outlined in Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).


This agreement authorizes Circular-Lab, as the processor, to process on behalf of the client (data controller) the personal data necessary to provide any of the services contracted by the client. These are:


Consulting project services, such as market studies, among others.

C-LAB® Platform Service (Software as a Service for digitizing and structuring reports for medical centers in various indications).

Real-world Diagnostic data service.

For the C-LAB® Platform Service, the data controller may use it and upload pseudonymized files or documents, with the client being responsible for the information included in the Platform. Regarding such documentation and/or files, Circular-Lab will act as the processor, adopting all relevant security measures. However, we remind the client that as a user of the Platform, they must use it properly, not introducing personal information that could compromise the privacy or data protection of the data subjects. In this regard, we urge the client to comply with the principle of data minimization set forth in the GDPR and only include the documentation and information strictly necessary for the processes carried out on the Platform, not introducing personal data unnecessary for the intended purpose.


In this regard, the client’s responsibility data to which Circular-Lab may have access for the provision of these services are as follows:


Regarding consulting project services and Real-world Diagnostic data services provided by Circular-Lab:


Categories of data subjects: Any category of data subjects deemed necessary by the controller for the proper provision of the service.

Types of data: Any category of personal data deemed necessary by the controller for the proper provision of the service.

Regarding the C-LAB® Platform service provided by Circular-Lab:


Categories of data subjects: Any category of data subjects included by the controller in the Platform.

Types of data: Circular-Lab may process as a processor the following personal data:

Pseudonymized data.

Special categories of personal data: health-related data.

For the provision of the service, Circular-Lab may access and process the aforementioned personal data under the client’s responsibility solely for the purpose of fulfilling the services covered by the business and/or contractual relationship and always following the client’s instructions (if the processor considers that any instructions violate the GDPR or any other applicable data protection provision, the processor will immediately inform the controller). The client guarantees that the data included in the Platform have been lawfully obtained and are lawfully processed.


The processing of these data will primarily involve the collection of data provided by the client, registration in the Circular-Lab Platform, storage, access, and structuring, as well as destruction upon completion of the service. Once destroyed, the processor, upon request by the controller, will certify their destruction in writing and provide the certificate to the controller. In any case, Circular-Lab may retain a copy, with the data properly blocked, as long as liabilities may arise from the execution of the service provision.


It is the client’s responsibility to inform the data subjects of their right to information when collecting their data.


For its part, Circular-Lab and its personnel, appropriately trained in data protection, are obliged to:


Maintain the confidentiality and secrecy of the data subject to the service provision and not disclose the data to third parties unless expressly authorized by the controller or in legally permissible cases. If the processor must transfer personal data to a third country or an international organization under Union or Member State law applicable to them, they will inform the controller of this legal requirement beforehand unless prohibited for reasons of significant public interest.

Implement necessary security measures to: Ensure the confidentiality, integrity, availability, and resilience of processing systems and services; restore the availability and access to personal data promptly in the event of a physical or technical incident; verify, evaluate, and assess the effectiveness of technical and organizational measures implemented to ensure processing security; pseudonymize and encrypt personal data, where applicable.

Keep an updated record of processing activities carried out by Circular-Lab on behalf of the controller.

Assist the client in potential requests to exercise data protection rights (access, rectification, erasure, objection, portability, and restriction of processing, and not to be subject to automated individual decision-making [including profiling]) by data subjects.

Notify the client as soon as possible, and in any case within a maximum period of 36 hours, of any data security breaches, allowing the client sufficient time to inform, if necessary, the competent supervisory authority or the data subjects.

Support the client, where appropriate, in conducting data protection impact assessments and prior consultations with the supervisory authority.

Provide the client with all necessary information to demonstrate compliance with their data protection obligations and allow the client or their authorized auditor to conduct inspections or audits.

For the contracted service, Circular-Lab, in addition to auxiliary services necessary for the normal functioning of the processor’s services, will subcontract the following services:


Hosting services at Amazon EC2 datacenters (Amazon Web Services) located within the EU (Ireland). Their privacy policy and contact details can be found on their website (https://aws.amazon.com/es/privacy/), to correctly provide clients with the contracted C-LAB® Platform service.

Cloud computing services and email services from Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, California 94043 (USA), which acts as a processor for Circular-Lab, providing website hosting and cloud computing services. In this regard, we inform you that Google LLC is adhered to the EU-US Data Privacy Framework agreement (Information available at: https://www.dataprivacyframework.gov/s/participant-search) and also has standard contractual clauses adopted by the European Commission. Additionally, Circular-Lab has adopted complementary technical, organizational, and contractual measures to ensure an essentially equivalent level of protection.

Project management tool for generating technical documentation: provided by Atlassian Pty Ltd (JIRA). Due to the use of the JIRA tool, data may be transferred outside the European Economic Area, both to Atlassian group companies and to third parties with which it operates for the proper provision of the service (the list of subprocessors can be found at https://www.atlassian.com/es/legal/sub-processors#atlassian-group-sub-processors). In this regard, Circular-Lab informs you that Atlassian is adhered to the EU-US Data Privacy Framework agreement and also has standard contractual clauses adopted by the European Commission for international data transfers made to both Atlassian group companies and relevant subprocessors (Information available at: https://www.atlassian.com/es/legal/privacy-policy#how-we-transfer-information-we-collect-internationally). Furthermore, Atlassian has adopted additional technical measures to ensure adequate protection (you can consult technical and organizational security measures at https://www.atlassian.com/legal/security-measures#program-management).

To subcontract with other companies, this must be communicated to the client in advance and in writing, with a 10-day notice, indicating the processing activities to be subcontracted and clearly identifying the subcontractor company and their contact details. Subcontracting may take place if the controller does not object within the established period.


Any subcontractor, who will also be considered a processor, is equally obligated to comply with the obligations established in this document for the processor and the instructions issued by the client (as the controller). It is the responsibility of the initial processor to regulate the new relationship so that the new processor is subject to the same conditions (instructions, obligations, security measures…) and with the same formal requirements regarding the proper processing of personal data and ensuring the rights of the affected individuals. In case of non-compliance by the subprocessor, the initial processor remains fully responsible to the controller regarding the fulfillment of obligations.


Additionally, it is the client’s responsibility, as the data controller, to:


Provide the processor with the data necessary for the service provision.

Conduct, where appropriate, an impact assessment on personal data protection for processing activities to be carried out by the processor.

Conduct prior consultations as necessary.

Ensure compliance with the GDPR by the processor prior to and during the entire processing period.

Supervise the processing, including conducting inspections and audits.


Accuracy of personal data

The data subject guarantees that the data provided are truthful, accurate, complete, and up to date. The data subject shall inform us of any changes to the data provided through the channels referenced in the header of this policy.


Confidentiality and Security of Data

Circular-Lab is committed to protecting the information you provide us. Therefore, Circular-Lab, in response to the trust placed in the Company and considering the importance of protection and confidentiality required for your personal data, informs you that it has adopted the necessary technical and organizational measures to ensure the confidentiality, availability, integrity, and resilience of its systems and processing services. To this end, we use security measures designed to provide an appropriate level of security for the risk of processing the personal data provided. However, the user should be aware that Internet security measures are not impregnable, and while we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss, or breaches will never occur.


Privacy Policy Updates

This Privacy Policy was updated in September 2024. Circular-Lab reserves the right to modify its data protection policy in the event of changes to current legislation, judicial doctrine, or for its own business criteria. If any changes are made to this policy, the new text will be published at the same address.