Data Protection Policy
As part of its activities as a medical genetics and molecular pathology laboratory, it is essential for GenoMed – Diagnósticos de Medicina Molecular, S.A., (“GenoMed”) to collect and process personal data. In fact, carrying out genetic tests to support clinical or prenatal diagnosis, as well as pre-symptomatic tests in the areas of oncology and genetic diseases and pharmacogenetics (hereinafter “clinical genetic tests”), paternity, genealogy and ancestry tests (hereinafter “nonclinical genetic tests”), as well as other molecular biology analyses, necessarily involves the processing of personal data of users/customers.
Increasingly frequent interaction with users of our websites, applications and digital services (hereinafter collectively the “Platforms“) also requires, in some cases, the collection of personal information from you in order to take advantage of services provided by GenoMed, or the collection of data from your device (through files known as cookies) to improve the performance of those Platforms.
Therefore, this GenoMed Data Protection Policy (hereinafter the “Data Protection Policy“) aims to inform data subjects whose personal data we process about the essential aspects of such data processing. The categories of data subjects whose personal data are processed by GenoMed include our customers (where they are natural persons) and users of the Platforms (hereinafter jointly referred to as “Customer(s)“), healthcare professionals prescribing genetic or molecular pathology tests carried out by GenoMed, business partners who are natural persons, or their representatives or contact persons with whom we interact in the course of our business, GenoMed’s interlocutors in regulatory or other relevant administrative entities, or associations of companies that have a relationship with GenoMed, researchers, physicians or other members of the scientific community who also interact with GenoMed as part of their business (hereinafter the Customers and persons falling into the other categories of data subjects are jointly referred to as “Data Subjects“).
Why do we process your personal data?
GenoMed is committed to protecting the security and privacy of Data Subjects. In this context, it has drawn up this Data Protection Policy in order to state its commitment to and respect for the rules of privacy and protection of personal data.
We intend the Data Subjects to be aware of the general privacy rules and the terms of processing the data we collect, in strict respect and compliance with the applicable legislation in this field, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“General Data Protection Regulation” or “GDPR“).
The performance of the activities developed by GenoMed, both with regard to its core activities of carrying out genetic and molecular pathology tests, and with regard to complementary activities with the implementation of quality systems, marketing initiatives or of a scientific nature, involves the processing of personal data of the Data Subjects.
In this Privacy Policy we specify the grounds justifying the processing of personal data in relation to the various categories of Data Subjects in the section “WHY DO WE PROCESS YOUR PERSONAL DATA?“.
What is personal data?
Personal data shall mean any information, of whatever nature and whatever its support, including sound and image, concerning an identified or identifiable natural person (“Data Subject“). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to more specific elements of his or her physical, physiological, mental, economic, cultural or social identity.
There are certain categories of personal data which, by their nature, are particularly sensitive from the point of view of the fundamental rights and freedoms of data subjects and are classified in the GDPR as “special categories of data“. These may relate to the racial or ethnic origin of the data subject, their political opinions, religious or philosophical beliefs, genetic information, biometric identifiers, sex life, sexual orientation or the health of the data subjects.
Personal data falling within special categories of data includes “health data” and “genetic data“.
Data concerning health shall be data on the health status of a data subject which reveal information about his or her past or present physical or mental health, including information about the natural person collected during enrolment for, or in the course of, the provision of healthcare services, (i) any number, symbol or particular assigned to a natural person in order to uniquely identify him or her for healthcare purposes (ii) information obtained from the analysis or examination of a body part or bodily substance, including from genetic data and biological samples; (iii) any information about, for example, a disease, disability, disease risk, medical history, medical treatment or physiological or biomedical condition of the data subject regardless of its source, such as a doctor or other health professional, a hospital, a medical device or an in vitro diagnostic test.
“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person, and which result in particular from the analysis of a biological sample from the natural person in question, including chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA), or from the analysis of another element enabling equivalent information to be obtained.
Other important definitions
Processing – an operation or set of operations which is performed upon personal data or sets of personal data, by automated or non-automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller – a natural or legal person, public authority, agency or another body which alone or jointly with others determines the purposes and means of the processing of personal data;
Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Third party – a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data;
Consent of the data subject – free, specific, informed and explicit expression of will, by which the data subject accepts, through a declaration or unequivocal positive act, that personal data concerning him or her may be processed;
Personal data breach – breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed;
Pseudonymisation – the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the need for further information, provided that such further information is kept separately and subject to technical and organisational measures to ensure that personal data cannot be attributed to an identified or identifiable natural person;
Anonymisation – a technique resulting from the processing of personal data in order to remove sufficient detail from the data to no longer be able to identify the data subject irreversibly. More precisely, the data must be processed in such a way that they can no longer be used to identify a natural person using “all the means likely reasonably to be used”, whether by the controller or by a third party. The main techniques for anonymising personal data are randomisation and generalisation;
Supervisory authority – an independent public authority established by a Member State, with responsibility for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of data within the Union. In Portugal, the supervisory authority will be the National Commission for Data Protection (“CNPD”);
International data transfers – transfers of personal data that are or will be subject to processing after transfer to a third country (not located in the European Union) or to an international organisation, and the transfer may occur between two or more controllers, or between controllers and processors;
Who is the data controller of your personal data?
The Data Controller of the personal data of the Data Subjects is GenoMed.
As part of its clinical genetic and molecular pathology testing activities, GenoMed will be the data controller from the moment it receives test requisitions submitted by healthcare facilities, which contain the personal data of the users necessary to perform the prescribed test. Alternatively, GenoMed will be the data controller from the time of the scheduled sample collection in cases where GenoMed collects the data itself, and from samples by its own means, which may be for clinical genetic testing and molecular pathology analysis, and is generally the case for non-clinical genetic testing.
GenoMed will also be responsible for processing Customer data for the purposes of administrative management of the services it provides to them. In this regard, GenoMed will be responsible with respect to the processing of data necessary for the billing of services and to establish contact with Customers in the context of the provision of services (e.g., in response to complaints, requests for clarification, suggestions, quality and satisfaction surveys).
Regarding the processing of Customer data for purposes linked to the marketing of services – such as sending direct marketing communications through different communication channels, both physical and digital, for the purposes of improving our services and meeting our administrative and commercial objectives, internal audit and compliance of systems and processes, the Controller will also be GenoMed.
What personal data do we collect and by through means?
Personal data of Data Subjects may be collected directly in connection with genetic testing when GenoMed collects samples and personal identification and contact data in direct interaction with you, in the use of our Platforms, or when you contact us. We may also receive your personal data indirectly through Health Care Facilities or Laboratories with which we collaborate, or through other service providers who provide services on our behalf, or our partners.
Your personal data processed by GenoMed may include personal data directly or indirectly relating to your health, as well as genetic data.
Categories of personal data we process and means and timing of collection
Categories of data processed | Means and time of collecion |
Identification and contact details | - Through our website and in accordance with its Privacy and Cookies Policy; - In connection with clinical and non-clinical genetic testing. |
- Through our website and in accordance with our Privacy and Cookie Policy; | |
Name, phone number, e-mail, message subject and other personal data you choose to share | Through the contact form on our website and in accordance with our Cookies and Privacy Policy. |
Health and genetic data | In the context of clinical and non clinical genetic testing. |
Data concerning your health, genetic data, racial or ethnic origin within the scope of clinical research activities (to be specified by the monitor or investigator of the study/trial when requesting informed consent for participation in the study/trial) | In the course of clinical studies/trials, or epidemiological studies if you have decided and consented to participate. |
Special Categories of Personal Data
In providing our services, we will necessarily need to collect data relating to your health and genetic data. In certain cases, we may need to collect data relating to your racial or ethnic origin. Such information is considered “special categories of data” under the GDPR and GenoMed will observe the more stringent protection requirements set out in the GDPR when processing such data, both in relation to the appropriate lawful grounds for processing (see the section “ON WHAT LEGAL BASIS DO WE PROCESS YOUR PERSONAL DATA? “below) and the implementation of appropriate technical and organisational measures to minimise the processing, restrict access and ensure the security of such data (see section “WHAT ARE THE SECURITY MEASURES ADOPTED BY GENOMED?“).
What are the purposes of collecting your personal data?
The personal data of Data Subjects are processed by GenoMed for a variety of purposes, including:
- Processing of personal data of healthcare professionals and users to perform clinical genetic tests and molecular pathology analyses as part of the provision of healthcare, and the performance of clinical research activities, including the transmission of the results report to the Client, and/or to the healthcare professional requesting the test;
- Processing of Customers’ personal data in the context of non-clinical genetic tests (such as paternity, genealogy and ancestry tests);
- Administrative management of test requests and other documentation submitted by Customers, by health care providers where they are followed and by health sub-systems, as well as the reception of samples and the performance of collections when these are carried out directly by GenoMed;
- Customer and business partner data as part of the management of GenoMed’s systems and services related to its clinical and non-clinical genetic testing and molecular pathology activities and the operation of its Platforms;
- Use of pseudonymised Customer data for statistical and genetic variant knowledge gathering purposes;
- Customer, business partner and healthcare provider data for billing and collection, compliance with accounting, tax and financial reporting obligations;
- Quality management through the participation of the Data Holders in satisfaction surveys;
- Contact with our Clients for appointment management, information provision and client relationship management;
- Complaints management;
- Auditing, quality certification and continuous improvement of the services provided by GenoMed;
- Marketing initiatives, such as sending newsletters and informative and marketing communications that are considered relevant to the promotion of our services;
- Contacts with healthcare professionals to streamline processes relating to tests and analyses performed by GenoMed, and as part of networking and knowledge sharing initiatives;
- Scientific collaboration and knowledge sharing with external researchers.
- Transmission of Customers’ personal data to health units/health professionals requesting the respective tests, as well as to courts, criminal police bodies and other competent administrative entities in the exercise of their authority powers.
On what legal basis do we process your personal data?
GenoMed will only process your personal data where it is properly entitled to do so. The GDPR requires that for the processing of personal data to be lawful, there must be an adequate legal basis for each specific processing. Such grounds may be of various kinds.
Thus, the processing of personal data of Data Subjects by GenoMed may be based on the following lawful grounds:
- With regard to the processing of health-related data and genetic data, in the context of its activity of carrying out clinical genetic tests, and molecular pathology analyses, on the basis of the written consent of users (art. 9(2)(a) of the GDPR), in the circumstance that (i) such processing is necessary for the purposes of medical diagnosis, or the provision of health care (art. (ii) processing is necessary in the field of public health for the purposes of ensuring a high level of quality and safety of health care and medicinal products or medical devices, including epidemiological studies (art. 9(2)(i) of the GDPR), in which case the rules applicable to clinical research activities shall be complied with, in particular to safeguard the rights and freedoms of the Data Subjects or (iii) processing is necessary for scientific research and/or statistical purposes (art. 9(2)(i) of the GDPR), and technical and organisational measures for data protection shall be taken;
- Regarding the processing of genetic data, within the scope of its activity of carrying out nonclinical genetic tests, upon consent of the respective holder (art. 9 paragraph 2 point a) of the RGPD), or for the purpose of complying with a legal obligation resulting from a decision by an administrative or judicial entity with authority powers (art. 9 paragraph 2 point f) of the RGPD);
- The processing of identification data, contact data, professional data and financial information of Data Subjects may be based on (i) the performance of a contract to which the Data Subject is a party, or a contract entered into between GenoMed and an entity of which the Data Subject is part as an employee or representative, (ii) consent of the Data Subject, (iii) compliance with legal obligations to which the Controller is subject as a medical genetics laboratory which is subject to the rules applicable to healthcare providers, and obligations of a general nature applicable to it such as tax obligations reporting and auditing obligations, and (iv) the pursuit of legitimate interests of the Controller (except where the interests and fundamental freedoms of the data subject prevail) in the context of processes implemented in the field of its quality management policies and attaining certifications, in the context of scientific collaboration initiatives with research institutions involving knowledge sharing with external researchers, in responding to requests for information or complaints addressed to it through GenoMed’s website, or by other means of contact (e-mail, post or telephone).
As regards the processing of personal data carried out by GenoMed to inform you of news and offers of interest to you and to personalise and improve your experience as a Client (through customer satisfaction surveys), the lawful basis for such processing is consent from the Data Subject.
In accordance with the RGPD, in cases where the basis for the lawfulness of the processing of personal data is based on the consent of the Data Holder, the Data Holder has the right to withdraw their consent at any time, and the withdrawal of consent shall not compromise the lawfulness of the processing carried out on the basis of the consent previously given.
For more information about your rights under the GDPR, please see the section “WHAT ARE THE RIGHTS OF THE DATA SUBJECTS?” below.
GENOMED’S RELATIONSHIP WITH HEALTH UNITS
Due to the regulatory framework applicable to the performance of genetic tests, the clinical genetic tests performed by GenoMed are always the subject of a requisition signed by a health professional, whereby patient/user data is transmitted from the Health Units where the Customers are followed to GenoMed for the purposes of performing the prescribed test. For molecular pathology analyses, the data flow is the same.
In these requests, the healthcare professionals concerned must complete a specific form for the test or analysis prescribed, namely using the templates that are available on the GenoMed website (www.genomed.pt) and/or previously shared by GenoMed.
The Health Unit requesting the tests and/or analyses is responsible for collecting personal data, taking samples (when this takes place in hospital) and collecting informed consent from the patient for the purpose of complying with the legal requirements applicable to the performance of genetic tests and/or the provision of other health care.
How long do we keep your personal data?
The personal data that GenoMed collects is processed in strict compliance with applicable legislation and is stored in specific databases created for this purpose.
The period of time for which data are stored and retained varies according to the purpose for which the information is used. There are, however, legal requirements that oblige data to be kept for a certain period of time.
The periods for which GenoMed retains personal data are as follows depending on the categories of data being processed:
- Personal data necessary for the provision of healthcare to Data Subjects and their family members, shall be kept under the terms of the legislation applicable to the archiving of hospital documentation and for the periods defined therein, and other applicable legislation, but in any case for a minimum period of 5 years from the date of the respective reports of the results of the tests performed by GenoMed;
- The data necessary for billing the services provided by GenoMed will be kept for a period of 10 years;
- Data processed and stored as part of contractual relations to which GenoMed is a party are retained until the expiry date of the rights in question, the general limitation period being 20 years;
- Data processed as part of quality assessment and control processes, in the context of waste treatment and management, and regulatory and compliance procedures, are retained for a period of 5 years;
- Data processed by GenoMed in connection with marketing initiatives, professional networking and scientific initiatives for the exchange and sharing of knowledge are retained for a period of 5 years from the date of collection of the data, or the last interaction at the initiative of the data subject.
What are the rights of the data subjects?
Under the terms of the applicable legislation, the data subject may at any time request access to personal data concerning him or her, as well as their rectification, erasure or limitation of processing, the portability of his or her data, or oppose their processing, directly through the telephone number (+351) 21 799 95 01, the e-mail address rgpd@genomed.pt or by contacting GenoMed in person.
In the case of data relating to your health, your right of access to health information (or that of a third party with your consent or as permitted by law) may be exercised directly, or through a physician if the data subject so requests, by written request to GenoMed’s data protection contact at the contact details below.
Data subjects may obtain confirmation of, and access to, the personal data concerning them that is being processed, and will be provided with a copy of the data being processed by GenoMed if they so request, and in the absence of legal restrictions.
Where a Data Subject requests exercise of their rights, GenoMed may ask the Data Subject to specify what information or processing activities their access request relates to, so that GenoMed can provide the requested information without jeopardising GenoMed’s trade secrets or intellectual property rights.
In accordance with the law, Data Subjects are also guaranteed the right, by the above-mentioned means, to withdraw their consent for the processing of data for which consent is the basis for the lawfulness of the processing.
To this end, the Data Subject has the right to withdraw his or her consent at any time, which shall not, however, invalidate the processing carried out until that date on the basis of the consent previously given.
The Data Subject may also, at any time, request the elimination of his/her personal data, under the terms of the law. Nevertheless, the party which is Data Controller in each case may refuse to grant their request for erasure of the data in certain situations, in particular where the data are still necessary for the purpose for which they were collected or where the processing is required for compliance with a legal or contractual obligation under the applicable legislation, or where the data are held by GenoMed only in an anonymised form.
The Customer also has the right, under the terms of the applicable legislation, to request the limitation of the processing, to oppose the processing or to obtain the portability of his or her data, provided the legal conditions are met. To this end, you must submit a request to the contacts mentioned below.
Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to lodge a complaint with the CNPD or another competent supervisory authority under the law, should he or she consider that his or her data is not being legitimately processed by GenoMed under the terms of the applicable legislation and this Policy.
What are the security measures adopted by GenoMed?
GenoMed is committed to ensuring the confidentiality, protection and security of the personal data of Data Subjects, through the implementation of appropriate technical and organisational measures to protect their data against any form of improper or illegitimate processing and against any accidental loss or destruction of such data. To this end, we have systems and teams in place to guarantee the security of the personal data processed, creating and updating procedures to prevent unauthorised access, accidental loss and/or destruction of personal data, undertaking to comply with the legislation on the protection of Customers’ personal data and to process such data only for the purposes for which they were collected, as well as to guarantee that such data is treated with adequate levels of security and confidentiality.
Because we recognise the sensitivity of this information, and in order to ensure compliance with applicable rules on personal data protection, we have provided our employees with the necessary training. In addition, our employees are committed to not revealing to third parties, or using for purposes contrary to the law, any personal information about GenoMed’s customers that comes to their knowledge in the course of their work.
In this context, for any questions regarding the protection of personal data you may contact the GenoMed data protection contact using the contact details below.
Under what circumstances is data disclosed to other entities?
GenoMed uses other entities to provide certain services, including other laboratories that it subcontracts to perform certain genetic tests that are not performed internally, and other service providers, such as computer systems support services, consulting firms and external entities that perform auditing activities. These services may involve access by the subcontractors to personal data of GenoMed’s customers and/or health professionals, or data of business partners.
In such circumstances, any GenoMed sub-contractor will process our Data Subjects’ personal data only to the extent necessary for the provision of those services, in our name and on our behalf, and strictly in accordance with our instructions.
Where subcontracting other laboratories to perform certain genetic testing or molecular pathology analyses, the subcontracting laboratories will be required to have access to the Personal Data of the Customers concerned.
GenoMed has defined clear rules of engagement for the processing of personal data with its subcontractors, and requires them to adopt appropriate technical and organisational measures to protect the rights of the Data Subjects concerned.
GenoMed may also transfer personal data of its Customers to third parties where necessary under applicable law, in compliance with legal obligations/judicial orders, or to respond to requests from public or government authorities, for the purposes of medical diagnosis, the provision of health care or treatment, or for the purposes of certification, evaluation, and measurement of GenoMed’s service levels.
In any of the above situations, GenoMed undertakes to take all reasonable steps to ensure the effective protection of the rights, freedoms, and guarantees of Data Subjects.
GenoMed also processes personal data in the context of partnerships with other laboratories, acting on behalf of other laboratories as a subcontractor, in which case such relationships involving subcontracting are governed by a written contract in accordance with the provisions of the regulations applicable to medical genetics laboratories and with Article 28 of the GDPR.
Under which circumstances may your data be subject to international transfers?
In connection with obtaining certifications, evaluating and measuring service levels, and subcontracting, GenoMed may transfer some of your personal data to third countries (outside the European Union or the European Economic Area). Also as a subcontractor, and strictly as provided contractually and on written instructions from the controller, GenoMed may transfer your personal data to third countries or international organizations. In such cases, GenoMed will implement the necessary and appropriate measures under applicable law to ensure the protection of personal data subject to such a transfer, strictly complying with legal provisions regarding the requirements applicable to such transfers, in particular by informing Customers in this regard.
Should the outsourcing of the processing of personal data involve the transfer of personal data by GenoMed to a third country that is not the subject of a European Commission adequacy decision for not ensuring an adequate level of protection, GenoMed shall regulate such data transfers using the standard contractual clauses providing adequate protection guarantees approved by the European Commission for the transfer of personal data to third countries.
Contact us
You may contact the GenoMed personal data protection contact for further information about the processing of your personal data, as well as any questions related to exercising your rights under applicable law, and in particular those referred to in this Data Protection Policy, at the following contact details:
Telephone: (+351): (+351) 21 799 95 01
e-mail: rgpd@genomed.pt
Address: Edifício Egas Moniz, Sala P3-A-23 Av. Prof. Egas Moniz – 1649-028 LISBOA
How can you become aware of any changes to our data protection policy?
GenoMed reserves the right to make modifications or updates to this Data Protection Policy at any time and these changes will be duly updated on our Platforms. We suggest you consult them regularly to be aware of any changes.
Date of last update: April 19, 2023.