Data protection

Privacy policy

Introduction

Ketterthill processes your personal data as part of its medical biology business and website management, in accordance with current legislation.

This policy provides information on how Ketterthill processes your personal data.

This policy, which is accessible on our website, is updated regularly to take account of legislative and regulatory developments and any changes in the processing operations carried out by Ketterthill. This version of the policy is a translation of the French version of the policy. In the event of contradiction, the French version of the privacy policy shall prevail.

This policy was updated on 11 March 2024.

What are our commitments?

We undertake to comply with the applicable regulations for all processing of personal data that we carry out. Therefore, we undertake to comply with the following principles:

  • We process your personal data lawfully, fairly and transparently;
  • We collect your personal data for specific, explicit, and legitimate purposes and will not process it in a manner inconsistent with these purposes;
  • We ensure that personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
  • We make every effort to ensure that the personal data is accurate and, if necessary, updated. We take all reasonable steps to ensure that inaccurate personal data, in relation to the purposes for which it is processed, is deleted or rectified without delay;
  • We retain your personal data in a form that allows your identification only for the period necessary for the purposes of the processing;
  • We guarantee an appropriate level of security for the personal data we process.

These commitments are demonstrated as follows:

  • We respect your privacy.
  • We guarantee that the protection and security of your personal data is one of our main focuses.
  • We do not use your personal data for purposes that have not been brought to your attention.
  • We do not consider that your personal data should be stored for an unlimited period.
  • We do not sell your personal data to third parties.
  • We work with trusted partners who provide sufficient guarantees as to the implementation of technical and organisational measures so that our processing meets the requirements of the applicable regulations.
  • We respect your rights as a data subject and as a patient and make every effort to fulfil your requests as long as they are well founded.

How do we collect your personal data?

Personal data may be collected directly from you, for example via our website or during your appointment.

It may also be collected indirectly through partners or clients (hospitals, doctors, private laboratories, etc.) who need to use the expertise of the Ketterthill laboratory. In this case, your data will be transmitted securely.

What personal data do we process?

We remind you that personal data is information relating to an identified or identifiable natural person (the “data subject”), such as your first and last name, postal address or data concerning health (“health data”).

We undertake to process only personal data that is strictly necessary for the purposes for which it is collected, and to keep it only for as long as is necessary for those purposes.

The categories of personal data we process are as follows:

| Processing activity | Legal basis | Personal data category | Retention period (active database**) |
| --- | --- | --- | --- |
| Laboratory management (carrying out your examinations, interpreting and transmitting your results and administrative management of the practice) | Performance of the contract | Identification data*, health data* and social security number | 5 years from last visit |
| Anonymisation of data for re-use for scientific research or quality control purposes | Legitimate interest (implementation of specific guarantees relating to processing for scientific research or quality control purposes) | Health data* | N/A (anonymised data) |
| Satisfaction surveys | Legitimate interest (improvement of services) | Identification data* | Survey duration |
| Website management | Legitimate interest (management of contacts, logins, account creation) | Identification data*, connection data and logs, data relating to the management of contacts and the creation of accounts | 3 years from the last contact; 6 months for connection logs |
| Management of online orders and payments | Performance of the contract | Identification data*, order related data, bank details | 3 years from the end of the contractual relationship; 10 years from the date of issue for invoices; the duration of the transaction for bank details |
| Recruitment management | Performance of pre-contractual measures | Identification data*, data related to the candidate’s professional situation | 2 years from date of application (unless opposed) |
| Supplier management | Performance of the contract | Identification data*, professional data | 3 years from the end of the contractual relationship; 10 years from the date of issue for invoices |
| Clients management | Performance of the contract | Identification data*, professional data | 3 years from the end of the contractual relationship; 10 years from the date of issue for invoices |
| Video surveillance *** | Legitimate interest (safety of people and property, patient flow management) *** | Video and audio recordings in the event of an incident *** | 1 month maximum *** |

* For example, surname and first name are considered to be identification data, and biological results are considered to be health data;

** Once the storage period in the active database has expired, the data may be stored in intermediate archives for longer periods, in particular if their storage is required by the Public Health Code or to protect the rights and interests of the Cerba laboratory when longer prescription periods are provided for.

*** The presence of video surveillance, the data processed and the retention period depend on the sites according to their needs, in compliance with the legislation in force.

Who can access your personal data?

Your data will only be communicated, where necessary, to the following recipients:

  • Authorised Ketterthill staff and, where applicable, authorised Cerba Healthcare Gestion and Cerba Healthcare support staff (e.g. internal audit, legal department);
  • Subcontractors and trusted service providers, particularly those responsible for IT;
  • If necessary, the reference medical biology laboratories to which your samples are sent for analysis;
  • The administration as part of our legal obligations, in particular the E-Santé agency as part of the supply of your personal medical file (DSP);
  • Sponsors/Promoters and/or CROs for scientific research projects, quality control or statistical studies;
  • In the case of video surveillance, the authorised personnel of the site concerned, as well as the competent authorities in the event of an investigation.

We make every effort to ensure that the number of such persons remains as small as possible.

We only provide our trusted service providers with the information they strictly need to provide the service and they may not use your personal data for any other purpose.

We always make our best efforts to ensure that all our trusted service providers with whom we work maintain the security of your data.

We also ensure that when our relationship with a trusted service provider comes to an end, the service provider deletes your personal data without delay.

We select our trusted service providers with great care, ensuring that they offer sufficient guarantees, particularly in terms of expertise, reliability and resources, to implement technical and organizational measures capable of meeting the requirements of applicable legislation, particularly in terms of security. In this respect, we ensure that our trusted service providers process personal data only on our documented instructions. We also ensure that their staff have undertaken to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.

What guarantees are there in the event of data being transferred outside the European Union?

When your personal data has been entrusted to Ketterthill by a correspondent located outside the European Union, who has itself carried out your sampling, the results are communicated to them by us in a secure manner, and their transfer is carried out in compliance with articles 45 et seq. of the GDPR.

What are your rights as a data subject?

1. Under Regulation 2016/679 on the protection of personal data, you have the right to access, object to, rectify and delete your personal data, as well as the right to limit the processing of this data.

  • The right of access allows you to ask an organisation if it holds data about you and to have it communicated to you in order to verify its content.
  • The right to object allows you to object, on legitimate grounds, to your data being used by an organisation for a specific purpose. In the case of prospection, you may object to the processing without legitimate grounds.
  • The right of rectification allows you to request the rectification of inaccurate or incomplete information concerning you. This prevents an organisation from using or circulating incorrect information about you.
  • The right to erasure allows you to ask an organisation to erase your personal data. Please note, however, that in order to comply with our legal obligations and to establish, exercise or defend legal claims, we cannot delete the contents of your medical file.
  • The right to limit processing allows you to ask an organisation to temporarily freeze the use of some of your personal data.

For more information about your rights and how to exercise them, visit www.cnpd.lu.

2. As part of the Luxembourgian law on the reform of the healthcare system of 17 December 2010, which provides for the introduction of a platform for sharing and exchanging medical data between the healthcare professionals involved in your care, the results of your examinations will be sent to the digital health agency (“Agence E-Santé”) and recorded in your personal medical record (“Dossier Médical Personnel”, or “DSP”).

You may object to the transmission of your health data to the Agence E-Santé as part of the DSP. You can notify us of your objection either directly at one of our collection centres or by sending us a written message.

You may exercise your rights listed above:

  • Either by mail, to the Laboratory’s “Data Protection Officer” at the following address: Laboratoire Ketterthill, Att. Délégué à la protection des données, 8 Avenue du Swing, L-4367 Belvaux;
  • Or by e-mail to this address: dataprotection@ketterthill.lu or by filling in the contact form and choosing the subject “Data Protection”.

If you feel that your rights have not been respected, particularly after contacting us, you may submit a complaint to the CNPD.
