Privacy Policy

Stago, when acting as a controller in a manner that attracts compliance obligations in your jurisdiction,  will handle your personal data in accordance with applicable laws and this policy.

In order to protect your privacy and your personal data as effectively as possible, we have appointed  a data protection officer. This person, who is the privileged point of contact for the supervisory  authority, is responsible for ensuring that we process your data in accordance with applicable law.

You can contact our data protection officer at the following address: dpo@nullstago.com

We are committed to ensuring the highest possible level of protection for the persons whose personal  data we process ("data subjects"). 

We follow the applicable regulations for relevant data protection laws and we are committed to  respecting the following principles:

• We process your personal data in a lawful, fair and transparent manner;
• We collect your personal data for specific, explicit and legitimate purposes and will not process  it in a way incompatible with these purposes (Limitation of purposes);
• We ensure that the personal data processed are adequate, relevant and limited to what is  necessary for the purposes for which they are processed (data minimisation); • We do our best to ensure that personal data is accurate and, if necessary, kept up to date. We  will take all reasonable measures to ensure that inaccurate personal data, having regard to the  purposes for which they are processed, are deleted or rectified without delay (Accuracy);
• We keep your personal data in a form allowing your identification only for the time necessary  for the purposes of the processing (Storage limitation)
• We process your personal data in such a way that is appropriate to secure against illegitimate  access, unauthorized alteration, or destruction for said data using technical and organizational  measures (integrity and confidentiality).
• We make sure to be able to demonstrate our compliance (accountability)

These commitments are manifested as follows:

• We respect your privacy and your rights;
• We ensure that the protection and security of your personal data are at the center of our  concerns;
• We consider each processing operation taking into account the principles of data protection,  in order to satisfy the principle of data protection by design;
• We will not use your personal data for purposes that have not been brought to your attention or cannot otherwise be reasonably anticipated; We will only store your personal data in accordance with requirements at law
• We only share your personal data within Stago (including its affiliates), and with our processors (as defined below). We do not sell your personal data to third parties;
• We are committed to securing and protecting your personal data. To this end, we only work  with trusted partners (our processors) who provide appropriate levels of guarantees for the  protection of personal data;
• We respect your rights and will do our best to satisfy your requests, if they are justified.

We remind you that personal data is information relating to an identified or identifiable natural person,  which may include your email address, your first and last name, your IP address, etc.

We collect your personal data as part of our sales, after-sales service, distribution, and promotion purposes. In some cases, we collect your personal data directly from you. In other cases, your personal  data is communicated to us by a third party (our customers, our suppliers, etc.).

The personal data that we are likely to collect and process are, for example:

• Identification data, such as your first and last name, your address, your telephone number,  your e-mail address, your profession;
• Application data, such as your CV, diplomas, professional experience, if you wish to apply to  Stago;
• Data relating to an order or a service provided to us, if you are a supplier or service provider  to Stago.

The processing of personal data carried out by Stago has an explicit, legitimate and determined  purpose.

Your personal data may for example be processed for the following purposes:

• If you are a customer or a prospect, we may process your personal data for the following  purposes:
  • managing our relationship with you;
  • organization, registration and invitation to events, trainings and webinars;
  • management and follow-up of customer, supplier and third party files;
  • prevention of money laundering and terrorist financing and the fight against corruption;
  • invoicing;
  • accountability.
• If you submit an application for a position within Stago, we may process your data in order to  manage your application.
• If you have subscribed to our newsletter, we may also process your personal data in order to  send you said letter by e-mail.
• If you are one of our supplier or service provider, we can finally process your data for the  management of our relationship with you.

If we need to process your personal data for any purpose other than a purpose originally  communicated to or reasonably anticipate by you, the purpose of the processing will be communicated  to you on a case-by-case basis, for each such additional processing that we carry out on your personal  data.

We always ensure, when we process your personal data, that the processing has a lawful purpose and  is carried out in accordance with applicable law and this policy.

The following purposes and processes  may apply:

• When you have personally entered into a contract with Stago, and the performance of this contract  requires us to process your personal data, the legal basis for the processing is the performance of the  contract. For example, this could be the case if you are a Stago employee.
• When processing is necessary for the execution of pre-contractual measures taken at your request,  our legal basis is based on these pre-contractual measures. For example, this is the case when you  submit an application for a position to us, which requires us to review your CV in order to make a  decision on your application.
• When the processing is necessary for the purposes of the legitimate interests which we pursue, our  legal basis is constituted by these legitimate interests. For example, the processing of your personal  data for prospecting purposes as part of the management of the contract of the company for which  you work, as part of our clinical studies which are of a public interest nature and are necessary for the  development of our medical devices.
• We may also process your personal data by relying on another of the legal bases listed in local and /  or European legislation or regulations that are applicable to Stago as an employer or private company  based in the European Union. For example: compliance with a legal obligation to which Stago is subject,  your consent to processing.

Stago will keep your personal data only for the time necessary for the purposes for which they are  processed, and in accordance with applicable legislation. Thus, the retention period of your personal  data depends on the purpose of the processing to which they are subject, according to the  correspondences below:

• Management of the relationship with our clients: 5 years from the end of the relationship with  the client;
• Organization, registration and invitation to Stago events: 3 years from the end of the  relationship with the person concerned if they are a client and 3 years from the last contact if  the person concerned is a prospect;
• Prevention of money laundering and terrorist financing and fight against corruption: until the  legal or regulatory obligation incumbent on us is satisfied;
• Invoicing: 10 years from the end of the financial year concerned;
• Accounting: 10 years from the end of the financial year concerned;
• Management of candidates for a position: 2 years from the last contact with the candidate;
• Sending our newsletter: the duration of the newsletter subscription;
• Management of relationships with service providers and suppliers: 5 years from the end of the  relationship;
• Response to requests sent to us through the contact form on our websites: the time required  to respond to the request concerned.

Authorized persons within Stago and in some cases, our trusted processors, may access your personal  data. We do our best to ensure that the number of such persons is kept as small as possible and to  maintain the confidentiality and security of your personal data.

We only provide our processors with the information they need in order to provide the service and ask  them not to use your personal data for other purposes. We always do our best to ensure that all of our  processors with whom we work maintain the integrity, availability, confidentiality and security of your  data. When our relationship with a trusted processor comes to an end, we require that processor  deletes your personal data as soon as possible.

We select our processors with great care, ensuring that they provide sufficient guarantees, particularly  in terms of expertise, reliability and resources, to implement the technical and organizational  measures to meet the requirements of the applicable legislation, in particular the security of the  processing. In this regard, we require that our processors process your personal data only on our  documented instructions. We also require that their staff are committed to confidentiality or are  subject to an appropriate legal obligation of confidentiality.

We may ask our processors to provide a service that requires the processing of your personal data, for  example in the following cases:

• hosting our website;
• the storage of your personal data;
• maintenance of our hardware / software.
• Where applicable, we ensure that the use of these processors does not infringe our obligation of confidentiality.

Your personal data may be stored in Australia, the European Union (EU), and/or the European  Economic Area (EEA) by Stago and its processors.

By providing us with your personal data, you acknowledge that your personal data may be used, stored, and disclosed overseas, including in jurisdictions that may not provide equivalent levels of data  protection as your home jurisdiction. To protect your personal data, we take care to work with entities,  partners, and service providers who are based in countries that provide adequate levels of data  protection, or we otherwise take steps to ensure that your personal data receives adequate levels of  data protection in the jurisdictions in which it is processed in accordance with all applicable privacy  laws.

On a case-by-case basis, we will inform you of our intention to transfer personal data to a third country,  of the existence or not of an adequate decision of the Commission and, where appropriate, of the  reference to the appropriate safeguards and the means of obtaining a copy or the place where they  have been made available.

Depending on the processing operations to which your data is subject, you may have the following rights:

The right to obtain confirmation from us whether or not personal data concerning you is being  processed (right of access). If this is the case, you can access your personal data and obtain  information such as the purpose of the processing, the categories of personal data concerned,  etc.;

• The right to update or correct your personal data by contacting us, or by amending your  information on your account if applicable.
• The right to obtain from us the rectification of inaccurate personal data concerning you (right  of rectification);
• The right to obtain the erasure of your personal data, provided that one of the reasons  justifying this right applies (right of erasure);
• The right to obtain restriction of processing, when one of the reasons justifying the exercise of  this right applies (right to restriction of processing). If you choose to limit the personal data we  process about you we may not be able to communicate with you or fulfil our purposes or  services as outlined above;
• The right to remain anonymous or use a pseudonym. If you do not provide us with some or all  of the personal data we request, or request to remain anonymous, we may not be able to  provide you with the relevant services and this may also have an effect on whether we can  begin or continue a relationship with you;
• The right to data portability when the processing is based on consent or a contract and the  processing carried out using automated processes;
• The right to object, for reasons relating to your particular situation, to certain processing of  personal data (right of objection);
• The right not to be the subject of a decision based exclusively on automated processing  including profiling except in cases which allow it.

To exercise these rights, you can contact us at the following address: dpo@nullstago.com
In order for us to process your request satisfactorily, you may need to prove your identity, by whatever  means we reasonably request. If in doubt on our part, we may ask you for additional information,  including the secure transmission of a copy of an identity document, signed by you.

We will do our best to promptly satisfy your requests. Whatever our response, we will get it to you  within one month, but our response time may be extended by an additional reasonable period of time,  depending on the complexity and number of requests or if we require further information from you.

If you request to access your data, we may require the payment of reasonable fees which take into  account the administrative costs incurred in providing the information, making communications, or  implementing the measures requested by the data subject.

If, for any reason whatsoever, you consider that our response is not satisfactory, we inform you that  you can lodge a complaint with the relevant supervisory Authority in your jurisdiction, which may  include the below:

European Union: For more information about the GDPR, please contact the European Data Protection  Supervisor, the European Union’s independent data protection authority or visit their website at:  https://edps.europa.eu/. 

Australia: For more information about protecting your privacy in Australia, please contact the Office of  the Australian Information Commissioner (“OAIC”) via their website at www.oaic.gov.au.

You may request, and Stago will provide, any information about our data processing operations that  we are required to provide at law. Whenever Stago carries out processing operations on your personal  data, it takes all required and reasonable steps to bring to your attention:

• The identity of the controller and the contact details of the data protection officer;
• The source from which the data comes when the data has not been collected from you;
• The purpose of the processing as well as the legal basis for the processing;
• When the processing is based on legitimate interests, the justification of these interests
• The recipients or categories of recipients of the data
• If applicable, the intention to make a transfer outside the EU and the terms and conditions  authorizing this transfer
• The retention period of the data or the criteria used to determine this period
• The rights you have regarding this processing;
• Information on whether the requirement to provide data is regulatory or contractual in nature  or whether it conditions the conclusion of a contract and whether you are required to provide  such data as well as the possible consequences of not providing of this data;
• If applicable, the existence of automated decision-making, the underlying logic, importance  and expected consequences;
• When Stago intends to carry out further processing for a different purpose, information about  the other purpose.

This information will be made available to you as soon as possible and, in the case of direct collection  of your data, at the time of collection.

Some of our obligations may limit your right to information: if the personal data concerning you is  covered by confidentiality with regards to an obligation of professional secrecy incumbent on us, and  if we have obtained it by means of an indirect collection, it is possible that we do not process your  information.

Stago attaches great importance to the protection of your personal data and takes all reasonable  precautions to this end. We ask our partners who process your data on our behalf to do the same.

We are constantly doing our best to protect your personal data. Upon receipt of your data, we apply  strict procedures and security measures (technical and organizational) to prevent unauthorized access.

This policy was last updated in March 2021.