FlowJo Data Privacy Notice
Last revised 05/21/2018
FlowJo, LLC, USA ("Company" or "we" or "our") and each of its affiliates and subsidiaries (collectively, the "Becton Dickinson Group" or "BD Group") take data privacy seriously. This Data Privacy Notice ("Notice") informs the users of SeqGeq®, FlowJo®, FlowJo Envoy, FlowJo Portal ("FlowJo Products") how the Company, as controller within the meaning of the General Data Protection Regulation ("GDPR"), collect and process the personal data and other information of such users (hereinafter "you" or "your") in connection with their usage of the FlowJo Products.
1. Categories of Personal Data and Processing Purposes
2. Processing Basis and Consequences
3. Categories of Recipients and International Transfers
4. Retention Periods
5. Your Rights
6. Cookies and other tracking technologies
7. Questions and Contact Information
8. Changes to this Notice
1. Categories of Personal Data and Processing Purposes—What personal data do we process about you and why?
Registration Data: If you register with a FlowJo Product to receive a serial number for authorized usage of FlowJo Products, you will be asked to provide the following personal data about you: full name, organization/institution (if applicable), country, telephone number, email address, hardware address, password ("Registration Data"). We process your Registration Data for purposes of access control, license administration, defending, establishing and exercising legal claims, and IT and network security. If you have entered into a license agreement directly with us and if you therefore register the FlowJo Product independently (i.e., not via an organization/institution), we process your Registration Data also for the following purposes: administering the license agreement, providing customer care services, providing marketing materials to the extent permitted by applicable law, complying with legal obligations, and defending, establishing and exercising legal claims.
Metadata: When you access the FlowJo Product, we will collect metadata that result from your usage of the FlowJo Product. Metadata include, but are not limited to: IP address, Mac address, browser type and version, operating system and interface, version of the FlowJo product, device and reagent information, underlying license information, date and time of the FlowJo Product usage ("Metadata"). Your Metadata may be used to enable your access to the FlowJo Products, to ensure compliance with license restrictions and for IT and network security. Furthermore, we process the Metadata to analyze the usage of the FlowJo Product, to understand the areas of most interest to the users and thereby to improve the quality and services of the FlowJo Product and of other products and services.
Your Registration Data is actively provided by you. Your Metadata is automatically collected by us as a byproduct of your usage of the FlowJo Product.
2. Processing Basis and Consequences—What is the legal justification for processing your personal data and what happens if you choose not to provide it?
We rely on the following legal grounds for the collection, processing, and use of your personal data:
the processing is necessary for the performance the license agreement and/or the end-user license agreement or to take steps at your request prior to entering into such agreements;
- the processing is necessary for the purposes of our and BD Group's legitimate interests, except where such interests are overridden by your justified interests; our legitimate interests are in particular access control, license administration, IT and network security, customer care services, marketing, and improvement of the quality and services of the FlowJo Product and of other products and services.
- the processing is necessary for compliance with a legal obligation to which we are subject;
- the processing is necessary for defending, establishing and exercising legal claims;
- you consented to the processing of your personal data.
The provision of your personal data is not required by a statutory obligation. The provision of your personal data is necessary to enter into the license agreement with us and/or to register with and use the FlowJo Product as requested by you. However, the provision of your personal data is voluntary. Not providing your personal data may result in disadvantages for you as you will not be able to use the FlowJo Products. However, unless otherwise specified, not providing your personal data will not result in legal consequences for you.
3. Categories of Recipients and International Transfers—Who do we transfer your personal data to and where are they located?
You should expect that we will transfer your personal data to third parties for the processing purposes described above as follows:
- Within the Company: Your personal data will be processed and used by the Company located in the USA. Depending on the categories of personal data and the purposes for which the personal data has been collected, different internal departments within the Company receive your personal data. For example, our R&D, IT, Sales, Legal, Marketing and Finance departments have access to your Registration Data and Metadata on a need to know basis.
- Within the BD Group: Our parent entity, Becton, Dickinson and Company, in the USA and other affiliates in the USA (each affiliate including us referred to as "BD Affiliate") may receive your personal data in aggregated form as necessary for the following purposes: product improvement, marketing, and cyber-security. Internally, the following departments may have access for such purposes: R&D, IT, Sales, Legal, Marketing and Finance departments.
- With data processors: Certain third-party service providers, whether affiliated or unaffiliated, will receive your personal data to process such data under appropriate instructions ("Processors") as necessary for the processing purposes described above, such as hosting providers, customer care providers, marketing service providers, IT support service providers, and other service providers who support us in maintaining our commercial relationship with you. The Processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed. A list with the main Processors can be found here www.flowjo.com/policies/partners.
- Other recipients: We may transfer—in compliance with applicable data protection law—personal data to law enforcement agencies, governmental authorities, judicial authorities, legal counsel, external consultants, or selected business partners. In case of a corporate merger or acquisition, personal data may be transferred to the third parties involved in the merger or acquisition. We will not disclose your personal data to third parties for advertising or marketing purposes or for any other purposes without permission.
Any access to your personal data is restricted to those individuals that have a need-to-know in order to fulfill their job responsibilities.
International transfers. Your personal data will be processed by the Company in the USA. You should expect that the recipients identified above which will receive or have access to your personal data, are also located outside the European Union and the European Economic Area (together "EEA").
- Some of the Processor recipients located in the USA are certified under the EU-U.S. Privacy Shield, and thereby the transfer is recognized as providing an adequate level of data protection from a European data protection law perspective.
- Other recipients in the USA, in particular BD Affiliates, which are not certified under the EU-U.S. Privacy Shield, will provide appropriate safeguards based on standard data protection clauses adopted by the European Commission or by a supervisory authority (Art. 46(2)(c) or (d) GDPR) or binding corporate rules approved by the competent supervisory authority (Art. 46(2)(b), 47 GDPR). You can ask for a copy of such appropriate safeguards by contacting us as set out in Section 7 below.
4. Retention Periods—How long do we keep your personal data?
Your personal data will be retained for the term of the license agreement and/or your registration with the FlowJo Products as necessary to provide you with access to the FlowJo Products. Once the license agreement or your registration has lapsed, we may retain your personal data for 10 years as necessary. We will, however, upon request restrict further processing of your personal data by de-identifying your personal data. Legal or regulatory obligations or pending legal claims may require a longer retention and processing period. Also, we will retain and actively process your contact details and interests in the FlowJo Products for a longer period of time if the Company is allowed to send you marketing materials. Prior to deleting any personal data, we may anonymize your personal data for future statistical and reporting purposes.
5. Your Rights—What rights do you have and how can you assert your rights?
Right to withdraw your consent: If you have declared your consent regarding certain collecting, processing and use of your personal data (in particular regarding the receipt of direct marketing communication via email, SMS/MMS, fax, and telephone), you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. You can withdraw your consent via this link www.flowjo.com/policies/how-to.
Additional data privacy rights: Pursuant to applicable data protection law, you may have the right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; and/or (vi) object to the processing of your personal data (including objection to direct marketing and profiling). Below please find further information on your rights to the extent that the GDPR applies. Please note that these rights might be limited under the applicable local data protection law.
- Right to request access to your personal data: As provided by applicable data protection law, you have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to request access to the personal data. This access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access.
You may have the right to obtain a copy of the personal data undergoing processing free of charge. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
- Right to request rectification: As provided by applicable data protection law, you have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to request erasure (right to be forgotten): As provided by applicable data protection law, you have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.
- Right to request restriction of processing: As provided by applicable data protection law, you have the right to obtain from us that we restrict the processing of your personal data. In such case, the respective data will be marked and may only be processed by us for certain purposes.
- Right to request data portability: As provided by applicable data protection law and subject to certain restrictions, you have the right to request transmission of your personal data, which you have provided to us, in a structured, commonly used and machine-readable format to another entity.
- Right to object:
|Under certain circumstances, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. Such right to object especially applies if we collect and process your personal data for profiling purposes in order to better understand your interests in our products and services or for direct marketing.
If you have a right to object and if you exercise this right, your personal data will no longer be processed for such purposes by us. You may exercise this right via this link www.flowjo.com/policies/how-to or by contacting us as stated in Section 7 below.
Such a right to object may, in particular, not exist if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
You can exercise your rights via this link www.flowjo.com/policies/how-to or by contacting us as stated under Section 7 below. You also have the right to lodge a complaint with the competent data protection supervisory authority in the relevant Member State (e.g., the place where you reside, work, or of an alleged infringement of the GDPR).
6. Cookies and other tracking technologies
7. Questions and Contact Information
If you have any questions about this Notice or if you want to exercise your rights as stated above in Section 5, please contact us at: FlowJo LLC, 385 Williamson Way, Ashland, OR 97520, USA, firstname.lastname@example.org.
The Company's Data Protection Contact Person can be contacted at email@example.com or via postal letter to Data Protection, FlowJo LLC, 385 Williamson Way, Ashland, OR 97520, USA.
The contact details of our representative within the EU are as follows: FIRST EUROPEAN DATA REP, WTC Amsterdam Airport, Schiphol Boulevard 195, 1118 BG Schiphol, The Netherlands.
8. Changes to this Notice
We may update this Notice from time to time in response to changing legal, regulatory or operational requirements. We will notify you of any such changes, including when they will take effect, by updating the "Last revised" date above or as otherwise required by applicable law. If you do not accept updates to this Notice, you should stop using the FlowJo Products.