- Company (referred to as either “the Company”, “We”, “Us” or “Our” in this policy) refers to KCAS Bioanalytical and Biomarker Services, LLC (headquarters in Kansas, USA), and our subsidiary companies FlowMetric (in Pennsylvania, USA and Milan, Italy) and Active Biomarkers (in Lyon, France).
- Cookies are small files that are placed on your computer, mobile device, or any other device by a website, containing the details of your browsing history on that website, among its many uses.
- Device means any device that can access our website, such as a computer, a cell phone, or a digital tablet.
- Personal Data is any information that relates to an identified or identifiable individual. For the purposes of GDPR, Personal Data means any information relating to you such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the company to facilitate our services, to provide services on behalf of the company, to perform services related to our services, or to assist the company in analyzing how our services are used. For the purpose of the GDPR, Service Providers are considered Data Processors.
- Website refers to any of the websites maintained by our company, accessible at www.kcasbio.com, www.flowmetric.com, www.active-biomarkers.com.
- You means the individual accessing or using our services, or the company or other legal entity on behalf of which such individual is accessing or using our services, as applicable.Under GDPR, you can be referred to as the Data Subject or as the User as you are the individual using the service.
Collecting and Using Your Personal Data
Types of Data Collected
KCAS may collect personal information (data) about you, which could include your full name, phone, fax, or cell phone number, email address, the company for which you work, the position you hold, or your resume. KCAS only collects the information if you provide it via email, business card or phone call, or employment application.
KCAS may process personal data. Processing is defined as any operation which is performed on personal data; this may include collection, recording, organizing, structuring, storing, adapting or altering, retrieving, consultation use, disclosing by transmission, disseminating or otherwise making available, alignment or combination, restriction, erasing, or destroying.
Under data privacy laws, Controllers decide the reasons and necessity for processing data, and Processors process data in accordance with the instructions of the Controller, on their behalf.
If you choose not to provide us with your personal data, KCAS may not be able to provide you with any of our services, process your employment application, or respond to communications from you via our website. If we ask for personal data which is a contractual requirement or which is needed to comply with our legal obligations, we will inform you.
Additional privacy terms tailored to different methods of data processing by business lines and operations may apply to personal information shared with KCAS. If alternative privacy terms are provided to you for a specific purpose, those terms will govern the processing of personal data in relation to that purpose.
If at any time you have questions about our practices or any of your rights as described herein, you may contact our Data Protection Officers at the email addresses provided below. These inboxes are actively monitored and managed by personnel trained in our policies, processing, and handling of personal data.
Website Visitor Data
In order to deliver the information or services offered by our company and website, including www.kcasbio.com, www.flowmetric.com, and www.active-biomarkers.com, we may need personal information from you, such as your email address. The data about you KCAS collects, uses, and shares depends on who you are and how we interact with you.
Generally, the information collected from you via our website is limited to email address, phone number, the company you work for, and the position you hold. An exception is your application for an employment opportunity, which may include other personally identifying information as provided by you; this is described in a future section.
We collect information in several ways:
- On our website pages, you can register with KCAS to receive information regarding webcasts, blog posts, newsletters, available services marketing information, and company updates. To provide these services, we may collect your name, email address, phone number, employer name, and your position. You will have the option of cancelling your registration by clicking on an unsubscribe link in each email alert message you receive.
- On our website, you may opt to provide personal information about yourself depending on your association with KCAS:
- If you are interested in employment opportunities with KCAS
- If you are interested in obtaining services from or providing services to KCAS
- On our website, you can register to receive email updates regarding employment opportunities. The personal information collected is your email address.
- On our website, you can register to receive customized information, such as a quote for services. The information generally collected on a “Contact Us” form, where you can choose to be contacted by KCAS. The personal information collected may include your name, country, company name and position, phone number, email address, as well as the content of your request.
- Websites also collect information about your computer hardware and software, which may include your IP address, browser type, operating system, domain name, access times, and referring website addresses. This information is used for the operation of our services, to maintain and monitor the quality of our services, and to provide general statistics regarding use of websites.
Legitimate Business Interests
KCAS may use your personal information for the following purposes, which are in our legitimate business interests:
- Where processing enables us to enhance, modify, personalize, or otherwise improve our websites, products, and services (e.g., determining whether, when, and the IP address and associated city of a marketing, sales, or business development email communication we sent you).
- Determining the effectiveness of promotional campaigns and advertising, and ensuring communications are relevant to the choices you make.
- Conducting satisfaction surveys after the execution of services.
- Better understanding the needs of the research communities we aim to serve.
- Processing in relation to employment opportunities with KCAS, recruiting talent to join KCAS, onboarding employees or contractors, granting and ensuring appropriate access to KCAS systems and facilities, and ensuring the safety and security of the workplace.
- Protecting the security of KCAS websites, tangible and intangible assets, property, rights, or obligations, or the property rights or obligations of third parties.
- Taking precautions against potential liability on the part of KCAS.
If we process your personal information under consent provided by you, you have the right to withdraw that consent at any time. Your withdrawal of consent, however, will not affect the lawfulness of any processing we have undertaken before the withdrawal. We may process your personal information where necessary for our compliance with a legal obligation. Finally, in some cases, we process your personal information as necessary to perform a contract with you or to take steps that you request before we enter into a contract.
Under data protection laws around the globe, certain types of personal data, sensitive or special category data require enhanced protection. These include a requirement that the national law of the country specifically allows the processing of that data, or more enhanced security applied to the data, or that the personal data processed may improve the health of people in that country. The laws vary around the countries we work in, and we respect the national law and adhere to the rules around the processing of sensitive data.
Employees and Job Applicants
In connection with our recruiting processes and programs, we process your personal data in accordance with this policy. If such processing conflicts with the requirements of specific national law, that applicable law will prevail.
To apply for a position on our site, we will collect personal data about you (e.g., name and phone number) and your professional experience, education, and training (e.g., resume). Upon offer of employment, examples of data collected are your name and any former names, address, email, contact information, universities attended, professional certification work, educational history (e.g., resume, CV), references, achievements, and copies of identification documents. Upon employment, your photo will be taken.
We process your personal data for necessary human resources and business management reasons, including identifying and evaluating candidates for potential employment, as well as for future roles that may become available; recordkeeping in relation to recruiting and hiring; ensuring compliance with legal requirements, including any diversity and inclusion requirements and practices; conducting background and criminal history checks as permitted by applicable law. We may also analyze your personal data or aggregated/pseudonymized data to improve our recruitment and hiring process and augment our ability to attract successful candidates.
We may desire to retain your personal data to consider you for future employment opportunities. In such an event we will seek your consent to be part of our future job alerts. If you consent to future job alerts, but subsequently wish to withdraw, please contact us at the privacy email addresses listed above.
Your personal data may be accessed by recruiters and interviewers in the country where the position for which you applied is based or by recruiters and interviewers in different countries within our organization.
Individuals performing administrative functions and IT personnel within our organization may also have a limited access to your personal data in order to perform their jobs. We have put in place legal mechanisms designed to ensure protection of your personal data that is processed by us, including the transfer of it to countries other than the one in which you reside.
We may use third party service providers to provide a recruiting software system. We may also share your personal data with other third-party service providers that may assist us in recruiting talent, administering, and evaluating pre-employment screening, background checks and testing, and improving our recruiting practices.
We maintain processes designed to ensure that any processing of personal data by third party service providers is consistent with this Notice and protects the confidentiality, availability, and integrity of your personal data.
If you accept an employment offer, any relevant personal data collected during your pre-employment period will become part of your personnel records and will be retained in accordance with specific country requirements and our data protection and other workplace policies, which will be provided to you at that time.
Upon employment, we may share your internal CV with any client of ours whose study you may work on, or with any Sponsor auditor or regulatory auditor who requests training records as part of an audit.
Study Participants, Collaborators, and Stakeholders
Clinical Trial Participants
KCAS is a global contract research organization (CRO) supporting clinical trials and medical research studies of Sponsors (i.e., the companies conducting the clinical trials). In relation to KCAS’s delivery of CRO services to Sponsors, the Sponsor is in control of how and why your personal data is processed and is therefore the Data Controller; KCAS is a Data Processor. The purposes for which clinical trial participants’ personal data will be used by study sites and Sponsors will depend on the nature of the study and will be addressed in more detail in study-specific documentation provided to patients by the Sponsor. As such, participants should look to that document to understand how their personal data is processed.
For KCAS’s purposes of bioanalytical and biomarker services, study data is pseudonymized, meaning names and other identifying information are excluded. Instead, participants are identified by a code or Subject ID. KCAS’s role as Data Processor may include the transfer of such information to the applicable Sponsor, its corporate affiliates, business partners, and third-party service providers performing services related to the study.
Customer and Business Data
In order to provide services or purchases, or to provide information about KCAS’s capabilities and offerings, we will use personal data collected from you to provide the requested information and process requested transactions. We may also use personal data to improve the quality of our services, send and receive communications about KCAS services, and to enable our business partners and agents to perform activities on our behalf to meet your inquiry or provide services.
For individuals engaged by KCAS clients and collaborating with KCAS in connection with projects where KCAS is providing services, personal data may be used by KCAS to carry out the applicable services and related services (e.g., client name and contact details).
If you are a customer, or if you request or indicate an interest in information about our services, we may process your name, email address, phone number, job title, information about the company where you work, including website address, postal address, job title and function, company size and financial information, comments you provide, and information about which of our services you use, or which may be of interest to you. We maintain and update this information as we continue to engage with you, and we process personal information about individuals to fulfill our obligations under contract or agreement, or as required in support of financial auditors hired by KCAS.
Vendor and Contractor Data
Vendor representatives may share personal data with KCAS to provide information about services, such as business support and laboratory products and services, which may be available through a vendor. KCAS will use any personal data provided by the vendor and its representatives to receive and assess the vendor information, products, and services. Uses may include processing for requested transactions, reviewing the quality of the vendor’s services, sending and receiving communications about the products and services available through the vendor, and enabling KCAS’s business partners, consultants, clients, and agents to perform activities and make decisions in relation to the vendor.
For vendors engaged by KCAS, including in relation to research studies being managed by KCAS and its clients, your personal data may be used by KCAS to carry out the projects, activities, and other related services in connection with which the vendor is engaged by KCAS. This may include the transfer of such personal data to the applicable KCAS study sponsor or client, other vendors involved in a project for which a vendor is engaged and such parties’ respective corporate affiliates, business partners and third-party service providers performing services or activities related to the project or activities for which a vendor is engaged by KCAS.
Legal Basis and Data Sharing
KCAS processes personal data it holds about you in accordance with applicable legal provisions in Europe, most particularly the European Union General Data Protection Regulation (EU GDPR). The personal data we hold are either retained at our French or Italian sites or are transferred to countries benefitting from an adequacy decision from the European Commission, or to the United States. Data transferred to the United States are strictly held by KCAS’s secure servers and used for internal business purposes under global corporate policies.
KCAS uses external services for its customer relationship management and its external communication tools such as newsletters and e-mail. Any personal data sharing with sub-contractors acting for KCAS is carried out in accordance with legal provisions in France or Italy, and in Europe and within boundaries strictly defined by the purpose of the processing.
Data Shared with Consent
In cases where we need your consent to process your personal data, we will ask you to make a positive identification (e.g., to check a box, sign a document, provide information electronically) that you agree to processing. By providing consent, you are stating that you have been informed as to the nature, purpose, scope, and duration of our processing. Where we rely on consent to process your information, you have the right to withdraw that consent for that activity at any time.
Data Shared to Fulfill a Contract
In cases in which you have entered into a contract with KCAS, we may process your personal data because it is necessary to deliver the service you have requested, you are employed by us, or if you provide a service to us.
International and Third-Party Transfers of Personal Data
To facilitate our global operations, KCAS companies may transfer, store, and process personal data in a country other than the one from which it was provided; this is limited to transfers between our operations in France and Italy and our entities in the United States. Examples of such transfers include data backups and analytical data processing; all transfers are carried out by KCAS companies or vendors which comply with GDPR and/or hold SOC 2 and ISO certifications.
Laws in the United States differ from the laws applicable to European countries. We take appropriate steps to ensure that personal data is processed, secured, and transferred according to applicable law. Where we transfer personal data from the European Economic Area to the US, which does not offer the same level of data privacy protection, we have ensured appropriate safeguards are in place via internal corporate policies regarding encryption and restriction of access.
As a global business, it may be necessary to transfer personal data within KCAS businesses and with agents, contractors, or partners of KCAS. These agents, contractors, or partners are restricted from using this data in any way other than to provide services for KCAS. KCAS may, for example, provide your personal data to agents, contractors, or partners for hosting our databases, for data processing services, or so that they can send you information that you requested.
KCAS may be required to share personal data in response to an authorized information request by governmental authorities or where required by law.
As part of, or during negotiations of, any merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business or assets (including as part of any bankruptcy or similar proceedings), we may transfer personal data to other parties involved in these transactions. Under these circumstances, all parties have entered into a confidentiality agreement and are obligated to protect any information provided as part of the transaction and not to use the personal data for any purpose other than the purpose for which it was collected.
When we collect information that is not personal information or convert personal information into information which can no longer be used to identify you (such as through aggregation or anonymization), we may use and disclose that information for any purpose, as unidentifiable data is not covered under data protection laws.
KCAS may use personal data it receives from Sponsors and business customers to provide laboratory services for and under the direction of its business customers who act as the Data Controllers. We will keep personal information about you for as long as we provide these services. We will retain personal information as long as you work for or with us, or as long as we are addressing a concern, question, complaint, or request you have made to us, as applicable to our interactions with you. If we have a contract or other agreement with a customer, we will follow the retention obligations of that agreement.
We may keep data longer if we have a legal obligation to keep it or to maintain necessary records for legal, financial, compliance, or other reporting obligations, and to enforce our rights and agreements. When we no longer need personal data, we securely delete or destroy it.
While KCAS does all that we can to secure your personal data, the sending of information over the internet is not completely secure; therefore, you do this at your own risk. Once we receive your personal information, we implement strict security procedures to prevent unauthorized access.
KCAS uses means of prevention, rules, and technological processes to ensure the protection against any unauthorized access, fraudulent use, alteration, disclosure, loss, or destruction of your personal information, considering the risks involved and the nature of the personal information. We also have implemented measures to maintain the ongoing confidentiality, integrity, and availability of the systems and services that process personal information and will restore the availability and access to data in a timely manner in the event of a physical or technical incident.
KCAS ensures appropriate technical and organizational measures are taken to protect personal data from unauthorized or unlawful processing and to protect against accidental loss, destruction, or damage. KCAS’s websites and electronic databases have security measures in place to protect the loss, misuse, unauthorized access or disclosure, alteration, or destruction of the information under our control. However, as effective as modern security practices are, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of our databases, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the internet. We have a privacy incident response program designed to promptly respond to and escalate all privacy-related questions, complaints, or concerns, including any potential privacy or security incident.
KCAS reserves the right to take appropriate legal action, including without limitation, referral to law enforcement, for any illegal or unauthorized use of this Website. We also reserve the right take any action to prevent the unauthorized use of our intellectual property rights.
We may cooperate with any law enforcement authorities or court order requesting or directing us to disclose the identity of or locate anyone for the prevention or detection of crime or the apprehension or prosecution of offenders. There may be other circumstances in which we may be required by law to disclose information about you or your use of this Website. You waive and hold us harmless from any claims resulting from such disclosures and from any actions taken as a consequence of investigations by either us or law enforcement authorities.
KCAS does not seek information from individuals under 16 years of age, and no information should be submitted to KCAS by anyone under 16 years of age.
Your Personal Data Rights and How to Make a Request or Lodge a Complaint
You may lodge a complaint pertaining to the application of your rights by contacting the concerned supervisory authorities.
You have rights in respect of your personal data. Our Global Policy is to extend the rights listed below to all our data subjects worldwide unless the local law states otherwise.
- The right to be informed – If we are processing your personal data, we must inform you the who, why, what of the processing including who else may view it or use it, how long we will retain it for, and if we are transferring the data to another country.
- Right to withdraw consent – If we are processing your personal data on the basis of your consent, you are entitled to withdraw your consent to that processing at any time (see contact details section). However, the withdrawal of your consent will not invalidate any processing we carried out prior to the withdrawal of your consent. Patients participating in clinical trials must request to withdraw directly with the Sponsor, clinic, practitioner, or to whomever they supplied consent for the trial. Clinical trial data is subject to federal regulations, and KCAS will discontinue processing at the request of the Data Controller (e.g., Sponsor).
- The right of access to your personal data – You can request a copy of the personal data we hold about you.
- The right to rectification – You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete.
- Right to erase your personal data (right to be forgotten) – You have the right to be forgotten in certain circumstances including, for example, where the personal data are no longer needed for the purpose for which they were collected. However, this right does not apply where, for example, processing is necessary to comply with a legal obligation, or for the establishment, exercise, or defense of legal claims.
- The right to restrict the processing of your personal data – You have the right to ask us to restrict certain processing activities in some circumstances, including, for example, where the accuracy of the data in question is contested. Where processing has been restricted, we can only process it for limited purposes such as, for example, the establishment, exercise or defense of legal claims.
- The right of data portability – You have the right to have your data returned to you or to a third party in certain cases.
- The right to object – You have a right to object to the processing of your personal data in certain cases. In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate grounds which override your interest.
Where KCAS is the data controller, we will assess your request and, subject to applicable laws and exceptions, respond within the relevant legal time limits. Our Global Policy is to respond to your request within one month.
If you feel your data protection rights have been infringed by KCAS, you have the right to complain to your local data protection supervisory authority.
For any concern about the privacy of the personal data we hold about you or request regarding the application of your personal rights, please contact us at the email addresses above, or by calling or writing to:
Attn: Data Protection Officer
10830 S Clay Blair Boulevard
Olathe, KS 66061