1. Introduction

This is the Privacy Statement of LactaScreen B.V. This Privacy Statement informs you about how we handle your personal data when you use our website and/or services. By “Personal Data” we mean all information relating to an identified or identifiable natural person, as further defined in the General Data Protection Regulation (EU) 2016/679. By “Data Controller” we mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as further defined in the General Data Protection Regulation (EU) 2016/679. This privacy statement was last updated on November 28, 2022. All definitions mentioned in this privacy statement have the same meaning as in the General Data Protection Regulation (EU) 2016/679.

2. Purposes and Personal Data

Website Visitors When visiting our website https://www.LactaScreen.com (“Site”), we process Personal Data. When the Site is used, we may automatically collect information about users’ use of the Site. For example, which functionalities are used and how long users spend on each page of the Site. We use this information to analyze the use of the Site and identify opportunities for further development and improvement of our services. The (external) analysis tool (e.g., Google Analytics) we use collects and analyzes this information for us. We obtain these insights by placing cookies. Thanks to these cookies, it is not necessary to enter or download the same information when revisiting the Site. Certain cookies are necessary for the websites to function, and we only place other cookies with permission. You can read more about cookies in our cookie policy. Placing Order and Processing It is possible to place an order for a breast milk test via our website. We need personal data for the administrative processing of this order. This is to send the order to the correct address, to create an invoice, and to be able to contact you regarding the test results if necessary. The personal data we minimally need for processing an order are: first name, last name, address, city, phone number, and email address. Conducting Test When an order is placed through our website, the self-test is sent to the home address. After self-administering the test, the test material must be sent to our laboratory. The laboratory only receives the sample number which is applied to the test material. With this sample number, we can link the test result to the correct person, so that minimal personal data is processed during the test. During the feedback, only the sample number and test result are displayed. Contacting It is possible to contact our helpdesk via our Site. When our helpdesk is contacted by phone, personal data may be processed if this is necessary for handling a question or request. In most cases, this will only involve name, phone number, and/or email address. We may also process other personal data when we are contacted, but only if this is voluntarily provided to us. Anonymous Research During the ordering process, you give permission for the use of results for anonymous scientific research, then we can make results available to third parties for medical scientific research. When transferring the data, we ensure that no Personal Data is passed on. We do not provide sample numbers, names, or other traceable data. Additionally, you have the right to withdraw consent at any time. Contact info@GenericProductName.com with the sample number to have the test data removed.

3. Legal Bases

The legal bases for the processing of the above Personal Data are the need to comply with our legal obligations, to execute the agreement, and our legitimate interests. This concerns our interests in targeted promotion of our products and services (marketing) and for correctly and effectively managing contact with our customers (handling customer contact).

4. Anonymization and Sharing of Personal Data

4.1 We can anonymize your Personal Data so that it is impossible to identify specific individuals (for example, by removing all pieces of information that could identify a person, such as the IP address, through a process that makes it impossible to re-identify a person) and then use this anonymized information for any purpose. 4.2 We will not share Personal Data with other individuals or organizations unless we believe it necessary to protect your safety or that of others, to investigate fraud, or to respond to a government request or otherwise exercise our legal rights to defend against legal actions; and when we believe it is necessary to share information to assist in an investigation or prevention of illegal activities, suspected fraud, or situations with potential threats to the safety of a person.

5. Rights

In accordance with the General Data Protection Regulation (GDPR), the following rights can be exercised:

• Right of access. You can contact us to obtain information about whether or not we process Personal Data about you. If that is the case, we will inform you about the categories of Personal Data we process, the purposes of processing, the categories of recipients to whom Personal Data has been or will be disclosed, and the intended retention period or criteria for determining that period.
• Right to rectification. You have the right to correct or complete inaccurate or incomplete Personal Data that we process about you.
• Right to object. In the event that our processing is based on a legitimate interest, you have the right to object to this processing at any time. We will then no longer process your Personal Data unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
• Right to restriction of processing. You have the right to obtain from us a restriction of processing of your Personal Data in specific situations as provided for in the applicable data protection legislation (e.g., when you contest the accuracy of your Personal Data, for a period enabling us to verify the accuracy of your Personal Data).
• Right to erasure of Personal Data. You have the right to ask us to delete your personal data from our systems if your Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed. Moreover, you have the right to have your Personal Data erased if you exercise your right to object as mentioned above, unless we have an overriding legitimate ground not to delete the relevant data. We may not be able to immediately delete all remaining copies from our servers and backup systems after the active data has been deleted. These copies will be deleted as soon as reasonably possible.
• Right to data portability. You have the right to receive your Personal Data in a structured, commonly used and machine-readable format and/or request us to transmit this data to a third party when technically feasible. Please note that this right only applies to Personal Data that you have provided to us.
• You also have the right to lodge a complaint with your local data protection authority if you believe that we have processed your Personal Data unlawfully. For the Netherlands, see: https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacyrechten

6. Data Retention

We determine the retention period of Personal Data based on the following criteria: (a) the purpose for which we use your Personal Data: we retain the data as long as necessary for that purpose (see chapter 2); and (b) legal obligations: various laws and regulations impose minimum retention periods that we must comply with. When we no longer need the Personal Data, we will only retain the Personal Data in a non-identifiable form (anonymizing the data: no longer traceable to an individual).

7. Security

We ensure the protection of Personal Data against unauthorized access, use, and loss. We have implemented appropriate administrative, technical, and physical measures to protect the Personal Data specified in chapter 2. In particular, we have taken the following security measures:

• Secured website;
• Personal Data is securely used through only encrypted

network connections;

• SSL certificate for the Site;
• Encrypted databases and passwords;
• Measures to prevent DDOS attacks and hacking attempts;
• Monitoring the Site for errors and traffic;
• Additionally, physical and digital measures have been taken for access protection of the systems in which personal data is stored.

8. Third-party Sites and Services

The Site may contain links to other websites, apps, and online services operated by third parties over which we have no control. We are not responsible for the collection, use, and disclosure of Personal Data on those websites and other online services by those third parties. We recommend that you review the privacy policy of third-party websites and other online services that you visit.

9. Updates to this Privacy Policy

We reserve the right to adjust this Privacy Policy from time to time. These changes will be announced on our website. We therefore recommend that you consult this Privacy Policy regularly so that you are aware of any changes.

10. Contact and Questions

To exercise the aforementioned rights (see chapter 5), or if you have questions about our use of Personal Data during the use of the Site or our services, please contact us at info@LactaScreen.com. To ensure that the request for access has been made by you, we ask you to send a copy of your ID along with the request. Make sure that your passport photo, MRZ (machine readable zone, the strip with numbers at the bottom of the passport), passport number, and citizen service number (BSN) are blacked out or made illegible in this copy. And preferably indicate in a watermark that the copy is only intended for LactaScreen.com. This is to protect your privacy. We will respond as quickly as possible, but in any case within one month, to the request.