The data controller is Diabeloop SA, a French société anonyme. Its registered office is located at 17 Rue Félix Esclangon, 38000 Grenoble, France. It is registered with the French trade and companies registry under RCS n° 810 416 438 Grenoble.
The competent supervisory authority of Diabeloop is the Commission Nationale Informatique et Libertés, the French data protection authority.
The Data Protection Officer of Diabeloop can be reached by post (17 Rue Félix Esclangon, 38000 Grenoble, France) or by email (email@example.com) or by phone at +33(0)476095418.
Purposes for which personal data is processed
Diabeloop processes Personal Data via the Website for the following purposes (hereinafter the “Purposes”):
- for the purpose of providing you with the information or services you have requested (particularly sending the Newsletter, correspondence by email, sending commercial information, white papers or even assessing your level of satisfaction with the services provided);
- for the purpose of collecting information with a view to improving our Website and our products and services (particularly via cookies, see section II);
- in order to contact you about different events concerning Diabeloop, including product updates and customer support.
The information required by Diabeloop for the above purposes is marked with an asterisk (*) on the relevant pages of the Website. If You fail to complete the required fields marked with an asterisk(*), Your access to all or part of the services and functions of the Website could be blocked and Your requests may not be processed. The other fields are optional and are designed to improve the quality of the service proposed on the Website.
The other information is optional but will allow us to get to know You better and to improve the information and services proposed to You. Diabeloop collects the following main pieces of information: Your full name, postal address, email address and telephone number.
The legal basis for the processing Your personal data is Diabeloop’s legitimate interest to communicate with clients and people interested in its products, as well as increase the public’s information concerning its activities and to improve its website.
Your personal data will only be communicated to Diabeloop employees on a need-to-know basis. The hosting service provider of Diabeloop, Amazon Wold Services, can also access your personal data, for maintenance purposes, as well as some of Diabeloop’s subcontractors, all of which are bound by confidentiality obligations in accordance with provisions of Article 28 (3) of the GDPR. Neither Diabeloop nor any of its processors will sell the personal data collected from this Website to third parties.
Duration of data retention
Your personal data will generally be actively kept by Diabeloop for a maximum duration of 3 years, except for data collected through cookies which are kept for a shorter period (see our Cookies Policy). Upon the term of the above-mentioned period, the data may be archived separately (with restricted access rights) for an additional period of two (2) years to ensure the conservation, exercise and defence of Our rights in court, as appropriate.
Your rights as a data subject
You have the following rights concerning your personal data, which you can exercise by contacting our Data Protection Officer (see Article 1).
1. Right of access and communication of the data
You may access your personal data, in accordance with your rights under GDPR.
Diabeloop reserves the right, if appropriate, to request identification from data subjects who request access to their data and to object to data requests that are manifestly abusive (because of their high number or their repetitive or systematic nature).
2. Right of rectification and erasure of data and right of limitation of data processing
You have the right to obtain, at the earliest convenience, the rectification of your personal data that may be inaccurate.
You also have the right to obtain the erasure of your data if they are not necessary with respect to the purpose for which Diabeloop had collected them, if you withdraw your consent and there is no other legal basis for the data processing, if the data has been subject to an illicit processing or if the data must be erased in order to respect a legal obligation to which Diabeloop is subject.
Please note that the exercise of this right is made without prejudice of Diabeloop’s right to continue to process the data if such data processing is necessary for the assertion, the exercise or the defence of legal rights in court or to the respect of its legal obligations.
You have the right to request the limitation of the processing of your data by Diabeloop if:
You contest the accuracy of the data processed by Diabeloop, for a time period which allows Diabeloop to verify this accuracy,
The data processing is illicit but you object to the erasure of the data,
Diabeloop no longer needs these data for the purpose of their processing but they are necessary to you for the recognition, the exercise or the defence of your legal rights in court.
3. Right to data portability
If Your personal data was collected on the basis of Your consent or on the basis of its necessity to the performance of Diabeloop’s obligations under a contract with you, You may have a right to the portability of your data, i.e. a right to obtain that your personal data processed by Diabeloop be transmitted to you or another data controller in a structured, commonly used and machine-readable format. To exercise this right, please contact our Data Protection Officer at one of the above-mentioned addresses.
4. Right of opposition and withdrawal of consent
You have the right to object at any time to the processing of your data for legitimate reasons.
You also have the right at any time to withdraw your consent to the processing of your data by Diabeloop when consent is the legal basis of the processing of your data. Withdrawal of consent shall not affect the lawfulness of the processing carried out prior to the withdrawal, nor the right of Diabeloop to retain the data to ensure the preservation, defence and exercise of its rights in court.
5. Right to set guidelines of the fate of your data after your death
The above-mentioned rights will expire upon the death of the data subject. You can set guidelines concerning the retention, deletion and communication of your data after your death.
These guidelines are general if they concern all your personal data and are registered with a trusted digital third party certified by the Commission Nationale Informatique et Libertés.
They are specific if they are registered directly with Diabeloop’s Data Protection Officer and concern only the data processed by Diabeloop.
These guidelines can be changed or revoked at any time.
In the absence of instructions, the heirs of the deceased may exercise the above-mentioned rights to the extent necessary for the organisation and settlement of the estate and the processing of the death by Diabeloop.
6. Response times
Diabeloop undertakes to respond to your request for access, rectification or opposition or any other additional request for information within a reasonable period of time, which may not exceed 1 month from receipt of your request.
7. Right to contact our Data Protection Officer
We remind you that you can contact our DPO by post (17 Rue Félix Esclangon, 38000 Grenoble, France) or by email (firstname.lastname@example.org).
Transfer to a third country outside the European union
Diabeloop does not transfer any personal data of Users outside the European Union.
Complaint to the competent authority
If you consider that Diabeloop does not comply with its obligations with regards to your personal information, you can address a complaint or a request to the competent authority. In France, the competent authority is the Commission Nationale Informatique et Libertés (the French data protection authority), to which you can send a request electronically by clicking on the following link: https://www.cnil.fr/fr/plaintes/internet.
Please find below the details of the data protection supervisory authorities in the various European countries where DBL Systems are distributed:
Italy: the competent authority is the Garante per la Protezione dei Dati Personali (the Italian data protection authority), which offices are located in Rome, via di Monte Citorio 121 (tel. +39 06696771) to which you can send a complaint following the procedures and indications published on the Authority’s web site www.garanteprivacy.it
Spain: the competent authority is the Agencia Española de Protección de Datos (the Spanish Data Protection Agency), which offices are located in Madrid, calle de Jorge Juan, 6 (tel. 901 100 099) to which you can send a complaint following the procedures and indications published on the Authority’s web site http://www.agpd.es/
Switzerland: the competent authority is the Préposé fédéral à la protection des données et à la transparence (the Federal Data Protection and Transparency Commissioner), which offices are located in Berne, Feldeggweg 1 (tel. +41 (0)058 462 43 95) to which you can send a complaint following the procedures and indications published on the Authority’s web site http://www.leprepose.ch/
Netherlands: the competent authority is the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority), which offices are located in The Hague, Bezuidenhoutseweg 30, avenue Den Haag 2594 (tel. (+31) – (0)70 – 888 85 00) to which you can send a complaint following the procedures and indications published on the Authority’s web site https://www.autoriteitpersoonsgegevens.nl/
Germany: the competent authority is the the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (the Federal Commissioner for Data Protection and Freedom of Information), which offices are located in Bonn, Graurheindorfer Str. 153 (tel. +49 (0)228 99 77 99-0) to which you can send a complaint following the procedures and indications published on the Authority’s website https://www.bfdi.bund.de/. You may also contact the competent supervisory authority within your Land.
Diabeloop will process user data absolutely confidentially at all times, under the duty of secrecy of the same, in accordance with applicable regulations, taking necessary technical and organizational measures to guarantee the security of your data and prevent unauthorized changes, loss, processing or access, in view of the state of technology, the nature of the data stored and risks to which they are exposed.