Privacy Notice

2018. 11.05.

PRIVACY NOTICE REGARDING THE USE OF THE WWW.LABCUP.NET, WWW.LABCUP.COM WEBSITES, ONLINE PLATFORM, INCLUDING THE ASSOCIATED MOBILE AND DESKTOP APPLICATION AND THE PROVISION OF SERVICES RELATED THERETO

LabCup Limited (1 Blanchardstown Corporate Park, Ballycoolen Road, Blanchardstown, Ireland, D15 AKK1, hereinafter as: Service Provider), the provider of the www.labcup.net and www.labcup.com websites (hereafter referred to as Website) and of the online LabCup platform, including the associated LabCup mobile apps and web service (hereinafter referred to as: Software), informs the users of the data processing related to the use of the Website and the Software as follows, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (hereinafter referred to as GDPR).

1.) TERMS

Service Provider

LabCup Limited (1 Blanchardstown Corporate Park, Ballycoolen Road, Blanchardstown, Ireland, D15 AKK1, e-mail address: info@labcup-32e44d.ingress-bonde.easywp.com, represented by: Gábor Radics)

Website

The entirety of the content and the services available via the www.labcup.net and www.labcup.com web addresses operated by the Service Provider.

Software

Laboratory and research institution inventory software provided by the Service Provider.

Visitor

Natural persons who do not engage any services, but are merely browsing the Website.

Customer

Organizations that entered into a customer agreement and have an account to the Software.

Authorized User

Customers or individuals granted access to a workspace by a Customer. Visitors, Customers and Authorized Users shall be deemed together as Users.

Website GTC

The General terms and conditions of the Website, which are made available on the Website, and which regulate in detail how the Customers or Authorized Users may use the Website and the Software available there.

2.) WHAT IS THE PURPOSE OF THE PRESENT NOTICE?

The Website’s and Software’s terms of use are governed by the Website GTC, which shall apply to all questions not addressed herein. By using the Website and the Software, Service Provider and the User enter into an agreement per the provisions of the Website GTC. The present Privacy notice serves to provide Users with adequate information on the management of personal information by Service Provider, relating to the Website, the Software and the services, as is required by applicable law.

Regarding the data processing of any contact name, email, telephone number submitted through the homepage or directly through email for the purpose of price and information queries, the Service Provider shall be deemed as a data controller. Regarding the data processing of name, email address, any inventory data, images or files or other content submitted through the Software by the Authorized Users, Service Provider shall be deemed as a data processor.

3.) WHAT IS THE PURPOSE OF THE WEBSITE?

On the Website, the Users may browse the available general information material and the service offers, as displayed by Service Provider without the need for registration, they may search among these by various criteria, and may choose to ask for more information or to subscribe for the services thereon by filling out the provided registration and order form with their data.

The services on the Website may only be engaged by persons over the age of 16. If you learn that anyone younger than 16 years old has unlawfully provided us with personal data, please contact us and we will take steps to delete such information.

The Website contains a contact form where the Users are able to write messages, ask questions or request further information concerning the Software or the Website.

4.) WHAT IS THE PURPOSE OF THE SOFTWARE?

The Software provides a complete laboratory and research institution management system on a cloud-based platform as Software as a Service (SaaS), which is available on desktop or on mobile devices. The Service can be used only after registration. Registration and using the Software is allowed only to persons over the age of 16. If you learn that anyone younger than 16 years old has unlawfully provided us with personal data, please contact us and we will take steps to delete such information.

In the Software the Customers or the Authorized Users are able to handle multiple laboratory management processes, including chemical, consumable, biological inventory management, risk assessments, equipment or other assets bookings, issue reporting, training record, digital fire registry, purchasing, etc.

The Software helps to minimize administration and automate procedures and this is all used throughout the system, with every chemical and item on the system tracked uniquely by barcode/ID.

5.) HOW DOES THE PRESENT PRIVACY NOTICE APPLY TO THE USERS, VISITORS?

By accessing the Website, by utilising the services thereon, and by using any of the Website functions, the Visitors automatically acknowledge the contents of the present Privacy notice without any separate statements.

By purchasing the Software and creating an account in it, the Customers automatically acknowledge the contents of the present Privacy notice without any separate statements.

By using the Software with access to a workspace, the Authorized Users automatically acknowledge the contents of the present Privacy notice without any separate statements.

6.) HOW AND BY WHOM MAY THIS PRIVACY NOTICE BE AMENDED, AND HOW AND WHERE IS IT PUBLISHED BY SERVICE PROVIDER?

Service Provider is entitled to unilaterally amend this Privacy notice at any time, publishing it in a joint, amended version on the Website, under a separate menu item. We request that all Users carefully read the present notice on every Website visit.

The Privacy notice is available in the Software Settings Menu as well.

The present Privacy notice is continuously available on the Website and in the Software. The Users may open, view, print and save the Privacy notice, but may not amend it; only Service Provider is entitled to do so.

7.) WHAT PERSONAL DATA DO WE MANAGE, FOR HOW LONG, FOR WHAT PURPOSES AND BY WHAT AUTHORIZATION?

The legal bases for our data processing are the following:

a.) GDPR Article 6 (1) a) where the processing is based on the informed consent of the data subject (hereafter referred to as Consent)

b.) GDPR Article 6 (1) b) where processing is necessary for the Performance of Contract to which the data subject is party (hereafter referred to as Performance of Contract)

c.) GDPR Article 6 (1) c) where data processing is necessary for the fulfillment of or compliance with a legal obligation of the data controller (e.g. obligations under tax statutes – hereafter referred to as Compliance)

d.) GDPR Article 6 (1) f) where data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, (hereafter referred to as Lawful interest).

Furthermore, we inform you that where the legal basis of data processing is consent based on GDPR Article 6 (1) c) or explicit consent based on GDPR Article 9 (1) a), the User is entitled to withdraw his/her consent at any time, which will not affect the legality of the data processing before the withdrawal.

The legal basis for the data processing is specified below, per data categories and by reference to the elements of the above list.

7.1) Data processed regarding Customers and Authorized Users pertaining to their use of the Website and the Software

In order to use the Website’s and the Software’s functions, the Users shall provide their data. Certain data shall be provided during the registration, which is necessary for the online purchase and use of Website services and the Software, as well as during the ordering, billing and communication with us.

The following data may be provided by the Customer or the Users during those processes:

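Columns of the table:

A) Data subject
B) Data category
C) Data source
D) Purpose of data processing
E) Legal basis of data processing
F) Timeframe of data processing, deletion time

A) Data subject: Authorized Users

B) Data category: full name
C) Data source: Authorized User
D) Purpose of data processing:
  1. Concluding the contract, registration
  2. Fulfilment of the contract
  3. Claim and law enforcement
  4. Identification
  5. Communication
E) Legal basis of data processing:
  • In case of processing purposes of column D/a)-b) and d)-e): GDPR Article 6 (1) b) Performance of Contract
  • In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest
F) Timeframe of data processing, deletion time: As defined in the data retention policy

B) Data category: e-mail address
C) Data source: Authorized User
D) Purpose of data processing:
  1. Concluding the contract, registration
  2. Fulfilment of the contract
  3. Claim and law enforcement
  4. Identification
  5. Communication
E) Legal basis of data processing:
  • In case of processing purposes of column D/a)-b) and d)-e): GDPR Article 6 (1) b) Performance of Contract
  • In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest
F) Timeframe of data processing, deletion time: As defined in the data retention policy

B) Data category: password
C) Data source: Authorized User
D) Purpose of data processing:
  1. Concluding the contract, registration
  2. Fulfilment of the contract
  3. Claim and law enforcement
  4. Identification
  5. Communication
E) Legal basis of data processing:
  • In case of processing purposes of column D/a)-b) and d)-e): GDPR Article 6 (1) b) Performance of Contract
  • In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest
F) Timeframe of data processing, deletion time: As defined in the data retention policy

B) Data category: user requests
C) Data source: data collected automatically
D) Purpose of data processing: Auditing purposes
E) Legal basis of data processing: GDPR Article 6 (1) a): Consent
F) Timeframe of data processing, deletion time: until the withdrawal of the consent

B) Data category: IP address
C) Data source: data collected automatically
D) Purpose of data processing:
  1. Personalizing the Website/Software
  2. Development of the Website/Software
E) Legal basis of data processing: GDPR Article 6 (1) a): Consent
F) Timeframe of data processing, deletion time: until the withdrawal of the consent

B) Data category: browser agent info & referrer
C) Data source: data collected automatically
D) Purpose of data processing:
  1. Personalizing the Website/Software
  2. Development of the Website/Software
E) Legal basis of data processing: GDPR Article 6 (1) a): Consent
F) Timeframe of data processing, deletion time: until the withdrawal of the consent

B) Data category: language preferences
C) Data source: data collected automatically
D) Purpose of data processing:
  1. Personalizing the Website/Software
  2. Development of the Website/Software
E) Legal basis of data processing: GDPR Article 6 (1) a): Consent
F) Timeframe of data processing, deletion time: until the withdrawal of the consent

B) Data category: application IDs
C) Data source: data collected automatically
D) Purpose of data processing:
  1. Personalizing the Website/Software
  2. Development of the Website/Software
E) Legal basis of data processing: GDPR Article 6 (1) a): Consent
F) Timeframe of data processing, deletion time: until the withdrawal of the consent

B) Data category: crash data
C) Data source: data collected automatically
D) Purpose of data processing:
  1. Personalizing the Website/Software
  2. Development of the Website/Software
E) Legal basis of data processing: GDPR Article 6 (1) a): Consent
F) Timeframe of data processing, deletion time: until the withdrawal of the consent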

The Users are entitled to object against the data processing on the legal basis of Legitimate interest. In that case the Service Provider does not process their data for that particular purpose further.

The Legitimate interests of the Service Provider are the following:

    1. Claim and law enforcement: the data processed for that particular purpose are used for submitting claims and serve as evidence in case of a lawsuit. Those data can be requested by the Authorized Users as well for the same purpose. Processing the data for claim and law enforcement purposes is the legitimate interest of both the Service Provider and the Authorized User and does not affect the Authorized User’s fundamental rights and other personal rights disproportionately.
    2. Statistical purposes: the data processed for that particular purpose are used for making statistics from anonymized and aggregated data. Since the data used for that purpose are anonymized and aggregated, the User is no longer identifiable, so the processing does not affect the Authorized User’s fundamental rights and other personal rights disproportionately.
    3. Audit purposes: the data processed for that particular purpose are used for making statistics from anonymized and aggregated data. Since the data used for that purpose are anonymized and aggregated, the User is no longer identifiable, so the processing does not affect the Authorized User’s fundamental rights and other personal rights disproportionately.

7.2) Data processed regarding the Customers

Columns of the table:

A) Data subject
B) Data category
C) Data source
D) Purpose of data processing
E) Legal basis of data processing
F) Timeframe of data processing, deletion time

A) Data subject: Customer

B) Data category: Name of Customer’s contact person
C) Data source: Data subject
D) Purpose of data processing:
  1. Concluding the contract
  2. Fulfilment of the contract
  3. Claim and law enforcement
  4. Identification
  5. Communication
E) Legal basis of data processing:
  • In case of processing purposes of column D/a)-b) and d)-e): GDPR Article 6 (1) b) Performance of Contract
  • In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest
  • In case of processing purposes of column D/f): GDPR Article 6 (1) c): Fulfilment of legal obligation
F) Timeframe of data processing, deletion time: 8 years after termination of the contract

B) Data category: Work phone number of Customer’s contact person
C) Data source: Data subject
D) Purpose of data processing:
  1. Concluding the contract
  2. Fulfilment of the contract
  3. Claim and law enforcement
  4. Identification
  5. Communication
E) Legal basis of data processing:
  • In case of processing purposes of column D/a)-b) and d)-e): GDPR Article 6 (1) b) Performance of Contract
  • In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest
F) Timeframe of data processing, deletion time: 8 years after termination of the contract

B) Data category: Work e-mail address of Customer’s contact person
C) Data source: Data subject
D) Purpose of data processing:
  1. Concluding the contract
  2. Fulfilment of the contract
  3. Claim and law enforcement
  4. Identification
  5. Communication
E) Legal basis of data processing:
  • In case of processing purposes of column D/a)-b) and d)-e): GDPR Article 6 (1) b) Performance of Contract
  • In case of processing purposes of column D/c): GDPR Article 6 (1) f) Legitimate interest
F) Timeframe of data processing, deletion time: 8 years after termination of the contract

The Customers are entitled to object against the data processing on the legal basis of Legitimate interest. In that case the Service Provider does not process their data for that particular purpose further.

The Legitimate interests of the Service Provider are the following:

Claim and law enforcement: the data processed for that particular purpose are used for submitting claims and serve as evidence in case of a lawsuit. Those data can be requested by the Customers as well for the same purpose. Processing the data for claim and law enforcement purposes is the legitimate interest of both the Service Provider and the Customer and does not affect the Customer’s fundamental rights and other personal rights disproportionately.

7.3) Data processed regarding the persons submitting the contact form

The Users are able to submit any messages directly to the Service Provider via the Website by filling a contact form.

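Columns of the table:

A) Data subject
B) Data category
C) Data source
D) Purpose of data processing
E) Legal basis of data processing
F) Timeframe of data processing, deletion time

A) Data subject: Person submitting a message via contact form

B) Data category: Name of the person*
C) Data source: Data subject
D) Purpose of data processing: Communication, administration
E) Legal basis of data processing: GDPR Article 6 (1) f) Legitimate interest
F) Timeframe of data processing, deletion time: Until withdrawal of consent

B) Data category: Work e-mail address*
C) Data source: Data subject
D) Purpose of data processing: Communication, administration
E) Legal basis of data processing: GDPR Article 6 (1) f) Legitimate interest
F) Timeframe of data processing, deletion time: Until withdrawal of consent

B) Data category: Personal data disclosed in the message
C) Data source: Data subject
D) Purpose of data processing: Communication, administration
E) Legal basis of data processing: GDPR Article 6 (1) f) Legitimate interest
F) Timeframe of data processing, deletion time: Until withdrawal of consent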

The Users are entitled to object against the data processing on the legal basis of Legitimate interest. In that case the Service Provider does not process their data for that particular purpose further.

The Legitimate interests of the Service Provider and the Users are the following:

The Service Provider’s and the User’s joint legitimate interest is that the User can submit any messages directly to the Service Provider and that the Service Provider can answer this message and is able to handle the administration tasks concerning the message. The amount of data processed for that purpose is limited to the necessary level, so this data processing does not affect the User’s fundamental rights and other personal rights disproportionately.

7.4) Data collected automatically via the Website

We use cookies and various other analytics services on the Website in order to understand the Visitors’ preferences and behaviour relating to the Website, to develop the Website based on those, and to generate anonymous statistics on Website traffic. Certain small programs aid the Users in not having to input their data on repeat visits, and make their identification easier and quicker, while other programs serve to identify the Users. The following personal data are collected automatically through our Website:

Columns of the table:

A) Data subject
B) Data category
C) Data source
D) Purpose of data processing
E) Legal basis of data processing
F) Timeframe of data processing, deletion time

A) Data subject: Visitors
B) Data category:
  • IP address
  • Browser user agent info & referrer
C) Data source: Collected automatically
D) Purpose of data processing:
  1. User identification
  2. Customization of the Website
  3. Analysis, development of the Website and of the services accessible through the Website
E) Legal basis of data processing: GDPR Article 6 (1) a) Consent
F) Timeframe of data processing, deletion time: until the withdrawal of the consent

The scope of collected data is insubstantial. The data are merely used for anonymous statistics and analyses; they are not used to identify behaviours or preferences, no automated decisions are made based thereon, and no personalized offers are made by the Service Provider based thereon.

Upon visiting the Website and using the Software, Service Provider places cookies within User’s browser and in HTML-based emails as per the regulations herein.

In general, a cookie is a small file consisting of letters and numbers, which is sent to the device of the User from the web server of the Service Provider. It enables the Service Provider, for example, to recognize the end device of the User when a connection is created between the web server of the Service Provider and the device.

Service Provider does not use the aforementioned cookies and personal data collected automatically by them either for the purpose of profile making, direct marketing, automated decision-making or for online behavioral marketing.

Purpose of cookies used by Service Provider:

a.) Security: aiding and ensuring safety, moreover enabling and aiding Service Provider to detect unlawful conduct.

b.) Preferences, attributes and services: cookies let Service Provider know, what language is preferred by the User, what are their communications preferences, aid the User in completing forms on the Website, making them easier to fill out.

c.) Performance, analytics and research: cookies aid the Service Provider in understanding how the Website performs in various areas. Service Provider may use cookies, which rate, improve and search the Website, the products, functions, services, including when User enters the Website from other websites, and the devices, such as User’s computer or mobile device.

Types of cookies utilized by Service Provider:

a.) analytics, tracking cookies;

b.) session cookies, which only operate during the active session (usually the Website visit itself);

c.) permanent cookies: which help in identifying the User as an existing user, making it easier for them to return without having to log in again.

Third party cookies:

None

Control of cookies:

Most cookies enable Users to control cookie usage via their settings. However, if User restricts the usage of cookies, this may hinder user experience, since it will no longer be customized. User may also stop the saving of personal settings, such as the saving of login information.

If User does not wish for Service Provider to use cookies when User visits the Website, he/she may refuse usage under his/her settings page. In order to let Service Provider know that the User has refused usage of cookies, a denial cookie is placed on the User’s device; thus, Service Provider will know that no cookies may be placed on the device upon the next visit of the Website. If the User does not wish to receive cookies, they may change their browser settings accordingly. If no such change has been made, Service Provider will view User as having given consent to the sending of any kinds of cookies. The Website shall not function completely without cookies.

For further information on cookies, including types, management and removal, visit Wikipedia.org or www.allaboutcookies.org or www.aboutcookies.org.

8.) WHO MANAGES YOUR PERSONAL DATA, AND WHO HAS ACCESS TO THEM?

8.1) The data controller

The controller of the personal data specified under point 6. hereto is Service Provider, the company data of which are as follows:

Labcup Limited

Registered office: 1 Blanchardstown Corporate Park, Ballycoolen Road, Blanchardstown, D15 AKK1, Republic of Ireland

Company No: 546898

VAT No: IE3342518FH

E-mail: info@labcup-32e44d.ingress-bonde.easywp.com

Tel: +353 87 9841870

Represented by: Gábor Radics

On behalf of Service Provider, the data is accessible to the employees of Service Provider whose access is essential to the performance of their duties. Access authorizations are specified in a strict internal code.

8.2) Data processors

For the processing of the personal data of representative and contact persons, we engage the following companies, with whom we have entered into data processor agreements. The following data processors conduct the processing of personal data:

Name and type of data processor: Accountant
Data processing activity: Accounting, Payroll
Categories of data subjects: Customers
Categories of data processed: name, e-mail address, phone number of the Customer’s contact person, banking information, billing address

Name and type of data processor: Bank
Data processing activity: Online payment services
Categories of data subjects: Customers, Contractors
Categories of data processed: name, e-mail address, phone number of the Customer’s contact person, banking information, billing address

Name and type of data processor: Customer support software/service
Data processing activity: Customer support system
Categories of data subjects: Authorised users
Categories of data processed: Ticket data, requestor/contact data, application integration data, knowledge base data, report data

Name and type of data processor: Accounting software/service
Data processing activity: Accounting, Invoicing
Categories of data subjects: LabCup Staff
Categories of data processed: name, e-mail address, phone number of the Customer’s contact person, banking information, billing address

Some of the data processors we use process your personal data outside of the European Union. We hereby inform you concerning the data transfers to abroad as follows:

a.) U.S.-based processors used by the controller, which are on the Privacy Shield List:

9.) WHO IS THE DATA PROTECTION OFFICER OF THE SERVICE PROVIDER AND WHAT ARE THEIR CONTACT DETAILS?

Name: Gábor Radics

Seat: 1 Blanchardstown Corporate Park, Ballycoolen Road, Blanchardstown, D15 AKK1, Republic of Ireland

Tel: +353 87 9841870

E-mail: dpo@labcup-32e44d.ingress-bonde.easywp.com

10.) WHAT RIGHTS DO YOU HAVE REGARDING THE PROCESSING OF YOUR DATA, AND HOW CAN YOU EXERCISE THEM?

a.) Right of access: you may inquire as to what data is managed, for what purposes, for how long, to whom do we forward them, and where the data originates from.

b.) Right of correction: should your data change or be recorded wrong, you may request that this be rectified or corrected.

c.) Right of deletion: in instances specified by law, you may request that we delete your stored personal data.

d.) Right of restriction: in instances specified by law, you may request that data management be restricted regarding your personal data.

e.) Right to objection: in case of data processing under the legal basis of legitimate interest you may object to your personal data being managed, in which case we do not manage your personal data any further.

f.) Right to data portability: you may request the porting of your personal data, in which case we hand over your stored data either to you, or directly to a data controller of your choosing, if such is technically safe and manageable.

We wish to note that data portability requests may only be issued regarding data managed per your consent, or regarding data that is managed automatically, and that we may only conclude data portability requests aimed towards other providers if such is possible from a technical and security viewpoint.

In cases of such requests, we conduct ourselves pursuant to applicable law, and will provide information on the rendered measures in one month.

g.) Right to revoke consent: in cases where the legal basis of data processing is consent based on GDPR Article 6 (1) c) or explicit consent based on GDPR Article 9 (1) a), you have the right to revoke such consent at any time, which does not affect the legality of data management conducted prior to the revocation.

h.) Right of complaint: should you have any complaints or grievances regarding our data management, you have the right to lodge a complaint with the supervisory authority:

Main supervisory authority:

Irish Data Protection Commissioner

Office of the Data Protection Commissioner

Postal address: Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland

Telephone: +353 57 868 4757

E-mail: info@dataprotection.ie

The Service Provider is incorporated in Ireland, its place of activity and center of activity is in Ireland. Therefore its main supervisory authority is the Irish data protection authority.

Moreover, you may file a suit against Service Provider if your personal data has been infringed upon.

11.) MEASURES TAKEN FOR THE PURPOSES OF DATA SECURITY

Service Provider has enacted the following information security procedures for the purposes of data protection.

We follow a detailed information security code regarding the safety of the data and the information that is under our control, with which compliance is mandatory for all our personnel, and which is both known and used by our staff.

We regularly coach and train our employees regarding data and information security requirements.

11.1. Data security in IT infrastructure

    • We store personal data on a rented cloud, on rented servers and on the hard drives of company computers, access to which is strictly controlled and only granted to a very restricted circle of personnel. We regularly test our IT systems in order to ensure and maintain data- and IT security.
    • Office workstations are password-protected, third-party storage devices are restricted and may only be used following approval and virus control.
    • Protection against malicious software is provided regarding all of the systems and system elements of the Service Provider.
    • During the planning and operation of programs, applications and tools, we address security functions separately and with emphasis.
    • When allocating authorizations to our IT systems, we pay close attention to the protection of data (e.g. passwords, authorizations) affecting these systems. Passwords provided on the Website are encrypted using Hash and Salted Hash technology. In developers’, staging and demo environments, User data is masked and stored accordingly.
    • We store the application passwords encrypted using salted hash technology.
    • We mask the e-mail address of the given User with which the services are used.
    • Secret character series used by us for salting
    • Hash algorithm used for encryption

11.2. Data security in communication

    • Regarding electronically forwarded messages and files, we use SSL/TLS encryption. We secure the integrity of data on both the controller’s and the user’s data, in order to comply with the principle of safe data exchanges.
    • The protection we use detects the illegal intrusions, modifications and inclusion. We prevent data loss and damage by fault detecting and correcting procedures and we ensure the prevention of deniability.
    • Regarding the network used for data transmission, we provide defense against illegal connection and eavesdropping per an adequate security level.

11.3. Data security in software development and programming

    • During the development of our Website and application, we build into the design process the requirements of data protection and data security, which are continuously ensured in the whole development process.
    • During the software development we separate the test/developer environment and the go live environment; during the testing we usually depersonalize the personal data.
    • During the programming we meet the fundamental requirements of secure coding, we use platform and programming language techniques for the avoidance of typical vulnerabilities, and we follow the newest recommendations for the examination of the codes.
    • We use continuous tracking for identifying newly discovered vulnerabilities; our developers regularly follow the professional data security recommendations and we use programming techniques for the avoidance of the typical failures. We check the codes on the basis of the principles of secure coding and we ensure the appropriate documentation with change tracking.

11.4. Data security in document management

We comply with data security requirements in document management as well, which we stipulate in document management by-laws. We manage documents by pre-set access and authorization levels, based on the level of confidentiality regarding the documents. We follow strict and detailed rules regarding the destruction of documents, their storage and handling at all times.

11.5. Physical data security

    • In order to provide physical data security, we ensure our physical barriers are properly closed and locked, and we keep strict access control regarding our visitors at all times.
    • Our paper documents containing personal data are stored in a closed locker that is protected against theft, to which only a select few have authorized access.
    • The rooms where storage devices are placed in have been made to provide adequate protection against unauthorized or obtrusive intrusion, as well as fire and environmental damage. Any data carrier used for data transit, backups and archives can be stored only in appropriately closed rooms.

11.6. What procedure do we follow upon an incident?

Pursuant to applicable law, we report incidents to the supervisory authority within 72 hours of having gained knowledge thereof, and we also keep records of them. In cases regulated by applicable law, we also inform subjects of the incidents, where necessary. In cases where such is required by law, we also inform concerned data subjects thereof. Regarding other matters, we conduct ourselves pursuant to our global Incident Management Rules and the processes set out therein.

12.) WHEN AND HOW DO WE AMEND THIS PRIVACY NOTICE?

Should the scope of data or the circumstances of data management be subject to change, this notice shall be amended and published on www.labcup.net and www.labcup.com websites and in the Software within 30 days, as is required by GDPR. Please pay attention to the amendments of this notice, as they contain important information regarding the management of your personal data.