• Use personal data only for specified and lawful purposes
• Collect and use only the minimum amount of personal data required in order to meet our legitimate business needs
• Take steps to ensure that the personal data that We hold is kept accurate and up- to-date
• Take appropriate measures against the risks of unlawful use and accidental loss or destruction of, or damage to, personal data
• Honour data subject rights requests in regard to access, correction, deletion, restriction, objection, and porting
• Impose suitable contractual controls whenever We engage parties to process data on our behalf
• Report personal data breaches to competent authorities and affected individuals in appropriate cases
• Comply with accountability requirements that include maintaining a record of processing activities, conducting data protection impact assessments in appropriate cases, and abiding by privacy-by-design and privacy-by-default principles

• Human resources
• Healthcare professionals
• Patients
• Suppliers

• Where an BioSenseTek Affiliate is simply processing personal data on behalf of a non AZ entity who controls and is legally responsible for the processing of that personal data
• Personal data which originates from a jurisdiction where the transfer of personal data is not regulated, and which is not controlled at any stage by an BioSenseTek Affiliate in a regulated jurisdiction
• CCTV footage (because CCTV footage is not ordinarily moved across borders)
• Data about BioSenseTek employees of U.S entities

The type of personal data which may be transferred could include anything which BioSenseTek has a legitimate business need to transfer as part of its business operations. The privacy notice which you are provided with at the time of collection (or shortly thereafter) will provide you with more information about what personal data is being collected by BioSenseTek and how it is going to be used

Whilst We may transfer personal data to any of Our Affiliates, it is likely that most transfers will be to our Affiliates in the U.S, India, Poland, Mexico, Kuala Lumpur (Malaysia) and Costa Rica. Further details of BioSenseTek’s operations are available on our website.

• Transparency and easy access: We will provide you with information about how We process your personal data to the extent necessary to ensure that processing is fair, and to a level that satisfies the notice requirements of the EU GDPR. This information will normally be provided through a privacy notice which is provided to you at the time BioSenseTek first collects your personal data, or shortly thereafter.
• Access: You may ask BioSenseTek for access to the personal data that We hold about you and BioSenseTek will take steps to provide you with access to the Personal Data you have requested. However, We may not be able to provide you with all the information you ask for. Any information which is withheld will only be withheld based on applicable laws. Details of how to access your information will be made available to you on the applicable BioSenseTek privacy notice which covers the processing of your personal data
• Rectification, deletion, and restriction: You may ask BioSenseTek in writing to rectify, amend, delete, or suspend the use of the personal data that BioSenseTek holds about you, where that personal data is inaccurate or used in breach of the BCRs. Except in certain circumstances and subject to the applicable law, BioSenseTek will comply with that request. Details of how to request rectification, amendment, deletion or restriction will be made available to you on the applicable BioSenseTek privacy notice which covers the processing of your personal data
• Right of objection: You may object to the collection, retention or use of your Personal Data by BioSenseTek if there are compelling legitimate grounds
• Automated processing, including profiling: In the unlikely circumstance that We process information about you on a purely automated basis that has a significant impact on you, We shall give you the opportunity to discuss the output of such processing before making those decisions (save to the extent otherwise permitted under applicable law).

• Commitments to notify other BioSenseTek Affiliates in the event that applicable national laws may interfere with their compliance with the BCRs;
• Commitments to provide access to and make available a complaints procedure for prompt resolution of complaints and concerns brought by individuals in relation to their data, without prejudice to their ability to bring a complaint before a competent supervisory authority; and
• Commitments to cooperate with competent supervisory authorities, including in relation to auditing and audit reports, reporting changes to the BCRs and resolution of disputes.

Depending on your circumstances and location, you may be able to enforce your privacy rights using the BCRs through one of the regulators who has approved the BCRs or through an English court or a court in your jurisdiction or court where the relevant BioSenseTek Affiliate you believe breached the BCRs is established.

You are also entitled to obtain a copy of the IGA upon request, in order that you can see the mechanism by which We ensure that We protect your information and give you enforceable rights. We may redact some commercially sensitive information from the copy of the IGA we give to you.

As part of the BCRs, We have also agreed that where you can show you have a case against Us, we shall have the burden of proving that We have complied with the BCRs. Before exercising those rights we request you contact us in the manner described in the “Ask a Question/Raise a Concern” section below so that we can try to address your concerns.