Privacy Policy

1 - Introduction

1.1 - With this privacy notice, we wish to inform you on how and why we Process your Personal Data and which rights you have under the European General Data Protection Regulation (« GDPR ») and other local laws on Privacy and the Processing of Personal Data (« Applicable Laws »).

1.2 - You will see defined terms in this privacy notice. If not defined within this privacy notice, these terms have the meaning provided for in the Applicable Laws.

2 - Processing of Personal Data

2.1 - As part of our activities, we may Process[1] Personal Data[2] about you, your employees, directors, agents or other representatives (« Data Subject(s) » or « you ») in the manner described below.

2.2 - We are committed to protecting your privacy and your Personal Data and to respecting your rights. This notice explains how we Process your Data, in accordance with the Applicable Laws.

2.3 - If you are an entity, please inform your employees, directors, agents and other representatives of our Processing of their Personal Data. Every time you transfer Personal Data to us in the context of our business relationship, you guarantee to us that it is lawful for you to do so, that you have appropriately informed the respective individual of such Processing and that no transfer of Personal Data to us will put us in breach of the Applicable Laws.

3 - Data Controller

3.1 - Within the Univercells group, each entity will, for their respective activities with or towards you as well as for their respective contacts with you, as described further below, qualify as the Data Controller for their Processing of your Personal Data, which means that they determine why and how your Data is Processed.The details of the concerned Data Controller (herein also "we" or "us"), responsible to make sure your Data is Processed in a lawful, transparent, and secure manner are as follows:

- For activities of Quantoom Biosciences SA: Quantoom Biosciences SA with registered office in 1400 Nivelles (Belgium), rue de la Maîtrise 11, and with company number 0744.643.858 (Register of Legal Entities Brabant Wallon),
- For activities of Quantoom Research Center (France): SYNHELIX SAS with registered office at 4 rue Pierre Fontaine, Genopole (91058) Evry Cedex, France, registered with the Evry Trade and Companies Registry under number 848 917 373,
- For certain activities (marked below with an *) we may Process your Personal Data as a joint data controller together with Univercells SA, with registered office in 6040 Charleroi (Belgium), Zoning de Jumet, Avenue Centrale 52 and with company number 0502.742.28 (Register of Legal Entities Hainaut/division Charleroi), which provides centralised services to the different group entities. This means that the respective group entity determines why and how your Data is Processed together with Univercells SA to maintain harmonised processes throughout the group. Both entities will then jointly make sure your Data is Processed in a lawful, transparent, and secure manner in line with specific joint controller arrangements agreed between the Univercells group entities.

3.2 - We have set-up a group privacy point of contact which you can reach by contacting: privacy@univercells.com.

4 - How and why we Process your Personal Data

4.1 - We may Process your Personal Data for various purposes. Below, we describe for each purpose, the type of activities we perform, the categories of Data Subjects to whom such Processing relates to the categories of Personal Data we Process, as well as the applicable legal basis and retention period.

Client management

Type of activities	Category of Personal Data	Legal Basis
Sales & Customer Management	Identification data; Professional data; Business contact data	Legitimate Interest (Performance of business for clients).
Marketing & Communication to existing customers (e.g. promotion of similar offerings, satisfaction reviews, surveys, information on events)	Identification data; Professional data; Business contact data; Marketing data	Legitimate interest (Customer satisfaction and customer retention)
R&D or manufacturing	Identification data; Professional data; Business contact data	Legitimate Interest (Performance of business for clients)
Labs Rental & Utilities	Identification data; Professional data; Business contact data; Possibly data related to health [in the event of illness];	Legitimate Interest (Performance of business for clients)

Supplier management

Type of activities	Category of Personal Data	Legal Basis
Supply Chain Management (*) including: Procurement Planning Logistics	Identification data; Professional data; Business contact data	Legitimate Interest (Supply Chain Management)

Protecting the interests of our company and organisation (including our financial and legal interests, our compliance with applicable legal requirements, the continuity and growth of our business, etc.)

Type of activities	Category of Personal Data	Legal Basis
Business development (), including: Marketing intelligence & analysis Licensing Merger & Acquisitions ()	Identification data; Professional data; Business contact data; Education/qualification data;	Legitimate interest (Business growth & continuity)
Legal Services, including Corporate Legal Support and Management of IP and other Assets (*)	Identification data; Professional data; Business contact data; Education/qualification data;	Legitimate Interest (Business growth and continuity / Protection of the Organisation and safeguarding its interest)
Finance, including: Accounting & Audit FP&A & Corporate Finance Cost Controlling	Identification data; Professional data; Business contact data	Legitimate interest (Finance)

Management of disputes

Type of activities	Category of Personal Data	Legal Basis
Management of litigation and disputes (*)	Identification data; Professional data; Business contact data; Data relevant to the dispute at hand; Possibly criminal or sensitive data exchanged in the context of a dispute	Legitimate interest (Legal defence) Necessity for the Establishment, Exercise or Defence of legal claims

Security

Type of activities	Category of Personal Data	Legal Basis
Video surveillance (in so far access would be granted to labs) Badging system management (in so far, a badge would be granted)	Image data; Badge logs / location data; Identification data	Our legitimate interest (Security)

Quality & R&D

Type of activities	Category of Personal Data	Legal Basis
Quality Services / R&D for biomedical research excluding clinical trials or processing of patient data (*)	Identification data; Professional data; Business contact data; Private contact data; Education/qualification data; Performance data	Necessity to comply with our legal obligations (quality requirement) or Our legitimate interest (Quality management & control / Growth of Business and Business Continuity)

(Direct) Marketing

Type of activities	Category of Personal Data	Legal Basis
Marketing & Communication towards prospects	Identification data; Professional data; Business contact data; Marketing data	Consent
Analytics and performance management (through cookies)	Cookie data	Consent (except essential technical cookies) as further described in the Cookie Notice on our Websites

4.2 - We may also Process your Personal Data (e.g. as a contractor, consultant or partner) in the context of our internal workforce management, which activities are described in a separate (internal) notice and which will, when applicable, be provided to you.

4.3 - In addition to the Data categories listed above, we may use other types of Data relating to you that you may have voluntarily provided to us, that were provided to us in the context of our business relations or that we have deducted or generated from Data that were already in our possession.

5 - We may collect your Data in different ways

5.1 - We may collect Data that you have voluntarily provided to us (for by applying or registering for an event, visiting our booth at a congress, attending a meeting with one of our team members, by giving us your business card, responding to a survey or participating in a Website feature) or through the company or organisation you work for.

5.2 - It may also be possible that we receive or indirectly collect Data about you, for example, from our business partners or from public sources such as social networks or public websites.

6 - Sharing your Personal Data with others

6.1 - We restrict access to your data to employees and any person acting under our authority on a need-to-know basis, who respect our confidentiality rules and comply with our instructions.

6.2 - Any person having access to your Personal Data (e.g. our Marketing & Communication team, our Sales team, our Procurement team, our IT team) and acting under our authority Processes your Data in respect of the instructions that we have given them and has committed him or herself to respect our confidentiality rules.

6.3 - We may call on intragroup or external Processors for the Processing of your Personal Data (e.g. intragroup service providers, external IT service providers, external mailing providers). In this case, we only call on Processors providing sufficient guarantees on the lawfulness, transparency and the security of the Processing of your Data.

6.4 - We may also need to transfer your Data to other Recipients (both intragroup and external) if we believe in good faith that this is necessary, at all times taking into account our obligations under the Applicable Laws. We could transfer your Data to, for example:

- Attorneys or courts to safeguard the rights and interests of our organization, our people, our customers and partners or the public in general;
- Public or enforcement authorities to comply with a legal obligation or procedure;
- External or internal service providers;
- Potential investors or counsels in the context of an equity raise, reorganisation or an M&A transaction;
- Our (statutory) auditors to perform an audit.

6.5 - We may also share your Data with authorized distributors, business partners to communicate with you or to respond to your queries.

6.6 - We are an international organisation, operating globally and may therefore transfer your Personal Data outside the European Economic Area (EEA). Transfers from our entities in the European Economic Area to entities outside the EEA are covered by intercompany data transfer agreements in line with Applicable Laws. When your personal data is shared by us with or transferred by or to a third party outside the EEA, when required, we will enter into the appropriate data transfer agreements or otherwise make sure appropriate safeguards are in place.

7- Minimizing and securing your Personal data – Data retention & deletion

7.1 - At all times we aim to minimize the Personal Data we process, to make sure we only use your Data when and in so far, we need it. Where possible we also pseudonymise or key-code your Data so that you cannot be directly identified.

7.2 - We only keep your data where and in so far as we need it, in line with the mandatory retention terms. Once we are no longer required to keep your Personal Data or have an appropriate basis to continue the Processing, we will either delete or anonymise your Data.

8 - We respect your rights

8.1 - We have implemented reasonable, risk-based technical and organisational measures to ensure that your Data is protected from loss or disclosure, unauthorised use, modification or destruction.

8.2 - Under the Applicable laws You have certain rights in relation to the Personal Data we hold about you, including:

- the right of information about and access to your Personal Data;
- the right to rectify or erase certain Personal Data;
- the right to restrict or to object to certain processing;
- the right to data portability;
- the right to withdraw your consent, where the processing is based on consent.

8.3 - You can request the exercise of your rights by contacting us using the contact details below.

8.4 - In order to guarantee the security of your Data and to avoid any misuse, before responding to your request, we will ask you to provide us with an acceptable proof of your identity and will verify the legitimacy of your request and whether all the conditions have been satisfied.

9 - Contact us

9.1 - If you have any questions or concerns about the way we collect, store and use your Data, do not hesitate to direct them to our Group privacy point of contact:

- By email: Privacy@univercells.com
- By phone: T +32 (0)2 318 83 48
- By mail: Avenue Hermann Debroux 54, 1160 Auderghem, Belgium

9.2 - We will deploy our best efforts to find a quick and fair solution to any concern that you may submit to us.

9.3 - In addition, if you have reasons to believe that the Processing of your Personal Data by us infringes the Applicable Laws, you have the right, at all times, to lodge a complaint with a supervisory authority. You can reach the Belgian Data Protection Authority through: www.dataprotectionauthority.be

[1] “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
[2] “Personal Data” or “Data” means the information that identifies you or allows you to be identified either on its own or in combination with other information.