In all Labfit activities involving interaction with its customers and the provision of services, total confidentiality is guaranteed, which we value as a fundamental criterion for maintaining the trust placed in this company. This commitment, which involves all employees and service providers contracted by Labfit, guarantees that the identity of customers, services provided and results thereof will not be disclosed, except when expressly authorised by the data subjects or required by legal or contractual obligations.
With regard to personal data (relating to the identification of living individuals), Labfit, its employees and the service providers contracted by Labfit comply with the provisions of the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). Since Labfit's activity mainly involves commercial relations with companies (whose data are not covered by the aforementioned Regulation), the points relevant to compliance with this legislation, within the scope of this activity, are as follows:
- Personal data of employees of companies and other entities with which Labfit establishes commercial relationships (e.g. personal email addresses) are not disclosed to other entities unless explicit authorisation is received to do so.
- The personal data of employees falls within a contractual relationship that does not require explicit consent for the purposes for which it is intended. This data is not processed, disclosed or transmitted outside the scope described, unless explicit authorisation has been given to do so.
- In research projects involving the participation of volunteers (or biological samples from volunteers), the collection, processing and storage of personal data is defined in advance, taking into account the minimisation of the data collected, and submitted for review by a suitable Ethics Committee. In such cases, and in accordance with the principle of transparency, the Free and Informed Consent document clearly explains, in simple and accessible language, what personal data is collected during the research, how it is processed, and how long it is retained and stored, safeguarding the restricted and controlled access to which this data is subject at Labfit. In cases where the processing serves multiple purposes, consent is requested for all of these purposes. In all cases, the data is not provided to third parties or stored in a database without the explicit authorisation of the volunteers.
- The personal data collection and storage system implemented at Labfit follows the principles of maximising security and protecting citizens' privacy, thereby minimising the risk to the rights of data subjects. In the event of personal data security breaches being identified, the risk and the need to notify the National Data Protection Commission, although unlikely, will be assessed by Labfit in light of the provisions of the GDPR.
- With regard to personal data received in the context of job application processes (scheduled or spontaneous), Labfit stipulates that the CVs to which it has access are stored for a maximum period of one year, after which the documents are destroyed and the email contacts deleted from the system. Applicants are informed by email (by the administration or the secretariat) about the procedures implemented at Labfit regarding this processing of personal data.
- Paper documents containing personal data are disposed of by destroying them in a manner that ensures the data subjects cannot be identified. Digital files are disposed of by permanently deleting them from the computer storage media.
- The GDPR provides that citizens may request the deletion of their personal data from the database where it is stored (right to be forgotten). To comply with this request, the data subject must contact Labfit directly (in writing - by email or post) and formally request this process. The data subject should, however, bear in mind that this deletion will never have retroactive effect on documents already issued (e.g. study reports) nor will it include information that Labfit is required to preserve in the context of managing the study conducted.
- If applicable and whenever formally requested, individual information will be properly organised so that it can be transferred to the destination that the applicant, being the data subject, deems appropriate.
- In addition to the erasure/deletion of data and its portability, owners of personal data freely provided to Labfit will have the possibility of access (to check which personal data of the owner is in Labfit's possession), rectification (correction of data that is incorrect or out of date) or limitation of its processing, by simply submitting a formal request as described for the erasure of data.