Privacy notice : exercising your rights


Exercising the rights of data subjects in relation to the processing of their personal data

The purpose of this notice is to inform you in full transparency of the way in which we process your personal data when you exercise one or more of the rights defined in the applicable regulations and in particular in Chapter III of the General Data Protection Regulation (GDPR) as well as in the law relating to information technology, files and freedoms.

  • Data controller:

The LFB entity with which you exercise your right(s) acts as data controller.

  • Purpose of the processing:

The applicable regulations offer the persons whose data is processed various rights that can be exercised directly with the entity acting as data controller (right of access, right of rectification, right to erasure, right to restriction, right of objection).

We process your personal data for the following purpose: management of the exercise of your rights in the context of personal data processing as provided for by the applicable regulations.

  • Legal basis:

We can only process your personal data if it is lawful. Processing is only lawful insofar as it based on one of the legal bases mentioned in the applicable law (GDPR).

The processing of your personal data is based on the following legal bases: We have a legitimate interest in processing your data, in particular in order to prove that we have responded to your request within the time limits imposed by the regulations. The legitimate interests that we pursue are balanced against your interests, fundamental freedoms and rights that require protection of personal data.

  • Data subject:

This processing of personal data concerns the following data subject: the data subject exercising his/her rights as mentioned in the applicable regulations.

  • Categories of personal data concerned:

The following categories of personal data are concerned by the processing:

  • Your identification data (e.g. name and surname)
  • Your contact details (e.g. email, address, telephone number …)
  • The content of our exchanges


  • Source of the personal data:

Personal data come:

  • Directly from you
  • From alternative sources including where necessary LFB and its data processors.


  • Obligation to provide your personal data:

The processing of your personal data is necessary to carry out the processing referred above. Failure to provide this data would make it impossible to respond to your request.

  • Recipients of personal data:

Depending upon their respective needs, recipients of all or part of the personal data are the following recipients:

  • The LFB departments directly concerned by your request.
  • The Data Protection Officer.
  • Our service providers acting as a data processor on our behalf (within the limit necessary for the performance of the work we have entrusted to them).

In the event that personal data is entrusted to a data processor, an agreement will be concluded in order to ensure and guarantee that personal data is processed in accordance with our instructions and that adequate technical and organisational measures are taken to protect it.

  • Public authorities, government bodies, etc.


  • Data transfers outside the European union:

Your personal data is processed in the European Union but may be transferred to countries outside the European Union (USA for example).

When we transfer your data to countries which do not offer a level of protection equivalent to that implemented within the European Union, we put in place appropriate technical and legal guarantees in order to protect your data against any access, use or unauthorized disclosure.

  • Period for which the personal data will be stored:

Your personal data is kept for 6 years from the closing of your request.
Once the retention period has been reached, personal data is, depending on the case, destroyed or anonymized. In the latter case, this means that it will be impossible to identify you from this data.

  • Security:

We put in place technical and organisational measures allowing the protection of your personal data. We take reasonable steps to protect your data from loss, misuse, unauthorised access, disclosure, modification or destruction of your data.

  • Your rights:

Within the conditions and limits of the applicable regulations, you have the following rights:

  • Right of access: you can access the personal data that we hold about you.
  • Right of rectification: you can ask us to correct data that is inaccurate or incomplete.
  • Right to erasure (right to be forgotten): you have the possibility under certain conditions to obtain the erasure of the personal data that we hold about you. However, we have the possibility of not responding favourably to your request, in particular in the event that we need your personal data to meet a legal obligation.
  • Right to restriction of processing, in particular in the event that you dispute the accuracy of the personal data that we hold about you.
  • Right to object: you can object, for reasons relating to your particular situation and under certain conditions, to the processing of data concerning you.
  • Right to portability: you can receive the personal data that we hold about you in a readable format so that we can store or transmit it.
  • Right not to be subject to a decision based exclusively on automated processing, including profiling.

Under certain circumstances, we will not be able to respond to your request if you want to exercise your rights. In such a case, we will explain the reasons for our refusal.

  • Contact and reclamation:

To exercise the above rights or for any questions in connection with personal data, please send any request to the LFB Group Entity’s Data Protection Officer, in priority by email: or by post to the following address: LFB BIOMEDICAMENTS, Data Protection Officer, Legal Affairs and Compliance Department, ZA de Courtabœuf, 3 avenue des Tropiques, 91940 LES ULIS.

 If you consider, after contacting us at the contact details above, that your rights are not respected or that data processing does not comply with data protection rules, you may lodge a complaint with a supervisory authority in particular in the Member State in which your habitual residence, place of work or the place where you consider that a breach of the regulations has been committed.

Version: 07/07/2021