ZTRON Privacy and Security Handbook
深圳华大智造科技股份有限公司及其子公司(本手册中又称为“华大智造”、“华大”、“我们”和“我们的”),致力于保护并维护您(本手册中又称为“您的”、“客户”和“用户”)及数据主体的隐私。因此,华大智造承诺,在销售和运营ZTRON数据中心一体机、ZSM(ZTRON搭载的生物样本管理平台)、ZLIMS(ZTRON搭载的实验室信息管理平台)、MegaBOLT(ZTRON的生物信息分析加速系统)、PaaZ(ZTRON的生信分析及数据管理平台)、ZMART(ZTRON应用市场)以及提供其中的应用和服务时,会严格遵守适用的数据隐私相关的法律法规。
MGI Tech Co., Ltd and its affiliates (hereby referred to as “MGI Tech”, “MGI”, “we”, “us” or “our” in this handbook), are committed to protecting and maintaining privacy of your (hereby referred to as “your”, “our clients”, “our customers” or “users” in this handbook) and data subjects. Accordingly, MGI are committed to complying with applicable data privacy regulations when selling and operating ZTRON (a genomics data center appliance), ZSM (ZTRON’s biological sample management platform), ZLIMS (ZTRON’s laboratory information management system), MegaBOLT (ZTRON’s hardware accelerating system for bioinformatics analysis), ZMART (ZTRON’s app market) and the applications and services.
通过本手册,我们想告知您我们如何处理个人数据以及告知您所享有的权利。我们明白处理个人数据对用户的重要意义,并严格遵守相关的法律规定。保护隐私对我们来说是至关重要的事情。我们承诺对个人数据的处理符合适用的数据保护规则,包括但不限于欧盟通用数据保护条款(General Data Protection Regulation,以下简称“GDPR”)等。
This handbook sets out how we process personal data and what kind of rights you may have. We understand the importance of processing personal data to users and strictly comply with applicable laws. The protection of privacy and personal information is one of our fundamental principles. We promise to process personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection rules.
如果您希望就个人数据保护事项或本手册联系华大智造,您可以通过以下信息联系到我们的数据保护官(DPO),通常情况下,我们会在收到您的消息后十个工作日内回复。
深圳华大智造科技股份有限公司(简称MGI)
中国广东省深圳市盐田区北山工业区综合楼11栋
邮编:518083
电话:+86
400-096-6988
联系数据保护官员(DPO):dataprotectionofficer@mgi-tech.com
网站:www.mgi-tech.com
If you wish to contact MGI about personal data protection or
this handbook, please contact the Data Protection Officer (DPO) through the following information. Under
normal circumstances, we will reply within 10 working days after receiving your
message.
MGI Tech Co., Ltd
(MGI)
Address: Building 11, Beishan
Industrial Zone, Yantian District, Shenzhen, CHINA
Zip code:
518083
Phone: +86 400-096-6988
DPO: dataprotectionofficer@mgi-tech.com
Website: www.mgi-tech.com
本手册自本手册结尾处所载日期起生效。我们保留随时修改本手册的权利,因此请您务必经常查阅。如果我们对本手册做出重大变更,该等变更会导致您在本手册项下权利的实质减损,我们将在变更生效前,通过电子邮件、我们的网站和应用首页、或者产品设备开机页提供醒目通知的方式来告知您。
This handbook is effective from the date set out at the end of this handbook. We reserve the right to modify this handbook at any time, so please check it frequently. If we make significant modifications to this handbook and such changes may result in an actual impact on your rights under the handbook, we will notify you before the changes take effect through notifications on our website, application homepage and product device startup page or by sending you an email.
深圳华大智造科技股份有限公司(简称华大智造)秉承“创新智造引领生命科技”的理念,致力于成为生命科技核心工具缔造者,专注于生命科学与生物技术领域,以仪器设备、试剂耗材等相关产品的研发、生产和销售为主要业务,为精准医疗、精准农业和精准健康等行业提供实时、全景、全生命周期的生命数字化设备和系统。
华大智造成立于2016年,截至2020年9月30日,华大智造拥有员工1,578人,研发人员占比约34%,业务布局遍布六大洲50多个国家和地区,在全球服务累计超过1,000个用户,并已在全球多个国家和地区设立科研、生产基地及培训与售后服务中心等,是全球具有自主研发并量产临床级高通量基因测序仪能力的企业之一。
MGI Tech Co., Ltd. (referred to as MGI) is committed to building core tools and technology to lead life science through intelligent innovation. MGI focuses on R&D, production and sales of DNA sequencing instruments, reagents, and related products to support life science research, agriculture, precision medicine and healthcare. MGI is a leading producer of clinical high-throughput gene sequencers, and its multi-omics platforms include genetic sequencing, medical imaging, and laboratory automation.
As of September 30, 2020, MGI has 1578 employees, 34% of whom are R&D personnel. Founded in 2016, MGI operates in more than 50 countries and regions, serving more than 1000 customers. It has established scientific research and production bases, global training and service network in many countries and regions around the world. MGI is one of the companies in the world that have the ability to independent develop and mass-produce clinical high-throughput gene sequencers. Providing real-time, comprehensive, life-long solutions, its vision is to lead life science innovation.
创新智造引领生命科技。
Leading Life Science Innovation.
生命科技核心工具缔造者。
To Develop and Promote Advanced Life Science Tools for Future Healthcare.
我们严格按照适用法律和以下基本原则处理个人数据:
We are responsible for handling personal information
according to applicable laws and the following fundamental guiding principles:
√ 合法、公平和透明
√ 目的限制原则
√ 数据最小化原则
√ 准确性
√ 存储限制
√ 完整性和保密性
√
问责制
√ Lawfulness, fairness and transparency
√ Purpose limitation
√ Data minimization
√ Accuracy
√ Storage limitation
√ Integrity and confidentiality
√ Accountability
ZTRON主要用于生信分析和基因数据管理。ZTRON的设计严格遵循以上所有原则,符合华大智造的内部数据保护政策要求(包括经过DPO的check and confirm)以及GDPR要求。产品功能及详细操作指导请详见用户手册。
ZTRON is mainly used for bioinformatics analysis and genomic data management. The design of ZTRON strictly abides by all the above principles and complies with MGI’s internal data protection policy requirements (including having acquired DPO’s checking and confirmation) and GDPR requirements. All the product’s functions and detailed operation instructions can be found and checked in the product user manual.
ZTRON具体场景示例请参见附件。
See the addendum for ZTRON specific scenarios.
原则上,我们不收集个人数据,ZTRON处理的基因数据以及数据主体的其他个人数据均由使用我们产品和服务的用户收集和控制。ZTRON收集、处理、存储和传输个人数据的场景如下:
In principle, we DO NOT collect personal data. Personal data
processed by ZTRON is collected and controlled by our customers using our products and services. ZTRON will collect,
process, store and transmit personal data in the following circumstances:
√ 您通过ZMART购买应用时,您可能使用您的个人财务信息向第三方支付服务提供商付款;
√ 您使用ZTRON对您收集的基因数据进行编号管理;
√ 您使用ZTRON对您收集的基因数据进行生信分析;
√ 您通过ZTRON将您收集或处理的基因数据交付到您的本地数据中心存储。
√ You create a new account on ZTRON and enter your username and password;
√ You may use your personal financial information to make payment to third-party payment service providers while purchasing applications on ZMART;
√ You use ZTRON to number and manage the genomic data which is collected by you;
√ You use ZTRON to perform the bioinformatics analysis on the genomic data which is collected by you;
√ You transfer the genomic data collected or processed by you through ZTRON delivered to your local data centers for storage.
具体收集方式如下:
The specific collection methods are as follows:
√ 您在ZTRON创建新账号时,需要设置新账号的用户名和密码;
√ 您通过ZMART购买应用时,您可能填写个人财务信息以向第三方支付服务提供商付款,此时支付服务提供商将收集您的财务信息;
√ ZTRON进行生信分析所处理的基因数据以及其他个人数据由购买和使用我们产品的用户进行收集并录入ZTRON,收集方式也由用户来控制。
√
When you create a new account in ZTRON, you need to
set the username and password for the new account;
√ When
you use your personal financial information (you could also use company financial information) to make payment to the third-party payment service provider
for purchasing applications through ZMART, the payment service provider will collect your financial information;
√ The
genomic data and other personal data processed by ZTRON for
bioinformatics analysis are collected and recorded into ZTRON by the users who purchase and use our products and the method of collection is also controlled by
the users.
当您使用我们的产品和服务时,ZTRON可能会接触和使用相关个人数据。这些数据可能包括:
When you use our Products and Services, ZTRON may access and use the related personal data. This data may include:
√ 创建账号涉及的数据【由您收集】:姓名(选填)、电话号码(选填)、客户名称(选填)、电邮地址(选填)、用户名和密码;
√ 购买应用涉及的数据【由第三方支付服务提供商收集】:纳税人号(公司/个人)、地址(公司/个人)、电话(公司/个人)、银行账号(公司/个人)。我们和支付服务提供商承诺均不储存用于支付的财务信息,包括纳税人号、地址、电话、银行账号;
√ 样本管理涉及的数据【由您收集】,例如基因数据、样本ID、DNB ID、孔板ID;
√ 生信分析涉及的数据【由您收集】,例如基因数据、样本ID、DNB ID、芯片ID、测序/分析结果;
√ 交付涉及的数据【由您收集】,例如基因数据、样本ID、DNB ID、测序/分析结果。
√ Information used for creating account [collected by you]: first name(optional), last name(optional), mobile number (optional), customer name (optional), email (optional), username and password;
√ Information used for purchasing applications [collected by third-party payment service providers]: taxpayer ID (company/individual), address (company/individual), phone (company/individual), bank account (company/individual). We and the payment service providers promise not to store the financial information, including taxpayer ID, address, phone and bank account;
√ Information related to sample management [collected by you], which could include genomic data, sample ID, DNB ID, plate ID;
√ Information related to bioinformatics analysis [collected by you], which could include genomic data, sample ID, DNB ID, flowcell ID, sequencing/analysis results;
√ Information related to delivery [collected by you], which could include genomic data, sample ID, DNB ID, sequencing/analysis results.
注意:除本手册及更新部分所声明收集的数据类型外,我们不会收集其他的任何敏感个人数据(如宗教或哲学信仰、性取向、政治观点等信息)。
Note: In addition to the personal data discussed in this
handbook and the updated section, we will not collect any other
sensitive personal data (such as religious belief, sexual orientation, political opinion).
ZTRON通常会基于以下目的处理非基因数据,每个目的所对应的法律基础如列表所示:
ZTRON processes non-genomic personal data for the following
purposes. The legal basis for each purpose is shown in the table below:
使用目的 |
涉及的个人数据 Personal data involved |
法律基础 |
创建新的ZTRON账号并绑定相关的身份验证信息。 Creating a new ZTRON account and binding with relevant authenticating information |
姓名(选填) 电话号码(选填) 客户名称(选填) 电邮地址(选填) 用户名 密码
First Name(Optional) Last Name(Optional) Mobile Number (Optional) Customer Name(Optional) Email (Optional) Username Password |
是否创建账号由用户即您来决定,用户是新创建账号的控制者,ZTRON仅提供用户创建账号所需技术手段,因此该处理目的的合法性基础由用户决定。
Whether or not to create an account is decided by the user, who is the controller of the account. ZTRON only provides technical measures required for the user to create an account, so the legal basis of this processing purpose is decided by the user. |
除了售后运维(您书面提出运维需求时,我们会基于您的授权进行问题处理,此时可能会访问到个人数据,仅在此场景下,我们会在您的授权范围内进行数据处理,成为数据处理者)之外,我们没有处理和使用个人基因数据以及对应的数据主体的其他个人数据的场景。基因数据由您来收集和处理,ZTRON为您管理(为基因数据分配样本ID、DNB ID、芯片ID)和处理(生信分析、生成报告)基因数据提供技术支持。
We do not have a scenario for processing and using genomic data or other personal data of
the data subject except for after-sales operation and
maintenance (In this case, you
put forward the operation and maintenance requests in written form, and we will deal with the problem based on your authorization. Personal data may be accessed by us at this
time. Only in this scenario, we will process the data within
your authorization and become a data processor).
Genomic data is collected and processed by you. ZTRON provides technical support for you
to manage (assigning sample
ID, DNB ID, flowcell ID for genomic data) and process (bioinformatics analysis, report
generation) genomic data.
ZTRON处理基因数据的目包括生信分析[1]和基因数据管理,您应合规处理和使用个人基因数据,包括但不限于当地的法律法规和欧盟通用数据保护条例。
ZTRON’s purposes of processing genomic data include bioinformatics analysis and genomic data management. You
should process and use personal genomic data in compliance with, including but not limited to local laws and regulations
and the EU GDPR.
除非得到数据主体的明确同意,否则我们不会与任何第三方共享个人数据。
Unless we obtain the explicit consent of data subjects, we
will not share any personal data with any third party.
我们可能会在执法部门、监管机构或其他政府机构需要时,或为遵守有效的法律要求(如法院命令)的情况下,进行个人数据传输或共享。我们不会在司法机构未出具有效法律文书前,向其提供个人数据。
We may transmit or share personal data at the request of law
enforcement agencies, regulatory agencies or other government agencies, or to meet legal requirements
(such as complying with a court order). We will not provide personal data without a valid legal document
provided by the judiciary.
您有义务遵循内部安全政策,以规范共享或传输个人数据行为。此外,在法律允许的情况下,您可以临时与技术支持人员进行数据访问共享。
You
are obligated to follow internal security policies for regulating the sharing or transmission of
personal data. In addition, you can temporarily share data access with technical support
staff if permitted by law.
目前我们尚未正式推出合作的应用供应商的应用产品,如上架了合作的应用供应商的产品,我们将及时更新我们当前使用的第三方服务列表,以及每个第三方服务提供商的隐私政策链接,并通知您查看。我们不会与以下第三方共享任何个人数据,我们建议您阅读他们的隐私政策,以便了解这些第三方服务提供商是如何处理个人数据的。
At present, we have not officially launched the application of the cooperative application supplier. If the application of the cooperative application supplier is listed, we will update the following Third-Party Service Table with third-party service providers’ privacy policy link in time and notify you to check it. We do not share any Personal Data to the below third parties, we recommend you read their privacy policies so you can understand the manner in which the personal data will be handled by these third parties.
第三方服务 |
目的和使用方式 |
第三方隐私政策链接 |
Oceanpayment |
提供付款方式,以便我们能够向您出售我们的产品和服务 |
https://www.oceanpayment.com/about-us-op/privacy-policy/ |
Third-Party Service |
Purpose and Use |
Link to Third-Party’s Privacy Policy |
Oceanpayment |
Provide payment method that allows us to sell our products and services to you |
https://www.oceanpayment.com/about-us-op/privacy-policy/ |
在某些情形下,基于不同的业务场景和法律基础,您可能会与以下几种类型的合作机构发生数据传输、共享行为:
In some situations, you
may transfer or
share your personal data with the following partners based on different business scenarios and legal
basis.
√
您的商业合作伙伴
√
政府机构
√
银行、清算机构
√
您使用的网络服务的提供商
√
第三方软件服务提供商(名单不定时更新)
√
Your business partners
√
Banks and clearing agencies
√
Providers of internet service that you are using
√
Third-party software service providers (this list
will be updated irregularly)
原则上,我们不会进行跨境数据传输。所有数据是否涉及跨境传输均由您控制。
In principle, we do not conduct cross-border data
transmission. Whether or not personal data will be transmitted to third
country is controlled by you.
[数据传输特殊警示]
但是,在一些场景下,可能会涉及跨境传输问题,如:
√ 为了响应您或数据主体的合法权利(咨询、投诉、举报)时;
√ 为配合境外执法部门、监管机构或其他政府机构的监管要求;
√ 其他经数据主体明确授权的情形。
[Special Alert for Data
Transmission]
However, in the following
circumstances, cross-border transmission may be involved:
√ To respond legitimate rights of you
or data subjects (such as inquiries, complaints and reports)
√ To meet the supervision requirements of foreign law enforcement agencies, regulatory agencies or other government agencies
√ Other situations which have clearly been authorized by data subjects
为将个人数据传输至第三方国家提供适当的保障,我们使用符合GDPR第44-50条的数据传输机制,例如通过:
(1)《欧盟委员会2004/915/EC号决定》、《欧盟委员会2010/87/EU号决定》、《欧盟委员会C(2021) 3972 final号决定》规定的标准合同条款;
(2)根据GDPR第46条规定的标准保护条款;
(3)根据GDPR第49条,跨境传输可能存在的风险请点击【Link】查阅。请在每次传输前,充分阅读理解传输场景以及可能造成的风险,再决定是否进行传输。
We use data transfer mechanisms compliant with Articles 44 -
50 of the GDPR, which provide appropriate safeguards for the transfer of personal data to a third
country, e.g. by
(i)
Standard contractual clauses according to EU
Commission decisions of 27 December 2004 (2004/915/EC) ,05 February 2010 (2010/87/EU) and 04 June 2021
(C(2021) 3972 final);
(ii) standard protection clauses according to Article 46
GDPR;
(iii) according to Article 49 of
GDPR, please click 【Link】 for the possible risks of cross-border transmission. Before each transmission, read and
understand the transmission scenarios and the risks they may pose before deciding whether to
transmit.
华大智造会采取措施确保我们依据本手册和适用法律的要求进行数据收集和处理。包括当位于欧盟的数据主体的个人数据被转移至不被欧盟认可的同等数据保护水平国家或地区时,我们会使用各种法律机制,如签署欧盟委员会批准的《标准合同条款》或请求数据主体对跨境转移个人数据的同意,或者在跨境数据转移之前实施数据匿名等安全举措。您可以通过点击此处获取欧盟《标准合同条款》的副本。
MGI will take steps to ensure that we
collect and process data in accordance with the requirements of this handbook and applicable laws, including when the data subject’s
personal data in the European Union is transferred to the countries or regions of which the equivalent
level of data protection have not been recognized by the European Union, we use a variety of legal mechanisms, such
as signing EU standard contractual clauses, obtaining consent for cross-border transfers of personal
data from data
subjects, or implementing
security measures like data anonymity prior to cross-border data transfers. You can obtain a copy of the
EU standard contractual clauses by clicking
here.
您可以通过联系dataprotectionofficer@mgi-tech.com 查询有关数据传输具体安全措施的进一步信息。
You may request further information about the safeguards implemented in relation to specific transfers by contacting dataprotectionofficer@mgi-tech.com
通常情况下我们并不存储任何个人数据。我们承诺在取得数据主体的合法授权后,只在为达到处理目的所需要的范围内储存个人数据,且符合法律规定存储期限要求。
Under normal circumstances, we DO NOT store any personal
data. We promise to store personal data only to the extent
necessary for our processing purposes after having obtained the legal authorization of data subjects. We will strictly meet the legal requirements for data
retention periods.
除非我们在数据收集前另有说明,否则如果个人数据(1)根据收集或以其他方式处理的目的或(2)为了遵守法律义务,不再需要保留,我们将删除相关个人数据。
Unless otherwise indicated at the time of collection, we
erase the personal data if the retention of that personal data is
no longer necessary(1)for
the purposes for which they were collected or otherwise processed, or(2)
to comply with legal obligations.
关于您通过ZTRON收集的个人数据,您应当根据法律要求和业务需求自行定义数据留存期,并在到期后将数据删除。我们为您提供了相应指南(具体详见Data Protection Guidance for Customers)。您可以使用ZTRON中的Data Governance功能,通过设置治理规则来定义留存期,并实现针对基因数据的到期删除;而针对非基因个人数据,您则可以在存储到期后使用User Management功能来进行删除。
Regarding the personal data you collect through ZTRON, you must determine the data retention period based on legal and business requirements, and delete the data after expiration. We have also provided corresponding guidelines for you (see "Data Protection Guidance for Customers" for details). ZTRON has the Data Governance function, you can set the retention period by setting governance rules, and realize the regular deletion of genomic data. For non-genomic personal data, you can use the User Management function to delete them after the storage expires.
临时数据的留存期限和处置:
Retention period and deletion method of temporary data:
系统在运行分析流程时会产生临时文件,只有持有操作系统账号的您的员工通过访问操作系统才可以访问到临时文件。
临时文件默认留存期是在分析流程运行期间,分析完成后,临时文件将被自动删除,删除技术请参见本手册“删除权”章节中“关于我们使用的物理删除技术”部分。除此之外,为了确保不再使用的临时文件一定被删除或被覆盖,每隔一个时间段,系统会调用安全删除命令自动执行清理分析产生的临时数据。
Temporary files are generated when the system runs the analysis process. Only your employees who have operating system accounts can access temporary files by accessing the operating system.
Regarding the deletion of temporary files, the default retention period of temporary files is during the operation of the analysis process. After the analysis is completed, the temporary files will be automatically deleted. For the deletion technique , please refer to the section “Right to erasure”-"Deletion technique we are using". In addition, in order to ensure that temporary files that are no longer used are indeed deleted or overwritten, the system will call the safe delete command to automatically clean up the temporary files at regular intervals.
我们不会直接向儿童提供产品或服务,也不会主动收集他们的个人数据。就本手册而言,儿童指未满16周岁(或在适用法律有所不同的情况下同意收集和处理个人数据的最低法定年龄)的任何个人,如果发现我们的产品或服务,在未经监护人或父母同意的前提下,无意中收集了儿童的数据,我们会按照所适用的法律尽快协助数据处理者或数据控制者采取必要措施进行处理。
We do not provide Products or Services directly to children
or proactively collect their personal information. Children means any individuals who is under the age
of 16(or the minimum legal age at which personal data is consented to be collected and processed where
applicable law differs). If we are aware that we have inadvertently collected personal information from
children without the consent of guardians or parents, we will assist data processors or data controllers to take
the necessary measures to deal with it as soon as possible in compliance with applicable
laws.
我们和您一样关注儿童的健康成长,同时也积极督促您在收集儿童的数据前,必须获得其监护人或父母的同意。如果您发现我们的产品或服务出现可能收集儿童的问题或漏洞,欢迎您根据本手册中提供的联系方式,协助我们解决该问题。
We share the same concerns for the healthy growth of children and actively urge you to obtain permission from guardians or parents before collecting children’s data. If you find any issue or vulnerabilities in our Products and Services relating to the data collection of children, please contact us according to the contact information provided in this handbook and assist us in resolving the issue.
根据GDPR规定,如果您在欧洲经济区、英国或者瑞士,您将享有以下权利:
According to the GDPR, if you are in the European Economic Area, the United Kingdom, or Switzerland, you will have the following rights:
本手册以及用户协议等文本会向说明我们使用的数据主体的个人数据的具体内容。另外,我们也要求您、您的合作伙伴等第三方向数据主体披露相关个人数据使用情况,以获得其合法授权。
This handbook, together with our Terms of Use, tells about the ways in which we
use the personal data of data subjects. In addition, we also request you and your partners to reveal the
use of personal data and to obtain legal authorization of data subjects.
由于ZTRON不直接面向数据主体收集个人数据,我们为您提供了实现知情权的指南及告知信息的模板(具体详见Data Protection Guidance for Customers),要求您在向数据主体收集个人数据时使用数据主体易于访问的方式向其传达必要的信息。
Since ZTRON does not directly collect personal data from data subjects, we provide you with guidelines for responding to the right to be informed and templates for information notice (see "Data Protection Guidance for Customers" for details), and when you collecting personal data from the data subject, we require you to inform necessary information to the data subject in an easily accessible way.
另外,在数据主体行使访问权之前,您可能会需要使用适当的验证程序对其主体身份进行验证,以符合数据安全要求。
Data subjects have the right to ask you
for copies of their personal information. According to laws and contract provisions, there are some exemptions and limitations in what
you can provide in response to such requests, which means they may not always receive all the personal information you
process. You
should inform data subjects if any exemption or limitation applies and its
impact.
In addition, before
data subjects exercising the right of access, you
may use appropriate procedures to verify
their identity as the data subject so as to meet data security
requirements.
If data subjects request access to their personal data, you can use the data warehousing function in ZTRON: export the personal data requested by the data subject to your local data center or other storage device in a readable format, and then deliver it to the data subject in a manner trusted by the data subject (for instructions on using ZTRON's data warehousing function, please refer to "ZTRON User Manual").
When data subjects find their personal data is inaccurate or incomplete, they have the right to ask you to correct personal data they think is inaccurate or incomplete. If data subjects request a rectification, they need to explain in detail why they believe the personal data you hold concerning them is inaccurate or incomplete so that you can assess whether a rectification is needed. You are required to respond to their request within a reasonable period of time and inform them of the rectification results or reasons why it cannot be rectified.
为了保证分析结果的严谨性,ZTRON仅提供修改与基因数据关联的其他个人数据以及用户数据的功能,而无法直接修改基因数据。若数据主体提出更正除基因数据外的其他个人数据的需求或用户提出了修改其账号数据的需求,您可以通过Edit/Delete Customer Information及Edit, Delete User功能对相关数据进行修改(具体请参见《ZLIMS User Manual》和《ZTRON User Manual》)。若数据主体对基因数据的生信分析的结果有疑问,可以建议为数据主体增加测试或更换分析方案。
In order to ensure the rigor of the analysis results, ZTRON only provides the function of modifying other non-gene personal data associated with genomic data and account information of ZTRON, and cannot modify genomic data directly. If the data subject proposes to correct other personal data other than genomic data or the user of ZTRON proposes to correct his/her account information, you can modify the relevant data through the Edit/Delete Customer Information and Edit, Delete User functions (for details, please refer to "ZLIMS User Manual" and "ZTRON User Manual" ). If data subjects have doubts about the results of the bioinformatics analysis of genomic data, you can suggest them to have add tests or change the analysis plan.
在某些情形下,数据主体有权要求您删除其个人数据。在适当情况下,您应当遵从数据主体的要求,并会在30天内予以执行,并通知其相应结果和理由。
Data subjects have the right to ask you to erase their personal information in certain circumstances. Where it is appropriate that you are required to comply, data subjects’ request will be fully implemented within 30 days and you will inform them of the corresponding results and reasons.
若数据主体提出删除其个人数据的需求,您可以使用ZTRON中的一般的单独删除功能、批量删除功能、数据治理功能以及用户管理功能来支持删除权。
对于基因个人数据的删除:
可以使用Sample管理功能中的Delete Single Sample功能来删除单个样本(具体使用指导请参见《ZLIMS User Manual》);
可以使用Sample管理功能中的Batch Delete Sample功能对样本实施批量删除(具体使用指导请参见《ZLIMS User Manual》);
可以使用Data Governance功能,通过设置治理规则来实现基因数据的定时删除(具体使用指导请参见《ZTRON User Manual》)。
对于非基因个人数据(如账户信息)的删除:
可以使用User Management功能来删除账户信息(具体使用指导请参见《ZLIMS User Manual》和《ZTRON User Manual》)。
If the data subject requests the deletion of their personal data, you can use the general single deletion function, batch deletion function, data governance function and user management function in ZTRON to support the right of deletion.
For deletion of genomic personal data:
You can use the Delete Single Sample function in the Sample management function to delete a single sample (for specific instructions, please refer to "ZLIMS User Manual");
You can use the Batch Delete Sample function in the Sample management function to delete samples in batches (for specific instructions, please refer to "ZLIMS User Manual");
You can use the Data Governance function to implement the regular deletion of genomic data by setting governance rules (for specific instructions, please refer to "ZTRON User Manual" ).
For the deletion of non-genomic personal data (such as account information):
You can use the User Management function to delete account information (for specific instructions, please refer to "ZLIMS User Manual" and "ZTRON User Manual").
关于ZTRON中使用的物理删除技术:
直接删除的情况下,底层程序会直接调用srm命令删除指定数据,系统将需删除的文件用随机数据或0值覆盖文件所在的数据块。定时删除的情况下,当用户在系统配置了周期删除数据规则后,底层程序会在预定时间时,调用srm命令删除指定数据,系统将需删除的文件用随机数据或0值覆盖文件所在的数据块,达到从磁盘彻底清除数据的目的。
删除的日志记录:
ZTRON对任何删除操作都会进行日志记录,日志会记录删除操作的时间、操作者、文件名称、路径、文件属性,日志不会记录已删除数据的内容。
Deletion technique used in ZTRON:
In the case of direct physical deletion, the underlying program will directly call the srm command to delete the specified data, and the system will overwrite the data block where the specified data is located with random data or a value of 0. In the case of regular deletion, when the user configures the periodic deletion data rule in the system, the underlying program will call the srm command to delete the specified data at a predetermined time, and the system will overwrite the data block where the specified data is located with random data or a value of 0. To achieve the purpose of completely erasing data from the disk.
Log of Deletion:
ZTRON will log any delete operation. The log will record the time of the delete operation, the operator, the name, path, and file attributes of the deleted file. The log will not record the content of the deleted data.
在某些情形下,数据主体有权要求您限制处理其个人数据。例如,当担心与其相关的个人数据的准确性或使用方式,数据主体可以要求限制您使用其个人数据的方式。
另外,当您发现处理数据主体的个人数据缺乏法律基础时,您应当尽可能立即停止处理这些个人数据,并将处理结果及时通知到数据主体和相关方。
Data
subjects have the right to ask you
to restrict the processing of their personal information in certain circumstances. For example,
when worrying about the accuracy of their
personal data or how their personal data will be
used, they can request that you
limit the way in which you
use their personal data.
In addition, when you find your data processing lacks legal bases, you should, to the best of your abilities, stop the data processing immediately and inform data subjects and relevant parties of the result.
ZTRON没有直接支持限制处理权的功能,但是若数据主体提出限制处理其个人数据的请求,您可以通过ZTRON中的一般的单独删除功能、批量删除功能、数据治理功能以及用户管理功能来删除相关个人数据以达到限制处理的目的。
ZTRON does not have the function which could directly support restricting processing, but if the data subject requests to restrict the processing of their personal data, you can delete relevant personal data with the single deletion function, batch deletion function, data governance function and user management function in ZTRON to achieve the purpose of restricting processing.
数据主体有权获得其提供给您的个人数据,也有权要求您将其个人数据传输给另一个机构,若数据主体已经明确同意,或者履行协议所必需的,或者处理是通过自动方式进行的。
Data subjects have the right to receive their personal information which they have provided to you. They also have the right to have you send their personal information to another organization where your lawful basis for the processing is their consent, or where the processing is necessary for the performance of an agreement and the processing is carried out by automated means.
若数据主体提出转移数据给其他控制者的需求,您可以将数据主体要求访问的个人数据以可读的和数据主体要求的格式导出至您的本地数据中心或其他存储设备,后以数据主体信赖的方式交给数据主体或数据主体要求的其他控制者(ZTRON的入仓功能的使用指导请参见《ZTRON User Manual》)
If the data subject requests the transfer of data to other controllers, you can export the personal data requested by the data subject to your local data center or other storage device in a readable or data subject required format, and then deliver it to the data subject or other controllers required by the data subject in a manner trusted by the data subject (for instructions on using ZTRON's data warehousing function, please refer to "ZTRON User Manual").
在某些情形下,数据主体有权反对您处理其个人信息。在适当的情况下,您应遵照数据主体的要求,停止处理其个人数据或者告知其无法处理的理由。
Data subjects have the right to object to the processing of their personal information in certain circumstances. Where it is
appropriate that we comply with their request, we will stop processing their information for the use they have objected to or
inform them of the reasons why we cannot comply with their request.
若数据主体提出反对处理其个人数据的请求,您应根据相应请求停止对这些个人数据进行处理,或通过ZTRON中的一般的单独删除功能、批量删除功能、数据治理功能以及用户管理功能来删除相关个人数据以达到停止处理的目的。
If the data subject requests to object the processing of their personal data, you should stop processing the personal data according to the request, or use the single deletion function, batch deletion function, data governance function and user management function in ZTRON to delete relevant personal data to achieve the purpose of stopping processing.
ZTRON不具备用户画像和自动决策的功能。
ZTRON does not have the function of automated decision-making including profiling.
在某些情形下,数据主体有权撤销其同意授权。撤销同意并不影响在同意基础上完成或者正在进行的处理的合法性,直到撤销为止。
Data subjects have the right to withdraw their previous consent in certain circumstances. This will not affect the legality of processing that is ongoing or completed on the basis of that consent until the consent is withdrew.
若数据主体撤回其同意,您应当停止使用ZTRON对这些基于同意收集的个人数据进行处理;但该撤回同意的决定,并不影响此前您基于数据主体的同意或授权而使用ZTRON开展的个人数据处理行为。
If the data subject withdraws his consent, you should stop using ZTRON to process the personal data that collected based on the consent; however, this will not affect the lawfulness of your processing up to that point.
我们已经采取了广泛的技术和组织措施,以保护数据免受可能的危险,如防止未经授权的访问、未经授权的修改或分发,损害、破坏或滥用行为的发生。我们也会定期分析数据处理过程,评估安全政策,以确保其有效性和安全性与行业标准并行。
In order to protect the personal data from potential risks, such as unauthorized access, unauthorized modification or distribution, damage or abuse of use, we have adopted extensive technical and organizational measures. We also regularly analyze data processing processes and evaluate security policies used to ensure that their effectiveness and safety are parallel with industry standards.
我们使用加密技术,确保数据在静态/动态时得到完善的保护,确保数据的保密性。
我们有能力确保处理系统和服务的持续机密性、完整性、可用性和弹性;
我们有能力应对物理或技术事件,我们使用备份和热备份机制来提高系统可用性。
为了更好地满足 GDPR 合规要求并保护个人数据,我们积极主动地启动了 GDPR 合规计划。我们还改进和建立了包括 DPO(数据保护官)在内的数据安全委员会。该委员会是一个基于问责制的框架,可促进个人数据保护,并确保我们的运营符合欧盟和中国对个人数据保护的要求。
To better meet GDPR compliance requirements and protect personal data, we have launched a GDPR compliance program positively and proactively. We also improve and develop the data security committee which includes DPO (Data Protection Officer). The committee is an accountability-based framework that facilitates personal data protection, and to ensure that our operations meet the EU and China’s requirements for personal data protection.
另外,我们也采取了以下个人数据保护措施:
(1)自设计开始的数据保护
我们制定了适用于产品/系统等的内部 PbD 政策,以从项目开始促进隐私和数据保护在整个生命周期的合规性。 具体来说,我们制定了一个实用的工作计划来评估和改进当前流程,如下所示:
• 隐私影响评估 (PIA):评估当前整个产品开发生命周期中的隐私控制,并识别数据隐私方面的合规差距和风险;
• PbD 建议报告:不断增强和更新隐私控制以应对新的风险和法规要求。
In addition, we have also implemented the following corporate practices in personal data protection:
(1) Privacy by Design
We have lay down an internal PbD policy, which applies to product/ system engineering that promotes privacy and data protection compliance from the beginning of project and throughout the entire lifecycle. Specifically, we develop a practical work plan to assess and improve current processes as shown below.
我们也在ZTRON的设计阶段对其进行了隐私风险影响评估,评估发现其存在以下风险:基因数据进行一级分析(将测序结果从cal文件转换为fastq格式)时无法加密,以及生信分析这种尚在发展的新技术可能会对数据主体造成未知的影响。相应地,我们也采取了风险消减措施:对除一级分析外的其他数据处理行为中使用的数据进行加密,实施严格的访问控制措施,对所有数据处理行为进行日志记录;并建立完善的数据处理原则,采取足够的技术和组织措施,以在最大程度上减少可能对数据主体造成的影响。
We also conducted a privacy risk impact assessment on ZTRON during the design phase, and the assessment found that it has the following risks: genomic data cannot be encrypted during primary analysis (Converting sequencing results from cal file to fastq format); and bioinformatics analysis, a new technology still under development, may cause to data subjects unknown implied impact. Correspondingly, we have also taken risk mitigation measures, such as encrypting data processing phases other than the primary analysis, implementing strict access control measures, logging all data processing operations, and establishing complete data processing principles, and adopting technical and organizational measures to minimize the possible impact on the data subject.
(2)数据泄露事件响应
我们制定了内部数据泄露事件响应政策来指导我们如何响应数据泄露,以满足法律和数据保护机构的要求。 具体来说,我们建立了一个流程来管理事件,如下所示:
• 识别和初步评估
• 遏制和恢复
• 风险评估(包括对个人数据主体的风险和对公司的风险)
• 通知和报告
• 事后管理和评估
(2) Data breach incident response
We have formulated an internal data breach incident response policy to guide us on how to respond to data breaches in order to meet the requirements of laws and data protection authorities. Specifically, we develop a process to manage incidents as shown below.
对ZTRON而言,我们为其制定了事件响应框架和维护计划,以在设备交付使用后对其进行相关支持和维护,并对安全漏洞或针对ZTRON内部网络的攻击等安全事件进行处理和管理。
事件响应框架如下:
维护计划如下:
For ZTRON, we have formulated an incident response framework and maintenance plan to support and maintain the equipment after it is delivered to use, and to handle and manage security incidents such as security vulnerabilities or attacks on ZTRON's internal network.
The incident response framework is as follows:
The maintenance plan is as follows:
(3)隐私通知
我们尊重并重视数据主体的隐私。 因此,我们起草了一份详细的隐私通知,以帮助数据主体了解我们的隐私政策和责任。 数据主体可以在我们的网站上找到我们的隐私政策。 我们致力于尊重每个人的隐私并保护我们处理的个人数据。
(3) Privacy Notice
We respect and values data subjects’ privacy. Accordingly, we have drafted a detailed privacy notice to help data subjects understand our privacy policy and responsibility. Data subjects can find our privacy policy in our website. We are committed to respecting each person’s privacy and protecting the personal data we handle.
对ZTRON而言,我们撰写了本隐私安全说明手册以告知用户与ZTRON相关的隐私保护事项,并为其提供了数据保护指南及告知信息的模板(具体详见《Data Protection Guidance for Customers》),要求我们的用户在向数据主体收集个人数据时使用数据主体易于访问的方式向其传达必要的信息。
For ZTRON, we have written this ZTRON Privacy and Security Handbook to inform users of the privacy protection matters related to ZTRON, and provide users with data protection guidelines and information notification templates (see "Data Protection Guidance for Customers" for details). Users should notice the necessary information to the data subject in a way that the data subject is easily accessible, when collecting personal data from the data subject.
对于ZTRON我们制定了Data Protection Policy指导数据保护措施的落实(包括技术和组织措施)请见《Data Protection Policy》。
For other security measures(including technical and organizational measures) we have adopted, please refer to the Data Protection Policy.
我们要求您严格遵守华大智造的数据保护规则,以及相关数据保护法规,包括但不限于要求您在进行数据收集、处理前,取得个人的合法授权。同时,我们也将督促您持续履行该义务。
硬件维保 Hardware maintenance
通常情况下,硬件维保(如硬件更换等)是由第三方硬件供应商提供的,我们已与硬件供应商明确约定相关的数据安全保护义务,确有必要的话,我们会要求他们签署安全供应商协议,以符合华大内部的数据安全标准。对于因硬件供应商运维问题导致的数据泄露事故,应由该供应商最终承担。
Under normal circumstances, hardware maintenance services (such as hardware replacement) is provided by third-party hardware suppliers. We have already agreed on the relevant data security protection obligations with hardware suppliers. If necessary, we will require them to sign a security supplier agreement to comply with MGI’s internal data security standards. Data breaches caused by issues with the hardware supplier's operation and maintenance shall be borne by the supplier.
ZTRON历经了概念阶段(2020.01-2020.02)、设计阶段(2020.01-2020.03)、开发阶段(2020.02-2020.05)、测试验证阶段(2020.02-2020.6)和发布阶段(2020.6),具体流程图如下所示:
ZTRON has gone through the concept phase (2020.01-2020.02), design phase (2020.01-2020.03), development phase (2020.02-2020.05), test verification phase (2020.02-2020.6) and release phase (2020.6). The specific flowchart is as follows:
产品研发后会经过三类测试以保证ZTRON的功能(包括隐私保护所使用到的功能)、性能及安全性符合需求。
After product development, it will go through three types of tests to ensure that ZTRON's functions (including the functions used for privacy protection), performance and security meet the requirements.
测试范围 Test Scope |
测试目的、内容 Test Purpose and Content |
测试结果 Test Results |
功能测试 Function test |
测试目的:测试产品本身的功能
测试内容:订单管理、样本管理、芯片进度、生产管理、生产任务、仪器监控、报告管理、基础配置、系统管理、系统主页、与MGI-SDK对接、流程、样本QC、业务数据管理、权限管理、分析任务、数据治理、我的数据、交付管理、我的应用、资源管理、应用市场客户端、应用市场管理端等。
Test purpose: test the function of the product
Test content: order management, sample management, chip progress, production management, production tasks, instrument monitoring, report management, basic configuration, system management, system homepage, docking with MGI-SDK, process, sample QC, business data management, authority management , Analysis tasks, data governance, my data, delivery management, my application, resource management, application market client, application market management terminal, etc. |
产品符合设计的功能需求 Products meet functional requirements |
浏览器兼容性测试 Browser compatibility test |
测试目的:测试产品在各浏览器下是否能正常使用
测试内容:使用Chrome与Safari浏览器访问产品,检查各页面的显示及功能按钮。
Test purpose: test whether the product can be used normally under different browsers
Test content: Use Chrome and Safari browsers to access the product, check the display and function buttons of each page. |
产品兼容Chrome与Safari浏览器 The product is compatible with Chrome and Safari browsers |
易用性测试 Easy of use test |
测试目的:产品是否方便使用
测试内容:页面风格一致性、易浏览性、易操作性。
Test purpose: whether the product is easy to use
Test content: page style consistency, ease of browsing, and ease of operation. |
系统页面风格用语一致、界面简洁易懂、操作简单易用 The system page style and language are consistent, the interface is simple and easy to understand, and the operation is simple |
性能测试 Performance testing |
测试目的:测试产品页面性能、应用性能
测试内容:根据各性能场景测试响应时间;根据各流程测试消耗内存、平均耗时。
Test purpose: test product page performance, application performance
Test content: Test response time according to each performance scenario; test memory consumption and average time consumption according to each process. |
产品性能符合预期满足需求 Product performance meets expectations and meets demand |
安全性及隐私保护测试 Security and privacy protection test |
测试目的:测试产品的安全配置是否符合需求,测试功能是否符合隐私保护需求
测试内容:登录访问、传输加密、日志、安全扫描;根据GDPR隐私保护要求逐一检查功能是否满足需求。
Test purpose: test whether the security configuration of the product meets the requirements, and whether the test function meets the privacy protection requirements
Test content: login access, transmission encryption, log, security scanning; according to GDPR privacy protection requirements to check whether the functions meet the requirements one by one. |
产品的安全性符合预期满足数据安全与隐私保护需求 Product security meets expectations and meets data security and privacy protection requirements |
测试使用动植物基因数据以及网络上已公开的人类基因数据片段作为测试数据,最后阶段测试结束后,测试人员将清理所有ZTRON上的测试数据。
The test uses animal and plant genomic data and human genomic data fragments that have been published on the Internet as the test data. After the final stage of the test, the tester will clean up all the test data on ZTRON.
ZTRON的服务器上设有USB接口,该USB接口主要用于以下用途:
(1)可供您用于传递数据;
(2)系统离线升级时,您可使用USB接口访问系统软件;
(3)在维修升级时供维修人员使用。
USB的使用由您根据自身安全规范进行管理,但我们建议您在使用USB时:
(1) 总体上不建议您使用USB进行数据传递;如需使用时,您需采取适当的措施(如加密)保证ZTRON和USB媒体上的数据安全;
(2) 将USB分类并存储在仅有安全政策中授权的人员才能访问的地方;
(3) 对USB的进入、退出进行管理,包括维护介质进入、退出登记表。介质进入登记表中应包含介质种类、介质序列号、存储的信息类型;如果介质被寄出,还应记录其被寄出的日期、时间、发件人、使用的传送方式、接收人;如果介质是内部创建的,应记录创建日期、时间、创建人、登记人。介质退出登记表应包含已退出的介质的种类信息、介质的序列号、介质上存储的信息种类、发送的时期时间、收件人、使用的传送方式、负责接收介质的人员。
另外,若您不再使用ZTRON或储存了ZTRON中个人数据的介质,我们建议您以安全的、数据无法被还原的方式处置这些设备,确保在处置这些设备之前已删除所有个人数据。
The ZTRON server is equipped with a USB interface, which is mainly used for the following purposes:
(1)Can be used by you to transmit data;
(2)When the system is upgraded offline, you can use the USB interface to access the system;
(3)It is used by maintenance personnel during maintenance and upgrade.
The use of USB is managed by you according to your own safety regulations, but we recommend you when using USB:
(1) In general, it is not recommended that you use USB for data transfer. If it is need to be used, you need to take appropriate measures (such as encryption) to ensure data security on ZTRON and USB medium;
(2) Classify and store USB medium in a place where only authorized personnel in the security policy can access;
(3) Manage the entry and exit of USB media, including maintaining media entry and exit register. The media entry register should include kind of medium, serial number of the medium, the type of information stored. If it has been sent in: the date and time of the sending of the medium, the sender, the means of delivery used, and the person responsible for receiving the medium (i.e., the person who signed for receipt). Or if it has been created in-house, the date and time of its creation, the person creating the medium (i.e., who entered or copied the data onto it), and the person who logged the medium in the register. The media exit register form should include the information on the kind of medium that was sent out, the serial number of the medium, the type of information stored on it, the date and time it was sent out, the consignee, the means of delivery used, and the person responsible for receiving the medium.
In addition, if you no longer use ZTRON or the medium that stores personal data in ZTRON, we recommend that you dispose of these devices in a safe and unrecoverable way, and ensure that all personal data is deleted before disposing of these devices.
本手册生效日期:2020年9月1日
最新修订日期:2020年9月1日
Effective date: September 1, 2020
Last version date: September 1, 2020
[1] Bioinformatics analysis is the analysis of biological data, particularly DNA, RNA, and protein sequences. The application fields include maternal and child health, tumor research, infection research, drug research and development, population genome research, single cell research, DNA feature analysis, genetic disease research, ancestral identification, etc. (生物信息分析时对生物数据,尤其是DNA、RNA和蛋白质序列的分析。其应用领域包括母婴健康、肿瘤研究、感染研究、药物研发、群体基因组研究、单细胞研究、DNA特征分析、遗传性疾病研究、祖源鉴定等)