Revised November 2020
General — Who We Are
ATCC is a wholly owned, nonprofit subsidiary of International Bioresources Group ("IBG"), a nonprofit, 501(c)(3) corporation. We are not a government agency.
In all cases, we are committed to protecting the privacy of individuals in accordance with global privacy laws, including the EU General Data Protection Regulation 2016/679/UE (“GDPR”). Privacy statements begin with a description of the activities and individuals to which that statement applies. Statements may vary by country, region, or ATCC business group. Under the GDPR, ATCC is the controller of the personal data EEA data subjects provide to us either online or offline. Please make sure you read these descriptions carefully so that you can view the disclosures that apply to you based on how you interact with us and where you are located.
Across all of our business activities, ATCC seeks to base our privacy practices on accepted principles utilized by various research, academia, industry, and regulatory groups. In summary, these principles are as follows:
- Lawfulness and Transparency: To process data lawfully, fairly, and in a transparent manner in relation to the (“data subject”).
- Data Minimization: To collect and further process only the personal data necessary to achieve the purposes for which it was collected, in such a way that all data collected should be adequate, relevant, and limited to what is necessary in relation to these purposes.
- Data Quality: To process personal data that is, taking into account the purposes for which it was collected, accurate, complete, and up to date.
- Integrity and Confidentiality: To process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Purpose Limitation: To use personal data only in accordance with the explicit and legitimate purposes that were specified before it was collected, and not further processed in a manner that is incompatible with those purposes.
- Openness: To be open about privacy practices, policies, and developments, and the details of any processing that takes place.
- Individual Participation: To respond to data subjects’ requests to know what personal data is being processed and guide how that data should be processed, as required by applicable law.
- Accountability: To be accountable for complying with measures that give effect to these privacy principles.
How We Collect Information
Information You Actively Submit. If you create an account, order products, register for services, or otherwise submit data using the Online Services, we collect information about you and the company or other entity you represent (eg, your name, organization, address, email address, phone number, fax number). You may also provide information specific to your interaction with the Online Services, such as payment information to make a purchase, shipping information to receive a purchase, or a resume to apply for employment. In such instances, the personal data collected by us is data you have actively submitted to us through the Online Services.
Information Passively Submitted. We automatically collect information during your use and navigation of the Online Services, including the URL of the website you came from, the browser software you use, your Internet Protocol (IP) address, IP ports, date/time of access, pages visited, amount of time you spend on the Online Services, and information about actions and transactions conducted on the Online Services.
Use of “Cookies” to enhance and customize your experience of the Online Services. A cookie is a small text file that may be stored on your computer or device used to access the Online Services. You may set your browser software to reject cookies but doing so may prevent us from offering conveniences or features on the Online Services. To reject cookies, refer to information about your specific browser software. We also use eTags, which are opaque identifiers assigned by a web server to specific versions of a resource found at a URL. If the resource at that URL changes, a new and different eTag is assigned. This allows us to track which pages you visit while on the Online Services. In addition, we use electronic images known as web beacons (also called pixel tags or clear GIFs) to track users who have visited the Online Services. Web beacons allow us to deliver content and marketing communications tailored to your interests. We strive to provide a customized, personalized experience to website visitors.
Statements may vary by country, region, or ATCC business group. Visitors located in the European economic region should consult the Cookie notice displayed on the website they are accessing to manage their cookie settings.
How We Use the Information Collected
We collect and process your personal identifying information for the purposes listed below. We rely on another authorized legal bases, including but not limited to the performance of a contract, compliance with our legal obligations, or the pursuit of our legitimate interests (to operate, administer, and improve our Site and Online Services as well as provide you with content you access and request) to collect and further process your personal identifying information, where your rights and freedoms as EEA data subjects do no prevail over our legitimate interests. In some case we may ask for your consent to process your personal data for some of these purposes.
We may use your personal data alone, or when aggregated with other information, for a variety of purposes as described below:
- Account Set-Up and Service
- Communications about Products and Services
- Site Improvement
- Enforcement of ATCC Policies
- Compliance with Regulatory Requirements and Applicable Laws
- Compliance with Our Obligations as a Government Contractor
- Customer Notifications
- Other Purposes, as disclosed at the time the information is collected
- Notwithstanding the forgoing uses, résumé or CV information will be used to evaluate your candidacy for a job opening or for qualification as it relates to Bio-Safety Level material handling.
We may combine the personally identifiable information you provide to ATCC with other information about you that is available to us, including non-personally identifiable information and information from third parties.
How We Share the Information We Collect
We will not disclose your personal data to third parties, except in the following circumstances and in accordance with applicable law:
- With your consent.
- To our global subsidiaries, divisions, and groups worldwide and third-party service providers, who act on our behalf and instructions to fulfill product orders, deliver services, provide IT support, and fulfill the other purposes set forth above. A list of our subsidiary companies currently working within our corporate group is available here.
- To our affiliate, partners, and service providers, in the application of the agreement entered with them and where applicable with you and in order to improve our and their products, services, and business practices.
- As required by applicable law, including, without limitation, in response to any government or regulatory agency request, to cooperate with law enforcement investigations, or upon receipt of any court order.
- To a prospective or actual purchaser or seller in the context of a merger, acquisition, or other reorganization or sale of our business or assets.
- To courts and public authorities to protect you, us, or third parties from harm, including fraud or instances where somebody’s physical safety is at risk.
We may also share your information with our third-party service providers (including contractors and distributors) to validate your payment information, to prevent fraud, to fulfill your order, and to perform other activities related to sales of ATCC products and services. We may share personally identifiable information of individuals submitting résumés or making inquiries concerning employment with other ATCC affiliates and third-party service providers for the purpose of conducting employment evaluation. Third-party service providers to whom we supply your personally identifiable information may use this information only to provide ATCC with a specific service provider pursuant to the terms of the contract entered into with this service provider and not for any other purpose. ATCC does not make its customer lists available for sale to third parties.
Materials deposited with us or purchased from us through our patent depository services are subject to special disclosure requirements. For individuals depositing material with us under our patent depository services, information related to such a deposit will be maintained in compliance to the Code of Federal Regulations (CFR) Title 37. Once a patent has been issued for the material included in the deposit, we are required to make the material that is the subject of the patent available to the public and may be required to supply certain personally identifiable information about the depositor to the public. For individuals purchasing material that was deposited as a patent deposit, we are required to share certain personally identifiable information about the purchaser with the depositor
Certain other materials deposited with us are subject to special disclosure requirements established by the depositor. For individuals purchasing material deposited with us for resale that is subject to such disclosure requirements, we may be required to share your personally identifiable information with the depositor. If such requirements exist for a particular deposit, you will be notified of these terms and will be asked to agree to them before your order is fulfilled.
International Transfers of Personal Data
Your personal data may be collected, transferred to, and stored by us in the United States and by our affiliates and third parties disclosed in the “How we share the information we collect” section above, that are based in countries not located within the European Economic Area, which may not provide for an adequate level of personal data protection.
Therefore, your personal data may be processed outside your jurisdiction and in countries that are not subject to an adequacy decision by the European Commission or your local legislature or regulator, and that may not provide for the same level of data protection as your jurisdiction, such as the European Economic Area. We ensure that the recipient of your personal data offers an adequate level of protection and security, for instance, by entering into the appropriate contractual arrangements and, if required, standard contractual clauses for the transfer of data as approved by the European Commission and where applicable completed by additional safeguards. You can obtain ask more detailed information about the transfer of personal data in contacting our DPO at the details specified in the “Contacting us” section below.
How Long Do We Keep Your Personal Data?
Your personal data shall not be retained beyond the necessary retaining period for achieving the purposes for which it was collected. We may retain your personal identifiable information for a period of time consistent with the original purpose of collection (see the “how we use the information collected” section, above) or as long as required to fulfill the purposes for which they are collected and further processed and for compliance of our legal obligations. We determine the appropriate retention period for personal identifiable information on the basis of the amount, nature, and sensitivity of the personal identifiable information being processed, the potential risk of harm from unauthorized use, or disclosure of the personal identifying information, whether we can achieve the purposes of the processing through other means, and on the basis of applicable legal requirements (such as applicable statutes of limitation).
We will retain your personal information for a period of time that enables us to:
- Maintain business records for analysis and/or audit purposes.
- Comply with record retention requirements under the applicable laws.
- Defend or bring any existing or potential legal claims.
- Deal with any complaints.
- Enforce our commercial agreements.
We will archive your personally identifiable data when it is no longer required for these purposes and deleted them as soon as their retention is not necessary anymore.
After expiry of the applicable retention periods, your personal identifying information will be either archived with access limited only to the authorized individuals who might need to access the archived data or deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will implement appropriate measures to prevent any further use of such data.
For more information on data retention periods, please contact us by using the information in the “Contacting Us” section, below.
EEA Data Subjects Rights
EEA data subjects have rights over the processing of their personal data. Subject to an explicit request and to justifying their identity, EEA data subjects have a right of access, rectification, and opposition in connection with their personal data, as well as a right to deletion of their personal data, under the terms of the GDPR, by addressing their requests to ATCC using the contact details provided in the “Contacting Us” below. They also have a right to portability of their personal data.
Where they use their right to oppose to the processing, ATCC shall stop the processing of this data subject personal data, except where ATCC has legitimate and compelling reasons for processing, or for the purpose of ascertaining, exercising, or defending its legal rights. If necessary, ATCC will inform such data subjects of the reasons why the rights they exercised cannot be satisfied in whole or in part.
Our Sites are not directed at children. We do not knowingly collect personal identifying information from children under the age of 16. If you are a parent or guardian and believe your child has provided us with personal identifying information without your consent, please contact us by using the information in the “Contacting us” section below, and we will take steps to delete their personal identifying information from our systems.
ATCC implements all necessary technical and organizational measures in order to ensure the security and confidentiality of personal data collected and processed and, particularly, to prevent the data from being distorted, damaged, or communicated to unauthorized third parties by ensuring an appropriate level of security with regards to the risks associated with the processing and the nature of the personal data to be protected, taking into consideration the technological complexity and cost of implementation.