Harvard Bioscience, Inc. (“We”) are committed to protecting and respecting your privacy.

This policy (together with our terms of use and any other documents referred to on it) sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your Personal Data and how we will treat it. Before using our website you are required to give specific consent to the processing of your Personal Data for the purposes set out under section “Uses made of the information” which you have done by checking the data processing consent box on our website.

Definitions

“Applicable Law” means (a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a Party is a subject and/or in any jurisdiction that the Master Agreement is performed in; (b) the common law and laws of equity as applicable to the Parties from time to time; (c) any binding court order, judgment or decree; (d) any applicable industry code, policy or standard; (e) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a Party or any of that Party’s assets, resources or business;

“Data Protection Laws” means any Applicable Law relating to the processing, privacy, and use of Personal Data, including (a) in the United Kingdom, (i) the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive) or Directive 2002/58/EC (ePrivacy Directive); and/or (ii) the General Data Protection Regulation (EU) 2016/679 (GDPR), and/or any corresponding or equivalent national laws or regulations (Revised UK DP Law) (b) in member states of the European Union, the Data Protection Directive or the GDPR, once applicable, and the ePrivacy Directive, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and (c) any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority;

“Data” means information which is stored electronically, on a computer, or in certain paper-based filing systems; “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and where referred to in this policy includes special categories of Personal Data.

Information we collect from you

We will collect and process the following Data about you:

Information you give us. This is information about you that you give us by filling in forms on www.harvardbioscience.com (“our site”) or by corresponding with us by phone, email or otherwise. It includes information you provide when you register to use our site, subscribe to our service, participate in discussion boards or other social media functions on our site, and when you report a problem with our site. The information you give us may include your name, address, email address and phone number, financial and credit card information, personal description and photograph.
Information we collect about you. With regard to each of your visits to our site we will automatically collect the following information:
o Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
o Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number.
Information we receive from other sources. This is information we receive about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data if we intend to share those data internally and combine it with data collected on this site. We will also have told you for what purpose we will share and combine your data. We are working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies). We will notify you when we receive information about you from them and the purposes for which we intend to use that information.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyze data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

List of cookies we collect

The table below lists the cookies we collect and what information they store.
COOKIE name
COOKIE Description
_ga
used to distinguish users
_gid
used to distinguish users
_gat
used to throttle request rate
wp-session
wordpress session cookie
DrupalVisitorMobile
drupal tracking cookie
s_cc
to determine if cookies are enabled
s_sq
information about the previous link that was clicked on by the user

Uses made of the information

We use information held about you in the following ways:

1. Processing of an inquiry form completed by you;
2. Processing a request for a catalog or expressing an interest in one or more of our products;
3. Providing your information to our marketing department who may contact you by post, telephone or email to request feedback and comments on our services or to provide information to you which may be of interest to you;
4. Providing your information to our agents and service providers for the purposes set out in 3 above;
5. If applicable, processing your application for employment in which case we shall retain a copy of your CV in case of suitable future opportunities.

Information you give to us. We will use this information:

1. To carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
2. To provide you with information about other goods and services we offer that are similar to those that you have already purchased or inquired about;
3. To provide you, or permit selected third parties to provide you, with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (email or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this. If you do not want us to use your data in this way, or to pass your details on to third parties for marketing purposes, you will be able to withdraw your consent by contacting our Compliance Team;
4. To notify you about changes to our service; and
5. To ensure that content from our site is presented in the most effective manner for you and for your computer.

Information we collect about you. We will use this information:

1. To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
2. To improve our site to ensure that content is presented in the most effective manner for you and for your computer;
3. To allow you to participate in interactive features of our service, when you choose to do so;
4. As part of our efforts to keep our site safe and secure;
5. To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and
6. To make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
7. Information we receive from other sources. We will combine this information with information you give to us and information we collect about you. We will use this information and the combined information for the purposes set out above (depending on the types of information we receive).

Disclosure of your information

You agree that we have the right to share your personal information with selected third parties including:

1. Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
2. Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we will provide them with aggregate information about our users (for example, we may inform them that 500 men aged under 30 have clicked on their advertisement on any given day). We may also use such aggregate information to help advertisers reach the kind of audience they want to target (for example, women in SW1). We may make use of the Personal Data we have collected from you to enable us to comply with our advertisers’ wishes by displaying their advertisement to that target audience;
3. Analytics and search engine providers that assist us in the improvement and optimization of our site;
4. Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.

We will disclose your personal information to third parties:

1. In the event that we sell or buy any business or assets, in which case we will disclose your Personal Data to the prospective seller or buyer of such business or assets.
2. If Harvard Bioscience, Inc. or substantially all of its assets are acquired by a third party, in which case Personal Data held by it about its customers will be one of the transferred assets.
3. If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of Harvard Bioscience, Inc, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

Where we store your Personal Data

All information you provide to us is stored on secure servers. Any payment transactions will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

Your rights

You have the right to ask us not to process your Personal Data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Data to these websites.

Access to information

The Data Protection Laws give you the right to access information held about you. Your right of access can be exercised in accordance with the Data Protection Law. You also have the right to rectify Personal Data where it is no longer correct. If you wish to do so please contact us as set out below.

Right to Lodge a Complaint with Information Commissioner’s Office (“ICO”)

If you have any complaints about the way in which we process your Personal Data please do contact us, as set out below. Alternatively you have the right to lodge a formal complaint with the ICO.

Changes to our privacy policy

Any changes we make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy policy.

Contact

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to our Compliance Team.

Harvard Bioscience Privacy Shield Policy

1.1 Everyone has rights with regard to the way in which their personal data in handled. During the course of our activities we will collect, store and process personal data about our employees, customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.
1.2 Harvard Bioscience, Inc. and Data Science International, Inc. comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Harvard Bioscience Inc. and Data Science International, Inc. have certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/
1.3 Data users are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.

2. About this policy

2.1 The types of personal data that Harvard Bioscience and its’ affiliates may be required to handle include information about current, past and prospective job applicants, employees, contractors, suppliers, customers and others that we communicate with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act 1998 (“DPA”) and the General Data Protection Regulation (“GDPR”) and other regulations.
2.2 This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
2.3 This policy does not form part of any employee’s contract of employment and may be amended at any time.
2.4 This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.

3. Definition of data protection terms

3.1 “biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
3.2 “consent” means consent given by the data subject which is freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
3.3 “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
3.4 “data” means information which is stored electronically, on a computer, or in certain paper-based filing systems.
3.5 “genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
3.6 “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and where referred to in this policy includes special categories of personal data;
3.7 “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
3.8 “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3.9 “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
3.10 “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
3.11 “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
3.12 “special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

4. Material scope and territorial scope

4.1 The DPA and GDPR applies to the processing of personal data for wholly or partly automated means and to processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
4.2 The GDPR applies to controllers and processors in the Union whether or not processing takes place in the Union.
4.3 The GDPR applies to the processing of personal data of data subjects who are in the Union where certain processing activities are undertaken.

5. lawfulness of processing

5.1 In the course of our business, we may collect and process personal data and are, for that purpose a controller. This may include data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
5.2 The DPA and the GDPR are not intended to prevent the processing of personal data, but to ensure that it is done lawfully and without adversely affecting the rights of the data subject.
5.3 We will only process personal data as specifically permitted by the DPA and GDPR. We will usually obtain the data subjects consent to process their personal data unless one of the exemptions within the GDPR permits processing without the consent of the data subject.
5.4 For personal data to be processed lawfully, one of the following conditions must apply:
5.4.1 the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
5.4.2 processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
5.4.3 processing is necessary for compliance with a legal obligation to which the controller is subject;
5.4.4 processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5.4.5 processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
5.4.6 processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

6. principles relating to processing of personal Data

6.1 We will process all personal data fairly and in a transparent manner. In particular personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. All personal data shall be:
6.1.1 adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
6.1.2 accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
6.1.3 kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
6.1.4 processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

7. Consent to process personal data

7.1 We shall usually seek the data subjects consent to process personal data using clear and plain language. The data subject has the right to withdraw their consent at any time.

8. Processing of special categories of personal data

8.1 We shall only process special categories of personal data:
8.1.1 if the data subject has given explicit consent to the processing of the special categories of personal data; or
8.1.2 if the processing is necessary for the purposes of carrying out our obligations or specific rights of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law.
8.2 Criminal convictions are not special categories of personal data but shall be dealt with in accordance with statutory obligations in the United Kingdom.

9. Records of processing activities

9.1 We shall maintain a record of processing activities under our responsibility. Those records shall contain all of the following information:
9.1.1 where applicable, our data protection officer;
9.1.2 the purposes of the processing;
9.1.3 a description of the categories of data subjects and of the categories of personal data;
9.1.4 the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
9.1.5 where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where appropriate documentation of suitable safeguards;
9.1.6 where possible, the envisaged time limits for erasure of the different categories of data; and
9.1.7 where possible, a general description of the technical and organisational security measures we have in place.

10. information and access to personal data

10.1 When we collect a data subject’s personal data we shall, at the time the personal data is collected, provide the data subject with all of the following information:
10.1.1 our identity;
10.1.2 the contact details of the data protection officer, where applicable;
10.1.3 the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
10.1.4 if the processing is being pursued for our legitimate interests or pursued for those of a third party;
10.1.5 the recipients or categories of recipients of the personal data, if any; and
10.1.6 where applicable, that we intend to transfer personal data to a third country or international organisation (“Relevant Information”).
10.2 We will, at the time when personal data are obtained, provide the data subject with the following information to ensure fair and transparent processing:
10.2.1 the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
10.2.2 the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
10.2.3 where the data subject have given consent to process personal data, the existence to withdraw consent at any time, without affecting the lawfulness of processing based on consent before it is withdrawn;
10.2.4 the right to lodge a complaint with a supervisory authority;
10.2.5 whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
10.2.6 the existence of automated decision-making, including profiling (“Further Information”).
10.3 Where personal data have not been obtained from the data subject we shall provide the data subject with the categories of personal data together with the Relevant Information. We shall, also provide information to ensure fair and transparent processing, namely we shall advise of the legitimate interests pursued by us or a third party in collection the data, the source from which the data originates, and if applicable, whether it came from publically accessible sources together with the further information. The information will be provided within a reasonable period after obtaining the data but no later than 1 month after receipt, or if we are using the data to communicate with the data subject, at the latest, at the time of the first communication to that data subject or if disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
10.4 If any other purpose for processing is undertaken we shall so advise the data subject prior to commencing processing.
10.5 There are certain occasions where the provision of information will not be possible and we shall advise the data subject if this is the case, where possible.

11. right to access by the data subject

11.1 The data subject shall have the right to obtain from us confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and the following information:
11.1.1 the purpose of the processing;
11.1.2 the categories of the personal data;
11.1.3 the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
11.1.4 where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
11.1.5 the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing;
11.1.6 the right to lodge a complaint with a supervisory body;
11.1.7 where the personal data are not collected from the data subject, any available information as to their source; and
11.1.8 the existence of automated decision-making, including profiling.
11.2 Information will usually be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive we may:
11.2.1 charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action required; or
11.2.2 refuse to act on the request.
11.3 Should we have any doubts concerning the identity of the person making the request we may request additional information necessary to confirm the identity of the data subject.

12. the right to rectification and erasure and restriction of processing

12.1 Data subjects shall have the right to rectification of inaccurate personal data concerning him or her. Data subjects shall also have the right to have incomplete personal data completed including by means of providing a supplementary statement.
12.2 Data subjects shall have the right to obtain from us erasure of personal data (the right to be forgotten).
12.3 In certain circumstances data subjects shall have the right to restriction of processing.
12.4 Where any rectification or erasure of personal data or restriction of processing has taken place we shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall, if the data subject asks, inform the data subject about those recipients.

13. Right to portability

13.1 Where a data subject provides personal data they shall have the right to be provided with a structured, commonly used and machine-readable format and have the right to transmit these data to another without hindrance from us in certain circumstances.

14. Right to object and automated individual decision-making

14.1 Data subjects shall have the right to object to automated decision-making, including profiling. If an objection is made we shall only continue processing where there are compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
14.2 Data subjects shall also have the right to object to processing for direct marketing purposes.

15. Data security – Data protection by design and by default

15.1 We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data and shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
15.2 We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if the data processor agrees to comply with those procedures and policies, or if the data processor puts in place adequate measures. By default only personal data which are necessary for each specific purpose of the processing shall be processed.
15.3 We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
15.3.1 Confidentiality means that only people who are authorised to use the data can access it.
15.3.2 Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
15.3.3 Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.
15.3.4 Data minimisation.
15.3.5 Pseudonymisation and encryption of data.
15.3.6 Risk assessments where necessary.
15.4 Security procedures include:
15.4.1 Entry controls. Any stranger seen in entry-controlled areas should be reported.
15.4.2 Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
15.4.3 Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
15.4.4 Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
15.4.5 Pseudonymisation and encryption of personal data.

16. Transferring personal data to a country outside the EEA

16.1 We may transfer any personal data we hold to a country outside the European Economic Area (“EEA”), provided that one of the following conditions applies:
16.1.1 The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
16.1.2 The data subject has given his or her consent.
16.1.3 The transfer is necessary for one of the reasons set out in the GDPR, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
16.1.4 The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
16.1.5 The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
16.2 Subject to the above requirements, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Those staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.

17. Disclosure and sharing of personal information

17.1 We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
17.2 We may also disclose personal data we hold to third parties:
17.2.1 In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.
17.2.2 If we sell all of our assets or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
17.3 If we are under a duty to disclose or share a data subject’s personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
17.4 We may also share personal data we hold with selected third parties for the purposes set out in this policy.
17.5 We shall remain liable under the Principles if our agent processes such personal information in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

18. Notification of a personal data breach

18.1 We shall, without undue delay, and where feasible, not later than 72 hours after having become aware of a personal data breach, notify the personal data breach to the Information Commissioner, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of any data subject.
18.2 Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject we shall communicate the personal data breach to the data subject without delay.

19. COMPLAINT PROCESS

19.1 In compliance with the Privacy Shield Principles, Harvard Bioscience, Inc, and Data Science International, Inc. commits to resolve complaints about our collection and use of your personal information. EU individuals with inquires or complaints regarding our Privacy Shield policy should first contact us at Compliance@harvardbioscience.com
19.2 We are comitted to cooperating with the EU data protection authorities (dpas) and will comply with the advice given. We are also subject to the investigatory and enforcement powers of the Federal Trade Commission.
19.3 under certain circumstances an individual may invoke binding arbitration but this does not include when lawful requests by public authorities were complied with.
19.4

20. Changes to this policy

We reserve the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or email.