Patients and Healthcare Professionals Privacy Policy
SERB highly values your personal privacy and is committed to respecting the privacy rights of all individuals. We ensure that the processing of personal data strictly adheres to the requirements of applicable laws and this privacy policy (the “Policy”).
This privacy policy (the “Policy”) covers the collection and the use of personal data concerning patients, as well as healthcare professionals (“HCPs”) (collectively “you”, “your”) by SERB SAS, a company organized under French law, whose registered office is located at 40 avenue George V, 75008 Paris, France, and its affiliates (each hereinafter referred to as the “Company”, “we”, “us”, “our”, and collectively referred to as “SERB Group”), acting as data controllers either independently or jointly depending on the processing activities.
Each entity of the SERB Group authorized to distribute a pharmaceutical product locally acts as an independent data controller for such products. For other language versions, please refer to our website.
- What data do we process?
- How do we process your data?
- How do we collect your data?
- With whom do we share your data?
- How is the outsourcing of your data managed?
- Are your data transferred outside the European Economic Area?
- What are your rights?
- How do we guarantee the security of your data?
- Questions and Complaints
- Miscellaneous
1. WHAT DATA DO WE PROCESS?
1.1 The Company processes the following patients’ personal data for the purposes described below:
- Personal identification data (gender, age, surname and first name or only initials of surname (first 3 letters) and first name (first 2 letters) where applicable);
- Health data related to patient follow-up (information about the procedure to be performed on the patient, information from medical record, other health data: medical and family history, concomitant medications, etc.);
- Where applicable, contact data (telephone number, postal address, e-mail address);
- Where applicable, the personal data you have entered in the contact form on the website or in the complaints you have submitted.
1.2 The Company processes the following HCPs’ personal data for the purposes described below:
- Personal identification data (surname, first name);
- Professional identification data (job title, workplace (hospital, pharmacy, government entity), civil protection, civil defence, practice and therapeutic areas, speciality, professional registration number, degree, professional qualification and experience, scientific activities etc.);
- Contact data (professional postal address, telephone, e-mail address, fax);
- Financial information where applicable, collected for purpose of payment and transparency requirements in connection with the performance of a contract;
- Data relating to meetings with our sales and medical representatives (time and location of the meeting, data relating to the cost of shared meals, data contained in the comment fields);
- Where applicable, the personal data you have entered in the contact form on the website or in the complaints you have submitted.
2. HOW DO WE PROCESS YOUR DATA?
(a) Purposes
2.1 The Company processes your personal data for the following purposes:
(i) Applicable to patients
- Management of the early and compassionate access authorizations
- Management of your participation in our clinical research and studies.
- Pharmacovigilance and materiovigilance monitoring (collection of adverse events, risks of incidents and/or incidents, patient monitoring (such as registers, database), writing reports of adverse reactions that may be related to the use of medicines), monitoring of “off-label” use.
- Processing of medical information requests.
(ii) Applicable to HCPs
- Pharmacovigilance and materiovigilance monitoring (collection of adverse events, risks of incidents and/or incidents, patient monitoring (such as registers, database), writing reports of adverse reactions that may be related to the use of medicines), monitoring of “off-label” use;
- Processing of medical information requests.
- Planning and support for the interaction between our in-field teams and you to create a tailored profile about you and categorize into different segments in accordance with this profile, and to identify you in the appropriate therapeutic areas and establish connections and interactions with you, it being specified that no automated decisions are made that would result in legal effects or have a significant impact on you;
- Maintenance of interaction and communication with you with the support of our Customer relationship management (“CRM”) system:
(1) Engagement of effective direct communication with you by remote electronic channels (such as email, telephone, SMS etc.) and visits in person to provide: (i) pertinent news, research, educational materials within your specialty, (ii) relevant information about our products, which may include medical, clinical and marketing promotional materials, (iii) all other kinds of updates related to products you are interested in.
(2) Invitation to attend the medical/healthcare events, such as conferences, both national and international.
- Follow-up of Medical Scientific Liaisons (MSL) activities for providing specific medical information to HCPs and collecting feedback and opinions from HCPs.
- Management of event registration and organization, principally to help you receive the invitation and event-related information, ensuring seamless participation and attendance.
- Establishment and management of collaboration with you, including the selection, planning, organization and review of any collaboration with you, particularly involving research and development (such as clinical trials or other research studies), consultancy services or participation as a speaker in webinars or conferences.
- Transparency and ethics compliance: legal obligations imposed on Marketing Authorization Holders in the pharmaceutical industry to ensure no ethical or business integrity non-compliance in the engagements with HCPs, which may involve public or non-public disclosure of information related to engagements, anti-bribery and corruption, and handling conflicts of interest.
(b) Legal basis
2.2 The collection and processing of your personal data is based on the legal obligations binding the Company, explicit consent you have given to receive promotional information from us, as well as on the legitimate interest of the Company in managing and processing requests for information. When they are based on our legitimate interests, these interests do not appear to us to take precedence over your interests and fundamental rights and freedoms.
2.3 In addition, when processing health data, the Company complies with the data protection and privacy legislation. In particular, the processing of health data carried out is necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services implemented by a health professional.
(c) How long do we keep your data?
2.4 Your personal data is kept by the Company for periods not exceeding those necessary for the purposes for which they are processed, taking into account the sensitive nature of the data processed, the applicable statute of limitations and the legal or regulatory obligations imposed on the Company. The retention periods are specified in point
2.5 Beyond these periods indicated below, your data will be regularly deleted or anonymized unless it is necessary to keep them longer (i) to ensure compliance with legal, accounting and tax retention obligations, (ii) for the retention of evidence during the applicable limitation periods, (iii) for the exercise of our rights in the event of litigation or legal action throughout the period of the proceedings or investigation.
(d) Synthesis
2.6 The processing of your personal data can be summarized as follows:
(i) Applicable to patients
Processing Activity | Collected data | Legal basis | Data retention period |
Management of the early and compassionate access authorizations | Personal identification data; Health data related to patient follow-up | Legal obligation | 2 years after approval by the National Pharmaceuticals Agency of the summary of the last synthesis report. Archiving on an intermediate basis during the MA and 10 years after its expiry. |
Participation in clinical research | Pseudonymized personal data which are not able to directly identify you (e.g. age, sex). Health data related to patient follow-up to evaluate the drug’s efficacy | Consent; Public interest; Legitimate interest | In line with the specific regulatory requirements subject to different types of clinical study and the applicable jurisdiction. |
Pharmacovigilance and Materiovigilance monitoring | Personal identification data (gender, initials) and reporter (gender, last name, first name). Health data related to patient follow-up. Contact data. | Legal obligation | Duration of the marketing authorisation and 10 years after the marketing authorisation ceases to exist. Duration of the marketing authorization and 15 years after the cessation of marketing authorization for medical devices. |
Processing of medical information requests | Personal identification data; Contact data of the requestor; Personal data contained in the contact form on the website; | Legal obligation | 10 years from receipt of the request. |
In cases where the processing is for the purpose of managing clinical research studies in which you are enrolled, or for managing early and compassionate access authorizations, a patient study Informed Notice detailing data protection information in accordance with specific clinical research shall be provided to patients by the study doctor or investigator.
(ii) Applicable to HCPs:
Processing Activity | Collected data | Legal basis | Data retention period |
Management of the early and compassionate access authorizations | Personal identification data; Professional identification data; Contact data | Legal obligation | 2 years after approval by the National Pharmaceuticals Agency of the summary of the last synthesis report. Archiving on an intermediate basis during the MA and 10 years after its expiry. |
Collaborations with HCPs (such as management of the clinical trials and clinical research studies, consultancy services, and participation as a speaker in webinars or conferences) | Personal identification data; Professional identification data; Contact data; Financial information | Performance of contract; Legal obligation | In line with the specific regulatory requirements and the applicable jurisdiction. |
Pharmacovigilance and Materiovigilance monitoring | Personal identification data; Contact data | Legal obligation | Duration of the marketing authorization and 10 years after the marketing authorization ceases to exist. Duration of the marketing authorization and 15 years after the cessation of marketing authorization for medical devices. |
Processing of medical information requests | Personal identification data; Contact details of the requestor; Personal data contained in the contact form on the website; | Legal obligation | 10 years from receipt of the request. |
Planning and support for the interaction between our in-field teams and you: – Creation of a tailored profile about you and categorization into different segments in accordance with this profile. This profiling is based on two factors: (i) the market size of your organization and (ii) your adoption of our products. – Identification of HCPs in the appropriate therapeutic areas for establishing connections and interactions with you. | Personal identification data; Professional identification data; Contact data; | Legitimate interest | 3 years after the last active interaction. |
Maintenance of interaction and sending of sales and marketing communication to you based on our CRM system: – Engagement of effective direct communication with you by email, telephone, SMS or other electronic channels, and visits in person to provide: (i) pertinent news, research, educational materials within your specialty, (ii) relevant information about our products, which may include medical, clinical and marketing promotional materials. – Invitation to attend the medical/healthcare events, such as webinars and conferences, both national and international. | Personal identification data; Professional identification data; Contact data; Data relating to the meeting with our sales representatives; | Explicit consent given by HCPs | Duration of consent. Your personal data will no longer be used for marketing and sales communication purposes if you withdraw your consent. |
Management of events registration and organization. | Personal identification data; Professional identification data; Contact data; | Legitimate interest for event organization. | 6 months after the events. |
Follow-up of Medical Scientific Liaisons (MSL) activities. | Personal identification data; Professional identification data; Contact data; Data relating to the meeting with our MSL; | Legitimate interest for communicating complex scientific and medical information to HCPs in accordance with their specialty. | As long as necessary to fulfill this processing purpose. |
Transparency and ethics compliance under applicable regional and local rules and regulations and best industry practices and standards. | Personal identification data; Contact data; Financial transaction information; Transfer of value; | Legal obligation. Your consent may be required as per applicable laws in some locales. | As long as necessary to comply with local applicable industry regulations or guidelines. |
3. HOW DO WE COLLECT YOUR DATA?
3.1 We collect your personal data:
(i) If you are a patient
- directly from you when you contact us to request medical information about our products or to report any adverse reactions related to our products.
- indirectly through your doctor, from whom you request medical information or to whom you report any adverse effects related to prescribed medical products, or who takes part in our study research and acts as study investigator.
(ii) If you are a HCP
- directly from the interactions with you during the conferences, forums, webinars and any other medical events you participate in.
- directly from you in the event of medical information requests, inquiries, collaborations, surveys, etc.
- from publicly available sources including websites, social media, journals etc., and third parties such as Veeva System Inc.
4. WHO DO WE SHARE YOUR DATA WITH?
4.1 If necessary, we may forward your personal data to the following recipients:
- Our affiliates;
- Our business partners and selected service providers or vendors, such as distributors, our technical service providers for hosting, archiving and telephone permanence, Clinical Research Organization for management of clinical studies;
- Our legal advisers and/or lawyers and those of purchasers in the context of restructuring operations, divestments, mergers, and acquisitions or litigation;
- Government entities and administrations authorised to access and/or obtain your personal data, and in particular the Ethic Committees, the local regulatory agency for approval of clinical trials and researches and for the medicinal products registration, the competent authorities for transparency requirements, the regional pharmacovigilance centers, the European database of adverse reaction reports that may be related to the use of medicinal products;
- The courts and tribunals of the judicial order in case of litigation involving you;
- Law enforcement authorities in the event of the observation or suspicion of the occurrence of an offence involving you in accordance with or as required by applicable law.
4.2 In the event of a restructuring, divestments, or merger (including reorganization), we may transfer your personal data to a third party involved in the transaction (for example, a purchaser) in accordance with applicable data protection legislation.
5. HOW IS THE OUTSOURCING OF YOUR DATA MANAGED?
5.1 We take appropriate steps to ensure that our contractors process your personal data in accordance with applicable data protection legislation.
5.2 These measures include the signing of a data processing agreement which requires processors, among other things, to process your personal data only on our instructions, not to engage a second-tier processor without our consent, to take appropriate technical and organizational measures to ensure the security of your personal data, to ensure that the persons authorised to access the data are subject to confidentiality obligations, to return and/or destroy your personal data at the end of their assignment or contract, to undergo audits and to provide us with assistance in following up on your requests to exercise your rights in relation to your personal data.
6. ARE YOUR DATA TRANSFERRED OUTSIDE THE EUROPEAN ECONOMIC AREA?
6.1 Your data may be transferred outside the European Union to the countries or regions where our affiliates operate or in which we engage authorized subcontractors, including in the US, in the fulfillment of processing purposes as stated in section 2.1. We have controlled this transfer by implementing various legal and technical tools through standard contractual clauses ensuring a sufficient and appropriate level of protection of your data. We have also entered into appropriate contractual arrangements in accordance with applicable data protection legislation.
7. WHAT ARE YOUR RIGHTS?
7.1 In accordance with applicable data protection legislation, you have the right to access, rectify and delete your personal data, the right to object to or limit the processing of your personal data, the right to the portability of personal data and the right to define directives concerning the use of your personal data after your death.
Right | What does that mean? |
The right of access | You have the right to obtain a copy of your personal data. |
The right of rectification | You have the right to obtain the rectification of your personal data if they are inaccurate or incomplete. |
The right to erasure (the “right to be forgotten”) | You have the right to obtain the deletion of your personal data. However, the right to erasure (or the “right to be forgotten”) is not absolute and is subject to specific conditions. We may retain your personal data to the extent permitted by applicable law, and in particular when their processing remains necessary to comply with a legal obligation to which the Company is subject or to establish, exercise or defend a right in court. |
The right to restriction of processing | You have the right to obtain the limitation of the processing in certain circumstances (for example when the Company no longer needs your personal data, but they are still necessary for the establishment, exercise, or defense of a legal right). |
The right to portability of personal data | You have the right, under certain circumstances, to receive the personal data concerning you that you have provided to the Company in a structured, commonly used, and machine-readable format and to pass it on to another data controller. This right applies only when the processing is based on your explicit consent or the performance of contract to which you are party. |
The right to object to processing | You have the right to object to certain types of processing (for example, where the processing is based on the Company’s legitimate interests). This right does not apply when the processing is based on our legal obligations or the performance of contract to which you are party. |
The right to withdraw consent | If you have given your consent to the Company’s processing of your personal data, you have the right to withdraw it at any time. Please note that this withdrawal shall not affect the lawfulness of our processing based on consent before its withdrawal. |
The right to set guidelines on the fate of your data after your death (Applicable only to French residents) | You can set guidelines for the storage, deletion, and disclosure of your personal data after your death. These guidelines may be general or specific. General guidelines are registered with a trusted third party. Special directives are registered with the Company. |
7.2 Please send us any request concerning your rights in relation to your personal data by email to dpo@serb.com. We will respond to your request as soon as possible and always within the time limits set out in the applicable data protection legislation. Please note that we may retain your personal data for certain purposes where required or permitted by law.
8. HOW DO WE GUARANTEE THE SECURITY OF YOUR DATA?
8.1 We take appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with your personal data. We follow industry best practices to ensure that personal data is not accidentally or unlawfully destroyed, lost, altered, or subject to unauthorized disclosure or access.
9. QUESTIONS AND COMPLAINTS
9.1 If you have any questions or complaints concerning the processing of your personal data by the Company, please contact our data protection officer by email at dpo@serb.com.
9.2 You have the right to submit a complaint before the competent supervisory authority in your location regarding the processing of your personal data. Please consult the contact details of the Data Protection Authorities here.
You can also reach out to the following authorities in the countries where our entities operate:
France | Commission nationale de l’informatique et des libertés 3 Place de Fontenoy – TSA 80715 – 75334 Paris CEDEX 07 Tel: 01 53 73 22 22 |
Belgium | Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA) Rue de la Presse 35 – Drukpersstraat 35 1000 Bruxelles – Brussel Tel : +32 2 274 48 00 Email: contact@apd-gba.be |
UK | Information Commissioner’s Office Water Lane, Wycliffe House Wilmslow – Cheshire SK9 5AF UNITED KINGDOM Tel: +44 1625 545 700 Email: icocasework@ico.org.uk |
Germany | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit Graurheindorfer Str. 153 53117 Bonn Telephone: +49(0)228 997799-0 E-mail: poststelle@bfdi.bund.de |
Poland | Urzad Ochrony Danych Osobowych Stawki 2 00-193 Warsaw Poland Tel. +48 22 531 03 00 Fax +48 22 531 03 01 kancelaria@uodo.gov.pl |
Luxembourg | National Commission for Data Protection Commission nationale de la protection des données 41 rue de la Gare L- 1611 LUXEMBOURG Tél. (+352) 26 10 60-1 / Fax : (+352) 26 10 60-29 Email : info@cnpd.lu Website: http://www.cnpd.lu/ |
United States of America | U.S. Department of Commerce Federal Trade Commission 1401 Constitution Avenue, NW USA – WASHINGTON D.C. 20230 Tel: 1 202 48 21 816 / Fax: 1 202 50 18 013 Email: privacy@ntia.doc.gov Internet : www.export.gov |
Australia | Office of the Australia Information Commissioner GPO Box 5288 Sydney NSW 2000 Email: foi@oaic.gov.au Tel: 1300 363 992 F +61 2 9284 9666 |
10. MISCELLANEOUS
10.1 This Policy is effective as of March 1, 2024. The Company reserves the right to update this Policy at any time. If we make changes to this Policy, we will notify you so that you are always aware of how we treat your personal data.