INTRODUCTION

The following information provided by Menarini France (hereinafter referred to as "we", "us", the "Company", or the "Data Controller") is intended for any person(s) contacting the Company's switchboard with questions regarding pharmacovigilance, medical records, or claims relating to the quality of our products. In such cases, your call will be forwarded to the Department(s) concerned.

DATA CONTROLLER AND DATA PROTECTION OFFICER (DPO)

The Data Controller is Menarini France, whose head office located at 1 rue du Jura, BP 40528, 94633 Rungis Cedex, FRANCE, or any other Group Company you may contact via the switchboard (hereinafter referred to as the "Data Controller").

You can contact the Data Controller via the following email address: dpl@menarini.fr.

You can also contact the Data Protection Officer (DPO) via the following email address: dpo@menarini.com.

CATEGORIES OF DATA PROCESSED

We process both basic personal data (e.g.: first name, surname, telephone number, etc.) and sensitive personal data, notably those pertaining to your state of health. This particularly includes all data that you communicate to us in the context of contact via telephone and all other means of correspondence.

If you call our switchboard with questions regarding pharmacovigilance, medical records, or claims relating to the quality of our products, your call will be forwarded to the Department(s) concerned. Your telephone number may be automatically detected, and, where applicable, any voice messages you may leave will be linked with your telephone number. We hereby inform you that every time you provide personal data pertaining to third parties, you are required to have previously provided them with this Notice, and, if legally applicable, obtained their consent.

WHY WE PROCESS YOUR PERSONAL DATA

We hereby inform you that your data may be processed by the Data Controller for the following purposes:

(i) Managing your requests, including requests regarding medical records and observations or claims relating to the quality of our products.

(ii) Managing reports concerning pharmacovigilance and nutrivigilance, notably relating to adverse effects.

The legal basis for the above-mentioned processing is Article 9.2.(i) of the General Data Protection Regulation (GDPR).

(iii) Performing internal statistical analyses on the efficacy of our services and the quality of our products.

The legal basis for the above-mentioned processing is Article 6.1.(f) of the GDPR.

Finally, we may be required to process your basic and sensitive personal data in order to protect our rights in the context of legal proceedings or to uphold the Menarini Group Code of Conduct (Articles 6.1.(f) and 9.2.(f) of the GDPR).

All your data is processed either digitally or manually, either on paper or using suitable software and tools, in compliance with an appropriate level of security and privacy.

We require your data in order to provide you with the services described above. The refusal to provide any data deemed as necessary in order to process your request(s) may prevent us from providing these services. The refusal to provide any deemed as optional shall not entail any consequence on the service provided and/or the processing of your request(s).

HOW WE PROCESS YOUR PERSONAL DATA

In accordance with the provisions of Article 5.1.(c) of the GDPR, we undertake to keep our use of identifiable personal data to a minimum. Identifiable personal data is processed solely for the purposes defined in this document. Data is stored for as long as necessary in the context of the purposes for which it has been collected, and, in all cases, the criterion used to determine the retention period is based on compliance with the conditions set out by the laws in force and the principles of data minimization, retention limitation, and archive management.

ENSURING THE SECURITY AND QUALITY OF YOUR PERSONAL DATA

Menarini undertakes to ensure the security of your data and to comply with securities measures provided for by the laws in force in order to prevent losses of data and unauthorized or unlawful access to or use of your data, including, but not limited to, Articles 25 to 32 of the GDPR.

Menarini makes use of a certain number of technological security procedures and solutions designed to protect personal data. For example, your data is stored on secure servers in protected locations with restricted access.

PERSONS TO WHOM ACCESS TO YOUR DATA HAS BEEN GRANTED

For the purposed described herein, all personnel authorized to process your personal data belong to the following categories: personnel in charge of pharmacovigilance, medical records, and quality assurance; IT technicians; and any other personnel required to process this data in the context of their duties.

The data may also be made accessible to other Menarini Group companies in countries outside the European Union (hereinafter referred to as "Non-EU Countries"), for the above-mentioned purposes and/or administrative purposes, in accordance with Article 6.1.(f) and Recital 48 of the GDPR.

Additionally, data may also be made accessible in Non-EU Countries, to: (i) public entities, institutions, and authorities, for institutional purposes; (ii) professionals, independent consultants (working individually or under a partnership), and other third parties and service providers who provide the Company with commercial, professional, or technical services (e.g., IT or Cloud service providers), including outsourced call centers, for the above-mentioned purposes; (iii) third parties in the case of mergers, acquisitions, or takeovers of a company or branch, audits, or other extraordinary operations; (iv) supervisory organizations, located at the same address as the Data Controller, in the context of their supervisory operations and in application of the Menarini Group Code of Conduct. These organizations will only process the data required in the scope of their duties. They undertake to use said data solely for the above-mentioned purposes, and to process it in accordance with the law.

Data may also be made accessible to other recipients identified by the laws in force.

As stipulated above, the data is not communicated to third parties, whether natural persons or legal entities, which do not provide a commercial, professional, nor technical service to the Data Controller, and as such will not be disseminated. Recipients of this data must process it in their capacity as a Data Controller or person authorized to process personal data, where applicable, for the above-mentioned purposes and in accordance with the laws in force.

Regarding the transfer of data to Non-EU Countries (including to countries that do not guarantee the same standards of protection regarding data privacy as the laws applicable within the EU), the Data Controller hereby informs you that such data shall only be transferred in accordance with the methods described in the GDPR, including the confirmation of your consent, the adoption of the European Commission's Standard Contractual Clauses, and the selection of recipients adhering to international programs for the free movement of data or operating in countries considered safe by the European Commission.

YOUR RIGHTS

You can exercise the rights provided for under Articles 15 to 22 of the GDPR, at any time, including: the right to be informed about the processing of your data; the right to verify its content, origin, exactitude, and location (including Non-EU Countries, wherever they may be); the right to request a copy thereof; the right to request a rectification; and, if provided for by the law in force, the right to request the restriction of such processing; the right to request the erasure of such data; and the right to object to such processing; and the right to withdraw your consent (without affecting the lawfulness of processing carried out before its withdrawal) by contacting Menarini France at the above-mentioned mailing address or the following email address: dpl@menarini.fr.

It is also possible to submit any observations you may have on the processing of your data that you deem inappropriate by contacting the DPO at the following email address: dpo@menarini.com.

You can also lodge a complaint with the French Data Protection Authority (CNIL: Commission Nationale de l’Informatique et des Libertés).

IMP/APH/CMP/15 Version 2