Privacy Notice for HCPs – published on the Company’s Website

Dear Doctor / Health Care Professional

We take your privacy very seriously and we commit to respect it to the sector’s highest standards. For this reason we wish to provide up-to-date information as to how Menarini Hellas S.A, Patmou 16-18, 15123 Marousi (hereinafter the “Company”, or “we”) processes your personal data and ensures compliance with the applicable laws, including Regulation 2016/679/EU (the “Regulation”).

1. What we can do with your Data
The personal data you are conferring or you have previously conferred on occasion of previous contacts with us may be processed by the Company in its capacity of Data Controller for the following purposes:

(A) “Scientific Information Activities”, also performed via digital communication media as emails. Scientific Information includes all methods with which scientific information messages are conveyed to HCPs, i.e. directly by Reps, by correspondence (publications dispatched by postal mail and/or email), by means of events, congresses, webinars and continuing education.

(B) “Institutional Communication Activities”, performed also by means of digital communication media (e.g. email), pertaining to the Company and to its initiatives and products;

(C) Customisation of our Scientific Information activities/services by assessing your needs, preferences and professional interests (“Profiling”).

2. What Data we collect
The personal data which we may process (“Data”) are the following:

(1) Professional/Academic Title; (2) Name; (3) Surname; (4) Date and Place of birth; (5) year of graduation; (6) Gender; (7) Tax Number / Social Security Number; (8) Correspondence and visit address (street, number, city, county, as well as email address and details of any other digital account); (9) visit times; (10) work phone number; (11) professional mobile phone number; (12) Work sector; (13) Additional academic and professional qualifications/specialisations; (14) average number of registered patients; (15) job position (e.g. Consultant Cardiologist, Ippokratio General Hospital; Head of Cardiology Unit, Tzanio General Hospital); (16) conventions with the National Health System; (17) Data related to the Scientific Conferences and other symposia attended by the HCPs and supported by the Company; (18) Data pertaining to the use and/or viewing, on your part, of our electronic/digital informational materials; (19) other information pertaining to your profession and preferences with regards to the services we offer.

Consent to Data processing is required to enable us to perform our Scientific Information activities and for this reason we ask you to provide at least the above data highlighted in bold fonts: if you withhold them we will be unable to address any Scientific Information activity to you. Conversely, granting your consent to collect all the other data and to process them for the additional purposes indicated above (that is, other than Scientific Information) is optional -your refusal will not prevent us from addressing Scientific Information Activities to you, although we will be unable to tailor our services to your needs and/or to provide updates on the news regarding the Companies of our Group.

We inform you that your consent is the legal basis for the data processing operations described above, at art. 6.1.a. of the Regulation. Furthermore, your data may also be processed without your consent in order to fulfil obligations stemming from laws, regulations and EU law, as well as to enforce or defend a legal right judicially, to pursue legitimate interests (e.g. to share data among Menarini Group Companies) and in all other cases prescribed by arts. 6 and 9 of the Regulation, where these are applicable.

3. How we process your Data.
Data are processed both in paper and electronically and entered into the company system in line with the applicable laws –including the aspects pertaining to data security and confidentiality- and according to the principles of fair and lawful processing. Your Data shall be stored only as long as strictly necessary to fulfil the goals for which they were collected; in any case, the criterion used to determine the length of the storage period takes into due account the need to comply with any relevant legal requirement, the principle of data minimisation and the need to rationally manage the Company’s records. We may store your data even after the end of our activities towards you, but only for as long as necessary to fulfil contractual and legal obligations as well as to fulfil the purposes listed above. We update and maintain our databases so as to ensure your Data are always correct and accurate.

4. Who can access your Data
Data may be processed by staff belonging to the following categories: administrative staff, reps, product managers. Data may also be processed by all those other members of staff who may need to do so by reason of their job duties. In addition, pursuant to arts. 6 and 9, Recitals 48 and 52 of the Regulation, Data may be communicated to the Company’s parent company A. Menarini IFR Srl, based in Florence (Italy), as well as to other companies of the Menarini Group, including those located in non-EU Countries (“Third Countries”) for organisational, administrative, financial and accounting necessities. Based on the legal and regulatory provisions to which we are bound, we may communicate your Data to the [National Regulatory Agency for Medicines], to SFEE, to national and local Health Authorities, other health centres and universities, other public authorities, association bodies as well as other recipients to whom your Data shall be disclosed pursuant to laws or regulations. In addition, in relation to the above obligations and purposes, data may be communicated to other companies, such as suppliers, sub-suppliers, IT and “Cloud Computing” service providers, agencies and event organisation entities, professional service providers and companies that perform tax/administrative tasks on our behalf, even in Third Countries. Such entities/individuals will act, as the case may be, as data controllers or data processors, for the same purposes listed above and in line with the applicable law. As far as Data transfers to Third Countries are concerned –including transfers to countries which may not guarantee the same protection standards as the applicable privacy laws, we inform you that Data processing will take place only in accordance with the provisions set forth by the laws in force, such as, for example, your consent, the adoption of Model Contract Clauses approved by the EU Commission, the selection of commercial partners enrolled in programs for the international free movement of data (e.g. the EU-USA Privacy Shield) or operating in Countries considered safe by the EU Commission.

5. Your Rights to Access and Control your Data
You may at any time contact us at info@menarini.gr as well as to our address in order to exercise the rights afforded by arts. 15-22 of the Regulation, including: knowing whether or not any Data referring to you is being processed by us; access your Data; verify the Data’s content, origin, exactness, location (including, where applicable, the Third Countries where the data might be); obtain a copy of the Data; ask that the Data are supplemented, updated, amended; in the circumstances set forth by the law, ask that the processing of Data is restricted, that Data are deleted, anonymised, frozen; oppose to profiling operations and direct contact activities (including restricting contact methods to specific communication media), oppose to the processing of Data for legitimate reasons. Likewise, you may at any time withdraw consent (although this will not impair the lawfulness of the processing operations performed before your consent’s withdrawal) and/or notify the Menarini Group’s Data Protection Officer dpo at www.menarini. Com/Greece any observations you may have on our use of your Data which you consider inappropriate and/or lodge a complaint with the National Data Protection Authority.