Privacy Notice

PRIVACY NOTICE PURSUANT TO ARTICLE 13 OF THE EU REG. NO. 679/2016 ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA (“GDPR”)

Pursuant to Article 13 of the GDPR, the company Dompé farmaceutici S.p.A. (hereafter referred to as "Dompé"), as

Data Controller, being the marketing authorization holder for medicinal products as well as the manufacturer or

distributor of medical devices, cosmetics, and nutritional supplements is required to provide certain information about

the use of Personal Data collected in the event of spontaneous reports regarding the occurrence, of adverse drug

reactions/experience and special situation, of unusual failure in efficacy, of incident and inconvenience, unwanted or

undesirable event or effects, or however named according to the applicable local law (now referred to as

"Undesirable Effect(s)"), occurring after taking a drug or after the use of medical device, cosmetic, or nutritional

supplement.

""" Identity and contact details of the Data Controller and of the DPO

In this section we indicate our references """

DATA CONTROLLER

Dompé farmaceutici S.p.A., with registered office at via San Martino 12, 20122, Milano, Italia, in the person of its

pro-tempore legal

e-mail: privacy@dompe.com

DPO: dpo@dompe.com

""" Purpose and legal basis of the processing

In the section we explain why we collect Your data """

Your Personal Data, which you have freely provided, will be collected and processed by Dompé:

> without Your consent (ex Art. 6.1 (c), GDPR)

for the execution of mandatory legal obligations in the field of pharmacovigilance and vigilance (by way of example

but not limited to: EU Directive 2010/84, EU Regulation 1235/2010, EU Regulation 520/2012 and EU Regulation

2017/745, as well as any additional local regulations in force), and more specifically, for the purpose of identifying

any unknown Undesirable Effects, improvement of information on already known Undesirable Effects, assessment

of the causal link between administration of the drug as well as the use of the medical device, cosmetic or food

supplement and the undesirable effect observed, as well as notification to the competent authorities of such

information to ensure that the that the drugs, the medical devices, cosmetics or nutritional supplements are safely

used and present a favorable benefit/ risk assessment for the population.

The provision of your Personal Data for the above purpose is necessary. Failure to provide it on your part will not

allow Dompé to fully fulfill the above pharmacovigilance and vigilance obligations.

""" Categories of Personal Data

In this section we indicate what data we collect """

As part of the purpose described above, Dompé will collect and process the following Personal Data:

for the reporter (ex Art. 4, no. 1 GDPR)

> Identifiable Data: initials or name and last name;

> Contact Details: postal address, e-mail address and telephone number (landline or mobile)

for the subject to whom the report refers (ex Art. 4, no. 1 and no. 15 and 9, GDPR

> Identifiable Data: initials or name and last name, age or date of birth;

> Contact Details: City of residence, telephone number (landline or cellular), e-mail address;

> Particular Data: sex, data relating to the state of health as well as any other information contained in the

report.

""" Methods of data processing

In this section we tell you how we use Your Personal Data """

We process Your Personal Data in line with the legislative provisions in force, through the use of supports and / or

IT, manual and / or telematic tools, in compliance with adequate technical and organizational security measures

following logic strictly related to the purposes for which data is collected.

""" Recipients or categories of recipients of the data

In this section we indicate who uses Your Personal Data """

In relation to the purposes indicated above, Your Personal Data are also processed by:

> as data controllers, by way of example but not limited to:

a) Regulatory Authorities (Italian and foreign): AIFA, FDA, EMA etc.,

b) Health control bodies, public administration bodies, public security authorities or judicial authorities

> as Data Processors and Sub-Processors of the processing, appointed pursuant to art. 28, GDPR:

a) Companies of the Dompé Group, located, including outside the European Union (or outside the country

where the data are collected);

b) business partners in Italy and abroad;

c) professionals and / or companies appointed by the Data Controller to perform support activities for the

purposes referred to in this privacy notice;

d) IT service providers for the management of the technological infrastructure, information systems and

telecommunications networks.

The complete and updated list of data recipients, as well as those authorized subjects pursuant to Art. 29, GDPR,

can be requested at the addresses indicated above.

Your Personal Data will be shared, with the subjects indicated above, where necessary.

""" Dissemination of Data

In this section we indicate whether Your data is disclosed to indeterminate subjects """

Your Personal Data are not disclosed to indeterminate subjects.

""" Data transfer abroad """

Your Personal Data, where collected both in the territory of the European Union and in countries outside the European

Union (including through the companies of the Dompé Group), may be disclosed to third parties, located in countries

outside the European Union or the territory in which they are collected (including the companies of the Dompé Group).

In any case, we guarantee that this transfer will only take place in accordance with the principles expressly

established by the GDPR in order to adequately protect the data.

""" Duration of the conservation of data

In this section we indicate how long we will conserve Your data """

Your Data will be processed for the time strictly necessary to pursue the purposes of pharmacovigilance and vigilance

of the safety of other products, which Dompé is required by law. In relation to this purpose, Your Personal Data are

stored in the security database for the time strictly necessary to manage the report and the related follow-up.

Specifically, Personal Data will be pseudonymized within three months of the closure of the case and in any case not

later than two years from the end of the financial year in which the initial report took place.

All data relating to the reporting of Undesirable Effects will be conserved as long as the product is authorized and for

a maximum period of 10 years starting from the expiration or revocation of the marketing authorization of the product

in the last marketing country, except any defensive needs of the Data Controller. At the end of this period, the data

will be deleted or made anonymous so as not to allow, even indirectly or by connecting other databases, the

identification of the data subjects.

""" Rights of the Data Subjects

In this section we indicate what rights You have in relation to Your data """

At any time, you may exercise the following rights:

a) right of access, i.e., the right to obtain confirmation from Dompé that Personal Data is or is not being

processed and, if so, to obtain access to it;

b) right of rectification and erasure, i.e. the right to have inaccurate Data corrected and/or incomplete Personal

Data supplemented or erased for legitimate reasons;

c) right to restriction of processing, i.e., the right to request the suspension of processing if legitimate grounds

exist;

d) right to data portability, i.e., the right to receive Personal Data in a structured, commonly used and readable

format, as well as the right to transmit the same to another data controller;

e) right to object, i.e., the right to object to the processing of Personal Data if there are legitimate grounds.

""" Complaint to the authority

We highlight Your right to be able to appeal to the competent data protection authority """

You also have the right to lodge a complaint with the competent data protection authority in the event of unlawful

processing of Personal Data if you believe that Your rights have not been respected or that your requests have not

been responded to in accordance with the law.

Updated Version: July 2022