Privacy Notice

PRIVACY NOTICE PURSUANT TO ARTICLE 13 OF THE EU REG. NO. 679/2016 ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA (“GDPR”)

Pursuant to Article 13 of the GDPR, the company Dompé farmaceutici S.p.A. (hereafter referred to as "Dompé"), asData Controller, being the marketing authorization holder for medicinal products as well as the manufacturer ordistributor of medical devices, cosmetics, and nutritional supplements is required to provide certain information aboutthe use of Personal Data collected in the event of spontaneous reports regarding the occurrence, of adverse drugreactions/experience and special situation, of unusual failure in efficacy, of incident and inconvenience, unwanted orundesirable event or effects, or however named according to the applicable local law (now referred to as"Undesirable Effect(s)"), occurring after taking a drug or after the use of medical device, cosmetic, or nutritionalsupplement.""" Identity and contact details of the Data Controller and of the DPO In this section we indicate our references """DATA CONTROLLERDompé farmaceutici S.p.A., with registered office at via San Martino 12, 20122, Milano, Italia, in the person of itspro-tempore legale-mail: privacy@dompe.comDPO: dpo@dompe.com""" Purpose and legal basis of the processing In the section we explain why we collect Your data """Your Personal Data, which you have freely provided, will be collected and processed by Dompé:> without Your consent (ex Art. 6.1 (c), GDPR)for the execution of mandatory legal obligations in the field of pharmacovigilance and vigilance (by way of examplebut not limited to: EU Directive 2010/84, EU Regulation 1235/2010, EU Regulation 520/2012 and EU Regulation2017/745, as well as any additional local regulations in force), and more specifically, for the purpose of identifyingany unknown Undesirable Effects, improvement of information on already known Undesirable Effects, assessmentof the causal link between administration of the drug as well as the use of the medical device, cosmetic or foodsupplement and the undesirable effect observed, as well as notification to the competent authorities of suchinformation to ensure that the that the drugs, the medical devices, cosmetics or nutritional supplements are safelyused and present a favorable benefit/ risk assessment for the population.The provision of your Personal Data for the above purpose is necessary. Failure to provide it on your part will notallow Dompé to fully fulfill the above pharmacovigilance and vigilance obligations.""" Categories of Personal Data In this section we indicate what data we collect """As part of the purpose described above, Dompé will collect and process the following Personal Data:for the reporter (ex Art. 4, no. 1 GDPR)> Identifiable Data: initials or name and last name;> Contact Details: postal address, e-mail address and telephone number (landline or mobile)for the subject to whom the report refers (ex Art. 4, no. 1 and no. 15 and 9, GDPR> Identifiable Data: initials or name and last name, age or date of birth;> Contact Details: City of residence, telephone number (landline or cellular), e-mail address;> Particular Data: sex, data relating to the state of health as well as any other information contained in thereport.""" Methods of data processing In this section we tell you how we use Your Personal Data """We process Your Personal Data in line with the legislative provisions in force, through the use of supports and / orIT, manual and / or telematic tools, in compliance with adequate technical and organizational security measuresfollowing logic strictly related to the purposes for which data is collected.""" Recipients or categories of recipients of the data In this section we indicate who uses Your Personal Data """In relation to the purposes indicated above, Your Personal Data are also processed by:> as data controllers, by way of example but not limited to:a) Regulatory Authorities (Italian and foreign): AIFA, FDA, EMA etc.,b) Health control bodies, public administration bodies, public security authorities or judicial authorities> as Data Processors and Sub-Processors of the processing, appointed pursuant to art. 28, GDPR:a) Companies of the Dompé Group, located, including outside the European Union (or outside the countrywhere the data are collected);b) business partners in Italy and abroad;c) professionals and / or companies appointed by the Data Controller to perform support activities for thepurposes referred to in this privacy notice;d) IT service providers for the management of the technological infrastructure, information systems andtelecommunications networks.The complete and updated list of data recipients, as well as those authorized subjects pursuant to Art. 29, GDPR,can be requested at the addresses indicated above.Your Personal Data will be shared, with the subjects indicated above, where necessary.""" Dissemination of Data In this section we indicate whether Your data is disclosed to indeterminate subjects """Your Personal Data are not disclosed to indeterminate subjects.""" Data transfer abroad """Your Personal Data, where collected both in the territory of the European Union and in countries outside the EuropeanUnion (including through the companies of the Dompé Group), may be disclosed to third parties, located in countriesoutside the European Union or the territory in which they are collected (including the companies of the Dompé Group).In any case, we guarantee that this transfer will only take place in accordance with the principles expresslyestablished by the GDPR in order to adequately protect the data.""" Duration of the conservation of data In this section we indicate how long we will conserve Your data """Your Data will be processed for the time strictly necessary to pursue the purposes of pharmacovigilance and vigilanceof the safety of other products, which Dompé is required by law. In relation to this purpose, Your Personal Data arestored in the security database for the time strictly necessary to manage the report and the related follow-up.Specifically, Personal Data will be pseudonymized within three months of the closure of the case and in any case notlater than two years from the end of the financial year in which the initial report took place.All data relating to the reporting of Undesirable Effects will be conserved as long as the product is authorized and fora maximum period of 10 years starting from the expiration or revocation of the marketing authorization of the productin the last marketing country, except any defensive needs of the Data Controller. At the end of this period, the datawill be deleted or made anonymous so as not to allow, even indirectly or by connecting other databases, theidentification of the data subjects.""" Rights of the Data Subjects In this section we indicate what rights You have in relation to Your data """At any time, you may exercise the following rights:a) right of access, i.e., the right to obtain confirmation from Dompé that Personal Data is or is not beingprocessed and, if so, to obtain access to it;b) right of rectification and erasure, i.e. the right to have inaccurate Data corrected and/or incomplete PersonalData supplemented or erased for legitimate reasons;c) right to restriction of processing, i.e., the right to request the suspension of processing if legitimate groundsexist;d) right to data portability, i.e., the right to receive Personal Data in a structured, commonly used and readableformat, as well as the right to transmit the same to another data controller;e) right to object, i.e., the right to object to the processing of Personal Data if there are legitimate grounds.""" Complaint to the authority We highlight Your right to be able to appeal to the competent data protection authority """You also have the right to lodge a complaint with the competent data protection authority in the event of unlawfulprocessing of Personal Data if you believe that Your rights have not been respected or that your requests have notbeen responded to in accordance with the law.Updated Version: July 2022