Venipharm IS COMMITTED TO PROTECTING YOUR PERSONAL DATA

Venipharm ("Venipharm", "we", "us") is committed to protecting information relating to identified or identifiable natural persons ("Personal Data") that we may process in the course of our activities and during interactions with you.

This policy defines the conditions for the collection, use, disclosure and storage by Venipharm of your Personal Data and recalls the rights you have under the regulations in force that you can assert against Venipharm in connection with the use of this data.

1. Legal Basis

Any processing of Personal Data implemented by Venipharm is carried out in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR");
  • French Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms (known as the "Loi Informatique et Libertés") as amended.

Each processing of Personal Data is based on a legal basis:

  • The consent of the person concerned by a positive act,
  • Preparation and, where applicable, performance of contracts with third parties,
  • The processing is necessary for the performance of a task carried out in the public interest.

No collection of Personal Data is carried out without your knowledge.

2. Personal Data Collected

We collect Personal Data from, among other things, the following categories of persons:

  • Representatives and employees of our service providers, suppliers, partners, customers, in particular health professionals, in the context of contract management,
  • Patients and healthcare professionals in the context of our pharmacovigilance obligations,
  • Job applicants.

3. Purposes of the Processing and Personal Data Collected

Personal Data is collected by Venipharm as Data Controller for the following specified, explicit and legitimate purposes only:

  • Contract management,
  • Management of health vigilance and medical information activities ("Pharmacovigilance"),
  • Recruitment management.

This data may not be used in a subsequent manner that is incompatible with these purposes.

For each Processing, Venipharm undertakes to process only data that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data Minimization).

Venipharm undertakes to ensure that the data processed is accurate, and if necessary, kept up to date, and to take all reasonable steps to erase or rectify it when it is inaccurate (Accuracy).

Venipharm, in its capacity as Data Controller, is the recipient of the data. Only authorized employees of Venipharm, and where applicable its subcontractors (service providers or suppliers) will have access to the data collected within the limits of their respective attributions.

a) Contract Management

In the context of contract management, the Personal Data processed by Venipharm is used for the purposes of concluding and executing contracts, managing commercial activities (information and support, commercial proposals, order management, complaint management, invoicing), managing payments, managing customer accounts, and, where applicable, for the purpose of publishing in the context of transparency of links of interest in order to comply with the Articles L.1453-1 and R.1453-2 et seq. and D.1453-1 of the French Public Health Code.

In this context, the Personal Data processed by Venipharm concerning its service providers, suppliers, partners and customers consists essentially of identification data (surname, first name, email address and telephone number) of their employees with whom Venipharm interacts, as well as exchanges and interactions (emails and other electronic messages, activity reports, minutes, commercial and payment documentation) between Venipharm and these persons.

b) Pharmacovigilance Case Management

As part of our Pharmacovigilance activities, when you notify us of a health event that occurred during the use of a Venipharm product (adverse reaction, unexpected reaction, etc.), it is our responsibility, in accordance with the regulations in force, to collect and process some of your Personal Data.

This collection can be carried out:

The Personal Data collected by Venipharm is described in the reference framework of the French Data Protection Commission ("CNIL") relating to the processing of personal data implemented for the purposes of managing health vigilance. These are: name, age or date of birth, email, telephone, address, profession as well as health data.

Their use and sharing are carried out solely for pharmacovigilance purposes, i.e. for the detection, evaluation, understanding and prevention of adverse reactions or any other problem related to medicine.

Venipharm, in its capacity as data controller, is the recipient of your Personal Data. Only authorized employees of Venipharm involved in the Pharmacovigilance activity will have access to it within the limits of their respective attributions.

Venipharm may transmit your Personal Data to service providers to whom Venipharm has subcontracted the Pharmacovigilance activities in Europe, it being specified, however, that your data will be subject to pseudonymization before their transfer: only initials, contact details, gender, age and health data are transmitted.

Venipharm and its Pharmacovigilance providers have signed a contract strictly governing the protection of personal data in accordance with Applicable Law.

In accordance with the regulations in force, Venipharm and Pharmacovigilance providers are obliged to report relevant pharmacovigilance information to health authorities worldwide (including countries that may have a different level of data protection than the European Union). The reports submitted include a description of the events, and only limited personal data about the patients: age, date of birth, gender, initials and relevant health data.

c) Recruitment Management

As part of its recruitment activities, Venipharm processes personal data concerning candidates necessary for the processing of their application(s). The data concerned are the candidate's identification data and contact details, his or her Curriculum Vitae, the letters, emails and documents sent by the candidates, the dates and results of interviews, the salary positioning, the follow-up given to the application, the type and duration of the contract offered.

4. Personal Data Storage Duration

In the context of pharmacovigilance case management, insofar as reports concerning adverse events are essential in terms of public health, the data are kept in an active database for at least 10 years after the expiry of the marketing authorisation. They will then be archived in intermediate archiving for the legal or regulatory period applicable to each health vigilance.

For any other situation, the data is kept for a maximum of 3 years after the last interaction that Venipharm had with you.

5. Personal Data Breach Notification

Venipharm is responsible for notifying the competent supervisory authority (CNIL) of personal data breaches as soon as possible and, if possible, no later than 72 hours after becoming aware of them, unless the breach in question is not likely to cause a risk to the rights and freedoms of natural persons. Venipharm shall communicate the breach of personal data to the data subject as soon as possible, when such breach is likely to result in a high risk to the rights and freedoms of a natural person.

6. Data Security

Venipharm undertakes to implement the necessary technical and organizational security measures to guarantee a level of security appropriate to the risk, including:

a) Network Security

A protocol for securing flows between Venipharm's computer network and the internet is in place. WPA2 is used for Wi-Fi networks. Remote access to the Venipharm network (VPN) is secured with a username and password.

b) Website Security

The TLS protocol is used.

c) Server Security

Access to the tools and administration interfaces is restricted to authorised persons. The authorisation profiles are defined by computerised system for each employee. The management of staff authorisations to the various servers is in place with an annual review of authorisations.

d) Securing Computer Workstations

User authentication is carried out with a username and a password containing numbers, letters, capital letters and special characters. A password reset is performed every 3 months. The number of access attempts is limited, and a block is automatically applied in case of failure. An automatic transfer lock is in place after a period of inactivity. Regular updates of the antivirus and firewall are installed. The user's agreement is validated before any remote intervention on his workstation.

e) Data Backup and Business Continuity

A regular backup of the data is carried out: daily backup on an external hard drive and weekly external encrypted backup with a specialized service provider. A full server restore test from backups is performed every 3 months.

f) Securing Work Documents

A password is in place on some files for opening and editing. Documents are pseudonymized. Access to the tools and administration interfaces is restricted to authorised people. However, while we take steps to protect your Personal Data, we cannot guarantee that the Personal Data we process will remain secure.

g) Staff Awareness and Training

Data handling staff are made aware of the requirements of the GDPR, confidentiality and data security, through internal awareness, internal procedures, internal memos and email reminders.

7. Your Rights

In accordance with the regulations in force, you have the right to access, rectify and delete your data, as well as the right to give post-mortem instructions. You can also request the restriction of processing.

You have the right to object to the processing of your data when this is based on legitimate interest. Finally, you have a right to the portability of your data (when the processing is based on the performance of a contract or consent) and can request the withdrawal of your consent.

However, as an exception to the above, insofar as the processing implemented for the purposes of managing health vigilance is based on compliance with a legal obligation, the persons concerned by the collection of the data (persons exposed to the adverse health event, the person who notified the adverse health event and the health professional who followed the person concerned by the event) have neither the right to object, nor the right to erasure of data, nor the right to data portability. The persons concerned shall be informed in advance.

8. Contact/Complaint

To exercise your rights and ask us about the processing of your personal data, you can lodge a complaint in writing with our personal data protection officer at the following email address: dpo@venipharm.fr.

If, after contacting us, you feel that your rights are not being respected, you can lodge a complaint with the competent supervisory authority.