Data Protection Policy
1. Policy in brief and purpose
SINTETICA SA (hereinafter “SINTETICA”, “the company” or “the controller” or “we”) attaches great importance to compliance with national and international regulations on the protection of personal data. In particular, the company intends to promote among its Employees, regardless of their role and function, an informed approach to the processing of personal data.
The purpose of this Directive is to ensure, within the activities carried out by and for SINTETICA, respect for and protection of the fundamental rights and freedoms of data subjects, in particular the right to the protection of personal data.
SINTETICA’s activities are governed primarily by Swiss law and by the law of the countries where its branches or business establishments are located. With regard to the protection of personal data, SINTETICA’s activities are subject in the first instance to the Swiss Federal Act on Data Protection (FADP), the total revision of which entered into force on 1 September 2023. In addition, SINTETICA’s activities may also be partly subject to other international rules and regulations on data protection, in particular the European Regulation (known by the English acronym “GDPR”) may become applicable. The express reference to the provisions of the GDPR does not imply, unless it is applicable as mandatory law, a declaration of submission by SINTETICA. As regards the specific provisions on personal data within the pharmaceutical industry, reference is made to the applicable national and international law.
SINTETICA reserves the right to adopt binding rules and/or provisions that further implement or supplement the provisions of this Directive, where it considers it appropriate or necessary to comply with applicable law. The Directive supplements the applicable data protection law, which prevails if it requires a deviation from this data protection Directive or imposes broader requirements. In particular, if personal data are processed outside Switzerland or concern persons outside Switzerland, it must in any case be verified whether laws with stricter regulations apply that take precedence over this Directive (for example, but not limited to, in Germany, France or Spain). This Directive enters into force immediately. It may be amended at any time by SINTETICA. It is an integral part of the employment relationship and is published on the intranet and on the public website.
For any questions in relation to this Directive, SINTETICA makes available a dedicated service, addressed both to Employees and to data subjects (hereinafter the “Advisor”), which can be contacted by email:
- For Switzerland: privacy@sintetica.com
- For Germany and Europe: datenschutz.sintetica@katlex.de
2. Scope of application
1. "Personal data" means all information about persons who are mentioned by name or who can be assigned to a specific person on other grounds. This could include, for example, information about other Employees, customers or suppliers, patients, such as name, sex, photograph, date of birth, e-mail address, information on health status (in particular as regards clinical trial and pharmacovigilance activities).
2. "Processing" means any processing of personal data, such as the obtaining, retention, storage, reprocessing, transmission or destruction of personal data. Sending an e-mail containing personal data, entering data into a sharing platform or a CRM, deleting an e-mail, etc. are processing activities whenever they involve personal data.
3. Personal data may also include "sensitive personal data" or “data warranting special protection”, such as data relating to health, religious or philosophical beliefs, racial or ethnic origin, political opinions, trade-union membership, genetic data, biometric data uniquely identifying a natural person, data concerning a person’s sex life or sexual orientation (sensitive data), personal data relating to criminal offences and/or convictions, or personal data relating to minors under sixteen years of age. Whenever we process sensitive personal data, we must comply with the stricter requirements (see section “Personal data and personality profiles requiring special protection”).
4. The processing of personal data in the context of pharmacovigilance is also subject to specific requirements deriving from Regulation (EU) No 1235/2010 and Directive 2010/84/EU:
a. Adverse event reports: Reports of suspected adverse drug reactions (ADRs) contain sensitive health data which must be treated with the utmost care. The processing is based on specific legal obligations (protection of public health) and does not require the data subject’s consent.
b. Retention periods: In accordance with the EMA Good Pharmacovigilance Practices (GVP) and regulatory obligations, pharmacovigilance reports and the related documentation must be retained for the entire life cycle of the medicinal product and for a minimum period of 10 years after the withdrawal or expiry of the Marketing Authorisation (MA). This obligation constitutes a legitimate exception to the general principle of storage limitation (Art. 5(1)(e) GDPR).
c. Limited access: Access to pharmacovigilance data is reserved exclusively to authorised personnel and to the appointed pharmacovigilance officers, in compliance with the principle of minimisation.
d. International transfers: Adverse event reports transmitted to the competent authorities through pharmacovigilance networks (e.g. EudraVigilance) or other mandatory channels take place in strict compliance with Chapter V of the GDPR. For Authorities of Third Countries without an adequacy decision, the transfer is carried out by virtue of the need to safeguard important reasons of public interest (pharmacovigilance and patient safety), pursuant to Art. 49(1)(d) of the GDPR.
5. In addition to the general provisions, SINTETICA recognises that its pharmaceutical activities are subject to specific regulations that complement data protection:
a. Regulation (EU) No 536/2014 on clinical trials: The processing of data of participants in clinical trials must comply with the specific provisions of the regulation, including strict pseudonymisation and the obligation to retain the Trial Master File (TMF) for at least 25 years after the conclusion of the study.
b. GxP regulations (Good Practice): All data processing activities relating to clinical trials (GCP), laboratories (GLP) and pharmacovigilance (GVP) must ensure the integrity, inalterability and traceability of data in accordance with the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring and Available).
c. Regulatory retention obligations: Data relating to clinical trials, adverse event reports and regulatory documentation are retained for the minimum and maximum periods bindingly established by the competent Authorities (EMA, FDA, Swissmedic, AIFA). Such extended retention falls within the specific exceptions provided for by Art. 5(1)(e) of the GDPR for processing for scientific research purposes and for public interest in the healthcare sector.
3. Responsibility for the application of this policy
This policy is binding on the Company and the Employees whenever they process personal data of natural persons in the course of carrying out their activities at SINTETICA, regardless of whether this takes place in electronic or paper form. The provisions of the Directive form part of the contractual obligations of the employment contract with the Employee, which must always be complied with.
4. Elements of the policy
Which principles must be observed for the processing of personal data
Every Employee of SINTETICA must respect the data protection principles (lawfulness, fairness and transparency, clear definition of purpose, data minimisation and data protection by design and by default, accuracy, storage limitation, confidentiality and integrity) when processing personal data.
The meaning and requirements of these data protection principles, which must always be observed by SINTETICA and its Employees, are explained in greater detail below.
Lawfulness of processing (legal basis)
a. Personal data may only be processed lawfully. This is the case if at least one of the following conditions is met:
• The data subject has given valid consent to the processing of their personal data for the specific purpose (e.g., processing for advertising purposes, newsletters);
• The processing is necessary for the performance of a contract with the data subject, or it is necessary for the implementation of pre-contractual measures taking place at the data subject’s request (e.g., the preparation of offers, the shipment of purchased products to the buyer’s address, the collection and processing of the Employee’s data for the performance of the employment contract; further explanations under point c) below);
• The processing is necessary for compliance with a legal obligation to which SINTETICA is subject (e.g., retention obligations under civil or tax law);
• The processing is necessary to safeguard the legitimate interests of SINTETICA. Processing on the basis of legitimate interests may take place only if, in the individual case, the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not override the legitimate interests. The reasonable expectations of the data subject based on their relationship with SINTETICA shall be taken into account. Interests deserving protection must be examined and documented for each processing operation. Examples of legitimate interests may be: the protection of Employees and their personal data, the protection of our trade secrets and our assets, the security of our systems and our premises, the maintenance and efficient organisation of business operations, the improvement and development of our products and services, compliance with legal and regulatory requirements, the prevention of fraud, offences and crimes as well as investigations in connection with such offences and other inappropriate behaviour, participation in legal proceedings, the establishment, exercise or defence of legal claims. If there is an intention to collect and process personal data on the basis of legitimate interests, the Advisor must be contacted.
b. Consent
To the extent that consent is the basis of the processing, in order for it to be valid (e.g., in the context of advertising), special requirements must be met. Consent is valid only if it is ensured that it has been given voluntarily, for a specific case, in an informed manner and unambiguously, in the form of a statement or another unequivocal act of confirmation. In addition, for each consent, we must be able to demonstrate that the data subject has consented to the processing of their personal data for the specific purposes (e.g., a written or electronic statement, opt-in to receive a newsletter, etc.).
Furthermore, the data subject has the right to withdraw consent at any time and without any prejudice. The data subject must be informed of this right before giving consent, as well as of the fact that the withdrawal of consent does not affect the lawful processing of personal data up to the time of withdrawal.
In case of ambiguity or questions on the lawfulness of processing, the Advisor must be contacted.
c. Processing of data in the employment relationship
In the employment relationship, only those personal data may be collected and processed that are necessary for the establishment, performance and termination of the employment contract. In this context, data processing must always be related to the purpose of the employment contract, unless there is another reason for lawfulness (e.g. the consent of the Employee or a legitimate interest of SINTETICA).
During the recruitment procedure, personal data necessary to assess the candidate’s possible suitability for any employment may be collected. After rejection, the applicant’s personal data must be deleted, taking into account the time limits provided for by the applicable rules (in particular, statutory limitation periods should be considered). If SINTETICA wishes to retain the personal data for a subsequent position or for another recruitment procedure, the candidate’s consent is required, with notification of the retention period (e.g., for a further 12 months). Obtaining references from former employers or extracts from registers (e.g., the criminal record) generally requires the candidate’s consent or a legal basis. For details, please refer to the document “PRIVACY NOTICE ON THE PROTECTION OF PERSONAL DATA OF SINTETICA SA EMPLOYEES”.
d. Implementation of monitoring measures within the employment relationship
Monitoring measures requiring the processing of Employees’ data may, in principle, only be carried out where there is a legal obligation or a legitimate purpose. In addition, monitoring measures must be appropriate and necessary to achieve the legitimate purpose (the least intrusive means must be chosen and the measure must be proportionate). In this context, the legitimate interests of the Company must be weighed against the interest of the affected Employee, worthy of protection, in not being subjected to the measure. In addition, data subjects must be informed, unless there is a particular reason justifying the implementation of the monitoring measure without prior information (e.g., to prevent an imminent offence in the context of a criminal investigation). The legitimate interests of the Company and the possible interests of the Employees worthy of protection must be determined and documented before adopting any measure.
If the intention is to carry out monitoring measures, the Advisor must be contacted.
e. Telecommunications and Internet
Telephone systems, e-mail addresses, intranet and internet, as well as social networks (where circumstances so require) are made available to Employees as work tools for the management of business operations. They may be used within the framework of the applicable legal provisions and corporate guidelines.
Systematic monitoring of telephone and e-mail communications, as well as of the use of the Internet and Intranet, does not take place.
For the security and defence against attacks on the IT infrastructure and to protect Employees or other interested parties, SINTETICA may implement protective measures that, for example, block technically harmful content or analyse attack patterns. In addition, the use of the IT infrastructure may be recorded for a limited period of time for this purpose (so-called log files).
Evaluation of these data with reference to individual persons may be carried out only in case of concrete and justified suspicion of a violation of the law or of SINTETICA’s guidelines (see point d) above), in compliance with the applicable legal provisions and with the requirements of the ICT AUP (Acceptable Use Policy).
In case of uncertainties or questions on the implementation of monitoring measures, the Advisor must be contacted.
Personal data and personality profiles requiring special protection
The following stricter requirements must be observed when processing personal data that require special protection:
a) Sensitive personal data or data warranting special protection: the processing of sensitive personal data is in principle prohibited, unless:
• the data subject has explicitly consented to the processing of the data;
• the processing is necessary for the fulfilment of legal obligations, in particular in the field of labour law and social security and social protection law; or
• the processing has been explicitly authorised, taking into account the protection of personal data.
b) Personal data of minors: Personal data of minors (under 16 years of age) require the consent or approval of the holder of parental authority or a legal basis that expressly allows the processing, in order for the processing to be lawful.
c) Personal data relating to criminal offences and/or convictions: Personal data relating to criminal offences and/or convictions may only be processed where this is necessary or permitted by law.
Furthermore, these categories of personal data are subject to special protection and security measures which must be implemented in the strictest form, in order to protect personal data in particular against unauthorised processing, access and disclosure (e.g., encryption, minimum access authorisations; see paragraph “Confidentiality and integrity”). In case of uncertainties or questions on the collection, processing or safeguarding of these categories of personal data, the Advisor must be contacted.
The same applies to information that allows conclusions to be drawn about essential characteristics of persons, such as character traits (so-called personality profiles). This may be the case, for example, with job application dossiers.
If you obtain such personal data, you must inform the data subject in advance (see following paragraph Fairness and transparency).
In view of the potential implications and potential risks linked to the processing of data warranting special protection, any procedure involving such processing must be submitted to the Advisor already at the design stage (privacy by design) as well as at the implementation stage. For this type of processing, it is also necessary to provide for a regular review at scheduled intervals, in order to ensure its lawfulness over time.
Fairness and transparency
The data subject must be informed in a complete, good-faith and clear manner regarding the processing of data at the time of collection of personal data. The information must be provided in an understandable and easily accessible form and in clear and as simple language as possible. The information must contain at least the information referred to in Annex I of this Directive.
The information must be communicated in writing, electronically, via the website, in applications (e.g., through a privacy notice and, where applicable, cookie notices) or in another adequate form documented for evidentiary purposes.
On the website or in the case of apps, the privacy notice (including cookie notes) must be integrated in such a way that it is easily recognisable, immediately accessible and permanently available for users or data subjects.
If user profiles are created to evaluate the behaviour of users of websites or apps (tracking), data subjects must be informed of this in the privacy notice. In addition, personal tracking may only take place if it is legally permitted or if the data subject has given their consent. If access to personal data is made possible on websites or apps in an area requiring registration/login, the identification (e.g., username) and authentication (e.g., password) of data subjects must be designed in such a way as to obtain adequate data protection for the respective access.
If the personal data are not collected directly from the data subject, but through a third party, we will take reasonable measures to ensure that the third party has communicated the necessary information to the data subject in accordance with this policy. In any event, we will ensure that the information is provided to the data subject within one month of receiving the personal data.
By way of exception, it is not necessary to communicate the information referred to in Annex I if one of the following conditions occurs:
• the data subject is already in possession of the information;
• the provision of this information proves impossible or would require disproportionate effort;
• the obtaining or disclosure of personal data is expressly governed by law; or
• personal data are subject to professional secrecy or another special obligation of confidentiality under the law and must therefore be treated confidentially.
In case of uncertainties or questions on the information requirements, the Advisor must be contacted.
Clear definition of the purpose of processing
Personal data may only be collected for specific, explicit and legitimate purposes which:
• have been previously communicated to the data subject in a transparent manner (see above “Fairness and transparency”);
• are clearly recognisable to the data subject due to the circumstances; or
• are prescribed by law.
Personal data may not be further processed for other purposes that are incompatible with these purposes. The collection of data without a defined and clear purpose is not permitted.
If the intention is to further process personal data for purposes other than those originally specified, data subjects must be informed in advance of the new purposes and of all other relevant information in accordance with Annex I and, if necessary, consent must be obtained.
If there is the intention to use personal data for purposes other than those originally specified and/or if it is unclear whether the new purposes are compatible with the original ones, the Advisor must be contacted.
Data minimisation, data protection by design and by default
Personal data must be adequate for the purpose and limited to what is necessary for the processing. Where possible, the processing of identifying personal data should be avoided altogether and, where possible and appropriate, personal data should instead be pseudonymised or anonymised (e.g., in statistical evaluations or surveys).
The same applies to the selection of data processing systems. Data protection must be integrated into the specifications and architecture of data processing systems from the outset, in order to comply as much as possible with the principles of data protection and privacy, including in particular the principle of data minimisation.
Accuracy
Personal data must be accurate, complete and, where necessary, up-to-date. All reasonable measures shall be taken to ensure that personal data which are inaccurate, incomplete or out-of-date in relation to the purposes for which they are processed are deleted, rectified, completed or updated without delay.
Storage limitation
Personal data may be processed only for as long as is necessary to achieve the purpose for which they were collected, unless longer retention is necessary for the following reasons:
• for the fulfilment of legal obligations (e.g. archiving and documentation obligations, e.g. under civil or tax law);
• to fulfil contractual or pre-contractual obligations; or
• to satisfy the legitimate commercial interests of SINTETICA (e.g., the establishment or defence of legal claims).
In this case, appropriate technical and organisational measures must be implemented (e.g., pseudonymisation, restriction to a very limited group of persons) to adequately protect the personal data.
Where possible, systems should be provided that allow the automatic destruction of personal data once the retention periods have expired.
Retention periods must be re-evaluated on a regular basis, and the procedures put in place for the destruction/deletion of data once retention periods have expired must be verified with the same frequency.
Confidentiality and integrity
Personal data must be processed confidentially and processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.
Unauthorised collection, processing or use is prohibited. Unauthorised processing means any processing carried out by SINTETICA or by an Employee without being entrusted with it as part of the performance of their duties and without being authorised accordingly (e.g., the unauthorised transmission of personal data or its accessibility to unauthorised Employees or third parties or its use for private purposes). On the basis of the need-to-know principle, Employees may have access to personal data only if and to the extent necessary for their respective duties.
To this end, we adopt appropriate technical and organisational measures, which include in particular the following measures:
• Pseudonymisation and encryption of personal data: we pseudonymise, encrypt or otherwise encode identifiable information to prevent the identification of the data subject, where reasonably possible and appropriate;
• Ensuring the confidentiality, integrity, availability and resilience of systems and services relating to the processing of personal data;
• A careful division and separation of roles and responsibilities, as well as their implementation and maintenance within the framework of authorisation concepts according to the need-to-know principle (each Employee should in principle be able to access only and exclusively the information that is necessary for the performance of their task);
• Rapid restoration of the availability of and access to personal data in the event of a physical or technical incident;
• Privacy by Design and by Default: we take sufficient account of data protection and the protection of the rights and freedoms of data subjects when determining the means for data processing already in the design phase of new projects, activities, services and for the use of new technologies. We collect and use only the personal data that are actually necessary for the specific purpose of processing. In addition, we limit the scope of their processing, the retention period and their accessibility to the necessary minimum;
• Implementation of a process for regularly reviewing and assessing the effectiveness of the technical and organisational measures adopted to ensure the security of data processing.
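The pseudonymisation measure listed above is easy to get wrong: an unkeyed hash of an e-mail address or name is not a usable pseudonym, because anyone holding the data set and a list of plausible identifiers can recompute the hash and re-identify the record. The following is an added example, not part of this Directive and not code from SINTETICA’s systems, contrasting that naive approach with keyed pseudonymisation (HMAC-SHA256), where the key is held separately from the pseudonymised data set; the sample records are constructed, and the function and key names are assumptions made for illustration only.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records (not real persons): two events belong to the
# same data subject and must remain linkable after pseudonymisation.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "anna.rossi@example.org", "event": "ADR report received"},
    {"email": "marco.bianchi@example.org", "event": "follow-up requested"},
    {"email": "anna.rossi@example.org", "event": "follow-up closed"},
]


def _normalise(identifier: str) -> bytes:
    """Canonicalise the identifier so that case/whitespace variants map to one pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but is reversible by enumerating candidates."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def new_pseudonymisation_key() -> bytes:
    """Hypothetical key generation: in practice the key lives in a KMS/HSM,
    outside the pseudonymised data set and under separate access control."""
    return secrets.token_bytes(32)


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. Same identifier + same key -> same pseudonym,
    so records stay linkable; without the key the pseudonym cannot be recomputed."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with a keyed pseudonym; drop the identifier itself."""
    return [
        {"subject_id": keyed_pseudonym(r["email"], key), "event": r["event"]}
        for r in records
    ]


def reidentify_by_enumeration(
    pseudonym: str, candidates: Iterable[str], fn: Callable[[str], str]
) -> Optional[str]:
    """Attacker model: holds the pseudonymised data set plus a list of plausible
    identifiers (e.g. a leaked address book) and the pseudonymisation function fn."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


def demo() -> Dict[str, object]:
    """Run both schemes against the same candidate list and report the outcome."""
    key = new_pseudonymisation_key()
    pseudonymised = pseudonymise(SAMPLE_RECORDS, key)
    candidates = [r["email"] for r in SAMPLE_RECORDS]
    target = SAMPLE_RECORDS[0]["email"]
    return {
        # linkability preserved: records 0 and 2 share a subject_id
        "linkable": pseudonymised[0]["subject_id"] == pseudonymised[2]["subject_id"],
        # unkeyed hash: attacker recovers the identifier
        "naive_reidentified": reidentify_by_enumeration(
            naive_pseudonym(target), candidates, naive_pseudonym
        ),
        # keyed pseudonym, attacker without the key: enumeration fails
        "keyed_reidentified_without_key": reidentify_by_enumeration(
            pseudonymised[0]["subject_id"], candidates, naive_pseudonym
        ),
        # the controller, holding the key, can still resolve the pseudonym
        # (which is why this is pseudonymisation, not anonymisation)
        "keyed_reidentified_with_key": reidentify_by_enumeration(
            pseudonymised[0]["subject_id"], candidates, lambda c: keyed_pseudonym(c, key)
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for the practitioner is the last two results: the pseudonym is only as strong as the separation between the key and the data set, and whoever holds the key can re-identify, so key access must be restricted under the same need-to-know rule as the clear data.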
Processing entrusted to third parties (“Processors”)
Processing on instruction occurs when a third party (Processor) processes personal data on behalf of SINTETICA and in its name and on its instruction, without the Processor being the holder of the business process in question. It is recalled that SINTETICA retains full responsibility for the correct execution of the processing of personal data. The Processor may process personal data only in accordance with SINTETICA’s instructions and only for the purposes defined by SINTETICA or provided for by law. If the Processor is located outside Switzerland or the EU, the requirements set out in the paragraph below “Transfer of data outside Switzerland and the EU” must be observed. In the case of processing by a Processor, the following conditions must be met:
• The Processor must be carefully assessed with regard to sufficient guarantees, on the basis of which the data processor must implement appropriate technical and organisational measures, in such a way that the processing of personal data takes place in accordance with this Directive and with the requirements of applicable data protection law and that the protection of the rights of data subjects is ensured. The verification of safeguards must be repeated regularly during the cooperation;
• A written processing agreement must be concluded with each Processor, which regulates, among other things, the subject and duration of the processing, the type and purpose of the processing, the type of personal data, the categories of data subjects, the guarantee of data security through the implementation of appropriate technical and organisational measures, as well as other obligations of the data processor. Caution: the contract is not a mere formality. Each confirmation and/or guarantee provided by the Processor must be verified and effective. In case of doubt, any waiver of an audit (inspection) as (generally) provided for in contracts between the Controller and the Processor, or of other verifications, may expose the Company to greater risks and liabilities.
• If the intention is to outsource personal data to a Processor, the Advisor must be contacted.
Transfers of data outside Switzerland and the EU
If personal data are transferred to third parties (e.g. branch, contractual partner, authority), this may take place only lawfully, i.e. if there is a legal ground in accordance with the section “Lawfulness of processing” (e.g. contract, law or consent). Furthermore, the recipient must be obliged to use the personal data only for the specified purposes. Caution: numerous applications and cloud services involve a transfer of data abroad even when the sender and the final recipient are in the same country. Before a transfer abroad (or outside the EU) and before using cloud-based or potentially cloud-based systems and solutions, specific verifications must be carried out and, where appropriate, a data transfer impact assessment (DTIA) must be conducted.
Transfers of personal data outside Switzerland and the EU to a third country with an inadequate level of data protection will not take place unless the data subject has actionable rights and effective remedies and SINTETICA has provided appropriate safeguards, such as, for example:
• EU standard data protection clauses (SCCs and addendum for Switzerland);
• Binding internal data protection rules;
• Approved code of conduct;
• Approved certification mechanism; or
• If there is an exception for specific cases (e.g., the explicit consent of the data subject or for the establishment, exercise or defence of legal claims).
If there is the intention to transfer personal data outside Switzerland and the EU or to give access to personal data to a third party located outside Switzerland and the EU, the Advisor must be contacted.
5. Content
Rights of data subjects
We always process personal data in compliance with the rights of the Data Subject. In principle, the law of the country of domicile of the Data Subject (not nationality) applies. Several countries have adopted, are adopting and will adopt regulations on privacy protection with extraterritorial scope. This essentially means that the law of the State of residence of the Data Subject applies regardless of where the processing takes place, and therefore also if abroad. Both the GDPR and the new FADP, as well as other regulations, provide for such mechanisms. The rights under the FADP, the new FADP and the GDPR are summarised below. In any case, each request or claim must be contextualised and analysed, in order to formulate a response that is consistent and compliant with applicable law. As a matter of principle, every request must be forwarded to the Advisor.
a) Right to be informed
The data subject has the right to be transparently informed about the personal data being processed concerning them. The information to be provided to the data subject at the time of data collection is listed in Annex I of this Directive.
b) Right of access
The data subject has the right to request confirmation from us of the processing of personal data concerning them. In case of such a request, the information listed in Annex II must in principle be provided to the person making the request.
The competent Department will provide a copy of the personal data being processed free of charge. A reasonable fee based on administrative costs may be requested for any further copies requested by the data subject.
If the data subject submits a request in electronic form, the information will be provided in a commonly used electronic format. ATTENTION: the transmission of personal data must take place in a secure manner. Always ask for the explicit consent of the Data Subject for the transmission of data via the internet. Where appropriate, provide for adequate encryption of the data.
In any case, it must be ensured that the provision of information does not adversely affect the rights and freedoms of other persons.
c) Right of rectification, completion and erasure
The data subject has the right to obtain from SINTETICA the rectification of personal data concerning them without undue delay, if these prove to be inaccurate. They may also request the completion of incomplete personal data. Furthermore, they may request the erasure of their data if the conditions are met.
d) Right to object and restriction
The data subject has the right to object to the processing of their personal data on legitimate grounds and, if the conditions are met, to ask SINTETICA to restrict the processing.
e) Right to data portability
The data subject has the right, if the conditions are met, to obtain the personal data concerning them which they have provided to SINTETICA in a structured, commonly used and machine-readable format, and to transmit them to another Controller.
f) Right to object to direct marketing (including profiling)
If personal data are processed for direct marketing purposes (including profiling), the data subject has the right to object to such processing at any time.
g) Right not to be subject to automated decision-making in individual cases (including profiling)
The data subject has the right not to be subject to a decision based solely on automated processing (including profiling), i.e. a decision taken by automated means without the involvement of a natural person (e.g. automatic rejection in an online application procedure), where the decision produces legal effects concerning them or similarly significantly affects them. Such a decision is permitted only in the following cases:
• the decision is necessary for entering into, or the performance of, a contract between the data subject and SINTETICA;
• it is authorised by applicable law; or
• the data subject has given their explicit consent.
In these cases we will take suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject, who will in any event be able to obtain a review of the decision by a human operator.
h) Handling and responding to such requests
Each department must ensure that the systems and processes used comply with the requirements to guarantee the rights of data subjects.
When handling a request, the identity of the data subject must be established beyond doubt. If there are reasonable doubts about identity, further information may be requested from the applicant. It must also be examined whether, owing to particular circumstances and prerequisites, the response to the request must be delayed, restricted or refused.
The data subject will be informed within one month at the latest of the measures taken on their request.
Corresponding requests from data subjects must be forwarded immediately to the Advisor.
In view of the regulatory obligations specific to the pharmaceutical sector and of the need to protect public health and the scientific validity of research, certain rights of data subjects may be subject to limitations in the following circumstances:
1. Right to erasure (Art. 17 GDPR): The right cannot be exercised (pursuant to Art. 17(3)) where processing is necessary for:
a. Fulfilling legal obligations and regulatory retention obligations (e.g. clinical trial documentation and medicinal product registration dossiers).
b. Maintaining the traceability and safety of medicinal products.
c. Ensuring patient safety through pharmacovigilance systems.
2. Right of access (Art. 15 GDPR): The right to obtain a copy of the data may be limited or deferred over time when such access would risk compromising:
a. The trade secrets and intellectual property rights of SINTETICA SA.
b. The scientific integrity of an ongoing clinical trial (e.g. risk of premature unblinding). In such cases, full access will be granted only at the end of the study.
c. The integrity and confidentiality of ongoing investigations into suspected adverse events.
3. Right to portability (Art. 20 GDPR): This right applies exclusively to processing carried out by automated means on the basis of consent or of a contract. It is therefore not applicable to data processed to fulfil legal obligations (e.g. pharmacovigilance) or for the performance of a task carried out in the public interest.
In all cases in which SINTETICA must limit or refuse the request to exercise a right, the data subject will be informed without undue delay, and in any case as a rule within one month of receipt of the request, of the reasons for non-compliance. At the same time, pursuant to Art. 12(4) of the GDPR, the data subject will be informed of the possibility of lodging a complaint with a Supervisory Authority (e.g. the Federal Data Protection and Information Commissioner, or the Italian Data Protection Authority) and of seeking a judicial remedy.
Register and documentation of data processing
SINTETICA keeps a Register of all data processing activities and documents that its processing activities comply with data protection laws. This includes a description of the processing activities, as well as the performance of regular audits to verify continued compliance with the applicable legal parameters and conditions. In part, such audits may be carried out with the help of digital systems.
Furthermore, SINTETICA shall keep written documentation of the following documents:
• All policies, instructions and other documents that ensure the protection and security of data.
• All registrations, notifications, authorisations and other interactions with data protection authorities concerning the processing of personal data;
• All contracts with third parties on the protection and security of data, including commissioned data processing or cooperation with subsidiaries or third parties;
• All SINTETICA data processing activities for the purposes of compiling the Register, including verification of compliance with this Directive and with applicable data protection laws, the data protection impact assessment, where relevant, and the decision of the responsible Department on any new or modified data processing;
• All identified or suspected data protection breaches;
• All third-party complaints and legal matters concerning the processing of personal data.
Each department must appoint a person responsible for documenting all the necessary information on the data processing activities of the respective department, in accordance with legal requirements, and reporting it to the Data Protection Advisor. In case of questions or ambiguities, the Advisor must be contacted.
New and modified data processing operations
Each department shall contact the Advisor for any new or modified data processing and shall arrange for the following measures to be taken:
• Description of the data processing for the Register;
• Audit of compliance with applicable data protection policies and laws;
• Carry out a data protection (and/or transfer) impact assessment when using new technologies or when processing entails a high risk for the rights and freedoms of data subjects;
• Implement appropriate measures to address the compliance gaps identified before starting data processing.
Data breach notification
Every Employee must immediately report to the Advisor or to General Management or to another person designated by them, any possible breach of this Directive or of the security of Personal Data resulting in the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The Advisor, with the support of the specialised departments concerned and, where necessary, external specialists, will verify the incident to establish whether a data protection breach may have occurred and, if so, will report it to the competent supervisory authorities and to the data subjects where required. The Advisor will also take all further measures provided for by data protection legislation in order to minimise, as far as possible, the effects of the breach for the data subjects and for the Company.
The notification must include all relevant information to clarify the facts, in particular the specialist department concerned, the nature and extent of the breach, if possible an approximate number of data subjects concerned and a description of the likely consequences of the breach for the data subjects.
SINTETICA has an incident response plan in place, where the procedures and the internal and external resources (where applicable) that must be activated in the event of an incident and of a (suspected) breach of the integrity of personal data are foreseen.
Monitoring and sanctions
Compliance with this Directive and with applicable data protection laws is regularly verified through data protection audits and other controls. The audit may be carried out by the Advisor, by internal company resources or by third parties. Every Employee is required, to the extent of their competence, to cooperate with auditors and to provide the necessary information for a proper verification of compliance with the applicable regulations.
Failure to comply with the rules for the protection of data subjects may entail considerable liability and claims for compensation against SINTETICA. For this reason, non-compliance with or violation of the Directive may entail measures under labour law (including dismissal without notice or ordinary dismissal), as well as criminal and/or civil sanctions and claims for damages.
6. Continuous improvement
Any improper conduct or conduct not in compliance with the content of this Policy will be handled as set out in the Compliance Policy.
7. Annexes
Annex I: Right to be informed
Annex II: Right of access
Annex I - Right to be informed
When we collect personal data, we inform the data subject or data subjects of the following before the time of collection:
a) The name and contact details of SINTETICA and, where applicable, of its representative in the EU, and the contact details of the Advisor for the protection of personal data;
b) Where applicable, the contact details of the data protection officer;
c) The categories of data subjects concerned and the personal data collected from the data subjects;
d) The source of the personal data (if not collected directly from the data subject) and, where applicable, whether they come from publicly available sources (e.g., social media);
e) The purposes for which the personal data are to be processed and the legal basis of the processing, including legitimate interests where applicable (see policy sections on “Lawfulness of processing” and “Clear definition of the purpose of processing”);
f) Where applicable, the recipients or categories of recipients of the personal data; and
g) Where applicable, whether there is the intention to transfer personal data to a third country and how an adequate level of data protection is ensured.
In addition, we will provide data subjects with further information necessary to ensure fair and transparent processing at the time of collection of personal data:
• The duration of retention of the personal data or, if not possible, the criteria for determining the duration;
• The existence of the rights of data subjects (right of access, rectification, erasure, restriction of processing or right to object to processing, as well as the right to data portability, see policy section “Rights of data subjects” in “Content”);
• The right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent up to the time of withdrawal;
• The right to lodge a complaint with the competent supervisory authority;
• Whether the provision of personal data is required by law or by contract or necessary for the conclusion of a contract, whether the data subject is obliged to provide the personal data and what the possible consequences are of failing to provide the personal data; and
• The existence of automated decision-making, including profiling, and meaningful information about the logic involved and about the scope and intended effects of such processing for the data subject.
Annex II - Right of access
When the data subject submits a request for information on the personal data being processed, the following information will be provided to them:
a) The purposes of the processing;
b) The categories of personal data processed;
c) The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries;
d) Where possible, the envisaged retention period of the personal data or, if not possible, the criteria for determining that period;
e) The existence of a right to rectification or erasure of personal data concerning them or to the restriction of processing by the Controller, or the right to object to such processing;
f) The right to lodge a complaint with the competent supervisory authority;
g) Where personal data are not collected from the data subject, any available information on the origin of the data;
h) The existence of automated decision-making, including profiling, and meaningful information about the logic involved and about the scope and intended effects of such processing for the data subject;
i) Where personal data are transferred to a third country, the data subject will have the right to be informed of the appropriate safeguards in place to ensure adequate data protection.
9. Pharmacovigilance
If you use email or other unencrypted internet channels to communicate adverse reactions or other circumstances subject to mandatory reporting, please note that transmitting data over the internet without adequate security measures poses increased risks to privacy. For enquiries about privacy and the processing of personal data, please contact us at privacy@sintetica.com.
To report adverse events or any other circumstance subject to mandatory reporting, we invite you to use the contact details found at https://sintetica.com/pharmacovigilance.
In any case, we strongly recommend that you do not transmit personal data that is not indispensable or mandatory. Through data minimisation and other technical and organisational measures, Sintetica constantly strives to protect personal data.
10. Applications and recruiting
For SINTETICA, employees are not only a valuable resource, but first and foremost people. The protection of SINTETICA employees begins at the recruiting stage. Applications are managed through third-party vendor systems, selected with the privacy of candidates in mind. In principle, spontaneous applications sent to SINTETICA are reviewed by Human Resources. The assessment, depending on business needs, may take from 6 to 12 months. Candidates who wish to withdraw their application, to obtain detailed information about data protection measures, or to assert any other right (see section 13 “Your Rights” below) may contact us at: privacy@sintetica.com.
11. Security
The Company implements and regularly updates organizational and technical measures to maintain the security of personal data and to protect it from unauthorized or unlawful processing, accidental loss, alteration, disclosure, or unauthorized access.
The Company may use third parties as data processors to collect and process your personal data. The data processors we engage will process your personal data only in accordance with our instructions and are required by law to take strict security precautions when processing personal data.
The transmission of information over the internet is not completely secure. Despite our efforts to protect your personal data, we cannot guarantee the security of data transmitted to our website; any such transmission is at your own risk, without the Company assuming any responsibility. For this reason, you may send us your personal data by other means, such as by telephone. Once we receive your data, we apply strict procedures and security measures to prevent unauthorised access.
12. Privacy statements of third-party suppliers
Please note that if you click on a link to a third-party website, you will be redirected to a website that we do not control and our privacy policy will no longer apply. Your browsing and interaction on another website is subject to the terms of use, privacy statements and notices of those third-party websites. We encourage you to carefully read the terms of use, privacy statements and notices of other websites before submitting personal information through this site. We are not responsible for the informational content and data processing of such third-party websites.
13. Your Rights
You have the right to assert your data protection rights at any time and, with proof of identity, to obtain information about your stored personal data, to correct or supplement it, to object to the processing of your personal data, or to request the deletion of your personal data.
Any request in the above terms should be sent to privacy@sintetica.com
Please note that even after a request for deletion of your personal data, we may be unable to comply with it because of legal or contractual retention obligations or where the data are necessary to enforce a right of ours.
If in doubt, you can contact us at privacy@sintetica.com. Please bear in mind that processing requests under this section may take at least 60 days.
14. Changes
SINTETICA SA reserves the right to adapt, supplement or otherwise change this Data Protection Policy at any time and without stating reasons. The updated version of this declaration is available upon request at privacy@sintetica.com.
Version 1.1, September 2023