EFFECTIVE DATE: 10 January 2020 V02

PRIVACY POLICY – REMEDICA LIMITED

Introduction

Remedica Limited (hereinafter referred to as “Remedica” or the “Company”) is committed to the protection of your privacy and security of your personal data. References in this Data Privacy Policy to “we”, “us”, “our” and ‘‘Remedica” are references to Remedica.

This Data Privacy Policy (hereinafter referred to also as the ‘‘Policy’’) explains the type of personal data that we collect, and, the manner and/or method that we collect, transfer, process, use and disclose your personal data, as well as, the security practices that we apply in order to protect your personal data. Additionally, the Policy contains information, in connection to third parties that receive your data, as well as, information in association to your rights under local applicable Data Protection Laws, and, the relevant European Regulation of General Data Protection (hereinafter referred to as “GDPR”).

Certain key terms are used in this Policy such as ‘personal data’, ‘processing’, and, ‘Data Protection Laws’. These are defined in the “Key Definitions” section included in Annex 1.

This Policy applies to:

Remedica’s Contractors,

Remedica’s suppliers, associates and partners.

To the parties which control the use of your personal data

Remedica is a private limited company, situated in Aharnon Street, Limassol Industrial Estate, 3056, Limassol, Cyprus. Remedica, as per the definitions and principles of the relevant legal and/or legislative framework, acts under the capacity of the ‘data controller’, of your personal data, since, it collects personal data for the purposes described in this Policy.

Compliance with principles of Data Protection Laws

Remedica adheres to the principles of the applicable Data Protection Laws, including GDPR, and, as a result, your personal data will be:

i. processed lawfully, fairly and in a transparent manner;
ii. collected for specified, explicit and legitimate purposes;
iii. collected in an adequate and, relevant manner, and, shall be limited to what is necessary;
iv. be maintained accurate and up-to-date, provided that in case of any updates and/or changes you will inform the designated individual(s) of Remedica accordingly;
v. kept only for the time period considered as necessary for the specified purpose or purposes; and
vi. Processed in a manner that maintains the integrity and confidentiality of your data.

Personal data collected by Remedica:
The type of data, which Remedica may collect (both in paper and/or electronic format), is the type of data that is considered as appropriate, and, permitted by the applicable Data Protection Laws.
The collected data may include amongst other, the following information:

i. Contact details, including name and surname, address, telephone number, and email;
ii. Identification information, including date of birth, passport number, sex, ID number, and other information relevant to your identification;
iii. Financial information, including bank account numbers, VAT registration number, social insurance number, credit/debit card numbers, other financial information required for receiving payments and fraud prevention;
iv. Business related information, information provided to us in the course of our contractual relationship with you and/or your organization associated with Remedica’s commercial affairs;
v. Recruitment related information, including curriculum vitae, educational or professional background, relevant academic certificates and/or certifications, job title, employment history and other information relevant to potential recruitment; and/or
vi. Any other categories of personal data you may provide to us in the course of our business relationship.

Complementary to the above, special categories of personal data collected by Remedica include:

i. Data regarding the health of an employee connected with sick leave or attendance at medical appointments;
ii. Data regarding the health of individuals visiting Remedica’s offices, where such information is required to facilitate their visit/participation, and, protect their health/wellbeing, taking into consideration the specific industry within which Remedica operates (e.g. information on disability or special dietary requirements).

From where do we collect personal data?

Most of the personal data will be collected directly from you, as a result of your interaction with us. Certain personal information (i.e. name, job title, business email address, business address and/or mobile phone number) may be provided to Remedica by third parties (such as your employer) on your behalf, for the purpose of contacting you in connection to matters associated with Remedica’s business activities. Remedica may also collect personal data from publicly-available sources such as a company website, commercially published directory, etc.

Website Cookie Policy

Remedica’s cookie policy is available and accessible at http://www.remedica.eu/cookie-policy/.

Legal basis for processing your information;

According to the Data Protection Laws, and, GDPR, we are required to ensure that there is an appropriate basis/ground for the processing of your personal data, and we are required to inform you of this basis/ground accordingly. The main bases, upon which we process your personal data, are the following:

i. Performance of a contract or agreement which has been entered into between yourself, and, Remedica– we collect and use your data primarily for the purpose of managing our working relationship with you (i.e. meet our contractual duties), for example, in order to provide services, to communicate with you, and, otherwise to fulfill any contractual obligations owed to you.

ii. As per applicable law– Remedica may be required under local laws to maintain records that are to include personal information, such an example is mandatory reporting. In particular, Remedica processes personal data relating to suppliers, manufacturers, marketing authorization holders, wholesalers, associates, customers, and, persons authorized or entitled to supply medicines to the public, and, other relevant parties, as per their capacity as the legal and/or authorized representatives of the legal entity and/or organization where they are employed and/or which they represent.

iii. Matters associated with legal and/or judicial proceedings.

iv. To fulfill our legitimate business interests– Remedica also may process your personal data to pursue its legitimate business interests, which shall include planning for, conducting and monitoring the activities of Remedica, providing service information, etc.

v. Where you have consented– for certain types of information, Remedica may rely on your consent in order to use such information. In such a case, primarily you shall be requested to provide your explicit, and, specific consent, and, you will be entitled to withdraw your consent at any time by contacting us using the contact details at the bottom of this Policy. Please note that, if you withdraw your consent, we may not be able to continue providing you with the service to which the consent relates.

Remedica will use your data, only for the purpose(s) for which the data was initially collected. In case Remedica has reasonable grounds to believe that it requires the data for another use/purpose, Remedica will notify you in advance of the need for this additional use of your data, and, shall explain the legal basis for this additional use/purpose. Note that we may process your data, without your knowledge or consent, where this is required or permitted by applicable law. Remedica does not carry out automated decision-making processes with personal data.

Personal data of other individuals

In case you provide us with personal data relating to other individuals, you must ensure that these individuals are aware of the fact that their personal data is to be disclosed to Remedica, and, that the said individuals understand how their personal data will be used and processed by us. It is your responsibility to inform them of the content of this Policy, and, ensure that they have understood and accepted why, and, how their personal data will be processed.

With who do we share your personal data?

Remedica currently does not transfer personal data outside the European Economic Area, excluding the below mentioned, which is in association with Remedica’s parent/holding company i.e. Ascendis Health. In case we transfer your personal data to countries not providing an adequate level of personal data protection, we will take steps to ensure that personal data transferred is subject to appropriate safeguards, such as entering into duly approved and/or legislatively accepted data transfer agreements.

Remedica and Ascendis Health (as the parent/holding company of Remedica) have a legitimate interest, in processing such personal data, i.e. for the purpose of implementation of an integrated HR system, and, for the carrying out of their functions as per the capacity of the employer. Such processing is in compliance with the European Union and Cyprus laws governing the processing of personal data. The transfer of personal data, from Remedica to Ascendis Health, is carried out as per below:

Remedica and Ascendis Health have entered into an appropriate Data Transfer Agreement (based on standard contractual clauses for the transfer of personal data from the Community to third countries [controller to controller transfers]);

The above-mentioned framework has been duly approved by the Cyprus Commissioner for Personal Data Protection.

The Controllers of the Personal Data are the following:

(1) Remedica Ltd, Aharnon Street, Limassol Industrial Estate, 3056 Limassol, Cyprus, represented by the Data Protection Officers, Mrs. Despina Nicolaou, and, Mrs. Elina Skoullou, at [email protected]
Direct Telephone: +357 25553113, and, +357 25553221

(2) Ascendis Health Ltd, 31 Georgian Crescent East, Bryanston, South Africa, represented by Mr. Darren Berman

Retention of personal data

Remedica will retain your personal data, in accordance with its record retention policy. This policy operates on the principle that we keep personal data for no longer than is necessary, for the purpose for which, the data was initially collected. The data is also kept in compliance with any and/or all legal requirements that are imposed upon Remedica. This means that the retention period of your personal data, will vary, depending on the type of personal data that is retained, and, the purpose of its retention.
The below criteria are applied for the purpose of determining retention periods:

i. Statutory and regulatory obligations – we have certain statutory obligations that state that we are to retain personal data for set periods of time.
ii. Business requirements – As we only collect personal data, for defined purposes, we assess how long we need to keep personal data in order to meet our reasonable business purposes, and, therefore serve the legitimate interests of Remedica.
iii. Remedica will permanently delete your personal data when the relevant retention period has expired.

Security

Remedica takes the security of your data very seriously, and, has implemented an information security procedure that describes the technical, procedural, and, physical measures in place, which aim to the protection of your data from loss, misuse, and unauthorized access or disclosure. Remedica also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current/up to date. Employees who handle personal data are trained on the information security policy and on how to correctly collect, process, store and delete data in accordance with this Data Privacy Policy.

The Company operates a closed-circuit television CCTV system for the purpose of ensuring the safety and security of its premises, the manufacturing process, and, pharmaceutical products. In some areas, we are mandated by the law to operate a CCTV system as it forms part of a secure ‘bonded area’. All areas subject to CCTV recordings are clearly marked and cover entrances, exits, hallways, and manufacturing facilities. CCTV recordings may be used for the investigation of suspected criminal activities such as theft, damage to property, and, vandalism. No CCTV cameras are installed in areas where there is a reasonable expectation of privacy.

Certain doors are fitted with access control features which retain information such as timestamps (when a card is swiped) and card number. The information retained is only used for the safety and security of the Company’s premises and pharmaceutical products.

Your obligations

Should you be aware of any data breach affecting any data held by the Company, please report this to the appointed Data Protection Officer(s) of Remedica, whose contact information is announced in Remedica’s website, and, may be found also herein below.
Employees who process personal data on behalf of the Company have a duty to follow the GDPR, and, all policies enacted by the Company ensuring compliance thereto.

Your rights

You have various rights under the applicable Data Protection Laws, and, GDPR, subject to certain exemptions, in connection with the processing of your personal data:

i. Right to access the data- You have the right to request a copy of the personal data that we hold about you, together with other information in connection to our processing of the that personal data;
ii. Right to rectification– You have the right to request that any inaccurate data which is held about you is corrected, or, if the retained information is incomplete, you may request that we update the information, in such a manner, so that it is rendered complete;
iii. Right to erasure– You have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the ‘right to be forgotten’.
iv. Right to restriction of processing or to object to processing – You have the right to request that we no longer process your personal data for particular purposes, or, to object to our processing of your personal data for particular purposes.
v. Right to data portability– You have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine-readable format.
vi. Right to complain – You have the right to lodge a complaint with the Data Protection Authority if you are unhappy with our processing of your personal data.
vii. Right to withdraw your consent– When we process your personal data on the basis of your consent, you are free to withdraw that consent, at any time, by contacting us, using the contact details below. Please note that if you withdraw your consent we may not be able to continue providing you with the service to which the consent is related.

You may proceed with communicating your wish of exercising your above-mentioned rights, through the use of the contact details set out below.

Changes to this Policy

The provisions of this Data Privacy Policy may be amended by Remedica from time to time so as to reflect any possible amendments to the relevant legal, legislative, and, regulatory framework. Any alteration or addition will be posted on our website at www.remedia.eu.

Queries and complaints

Remedica has appointed Data Protection Officers (DPOs) which you can contact if you have any queries or complaints in connection with our processing of your personal data, using the following contact details:

Mrs. Despina Nicolaou, and, Mrs. Elina Skoullou,

at [email protected]
Direct Telephone: +357 25553113, and, +357 25553221
P.O. Box 51706, 3508 Limassol, Cyprus

You have the right to lodge a complaint to the Office of the Commissioner for the Protection of Personal Data below if you believe we have not complied with the requirements of the GDPR with regard to your personal data.

1 Iasonos str., 1082 Nicosia

P.O.Box 23378, 1682 Nicosia

Tel: +357 22818456

Fax: +357 22304565

Email: [email protected]

Annex 1 – Key Definitions:

“Data Protection Authority” means the Cypriot Data Protection Commissioner which is the supervisory authority in the Republic of Cyprus.

“Data Protection Laws” mean the General Data Protection Regulation (EU) 2016/679 (“GDPR”), The Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data Law 125(Ι) 2018 as amended and any EU or national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the Republic of Cyprus and any successor legislation to the GDPR.

“Consent” of the data subject means any freely given, specific, informed unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her – such as a written/electronic statement or an oral statement.

“Data Controller” means the legal person and/or organization which determines the purposes, and, means of the processing of personal data,

“Data Processor” means a person or company which processes personal data on behalf of the Data Controller,

“Personal Data’’ or ‘‘Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; “processing” means any operation which is performed on personal data, where automated or not, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.

“Special Categories of Data” mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and data concerning health or a person’s sex life or sexual orientation.