GedGedeon Richter UK Limited, Gedeon Richter Ireland Limited and Medimpex UK Limited; Company Registration Number: 4325685, 594348 and GB 239 9471 19 respectively; hereinafter “we”, “us” or “Company”) is committed to protecting the privacy of individuals. This Privacy Notice informs you about the processing of the personal data collected by us from the users, subscribers, visitors (hereinafter collectively “Data Subjects”) of our websites (www.gedeonrichter.co.uk; www.medimpexuk.com/; www.esmya.co.uk; www.fibroidsconnect.co.uk/ and www.richterresourcecentre.co.uk/) (hereinafter “Our sites”) services (hereinafter “Services”). Data Subjects below the age 16 (hereinafter “Minors”) are not eligible to use our services and we ask that minors do not submit any personal data to the Company.¹

Please read this Privacy Notice in conjunction with our general Terms of Use and Cookie Notice.

We may revise the Privacy Notice at any time by updating this posting and we will obtain your consent to the changes when necessary. You can determine when the Privacy Notice was last revised by referring to the “Last updated” legend at the top of this Privacy Notice.

WHO WILL BE THE DATA CONTROLLER?

The data controller is the Company. Your data will be processed by the Company in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”) applicable to our sites.

WHAT IS THE PURPOSE OF DATA PROCESSING?

We handle personal data in order to provide you with our Services per your request. The personal data collected from you as Data Subject will be handled by our employees, kept confidential and used by us for lawful and relevant purposes for providing our services to you.

Purposes of personal data processing and such use of your personal data may be

• connected to our Services such as
  • carrying out your requests submitted through our sites, respond to your inquiries or requests;
  • publication of job advertisements on our sites and administering job applications;
  • maintaining and administering a database of healthcare professionals and allowing registered healthcare professional users to communicate and access materials on our sites; and
  • providing a communication channel for the notification of adverse reactions to us for pharmacovigilance purposes.
• identification of Data Subjects using our Services;
• create, maintain and manage your subscriber profile;
• tracking the status of your application or request;
• sending personalised communications to you;
• sending you administrative notices or communications applicable to your use of our Services;
• sending personalised newsletters to you;
• protect against and prevent fraud, misuse, and providing security of communications at our Website;
• to provide you with customer support; or
• the handling of complaints and enforcement of our general Terms of Use, Privacy Notice and Cookie Notice.

We may also process your personal data for purposes previously communicated to you from time to time, as long as such other purposes are directly relating to and compatible with the purposes indicated in this Privacy Notice and Cookie Notice.

¹ It is recommended to mention such restriction directly on the Website where users have the possibility to interact and, therefore, submit personal data to the Company.

WHAT IS THE LEGAL BASIS OF DATA PROCESSING?

Unless otherwise indicated to you in this Privacy Notice, processing of your personal data is voluntary and based on your freely given consent. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Failure to provide the requested personal data may result in us being unable to provide to you our Services. If any of our communications constitute direct marketing (including newsletters) we will separately seek your consent to such communications.

In relation to adverse effect notifications, the legal basis of data processing is our legal requirement to comply with European and national pharmacovigilance laws.

If you enter into a contract with us or subscribe to our Services, we will process your personal data pursuant to Article 6 (1) and (b) of the GDPR to the extent processing is necessary in order to administer the Services you request or in order to take steps at your request prior to entering into a contract with us.

Personal data will also be processed to the extent this is required to pursue our legitimate interests as a data controller (e.g. to protect against and to prevent fraud, to manage our professional relations, to provide information about our products, to handle complaints and enforce our terms and conditions).

WHAT PERSONAL DATA MAY WE COLLECT?

In the course of our activities and for the purposes indicated above, we may process (collect) the following personal data of Data Subjects.

• Name (family name and surname). This information allows us to identify you. If you consent to newsletter communications, we must keep record of your name and email address.
• Language preferences. This information allows us sending communications to you in languages you understand.
• Email address. This information allows us to identify you and sending communications to you, including direct marketing messages (if you consent to receiving such communications). We also use your email when asking for feedback in respect of the quality of provision of our Services or provide you with customer support.
• Password. We use this information for authentication purposes.
• Account information. When registering or deregistering to our sites, we collect and store the subscriber’s IP address and the date and time of confirmation in their subscriber profile. We process this data in order to maintain the security of our sites and of the subscribers’ own account and prevent fake signups.
• Job application data. If you apply for a job position, we may keep record of the date and time of your application, your name, birth name, place and date of birth; your place of residence; phone number(s); email address; previous employer(s) name; duration of your previous employment relationship; previous positions, jobs and their descriptions; qualifications; studies; level of education, degree and degree type and time of obtaining the degree; language skills; computer skills; and any other information voluntarily provided by you as an applicant (e.g. portrait, resume, cover letter and the monthly payment required). This information is necessary for us to evaluate your experience and to make a hiring decision. Only our HR Department and the department seeking for the new colleague will have access to the information.
• Adverse reactions information. This information is necessary for us to process, investigate and notify the adverse reactions to the regulator. Your notification must include the name of the reporting person, your phone and email address; your profession; patient information; patient’s initials; date of birth of the patient; age of the patient; sex of the patient; adverse event description, including the symptoms experienced; description of the side effects, adverse conditions, the patient’s medical history, other diseases with free text; adverse events observed, such as death; immediate threat to life; necessary treatment; persistent or significant deterioration of health, or loss of function; developmental or birth defects occurred; medicines information; start and end date of medication; medicines/drugs taken.
• Message information. We will keep records of our communications with you, including any complaints you submit including any read receipt information in order to provide you with customer support and the handling of complaints.
• General usage information. Information that informs us on how you use our Services when you use our sites, including search behaviour and preferences, a record of the searches that you make on our sites and browsing activity (including: IP address, time of visit, visited pages, on-page interactions, limited detail location information, device and software of the user, first-time or repeated visits, traffic source information). We use this information to improve our Services to you, as well as to identify improvement areas of the quality of our Services.

Our Services are not aimed at collecting sensitive personal data from Data Subjects, other than adverse reactions information (health data) for pharmacovigilance purposes.

DO WE USE COOKIES?

The Site uses cookies to distinguish you from other users of the Site. This helps us to provide you with a good experience when you browse the Site and also allows us to improve the Site. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

We use the following cookies:

• Strictly necessary cookies. These are cookies that are required for the operation of the Site.
• Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the Site when they are using it. This helps us to improve the way the Site works, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies. These are used to recognise you when you return to the Site. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Targeting cookies. These cookies record your visit to the Site, the pages you have visited and the links you have followed. We will use this information to make the Site and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose. You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

Cookie	Name	Purpose	Expiration time
ARRAffinity	Microsoft Azure Cloud	Allows the site to be load balanced across more than one server if it needs to be scaled up in the future	End of session
acceptcookies	Accept Cookies	Created when the user accepts cookies or continues to use site	20 years
_gat	Google Analytics	Used to throttle request rate	10 minutes
_ga	Google Analytics	Used to distinguish users	2 years
_athena	Athena session cookie	Created when logged into the Richter Resource Centre	End of session
PHPSESSID	PHP	Stores the user’s session identifier	End of session
wordfence_verifiedHuman	Word Fence	Separate human visitors from bots	1 minute
wp-settings-1111	Word Press	Used to persist a user’s wp-admin configuration. Only set for registered WordPress.com	End of session
wp-settings-time-1111	Word Press	Used to customize your view of admin interface, and possibly also the main site interface	End of session
wordpress_test_cookie	Word Press	Word Press	End of session
viewed_cookie_policy	Word Press	The Cookie law info bar been viewed and accepted	20 Years

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of the Site.
To opt out of being tracked by Google Analytics across all websites visit: http://tools.google.com/dlpage/gaoptout
Except for essential cookies, all cookies will expire by the end of the session.

WHERE IS THE INFORMATION STORED AND WHO WILL SEE THE INFORMATION?

Only those authorised persons and departments within the Company will have access to your personal data who have an essential need to know that data for the fulfilment of their activities. We will not disclose any of your personal data to third parties, any external bodies or organizations, except as set out below, or unless you consent to data transfer or the data transfer is required or permitted by law.

In case of information provided in the course of adverse reaction notification, we will disclose that information to the European Medicines Association; website: https://www.ema.europa.eu/en; phone+31(0)88 781 6000; who will process personal or other data connected to adverse event as a sole data controller besides the Company based on legal obligations addressed to this authority.

We may engage third party vendors as data processors (hereinafter “Data Processor”) to provide services to us, and share your personal data with such third parties as well as with legal and other advisors, consultants that assist us. Nonetheless, in such a case, we always ensure confidentiality of your personal data, for example by concluding a confidentiality and non-disclosure agreement.

HOW LONG WILL PERSONAL DATA BE RETAINED?

We keep personal data for no longer than is necessary for us to fulfil the purposes for which such personal data was processed (collected) unless we are specifically required to process personal data longer by applicable laws.

We will delete and erase personal data if:

• you withdraw consent on which the data processing is based and there is no other legal ground for the processing;
• if you object to the data processing and there are no overriding legitimate grounds for the data processing, or you object to the processing for purposes of direct marketing;
• the personal data have been unlawfully processed; and
• the personal data have to be erased for compliance with a legal obligation to which the Company is subject.

Deletion shall not apply to the extent that processing is necessary for compliance with a legal obligation which requires data processing by the Company or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company (if any); for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or for the establishment, exercise or defence of legal claims of the Company.

In case of registrations or subscriptions of healthcare professionals with our sites that have not been confirmed, we store the personal data for a period of fifteen (15) days. In case of completed registrations or subscriptions, we store your personal data and maintain your account with us until you withdraw your consent to data processing or you request that we delete your personal data or you unsubscribe from our newsletters or other direct marketing communications.

Unsuccessful job application data will be retained for a period of six (6) months counted from your submission of the application, unless you consent that we may retain your personal data for future applications. Successful job application data will be retained until your employment relationship exists counted from your submission of the application.

WHAT INTERNATIONAL DATA TRANSFERS OCCUR?

Unless we inform you otherwise in this Privacy Notice or in any other communication of ours, we do not transfer your personal data to a country or territory outside the European Economic Area.

HOW DO WE ENSURE DATA INTEGRITY?

All practicable and reasonable steps will be taken to ensure that personal data held by us is accurate. Please, keep your personal data up to date, and to inform us of any changes to such personal data you provide to us.

HOW DO WE PROTECT PERSONAL DATA?

We will take all necessary steps to ensure security of the personal data and to avoid unauthorized or accidental access, collection, use, disclosure, copying, modification, disposal, erasure or other unauthorized use. Please note that electronic transmission of information cannot be entirely secure. We use Secure Sockets Layer (“SSL”) and password encryption in order to protect the security of information that we process. Please note that you have the affirmative duty to keep your password information safe and not to share this data with third persons.

Any information we receive about possible adverse events related to our products, will only be accessible to a restricted number of personnel who are in the need of having access to such data in order to perform their employment duties with such data, and the data are protected by appropriate technical and organizational measures.

WHAT ARE YOUR RIGHTS AND REMEDIES?

You have the right to have incomplete, incorrect inappropriate or outdated personal data deleted or updated, marked or blocked. If you believe any of the personal data we hold about you is incomplete, incorrect or outdated, you can contact us and we will make the necessary corrections within twenty-five (25) days. All practicable and reasonable steps will be taken to ensure that personal data held by us is accurate. We will mark personal data if you dispute its correctness or up-to-date status and such claim cannot be verified beyond doubt. You may request that we delete your personal data, but we may be required by law to keep such information and not delete it (or to block or mark this information for a certain time, in which case we will comply with the deletion request only after having fulfilled such requirements).

You have the right to be informed what personal data is processed about you. We will respond to such request for access to personal data as soon as possible, but within twenty-five (25) days from its submission at the latest. We may request the provision of additional information necessary to confirm your identity. You are also entitled to object to the processing of your personal data if processing or transfer of personal data is necessary solely for the performance of a contractual obligation, necessary for the enforcement of the legitimate interest of ours, a data recipient or any other third person (except if the data processing is compulsory); as well as if permitted by law. Such objection will be investigated by us within fifteen (15) days of filing the objection. If you do not agree with our decision as regards any objection, you are entitled to initiate court proceedings within thirty (30) days after receipt of the decision refusing such objection.

If you consider that your privacy and data protection rights have been infringed, you may contact the relevant data protection authority supervising the activities of the Company, to the competent data protection regulatory authority located in the European Union’s relevant Member State where your habitual residence, place of work or place of the alleged infringement is.

Our sites may contain links to third party websites. These linked websites are not under our control, and are regulated by their own privacy policies. We are not responsible for the privacy practices of any such linked websites.

RIGHT TO OBJECT, INCLUDING TO DIRECT MARKETING

In some cases, we may use your personal data to provide you information related to our products and industry or invite you to events. You have the right to, at any time, object to such processing for direct marketing, or object other processing for reasons relating to your particular situation by sending an email to info.uk@gedeonrichter.eu or you can unsubscribe to receiving further newsletter by using the link provided in each newsletter.

HOW CAN YOU CONTACT US ABOUT THIS PRIVACY NOTICE?

For more information regarding privacy and data protection inquiries and requests by Data Subjects, please contact the Company’s dedicated channels (phone: +44 (0) 207 604 8806; email: info.uk@gedeonrichter.eu).

Adverse Events Reporting:

Adverse events should be reported. Reporting forms and information can be found at www.mhra.gov.uk/yellowcard. Adverse events should also be reported to Women’s Health Division of Gedeon Richter (UK) Ltd on 0207 604 8806 or drugsafety.uk@gedeonrichter.eu

Adverse events should be reported to the HPRA Pharmacovigilance, Earlsfort Terrace, IRL – Dublin 2, Tel: +353 1 6764971, Fax: +353 1 6762517, Website: www.hpra.ie, e-mail: medsafety@hpra.ie. Adverse events should also be reported to Women’s Health Division of Gedeon Richter (UK) Ltd on +44 (0) 207 604 8806 or drugsafety.uk@gedeonrichter.eu