Effective date: 04/06/2025

1. Legal references

Pursuant to current legislation on the protection of personal data, including Regulation (EU) 2016/679 (“GDPR”), as well as other applicable data protection laws such as: the Swedish Act (2018:218) with supplementary provisions to the EU General Data Protection Regulation (in Swedish, Lag (2018:218) med kompletterande bestämmelser till EU:s
dataskyddsförordning), the Danish Data Protection Act (Act No. 502 of 23 May 2018) (in Dannish, Databeskyttelsesloven), the Finnish Data Protection Act (1050/2018) with supplementary provisions to the EU General Data Protection Regulation (in Finnish, Tietosuojalaki), the Icelandic Act No 90/2018 on data protection and the processing of personal data (in Icelandic, Lög nr. 90/2018 um persónuvernd og vinnslu persónuupplýsinga), and the Norwegian Data Protection Act (in Norwegian, Personopplysningsloven) (collectively referred to as the “Privacy Legislation”), Recordati AB. (“Recordati” or the “Data Controller”), provides you in your capacity as a healthcare professional (“HCP” or the “Data Subject”) with the following information on the processing of your personal data collected and processed by Recordati as part of the performance of scientific information activities.

Personal data will be processed in compliance with the Privacy Legislation and the relevant applicable provisions issued by the competent data protection authorities.

2. Who processes your personal data

– Data Controller: The data controller is Recordati AB (company within the Recordati Group), with registered office in Berzeliusväg 8, 171 65 Solna, Sweden, registered with the Swedish Companies Registration Office (Sw. Bolagsverket) under org. nr. 556620-8350, which can be contacted at +46 771-670 670.
– Data Protection Officer (hereinafter referred to as “DPO”):
Recordati has appointed a DPO, who can be contacted at the following e-mail address: [email protected], to whom Data Subjects can address any request regarding the processing of their personal data.
– Authorised personnel:
All Recordati employees/collaborators who access, or will access, the personal data of the Data Subject operate/will operate under the direct authority of the Data Controller, and are appointed, pursuant to Article 29 of the GDPR, as persons authorized to process data having received, in this regard, adequate operating
instructions

3. Types of personal data processed

The personal data that will be processed are:
a. personal and identification data of the Data Subject: this includes name and surname, date of birth, gender, fiscal code, professional title of the Data Subject, registration in the register of doctors;
b. contact details of the Data Subject: this includes telephone number, e-mail address, address where the Data Subject carries out the professional activity;
c. further information relating to the HCP profile: this includes , by way of example, interests, aptitude and approach in the scientific, technological or research fields, with respect to (i) technological applications and platforms at the service of medicine, (ii) therapeutic behaviours, (iii) the use of digital communication channels and (iv) interests in pharmaceutical products that Recordati may acquire from the Data Subject during visits and/or interviews with its medical representatives;
d. data relating to the Data Subject’s interaction with Recordati services: this includes for example, opening of emails visualization of medical-scientific content, interactions of the Data Subject with e-mail links and content, duration of the Data Subject’s “engagement” on Recordati web pages, and web contents, participation in webinars, fruition of web content, etc.. Information about the cookies that Recordati processes in relation to the Data Subject’s engagement on Recordati web pages is described in Recordati’s Cookie Policy, which can be accessed on www.recordati.se website.

The Data Controller collects personal data from the following sources:
– From the Data Subject directly, for example when carrying out scientific information activities via in-person meeting, we collect the informaiton listed at a. to c. Iabove
– From your interacton with our online services and digital properties. We collect the information listed at b. to d. above in this way.
– From third party service providers, which provides publicly available information, such as your address, and/or market research results.

4. The purposes, legal bases of the processing and the period of storage of personal data

Recordati will process the Data Subject’s personal data for the following purposes (the “Purposes”):

Unless indicated otherwise, the provision of personal data processed for the purposes indicated above is optional. In the event of refusal to provide your data, objection to processing or withdrawal of the consent previously given, Recordati will not be able to carry out the scientific information activities towards the HCP or the communications, as described above.
At the end of the storage periods identified above, the personal data of the Data Subjects will be deleted, unless there are further legitimate interests of the Data Controller for establishing, exercising or defending a legal claim that make their storage necessary, subject to minimization. In such case, the Data Controller will store the personal data for as long as necessary for this purpose.
The Data Controller also informs the Data Subject that at the time of collection and on the occasion of sending each communication made for the pursuit of the aforementioned Purpose, he/she has the possibility to: (i) withdraw, at any time, any consent given (see point 8 below as to how consent can be withdrawn); (ii) object to the processing of their personal data based on the legitimate interest of the Data Controller, in the manner better described in point 8 below.

5. Profiling

The Data Controller informs the Data Subjects that, with reference to the Purpose referred to in Paragraph 4 letter b) above (i.e. profiling activities), this activity has the sole purpose of identifying, on the basis of specific parameters identified by Recordati, in a precise and effective manner the professional and scientific profiles of the Data Subjects, as well as their specific professional needs so as to allow the same to optimize the performance of the activity of scientific information and the distribution of its contents.
Profiling in this regard will enable the Data Controller to avoid sending mass medical-scientific communications to the recipient HCP, in circumstances where such communications may not be of interest to the HCP. Rather, these communications are limited only to those Data Subjects for which they are more relevant and adherent, according to the needs, interests and professional characteristics of the Data Subjects. Personalized communications may also be indirectly of benefit for the patients of the individual Data Subjects as they may increase the Data Subject’s awareness about specific relevant areas of diseases or medical practices.

In any case, the profiling mentioned above:
– will not take place on the basis of an automated decision-making process from which legal or similarly significant effects derive for the Data Subjects pursuant to art. 22 of the GDPR;
– will not affect the rights of the Data Subjects;
– will not have any prolonged and permanent impact for Data Subjects, considering that the personal data collected by the Data Controller through its medical representatives are periodically updated.

Furthermore, considering that the processing in question is based on the legitimate interest of the Data Controller, the Data Controller guarantees that it has previously carried out an assessment aimed at ensuring the proportionality of the processing so that the rights and freedoms of the Data Subjects are not prejudiced, taking into account their reasonable expectations in relation to the specific processing activity carried out (so-called
“Legitimate Interest Assessment” or “LIA”).
Data Subjects may request further information on the LIA referred to above, by contacting the Data Controller or the DPO at the addresses indicated below.
This is without prejudice to the right of the Data Subject to object to the performance of profiling activities at any time, in accordance with the procedures better described in point 8 below.

6. Recipients

The Data Controller informs the Data Subjects that their personal data may be communicated or made accessible for the Purposes listed above, and according to the legal bases listed above, to the following recipients or categories of recipients, as independent data controllers or, where necessary, data processors specifically selected and appointed pursuant to Article 28 of the GDPR which include:

• suppliers of platforms for customer relationship management (CRM) and related technical assistance and maintenance services (all categories of personal data are shared);
• companies that carry out market analyses/research (the categories of personal data shared are those indicated in par. 3, lett. a. above);
• communication agencies and/or event organization (the categories of personal data shared are those indicated in par. 3, lett. a. above);
• competent authorities, regulatory, prosecuting, law enforcement, tax or governmental authorities by virtue of legal provisions or regulations or European Union legislation (all categories of personal data may be shared);
• in connection with a corporate transaction, a merger, consolidation, reorganisation, financing, change in control or acquisition of all or a portion of the Data Controller’s business by a third party (all categories of personal data may be shared);
• other companies of the Recordati Group, subject to the consent of the Data Subject, when such consent is necessary under applicable Privacy Legislation (the categories of personal data shared are those indicated in par. 3, lett a. and b. above).

The complete list of recipients, including more details on the activities they are carrying out, the industry, sector and sub-sector and their headquarters, is kept at the Data Controller’s registered office and can be consulted upon request to be sent to the addresses indicated in point 8 of this policy.

7. Transfer of the personal data of the Data Subject abroad

The Data Subject’s personal data will not be transferred outside the European Economic Area (EEA).
Any transfer of the pdof the Data Subjects to non-EEA countries that may happen in the future, will only take place within the terms and with the guarantees provided for by the Privacy Legislation and, in particular, pursuant to art. 44 – 49 of the GDPR and the Data Controller will inform the Data Subjects

8. The rights of the Data Subject

The Data Controller informs the Data Subjects that they will always have the right to withdraw their consent at any time, where consent has been given.

Data subjects may also exercise any of the following rights (collectively, the “Rights”):
a) the “right to access” and specifically to obtain confirmation of the existence or otherwise of Personal Data concerning him/her and their communication in intelligible form, as well as a copy of the personal data undergoing processing;
b) the “right to rectification”, i.e. the right to request the rectification or, if interested, the integration of personal data;
c) the “right to erasure”, i.e. the right to request the erasure or, transformation into anonymous form of personal data processed in violation of the law, including those whose retention is not necessary in relation to the Purposes for which the personal data were collected or subsequently processed;
d) the “right to restriction of processing”, i.e. the right to obtain from the Data Controller the limitation of processing in certain cases provided for under the Privacy Legislation;
e) the “right to data portability”, i.e. the right to receive (or to transmit directly to another data controller) personal data in a structured, commonly used and machine-readable format;
f) the “right to object”, i.e. the right to object, in whole or in part:
– to the processing of personal data carried out by the Data Controller for its own legitimate interest;
– to the processing of personal data carried out by the Data Controller for marketing or profiling purposes.

It is expressly understood, as provided for in Article 21 of the GDPR, that in the event of the exercise of the right to object by the Data Subject, the Data Controller will refrain from further processing the personal data unless the Data Controller demonstrates the existence of compelling legitimate reasons for proceeding with the processing that prevail over the interests, rights and freedoms of the Data Subject or for the ascertainment, the exercise or defence of a right in court.
The exercise of the foregoing rights is not subject to any formal constraint and is free of charge. The Data Controller may possibly require Data Subjects to verify their identity before taking further action following the request to exercise the rights referred to above.
In any case, the Data Subject may freely contact the DPO for all matters relating to the processing of his/her personal data and/or if he/she wishes to exercise his/her Rights:
– by ordinary mail, to the address of the registered office of Recordati AB, with registered office in Berzeliusväg 8, 171 65 Solna, Sweden, In attention of the DPO;
– by e-mail to the DPO: [email protected].

9. The rights of the Data Subject

The Data Controller informs the Data Subject that, pursuant to the Privacy Legislation, he/she has the right to lodge a complaint with the competent Supervisory Authority (in particular in the Member State of his/her habitual residence, place of work or place of the alleged violation), if he/she is of the opinion that his/her personal data are processed in such a way as to involve violations of the GDPR. In addition, the Data Subject may contact the competent Supervisory Authority if the exercise of his/her rights is subject to delay, limitation or exclusion by the Data Controller.
In order to facilitate the Data Subject, the name and contact details of the European Union Supervisory Authorities, including the data protection authorities for Denmark, Finland, Iceland, Norway and Sweden, are available at the following link: Our Members | European Data Protection Board (europa.eu).

10. Update and revision

This information notice may be subject to amendments and additions from time to time. The Data Controller will notify the Data Subject directly when substantial amendments and additions will be made. The Data Controller may also notify the Data Subject in other ways from time to time, including by an announcement on the website.