UCB GENERAL PRIVACY POLICY FOR HEALTHCARE PROFESSIONALS Find HERE the Privacy Policy for Healthcare Professionals in your language 1. WHO WE ARE AND HOW YOU CAN CONTACT US UCB or we means UCB S.A., a Belgian company with registered office at 60, Allée de la recherche, 1070 Anderlecht and its affiliates. For more information on the contact details of the UCB affiliate in your jurisdiction, please visit the ‘UCB Worldwide’ overview at https://www.ucb.com/worldwide and select your country.As controller, i.e. the legal entity that decides on the why and how information relating to you (personal data) is collected and processed by us in the context of your or your healthcare organisation’s relationship with UCB, we respect your right to privacy.We will only process your personal data as described in this UGPPH or policy, supplemented by our other privacy policies - to the extent that those may apply to you - e.g. within the framework of your participation as a healthcare professional (HCP) in our Patient Support Programmes (PSPs), studies (including observational studies, clinical trials etc.), or when browsing any one of our websites for which separate website privacy policies are in place. We will at all times process your personal data in accordance with the relevant data protection legislation, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).At UCB we have a data protection officer (DPO), who can be contacted by any of the following means for any privacy-related questions, including regarding how we collect, store and use your personal data:E-mail: dataprivacy@ucb.com; orRegular mail: To the attention of the (global) Data Protection Officer, Allée de la recherche 60, 1070 Anderlecht or to the attention of the local UCB Data Protection Officer at the postal address of the UCB affiliate in your jurisdiction. For more information, please visit https://www.ucb.com/worldwide and select your country. 2. THE REASON BEHIND THIS PRIVACY POLICY As a leading biopharmaceutical company, UCB has close relationships and engages in a continuous dialogue with many HCPs. The UGPPH governs the general collection, use and retention by UCB of personal data relating to (i) HCPs and (ii) HCPs acting as a representative or contact person for a healthcare organization (HCOs), with whom we have a business relationship. As indicated above, additional privacy related information may apply to you within the framework of your participation in e.g. our PSPs, studies or when browsing any one of our websites. You will find these additional privacy terms on the relevant webpage or tool. In other words, in addition to reading this UGPPH, please also carefully read through other privacy related information which may apply to you and this prior to participating in any UCB PSP, study or browsing any one of our websites.The UGPPH consists of five main components and informs you about:Who we are and how you can contact us;The reason behind this policy;The purposes for which we process your personal data, the related legal basis under GDPR and applicable retention periods;What your rights are in relation to the personal data we hold about you and how you can exercise them; andFurther details on how we process (including transfer) your personal data. The UGPPH may be updated periodically to reflect changes in our personal data processing activities. In that case we will inform you of any significant changes by posting a prominent notice on UCB.com (the Website) or by informing you through the same channel we usually use to communicate with you. 3. THE PURPOSES FOR WHICH WE PROCESS YOUR PERSONAL DATA AND APPLICABLE LEGAL BASIS The table below indicates per purpose (i) the categories of personal data we collect and process concerning you, (ii) the source, (iii) how long we retain your personal data, (iv) who we share it with, and (v) the relevant legal basis under GDPR. 1. To manage our professional relationship with you, including: a) planning and following up (including UCB internal reporting) on interactions and communications with you - including call and visit management; b) optimizing our interactions and communications with you based on your preferences (including in terms of content, format, preferred channels and frequency); c) stakeholder segmentation within your geographical area and area of expertise (including identifying key opinion leaders as well as in order to enable us to identify relevant study sites for the conduct of clinical trials); d) avoiding duplication as well as improving the quality of our interactions with you - based on your indicated needs and preferences; read more UCB Collects the following personal data about you: 1. Master data (i.e. data used to identify you in our systems): a) General and identification details: including your full name, title, language, a unique identifier assigned to you by and in our databases b) Your contact details and contact preferences: postal address, phone number(s), e-mail address c) Your professional details: including your job title, medical education, professional background information (including history, role), your expertise, hospital or HCO affiliation, publications, awards, biographies, links to educational organizations, area(s) of scientific interest d) Country specific identifiers (including your local registration number as an HCP in relation to the local healthcare system) 2. Activity data (i.e. data related to our professional interaction with you other than clinical activities): a) Information about calls/visits made to you: last call/visit date, next planned call/visit date, topics that were discussed, key messages from you, product information shared with you b) General/ aggregated information about product prescribing behavior c) Information that would allow stakeholder segmentation within your geographical area and area of expertise d) Information about events/ conferences in which you participated/which you attend e) Customer network information (relations to other HCPs and HCOs) f) Activity information, including whether or not e-mails sent to you by us were opened, if you accepted our invitation to e.g. a conference or online content, etc. g) Any other information you may provide to us e.g. when you complete forms made out to us, or share information within the framework of events or conferences you attend or during visits or calls with our representatives 3. Consent management data: Information on your utilization and preferences relating to communication format, channels and frequency Failure to provide the abovementioned information prevents UCB from managing our professional relationship with you. For some of the analysis set out above (e.g. in order to optimize our interactions and communications with you based on your preferences or in order to identify key opinion leaders or study sites for the conduct of clinical trials) UCB may at times also use artificial intelligence techniques (including machine learning). In that case all appropriate organizational and security measures are put in place – in accordance with data protection laws – to ensure data privacy by design. This includes but is not limited to data minimization, stringent access controls, human intervention, etc. UCB obtains this personal data from: You Our third party processors (as detailed in section 5.A) Trustworthy publicly available (including online) sources (such as PubMed, Clinical Trials.gov, congress websites or university websites) Through monitoring our IT tools and services (such services including e-mails we send to you upon your request/with your permission) UCB retains (*) your personal data for: Master data: for the duration of our professional relationship with you. In relation to HCP retirement or cessation of professional activities: for a maximum of 36 months after we are informed of your retirement / cessation of professional activities Activity data: this data is kept for 60 months after the relevant activity took place (e.g. an event, a congress, a visit, a call) Consent management data: this data is kept for 120 months following receipt of your consent UCB shares your personal data with: UCB affiliates and third party processors (as detailed in section 5.A) UCB relies on the following GDPR legal basis: Processing necessary for the purpose of the legitimate interests pursued by UCB to conduct and improve its business, i.e. creating value for people living with severe diseases in UCB’s therapeutic areas of interest, to manage our human and financial resources efficiently and to maintain and optimize our professional relationship with you (including planning, following up on and improving our interactions with you). To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy (**). (Your consent will be requested prior to UCB sending any direct marketing e-mails, as further detailed under points 6 and 7 below). close 2. To efficiently manage our relationship with you within the framework of collaboration agreements with our partners (including e.g. other pharmaceutical companies) and avoid duplication in interactions with you, read more UCB Collects the following personal data about you: 1. Master data (i.e. data used to identify you in our systems): a) Your identification details: including your full name, title, language, a unique identifier assigned to you by and in our databases b) Your contact details: postal address, phone number(s), e-mail address c) Your professional details: including your job title, your medical education, your professional background information; 2. Activity data (i.e. data related to our professional interaction with you other than clinical activities): a) Information about calls/visits made to you: last submitted call/visit date, next planned call/visit date, topics that were discussed, key messages from you, product information shared with you b) Information about product prescribing behavior c) Information about events in which you participated/which you attend Failure to provide the abovementioned information prevents UCB from managing our professional relationship with you. UCB obtains this personal data from: You Our third party processors as detailed in section 5.A Our partners with whom we have a collaboration agreement (including e.g. other pharmaceutical companies) UCB retains (*) your personal data for: Master data: for the duration of our professional relationship with you. In relation to HCP retirement or cessation of professional activities: for a maximum of 36 months after we are informed of your retirement / cessation of professional activities Activity data: this data is kept for 60 months after the relevant activity took place (e.g. an event, a congress, a visit, a call) UCB shares your personal data with: UCB affiliates and third party processors (as detailed in section 5.A) Our partners with whom we have a collaboration agreement (including – to the extent applicable – other pharmaceutical companies) UCB relies on the following GDPR legal basis: Processing necessary for the purpose of the legitimate interests pursued by UCB to conduct its business (including for research and development of new medicines creating value for people living with severe diseases in UCB’s therapeutic areas of interest), to manage our human and financial resources efficiently and to maintain a professional relationship with you. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy (**). close 3. To obtain your feedback and professional insights (including through advisory boards, market research and survey tools) on (i) what is important to you and/or your patients, (ii) important trends in patient management in your area of expertise; (iii) how UCB and its products are perceived by you; and (iv) how we can further evolve and customize our services and products, and offer these to you. We may also combine your personal data collected through direct marketing campaigns, with other personal data we collected through other channels for the same purposes as outlined here (including customization of our services/products and related offer) read more UCB Collects the following personal data about you: 1. Master data (i.e. data used to identify you in our systems) a) Your general and identification details: including your full name, title, language, a unique identifier assigned to you by and in our databases b) Your contact details: postal address, phone number(s), e-mail address c) Your professional details: including your job title, your medical education, your professional background information, your area(s) of expertise d) Information that would allow stakeholder segmentation within your geographical area and area of expertise e) Aggregated information relating to digital behavior: Information on digital presence, digital audience and digital activity 2. Activity data (i.e. data related to our professional interaction with you other than clinical activities): a) Your insights: including your outlook on therapeutic concepts and approach to the products and/or therapeutic areas of our company b) Any other information or feedback on our company, products and/or therapeutic areas that you may provide at your discretion in the context of our relationship with you Failure to provide the abovementioned information prevents UCB from fulfilling our legitimate interests (indicated below). Please note that if such information is shared in the context of a contract with you, certain data will be required for the purpose of entering into a contract (see further below under point 8). Failure to provide such personal data would prevent UCB from executing a contract with you. UCB obtains this personal data from: You Our third party processors (as detailed in section 5.A) Social media companies in accordance with their terms and conditions Publicly available online sources (such as PubMed, Clinical Trials.gov, congress websites or university websites) UCB retains (*) your personal data for: Master data: for the duration of our professional relationship with you. In relation to HCP retirement or cessation of professional activities: for a maximum of 36 months after we are informed of your retirement / cessation of professional activities Activity data: this data is kept for 60 months after the relevant activity took place (e.g. an event, a congress, a visit, a call) Consent management data: this data is kept for 120 months following receipt of your consent UCB shares your personal data with: UCB affiliates and third party processors (as detailed in section 5.A) UCB relies on the following GDPR legal basis: Processing necessary for the purpose of the legitimate interests pursued by UCB to conduct its business (including research and development of new medicines creating value for people living with severe diseases in in UCB’s therapeutic areas of interest) and to maintain a professional relationship with you. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy (**). (Regarding the processing of information for the execution of a contract with you, e.g. in relation to your participation in an advisory board or in relation to certain market research, we refer to what is set out below under point 8.) close 4. To respond to your queries and provide you with requested support, read more UCB Collects the following personal data about you: Your general and identification details: including your full name, title, language, a unique identifier assigned to you by and in our databases Your contact details: postal address, phone number or e-mail address (depending on the channel through which you choose to contact us) Country specific identifiers (including your local registration number as an HCP in relation to the local healthcare system) Any other information you provide to us and relating to your query or request for support (or that may be legally required) Failure to provide us with the abovementioned information prevents us from responding to your query or request (for assistance). Failure to provide us with information that is legally required, prevents us from complying with our legal obligations. UCB obtains this personal data from: You Our third party processors as detailed in section 5.A UCB retains (*) your personal data for: For the duration of responding to and completing your request. For as long as legally required in relation to any information we must process to comply with our statutory obligations (e.g. in relation to adverse event reporting UCB shares your personal data with: UCB affiliates and third party processors (as detailed in section 5.A) UCB relies on the following GDPR legal basis: Processing necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract Processing necessary for compliance with our legal obligations (including in relation to adverse event reporting) close 5. To allow and document the distribution of product samples to you, read more UCB Collects the following personal data about you: 1. Master data (i.e. data used to identify you in our systems): a) Your identification details: including your full name, title, language, a unique identifier assigned to you by and in our databases b) Your contact details: postal address, phone number(s), e-mail address; c) Your professional details: including your job title, your area(s) of expertise; 2. Activity data (i.e. data related to our professional interaction with you other than clinical activities): a) The number and categories of product samples requested and delivered, the date of delivery* b) Your signature acknowledging receipt of the samples c) Any other information which may be legally required Failure to provide the abovementioned personal data will prevent you from being eligible to receive UCB product samples UCB obtains this personal data from: You (To the extent applicable) the HCO you work for Our third party processors (as detailed in section 5.A) UCB retains (*) your personal data for: 120 months for inventory monitoring (lot tracking) The documentation relating to sample delivery to you is retained in accordance with applicable legal requirements, as well as article 19 of the EFPIA code of practice on medical samples UCB shares your personal data with: UCB affiliates and third party processors (as detailed in section 5.A) UCB relies on the following GDPR legal basis: For any personal data that is legally required, processing necessary for compliance with our legal obligations (including but not limited to legislation related to the distribution of medical product samples etc.). Otherwise, processing necessary for the purpose of the legitimate interests pursued by UCB to conduct its business, including to provide you with correct product information and samples and to comply with industry standards and requirements in this respect. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy (**). close 6. To invite you to attend and permit your attendance to academic, scientific and promotional meetings, events, conferences (sponsored by us) linked to your medical expertise and to promote such meetings, events, conferences and other services to you, including based on your previous attendance and other information which will help us, for example, offer you attendance at the events that better suit your interests. We may also combine your personal data collected through these events, with other personal data we collected through other channels for the same purposes as outlined here (including promotion) read more UCB Collects the following personal data about you: 1. Master data (i.e. data used to identify you in our systems): a) General and identification details: including your full name, title, language, a unique identifier assigned to you by and in our databases b) Your contact details: postal address, phone number(s), e-mail address c) Your professional details: including your job title, your area(s) of expertise d) Country specific identifiers (including your local registration number as an HCP in relation to the local healthcare system) 2. Activity data (i.e. data related to our professional interaction with you - other than clinical activities - and related to you attendance to said meetings, events and conferences): a) Information about events/ conferences in which you participated/which you attend b) Information about topics that were discussed, key messages from you, product information shared with you, and any interests you have shared regarding such topics, meetings, events and/or conferences c) Travel details and logistics, dietary preferences (as applicable), as well as any other information required to enable your attendance to UCB sponsored or organized conferences, meetings or events, for which you signed up Failure to provide us with the abovementioned information prevents us from inviting you to and allowing your attendance to UCB sponsored conferences, meetings or events. UCB obtains this personal data from: You Our third party processors (as detailed in section 5.A) UCB retains (*) your personal data for: Master data: for the duration of our professional relationship with you. In relation to HCP retirement or cessation of professional activities: for a maximum of 36 months after we are informed of your retirement / cessation of professional activities Activity data: this data is kept for 60 months after the relevant activity took place (e.g. an event, a congress, a visit, a call) Consent management data: this data is kept for 120 months following receipt of your consent UCB shares your personal data with: UCB affiliates and third party processors (as detailed in section 5.A) UCB relies on the following GDPR legal basis: Processing based on your consent for information related to the sending and receipt of any communications regarding UCB sponsored academic, scientific and promotional meetings, events, conferences Processing based on performance of a contract for any information required to enable your participation in the UCB sponsored conference, meeting or event for which you signed up. close 7. To enable UCB to send you personalized direct marketing communications by email or other electronic means, regarding medical and scientific updates (including relevant and up to date information about certain diseases and treatments), corporate information and/or products and services we promote, or containing deeplinks to UCB websites containing such information and analyze your interactions with such communications (e.g., which content/links you may have interacted with, or whether you opened our messages at all), to better understand what communications would be interesting for you. We may also combine your personal data collected through direct marketing campaigns, with other personal data we collected through other channels for the same purposes as outlined here (including personalized direct marketing) read more UCB Collects the following personal data about you: 1. Master data (i.e. data used to identify you in our systems): a) General and identification details: including your full name, title, language, a unique identifier assigned to you by and in our databases b) Your contact details: e-mail address c) Your professional details: including your job title, your area of expertise d) You interest area e) Country specific identifiers (including your local registration number as an HCP in relation to the local healthcare system) 2. Electronic identifiers: a) Information collected through cookies and other tracking technologies that will be set when you visit UCB websites or when you interact with our communications (e.g. when you are directed to our websites by clicking on “deeplinks” provided in e-communications to you). (Deeplinks mean hyperlinks inserted in UCB communications, which allow HCPs to visit certain UCB websites dedicated to them and skip the usual log-in). For more information on cookies and other tracking technologies used on UCB websites, please check the cookie policy on that website. 3. Activity Data (i.e. data related to our professional interaction with you other than clinical activities): a) Activity information, including whether or not e-mails sent to you by us were opened, if you accepted our invitation to e.g. online content, etc. 4. Consent management data (i.e. information on your utilization and preferences relating to communication format, channels and frequency): a) Whether you opted in for receiving such communications b) Whether you opted out for receiving such communications Failure to provide the abovementioned information will prevent UCB from sending to you the requested direct marketing communications UCB obtains this personal data from: You Our third party processors (as detailed in section 5.A) UCB retains (*) your personal data for: Master data: for the duration of our professional relationship with you. In relation to HCP retirement or cessation of professional activities: for a maximum of 36 months after we are informed of your retirement / cessation of professional activities Electronic identifiers: for more information on the retention periods of any cookies used, please check the cookie policy on that website Consent management data: this data is kept for 120 months following receipt of your consent UCB shares your personal data with: UCB affiliates and third party processors (as detailed in section 5.A) UCB relies on the following GDPR legal basis: Processing based on your consent For cookies and other tracking technologies, processing based on your consent (except for strictly necessary cookies). For more information please consult the cookie policy of the website you are visiting. close 8. In order to enable UCB to: a. [on an aggregate user level – through Google analytics] support and improve the functionality of and better understand usage patterns relating to our websites, we use cookies, including by retaining and evaluating information on recent use you made of our website and how you access different features of our website for analytics purposes so that we can make our websites more intuitive; b. [on an individual level] obtain insights regarding your preferences and interests by tracking your browsing behaviour on the UCB website(s) you visit, so that we may use this information to tailor our interactions (including face-to-face meetings and other communications) with you, and our offers to you. We may also combine your personal data collected through cookies, with other personal data we collected through other channels for the same purposes as outlined here (including to tailor our interactions and offers to you) read more UCB Collects the following personal data about you: On some of our websites we deploy Google Analytics, allowing for de-identified or aggregate tracking of website visitors, whereas on certain other websites we may ask your consent to allow for individual user tracking. The cookie consent(s) will be handled through the cookie banner and preference center on the UCB website you visit. No such cookies will be set until and unless you provide consent. [On an aggregate level – through Google Analytics – to the extent you have accepted the setting of such cookie(s)] Electronic identification data: IP address usage pattern information collected through such cookies Failure to provide the abovementioned personal data may result in (some features of) the UCB website not being accessible. [On an individual level – to the extent you have accepted the setting of such cookie(s)] 1. Electronic identifiers: a) IP address b) Information collected through cookies and other tracking technologies regarding your browsing behavior: UCB webpages visited, duration of visit, time and date of visit. For more information on any cookies and other tracking technologies used, please check the cookie policy on that website. 2. Master data (i.e. data used to identify you in our systems): a) General and identification details: including your full name, title, language, a unique identifier assigned to you by and in our databases b) Your contact details: e-mail address, postal address of the hospital(s) or HCOs you work at c) Your professional details: including your job title, your area of expertise d) You interest area e) Country specific identifiers (including your local registration number as an HCP in relation to the local healthcare system) Failure to provide the abovementioned information will prevent UCB from tailoring its interactions with you in line with your preferences. UCB obtains this personal data from: You UCB retains (*) your personal data for: For cookies, see our Cookie Policy for more information Data regarding your browsing behavior: this data is kept for 12 months Master data: for the duration of our professional relationship with you. In relation to HCP retirement or cessation of professional activities: for a maximum of 36 months after we are informed of your retirement / cessation of professional activities UCB shares your personal data with: UCB affiliates and third party processors (as detailed in section 5.A) UCB relies on the following GDPR legal basis: The setting of cookies on your browser will be subject to your consent (except for strictly necessary cookies). For more information, please consult the cookie policy of the UCB website you are visiting. Please note that the processing of information from these cookies will only occur for those UCB websites where such cookies are enabled and only to the extent that you have accepted the placement of those cookies on your browser. In that case the underlying processing of information is necessary for the purpose of the legitimate interests pursued by UCB to (i) conduct its business and improve upon its services and products (including its websites and content); and (ii) to tailor our interactions (including face-to-face meetings and other communications) with you, based on your needs and preferences. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy(**). close 9. (To the extent applicable) to execute a contract with you/ the HCO you are working for and to perform our obligations and exercise our rights under such contract (including billing and invoicing - to the extent applicable to our relationship with you), read more UCB Collects the following personal data about you: 1. HCPs working for an HCO: Your identification details: including your full name, professional identification number, title, language, a unique identifier assigned to you by and in our databases Your contact details: postal address, phone number(s), e-mail address Your professional details: including your job title, your area of expertise, your medical education, your professional background information Payment information (including to the extent applicable bank account number, tax related information Other information which we may be legally required to obtain (e.g. within the framework of clinical trials) or which may be required to enter into or perform the contract 2. Self-employed HCPs: Same personal data as indicated for HCPs working for an HCO* Payment information (including to the extent applicable bank account number, tax related information etc.) The abovementioned data is required/ necessary for the purpose of entering into a contract. Failure to provide such data prevents UCB from executing a contract with you/your HCO. Certain other information may (also) be legally required. Failure to provide us with information that is legally required, prevents us from complying with our statutory obligations. UCB obtains this personal data from: You (To the extent applicable) the HCO you work for Our third party processors (as detailed in section 5.A) UCB retains (*) your personal data for: For the duration of the abovementioned agreement and following the end of the agreement for a period of five years (for tax and bookkeeping purposes), except where we need to hold to such data longer for the establishment, exercise or defence of legal claims or for compliance with a legal obligation which requires such further processing. UCB shares your personal data with: UCB affiliates and third party processors (as detailed in section 5.A) Regulatory authorities UCB relies on the following GDPR legal basis: 1. In relation to personal data which we are legally required to obtain from/about you: processing necessary for compliance with our legal obligations, 2. In relation to the other personal data: HCPs working for an HCO: Processing necessary for the purpose of the legitimate interests pursued by UCB to conduct its business and to manage the contractual relationship with the HCO you work for/with. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy (**). Self-employed HCPs: Processing necessary for performance of a contract with you or in order to take steps at your request prior to entering into a contract close 10. To enable UCB to (i) comply with its EU/EU Member State legal obligations (including but not limited to pharmacovigilance, archiving and record keeping, transparency laws, etc.), (ii) perform regulatory audits, and (iii) respond to requests from (EU/ EU Member State) regulatory or judicial authorities, read more UCB Collects the following personal data about you: Your identification details: including your full name, function/ title, initials; Your contact details: including your e-mail address, telephone number, postal mail address; Your professional details: including your job title Any other information required as per our legal obligations (e.g. in relation to adverse event reporting, further information on the adverse event and your involvement therein; in relation to transparency reporting, information on transfer of value, etc.) The provision of this information is a statutory requirement. Failure to provide it will prevent UCB from fulfilling its legal obligations. UCB obtains this personal data from: You (To the extent applicable) the HCO you work for/with; Our third party processors (as detailed in section 5.A) UCB retains (*) your personal data for: For as long as required as per our legal obligations. E.g. in relation to adverse event related information for a period of 10 years following the end of the marketing authorisation for the relevant product UCB shares your personal data with: Competent regulatory and government agencies/authorities UCB affiliates and third party processors (as detailed in section 5.A) The general public in relation to transparency disclosures UCB relies on the following GDPR legal basis: Processing necessary for compliance with our legal obligations (including but not limited to pharmacovigilance laws, transparency laws etc.) close 11. To enable UCB to comply with industry guidelines relating to transparency (as opposed to mandatory law which is described above under point 9), read more UCB Collects the following personal data about you: Your identification details: including your full name, function/ title, initials Your contact details: including your e-mail address, telephone number, postal mail address; Your professional details: including your job title Transfer of value (including expenses and certain other financial information, e.g. amounts paid to you) Consent to receive emails related to transfer of value disclosure (pre-disclosure) Any other information which may be required as per industry guidelines Failure to provide the abovementioned information prevents UCB from complying with applicable industry guidelines. UCB obtains this personal data from: You (To the extent applicable) the HCO you work for/with; Our third party processors (as detailed in section 5.A) UCB retains (*) your personal data for: For as long as required per the applicable industry guidelines UCB shares your personal data with: Competent regulatory and government agencies UCB affiliates and third party processors (as detailed in section 5.A) The general public UCB relies on the following GDPR legal basis: Processing based on your consent for information related to the sending and receipt of any communications regarding transfer of value disclosure (pre-disclosure). Processing necessary for the purpose of the legitimate interests pursued by UCB to comply with industry requirements/guidelines and to conduct its business in a transparent manner. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy (**) close 12. To safeguard UCB’s business interests, including against legal claims and in legal proceedings and in order to provide evidence of transactions, read more UCB Collects the following personal data about you: Your personal data (including as set out in this policy), to the extent relevant to the legal claim, legal proceedings or transaction at hand UCB obtains this personal data from: You (To the extent applicable) the HCO you work for/with Our third party processors (as detailed in section 5.A) UCB retains (*) your personal data for: For the duration of the exercise or defence of the relevant legal claim, legal proceedings or transaction UCB shares your personal data with: Competent regulatory and government agencies UCB affiliates and third party processors (as detailed in section 5.A) Our advisors and outside counsel UCB relies on the following GDPR legal basis: Processing necessary for the purpose of the legitimate interests pursued by UCB, which include to conduct its business and defend its interests against legal claims and in legal proceedings. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy (**). close 13. To (i) perform audits based on non- European laws, (ii) comply with non- European laws and regulations and (iii) handle requests from non- European judicial or regulatory authorities, read more UCB Collects the following personal data about you: Your personal data as set out in this privacy policy, to the extent relevant to the audit, compliance with legal requirement or regulatory request UCB obtains this personal data from: You (To the extent applicable) the HCO you work for/with (To the extent applicable) our third party processors UCB retains (*) your personal data for: For as long as required as per our legal obligations. UCB shares your personal data with: Competent regulatory and government agencies UCB affiliates and third party processors (as detailed in section 5.A) UCB relies on the following GDPR legal basis: Processing necessary for the purpose of the legitimate interests pursued by UCB, which include to conduct its business and comply with the laws and regulations that govern its business. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy (**). close (*) We will retain your personal data in accordance with the retention periods set out in the table above. These retention periods, included in our data retention policy, are dictated by: Applicable statutory/legal requirements; Industry guidelines, and For those data categories for which no express statutory or legal requirements apply, certain other determining factors such as the need to prove or enforce a transaction or contract, enforce our policies, etc. We will delete your personal data once the abovementioned retention periods will have expired or if you object to or if you withdraw your consent to our processing of your personal data (to the extent such processing is based on your consent), except where we need to hold on to such data for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, for compliance with a European Union or European Union Member State legal obligation which requires such further processing or where we need to prove or enforce a transaction or contract or enforce our policies. (**) For more information or if you have any questions regarding how we assess this balance, please contact us through any one of the channels set out under Section 1 above (“Who we are and how you can contact us”). 4. YOUR RIGHTS AND HOW YOU CAN EXERCISE THEM A. Your rights Right to erasure read more You have the right to ask us to erase without undue delay personal data concerning you, where one of the following grounds applies: Your personal data are no longer necessary in relation to the purposes for which they were processed; You have withdrawn your consent - for those processing activities based on your consent – and we have no other legal ground for such processing; You object to the processing of your personal data (for more information on the right to object, see further below) and there are no overriding legitimate grounds for such processing; Your personal data have been unlawfully processed; Your personal data must be erased for compliance with a European Union or European Union Member State legal obligation to which UCB is subject; Please note that your right to erasure will not apply to the extent that processing is necessary for: exercising the right of freedom of expression and information; compliance with a European Union or European Union Member State Law to which UCB is subject; reasons of public interest in the area of public health in accordance with article 9(2)(h) and (i) GDPR as well as article 9(3) GDPR; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the relevant provisions of the GDPR; the establishment, exercise or defense of legal claims. For more information, please check section 4.B “How to exercise your rights”. close Right to objection to processing read more You have the right to object at any time, on grounds relating to your specific situation, to the processing of your personal data by UCB which is based on UCB’s pursuit of its legitimate interests as a controller. In that case UCB will no longer process your personal data, unless: UCB demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms; or For the establishment, exercise or defense of legal claims. You have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. For more information, please check section 4.B “How to exercise your rights”. close Right to withdraw consent read more Where the processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on your consent before its withdrawal. For more information, please check section 4.B “How to exercise your rights”. close Right of access read more You have the right to obtain confirmation from us as to whether or not we process personal data concerning you, and if so, the right (as far as this does not adversely affect the rights and freedoms of others) to obtain a copy of your personal data from us. For more information, please check section 4.B “How to exercise your rights”. close Right to rectification read more You have the right to ask us to rectify without undue delay any inaccurate personal data concerning you. You can also ask us to complete incomplete personal data regarding you by providing us with a supplementary statement containing such additional information. For more information, please check section 4.B “How to exercise your rights”. close Right to restriction on processing read more You have the right to obtain from UCB restriction of processing by UCB of your personal data where one of the following applies: You contest - in good faith - the accuracy of personal data regarding you and held by us, in that case the restriction of processing will apply for a period enabling us to verify the accuracy of your personal data; The processing is unlawful and you oppose the erasure of your personal data and request restriction of their use instead; We no longer need your personal data, but you require them for the establishment, exercise or defense of legal claims; You have objected to the processing of your personal data by UCB in accordance with the relevant GDPR provision, in that case the restriction of processing will apply for a period enabling us to verify if our legitimate grounds override yours. Please note that notwithstanding the above, we are still allowed to continue storing your personal data (throughout the period of restriction) or to process your personal data for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person. If you have requested restriction of processing, we will inform you before the restriction of processing is lifted. For more information, please check section 4.B “How to exercise your rights”. close Right to data portability read more You have the right (insofar this does not adversely affects the rights and freedoms of others) to receive the personal data concerning you, that you have provided to UCB, in a structured, commonly used and machine-readable format and to transmit those data to another controller, without hindrance from UCB, where the processing is: based on your consent or on a contract; and carried out by automated means For more information, please check section 4.B “How to exercise your rights”. close B. How to exercise your rights If you wish to exercise any of the rights mentioned above, please contact UCB as set out under section 1 (“Who we are and how you contact us”). Please clearly identify the right(s) you wish to exercise and include your contact details (including a valid e-mail or postal address) so that we can respond to your request. Please note that you may be asked to provide proof of your identity. When you contact us to exercise any of the rights mentioned above, we will respond to your request within one month following receipt of the request. This period may be extended by two additional months where necessary, but in that case we will inform you of any such extension within one month of receipt of your initial request together with the reasons for the delay. Right to lodge a complaint with supervisory authority In accordance with article 77 GDPR you have the right to lodge a complaint with a supervisory authority, in particular in the European Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that UCB’s processing of your personal data infringes the GDPR. Please visit the website of the relevant national supervisory authority for more information on how to submit such a complaint. 5. MORE DETAILS ON HOW WE PROCESS YOUR PERSONAL DATA A. Who we share your personal data with. Principle We will disclose your personal data only as described in this UGPPH (as further detailed above), as may be updated from time-to-time. UCB affiliates and third party processors UCB transfers or discloses your personal data to its personnel, affiliates, our third party service providers processing personal data on UCB’s and/or their own behalf for the purposes set out above and our partners (including e.g. other pharmaceutical companies) with whom we have a collaboration agreement and who have a need to know this information. Third party service providers include CRM and cloud service providers, IT services/ consulting/ outsourcing companies, database providers, market research suppliers, homecare delivery suppliers, event agencies and organizers, marketing and data analytics services providers, travel agencies and providers, banks and insurance companies that deliver services to us. These service providers provide their services from locations within and outside of the European Economic Area (EEA). Other third parties include regulatory and government agencies (see further below in this UGPPH), our advisors and external legal counsel, our auditors and potentially, third parties with whom UCB may merge or which may be acquired by UCB (see further below in this UGPPH). Compliance with laws and legal proceedings UCB will disclose your personal data where: UCB is required to do so by applicable law, by a governmental body or by a law enforcement agency; To establish or exercise our legal rights or defend against legal claims; To investigate, prevent or take actions against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our policies or as otherwise required by law. Other If a third party acquires all (or substantially all) of our business and/or assets, we will disclose your personal data to that third party in connection with the acquisition. However, such disclosure will occur subject to and in accordance with applicable data protection laws, including the GDPR. UCB will transfer your personal data to its affiliates, including our affiliates outside of the EEA. In that case UCB relies on UCB’s Binding Corporate Rules, which can be accessed through the following link: https://www.ucb.com/UCB_BCRs.pdf. The transfer of your personal data to third party service providers (as set out above under section 5A) in countries outside of the EEA that do not ensure an adequate level of (data) protection, occurs on the basis of Standard Contractual Clauses that have been executed between UCB and the relevant third party service provider. You may - by exercising your rights set out above under section 4.B (How to exercise your rights) - obtain a copy of the relevant safeguard UCB has put in place or ask UCB to redirect you to the place where they have been made available. In the absence of the aforementioned appropriate safeguards, UCB may – to the extent permitted under and in accordance with applicable data protection laws (including the GDPR) - rely on a derogation applicable to the specific situation at hand (e.g. the data subjects’ explicit consent, the necessity for the performance of an agreement, the necessity for the establishment, exercise or defense of legal claims). B. International transfers