CLN-POL-0000049 Global Data Protection Policy

Policy

Effective Date: 14-Feb-2023

Version Number: 01

Author: Hannah Jones
Title: Legal Counsel
Date: 31-Jan-2023 | 3:44 PM GMT

Reviewer: Mark Ashton-Blanksby
Title: Director of Audit & ESG Programme Management
Date: 31-Jan-2023 | 3:45 PM GMT

Quality Approver: Najma Ali
Title: Responsible Person and Quality Manager
Date: 31-Jan-2023 | 3:47 PM GMT

If this Policy is a printed copy it shall be considered an uncontrolled copy


TABLE OF CONTENTS

1. Executive Summary
2. Purpose
3. Scope
4. Abbreviations and Definitions
5. Data Protection Principles
6. Policy Compliance and Maintenance
7. Contact
8. ANNEX A
9. Document History


1. Executive Summary

Clinigen Limited and any company, partnership or other person which directly or indirectly is controlled by Clinigen Limited ('Clinigen') processes personal data relating to patients, healthcare practitioners (including physicians and pharmacists), customers, clients, contractors, reporters of adverse events, employees/former employees/recruitment applicants/consultants ('Employees') and suppliers (referred to as 'Data Subject(s)').

Clinigen is committed to protecting the privacy of data subjects' Personal Data. Clinigen has, therefore, implemented a global data protection compliance program to ensure high standards for Clinigen's Data Processing of Personal Data. This Policy sets out the basis of this program and how Employees should manage Clinigen's data subjects' Personal Data.

2. Purpose

This Policy outlines our approach to data protection and the rights of data subjects in relation to their Personal Data. The Policy sets out the commitment made by Clinigen to:

  • manage Personal Data;
  • comply, and evidence on-going compliance, with applicable data protection laws, in the countries in which Clinigen operates;
  • ensure that Personal Data is processed in accordance with data subjects' rights.

3. Scope

This Policy applies to all Clinigen Personal Data, regardless of whether it is in paper or electronic format. All Clinigen Employees are required to adhere to this Policy.

Clinigen shall comply with applicable Personal Data protection laws and requirements in the territories within which it operates. This Policy applies to Clinigen globally, together with certain additional requirements for territories in which Clinigen operates where there are additional or differing data protection laws; please see the Territory Requirements for more information.

4. Abbreviations and Definitions

Key terms used within this Policy are defined in the table below:

Terms | Definition
Data Breach | An actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
Data Controller | The person or organisation that determines when, why and how personal data is Data Processed. The Data Controller is responsible for establishing practices and policies in accordance with data protection law.
Data Processor | Any natural or legal person, public authority, agency or other body which Data Processes on behalf of a Data Controller.
Data Processing, Data Processed or Data Process | Any activity that involves the use of personal data. It includes obtaining, recording or holding the personal data, or carrying out any operation or set of operations on such data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Data Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
DPIA | Data Protection Impact Assessment.
Data subject(s) | Has the meaning given in paragraph 1 of this Policy.
Employee(s) | Has the meaning given in paragraph 1 of this Policy.
Personal Data | Any information relating to an identified or identifiable natural person.
ROPA | Record of Processing Activities.

5. Data Protection Principles

5.1 Principles

Clinigen uses the following high-level principles to establish its practices for processing Personal Data:

  • Fairness: Clinigen shall process Personal Data in a fair, lawful, legitimate, and transparent manner.
  • Purpose Limitation: Clinigen shall only create or collect Personal Data for a specific, explicit, and legitimate purpose(s). Any subsequent processing shall be compatible with such purpose(s), unless Clinigen has obtained the individual's consent, or the processing is otherwise permitted by law.
  • Proportionality: Clinigen shall only process Personal Data that is adequate, relevant, and not excessive for the purpose(s) for which it is processed.
  • Data Integrity: Clinigen shall keep Personal Data accurate, complete, and up to date as is reasonably necessary for the purpose(s) for which it is processed.
  • Data Retention: Clinigen shall keep Personal Data in a form that is personally identifiable for no longer than necessary to accomplish the purpose(s), or other permitted purpose(s), for which the Personal Data was obtained.
  • Data Security: Clinigen shall implement appropriate and reasonable physical, technical, and organisational measures to safeguard Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, use, or access.
  • Individual Rights: Clinigen shall process Personal Data in a manner that respects data subjects' rights under applicable Personal Data protection laws.
  • Accountability: Clinigen shall implement appropriate governance, policies, processes, controls, and other measures necessary to enable it to demonstrate that its processing of Personal Data is in accordance with this Policy and applicable Personal Data protection laws.

5.2 Clinigen's Responsibilities

5.2.1 Related Policies, Procedures and Notices

In its role as Data Controller and/or Data Processor, Clinigen has established related policies and procedures in order to comply with data protection laws and regulations, which include:

  • Territory Requirements;
  • Employee Privacy Notice;
  • Clinigen Corporate Website Privacy Policy;
  • Website Cookies Policy;
  • Privacy Statement for Pharmacovigilance Data;
  • Information Security Policy;
  • Global Data Protection Governance Framework; and
  • Global Data Breach Management Procedure.

5.2.2 Training

All Employees are required to read this Policy and the related policies, procedures and notices listed in paragraph 5.2.1 above. Certain Employees are required to complete competency training to enable them to comply with data protection requirements. Training completion rates will be monitored centrally.

5.2.3 Third Party Data Processors

When Clinigen is a Data Controller, Clinigen retains responsibility and oversight of all Data Processing activities, even when Data Processing is carried out by a third party, on behalf of Clinigen. Where applicable, Data Processing activities conducted by a third party Data Processor are recorded in Clinigen's ROPAs.

5.2.4 Record Keeping

Clinigen maintains ROPAs, using a data protection compliance platform called "ROBUS". The ROPAs are reviewed at least annually and will be reviewed more frequently in the event of any significant organisational or Data Processing activity changes to Clinigen, to ensure that the ROPAs accurately reflect Data Processing activities.

If a ROPA deems a Data Processing activity to be high risk, Clinigen shall complete a risk assessment called a DPIA (these are also known as 'Personal Information Impact Assessments' or 'Privacy Impact Assessments' in some jurisdictions). A DPIA describes the purpose of the Data Processing, and includes an assessment of:

  • the necessity and proportionality of the Data Processing;
  • the potential risk to data subjects, as a result of the Data Processing; and
  • any risk-mitigation to reduce the risks identified for data subjects.

Employees should complete a risk assessment as a pre-requisite to any new process or project that involves Data Processing and/or any significant change to an existing process or project involving Data Processing. DPIAs are completed using ROBUS and are approved by a member of the Data Protection Compliance Board. Please see the Global Data Protection Governance Framework and/or any applicable Territory Requirements for further information.

5.3 Sensitive Personal Data and Children's Data

Clinigen recognises that some personal data requires additional protection, because it is particularly sensitive in nature. Any processing of sensitive personal data should be documented in a ROPA(s) and a risk assessment completed in ROBUS by the relevant Employee that owns the process utilising the sensitive personal data.

5.3.1 Sensitive personal data

Personal Data regulations and laws often refer to 'special category' or 'sensitive' personal data, a form of personal data that is sensitive in nature. Examples of sensitive personal data are:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data or biometric data (for the purposes of identification);
  • Health information; and
  • Information regarding an individual's sex life or sexual orientation.


Disclaimer

Clinigen Group plc published this content on 10 March 2023 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 10 March 2023 14:34:04 UTC.