BACKGROUND

1. Gedeon Richter Plc., headquartered in H-1103 Budapest, Gyömrői út 19-21., Hungary, Cg. 01-10-040944 (hereinafter referred to as “Richter”) ,with its Affiliate Gedeon Richter Romania S.A., headquartered in 99-105, Cuza Voda st, 540306 Targu-Mures, Romania,  VAT no. RO1200929, reg. J26/15/91, (hereinafter jointly referred to as “we” or “us”) firmly committed to respecting your data protection and privacy rights and protecting your personal data. Therefore, this Privacy Notice aims to explain how we process and protect your personal data whenadverse drug reaction in connection with our product(s)

   - you report an adverse event/adverse drug reaction in connection with our product(s)

   - you request information about one or more of our products, or

   - you submit other claims or questions connected to pharmacovigilance issues, adverse events/adverse drug reactions or medical issues

   We will use the information you (or other person) provided for us about yourself or connected to you, by sending us via any channel (e.g. direct email or websites) a question or an adverse event / adverse drug reaction notification, or by calling us in order to take the necessary actions regarding your request or notification.

   This may include the processing of personal information relating to you as an identified or identifiable natural person (i.e. personal data) which is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”). Under the GDPR, you as data subject has the right to submit any question or complaint you may have to Richter (as data controller) or a complaint against Richter to the data protection supervisory authority of your habitual residence. In Romania this data protection supervisory authority is The National Supervisory Authority For Personal Data Processing,  address: 28-30 G-ral Gheorghe Magheru Bld. District 1, post code 010336,    +40.318.059.211, fax: +40.318.059.602, Bucharest, Romania, website:http://www.dataprotection.ro, phone: email address: anspdcp@dataprotection.ro. We recommend to contact Richter as data controller first if you have any questions or complaints before submitting a query to the authority regarding the handling of your personal data by sending an email to the email address dataprotection@gedeon-richter.ro or a postal letter to 99-105, Cuza Voda st, 540306, Tirgu Mures, Romania.

    

2. CONTACT DETAILS OF THE DATA CONTROLLER AND ITS DATA PROTECTION OFFICER

   The data controller status is determined by the fact who is the Marketing Authorisation Holder.  Please, find the information on the Holder of Marketing Authorization in the Patient Information Leaflet of the pharmaceutical product.

    

   The contact details of data controller in respect of products where the Marketing Authorisation Holder (MAH) is Richter:	The contact details of data controller in respect of products where the Marketing Authorisation Holder (MAH) is GR Romania:
   Name: Chemical Works of Gedeon Richter Plc. Seat: H-1103 Budapest, Gyömrői út 19-21., Hungary Postal address: 1475 Budapest, P. O. Box 27, Hungary Company registration number: Cg. 01-10-040944 Tax number: 10484878-2-44 Website: www.richter.hu Chief executive officer: Mr Gábor Orbán	Name: Gedeon Richter Romania S.A. Seat: 540306 Tirgu Mures, str. Cuza Voda 99-105, Romania Postal address: see above Company registration number: J26/15/91 Tax number: RO1200929 Website: www.gedeon-richter.ro Managing Director: Dana Chelărescu
   Data Protection Officer/Data Protection Responsible Person	Data Protection Officer/Data Protection Responsible Person
   email address: dataprotection@richter.hu postal address: 1475 Budapest, P. O. Box 27, Hungary	email address: dataprotection@gedeon-richter.ro postal address: 540306 Tirgu Mures, str. Cuza Voda 99-105, Romania

   
   

   The contact details of data processors in respect of products where the Marketing Authorisation Holder (MAH) is Richter[1]

   The contact details of data processors in respect of products where the Marketing Authorisation Holder (MAH) is GR Romania:

   Name: Gedeon Richter Romania S.A. Seat: 540306 Tirgu Mures, str. Cuza Voda 99-105, Romania Postal address: see above Company registration number: J26/15/91 Tax number: RO1200929 Website: www.gedeon-richter.ro Managing Director: Dana Chelărescu   2. Name: ArisGlobal Limited Seat: 16A, Lincoln Place, Dublin 2, Ireland Website: https://www.arisglobal.com/contact-us/

   Name: Chemical Works of Gedeon Richter Plc. Seat: H-1103 Budapest, Gyömrői út 19-21., Hungary Postal address: 1475 Budapest, P. O. Box 27, Hungary Company registration number: Cg. 01-10-040944 Tax number: 10484878-2-44 Website: www.richter.hu Managing Director: Mr Gábor Orbán   The subcontractor of the Processor: Name: ArisGlobal Limited Seat: 16A, Lincoln Place, Dublin 2, Ireland Website: https://www.arisglobal.com/contact-us/

    
3. DEFINITIONS

   “Adverse event” means any untoward medical occurrence in a patient or clinical trial subject administered a medicinal product and which does not necessarily have a causal relationship with this treatment.

   “Adverse drug reaction” means a response to a medicinal product which is noxious and unintended. A causal relationship between a medicinal product and an occurrence is suspected.

   “Data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

   “EudraVigilance” means a centralised European database of suspected adverse reactions to medicines that are authorised or being studied in clinical trials in the European Economic Area (EEA).

   “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

   “Medical Information Service” means an organizational unit within Richter which provides information to customers, healthcare professionals and/or the members of the public on the products marketed by Richter.

   “Pharmacovigilance” a compound word derived from pharmakon (Greek for drug) and vigilare (Latin for to keep watch) that means guarding against the adverse effects of pharmaceutical products. Guarding means ensuring the safe use of drugs, assessing their efficacy and monitoring new and known side effects. The term pharmacovigilance includes any activity carried out in order to ensure the safe use of drugs. According to the World Health Organisation (WHO) definition published in 2002, pharmacovigilance “is defined as the science and activities relating to the detection, assessment, understanding and prevention of adverse effects or any other drug-related problems.”

   “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    

4. HOW SHOULD THE DATA SUBJECT BE INFORMED ABOUT THIS PRIVACY NOTICE?

   As we describe the possible sources of information in Point 5.2 below, it is not an ultimate situation that we receive information directly from the data subjects (persons who are directly concerned by the adverse event or require product-related medical information).

   Informing data subjects about the data processing is a privacy principle. We are bound by this obligation even if the personal data is not received directly from the data subject her/himself. However, in some cases we do not possess enough information about the data subject (including the lack of contact data). In such cases we are not able to directly contact the data subjects and inform them directly, after we receive an information on them from the reporter.

   For cases, when the source of information (i.e. reporter) is not the data subject her/himself, we suggest and encourage the reporter to inform the data subject (directly affected person) about the existence and availability of this Privacy Notice. It is desirable to share the URL link to this Privacy Notice, or at least refer to the content and/or the environment where the Privacy Notice can be found.

    

5. PHARMACOVIGILANCE
   • 5.1.WHAT ARE THE CIRCUMSTANCES OF THE PERSONAL DATA PROCESSING?

   We will process the personal data with the following circumstances.

   Purposes of our data processing	Legal basis of our data processing	What personal data may we handle?	How long do we keep these data?
   Richter handles personal data in order to facilitate that Richter - is able to fulfil its obligations prescribed by the legal regulations in connection with the reported adverse events /adverse drug reactions; - is able to operate the drug safety monitoring system; - is able to fulfil the reporting obligation of adverse drug reactions prescribed by legal regulations. In order to be able to monitor the safety profile of our products, we may - assess the reported adverse event / adverse drug reaction information; - gather further information about the adverse event / adverse drug reaction and the circumstances; - reply to reporters. - follow-up reports.	Richter is obliged by pharmacovigilance legislation to record, process and store information on adverse events / adverse drug reactions and personal data included in such reposts, furthermore to submit these reports according to the applicable legal regulations. Such legal regulations are: - Commission Implementing Regulation (EU) No 520/2012 of 19 June 2012 on the performance of pharmacovigilance activities provided for in Regulation (EC) No 726/2004 of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council; - Guideline on good pharmacovigilance practices (GVP) – Module VI – Collection, management and submission of reports of suspected adverse reactions to medicinal products; - 15/2012. (VIII. 22.) Decree of the Minister of Human Capacities (Hungary)	Personal data of the · Patient - Contact details (e.g. name, email address, phone number, address) - Age, sex, sexual life - Weight, height - Ethnic origin - Information of patient’s relatives - Past and current medicinal therapies or remedies - Medical status - Medical history · Reporter - Contact details (e.g. name, email address, phone number, address) - Profession - Relationship with the patient	Richter archives and stores the pharmacovigilance data as long as the product is authorised and for an additional 10 years after the marketing authorisation has ceased to exist. Based on GVP module VI. C.2.2. and paragraph 2 of Article 12 of Commission Implementing Regulation (EU) No 520/2012 of 19 June 2012 on the performance of pharmacovigilance activities provided for in Regulation (EC) No 726/2004 of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council

1. • 5.2.WHAT/WHO IS THE SOURCE OF THE ADVERSE EVENT / ADVERSE DRUG REACTION INFORMATION?

   Richter may receive information on adverse events / adverse drug reactions from the below sources:

   However, in most of the cases we will receive personal data from the above sources with direct data sharing, and originally we do not oblige persons to send us an adverse event / adverse drug reaction report, in case we receive any information concerning an adverse event / adverse drug reaction which might be in connection with any of our products, we are obliged by law to collect information on the case and handle it according to the defined pharmacovigilance procedure. This results that we are obliged by law to process personal data, after we will be familiar with such data.

   Please note that healthcare professionals are obliged by law to report about adverse drug reaction they receive information on.

   Please also note that we are always obliged to administer and register the contact details (name and other contact data) of the reporter of adverse event / adverse drug reaction.

   • 5.3.FORMS OF RECEIVING INFORMATION

   Richter may receive information addressed directly to Richter on adverse events / adverse drug reactions in the below forms, through the below listed channels:

   Electronic - written / postal - written / personal - oral

   The pharmacovigilance reporting procedure is strictly regulated by the European Union and national legal regulations. During the handling of the reports we may carry out the following actions:

   According to the pharmacovigilance legislation Richter may share personal data in connection with pharmacovigilance information:

   We will process the personal data with the following circumstances, unless the question/request concerns Pharmacovigilance related issues because in such case, Section  7 shall apply.

    

   Purpose of our data processing	Legal basis of our data processing	What personal data may we handle?	How long do we keep these data?
   To reply to your question and to follow-up your request.	Your previously given informed consent.	Your contact details and the data provided in your request. (e.g.: name, email, phone number, health related data, other data which you share with us in your communication.)	Until your question/request is answered but the data will be kept for five years at the latest.

    

   • 6.2.WHAT/WHO IS THE SOURCE OF THE MEDICAL INFORMATION REQUEST/QUESTIONS?

   Richter may receive medical information, medical enquiry from the below sources.

   Richter may receive medical information requests/questions addressed directly to Richter in the below forms, through the below listed channels:

   Electronic - written / postal - written / personal - oral

   During the processing of the data that we have received, we may carry out the following actions:

   In order to follow-up your questions or reply to your request Richter may share personal data:

   We will process the personal data with the following circumstances, unless the question/request concerns Pharmacovigilance related issues because in such case, Section 5 shall apply or medical information requests/questions because in such case Section 6 shall apply.

    

   Purpose of our data processing	Legal basis of our data processing	What personal data may we handle?	How long do we keep these data?
   To fulfil your request.	Your previously given informed consent.	Your contact details and the data provided in your request. (e.g.: name, email, phone number, health related data, other data which you share with us in your communication.)	Until your question/request is answered but the data will be kept for five years at the latest.

     

   • 7.2.WHAT/WHO IS THE SOURCE OF THE REQUEST?

   Richter may receive requests from the below sources.

   • 7.3.FORMS OF RECEIVING OTHER REQUESTS

   Richter may receive other requests addressed directly to Richter in the below forms, through the below listed channels:

   Electronic - written / postal - written / personal - oral

   During the handling of the requests we may carry out the following actions:

   Richter may share personal data in connection with the request:

   When we handle (including disclose) personal data, we always ensure confidentiality of the personal data, apply restricted access to the personal data, impose contractual safeguards on our partners and service providers, operate internal procedures in order to comply with our data protection obligations, operate sufficient technical and organizational measures to protect the personal data, and we ensure the data protection principles, especially the principle of data minimisation and time and purpose limitation.

2. WHICH RIGHTS DO YOU HAVE OVER YOUR PERSONAL DATA

• you report an adverse event/adverse drug reaction in connection with our product(s),
• you request information about one or more of our products, or
• you submit other claims or questions connected to pharmacovigilance issues, adverse events/adverse drug reactions or medical issues.

• patient;
• healthcare processional (e.g. doctors, pharmacists, nurses, vets, dentists, opticians, chiropodists, midwives, laboratory directors, bio-medical operatives, physiotherapists, nutritionists);
• third person (e.g. family member of the patient, attorney-at-law, colleague);
• public source (e.g. professional articles);
• -other source.

• email communication;
• personal communication;
• phone communication or by fax;
• Richter’s websites, social media;
• postal letter.

   

  • 5.4.WHAT DO WE DO WITH THE INFORMATION ON ADVERSE EVENT / ADVERSE DRUG REACTION?

• Receiving the information on adverse event / adverse drug reaction via e-mail, via websites, via phone calls, via postal letters, via personal information sharing, via public source search.
• Registering the adverse event / adverse drug reaction into our own, national and international databases. processing and
• Assessing the adverse event / adverse drug reaction (i.e. medical evaluation of the adverse event report).
• Follow up questions in connection with the adverse event if the originally provided or available information is not sufficient for the complex evaluation of the case.)asking the adverse event. (I.e.
• Transferring and disclosing data on adverse event / adverse drug reaction to recipients listed in Point 5.5 below.
  • 5.5.DO WE DISCLOSE OR TRANSFER YOUR PERSONAL DATA?

• with Gedeon Richter Plc. as the mother company,;
• with regulatory authorities, national health authorities (National Agency for Medicines and Medical Devices, including submitting the case into EudraVigilance system (however transferring personal data to EudraVigilance system is very rare since anonym data are sufficient);

1. MEDICAL INFORMATION SERVICE
   • 6.1.WHAT ARE THE CIRCUMSTANCES OF THE PERSONAL DATA PROCESSING?

• patient;
• healthcare processional (e.g. doctors, pharmacists, nurses, vets, dentists, opticians, chiropodists, midwives, laboratory directors, bio-medical operatives, physiotherapists, nutritionists);
• third person (e.g. family member of the patient, attorney-at-law, colleague).
  • 6.3.FORMS OF RECEIVING MEDICAL INFORMATION REQUEST/QUESTION

• email communication;
• personal communication;
• phone communication or by fax;
• Richter’s websites, social media;
• postal letter.
  • 6.4.WHAT DO WE DO WITH THE MEDICAL INFORMATION, MEDICAL ENQUIRY?

• Receiving the information via e-mail, via websites (including social media), via phone calls, via postal letters, via personal information sharing.
• Registering the medical information into our own, or the contractual Partner’s databases. processing and
• Assessing the medical information.
• Follow up the medical enquiry.
• Transferring and disclosing personal data to recipients listed in Point 6.5 below.
  • 6.5.DO WE DISCLOSE OR TRANSFER YOUR PERSONAL DATA?

• with entities (Gedeon Richter Plc. as the mother company, other affiliates and representative offices) within Richter group;

1. OTHER REQUESTS
   • 7.1.WHAT ARE THE CIRCUMSTANCES OF THE PERSONAL DATA PROCESSING?

• patient;
• healthcare processional (e.g. doctors, pharmacists, nurses, vets, dentists, opticians, chiropodists, midwives, laboratory directors, bio-medical operatives, physiotherapists, nutritionists);
• third person (e.g. family member of the patient, attorney-at-law);
• -other source.

• email communication;
• personal communication;
• phone communication or by fax;
• Richter’s websites;
• postal letter.
  • 7.4.WHAT DO WE DO WITH THE REQUEST?

• Receiving the request via e-mail, via websites (including social media), via phone calls, via postal letters, via personal information sharing,
• Registering and processing the request into our own databases.
• Assessing the request.
• Follow up the request.
• Transferring and disclosing personal data to recipients listed in Point 7.5 below.
  • 7.5.DO WE DISCLOSE OR TRANSFER YOUR PERSONAL DATA?

• with entities (Gedeon Richter Plc. as the mother company, other affiliates and representative offices) within Richter group;

1. WHAT SAFEGUARDS DO WE USE?

You have the right:

• to request access to your personal data,
• to request transfer of your personal data to you or to another person,
• to restrict the processing of your personal data,
• to correct or erase incorrect or outdated information,
• to delete your personal data (as regards personal data which are processed based on your consent),
• to object the processing of your personal data in specific cases (as regards personal data which are processed based on our legitimate interest and legal regulation).

If you contest the use of your personal data, you can also ask that we restrict the processing of these data.

If we use your personal data based on your consent, you can withdraw this consent in most of the cases.

Please note, that the above-mentioned rights may be limited. We are obliged by law to process pharmacovigilance data. In these cases, we are not allowed to delete some of your personal data.

Of course, if the legal regulations allow us, we will stop the data processing and delete your data for such purpose.

To exercise your rights, please send us your request to one of our contact data as detailed above. Also, you have the right to submit a complaint to the data protection supervisory authority as detailed in the first, background section of this Privacy Notice.

Please also note that we may need to check your identity before we comply with your request. Therefore, we may ask you to provide us with some additional data.