Data Privacy Notice for the STADA Global Compliance Reporting Portal

This data privacy notice contains information on the processing of personal data in connection with the global Compliance Reporting Portal, for which STADA Arzneimittel AG, Stadastraße 2-18, 61118 Bad Vilbel, Germany and its affiliates (hereinafter “we”, “STADA” or “us”) are the controller. Personal data means all information that relates to you personally. The following information is designed to provide transparency by helping you to understand how your personal data are processed.

We process the following types of personal data in the course of reports:

- Information for the personal identification of the reporter - if the report makes such data available - such as first and last name, gender, address, telephone number and e-mail address;
- Relationship of the reporter towards STADA (employee, customer, supplier, service provider or other party);
- Information on concerned persons, i.e. natural persons who are identified in a report as having committed or witnessed the violation, who have already been informed of the violation or who are in any other way associated with it. Such information is, for example, first and last name, gender, address, telephone number and e-mail address or other information that enables identification of such persons;
- Information about violations that may allow conclusions to be drawn about a natural person.

Sensitive information (special categories of personal data within the meaning of Art. 9 GDPR), such as racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as data on the state of health or sex life of the reporter and the person concerned, is to be omitted where it is not absolutely necessary for the report and the justification of the suspicion. If such sensitive data is provided, we process these data based on Art. 9 (2) (a) GDPR if they concern the reporter and on Art. 9 (2) (g) GDPR for all other persons concerned by a report.
The legal basis for the processing of personal data from the reporter is the reporter's consent according to Art. 6 (1) (a) GDPR. If you decide not to disclose your identity and therefore not to provide any personal data, this will not have any consequences. We will process the reported case without the personal data of the reporter. As a reporter, you have the right to withdraw your consent regarding your personal data at any time by writing to the address mentioned below. All other reported information, especially the data and documents transferred regarding the potential violation, can be further processed by us. The legal basis for the processing of personal data from other concerned persons is our legitimate interest in investigating relevant reports concerning potential violations of laws and procedures according to Art. 6 (1) (f) GDPR. Personal data from concerned persons can be obtained from the report of a violation, from internal sources such as the HR department, or directly from the concerned person during an investigation. We do not take decisions based solely on automated processing, including profiling, that have legal or other adverse effects on you.

STADA will store or delete the data collected in accordance with the relevant regulations. This means that data will be deleted if it is no longer required for the purposes stated in this notice and if no legal retention period is applicable (depending on the case, for example according to the EU Whistleblowing Directive and its national implementation, or other relevant regulations such as the German Supply Chain Act). However, statutory retention obligations or legitimate interests of STADA may justify longer storage of your data. For example, STADA may continue to retain your data during current litigation resulting from possible investigations.
We transfer your personal data to the following categories of recipients:

- IT service providers
- Employees of affiliates of STADA Arzneimittel AG on a case-by-case basis, depending on the need-to-know principle
- Courts, public authorities or other public bodies where necessary
- Service providers in the course of investigations (e.g. law firms or auditing companies)
- Processors bound by instructions in accordance with Art. 28 GDPR, such as IT providers

The recipients listed above may be located in a country outside the EU which potentially does not have an adequate level of data protection compared to the level of data protection within the EU. That means that the data protection laws in the country to which we transfer your data may not afford the same protection as in the European Union. As a rule, your data are only disclosed to third countries which do not have an adequate level of data protection under what are referred to as EU standard contractual clauses.

You are entitled under the EU General Data Protection Regulation to enforce the following rights against us:

• Right of access
• Right to rectification
• Right to restriction of processing
• Right to erasure/Right to be forgotten
• Right to data portability
• Right to object

You are also entitled to contact the relevant data protection authority. The relevant data protection authority for STADA can be reached at: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Mailbox 3163, 65021 Wiesbaden, Germany.

If you wish to exercise any of the above rights or to contact our Data Privacy Officer, please write to: compliance@stada.com. If you believe that the way in which we process your personal data is prohibited, or you have any other question regarding the processing of your personal data in the course of this system, please write to us at STADA Arzneimittel AG, Corporate Compliance Office, Stadastraße 2-18, 61118 Bad Vilbel, Germany or compliance@stada.com.