For the purposes of this Global Privacy Notice, Ipsen S.A, headquartered at 70 rue Balard, 75015, Paris, France, and its affiliates, are data controllers for the personal data processing described (referred to as Ipsen, we or us in this notice).
Who is the controller of your personal information?
What personal information do we collect about you?
We will collect or use the following types of personal data:
- Identification data: first name, last name, date of birth, country of residence and tax residence, gender
- Contact Information: postal address, email address, telephone number
- Financial Information: bank or credit card information (for dividend payments), number of shares held, number of voting rights, number of votes, transaction history.
Why are we allowed to collect and use your personal information?
Ipsen processes your personal data for a range of purposes and related to those purposes, we rely on a number of different legal bases for that processing, as detailed in the table below.
| Legal bases | Purposes |
| Legal Obligation Article 6 (1) (c) | We collect and use your personal data to comply with our legal obligations under the French Commercial Code, the EU Market Abuse Regulation (MAR), and the French Monetary and Financial Code (Article L.621 18 2 et seq.), which govern shareholder identification, regulatory reporting, and mandatory disclosures. |
| Legitimate Interests Article 6 (1) (f) | We process your personal data for the following legitimate interests: understanding, analyzing, and monitoring our shareholder base and its evolution; managing the shareholder relationship; financial communication; organizing shareholder events; preventing fraud; responding to information requests; improving our services. |
Where do we get your personal data from?
We obtain your personal data directly from you. We also obtain personal data about you from Société Générale Securities Services (SGSS) via the Sharinbox platform, acting as the authorized account holder and registrar for Ipsen S.A or from other financial intermediaries involved in share acquisitions or transfers.
Société Générale Securities Services (SGSS) is responsible for managing the registered shareholder register, securities accounts and movements, corporate actions, dividend payments, and General Meeting‑related operations (including notices, vote collection, and attendance records). SGSS periodically provides Ipsen with a file listing all registered shareholder positions.
With whom do we share your personal information?
Information related to you will only be accessed by authorized employees at Ipsen, with a relevant and tangible need to access your information.
Ipsen also engages service providers to process your personal data on its behalf. Examples include Société Générale Securities Services (SGSS).
These service providers may only process your personal data in accordance with Ipsen’s instructions and may not use it for their own purposes.
Ipsen may also be required to share certain personal data with competent authorities, including the Autorité des Marchés Financiers (French Financial Markets Authority – AMF), tax authorities, or judicial authorities, in order to comply with legal obligations.
How long do we keep your personal information?
We will only retain your information in order to meet our operational needs and to comply with legislative requirements for retention in line with Ipsen’s retention policies.
The data is retained at least for as long as you remain a shareholder, and until the expiry of the applicable statutory retention periods.
How do we protect your personal information?
To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, Ipsen and its third-party service providers have put in place appropriate physical, electronic, and organizational procedures to safeguard and secure the information we collect.
Transfer of personal data outside of your home country?
We work all over the world. Therefore, personal data may be processed, accessed, or stored in a country outside the country where you are located, which may not offer the same level of protection of personal data as your home country.
When we transfer personal data to external companies in other countries, or across our International Ipsen entities, we will protect personal data by putting in place appropriate contractual agreements. When we transfer personal data from Ipsen companies in the European Economic Area (“EEA”) to a third country without an adequacy decision from the EU Commission, we will do so on the basis of standard contractual clauses approved by the European Commission. Similarly, we will protect personal data transfers from other countries including the UK and Switzerland using appropriate contractual clauses approved by the relevant authorities in those countries.
What are your rights regarding your information?
You may have the following rights regarding your information depending on the circumstances and applicable legislation:
| Right | What does this mean? |
| 1. The right of access | You have the right to obtain access to the information processed by Ipsen. |
| 2. The right to rectification | You are entitled to have your information corrected if it is inaccurate or incomplete. |
| 3. The right to erasure | This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there is no compelling reason for Ipsen to keep using it. This is not a general right to erasure; there are exceptions. |
| 4. The right to restrict processing | You have rights to ‘block’ or suppress further use of your information in certain circumstances. When processing is restricted, Ipsen can still store your information, but may not use it further. |
| 5. The right to data portability | You have rights to obtain and reuse your personal data in a structured, commonly used, and machine-readable format in certain circumstances. |
| 6. The right to object | You have the right to object to certain types of processing, in certain circumstances. |
Contact Information
If you would like to exercise any of these rights, please use this form.
If you would like to ask us about how we handle your personal data, you can contact our Global Privacy team by contacting dataprivacy@ipsen.com.
If you are not satisfied with how Ipsen is handling your personal data, or you think that our processing is not compliant with data protection laws you have the right to complain to the relevant data protection supervisory authority.
The data protection supervisory authority is the Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority – CNIL), 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France.