Adverse Events, Product Quality Complaints or Medical information enquiries

Who is the controller of your personal information?

For the purposes of this Global Privacy Notice, Ipsen Pharma SAS, headquartered at 65, quai Georges Gorse – 92100 Boulogne-Billancourt, France, and its affiliates, are data controllers for the personal data processing described (referred to as Ipsen, we or us in this notice).

Ipsen is an international group of companies. As our headquarters are based in France, this notice is based on GDPR. For information related to Ipsen activity in your country and adherence to local privacy laws, please refer to the Privacy Notices on your country’s Ipsen website, which can be accessed via www.ipsen.com

What personal information do we collect about you?

Where the requestor or reporter is a Healthcare Professional (HCP), we will collect and process (as relevant):

• Basic information- your name, last name (including prefix or title).
• Contact information – information that enables us to contact you e.g., your personal or business email, mailing address, telephone number.
• Professional information and experience- information related to your qualifications, areas of expertise, place of practice.

Where the requestor or reporter is a patient or a member of the public, we will process (as relevant)

• Basic information- your name, last name (including prefix or title).
• Contact information – information that enables us to contact you e.g., your personal or business email, mailing address, telephone number.
• Contact details of any HCP who can provide further information.
• Patient’s identification data (e.g., initials, age, date/year of birth, gender, weight, height).
• Patient’s health data: treatments administered, test results, nature of any side effect(s), personal or family history, associated diseases or events, risk factors, information on the method of prescribing and use of the medicines and on the therapeutic conduct of the prescriber or health professionals involved in the management of the disease or side effect (s).
• Patient’s family situation (e.g., information relating to family history and descent, conception, progress, and outcome of pregnancy).
• Patient’s habits and behaviours (e.g., addiction, assistance, physical exercise, diet and exercise, dietary behaviour).

Why are we allowed to collect and use your personal information?

The personal data we collect in relation to this privacy notice will be used only for the specific purposes:

• Enable the prevention, monitoring, evaluation and management of adverse events or safety issues related to our medicines.
• Meet our legal obligation to report adverse events/safety issues to health authorities.
• Respond to medical information requests about our medicines.
• Monitor product quality complaints, product quality and potential of a market recall.
• In the context of medical information:

The legal basis for processing the personal data collected in the context of medical information is Ipsen legitimate interest to respond to your requests or inquiries. The processing of special categories of data, corresponding to your health data, is necessary for reasons of important public interest.

If you provide us with special category data of patient (e.g., about health) when you submit a medical information inquiry, you undertake to inform the patient or, where required, to obtain from the individual the consent to process that data.

The condition for processing special category data in the context of medical information is to meet our legal obligations in relation to public health, or, where required, based on the patient’s consent.

• In the context of pharmacovigilance:

The legal basis for processing the personal data collected in the context of pharmacovigilance is to meet relevant legal obligations and applicable health legislation. The processing of special

categories of data, corresponding to your health data, is necessary for reasons of important public interest.

• In the context of product quality complaints:

The legal basis for processing the personal data collected in the context of product quality complaints is to meet relevant legal obligations and applicable health legislation.

If you provide us personal data of a patient when you make a medical information request, report a side effect/safety issue or product complaint/ quality issue you undertake to provide the link to this Privacy Notice to the individual.

How do we protect your personal information?

To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, Ipsen and its third-party service providers have put in place appropriate physical, electronic, and organizational procedures to safeguard and secure the information we collect.

With whom do we share your personal information?

We share your personal information on a need-to-know basis and to the extent necessary to follow laws and regulations. We only share your personal information with teams in Ipsen companies who need to see it to do their jobs and fulfil the request made (e.g., to answer a question you have asked the company). This will include service providers who carry out certain activities on our behalf. We will also have to share your personal information with other Ipsen companies to manage our obligations. We will do this only where necessary, and these may include for example:

• Any entity who may acquire us or part of our business or brands.
• Suppliers managing side effects reports.
• Local or Global regulators, courts, governments, and law enforcement authorities.
• Professional advisors such as auditors.

Transfer of personal data outside of your home country?

We work all over the world. Therefore, personal data may be processed, accessed, or stored in a country outside the country where you are located, which may not offer the same level of protection of personal data as your home country.

When we transfer personal data to external companies in other countries, or across our International Ipsen entities, we will protect personal data by putting in place appropriate contractual agreements. When we transfer personal data from Ipsen companies in the European Economic Area (“EEA”) to a third country without an adequacy decision from the EU Commission, we will do so on the basis of standard contractual clauses approved by the European Commission. Similarly, we will protect personal data transfers from other countries including the UK and Switzerland using appropriate contractual clauses approved by the relevant authorities in those countries.

How long do we keep your personal information?

We will only retain the personal data, in relation to this privacy notice, for as long as we reasonably need to achieve the purposes described above and as required under applicable laws.

• In the context of medical information:

In no instance will your data be retained for longer than 25 years unless there is any legal or regulatory provision requiring otherwise.

• In the context of pharmacovigilance:

70 years after the product is withdrawn in the last country where the product is marketed.

• In the context of product quality complaints:

Personal data in relation to product quality complaints is kept for a minimum of 5 years.

What are your rights regarding your information?

You may have the following rights regarding your information depending on the circumstances and applicable legislation:

Contact information

If you would like to exercise any of these rights, have any questions about this privacy notice, need more information or would like to raise a concern you can contact us as follows:

• If you are not a patient, please send us a Data Subject rights request by completing this form.
• If you are a patient, please contact Ipsen Global Data Privacy Team at dataprivacy@ipsen.com, you should be aware that your identity will be revealed to the Data Protection Team.

If you are not satisfied with how Ipsen is handling your personal data, or you think that our processing is not compliant with data protection laws you have the right to complain to the relevant data protection supervisory authority.

Ipsen’s lead authority in the EU is the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, FRANCE.

Contact details for data protection authorities in other European countries can be found here: Our Members | European Data Protection Board 

For other countries, please refer to the local Ipsen website for details.

V1.2s Mar 24 AMPN