Introduction

 

This Privacy Notice explains how IPSEN Single-Member LLC (“IPSEN,” “we,” “us”) collects, uses, stores, shares, and protects the personal data of Healthcare Professionals (HCPs) who:

  • collaborate with IPSEN,
  • participate in IPSEN’s activities, programs, scientific events, or projects,
  • provide services to IPSEN,
  • participate in advisory boards, clinical studies, or other scientific activities,
  • are current or potential customers of IPSEN’s products or services,
  • or interact in any way with IPSEN in their professional

 

IPSEN is committed to processing personal data in accordance with:

 

Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), applicable Greek legislation on the protection of personal data, the SFEE Code of Conduct, the EFPIA (European Federation of Pharmaceutical Industries and Associations) Code of Conduct, as well as the IPSEN Group’s internal personal data protection policies.

 

Who is the Data Controller for your personal data?

 The Data Controller is IPSEN Single-Member LLC. For data protection matters, please contact dataprivacy@ipsen.com

 

Your personal data may also be made available to other entities within the IPSEN Group of companies, for the purpose of better managing our interaction with Healthcare Professionals from a global perspective, to help harmonise IPSEN’s key business processes, facilitating a more consistent approach across all markets.

In any case, processing is carried out in accordance with the requirements of the General Data Protection Regulation (GDPR) and the applicable provisions of Greek law.

 

What personal data do we collect about you?

 IPSEN processes the personal data of Healthcare Professionals for various purposes related to its business, scientific, medical, and regulatory activities.

We process only the personal data necessary to achieve the respective processing purposes and for which we have an appropriate legal basis in accordance with the General Data Protection Regulation (GDPR).

Depending on the nature of your relationship or interaction with IPSEN, we may collect and process the following categories of personal data:

 

Contact information

Basic contact information, such as, for example:

  • full name,
  • job title,
  • specialty,
  • professional capacity,
  • email address,
  • mailing address,
  • landline and mobile phone numbers,
  • other contact information you provide to

 

Professional Information

Information related to your professional activities, such as:

  • employer,
  • job title,
  • field of activity,
  • medical specialty or other professional expertise,
  • professional qualifications,
  • academic degrees,
  • resume (Curriculum Vitae),
  • details of professional certification or licensure, where

 

Information regarding your scientific experience and expertise

We may process information regarding:

  • your participation in clinical studies or clinical trials,
  • your participation in scientific conferences,
  • scientific meetings / scientific events,
  • educational events,
  • advisory boards,
  • publications of scientific articles,
  • research projects,
  • scientific presentations,
  • your scientific and therapeutic focus,
  • your membership in scientific societies,
  • committees,
  • universities,
  • research institutions,
  • editorial boards of scientific journals,
  • professional honors,
  • awards,
  • educational activities,
  • other related scientific

 

We may also collect information that is publicly available, such as publications in professional media, scientific websites, or publicly accessible professional profiles and social media accounts.

 

Information required for your participation in events or visits to our facilities

To organise scientific events or other professional activities, we may collect information regarding:

  • travel documents (where required),
  • passport details,
  • visa information,
  • country of residence,
  • citizenship,
  • travel reservations,
  • accommodations,
  • special dietary requirements,
  • information required to organise your

 

In addition, we may process:

  • presentations,
  • speaker materials,
  • scientific material,
  • other documents you submit to us that contain your personal

 

During IPSEN events, the following may be collected:

  • photographs,
  • video footage,
  • audio and video from online meetings, when necessary and in accordance with applicable law.

If you visit IPSEN facilities, we may also collect information regarding:

  • access control,
  • facility security,
  • footage from closed-circuit television (CCTV) systems, where such systems operate

 

Contracts, Payments, and Transfers of Value

We may process information necessary for:

  • entering into and performing a contract,
  • the payment of fees,
  • reimbursing expenses,
  • fulfilling tax

This information may include:

  • bank account information,
  • tax information,
  • VAT information,
  • other financial data required by applicable

We also process information regarding:

  • grants,
  • donations,
  • educational grants,
  • consulting services,
  • any direct or indirect transfer of value, whether monetary or in kind, made by IPSEN to you.

 

Information about our interactions

We may retain information regarding:

  • our professional meetings,
  • visits by Medical/ Scientific, or Commercial teams,
  • scientific discussions,
  • the products or therapeutic areas you are interested in,
  • your participation in events,
  • comments,
  • opinions,
  • feedback,
  • market research results,
  • questionnaires,
  • polls,
  • Q&A sessions,
  • other scientific or business

 

Medical information, adverse event reports, and quality issues

If you contact IPSEN regarding:

  • a medical question,
  • an adverse event report,
  • a product quality complaint,
  • any other pharmacovigilance-related matter

 

we may process information about you or third parties in accordance with applicable pharmacovigilance legislation and IPSEN’s relevant privacy policies.

 

Access to Products or Services

If we provide you with access to IPSEN’s digital services or online platforms, we may process:

  • login credentials,
  • usernames,
  • passwords,
  • electronic identifiers,
  • authentication data,
  • service usage

 

Consent Records

IPSEN maintains a record of the consents you have provided to us, as well as any revocations thereof, where processing is based on your consent in accordance with the GDPR.

 

Why do we collect and use your personal data?

 IPSEN processes the personal data of Healthcare Professionals for various purposes. Depending on the purpose of the processing, we rely on different legal bases in accordance with Article 6 of the General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR).

 

Article 6(1)(f) of the GDPR – Legitimate Interests

 We process personal data when this is necessary for the legitimate interests of IPSEN, provided that your interests or fundamental rights and freedoms do not override those interests. In this context, we may process your data for the following purposes:

  • Managing our professional and scientific relationship
  • Handling requests
  • Scientific updates
  • Developing partnerships
  • Determining reasonable fees
  • Organizing scientific events
  • Photographing and videotaping events, where permitted by applicable law and following an assessment of legitimate interest or, where required, based on consent.
  • Participation in scientific activities
  • Verification of professional information
  • Internal audit and corporate transactions

 

Article 6(1)(b) of the GDPR – Performance of a contract

IPSEN processes personal data when it is necessary to:

  • entering into a contract with you,
  • performing our contractual obligations,
  • paying fees,
  • reimbursing expenses,
  • providing services you provide to IPSEN, such as, for example:
  • speeches,
  • participation in Advisory Boards,
  • scientific consulting services,
  • participation in the company’s projects and

 

Article 6(1)(a) of the GDPR – Consent

IPSEN requests your consent when required by applicable law. Specifically, consent may be requested for:

  • sending promotional materials via email,
  • the use of consent-based applications or digital services,
  • processing information regarding specific dietary requirements when such information reveals health data or religious beliefs,
  • use of personal photographs, videos, or testimonials,
  • disclosure of Transfers of Value in accordance with the SFEE Code of Conduct and the EFPIA Code of Practice, when such disclosure is based on your consent (if consent is not provided or is withdrawn, the relevant Transfers of Value may be disclosed in an

 

aggregated/anonymised form, in accordance with the requirements of the SFEE Code of Conduct and the EFPIA Code of Practice).

 

Article 6(1)(c) of the GDPR – Legal obligation

IPSEN processes personal data when required to comply with its legal obligations, such as:

  • compliance with accounting and tax obligations,
  • pharmacovigilance obligations,
  • reporting of adverse drug reactions,
  • managing product quality issues,
  • compliance with regulatory requirements of the competent authorities,
  • other administrative or regulatory obligations provided for by Greek or EU

 

Where do we obtain your personal data?

 IPSEN collects personal data from various sources, depending on the nature of your relationship or interaction with the Company.

Data We Collect Directly From You

We collect personal data that you provide to us directly, including:

  • when entering into or performing a contract,
  • when you register for or participate in scientific events,
  • when you participate in educational programs, Advisory Boards, market research, or other scientific activities,
  • when you communicate with IPSEN employees or partners,
  • through IPSEN’s online applications or digital services,
  • when you submit requests, questions, or information to

 

Data we receive from your employer or the organization you work with

In some cases, we may receive basic professional information from:

  • the hospital,
  • the clinic,
  • the university,
  • the research organization,
  • another organization where you are employed or with which you collaborate, when this is necessary for the organization or implementation of our

Publicly available sources

We may also collect information from publicly available sources, such as:

  • scientific publications,
  • scientific journals,
  • professional directories,
  • university websites,
  • hospital websites,
  • publicly accessible professional profiles,
  • publicly available media reports,
  • publicly available information on professional social media

 

This information is collected exclusively for purposes related to professional and scientific collaboration with IPSEN.

 

Specialised healthcare professional database providers

IPSEN may receive information from specialised healthcare professional data providers, such as, for example:

  • IQVIA OneKey
  • Veeva Link

or other similar providers, in accordance with applicable personal data protection laws. This information is used to:

  • updating contact information,
  • verifying professional status,
  • maintaining accurate and up-to-date contact information,
  • better understand your scientific and professional

 

Verification Information

In certain cases, we may collect or verify information regarding:

  • contact information,
  • financial information,
  • tax information,
  • bank account information,
  • professional certifications,
  • professional license,
  • other information required for compliance purposes or to carry out our

 

Event organisers and other partners

We may also receive personal data from:

  • conference organisers,
  • event planning professionals,
  • travel agencies,
  • hotels,
  • transportation companies,
  • other third-party partners providing services on behalf of IPSEN,

solely to the extent necessary for:

  • organizing scientific events,
  • managing travel and accommodations,
  • the performance of contracts,
  • or other legitimate business activities of

 

Principle of Data Minimization

IPSEN applies the principle of data minimization and collects only personal data that is appropriate, relevant, and limited to what is necessary to achieve the processing purposes described in this Privacy Notice.

 

To whom do we disclose your personal data?

 Access to your personal data is granted exclusively to individuals who have a legitimate business need to know it and only to the extent necessary for them to perform their duties.

IPSEN implements appropriate technical and organizational measures to ensure that access to personal data is restricted exclusively to authorised individuals.

 

IPSEN Employees

Your personal data may be accessed by authorised IPSEN employees, including, as applicable, the following departments:

  • Medical/Scientific,
  • Sales,
  • Market Access,
  • Regulatory Affairs,
  • Pharmacovigilance,
  • Finance,
  • as well as other corporate functions that are required to process your data in order to perform their duties.

Access is granted exclusively on a “need-to-know” basis.

 

IPSEN Group Companies

Your personal data may be shared with other companies within the IPSEN Group when necessary for:

  • coordinating the Group’s international activities,
  • harmonizing business processes,
  • managing relationships with Healthcare Professionals,
  • providing scientific and medical support,
  • fulfilling regulatory obligations,
  • implementing common compliance and corporate governance

 

Processors

IPSEN collaborates with third-party service providers, who act as Data Processors exclusively in accordance with IPSEN’s written instructions and the requirements of the GDPR.

 

For example, these providers may offer services such as:

  • Healthcare Professional Relationship Management (CRM) systems, such as Veeva Systems ,
  • Healthcare Professional databases,
  • IT and system hosting services,
  • cybersecurity services,
  • compliance services,
  • accounting and financial management services,
  • payment services,
  • conference and scientific event organization services,
  • hotel and transportation booking services,
  • courier services,
  • filing and document management services,
  • other specialised services necessary for the operation of

 

These service providers are contractually obligated to implement appropriate personal data protection measures and are not permitted to use your personal data for their own purposes.

 

Disclosure of Transfers of Value

In accordance with the transparency obligations set forth in the SFEE Code of Conduct and the EFPIA Code of Practice, IPSEN may disclose information regarding Transfers of Value made to Healthcare Professionals.

In Greece, this disclosure is made based on your consent, in accordance with IPSEN’s current policy and the applicable requirements of the SFEE.

 

Public Authorities and Regulatory Bodies

IPSEN may disclose personal data:

  • to competent judicial or administrative authorities,
  • to tax authorities,
  • to auditing bodies,
  • to regulatory authorities,
  • to the National Organization for Medicines (EOF),
  • to other competent public authorities,

 

when required by applicable law or upon a lawful request.

 

External auditors and professional advisors

As part of IPSEN’s lawful business operations, personal data may be disclosed to:

  • external auditors,
  • certified public accountants,
  • legal counsel,
  • tax advisors,
  • or other professional advisors

 

to the extent necessary for the provision of their services or for IPSEN’s compliance with its legal obligations.

 

Corporate Restructuring

In the event of a merger, acquisition, reorganization, transfer of business operations, or other corporate transaction, your personal data may be disclosed to the relevant advisors or successors of IPSEN, to the extent necessary to complete the transaction and in accordance with applicable data protection laws.

Transfer of personal data outside your country of residence Transfers within the IPSEN Group

IPSEN may transfer personal data to other companies within the IPSEN Group when

necessary for:

  • coordinating the Group’s international activities,
  • supporting common business processes,
  • providing medical, scientific, or regulatory support,
  • implementing common compliance policies,
  • providing IT and corporate support

 

Transfers to Third-Party Service Providers

IPSEN may also transfer personal data to external service providers acting on its behalf when this is necessary to provide services to IPSEN or to fulfill its business and regulatory obligations.

These service providers process personal data exclusively in accordance with IPSEN’s written instructions and are subject to appropriate contractual obligations regarding confidentiality and data protection.

 

Transfers Outside the European Economic Area (EEA)

In the event of a transfer of personal data from an IPSEN Group company established in the European Economic Area (EEA) to a country outside the EEA, IPSEN ensures that

 

appropriate safeguards are in place in accordance with Articles 44 through 49 of the General Data Protection Regulation (GDPR).

In particular, when the European Commission has not issued an adequacy decision for the destination country, IPSEN applies the Standard Contractual Clauses (SCCs) approved by the European Commission or another appropriate transfer mechanism provided for by the GDPR.

 

Transfers from Other Jurisdictions

For transfers of personal data from other countries, such as the United Kingdom or Switzerland, IPSEN applies the corresponding contractual or other approved safeguards required by the applicable data protection laws of those countries.

 

IPSEN implements appropriate safeguards for transfers outside the EEA, including Standard Contractual Clauses.

 

Protective Measures

IPSEN implements appropriate technical, organizational, and contractual measures to ensure that every international transfer of personal data is carried out in a manner that safeguards the confidentiality, the integrity, and the availability of personal data, and to provide a level of protection that is essentially equivalent to that required by the GDPR. Where required, Transfer Impact Assessments (TIAs) are conducted, and additional technical or organizational safeguards are implemented.

 

Further Information

You may request more information regarding international transfers of personal data or obtain a copy of the relevant safeguards, to the extent permitted by applicable law, by contacting IPSEN at: dataprivacy@ipsen.com

 

How long do we retain your personal data?

 IPSEN retains your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law.

The retention period for personal data is determined based on:

  • the nature of your relationship with IPSEN,
  • the purpose of the processing,
  • applicable legal and regulatory obligations,
  • the IPSEN Group’s record retention policies,
  • the compliance requirements applicable to the pharmaceutical

 

Operational needs

 IPSEN retains your personal data for as long as necessary to:

  • manage its business relationship with you,
  • fulfill its contractual obligations,
  • organise scientific and educational activities,
  • manage financial transactions and payments,
  • ensure compliance with the IPSEN Group’s internal

 

Legal and Regulatory Obligations

In certain cases, IPSEN is required to retain personal data for a longer period of time in order to comply with:

  • tax and accounting obligations,
  • obligations arising from pharmaceutical legislation,
  • pharmacovigilance obligations,
  • requirements of regulatory or supervisory authorities,
  • documentation and audit obligations,
  • other requirements provided for by Greek or EU

 

Deletion or Anonymization

Once the purposes of processing have been fulfilled and the relevant retention period has expired, IPSEN takes appropriate measures to ensure that personal data:

  • is securely deleted,
  • is anonymised so that it is no longer possible to identify a natural person,
  • is archived, when required by applicable

 

Restriction of Access

During the retention period, IPSEN implements appropriate technical and organizational measures to ensure that access to personal data is restricted exclusively to authorised individuals who have a business need to process it.

 

Record Retention Policy

IPSEN implements an internal Record Retention Policy, which specifies the retention periods for each category of personal data and the procedures for their secure deletion or destruction.

 

Personal data is retained only for as long as necessary for the purposes of processing and to meet IPSEN’s legal obligations.

 

How We Protect Your Personal Data

 IPSEN is committed to protecting your personal data and ensuring that its processing is carried out in accordance with the principles of the General Data Protection Regulation (GDPR) and applicable data protection laws.

To prevent unauthorised access, loss, alteration, unlawful disclosure, or other unauthorised processing of your personal data, IPSEN and its authorised partners implement appropriate technical, organizational, and administrative security measures, taking into account:

  • the nature of the personal data,
  • the scope, context, and purposes of the processing,
  • the risks to the rights and freedoms of natural persons,
  • technological developments and best practices in information

 

Examples of protective measures

IPSEN implements, as appropriate, measures such as:

  • access control to information systems,
  • user authentication,
  • management of access rights based on the need-to-know principle,
  • encryption or pseudonymization of data, where required,
  • protection of networks and information systems,
  • monitoring of security incidents,
  • backup procedures,
  • testing, evaluation, and regular review of the effectiveness of security measures,
  • staff training on data protection and information

 

Obligations of Our Partners

All third-party service providers that process personal data on behalf of IPSEN are contractually obligated to implement appropriate technical and organizational security measures and to process personal data exclusively in accordance with IPSEN’s instructions and the requirements of the GDPR.

 

Continuous Improvement

IPSEN regularly evaluates and updates the security measures it implements to ensure the ongoing protection of personal data and compliance with applicable regulatory requirements.

 

What are your rights regarding your personal data?

 In accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR) and applicable Greek law, you have certain rights regarding the processing of your personal data by IPSEN.

 

Depending on the circumstances and the legal basis for the processing, you may exercise the following rights:

 

1.  Right of access

You have the right to request confirmation as to whether IPSEN is processing personal data concerning you.

If such processing is taking place, you have the right to access your personal data as well as information regarding:

  • the purposes of the processing,
  • the categories of personal data,
  • the recipients or categories of recipients,
  • the retention period,
  • your rights under the GDPR,
  • any international transfers,
  • as well as any other information required by Article 15 of the

 

2.  Right to Rectification

You have the right to request the rectification of personal data that is inaccurate or incomplete.

IPSEN will take appropriate measures to ensure that the personal data it holds is accurate and up to date.

 

3.  Right to erasure (“right to be forgotten”)

You have the right to request the erasure of your personal data when the conditions of Article 17 of the GDPR are met, such as, for example, when:

  • the data is no longer necessary for the purposes of processing,
  • you withdraw your consent and there is no other legal basis for processing,
  • you object to the processing and there are no overriding legitimate grounds,
  • the processing is

 

This right is not absolute and may be restricted when the retention of the data is required by law or is necessary for the establishment, exercise, or defense of legal claims.

 

4.  Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data in the cases provided for in Article 18 of the GDPR.

During the restriction period, IPSEN may continue to store your personal data but will not process it further, unless permitted by the GDPR.

 

5.  Right to data portability

 When processing is based on your consent or a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.

You also have the right, where technically feasible, to request that your data be transferred directly to another data controller.

 

6.  Right to Object

You have the right to object, on grounds relating to your particular situation, to the processing of personal data based on IPSEN’s legitimate interest.

If you exercise this right, IPSEN will cease processing, unless it demonstrates compelling legitimate grounds that override your interests, rights, and freedoms, or when the processing is necessary for the establishment, exercise, or defense of legal claims.

When your personal data is used for direct marketing purposes, you have the right to object to such processing at any time.

 

7.  Right to Withdraw Consent

When processing is based on your consent, you may withdraw your consent at any time. Withdrawing your consent does not affect the lawfulness of the processing carried out prior to its withdrawal.

Withdrawal may apply, among other things, to:

  • receiving promotional communications,
  • the use of photos or videos,
  • the disclosure of Transfers of Value, when such disclosure is based on your

 

Exercising Your Rights

You may exercise any of the above rights by contacting IPSEN via email at:

dataprivacy@ipsen.com

 IPSEN will review your request and respond in accordance with the deadlines and requirements set forth in the GDPR and applicable law.

If you are not satisfied with how IPSEN is handling your personal data, or you believe that our processing is not compliant with data protection laws, you have the right to lodge a complaint with the competent data protection supervisory authority. In Greece, the competent authority is the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), Kifissias 1-3, 115 23 Athens, Greece, www.dpa.gr.