Pharmacovigilance Privacy Notice

In compliance with the provisions set forth by Legislative Decree no. 196/2003, Kedrion S.p.A., in its capacity as the Data Controller, hereby describes the purposes and the ways in which personal data are collected, and within which scope and how they are disclosed.

Purpose and type of data

Data, including sensitive data, provided by users to be processed, shall be processed and used straightaway to fulfil goals that are preliminary to, contingent on and consequential to:

1. Pharmacovigilance.

Pharmacovigilance is that group of operations the purpose of which is to permanently assess any drug safety information and make sure all commercial drugs deliver a favourable risk to benefit ratio to the population.

Pharmacovigilance includes the consistent assessment of drug safety information and any operation aimed at making sure all commercial drugs deliver a favourable risk to benefit ratio to the population.

Kedrion has a duty to meet the applicable pharmacovigilance regulations (LD April 30th 2015, Official Journal, Standard Series no.143 of 23-6-2015), which, in implementation of Directive 2010/84 of the European Parliament and European Council dated December 15th 2010, and Directive 2012/26/EU of the European Parliament and European Council dated October 25th 2012, lays down operating procedures and technical solutions for effective pharmacovigilance, and Form VI of the Good Pharmacovigilance Practices (GVP), paragraphs VI.C.6.2.2.8. and VI.B.4), by processing personal data in perfect compliance with Legislative Decree no. 196/2003.

As well as any relevant regulation, such as filing, organisation and processing. In any case, personal data shall be processed lawfully and in strict compliance with the applicable regulations.

Processing and filing

Data shall be digitally and electronically processed, and partly as hardcopy, by designated staff members. Data shall be filed on electronic and/or hardcopy records and protected by minimum regulatory safety measures.

Pharmacovigilance reporting data are kept on file for ten years, as from the expiration of the Marketing Authorisation (also known as AIC), unless required by the Data Controller for the purpose of defence.

Disclosure

Collected data shall not be disclosed. Such data may only be disclosed to parties other than the Data Controller, Data Supervisors and Data Processors as designated and listed under articles 29 and 30, Legislative Decree no. 196/2003, as amended, to pursue the above goals and within the scope thereof. Data may also be disclosed to public authorities, if such disclosure is compulsory under the industry regulations for a proper handing of reports.

Rights

The person concerned may assert his/her rights as described at articles 7, 8, 9 and 10, Legislative Decree no. 196 dated June 30th 2003, by contacting the Data Controller. In particular, under article 7, the person concerned is entitled to be confirmed whether any personal data exist even if not recorded yet and to be disclosed them in an intelligible form. The person concerned is entitled to be informed of: a) source of personal data; b) data-processing purposes and methods; c) electronic data-processing rationale; d) identity of the Data Controller, Data Supervisors and Data Processors under article no. 5, paragraph 2; e) parties or groups of parties the personal data may be disclosed to or that may come into possession of such personal data as the designated controller, supervisor or processor within the State.

The person concerned is entitled to: a) have the personal data updated, corrected or, if interested, added to; b) have the personal data converted into anonymous data; c) be certified that parties whom the personal data have been disclosed to have been made aware of the operations listed at a) and b) above, as well as their contents, unless such requirement is impossible to fulfil or would involve the use of means that would be clearly disproportionate to the protected right. The person concerned is entitled to partly or fully oppose to: a) have the personal data processed for sending advertising or direct-sale materials or to conduct market surveys or commercial information.

Data Controller, Data Supervisor

Please note that the Data Controller is Kedrion S.p.A., a company duly incorporated in Loc. Ai Conti – 55051 Castelvecchio Pascoli, Barga (LU); the Data Supervisor is Dr Alessandro Curotti, a Company Executive, resident at the company in such capacity (email [email protected]). A full list of Data Supervisors may be provided.

Data collection, Consent

Providing personal data is optional but it is necessary, since, if no response is given, the Data Controller cannot follow up on your request and cannot meet the applicable pharmacovigilance regulations.

Pursuant to art. 24, Legislative Decree no. 196/2003, consent to have the personal data processed is not required, since such personal data are collected to comply with the applicable laws.