Privacy statement (consumers)

Last updated: July 2023 Dear consumer, With this privacy statement, we would like to let you know

• which personal data we collect, store, process, block and erase (this shall be collectively re-ferred to as “processing”),
• the purposes we use them for,
• how you can object to their use or withdraw your consent, as well as
• what other rights you have as a data subject and how you can exercise them.

1. Who is responsible for the data processing and who can I contact?

The data controller, as set out in the GDPR, is Lomapharm GmbH Langes Feld 5 31860 Emmerthal, Germany Phone: +49 (0) 5155 2791-0 Fax: +49 (0) 5155 2791-219 Email: service@lomapharm.de You can contact our company data protection officer by email at datenschutz@lomapharm.de or by post under the above address with the note “the data protection officer”. As a subsidiary of the Bionorica Group, we also receive various services from our parent company (e.g. cross-company IT, communication and database systems, central HR or financial accounting services, etc.) as part of a uniform group management and also process personal data in this context. In terms of data protection law, these processing operations are carried out under the joint responsibility of Lomapharm GmbH and Bionorica SE in accordance with Art 26 DS-GVO. Within the scope of the joint processing, the following key points apply:

• Lomapharm GmbH and Bionorica SE are equally responsible for the lawfulness of the joint processing operations and take appropriate technical and organizational measures to ensure that the rights of the data subjects are guaranteed at all times.
• Lomapharm GmbH undertakes to make the information obligatory under Articles 13 and 14 of the GDPR publicly available also with regard to the joint processing.
• In order to ensure appropriate transparency and reliable assertion of data subject rights, all data subject rights in the case of joint processing can in principle also always be asserted against Bionorica SE as the parent company of the group.
• Lomapharm GmbH and Bionorica SE are equally responsible for the information obligations resulting from Art. 33, 34 DS-GVO vis-à-vis the supervisory authority and the persons affected by a personal data breach.
• Both parties shall be jointly liable to the respective data subject for any damage caused by processing not in compliance with the GDPR in the external relationship.

We would be happy to provide you with an excerpt of our “Agreement on joint processing of personal data pursuant to Art. 26 DS-GVO”. For this purpose, please simply contact the above-mentioned contact.

2. Is there an obligation to make data available?

As a consumer, you are, as a general rule, not obliged to provide us with your personal data. There may be exceptions to this, e.g. when using our online services on the websites of Lomapharm GmbH. In this regard, we refer you to the corresponding privacy statement. This can be accessed on our website and all microsites.

3. What sources and data does Lomapharm GmbH use?

We only process personal data we receive from you personally (e.g. when reporting adverse drug reactions (ADRs)). An exception to this rule are reports of ADRs that we receive from health profes-sionals (e.g. doctors and pharmacists) if you have disclosed personal data to them and have agreed for them to be transferred to us. The personal data we process particularly include:

• personal details (name, address and other contact details) data regarding drug safety (e.g. health data and information on adverse drug reactions),
• other data that are similar to data in the specified categories.

4. Purposes of the processing and legal basis

We process personal data in accordance with the provisions of the European General Data Protec-tion Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) based on the following legal bases:

4.1 As part of the balancing of interests (Art. 6(1)(f) GDPR)

Where necessary, we process personal data to protect our legitimate interests. This includes, for example, the following activities and processes:

• the establishment of legal claims and defence in legal disputes,
• safeguarding the IT security and IT operations of our company,

4.2 On the basis of your consent (Art. 6(1)(a) GDPR)

To the extent that you or a medical professional have given consent to the processing of personal data for specific purposes (e.g. within the context of reporting adverse drug reactions), this pro-cessing of the data shall be lawful on the basis of your consent. Consent given to us can be withdrawn at any time. This also applies to the withdrawal of declarations of consent that were given before the GDPR came into effect. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent that you have given us free of charge and informally via our contact data stated in point 1. If consent is withdrawn by phone, we ask that, if necessary, you provide additional proof of your identity using another means.

5. To what extent is there automated decision-making in individual cases?

We do not use any automated decision-making processes.

6. Who will receive my data?

Within Lomapharm GmbH, the bodies and departments that receive your data are those which re-quire them to perform the task that your consent covers. The service providers used, carefully chosen and monitored by us can also receive data for these purposes, but are bound by the requirements of data protection law that also apply to us, as part of so-called “contracted processing”. These may in-clude, e.g. companies in the IT services or telecommunications sectors. Disclosure to recipients outside Lomapharm GmbH shall only take place if there is a legal basis for this (e.g. a legal obligation). Are data transferred to companies in third countries or an international organisation? Data are generally only transferred to bodies in states outside the European Union (so-called third countries) to the extent that, in addition to the general conditions for transferring data, there exists an adequacy decision (Art. 45 GDPR) or appropriate safeguards (Art. 46 GDPR) and, where necessary, there are additional measures or the requirements of Art. 49 have been fulfilled (e.g. if the corre-sponding consent has been given).

7. How long will my data be stored?

We process your personal data only as long as it is necessary to fulfil the purposes of the processing described above. If the data are no longer necessary for this purpose, they will be erased, unless their processing (for a limited time) is necessary for the following purposes:

• Fulfilling legal retention obligations: This includes the implementing regulation (EU) No 520/2012. The period given there for retention and documentation is at least 10 years after the end of the authorisation of the product concerned.
• Preservation of evidence in the context of legal limitation periods. According to Section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may last up to 30 years, whereas the standard limitation period lasts for three years.

8. What rights do I have as a data subject?

As the data subject, you have the right of access under Article 15 GDPR. If a query is not in writing, we ask that, if necessary, you provide additional proof of your identity using another means. Moreo-ver, you have the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, as well as the right to data porta-bility under Article 20 GDPR. The right of access and the right to erasure are subject to the limits ac-cording to Sections 34 and 35 of the German Federal Data Protection Act. In addition, there exists a right to lodge a complaint with a competent data supervisory authority (Article 77 GDPR in conjunc-tion with Section 19 of the German Federal Data Protection Act). Furthermore, you have the right to object under Article 21 GDPR and you can object to processing of personal data on the basis of Article 6(1)(e) or (f) GDPR at any time without giving reasons.