Privacy statement (suppliers and service providers)

Last updated: July 2023 Dear suppliers and service providers, With this privacy statement, we would like to let you know

• which personal data we collect, store, process, block and erase (this shall be collectively re-ferred to as “processing”),
• the purposes we use them for,
• how you can object to their use or withdraw your consent, as well as
• what other rights you have as a data subject and how you can exercise them.

1. Who is responsible for the data processing and who can I contact?

The data controller, as set out in the GDPR, is Lomapharm GmbH Langes Feld 5 31860 Emmerthal, Germany Phone: +49 (0) 5155 2791-0 Fax: +49 (0) 5155 2791-219 Email: service@lomapharm.de You can contact our company data protection officer by email at datenschutz@lomapharm.de or by post under the above address with the note “the data protection officer”. As a subsidiary of the Bionorica Group, we also receive various services from our parent company (e.g. cross-company IT, communication and database systems, central HR or financial accounting services, etc.) as part of a uniform group management and also process personal data in this context. In terms of data protection law, these processing operations are carried out under the joint responsibility of Lomapharm GmbH and Bionorica SE in accordance with Art 26 DS-GVO. Within the scope of the joint processing, the following key points apply:

• Lomapharm GmbH and Bionorica SE are equally responsible for the lawfulness of the joint processing operations and take appropriate technical and organizational measures to ensure that the rights of the data subjects are guaranteed at all times.
• Lomapharm GmbH undertakes to make the information obligatory under Articles 13 and 14 of the GDPR publicly available also with regard to the joint processing.
• In order to ensure appropriate transparency and reliable assertion of data subject rights, all data subject rights in the case of joint processing can in principle also always be asserted against Bionorica SE as the parent company of the group.
• Lomapharm GmbH and Bionorica SE are equally responsible for the information obligations resulting from Art. 33, 34 DS-GVO vis-à-vis the supervisory authority and the persons affected by a personal data breach.
• Both parties shall be jointly liable to the respective data subject for any damage caused by processing not in compliance with the GDPR in the external relationship.

We would be happy to provide you with an excerpt of our “Agreement on joint processing of personal data pursuant to Art. 26 DS-GVO”. For this purpose, please simply contact the above-mentioned contact.

2. Is there an obligation to make data available?

In the context of our business relationship, you only need to provide the personal data that are nec-essary for entering into and conducting a business relationship and the fulfilment of the contractual obligations related to it or that we are legally obliged to collect. Generally speaking, without these data, we would not be able to enter into the contract with you or perform it.

3. What sources and data does Lomapharm GmbH use?

We process personal data that we receive from our suppliers and service providers as part our busi-ness relationship. In addition, we process personal data that we obtain permissibly from publicly ac-cessible sources (e.g. the commercial register, the press and the internet), or that are permissibly transferred to us by other companies or other third parties (e.g. by credit agencies) to the extent that this is necessary for our cooperation. The personal data we process particularly include:

• personal details (name, address and other company contact data)
• order data and data from performing the contract (e.g. information on deliveries and services carried out)
• data from audits being performed (e.g. contact person data)
• data from carrying out tendering processes (e.g. curriculum vitae, certificates)
• as well as other data that are similar to data in the specified categories

4. Purposes of the processing and legal basis

We process personal data in accordance with the provisions of the European General Data Protec-tion Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) based on the following legal bases:

4.1 To fulfil contractual obligations (Art. 6(1)(b) GDPR)

The processing of data takes place for the purpose of fulfilling the contracts concluded with our suppli-ers and service providers, implementing pre-contractual measures taken at the request of our suppli-ers and service providers or carrying out all the tasks necessary in running and/or managing a pharma-ceutical company.

4.2 As part of the balancing of interests (Art. 6(1)(f) GDPR)

Where necessary, we process personal data in a way that goes beyond the fulfilment of the contract itself in order to protect our legitimate interests. This particularly includes the following activities and processes:

• the establishment of legal claims and defence in legal disputes,
• safeguarding the IT security and IT operations of our company,
• checking against sanctions lists that go beyond what is prescribed by law but which are customary.

4.3 On the basis of your consent (Art. 6(1)(a) GDPR)

To the extent that you have given consent to the processing of personal data for specific purposes, this processing of the data shall be lawful on the basis of your consent. Consent that has been given can be withdrawn at any time. This also applies to the withdrawal of declarations of consent that were given before the GDPR came into effect. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent free of charge and informally via our contact data stated in point 1. If consent is withdrawn by phone, we ask that, if necessary, you provide additional proof of your iden-tity using another means.

4.4 On the basis of legal requirements (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR)

Like every company, Lomapharm GmbH is also subject to many legal obligations which make it neces-sary to process personal data. Examples of these include, for instance, obligations in relation to identi-fication in order to prevent money laundering, supplier qualifications, checking against sanctions lists that are prescribed by law and compliance with fiscal documentation obligations.

5. To what extent is there automated decision-making in individual cases?

We generally do not use any fully automated decision-making, as referred to in Article 22 GDPR, to es-tablish or conduct the business relationship. If we implement this procedure in individual cases, you will be informed of this separately, insofar as this is legally required.

6. Who will receive my data?

Within Lomapharm GmbH, the bodies and departments that receive your data are those which re-quire them to fulfil our contractual and legal obligations. The service providers used, carefully cho-sen and monitored by us can also receive data for these purposes, but are, in this regard, bound by the requirements of data protection law that also apply to us, as part of so-called “contracted pro-cessing”. These may include, e.g. companies in the sectors of IT services, logistics, print services, tel-ecommunications, consultancy or marketing agencies. Disclosure to recipients outside Lomapharm GmbH shall only take place if there is a legal basis for this (e.g. a legal obligation or consent).

7. Are data transferred to companies in third countries or an international organisation?

Data are generally only transferred to bodies in states outside the European Union (so-called third countries) to the extent that, in addition to the general conditions for transferring data, there exists an adequacy decision (Art. 45 GDPR) or appropriate safeguards (Art. 46 GDPR) and, where necessary, there are additional measures or the requirements of Art. 49 have been fulfilled (e.g. if the corre-sponding consent has been given).

8. How long will my data be stored?

We process your personal data only as long as it is necessary to fulfil the purposes of the processing described above. If the data are no longer necessary for the fulfilment of the processing purposes described above, they will be erased, unless their processing (for a limited time) is necessary for the following purposes:

• Fulfilling retention obligations under commercial and tax law: These include the German Commercial Code (Handelsgesetzbuch – HGB) and the German Anti-Money Laundering Act (Geldwäschegesetz – GwG). The periods for retention and documentation stated there last up to 10 years.
• Preservation of evidence in the context of legal limitation periods. According to Section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may last up to 30 years, whereas the standard limitation period lasts for three years.

9. What rights do I have as a data subject?

As the data subject, you have the right of access under Article 15 GDPR. If a query is not in writing, we ask that, if necessary, you provide additional proof of your identity using another means. Moreover, you have the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, as well as the right to data portability un-der Article 20 GDPR. The right of access and the right to erasure are subject to the limits according to Sections 34 and 35 of the German Federal Data Protection Act. In addition, there exists a right to lodge a complaint with a competent data supervisory authority (Article 77 GDPR in conjunction with Section 19 of the German Federal Data Protection Act). Furthermore, you have the right to object under Article 21 GDPR and you can object to processing of personal data on the basis of Article 6(1)(e) or (f) GDPR at any time without giving reasons.