PRIVACY NOTICE – CHIESI FARMACEUTICI S.P.A.

Chiesi Farmaceutici S.p.A. ("Chiesi") wants to inform you that Chiesi will process your Personal Data as a data controller under the provisions of Regulation (EU) 679/2016 ("GDPR").

"Personal Data" is information about an identified or identifiable living individual. Different information collected together can identify a particular person and constitute personal data.

"Processing of Personal Data" covers a wide range of operations performed on personal data, including manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

"Data Subject" is the identified or identifiable living individual to whom personal data relates.

"Initiative" is GRD R&D Annual Meeting taking place in Marbella (Spain) from 19th to 22nd November 2024.

(1) HOW WE COLLECT AND USE YOUR PERSONAL DATA

PURPOSES:

We need to process your Personal Data to manage your registration and assist you with your participation in the Initiative, including booking your accommodation and managing your travel and stay. Moreover, during the Initiative, we may take photos or record videos that we will publish through the internal communication channels of the company, including sharing platforms, such as its websites and company monitors. By registering to the Initiative, you authorize Chiesi and its affiliated companies to use your images and process your data for the above-mentioned purposes. Please note that if you prefer not to be recorded or photographed, you must inform the organization staff in advance.

PROCESSED PERSONAL DATA:

• Identification data such as name, surname, working e-mail, job title, passport/ID number, phone number, and any additional data voluntarily shared by you with your participation in the Initiative.
• Photo, video, pictures, audio recording and other reproductions of your physical likeness.
• Health data, namely, information related to food intolerances or health conditions, or walking difficulties that may require our assistance to better accommodate your participation may require our assistance to accommodate your participation better.

LEGAL BASIS OF THE PROCESSING:

Legitimate interest pursuant to Article 6, first paragraph (f) of the GDPR, Chiesi may rely on its legitimate interest to fulfill your request for registration and participation in the Initiative. For the purpose of your registration and participation in the Initiative, the provision of your personal data is mandatory and, in case of failure to provision or your subsequent objection to the processing, Chiesi will not be able to allow you to participate in the Initiative. Moreover, Chiesi may rely on its legitimate interest to share some information (including images and videos) with other companies of the Chiesi Group. Processing carried out based on the legitimate interest of Chiesi or a third party will only take place on condition that the interests or fundamental rights and freedoms of the data subject are not overridden.

Consent if, for the purpose of your participation in the Initiative and for the accommodation of your meals, you deem it appropriate to communicate to Chiesi special categories of data pursuant to Article 9 of the GDPR (e.g., food intolerances, any special dietary regimes, walking difficulties, etc.), Chiesi may process such information for the purpose of managing these kinds of requests. The legal basis for the processing of your special categories of data is your explicit consent in accordance with Article 9(1)(a) of the GDPR. The provision of your personal data of a special nature or the related explicit consent under Article 9 of the GDPR is optional, but any refusal on your part will not allow Chiesi to manage your requests for this purpose. Such consent will be considered freely given by flagging the relevant checkbox.

We will also retain your Data to comply with applicable laws and regulations and fulfill competent authorities' requests.

(2) HOW WE SHARE AND PROTECT YOUR PERSONAL DATA

How We Share Your Personal Data

• Compliance with laws and regulations: we may disclose your Personal Data to third parties such as governmental agencies, regulators, and courts under the applicable laws to handle legal disputes or requests;
• Service providers: Chiesi may also share your Personal Data with companies providing services on our behalf. We will ensure the legitimacy of the processing by entering into an appropriate data processing agreement with the relevant stakeholders. All processors shall comply with the applicable privacy laws and implement appropriate technical security measures.

How We Protect Your Personal Data

Chiesi implements appropriate security measures to safeguard your Personal Data against unauthorized access, disclosure, or loss, including:

• Reasonable efforts to ensure that Personal Data is collected in compliance with the minimization and purpose limitation principles. We retain your Personal Data for a limited time as specified in the following section (3) unless an extension of the retention period is required or permitted by law;
• A range of technologies to ensure the confidentiality of Personal Data, ranging from encryption, strong passwords, and two-factor authentication to firewalls and dedicated software to protect servers from external attacks;
• Our business partners and service providers are selected based on strict qualification criteria and obligations to comply with our data protection standards secured through specific contractually binding provisions. In addition, we perform audits and other assessments to verify their compliance with the above requirements;
• Privacy and data protection training to verify knowledge and other activities to improve the awareness of privacy matters among employees and contractors.

(3) RETENTION PERIOD OF YOUR PERSONAL DATA

Your Personal Data referred to in section 1) of this notice is stored on the servers of Chiesi or the suppliers' servers (specifically appointed as data processors) located in Italy or within the European Union. We keep your Personal Data until the completion of the Initiative and, in any case, for no more than the time necessary to manage all the activities connected to it. After this period, your Personal Data will be deleted or made anonymous unless otherwise provided for by law.

You may also decide to exercise one of the rights listed in the "DATA SUBJECTS RIGHTS" section below.

(4) DATA SUBJECTS RIGHTS

Access, rectification, cancellation, data portability, restriction of processing, objection to processing, and revocation of consent.

Chiesi provides dedicated contacts to exercise your right to access, modify, object, or limit the processing of your Personal Data, to request their cancellation, portability (if applicable), or revoke your consent in situations specified in the GDPR or other relevant regulations.

We invite you to contact the Data Protection Officer (DPO) to obtain the list of data processors, receive the list of parties with whom your data has been shared and request to exercise your rights listed above: dpoit@chiesi.com

If you believe that Chiesi is not processing your Personal Data under this notice or applicable law, you may exercise your rights by complaining to the Italian Data Protection Authority.

The Data Controller is:
Chiesi Farmaceutici S.p.A., with registered office in Via Palermo 26/A, 43122 Parma.