Privacy Policy

Our Company strives to conduct its business activities in accordance with privacy principles, as we believe they demonstrate our unwavering commitment to ethical and responsible practices. We recognise that innovation and new technologies are driving constant changes in risks, expectations and legislation, which is why we follow privacy accountability standards and aim to adapt how we implement them in response to these changes in a timely manner.

This Policy sets out our standards for the management and protection of Personal Data by or on behalf of our company, which originates, directly or indirectly, from any country in the European Economic Area (EEA), and Switzerland and is transferred to any other country, including transfers between EEA countries. They apply to our operations in each country, to any activity involving information about individuals that we conduct in each of our subsidiaries and each of our divisions (including any successors to our business), including, but not limited to, research, production, commercial activities, corporate support and data transfers necessary to conduct the above activities, including, but not limited to:

  • Research and Manufacturing: initiating, managing and funding research studies / evaluating and engaging researchers, science and ethics committee members and partners to support our research studies and product development / recruiting for research studies / evaluating the safety, efficacy and quality of our products under development and commercially available / meeting our commitments to the safety and quality of our products, including managing and reporting adverse events
  • Commercial activities: assessing markets for our products / advertising, marketing, selling, distributing and delivering our products / communicating with our customers and other end users of our products / sponsoring and running events / assessing and encouraging our partners to support our commercial activities / complying with relevant legal, regulatory or ethical requirements.

This Policy also applies to all persons whose data we process, including, but not limited to, customers, prospective, current and former employees and their dependents, ethics committee members, partners, investors and shareholders, government officials and other stakeholders.

All Management, executives and employees of the Company have substantial responsibilities with regard to the protection of personal data, which they must respect.

We recognize that unintentional errors and poor judgment about data protection can cause risks to the privacy of individuals and risks to our Company’s reputation, processes, compliance and finances. Each employee of the Company, and other persons who process data for our company, are responsible for understanding and complying with their obligations under this Policy and existing laws.

Our Values and Standards on Personal Data Protection

We adhere to our Data Protection values in everything we do that involves people, including how we apply our privacy standards. The four principles relating to the protection of personal data include:

Respect

We recognise that privacy concerns are often related to the essential questions of who we are, how we see the world and how we define ourselves. So we try hard to respect the perspectives and interests of individuals and communities and to be fair and transparent in how we use and share information about them.

Trust

We know that trust is vital to our success, so we work hard to build and maintain the trust of customers, employees, patients and other stakeholders to respect and protect their information.

Damage prevention

We understand that the misuse of people-related information can create tangible and intangible harm to individuals, and so we seek to prevent physical, financial, reputational or other privacy-related harm.

Compliance

We have learned that laws and regulations are not always in line with rapid developments in technology, data flows and the associated changes in privacy risks and expectations. So we strive hard to comply with the spirit and regulations of privacy and data protection laws in a way that demonstrates consistency and operational excellence for our business operations globally.

1. We integrate our privacy standards into all activities, processes, technologies and relationships with third parties that use Personal Data. We design privacy controls on our processes and technologies that are consistent with our privacy values and standards and with applicable laws. The 8 principles concerning how we understand and act on personal data entrusted to us by third parties, which are set out below, summarise privacy standards and the basic requirements for high-level processing, activities and their supporting technologies.

Privacy Principle

1. Necessity – Before collecting, using or sharing Personal Data, we determine and record the specific, legitimate business purpose for which it is necessary.

  • We determine and record the length of time for which the Personal Data is needed for these specified business purposes.
  • We do not collect, use or share more Personal Data than necessary, or retain Personal Data in an identifiable form for longer than necessary for these specified business purposes.
  • We anonymise data when business requirements make it necessary for information about the activity or process to be retained for a longer period of time.
  • We ensure that these necessary requirements have been incorporated into any supporting technologies and that third parties supporting the activity or processing have been informed.

2. Fairness – We do not process Personal Data in ways that are unfair to the individuals to whom the data relates.

  • We determine whether the proposed collection, use or other processing of Personal Data poses a risk of actual or imminent harm to individuals, in accordance with the Harm Prevention Privacy Principle.
  • If the nature of the data, types of people or activity involves an inherent risk of actual or undetermined harm to individuals, we ensure that the risk of harm does not outweigh the corresponding benefits to those individuals or our mission to save and improve human lives.
  • Where the risk is inversely proportional to the benefits to individuals, we process Sensitive or Personal Data only with the explicit consent of individuals or as required or expressly permitted by existing laws.
  • We document the risk analysis and design any required mechanisms to obtain and record evidence of consent to assistive technologies.

3. Transparency – We do not process Personal Data in ways or for purposes that are not transparent.

  • All individuals whose Personal Data is processed under this Policy will be entitled to a copy of this Policy. We will make copies of this Policy available on our website. The Data Protection Officer will provide digital and/or physical copies of this Policy upon request at the addresses listed below.
  • When Personal Data is collected directly from individuals, we inform them through a clear, conspicuous, and easily accessible privacy notice or similar means before we collect information about (1) the corporate entity or entities responsible for the processing, (2) the type of data to be collected, (3) the purposes for which it will be used, (4) with whom it will be shared, including any requirements to disclose Personal Data following lawful requests by government authorities; (5) how long it will be retained; (6) how individuals can ask questions, raise concerns, or exercise their rights with respect to the data; and (7) the electronic link to this Policy, where possible and appropriate.
  • When Personal Data is collected from other sources and not necessarily under our company’s direction, before the data is obtained, we verify in writing that the data provider has informed individuals of the ways and purposes for which the company intends to use the information. If written verification cannot be obtained from the provider, we use only anonymous data, or before we use Personal Data, we inform affected individuals through a privacy notice or similar means of (1) the corporate entity or entities responsible for the processing, (2) the type of data to be collected, (3) the purposes for which it will be used, (4) with whom it will be shared, including any requirements to disclose Personal Data in response to lawful requests by government authorities; (5) how long it will be retained; (6) how individuals can ask questions, raise concerns, or exercise their rights regarding the data; and (7) the electronic link to this Policy, where possible and appropriate.
  • We ensure that the necessary transparency mechanisms, including, where possible, mechanisms that support individual rights requests, are built into the supporting technologies, and that third parties supporting the activity or processing do not process individual data in ways that are inconsistent with what individuals have been told, through privacy notice or other verifiable means, about how we and others working for us will use the data.

4. Purpose limitation – We only use Personal Data in accordance with the principles of Necessity and Transparency.

  • If new reasonable business purposes are identified for Personal Data already collected, we ensure that either the new business purpose (including a substantially similar purpose) is compatible with the purpose as described in the privacy notice or other transparency mechanism previously provided to the individual, or we obtain the individual’s consent to the new use of their Personal Data.
  • We do not apply the above principle to anonymous data or where we use Personal Data solely for the purposes of historical and scientific research and (1) an Ethics Review Board, or other competent reviewer, has determined that the risk of such use to the privacy or other rights of individuals is acceptable and (2) there is respect for existing Law.
  • We ensure that purpose limitation restrictions are built into the supporting technologies, including any reporting and downstream data distribution capabilities.

5. Data Quality – We keep Personal Data accurate, whole and up-to-date, and in accordance with its intended use.

  • We ensure that periodic data checking mechanisms are built into the supporting technologies to validate the accuracy of the data against the source and downstream systems.
  • We ensure that Sensitive Data is validated as accurate and up-to-date before any use, evaluation, analysis, reporting or other processing of it that risks harming individuals if inaccurate or untimely data is used.
  • When changes to Personal Data occur from our company or third parties working for our company, we ensure that these changes are communicated in a timely manner where reasonably possible.

6. Security – We build in safeguards to protect Personal Data and Sensitive Data from loss, misuse, and unauthorized access, disclosure or destruction.

  • We have implemented a comprehensive information security program and apply security controls that are based on the sensitivity of the information and the magnitude of the risk of the activity, taking into account the best practices of modern technology and the cost of implementation. Our operational security policies include, but are not limited to, business continuity and disaster recovery standards, identity and access management, information classification, information security incident management, network access control, physical security, and risk management.

7. Transfer of Data – We are responsible for maintaining the security and privacy of Personal Data when it is transferred to or from other organisations or across national borders.

(1) We only transfer Personal Data or allow it to be processed by third parties if the following conditions are met, and we are responsible for ensuring that the third parties we cooperate with meet these conditions:

  • If the third party’s role is to process Personal Data for or on behalf of our company, before the third party receives the Personal Data, we: (1) complete a legal privacy audit to evaluate the privacy practices and risks associated with such third parties; (2) obtain contractual assurances from such third parties that they will process Personal Data in accordance with our company’s instructions, and in accordance with this Policy, including, without limitation, In addition, if the third party processes Personal Data originating from a country or territory with legislation that restricts the transfer of Personal Data, we will ensure that the transfer to the third party meets the conditions for cross-border transfer described in Section 2 below. Where one of our company’s subsidiaries acts exclusively on behalf of another of our company’s subsidiaries to process Personal Data, and where required by law, those subsidiaries of our company will carry out internal data processing in accordance with Principle 8 of this Policy.
  • If the role of the third party is to provide Personal Data to our company, before we obtain the Personal Data from the third party, we ensure that the Transparency requirements for collecting Personal Data from other sources and not specifically under the supervision of our company are met, and we obtain assurances through a contract from the third party that it does not violate any law or the rights of any third party by providing Personal Data to our company.
  • If the role of the third party is to obtain data from our company for processing that is not specifically under our company’s control, before we deliver the data to the third party, we ensure that the data has been anonymised, and we obtain written assurances from the third party that it will use the data only for the business purposes specified by the agreement and in accordance with existing legislation, and that it will not attempt to reverse the data anonymisation process.

(2) We transfer Personal Data across borders by or on behalf of our company in accordance with this Policy. We will apply this Policy to transfers of Personal Data from any other country or territory with laws restricting the transfer of Personal Data.

8. Legally Permissible – We process Personal Data only if it meets the requirements of applicable law.

  • While the other 7 privacy principles, as well as the requirements of the Individual Rights described below, are intended to ensure that we meet the requirements for most privacy and data protection laws applicable to our industry around the world, in some countries we need to meet additional requirements, including, but not limited to:
    1. Where required, we will obtain specific forms of consent to process certain Personal Data, including, but not limited to, approval of processing by labor councils or other employee unions.
    2. Where required, we will register the processing of Personal Data with the applicable privacy or data protection regulator.
    3. Where required, we will further limit the data retention periods for Personal Data.
    4. Where necessary, we will enter into agreements that include specific contract clauses, including agreements for cross-border data transfers to third parties.
    5. Where required, we will disclose personal data in response to lawful requests from public authorities, including to meet requests related to national security or security authorities.
  • In the event of a conflict between this Policy and existing legislation, the standard that provides more protection for individuals will prevail.

2. We will address in a timely manner requests regarding individual rights to access, rectify, amend or delete Personal Data or object to the processing of Personal Data.

  • Access, Correction and Deletion – Based on Greek law, individuals have the right to access Personal Data concerning them, and to correct, amend or delete Personal Data that is inaccurate, incomplete or outdated. We will approve all requests by individuals for access, correction and deletion of Personal Data. If a request for access, correction or deletion is defined by existing Legislation that provides greater protection for individuals, we will ensure that the additional requirements based on Legislation are met.

  • Choice – Consistent with the Privacy Principles of “Respect” and “Trust”, we approve individual requests to object to the processing of Personal Data, including, but not limited to, opting out of participation in programs or activities in which individuals have previously agreed to participate, the processing of Personal Data about them for direct marketing purposes for communications targeted to them that are based on Personal Data, and for any evaluation or

  • Except where prohibited by law, we may deny an election where a particular application may impede the company’s ability to: (1) comply with the Law or an ethical obligation, including where we are required to disclose personal information in response to lawful requests by public authorities because of security or national security requirements; (2) investigate, defend or seek legal claims, and (3) enter into contracts, manage relationships, or perform other permitted business activities consistent with the Transparency and Purpose Limitation Principles and entered into based on the data of individuals associated with them. Within fifteen working days of any decision to deny a selection request in accordance with this Policy, we will record and communicate the decision to the applicant.

3. We will respond in a timely manner and escalate all privacy-related questions, complaints, concerns and any Privacy Incident or Security Incident.

o Any individual whose Personal Data we process within the scope of this Policy may ask questions, make complaints or raise concerns to our company at any time, including requesting a list of all our company’s subsidiaries subject to this Policy. We expect that our employees, and other individuals working on behalf of our company, will provide timely notice if they have reason to believe that an applicable law may prevent them from complying with this Policy. Any question, complaint or concern from an Individual, or any notice from an employee or other person working on behalf of our company, should be addressed to the Data Protection Officer, by email or fax.

o Employees and Associates are required to promptly notify the Data Protection Officer of any questions, complaints or concerns about our privacy practices.

o The Privacy Officer will review and investigate, or cooperate with the Compliance Office, Ethics Office or Legal Department to investigate, all inquiries, complaints or concerns related to our privacy practices, whether received directly from our employees or from other individuals or third parties, including, but not limited to, regulatory agencies, compliance officers or other governmental authorities. We will respond to the person or entity that raised the question, complaint or concern to our company within thirty (30) calendar days unless a law or requestor/third party requires a response in a shorter period of time or unless circumstances, such as a parallel government investigation, require a longer period of time. In this case the person or the applicant/third party will be notified in writing as soon as the general nature of the circumstances contributing to the delay allows.

o The Data Protection Officer, in cooperation with the Legal Department and the Compliance Officer, will cooperate with the competent Data Protection Authority in the context of a request for any information, investigation, inspection or inquiry.

o For complaints that cannot be resolved between our company and the person who made the complaint, our company has agreed to participate in the following dispute resolution processes, investigating and resolving complaints to resolve disputes related to this Policy.

o However, at any time, individuals resident in the EEA, or individuals whose Personal Data is subject to EEA Data Protection Legislation and transferred outside the EEA, and whose data is processed in relation to this Policy, have the right, under this Policy, to enforce the conditions of this Policy as an eligible third party, including the right to take legal action to claim damages for the violation of their rights due to this Policy. Individuals residing in the EEA, or individuals whose Personal Data is subject to EEA Data Protection Legislation and transferred outside the EEA (for clarity, including the USA), may bring claims under this Policy against the Company:

  • to the courts or data protection authority of the country of the EEA from which their Personal Data was transferred; or
  • to Greek courts or the Greek Data Protection Authority.
  • Our company will respond to the person or entity that raised the question, complaint or concern to our company within thirty (30) calendar days unless a law or requestor/third party requires a response in a shorter period of time or unless circumstances require a longer period of time, in which case the person or third party will be notified in writing.

Terms you need to know

  • Anonymisation. The alteration, severing, elimination or other restriction or transformation of Personal Data so as to make it impossible to use it to identify, locate or contact the individual.
  • Legislation. All laws, rules, regulations and advisory orders having the force of law in any country in which our company operates or in which Personal Data is processed by or on behalf of our company.
  • Our company. Our company and its subsidiaries, other than joint ventures in which our Company may participate as a Partner.
  • Personal Data. All data about an identified or unidentified person, including data that identifies the person or that could be used to identify, locate, track or contact the person. Personal Data includes both direct identification information such as name, identification number or unique job title, and indirect identification information such as date of birth, unique mobile or portable identification number, telephone number and coded data.
  • Privacy Event. A violation or breach of this Policy or a privacy or data protection law, and includes a Security Incident. The determination of whether a privacy incident has occurred and whether it has physical substance will be made by the Data Protection Officer and the Legal/Compliance Department.
  • Processing. The performance of any process or series of processes on data about people, with or without automated means, including, but not limited to, collection, recording, organization, storage, access, adaptation, conversion, retrieval, consultation, use, evaluation, analysis, reporting, distribution, disclosure, and dispersal, transmission, disposal, alignment, combination, interception, deletion, erasure, or destruction.
  • Security incident. Access by an unauthorised person to Personal Data or disclosure to an unauthorised person of Personal Data or our reasonable suspicion that this has occurred. Access to Personal Data by or on behalf of our company without the intent to violate this Policy does not constitute a Security Incident, provided that the Personal Data in question was then used and disclosed only as permitted by this Policy.
  • Sensitive Data. Any type of data about people that contains an inherent risk of potential harm to individuals, including data defined by law as sensitive, including, but not limited to, data relating to health, heredity, race, national origin, religion, political or philosophical beliefs or convictions, criminal records, precise geographic location information, bank or other financial account numbers, government-issued registration numbers, minors, sexual or reproductive health, or any other data of a personal nature.
  • Third Person. Any entity, organisation or person that is not part of our firm, or for whom our firm does not have an audit interest, or who does not work for our firm. Except as expressly set out in this Policy, no subsidiary or division of our company is required to meet the requirements of a third party under this Policy, as all subsidiaries and divisions are required to process data about people in accordance with this Policy, including where one of our company’s subsidiaries supports one or more of our company’s subsidiaries in the processing.


Changes to this Policy
This Policy may be revised from time to time in accordance with the requirements of existing legislation. Whenever this Policy is physically changed, a notice will be posted on our website for 60 days.

Date of entry into force 1.11.2021

Personal Data Protection Policy

Our Company has as a key priority the protection of the personal data it processes and complies continuously with the applicable legislation on the protection of personal data.

We invite you to carefully read this personal data protection policy in order to be adequately informed about our processing of your data when you visit in-the-heart.com.

1. General information and controller

The general partnership under the name “TSOKAS NIK.PANAGIOTIS AND SIA LTD”, with the distinctive title TSOKAS MATERIALS, located in Nea Smyrni, 72 Akropoleos Street and Sparta Street, as legally represented (hereinafter referred to as the “Company”), is the controller for the collection, storage and general processing of users’ personal data, as collected and stored through this website.

2. What personal data we collect and how we collect it

We collect and process your personal data as follows:

– Information when you contact us.

If you visit our website and have a question or a comment, you can submit it to our Company by filling in the contact form available on the website. You will be asked to provide your full name, address, telephone number, e-mail address and information about your request/question/observation. We will only use this information to respond to your query/observation. We will record your requests, your questions/observations and our respective responses and any other actions taken to manage your request/contact. All information will be kept for 12 months after your query or complaint is settled or the case is closed.

– Information collected from the use of cookies to ensure the proper functioning of our website.

Our use of your personal data collected through cookies (information about your device, browser, possibly your IP address) allows you to browse and use the features of the website. The information is kept until the browser is closed.

– Information collected from the use of cookies about your visit and use of our website

We collect certain information when you visit our website, such as your IP address, device category, browser and web browser type, clicks and views. We use this personal data as required in the context of our legitimate interests in order to be able to attract more customers and improve the promotion of our services. We retain personal data for a maximum period of 12 months.

3. Purposes of processing

a. Response to your request/question/observation: We make every effort to respond to the request/question/observation you submit on your own initiative via the contact form.

Legal basis of the processing: your consent.

b. Information systems support/improvement of services: We use your personal data in order to detect server problems and ensure the proper functioning of our website. The Company uses the personal data of users, which it collects through the website, in order to improve the services already provided or to offer new services to its users/customers.

Legal basis of the processing: The legitimate interest of the Company to ensure the uninterrupted operation of its website and to improve the services provided by it.

d. Compliance with our legal obligations, such as providing information to public services and authorities (e.g. judicial, administrative authorities).

Legal basis of the processing: Compliance with our legal obligations.

e. Legal protection of the company: Ensuring the implementation of the terms of use of our website and protection of our legal rights.

Legal basis of processing: the legitimate interest of the Company to ensure the implementation of the terms of use of our website and to protect our legal rights.

Please note that where the legal basis for the processing of your data is your consent (case a), you have the right to withdraw it at any time, but the withdrawal of your consent does not affect the lawfulness of the processing that preceded the withdrawal.

4. Cookies

Much of the information referred to in this Privacy Policy is collected through the use of cookies and similar techniques. Cookies are small text files containing small amounts of information that are downloaded and may be stored on your user device e.g. your smartphone or tablet. These cookies and similar techniques are required to store your account settings, language and country, but also allow us to measure and analyse your behaviour on our website or on third party websites. Where appropriate, your consent to the use of cookies will be requested. To see more information about the cookies we use and how we use them, please see our separate cookie policy.

5. Rights of data users-data subjects

You have the right to access your personal data processed by us or on our behalf. You have the right to correct, delete or restrict the processing (where applicable) of your personal data. You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and in some cases we will, at your request, transfer your data to another controller where technically feasible. You also have the right, in certain circumstances, to demand that we stop processing your personal data, but where there are compelling legitimate grounds, we will continue to process your personal data.

Where you have given consent to our use of your personal data, you have the right to withdraw your consent without this affecting the lawfulness of our processing of that data prior to the withdrawal of your consent.

You can exercise these rights by contacting us by email at …………….. and by submitting a request.

Please be aware that requests that do not meet the requirements set forth by applicable law or Company guidelines may be required to be re-drafted or rejected, and that certain personal data may be exempt from such requests for access, correction and deletion, in accordance with applicable data protection and other laws and regulations.

We will respond to your requests without delay, and in any case within one month of receiving your request. If your request is complex, we will let you know within the month if we need to extend this period.

Finally, if you are not satisfied with our response, you can complain to the Data Protection Authority about the exercise of your rights (www.dpa.gr).

6. Retention of personal data

Users’ personal data are kept exclusively and only for the period of time required to fulfil the purpose for which they were collected, in full compliance with applicable legislation. When the purpose of processing your personal data is completed, they are deleted. The specific retention periods for each of the relevant processing purposes are set out above.

7. How and with whom we share your personal data (recipients of personal data)

Access to your data is available to the Company’s strictly necessary personnel, who are bound by confidentiality, our partner companies and third party service providers, with whom we may share your personal data to help us provide you with services and to manage our website. These third parties are:

  • service providers, where required, to provide us with a service and to provide data analysis services (e.g. website hosting, website developers)

In those cases where the Company, as the controller, transfers your data to third party processors, the Company itself determines the individual elements of the processing (method, means, retention period, etc.) and signs a specific contract with the processors to ensure that the processing will be carried out in accordance with the applicable legal framework, that appropriate measures will be taken to protect the confidentiality and security of personal data and that

These third parties may be based in the European Union or in other countries of the European Economic Area or in other parts of the world. When we store personal data outside the EEA, we ensure an appropriate level of protection of the transferred data, in accordance with the General Data Protection Regulation (e.g. by signing standard contractual clauses).

Finally, we may need to provide personal data to public bodies (e.g. tax authorities) or law enforcement agencies in order to comply with a legal obligation or court order.

8. Data security

The Company assures users that it takes all appropriate technical and organizational measures for the security of their personal data, to ensure the confidentiality of their processing and their protection from accidental or unlawful destruction/loss/alteration, unauthorized dissemination or access and any other form of unlawful processing.

All web traffic (file transfer) between this website and your browser is encrypted and transferred via the HTTPS protocol using SSL (Secure Sockets Layer).

Although every effort is made to protect personal data, the Company cannot guarantee the security of the data transmitted through its website, as the transmission of information via the Internet can never be completely secure.

9. Applicable Law

For any dispute arising from the use of this website, the Greek courts will have exclusive jurisdiction.

10. Modifications

This Privacy Policy has been drafted in accordance with the provisions of the General Regulation for the protection of personal data no. 2016/679/EU. If updated, any changes will be posted on this website and will bear a revision date.

11. Contact

For issues relating to the processing of your personal data you can contact us at info@tsokasmateriasl.com.