Contents

1. PREAMBLE
2. WHO PROCESSES YOUR PERSONAL DATA
3. WHAT TYPES OF PERSONAL DATA WE PROCESS
4. FOR WHAT PURPOSES WE PROCESS YOUR PERSONAL DATA
5. HOW WE PROCESS YOUR PERSONAL DATA
6. HOW LONG WE PROCESS YOUR PERSONAL DATA
7. TO WHOM WE TRANSFER YOUR PERSONAL DATA
8. WHAT ARE YOUR RIGHTS AND HOW YOU CAN EXERCISE THEM
9. CHANGES TO THIS PRIVACY POLICY

1) PREAMBLE

This document describes the ways in which we operate the website https://www.pasiphy-study.com/UK ("Website") with respect to the processing of the personal data of its users. The Website is managed by Recordati AG, with registered office in Lindenstrasse 8, 6340, Baar, Switzerland.

When you browse our Website, interact with us, or use our services ("Services"), we may collect and process information and personal data about you. For this reason, in accordance with the applicable provisions of data protection laws, we have created this document ("Privacy Policy") in order to describe what personal data we collect, the purposes and methods for processing it and the security measures we take to protect it.

This Privacy Policy constitutes the information that is provided pursuant to applicable laws and exclusively concerns this Website and the processing of data performed by Recordati AG. Any third-party websites referred to by this Website, including through links, are not covered by the information indicated in this Privacy Policy.

2) WHO PROCESSES YOUR PERSONAL DATA

The data controller is Recordati AG, with registered office in Lindenstrasse 8, 6340, Baar, Switzerland, ("Recordati", "we", "us") a company of the Recordati Group.

Recordati Rare Diseases UK Ltd with registered office in Greengarth, Thicket Grove, Maidenhead Berkshire, SL6 4LW (United Kingdom) is the representative for the processing of personal data in the UK.

The Data Protection Officer of the Recordati Group can be contacted for any privacy issue arising or in connection with the processing of Personal Data at the following email address: groupDPO@recordati.com.

Recordati, is the Sponsor of the clinical study named “A double-blind randomized placebo-controlled dose-finding phase II study to assess the efficacy and safety of Pasireotide s.c. in patients with Post-Bariatric Hypoglycaemia” (the “Study”).

This Website has been created in order to give visibility to the Study.

3) WHAT TYPES OF PERSONAL DATA WE PROCESS

• Navigation data: The computer systems and software procedures used to operate this Website acquire, during their normal operation, some personal data whose transmission is implicit in the use of internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or MAC addresses of the computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user's operating system and IT environment. These data are used in order to obtain statistical information on the use of the Website and to check its correct functioning. These data could be used to ascertain responsibility in the event of cyber-crimes against the Website, to the extent permitted by applicable legislation.
• Data necessary to access to the website, cookies and other similar technologies: Our Website uses cookies and other tracking technologies; for more information, please visit our Cookie Policy.
• Identification data contact details and other personal information, including data related to your health: The Website includes a section where is possible to fill in a questionnaire (the “Pre-screening Questionnaire”) that requires the users to provide information such as name, surname, email address, telephone number, physical address, age and data related to health (such as whether they had bariatric surgery, what kind of surgery they had and when, whether they suffer from hypoglycaemia, the effects that they are experiencing, whether they are monitoring their glucose level, etc).

4) FOR WHAT PURPOSES WE PROCESS YOUR PERSONAL DATA

We process your personal data for the following purposes and set out the corresponding legal bases below:

Provision of your personal data is not mandatory and will not affect your ability to visit the Website. It may, however, result in the impossibility of sending a request to us.

5) HOW WE PROCESS YOUR PERSONAL DATA

Your personal data will be processed using electronic means.

However, we would like to point out that electronic transmissions, storage of information and practices with respect to the operation of the Website are not 100% secure. Therefore, despite the security measures RRD has put in place to protect your information, we cannot guarantee that data loss, misuse or alteration will never occur.

The security of your personal data is important to us. We adopt - and expect our service providers to adopt - appropriate technical and organizational security measures to prevent the loss or destruction of data, illicit or incorrect use and unauthorized access to data, in compliance with applicable legislation. In addition, the IT systems are configured in such a way that personal and identification data are used only when necessary to achieve the specific processing purposes pursued from time to time.

We implement multiple security technologies and procedures to protect your personal data from the risks described above. However, we would like to point out that electronic transmissions or storage of information are not 100% secure. Therefore, despite the security measures we have put in place to protect your personal data, we cannot guarantee that data loss, misuse or alteration will never occur.

We do not use automated individual decision-making that would have legal effects on you or, similarly, significantly affect you.

6) HOW LONG WE PROCESS YOUR PERSONAL DATA

Personal data is processed for the time necessary to provide the requested information or Services and, in any case, in accordance with any applicable legal or regulatory obligations. Notably:

• The data collected in the pre-screening questionnaire will be kept for as long as the pre-screener campaign runs and up to one month after the end of the contract for the campaign
• For information on the storage of cookies and other technologies, please visit our Cookie Policy.

7) TO WHOM AND WHERE WE TRANSFER YOUR PERSONAL DATA

Your personal data will be processed by our duly authorised staff, based on their respective needs. Your data will also be processed by our suppliers for technical and organizational services functional to the processing purposes indicated above, such as the CRO appointed for the Study; providers of technical assistance services for the Website and hosting services. All the mentioned service providers act as our data processors on the basis of our instructions and in accordance with the provisions of the contracts they have entered into with us.

We may disclose your personal data to public authorities or bodies and to any other legitimate recipient in accordance with the law. In this case, the recipients will act as independent data controllers according to their respective institutional purposes.

If we are involved in a reorganization, acquisition, or sale of our company or parts of it, we will disclose your personal data to the third parties involved in the process, in accordance with applicable law. Any third party that is the recipient of your personal data as part of this procedure may only use it within the limits established by this Privacy Policy and applicable legislation.

To receive the updated list of recipients of your personal data, you can contact us using the contact details indicated above.

If your data is transferred abroad to countries that do not provide the same level of data protection as your country, we will ensure that the transfer is carried out in accordance with applicable law, i.e. by obtaining your consent, when necessary, or by taking any other measures necessary to ensure equivalent protection of the data being transferred, including, but not limited to, through the signing of an International Data Transfer Addendum (Addendum) according to the model developed by the Information Commissioner’s Office. If you would like to receive a copy of these safeguards, please contact us using the contact details set out in section 2 of this Privacy Policy.

8) WHAT ARE YOUR RIGHTS AND HOW YOU CAN EXERCISE THEM

Recordati informs you that you will always have the right to withdraw your consent at any time, as well as to exercise, at any time, the following rights (subject to certain limitations/restrictions) by contacting the data controller or the DPO at the addresses indicated above:

1. the "right of access" to your personal data and, in particular, to obtain confirmation of the existence or otherwise of personal data concerning you;
2. the "right to rectification", i.e. the right to request the rectification of inaccurate personal data or the completion of incomplete personal data;
3. the "right to erasure", i.e. the right to request the erasure, or transformation into anonymous form, of personal data processed;
4. the "right to restriction of processing", i.e. the right to obtain from the data controller the restriction of processing in certain cases provided for pursuant to data protection legislation;
5. the "right to data portability", i.e. the right to receive (or to transmit directly to another data controller) personal data in a structured, commonly used and machine-readable format;
6. the "right to object", i.e. the right to object, in whole or in part:
7. to the processing of personal data carried out by the data controller for its own legitimate interest; and
8. to the processing of personal data carried out by the data controller for marketing or profiling purposes.

The exercise of the above rights is free of charge. However, we may charge a reasonable fee for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.

All enquiries, requests or concerns regarding this notice or relating to the processing Personal Data including all requests detailed above, should be sent to GroupDPO@recordati.com.

Recordati may ask you to verify your identity before taking further action following your request to exercise the above Rights.

You may also lodge a complaint with the Information Commissioner’s Office (ICO) if you are of the opinion that your personal data are processed in such a way as to result in violations of applicable data protection legislation. You may also contact the relevant supervisory authority if the exercise of your rights is subject to delay, limitation or exclusion by the data controller.

For more information on how to lodge a complaint with ICO, please visit its website:

https://ico.org.uk/make-a-complaint/

9) CHANGES TO THIS PRIVACY POLICY

We may update and amend all or part of this Privacy Policy at any time. The version published on the Website is the version currently in force. In the event of a change in the text of this Privacy Policy, we will inform you of such changes with a specific banner, link or pop-up on the home page of the Website.