OPTIMAPHARM PRIVACY POLICY
INTRODUCTION OPTIMAPHARM d.d., and each affiliate and subsidiary thereof (collectively referred to as OPTIMAPHARM) conducts every business transaction (including without limitation, operations, negotiations, and marketing) with integrity and complies with the relevant laws and regulations of each country in which OPTIMAPHARM operates or is looking to operate. All OPTIMAPHARM personnel are expected to conduct OPTIMAPHARM business legally and ethically and with respect to maintaining privacy in communication.

The core aspect of OPTIMAPHARM's business is information related to the provision of clinical trials management or related services for the pharmaceutical and biotech industry corresponding to human clinical research studies. Given the nature of our work, the protection of personal data is critical for our company and our customers. For these reasons, OPTIMAPHARM has a comprehensive privacy program designed to respect and protect data privacy rights.

SCOPE: This Policy takes into consideration the obligations set out in the Data Protection Laws (as defined below) and applies to all Personal Data of Data Subjects either in electronic or paper format, received by OPTIMAPHARM, including Personal Data of the following Categories of Data Subjects:

Vendors - Suppliers, consultants, advisers and other professional experts.

Sponsors and Clients - Past, present and future staff of the Sponsors and Clients of OPTIMAPHARM (including volunteers, agents, interns, contractors, temporary and casual workers).

Investigators and other study site personnel – Persons working with OPTIMAPHARM on clinical and noninterventional studies.

Institution Personnel – Personnel of Institutions (other than Investigators and study site personnel, e.g. Hospital’s finance personnel, administration etc.) working with OPTIMAPHARM on clinical and noninterventional studies.

Employees - Persons that are full-time or part-time employed by OPTIMAPHARM.

Contractors – Persons who have a contract with OPTIMAPHARM to perform certain activities/work for OPTIMAPHARM.

Job Candidates - Persons who apply for a specific job post advertised by OPTIMAPHARM or apply for a future possible job openings directly through OPTIMAPHARM's webpage.

Visitors - Persons who are personally visiting OPTIMAPHARM’s premises for a purpose directly or indirectly connected with business activities.

DEFINITIONS Personal Data, Process/Processing, Controller, Processor/Sub Processor, and Data Subject shall have the same meaning as in the Data Protection Laws as defined below;

Data Protection Laws means, as the case may be, the General Data Protection Regulation 2016/679, the implementing acts by the Member States of the European Union and/or any other applicable law or regulation relating to the protection of Personal Data;

„OPTIMAPHARM” means any entity that directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with OPTIMAPHARM d.d. For purposes of this definition, “control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity, whether through the ownership of voting securities, by contract or otherwise

NOTICE Where OPTIMAPHARM collects Personal Data directly from Data Subjects, it will explain the purposes for which it collects and uses Personal Data about the Data Subjects, the types of Recipients and Processor/Subprocessor to which OPTIMAPHARM discloses that information, and the rights and options of Data Subjects for limiting the use and disclosure of Personal Data about them. This explanation will be provided as soon as practicable and, in any event, before OPTIMAPHARM discloses the Personal Data or uses such information for a purpose materially different than that for which it was originally collected or processed. Where an OPTIMAPHARM entity receives Personal Data from another OPTIMAPHARM entity or other entities, including when acting as a CRO processing Personal Data under the direction of a customer, it will use such information in accordance with the notices provided by such entities and the choices made by the Data Subjects to whom such Personal Data relates.

Types of Personal Data collected, Purposes of Collection and Uses of Personal Data:

OPTIMAPHARM is collecting and processing Personal Data from its Employees and Contractors for purpose of execution of the employment contracts signed with Employees and Consultancy Agreements signed with Contractors related to the personnel, administrative, payroll, or other employment / contracting business purposes. OPTIMAPHARM is collecting and processing some or all of the following data from Employee and Contractors: Employee's or Contractor’s first name, surname and previous surname (if applicable); gender; fathers’ first name; citizenship; nationality, permanent address; temporary address (current residence, if applicable); date and place of birth; personal ID number; unique citizen number; ID card / passport number and issued by whom (what official authority), photograph, academic and professional qualification; social security number; health insurance number, professional experience; list of previous employers; duration of the previous employments and type of work; bank account details; child’s (children’s) name(s), birth date(s) of child (children) date(s) of birth; educational training.

From Vendors, Sponsors and Clients, for purpose of execution of the services specified in the signed Service Contract/Service Agreement, OPTIMAPHARM is collecting and processing some or all of the following data: name; job title; employer; home address; date and place of birth; social security/national insurance number; VAT number; ID card/passport details; photograph; professional email address; professional telephone number (including mobile telephone number); personal email address; personal telephone number (including mobile telephone number); data related to transactions including transactions' purposes; academic and professional qualifications; tax ID; government identification number; bank account details; educational training; images and sounds;

From Job Candidates, for the purpose of employment, the information that OPTIMAPHARM is collecting and processing may include: any application materials such as candidate’s Curriculum Vitae, application letter and information that candidates submit voluntarily by themselves and that are collected about the candidate during the application process, results of testing (if applicable) and any related correspondence.

From Visitors, for purpose of ensuring controlled access to the Company premises and in accordance with relevant Company’s Security Access Policies, OPTIMAPHARM is collecting full name and address/company name from each visitor entering the Company’s premises by means of completion of the Visitor’s Sign in Log which is part of relevant Company’s Security Access Policies.

From Investigators, for purpose of execution of services related to the conduct of clinical and noninterventional studies as specified in the signed Contract/Agreement or for purpose of study feasibility analysis, OPTIMAPHARM is collecting and processing some or all of the following data: Investigators’ full name; job title; home address; date of birth; email address (personal and/or official); telephone number; fax number; mobile phone number; institution details/address; academic and professional qualifications; medical licence number; employment details; clinical trial experience and performance history; conflicts of interests or potential conflicts in relation to participation in clinical trials (if relevant); tax ID number (if relevant); bank account details; personal identification (ID) number.

From Study Site Personnel, for purpose of execution of services related to the conduct of clinical and noninterventional studies specified in the signed Contract/Agreement, OPTIMAPHARM is collecting and processing some or all of the following data: persons’ full name; job title; home address; date of birth; email address (personal and/or official); telephone number; fax number; mobile phone number; employment details; institution details/address; academic and professional qualifications; clinical trial performance history; tax ID number; bank account details; personal identification (ID) number.

From Institution Personnel OPTIMAPHARM is collecting and processing for the purpose of executing the Contract/Agreement some or all of the following data: persons’ full name; job title; email address (personal and/or official); telephone number; fax number; mobile phone number; institution details/address; academic and professional qualifications. OPTIMAPHARM will use such Personal Data in order to provide the requested information and/or services. Such uses may include processing requested transactions, improving the quality of our services, sending communications about the products and services available through OPTIMAPHARM, and enabling our business partners and Procesors/Subprocesors to perform certain activities on our behalf. OPTIMAPHARM may also use the Personal Data collected above to comply with our legal and regulatory obligations, policies and procedures, and for internal administrative purposes.

RIGHTS OF THE DATA SUBJECT It is Data Subject's legal right to check which Personal Data is collected and processed; to access Personal Data and check whether Personal Data is collected by OPTIMAPHARM accurately and up to date; to require Personal Data to be rectificated or erased (‘right to be forgotten’). Data Subject right is to restrict the processing or portability of Personal Data. In addition, Data Subject has a right to withdraw the consent for collecting and processing Personal Data at any time without affecting the lawfulness of processing based on consent before its withdrawal.

TRANSFER OF PERSONAL DATA OPTIMAPHARM as a controller can transfer Personal Data outside the EU if it is necessary for the execution of contracts between OPTIMAPHARM and the data subject or for fulfilling legal obligations. In that case OPTIMAPHARM, at the time when personal data are obtained, provides the data subject with information about intends to transfer Personal Data to a third country and specifiy which country or international organisation with a name of organisation. Transfer of Personal Data is only allowed to countries which provide adequate level of data protection; through model contracts or binding corporate rules; or by complying with an approved certification mechanism or Privacy Shield Frameworks when transferring personal data from the European Union and Switzerland to the United States.

SECURITY OPTIMAPHARM will employ reasonable and appropriate technical, administrative and physical safeguards designed to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data OPTIMAPHARM is processing.

DATA INTEGRITY AND PURPOSE LIMITATION OPTIMAPHARM endeavors to use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Data Subject and not to keep Personal Data longer than is necessary for the purpose for which it was collected. OPTIMAPHARM will take reasonable steps designed to ensure that only Personal Data that is relevant to its intended use, accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was obtained is used by OPTIMAPHARM for as long as OPTIMAPHARM retains possession of such information. OPTIMAPHARM’s Personnel have a responsibility to assist OPTIMAPHARM in maintaining accurate, complete and current Personal Data. When acting as a CRO, OPTIMAPHARM endeavors only to process Personal Data that is relevant to the services it provides, and for purposes compatible with those for which the Personal Data was collected; wherever possible, such Personal Data is non-identified. Where OPTIMAPHARM processes Personal Data as a CRO under the direction of its customers (Clients and Sponsors).

ACCESS/CORRECTION/DELETION Under laws in certain countries in which we operate, Data Subjects have a right to access Personal Data about themselves, and to amend, correct or delete Personal Data that is inaccurate, incomplete or outdated. OPTIMAPHARM will, on request, provide a Data Subject with confirmation regarding whether OPTIMAPHARM is processing Personal Data about them, consistent with applicable law. In addition, upon request of a Data Subject, OPTIMAPHARM may take reasonable steps to correct, amend, or delete their Personal Data that is found to be inaccurate, incomplete or processed in a manner non-compliant with this Policy or applicable law, except where the burden or expense of providing access would be disproportionate to the risks to that Data Subjects’s privacy, where the rights of persons other than the Data Subjects would be violated or where doing so is otherwise consistent with applicable law. OPTIMAPHARM, when acting as a CRO, has no direct relationship with medical research subjects participating in a clinical trial and any such Data Subjects who seek access, or who seek to correct, amend, or delete their inaccurate Personal Data should direct his or her query to the relevant study sponsor or investigator which has transferred such Personal Data to OPTIMAPHARM for processing.

RECOURSE, ENFORCEMENT AND LIABILITY OPTIMAPHARM encourages Data Subjects covered by this Policy to raise questions about the processing of Personal Data about them by contacting OPTIMAPHARM through the contact information provided below. Any Personnel that OPTIMAPHARM determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment, where applicable. Any questions or concerns regarding the use or disclosure of Personal Data should also be directed to OPTIMAPHARM through the contact information given below. The Data Subject rights to object can be realized by submitting the object in writing to the following instances:

1. OPTIMAPHARM d.d., Ulica grada Vukovara 284, 10000 Zagreb, addressed to „Data Protection Officer“
2. Croatian Personal Data Protection Agency, Fra Grge Martića 14, 10 000 Zagreb. E-mail: azop@azop.hr


OPTIMAPHARM will undertake reasonable efforts to investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy.

CONTACT INFORMATION: Questions, comments, concerns or complaints regarding this Policy or OPTIMAPHARM’s processing of Personal Data may be submitted via e-mail to the following addresss: data.protection.officer@optimapharm.eu

RESERVATION OF RIGHTS: OPTIMAPHARM reserves the right to share a Data Subjects’s Personal Data and contracts with Recipients as required or authorized by law or regulation or in response to duly authorized information requests of government authorities.

CHANGES TO THE PRIVACY POLICY: This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for Personal Data is maintained. All amendments will be posted on this website. Please check back periodically for updates to this Policy.

OPTIMAPHARM PRIVACY POLICY EFFECTIVE DATE: 25 May 2018