PATIENTCARE+ PRIVACY POLICY

Last updated: 05 Apr 2024

This PatientCare+ application (“PC+”) is made available to you for download and use by Zuellig Pharma (SG) Solutions Pte Ltd or its licensee. PC+ is made available for download only in the following jurisdictions: Singapore, Malaysia, Thailand, Indonesia, Philippines and Taiwan. This Privacy Policy sets out how Zuellig Pharma (SG) Solutions Pte Ltd and its affiliates (“we”, “us” or “our”) handle the personal data that you share with us through PC+ in accordance with the data protection laws that apply to us. You agree that the data protection laws applicable to us shall be the data protection laws of the jurisdiction in which you are enrolled in a patient program administered by us including any statute, rule, regulations, code, ordinance, decree, legal requirement, by-laws and sub-legislation and/or any order enacted or issued by any national or local legislative body in the jurisdiction (“Applicable Laws”).

This Privacy Policy outlines our general practices in relation to the collection, use, disclosure (hereinafter referred to as “processing”) and protection of the personal data you provide through PC+, or when you communicate with us and/or our authorised agents through various media and communication channels in relation to PC+. This Privacy Policy also explains your rights and the choices available to you regarding the use of, your access to, and how to update and correct your personal data.

In this Privacy Policy, “personal data” generally refers to any information that can be used, directly or indirectly (e.g. in combination with other types of data that we may have access to), to identify an individual (i.e. the “data subject”). Local data protection laws may have differing definitions of this, and to the extent that our definition used here conflicts with the law, the stricter definition will apply.

1. Processing of Personal Data

In the course of your dealings with us, we may process personal data about you or any other person for the purposes stated in this Privacy Policy. This may occur when you voluntarily provide such personal data to us, or, where necessary, we receive such personal data from third parties including but not limited to your authorized healthcare professional, authorized healthcare organization, legal guardian, or from the public domain.

In your interaction with us or by your usage of PC+, we may process the following categories of personal data, including, but not limited to:

• personal contact information, which includes your name, mailing address, email address, social network details, or phone number;
• sensitive personal data such as information relating to your health, medical history, medical condition and the related medical products that you use;
• account login information, which includes your account login ID/email address, screen name, password in unrecoverable form, and/or security question and answer;
• information relating to your citizenship, nationality, identification card or passport details;
• demographic information and interest, which includes your date of birth, age, gender, geographic location, favourite products and services, shopping information, and household or lifestyle information;
• transaction and financial information, which includes bank account and payment card details, payments to and from you, and other details of products and services you have purchased or acquired from us;
• technical data, which includes internet protocol (IP) address, operating system type, web browser type and version, your device information, and information collected through the use of cookies;
• usage data, which includes information about how you use PC+, language preferences;
• marketing and communications data, which includes your preferences for receiving marketing materials from us and our third parties and your communication preferences;
• photographs, audio and/or visual recordings that you choose to upload onto PC+;
• geolocation data;
• your conversations with us (be it via chat or in person phone calls), when you interact with us via our communication channels; and
• other information permitted by Applicable Laws or as notified to you at the point of transacting with us.

Unless prohibited by Applicable Laws , we will usually notify you before collecting your personal data

As the accuracy of your personal data depends largely on the information you provide to us, kindly inform us as soon as practicable if there are any errors in your personal data or if there have been changes to your personal data.

If you provide us personal data about other individuals for any particular purpose, you represent and warrant to us that they have appointed you to act on their behalf and have agreed that you can:

• give consent on their behalf to the processing of their personal data;
• receive on their behalf any data protection notices; and
• warrant that you have obtained their consent for us to store their personal data, or have the right to allow us to process their personal data.

2. Source of Personal Data

The personal data processed by us are obtained from various legitimate and transparent sources, including, but not limited to the following:

• through your access or use of PC+;
• when you create an account with us;
• when you browse, order, purchase or subscribe to our products and/or services;
• when you interact with the links that are in PC+;
• when you apply to participate and/or participate in our programmes;
• any emails or correspondence that we receive from you;
• when you communicate to us and/or our authorised agents through various media and communication channels, and any direct and indirect interactions with us;
• when completing any applications or forms for transactional or other purposes;
• when you participate in any event, prize draws, or competitions organised by us or indirectly through a third party;
• when completing any surveys that we send to you for research purpose;
• data from publicly available sources that we collect in accordance with applicable laws, i.e. data that is published by you, social media profiles, directories, signages;
• data that we obtain legally from authorised third parties, including, but not limited to, credit reporting agencies, regulatory and enforcement agencies, healthcare providers, and other government or government-linked entities;
• our related and/or associated companies, contractors, third-party service providers, and business partners;
• marketing services providers or partners; and
• mailing lists.

3. Lawful Basis and Purpose of Processing Personal Data

We must have a lawful basis to process personal data. We typically rely on at least one of these lawful bases to do so:

• where we have the data subject’s consent for the disclosed purposes;
• where the processing is necessary and related to the fulfilment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
• where the processing is necessary for compliance with a legal obligation to which we are subject;
• where the processing is necessary to protect vitally important interests of the data subject, including life and health;
• where the processing is necessary in order to respond to a national emergency, or to comply with the requirements of public order and safety; or
• where the processing is necessary for the purposes of the legitimate interests pursued by us, a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under local laws.

We generally rely on consent to process personal data. In addition, the table below summarises some of the common purposes for which we may process personal data and our legal basis for doing so:

Purpose	Legal basis
To create and administer your account (where applicable) To enable you to access or use PC+ To provide you with our products and services, including to process your order and requests To provide, manage and administer programmes that are offered on PC+ To provide you with discounts, bonuses, rebates and the like for your orders and purchases To provide support for our products and services To contact and communicate with you, including to respond to your requests, enquiries, and to provide you with status updates on your order To communicate information, notices, and updates To fulfil any other request(s) that you may have submitted to us	Where necessary to perform our contract with you Where required to comply with a legal obligation Where it is in our legitimate interests to ensure that services requested of us are effectively and appropriately delivered
To deal with any product safety issue or product complaint, and to contact and communicate with you in relation to the same To undertake remediation activities To resolve disputes or to investigate any complaints you made or made against you	Where required to comply with a legal obligation Where it is in our legitimate interests to ensure that complaints are investigated and appropriately resolved
To do adverse event and safety reporting in respect of any product or service To improve patient care and safety in relation to the use of medicines and all medical and paramedical interventions To improve public health and safety in relation to the use of medicines To detect problems related to the use of medicines and communicate the findings in a timely manner To encourage safe, rational and more effective use of medicines To promote understanding, education and clinical training in pharmacovigilance and effective communication to the public	Where required to comply with a legal obligation Where it is in our legitimate interests to: (a) ensure that pharmacovigilance is done; and/or (b) promote public health and safety
To process invoices and payment For internal functions such as reporting, and audit and risk management To maintain our operations or client relationship management systems To maintain and upkeep customer or company records and development in the ordinary course of business For our internal record keeping For the preparation and execution of all necessary documents, agreements and/or contracts For general operation and maintenance of PC+	Where required to comply with a legal obligation Where it is in our legitimate interests to: (a) ensure the smooth operation of our business; and/or (b) keep accurate records of our business
To develop and improve our product and service offerings by analysing and assessing the information we have access to, such as by conducting data analytics and market research To develop, show, measure, and track advertising (including, but not limited to, content, survey, and promotions of PC+ or products and services of ours, our subsidiaries, related and/or associated companies, business partners, and other third parties) and to collect information about you and on how you interact with it while you use PC+	Where it is in our legitimate interests to: (a) develop new product or service offerings to meet the needs of our customers; and/or (b) improve user experience when using our products and service offerings, including PC+
To implement and/or facilitate risk and fraud controls and payment processing To prevent, detect, or investigate any potential breaches, illegal activities or prohibited content on PC+ To enforce and exercise rights stated in this Privacy Policy or any contract To comply with any legal or regulatory requirements relating to all the commercial transactions, our conduct of the business or activities or our provision of products and/or services, and to make disclosure under the requirements of any law, regulations, directives, court orders, by law, guidelines, circulars or codes applicable to us or any member of our group of companies from time to time To cooperate with regulators and law enforcement bodies	Where required to comply with a legal obligation Where it is in our legitimate interests to: (a) prevent and investigate legal disputes, potential breaches, illegal activities or prohibited content; (b) enforce contractual rights; and/or (c) operate with regulators and law enforcement bodies
To facilitate the conduct of due diligence exercises or the actual transfer of assets in the event of potential, proposed or actual business transfer, whether in whole or in part, sale of business, disposal, acquisition, merger, spin-off, joint venture, assignment, reorganisation of our business, assets or stock or similar transaction	Where required to comply with a legal obligation Where it is in our legitimate interests to undertake any corporate restructuring for the growth or optimisation of our businesses
To send you information or invitations to events, seminars, conferences, initiatives and promotions and talks which may be of interest to you To organise and manage events, including your participation in such events To promote and communicate news and information about PC+, products and services of ours, our subsidiaries, related and/or associated companies, business partners, and other third parties, and such communications may be initiated from us or through third parties	Where it is in our legitimate interests, and subject to obtaining your consent when required under applicable laws, to provide you with marketing information that may be of interest to you

4. Consequences of Refusal or Failure to Provide Personal Data

Unless stated otherwise, the personal data provided to us are wholly voluntary in nature and you are not under any obligation or duress to do so. However, in some circumstances if you do not provide us with your personal data described in this Privacy Policy, we shall not be held liable for any of the consequences arising therefrom. These include:

• the inability for us to provide you with the products and/or services you requested, either to the same standard, or at all;
• the inability to enrol you to the relevant programme(s);
• the inability for us to provide you with the information about the products and/or services that you may want, including information about discounts or special promotions, or our new products and/or services;
• the inability for us to tailor the content of PC+ to your preferences and your experience of using PC+ may not be as enjoyable or useful;
• the inability to complete the relevant transactions with you; and
• the inability to comply with any applicable law, regulation, direction, court order, by law, guideline and/or code applicable to us.

5. Disclosure of Personal Data

In order for us to fulfil the purposes listed above, we may disclose your personal data to the following parties, including, but not limited to:

• the various entities within our group of companies (including those incorporated in the future), licensees, or business partners, including (where applicable) authorised personnel from the sponsor for the patient programme that you are enrolled to;
• our employees, agents, representatives, partnerships, joint venture entities, contractors, third-party service providers, subcontractors, or other parties as may be deemed necessary by us to facilitate your dealings with us;
• our suppliers, manufacturers, and business alliance partners of our products and/or services;
• relevant holders of the marketing authorisation of our products and/or services;
• parties whom we have obligations to report safety issues or product complaints;
• our professional advisers, including but not limited to our lawyers, accountants, auditors, and other financial or professional advisors appointed in connection with our business;
• any person, government authority, statutory authority, industry regulator or other relevant third party whom we are compelled or required to do so pursuant to any law, or if we have good faith belief that such disclosure is necessary to protect and/or defend our rights and interests or in connection with an investigation of fraud, infringement, piracy, tax avoidance and evasion or other unlawful activity;
• potential acquirers and other stakeholders in the event of potential, proposed or actual business transfer, whether in whole or in part, sale of business, disposal, acquisition, merger, spin-off, joint venture, assignment, reorganisation of our business, assets or stock or similar transaction; and
• any other party requested or authorised by you for the above purpose or any other purpose for which your personal data was to be disclosed at the time of its collection or any other purposes directly related to any of the above purposes.

Third parties are legally tasked with processing the personal data in line with the principles specified by us. Third parties are also held legally responsible for securing the personal data at an appropriate level of security in relation to applicable data protection laws and widely accepted industry standards.

6. Protection of Personal Data

We ensure that all appropriate confidentiality obligations and technical and organisational security measures are in place to protect the confidentiality and security of your personal data collected through the various methods described in this Privacy Policy to prevent any unauthorised access, unauthorised or unlawful alteration, disclosure or processing of such information and data, and the accidental loss or destruction of or damage to such information and data.

Some of the security measures we put in place include, but are not limited to:

• storing your personal data in systems that are protected by secured networks;
• putting in place role-based access controls to limit access to such personal data only to employees who have a need to know this information for the purpose of performing their official duties, and authorised third parties who are contractually bound to take reasonable measures to keep your personal data secure;
• regularly monitoring our systems for possible vulnerabilities and attacks, and regularly reviewing our information collection, storage and processing practices to update our physical, technical and organisational security measures; and
• verifying the identity of a requester before they can access or modify the personal data that they have legitimate access or modification rights to.

Compliance with these provisions will be required by all authorised third parties who may access the personal data as described above.

7. Your Rights

In accordance with Applicable Laws, in respect of the personal data which you have submitted to us, you may have the right at any time to:

• request for access to your personal data in our records;
• request to make correction of your personal data in our records in the event the information is inaccurate, misleading, out-of-date or incomplete upon validation and verification of the new information provided;
• request to cease processing your personal data for the purposes of marketing;
• object to the processing of your personal data, request to restrict or limit processing of your personal data, or request portability of your personal data;
• withdraw your consent for us to continue processing your personal data; and
• lodge an inquiry or complaint to the relevant data protection authority about our collection and use of your personal data

Should you wish to exercise any of the abovementioned rights and such right is recognised within your country, please write in to us using the contact information found at Part XIV (Contact Us) below. In respect of requests for access to or to make correction of your personal data in our records, such requests must be supported with submission of the relevant documents as may be required by us. Depending on the nature and sensitivity of the request, we may require you to submit these documents in person so as to verify your identity from time to time to the address found at Part XIV (Contact Us) below. We will only make appropriate corrections based on the verifiable/verification and updated information provided by you. Your request may also be subject to payment of a fee in accordance with applicable legal requirements.

With regard to the withdrawal of consent, you may withdraw, in full or in part, your consent given to us.

You may request for deletion of your personal data by us, and we will use commercially reasonable efforts to honour your request. However, please note that we may be required to keep such information and not delete it for such period of time required by law or in order to fulfil our legal obligations. When we delete any information, it will be deleted from the active database but may remain in our archives. We may also retain your information for fraud prevention and detection or similar purposes.

Your exercise of any of the rights or withdrawal of consent referred to above is, in each case, subject to any applicable legal restrictions, contractual conditions, and a reasonable time period. This may also be subject to whether it would affect the operation of our business and our ability to meet our legal obligations.

We may also, in accordance with Applicable Laws, refuse to comply with your request. If we refuse to comply with such request, we will inform you of our refusal and reason for our refusal.

8. Retention of Personal Data

The personal data you submit to us will only be retained for as long as is required for the purpose for which it was collected or as permitted by Applicable Laws.

Even though our systems are designed to carry out data deletion processes according to the above guidelines, we cannot promise that all data will be deleted within a specific timeframe due to technical constraints. When we no longer need to use your personal data, it is removed from our systems and records or anonymised so that you can no longer be identified from it.

9. International Transfers of Personal Data

PC+ generally processes your data in Singapore. However, to provide our services and to ensure the smooth running of PC+, we may transfer your personal data to our affiliates and authorised employees, agents and third parties in the jurisdictions where we operate or where we deem it appropriate or desirable (unless Applicable Laws provides otherwise) for the purposes stated in this Privacy Policy. In particular, we may transfer your personal data to our overseas affiliate(s) where our information technology storage facilities and servers may be located. There may be a possibility that the data protection levels in other jurisdictions do not completely meet the requirements of Applicable Laws , but all such transfers are performed in accordance with the requirements of Applicable Laws.

10. Links to Other Websites or Applications

PC+ may contain links to and from the websites and applications of our partner networks, advertisers and/or other third parties. If you click on a link to any of these websites or applications, you will leave PC+ and be redirected to the website or application you selected. As we cannot control the activities of third parties, we cannot accept responsibility for any use of your personal data by such third parties, and we cannot guarantee that they will adhere to the same data privacy practices as us. We encourage you to review the privacy policy of these websites or applications before providing any personal data.

11. Language

In the event of any inconsistency between the English version and the local language version of this Privacy Policy, the English version shall prevail.

12. Amendments to Privacy Policy

We reserve the right to modify, update and/or amend this Privacy Policy at any time. We will take reasonable steps to ensure amendments to this Privacy Policy are communicated by posting all amendments prominently on PC+ and other places we deem appropriate for a reasonable period of time. Amendments to this Privacy Policy will be effective immediately once published on any of PC+ unless otherwise noted. We invite you to check this Privacy Policy periodically to be informed of any relevant amendments to it, especially before providing any information to us. Your continued access or usage of PC+ and/or providing your personal data to us, following any amendments to this Privacy Policy, indicates your consent to the practices described in the revised Privacy Policy. If you do not agree, you should immediately discontinue your use of PC+, cease providing to us any of your personal data and notify us in writing in the manner described in Parts VII (Your Rights) and XIV (Contact Us).

13. Contact Us

If you have any feedback or questions about this Privacy Policy and the way we handle your personal data, or you wish to exercise any of your rights above, you may contact us contact us at the following:

Zuellig Pharma (SG) Solutions Pte. Ltd.

47 Scotts Road, #10-00, Goldbell Tower, Singapore 228233

Email: pcdpo@zuelligpharma.com

Attn to: Data Protection Officer