Bormioli Pharma S.p.A. is part of a large group of companies formed by Bormioli Pharma S.p.A. and its subsidiaries (the "bormioli pharma group") that operates in the world of pharmaceutical primary packaging manufacturing.

Bormioli Pharma S.p.A. (hereinafter also "controller" or "company")
registered office: Corso magenta no. 84 - 20123, Milan (mi)
operational/administrative headquarters: viale Giovanni Falcone n.48/a - 43122 Parma (pr), Italy
tel: 0521362620
email: privacy@bormiolipharma.com

subsidiaries that are part of the bormioli pharma group (hereinafter referred to as "subsidiaries"):

• Bormioli Pharma France SA, zae "les cadaux", 457 avenue pierre ottavioli -81370 saint-sulpice, france, rcs castres b 315 131 904 - tva fr 65 315 131 904
• Bormioli Pharma United States Inc, 1201 orange street, suite 600, Wilmington, New castle county - Delaware 19801, registration no.: 7232689
• Remy & Geiser GmbH, remy & geiser-street 1, 98553 schleusingen, vat. no.: de149510995, local court: jena hrb 514441
• Bormioli Pharma (Shanghai) trading co.,ltd.; room 312, 3/f, mayfair tower, no. 83 fumin road, 200040 jing'an district Shanghai - china

Pursuant to Art. 4(1) of the GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier, or to one or more characteristic features of his or her physical, physiological, genetic, mental, economic, cultural, or social identity.

Personal data (hereinafter also only the "Data") are collected:

• on the occasion of your navigation on the Site;
• directly from you, for the case in which you decide to voluntarily confer them in order to contact Bormioli Pharma S.p.A. through the "Contact Us" form or for the further purposes specified below.

The Data processed by Bormioli Pharma S.p.A. for the purposes described below is information that users provide when they enter information within the website, such as when they provide contact details, respond to online questionnaires, feedback forms or job applications, or submit resumes. Specifically these are: browsing data, first name, last name, date and place of birth, photo (where attached to resume) gender, citizenship, address, vat number/tax code, telephone number, mobile number, e-mail address, username, educational qualification, professional qualification/role, company affiliation, cookies. Full details on each type of data collected are provided in the dedicated sections in this policy and/or through specific disclosures that can be viewed prior to data collection.

The Site's computer systems and the software procedures in charge of its operation acquire, during their normal operation, some Data the transmission of which is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by third parties, make it possible to identify the user/visitor of the Site. This category of data includes IP addresses or domain names of the terminals/devices used by users/visitors, addresses in URI/URL (Uniform Resource Identifier/Locator) notation of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user/visitor's operating system and computer environment. Browsing data are used in order to obtain anonymous statistical information on the use of the Site and to check its correct functioning, to allow - given the architecture of the systems used - the correct provision of the various functions requested, for security reasons and to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the Site and/or third parties. We also collect personal information about users' use of our website, including information captured by our cookies (see the dedicated Cookie Policy).

Through the Website, the user/visitor has the opportunity to voluntarily provide Data such as, for example, the first and last name and e-mail address to contact Bormioli Pharma S.p.A. and/or one of the Subsidiaries forming part of the Bormioli Pharma Group through the "Contact Us" form present in the "Contact Us" section of the Website, as better specified below; by interacting with Bormioli Pharma S.p.A. through the official page on social networks that the user consults, comments on or likes; to obtain login credentials and subsequently access the "Investor relations area" present in the "Investors" section of the Site for as better specified below; for participation in an event organized by Bormioli Pharma S.p.A.; to register in order to send an unsolicited application through the "Unsolicited application" form present in the "Work with us" section of the Site and/or to update any curriculum vitae already sent, subject to the provisions of the "Information regarding candidates" that can be consulted in the "Work with us" section of this Site and to which reference is made.

Unless otherwise specified in the dedicated disclosures in each section, the processing of so-called special data as defined by Art. 9 of the GDPR (e.g., data related to health) or data related to minors is expressly excluded. Such categories of data, if shared by the User, will be deleted immediately.

Bormioli Pharma S.p.A. will process the data voluntarily provided by the user/visitor assuming that they are referable to him/her or to third parties who have expressly authorized him/her to provide them on the basis of a suitable legal basis that legitimizes the processing of the data in question. In this sense, the user/visitor indemnifies Bormioli Pharma S.p.A. with respect to any dispute, claim, request for compensation for damages from processing, etc., that may be received by Bormioli Pharma S.p.A. from third parties whose personal data are conferred by the user/visitor.

Personal data voluntarily provided by the user/visitor as well as navigation data may be processed for the following purposes:

1. to fulfill legal obligations to which Bormioli Pharma S.p.A. is subject;
2. to ascertain, exercise or defend a right in a court of law (for example, in the case of abuse in the use of the Site) or whenever judicial authorities exercise their functions;
3. to ensure the operation of the Site, measure its traffic, and assess usability and interest, without prejudice to that stated in the "cookie policy";
4. for the purposes indicated in the specific dedicated sections of this policy, to which reference is made. In such cases, processing will be carried out insofar as and to the extent that it results:

The processing of personal data is carried out by the Data Controller insofar as and to the extent that it results as being:

• necessary to fulfill a legal obligation to which the Data Controller is subject [Art. 6, par. 1(c) of the GDPR] in relation to the purposes mentioned in number 1);
• necessary for the pursuit of the legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail [Art. 6, par. 1(f) of the GDPR] in relation to the purposes set out in numbers 2 and 3, subject to the provisions of the "cookie policy".
• necessary for the additional reasons stated in the specific dedicated sections of this policy, to which reference is made.

Through the "Contact Us" form present in the "Contact" section of the Website, the user/visitor may request information both of a general nature and relating to the services and/or products of Bormioli Pharma S.p.A. and/or related products of the Subsidiaries that are part of the Bormioli Pharma Group, also as they may be stored in the wishlist through which it is possible to save favorite products for the purpose of later viewing. Where affected by the request received from the user (e.g., for reasons of territorial jurisdiction and/or where it pertains to products and/or services provided by one of the Subsidiaries), the Controller will process the data only for the purpose of forwarding the contact request to the relevant Subsidiary, as requested by the user and in fulfillment of pre-contractual measures.

In this regard, please note that Bormioli Pharma S.p.A.'s products are intended for businesses, as the Company does not make retail sales.

Personal data provided by the user/visitor when filling out the aforementioned "Contact Us" form will be processed for the following purposes:

1. to give feedback to any requests for information coming from the user/visitor about the products and services of Bormioli Pharma S.p.A. and/or other companies of the Bormioli Pharma Group, including the sending of any quotations also directly from the Subsidiary Company of the Bormioli Group that the user/visitor intended to contact;
2. to carry out - via e-mail, paper mail, use of dedicated software/CRM and/or direct telephone contact - surveys and/or questionnaires intended to verify the level of satisfaction with respect to the activities, products and services of Bormioli Pharma S.p.A. and/or related products of the Subsidiaries that are part of the Bormioli Pharma Group;
3. to send -by e-mail and/or paper mail and/or CRM system- informative messages and commercial, advertising and promotional communications relating to the activities, products and services of Bormioli Pharma S.p.A. and/or related products of the Subsidiaries that are part of the Bormioli Pharma Group, including newsletters and communications functional to participation in company events as well as carrying out market studies and statistical analysis and surveying the degree of customer satisfaction.
   
   The processing of personal data in question is carried out by the Controller insofar as and to the extent that:

• it is necessary for the performance of the contract to which the user/visitor is a party or for the performance of pre-contractual measures taken at the request of the same [Art. 6, par. 1(b) of the GDPR] in relation to the purpose of number 5);
• the user/visitor has given consent in accordance with Art. 130 of the Privacy Code and Art. 6, par. 1(a), and 7 of the GDPR for the purpose of number 6);
• the user/visitor has given consent in accordance with Art. 130 of the Privacy Code and Art. 6, par. 1(a) and 7 of the GDPR for the purpose mentioned in number 7).

The Investor relations area, found in the "Investors" section of the Site, is dedicated to bondholders as well as to all potential investors who wish to learn more about Bormioli Pharma S.p.A. and keep up to date with regard to press releases, webcasts, reports, annual and quarterly presentations, the procedures the Company adopts in order to comply with its obligations under MAR regulations, as well as the performance of the bond issued. Access to the Investor relations area is in any case subject to prior verification - by Bormioli Pharma S.p.A. - of the ownership - by the person requesting it - of the requirements to qualify as a bondholder or potential investor.

Personal data given by the user/visitor when filling out the aforementioned "Investor relations area" form will be processed for the following purposes:

• enable the user/visitor - who requests it and meets certain requirements (bondholder or potential investor) - to obtain access credentials to the "Investor relations area", to access it and to receive e-mails with which any updates to the content (reports) viewable in the aforementioned area and/or any newsletters will be reported.
  
  The processing of personal data in question is carried out by the Controller insofar as and to the extent that:
• it is necessary for the performance of the contract to which the user/visitor is a party or for the performance of pre-contractual measures taken at the request of the same [Art. 6, par. 1(b) of the GDPR] in relation to the purpose under 8).

Personal data collected through the submission of spontaneous applications through the "Spontaneous Application" form in the "Work with Us" section of the Site and/or as a result of the updating of resumes already submitted will be processed in accordance with the "Applicant Information" available in the "Work with Us" section of this Site, to which reference is made. Where affected by the application received from the user (e.g., for reasons of territorial competence and/or if it pertains to an open position published in the interest of one of the Subsidiaries), the Controller may share the application directly with the relevant Subsidiary, as also detailed above and as more fully described in the document "Information regarding candidates".

The Website includes social media buttons and third-party applications. Social media buttons are digital buttons i.e., direct links to Social Network platforms configured in each individual "button." With a click on such links you will have the opportunity to interact directly with the Data Controller's accounts (social pages) such as LinkedIn and You Tube.
The operators of the Social Networks to which the buttons refer are autonomous data controllers. In this regard, Bormioli Pharma specifies that no control is made over such websites and cannot be held responsible for their privacy policies. After leaving the Site, we encourage you to always read the privacy policy of each website you visit. We also encourage you to read the Linkedin Terms of Use and the You Tube Terms of Use.

The user/visitor is free to provide personal data in the dedicated areas of the Site. However, the provision of Data for the purposes set out in this policy - particularly those marked as "mandatory" in the relevant sections - is necessary in order to perfect the specific functions and take advantage of the services offered by the Data Controller, for example, to receive a response to the submitted request for information.

Failure to provide personal data, therefore, may result in the inability to obtain the requested service and/or response.

In this regard, it should be noted that under no circumstances will the failure to provide consent for the purposes set forth in numbers 6) and/or 7) affect the possibility of obtaining the requested service and/or response.

The personal data referred to in this notice may be processed by the employees and/or collaborators of the Data Controller (e.g., sales manager, buyers, chief financial officer, marketing department, etc.) in their capacity as individuals expressly authorized to process personal data referred to in this notice and possibly assigned specific tasks and functions related to the aforementioned processing (pursuant to Art. 2-quaterdecies of the Privacy Code), in each case appropriately instructed and made aware of the constraints imposed by current data protection regulations.

The personal data in question may also be communicated to and processed by suppliers (e.g. external consultants in the context of assistance and consultancy relationships) that perform outsourcing activities on behalf of the Data Controller (including entities that provide services for the management of Bormioli Pharma S.p.A.'s information system and communication networks, including the related technical maintenance) and with whom it is necessary to interact for the provision of the services offered by the Site and, more generally, for the purposes described above, in their capacity as external data processors and with whom, when the conditions are met, the Data Controller has entered into special data processor agreements pursuant to and in accordance with Art. 28 of the GDPR.
The data in question may also be disclosed:

• to the competent authorities in fulfillment of obligations to which the Data Controller is bound;
• to legal advisors/lawyers, accountants, specialized outside firms, etc. for the purpose of studying and resolving any legal problems related to the existing contract position;
• to commercial information companies for the assessment of solvency and payment habits and, more generally, to parties who, for the above purposes, must provide services requested by the Data Controller;
• marketing companies that support the Controller in carrying out surveys and/or questionnaires intended to verify the level of satisfaction with respect to Bormioli Pharma S.p.A.'s activities, products and services and/or in advertising and promotional activities;
• with the Subsidiaries that are part of the Bormioli Pharma Group to which the Controller belongs in their capacity as External Managers and/or Independent Controllers depending on the processing activities involved;
• to supervisory bodies, law enforcement agencies or the judiciary and, more generally, to those entitled to access them under the regulations in force from time to time.

By contacting the Company via e-mail at privacy@bormiolipharma.com and/or by contacting the Chief Privacy Officer ("CPO") - Dr. Viola Rosadi -, subject to the limitations set forth in Art. 2-undecies of the Privacy Code, the user/visitor may ask the Controller to:

• access personal data concerning him or her, to obtain the information referred to in Art. 15 of the GDPR and to receive copies of the personal data being processed (right of access);
• to obtain the rectification of inaccurate personal data concerning him/her without undue delay pursuant to Art. 16 of the GDPR(right of rectification);
• to obtain the deletion of personal data concerning him/her without undue delay where the conditions of Art. 17 of the GDPR (right to erasure);
• to obtain the restriction of processing when any of the conditions and prerequisites set forth in Art. 18 of the GDPR (right to restrict processing);
• to notify each of the recipients to whom his or her personal data have been transmitted of any rectification or erasure or restriction of processing carried out pursuant to Articles 16, 17 para. 1, and 18, unless it proves impossible or involves disproportionate effort. The Data Controller is obliged to notify these recipients to the user/visitor if they request it (right of notification in case of rectification or erasure of personal data or restriction of processing);
• insofar as the processing is carried out by automated means and based on the contract with Bormioli Pharma S.p.A., to receive in a structured, commonly used and machine-readable format the personal data concerning him/her and to transmit such data to another data controller without hindrance by Bormioli Pharma S.p.A. (right to data portability);
• to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Art. 6, par. 1(f) of the GDPR(right to object). In this case, Bormioli Pharma S.p.A. will refrain from further processing your personal data, unless the user/visitor demonstrates the existence of compelling lawful grounds for processing that override your interests, rights and freedoms or for the establishment, exercise or defense of a legal claim.

In relation to Data processing based on any consent given by the user/visitor, the user/visitor also has the right to revoke consent at any time, without affecting the lawfulness of the processing based on the consent given prior to revocation.

The user/visitor also has the right to file a complaint with the Supervisory Authority (Data Protection Authority) under Art. 77 of the GDPR and Art. 140-bis et seq. of the Privacy Code.

It should also be noted that - prior to the processing of requests - the Companies may carry out a verification of the identity of the interested party, in order to assess the legitimacy of the request received.

The processing of personal data referred to in this notice takes place using both electronic and manual means and tools and, in any case, after taking the appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk. The personal data of the data subject may be processed by employees of the corporate functions of the Companies deputed to the pursuit of the above purposes. These employees have been expressly authorized for processing data and have received appropriate operating instructions pursuant to Art. 29 GDPR.
The Data Controller also processes the personal data of contacts (former customers, existing and potential customers and people in some way connected to these customers and other business contacts) by means of our CRM systems. These CRM systems support the sales and marketing operations of the Bormioli Pharma Group.
In CRM systems, Bormioli Pharma processes the following categories of personal data for the following purposes:

• Name, job title, business email address, phone and fax numbers;
• Name of the employing company or organization with which the person is associated;
• Management and filing of business and marketing preferences;
• History of the existing business relationship;
• Replies to invitations and confirmations to attend events;

The legal basis for processing personal data of business contacts is:

• The explicit consent of the data subject in the case of marketing activities
• the legitimate interest of the Data Controller to process business information and manage the relationship with business contacts and to provide information on the services offered by Bormioli Pharma Group.

As a rule, the Controller does not transfer personal data referred to in this notice to third countries or international organizations, unless it is required to do so by provisions of law, regulations or European legislation. In the event that such a transfer is to take place, it will be carried out in compliance with the provisions of Chapter V of the GDPR and in strict compliance with the standards of confidentiality and security set forth in the applicable data protection laws.However, as part of the management of the business relationship and/or in order to respond to the request received from the user, personal data may be forwarded and processed by personnel belonging to Subsidiaries that are part of the Bormioli Pharma Group located in third countries, including through access to databases shared and/or managed with such Companies that are part of the Bormioli Pharma Group.

Bormioli Pharma S.p.A. retains the personal data referred to in this statement for a period of time not exceeding the achievement of the purposes for which they are processed or will be subsequently processed in accordance with legal obligations. In general terms, this means that personal data will be retained for the duration of the relationship plus the duration of any applicable statutory limitation period under local laws.

In some circumstances, it may be necessary to retain data for a longer period of time, such as in the case of an ongoing correspondence or complaint or investigation.

It is possible that this Privacy Policy may change over time and we therefore encourage you to consult this page periodically. For this purpose, the disclosure highlights the date of update. Date Last Modified 1.06.2022.

Bormioli Pharma S.p.A. (hereinafter "Controller" or "Company") registered office: Corso Magenta no. 84 - 20123, Milan (MI) operational/administrative headquarters: viale Giovanni Falcone n.48/A - 43122 Parma (PR), Italy T +39 0521 362620 Email : privacy@bormiolipharma.com

Personal data are collected:

• directly from you (e.g., at trade shows and corporate events);
• from public access sources (e.g., documents published in chamber of commerce, customer/supplier website, etc.);
• from SIC (credit information systems) and companies providing business information service.

The personal data processed by Bormioli Pharma S.p.A. for the purposes described below are only common personal data, such as: first name, last name, date and place of birth, company name, place of residence, telephone number, tax code, e-mail address, company of affiliation, tax code, VAT number, bank and payment references, business information, credit information, etc. related to the customer/supplier and/or operational references (collaborators, employees, etc.) of the existing and/or potential customer/supplier, acquired and used within the framework of the management of pre-contractual/contractual business relations with the customer/supplier.
In fact, in the course of the aforementioned relationships, each of the parties may find itself in the condition of having to process personal data referring to employees and/or collaborators of the other party (e.g., the personal data of the legal representative of the client who signs the contract in the name and on behalf of the latter), in which case each party hereby undertakes to proceed to process such personal data in accordance with the provisions set forth in the data protection legislation applicable from time to time.

Personal data will be processed for the following purposes:

1. to acquire information useful for the activation or continuation of relations with Bormioli Pharma S.p.A. as well as to enable an effective management of financial and commercial relationships (such as solvency and/or reliability verification preparatory to the establishment of the contractual and/or commercial relationship);
2. to respond to operational and managerial needs internal to Bormioli Pharma S.p.A., more generally, to the companies of the Bormioli Pharma Group and inherent to the service provided to the customer/supplier (such as registration, management and/or updating of personal and/or contact information, receipt, management and processing of orders, sending of communications pertaining to the contractual and/or commercial relationship and replies to requests from the data subject, internal reporting related to the contractual and/or commercial relationship, logistics activities, delivery and receipt of goods);
3. Research and development activities, event management, including invitations to participate in trade shows and corporate events as well as to conduct internal analysis and research to help us improve service;
4. to honour precontractual, contractual and legal obligations (of an administrative, accounting or fiscal nature which also obligations deriving from calls for tenders or in the field of health and safety in the workplace and qualification of suppliers), and to comply with provisions issued by competent authorities and/or supervisory and control bodies;
5. to ascertain, exercise or defend a right of the Data Controller(e.g. to protect any credit positions) and/or defend against claims of others, in or out of court, prevent any fraud.

The processing of personal data is carried out by the Data Controller insofar as and to the extent that it results as being:

• necessary for the performance of the contract to which the customer/supplier is a party or the performance of pre-contractual measures taken at its request [Art. 6, par. 1(b) of the GDPR] for the purposes of (1), (2) and (3), (4);
• necessary to fulfill a legal obligation to which the Data Controller is subject [Art. 6, par. 1(c) of the GDPR] in relation to the purposes mentioned in number 4);
• necessary for the pursuit of the legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail [Art. 6, par. 1(f) of the GDPR] in relation to the purposes set out in (1), (2), (3) and (5).

The provision of the data referred to in this notice is necessary in relation to the purposes set out in 1), 2) 3) and 4). Therefore, failure to provide such data, could result in the inability of the Data Controller to follow up on the relationship being established or established.

The personal data referred to in this statement may be processed by the employees and/or collaborators of the Data Controller and/or Subsidiaries that are part of the Bormioli Pharma Group (e.g., sales manager, buyers, customer care staff, etc.) in their capacity as individuals expressly authorized to process the personal data referred to in this statement and possibly attributed with specific tasks and functions related to the aforementioned processing (pursuant to Art. 2-quaterdecies of the Privacy Code), in each case appropriately instructed and made aware of the constraints imposed by current data protection regulations.

The personal data in question may also be communicated to and processed by Group companies and suppliers (e.g., external consultants in charge of processing operations and/or consulting for tax withholding agents, etc.) who perform outsourcing activities on behalf of the Data Controller, in their capacity as external data processors and with whom, when the conditions are met, the Data Controller has entered into special Data Processor Agreements pursuant to Art. 28 of the GDPR.
The data in question may also be communicated:

• to the competent authorities in fulfillment of obligations to which the Data Controller is bound;
• to credit institutions, Insurance Companies, business information companies and similar entities in connection with the performance of contractual or pre-contractual obligations;
• to legal advisors/lawyers, accountants, specialized outside firms, etc. for the purpose of studying and resolving any legal problems related to the existing contractual position therein including debt collection activities;
• to companies that collaborate with the Data Controller in order to provide the requested service or sell/recapture the purchased product (e.g., resellers, transporters, etc.) and, more generally, to parties that, for the purposes stated above, must provide services to the Data Controller;
• with the Subsidiaries that are part of the Bormioli Pharma Group to which the Controller belongs in their capacity as External Managers and/or Autonomous Data Controllers depending on the processing activities involved;
• to supervisory bodies, law enforcement agencies or the judiciary and, more generally, to parties entitled to access them under the regulations in force from time to time.

Contacting the Company by e-mail at privacy@bormiolipharma.com and/or contacting the Chief Privacy Officer ("CPO"), subject to the limitations set forth in Art. 2-undecies of the Privacy Code, you may ask the Controller to:

• access personal data concerning you, to obtain the information referred to in Art. 15 of the GDPR and to receive copies of the personal data being processed (right of access);
• obtain the rectification of inaccurate personal data concerning you without undue delay pursuant to Art. 16 of the GDPR (right to rectification);
• to obtain the deletion of personal data concerning you without undue delay where the conditions of Art. 17 of the GDPR (right to erasure);
• obtain the restriction of processing when any of the conditions and prerequisites apply, as set forth in Art. 18 of the GDPR (right to restrict processing);
• notify each of the recipients to whom your personal data have been transmitted of any rectification or erasure or restriction of processing carried out pursuant to Articles 16, 17, par. 1, and 18, unless it proves impossible or involves disproportionate effort. The Data Controller is obliged to notify you of these recipients if you so request (right to notification in case of rectification or erasure of personal data or restriction of processing);
• insofar as the processing is carried out by automated means and based on the contract with Bormioli Pharma S.p.A., to receive in a structured, commonly used and machine-readable format, personal data concerning you and to transmit such data to another data controller without hindrance from Bormioli Pharma S.p.A. (right to data portability);
• object at any time, for reasons related to your particular situation, to the processing of personal data concerning you in accordance with Art. 6, par. 1(f) of the GDPR (right to object). In this case, Bormioli Pharma S.p.A. will refrain from further processing your personal data, unless it demonstrates the existence of compelling lawful grounds for processing that override your interests, rights and freedoms or for the establishment, exercise or defense of a legal claim.
  
  You also have the right to file a complaint with the Supervisory Authority (Data Protection Authority) under Art. 77 of the GDPR and Art. 140-bis et seq. of the Privacy Code. It should also be noted that - prior to the processing of requests - the Company may carry out a verification of the identity of the data subject, in order to assess the legitimacy of the request received.

The processing of your personal data takes place by means of paper, computer or telematic tools and, in any case, after taking the appropriate technical and organizational measures to ensure a level of security of your personal data adequate to the risk. Personal data may be processed by employees of the corporate functions of the Companies deputed to the pursuit of the above purposes. These employees have been expressly authorized for processing data and have received appropriate operating instructions pursuant to Art. 29 GDPR.

The Data Controller also processes the personal data of contacts (former customers, existing and potential customers and people in some way connected to these customers and other business contacts) by means of our CRM systems. These CRM systems support the sales and marketing operations of the Bormioli Pharma Group.

In CRM systems, Bormioli Pharma processes the following categories of personal data for the following purposes:

• Name, job title, mailing address, company email address, telephone and fax numbers;
• Name of the employing company or organization with which the person is associated;
• Management and archiving of sales and marketing preferences;
• History of existing business relationship;
• Replies to invitations and confirmations to attend events.

The legal basis for processing personal data of business contacts is:

• The explicit consent of the data subject in case of use for marketing purposes,The legitimate interest of the Data Controller to process business information and manage the relationship with business contacts and to provide information on services/products offered by Bormioli Pharma Group.

As a rule, the Controller does not transfer personal data referred to in this notice to third countries or international organizations, unless it is required to do so by provisions of law, regulations or European legislation. In the event that such a transfer must take place, it will be carried out in compliance with the provisions of Chapter V of the GDPR. However, as part of the management of the business relationship and/or in order to respond to the request received from the client/supplier, personal data may be forwarded and processed by personnel belonging to Companies that are part of the Bormioli Pharma Group located in third countries, including through access to databases shared and/or managed with such Companies that are part of the Bormioli Pharma Group.

Bormioli Pharma S.p.A. retains the personal data referred to in this statement for a period of time not exceeding the achievement of the purposes for which they are processed. In particular:

• personal data functional for the fulfillment of legal and/or contractual obligations placed on the Data Controller will be retained for the duration of the contractual relationship and for a maximum period of 10 years thereafter (Art. 2220 and 2946 Civil Code; art. 22, paragraph 2, Presidential Decree no. 600/1973; etc.), except in the case of judicial litigation in the presence of which the retention of the data is allowed in any case for the entire duration of the same, until the expiration of the time limits for the admissibility of appeal actions;
• personal data functional to the fulfillment of operational and management requirements internal to Bormioli Pharma S.p.A. and inherent to the service/performance provided to the customer/supplier will be retained for the duration of the commercial and/or contractual relationship and for the maximum period of 5 years thereafter.

Bormioli Pharma France SA (hereinafter referred to as the “DATA CONTROLLER” OR THE “COMPANY”) registered offices: ZAE Les Cadaux – 457, Av. Pierre Ottavioli – 81370 Saint Sulpice – France, identifiée sous le numéro 315131904 RCS Castres. T +33 (0)5.63.41.11.40

We process personal data received from you through our business relationship.
We also, where necessary in providing our services, process personal data that we have obtained by authorised means from other companies or from third parties (e.g.for the purpose of fulfilling orders or contracts or on the basis of your consent).
We also process personal data that we have obtained:

• directly from you (e.g. at trade shows and corporate events);
• from sources accessible to the public (e.g. documents published in chambers of commerce, existing or potential client/supplier website);
• from credit information systems and companies that provide business information services.

The personal data processed by BORMIOLI PHARMA FRANCE SA for the purposes described below consist exclusively of common personal data, such as:

• forename, surname, date and place of birth, company name, place of residence, phone number, tax ID, email address, parent company, tax code, VAT no. and business information;

information relating to existing or potential clients/suppliers and/or to operational contacts (e.g. workers, employees, legal representatives) of the client/supplier in question, acquired and used for the purposes of the establishment and/or in the context of the management of commercial and/or precontractual/contractual relations with said client/supplier (e.g. business correspondence).
During the course of the aforementioned relations, each of the parties may find itself in a position in which it has to process personal data relating to employees and/or workers of the other party (e.g. the personal details of the client’s legal representative, who signs the contract in the name and on behalf of the client), in which case each party undertakes from now on to process said personal data in accordance with the provisions of the data protection regulations applicable from time to time. The business relationship exists between BORMIOLI PHARMA FRANCE SA and the Company for which you works.

The personal data shall be processed for the following purposes:

1. to acquire information that may be useful for the activation or continuation of relations/cooperation with Bormioli Pharma France SA e.g. to obtain information of a technical or commercial nature or that may be informative in general; preparation of the offer, the fulfilment of the contracts, checks on solvency and/or reliability in preparation for the establishment of contractual and/or commercial relations);
2. to meet operational and managerial needs within Bormioli Pharma France SA and relating to the service provided to the client/by the supplier (e.g. registration, management and/or updating of personal and/or contact information; receipt, management and handling of orders; sending of communications pertaining to contractual and/or commercial relations; logistics activities; delivery and receipt of goods);
3. to honour precontractual, contractual and legal obligations (of an administrative, accounting or fiscal nature), and to comply with provisions issued by competent authorities and/or supervisory and control bodies;
4. to assert, exercise or defend a right of the Data Controller (e.g. in protection of creditor positions) and/or in order for the Data Controller to defend itself against third-party claims, in judicial or extra-judicial proceedings, and to prevent possible fraud.

The personal data processing shall be carried out by the Data Controller insofar as and to the extent that:

• it is necessary for the execution of the contract to which the client/supplier is a party or for the execution of precontractual measures adopted at the latter’s request [Article 6, paragraph 1, letter b), of the GDPR] for the purposes set out under points 1), 2) and 3);
• it is necessary for compliance with a legal obligation to which the Data Controller is subject [Article 6, paragraph 1, letter c), of the GDPR] in relation to the purposes set out under point 3);
• it is necessary for the pursuit of the legitimate interest of the Data Controller or of third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring data protection prevail [Article 6, paragraph 1, letter f), of the GDPR] in relation to the purposes set out under points 2) and 4).

In the context of our business relationship, the only personal data you have to provide are those needed to establish, carry out and terminate a business relationship, or those which we are legally required to collect. The provision of the data referred to in this privacy policy is necessary in relation to the purposes set out under points 1), 2), 3), and 4). Therefore, failure to provide said data could make it impossible for the Data Controller to pursue the relations established or being established.

The personal data referred to in this privacy policy may be processed by the employees and/or workers of the Data Controller and of the Group companies, in particular of Bormioli Pharma S.p.a. (e.g. sales manager, buyers, customer care agents, marketing department) in their capacity as individuals expressly authorised to process personal data pursuant to this privacy policy and possibly allocated specific duties and functions connected with the aforementioned processing and in any case suitably trained and informed of the obligations imposed by the regulations in force on personal data protection.
The personal data in question may also be communicated and processed by suppliers (e.g. external consultants tasked with processing and/or consultancy operations for withholding agents) performing outsourced activities on behalf of the Data Controller, in their capacity as external data processors, and with which, provided the conditions are met, the Data Controller has entered into dedicated Data Processor Agreements pursuant to and for the purposes of Article 28 of the GDPR.
The data in question may also be communicated:

• to the competent authorities in fulfilment of the obligations to which the Data Controller is bound;
• to legal consultants/lawyers, accountants, specialist external firms, etc. for the investigation and resolution of any legal problems relating to the contractual position in place, including credit recovery activities;
• to credit institutions, insurance companies, business information companies, credit information systems and similar bodies in relation to the execution of contractual or precontractual obligations;
• to Group companies and/or companies that collaborate with the Data Controller to provide the service requested or to sell/deliver the product purchased (e.g. sorters, transporters) and, more generally, to persons who, for the aforementioned purposes, must provide services to the Data Controller;
• other companies in the Bormioli Pharma Group, including subsidiaries and associates to which the Controller belongs;
• other companies to which we transfer personal data in the context of, or in pursuit of, the business relationship with you (depending on the nature of the contract, this may also include credit agencies, banks, loan insurance agencies and business partners);
• to control bodies, forces of law and order and, more generally, persons authorised to access the data pursuant to the regulations in force from time to time.

By contacting the Company by email: privacy@bormiolipharma.com you can ask the Data Controller to:

• access personal data concerning you, obtain information pursuant to Article 15 of the GDPR and receive a copy of the personal data subject to processing (right of access);
• obtain the rectification of inaccurate personal data concerning you without undue delay, pursuant to Article 16 of the GDPR (right to rectification);
• obtain the erasure of personal data concerning you without undue delay, provided that the conditions set out pursuant to Article 17 of the GDPR are met (right to erasure);
• obtain the restriction of processing where one of the prerequisites of Article 18 of the GDPR is met and under the conditions set out under said Article (right to restrict processing);
• inform each of the recipients to whom your personal data are transmitted of any rectifications or erasures or restrictions of the processing carried out pursuant to Articles 16, 17, paragraph 1, and 18, unless this is impossible or involves a disproportionate effort. The Data Controller is required to communicate these recipients to you should you request this (right to notification in the event of rectification or erasure of the personal data or restriction of processing);
• within the limits in which the processing is carried out, using automated means and based on the contract with Bormioli Pharma France Sa receive, in a structured format that is commonly used and readable by an automatic device, the personal data concerning you and transmit said data to another data controller without impediments from Bormioli Pharma France SA (right to data portability);
• object, on grounds relating to your particular situation, at any time to processing of personal data concerning you pursuant to Article 6, paragraph 1, letter f), of the GDPR (right to object). In this case, Bormioli Pharma France SA shall refrain from further processing of your personal data, unless it can prove the existence of compulsory, legitimate grounds for performing the processing that prevail over your interests, rights and freedoms, or it processes the data for the purposes of asserting, exercising or defending a right in judicial proceedings.

You also have the right to submit a complaint to the competent control body (la Commission Nationale de l’Informatique et des Libertés -CNIL)(www.cnil.fr) pursuant to Article 77 of the GDPR, which can be contacted at the address:

3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
France
Tel: +33 (0)1.53.73.22.22

The processing of your personal data shall take place using paper, digital or electronic means and, in any case, subject to the adoption of adequate technical and organisational measures to guarantee a level of security for your personal data that is adequate to the risk.

Bormioli Pharma France SA shall store the personal data referred to in this privacy policy for a period of time not greater than that required to achieve the purposes for which the data are processed. In particular your data is kept as long as it is needed for the above descripted purposes in compliance with the legally required retention period of tax law, commercial law and civil law.
Where necessary, Bormioli Pharma France SA process and store your personal data for the duration of our business relationship, which may also include the initiation and execution of a contract, and fulfilment of the purposes of the contract.
Additionally, Bormioli Pharma France SA is subject to various obligations relating to conservation and documentation, for instance under the French Civil Code (art.2224). The time limits they set for storage or documentation are ten years.

Remy & Geiser GMBH, company number DE149510995 whose registered office is at Remy & Geiser-Straße 1, 98553 Schleusingen, Germany, Fon: +49 (0) 36841 3380, E-Mail: privacy.remygeiser@bormiolipharma.com

We have appointed a qualified and reliable external Data Protection Officer. If you have any questions regarding the processing of personal data you can contact the DPO who is available in the case of any requests of information, general requests or complaints:
E-MAIL: privacy.remygeiser@bormiolipharma.com

We process personal data received from you through our business relationship.

We also, where necessary in providing our services, process personal data that we have obtained by authorised means from other companies or from third parties (e.g.for the purpose of fulfilling orders or contracts or on the basis of your consent.).

We also process personal data that we have obtained:

• directly from you (e.g. at trade shows and corporate events);
• from sources accessible to the public (e.g. documents published in chambers of commerce, existing or potential client/supplier website);
• from credit information systems and companies that provide business information services.

The personal data processed by Remy & Geiser Gmbh. for the purposes described below consist exclusively of common personal data, such as:

• forename, surname, date and place of birth, company name, place of residence, phone number, tax ID, email address, parent company, tax code, VAT no. and business information;

information relating to existing or potential clients/suppliers and/or to operational contacts (e.g. workers, employees, legal representatives) of the client/supplier in question, acquired and used for the purposes of the establishment and/or in the context of the management of commercial and/or precontractual/contractual relations with said client/supplier ( e.g. business correspondence).

During the course of the aforementioned relations, each of the parties may find itself in a position in which it has to process personal data relating to employees and/or workers of the other party (e.g. the personal details of the client’s legal representative, who signs the contract in the name and on behalf of the client), in which case each party undertakes from now on to process said personal data in accordance with the provisions of the data protection regulations applicable from time to time. The business relationship exists between Remy & Geiser Gmbh and the Company for which you works.

The personal data shall be processed for the following purposes:

1. to acquire information that may be useful for the activation or continuation of relations/cooperation with Remy & Geiser Gmbh (e.g. to obtain information of a technical or commercial nature or that may be informative in general; preparation of the offer, the fulfilment of the contracts, checks on solvency and/or reliability in preparation for the establishment of contractual and/or commercial relations);
2. to meet operational and managerial needs within Remy & Geiser Gmbh and relating to the service provided to the client/by the supplier (e.g. registration, management and/or updating of personal and/or contact information; receipt, management and handling of orders; sending of communications pertaining to contractual and/or commercial relations; logistics activities; delivery and receipt of goods);
3. to honour precontractual, contractual and legal obligations (of an administrative, accounting or fiscal nature), and to comply with provisions issued by competent authorities and/or supervisory and control bodies;
4. to assert, exercise or defend a right of the Data Controller (e.g. in protection of creditor positions) and/or in order for the Data Controller to defend itself against third-party claims, in judicial or extra-judicial proceedings, and to prevent possible fraud.

The personal data processing shall be carried out by the Data Controller insofar as and to the extent that:

• it is necessary for the execution of the contract to which the client/supplier is a party or for the execution of precontractual measures adopted at the latter’s request [Article 6, paragraph 1, letter b), of the GDPR] for the purposes set out under points 1), 2) and 3);
• it is necessary for compliance with a legal obligation to which the Data Controller is subject [Article 6, paragraph 1, letter c), of the GDPR] in relation to the purposes set out under point 3);
• it is necessary for the pursuit of the legitimate interest of the Data Controller or of third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring data protection prevail [Article 6, paragraph 1, letter f), of the GDPR] in relation to the purposes set out under points 2) and 4).

In the context of our business relationship, the only personal data you have to provide are those needed to establish, carry out and terminate a business relationship, or those which we are legally required to collect. The provision of the data referred to in this privacy policy is necessary in relation to the purposes set out under points 1), 2), 3), and 4). Therefore, failure to provide said data could make it impossible for the Data Controller to pursue the relations established or being established.

The personal data referred to in this privacy policy may be processed by the employees and/or workers of the Data Controller and of the Group companies, in particular of Bormioli Pharma S.p.a. (e.g. sales manager, buyers, customer care agents, marketing department) in their capacity as individuals expressly authorised to process personal data pursuant to this privacy policy and possibly allocated specific duties and functions connected with the aforementioned processing and in any case suitably trained and informed of the obligations imposed by the regulations in force on personal data protection.

The personal data in question may also be communicated and processed by suppliers (e.g. external consultants tasked with processing and/or consultancy operations for withholding agents) performing outsourced activities on behalf of the Data Controller, in their capacity as external data processors, and with which, provided the conditions are met, the Data Controller has entered into dedicated Data Processor Agreements pursuant to and for the purposes of Article 28 of the GDPR.

The data in question may also be communicated:

• to the competent authorities in fulfilment of the obligations to which the Data Controller is bound;
• to legal consultants/lawyers, accountants, specialist external firms, etc. for the investigation and resolution of any legal problems relating to the contractual position in place, including credit recovery activities;
• to credit institutions, insurance companies, business information companies, credit information systems and similar bodies in relation to the execution of contractual or precontractual obligations;
• to Group companies and/or companies that collaborate with the Data Controller to provide the service requested or to sell/deliver the product purchased (e.g. sorters, transporters) and, more generally, to persons who, for the aforementioned purposes, must provide services to the Data Controller;
• other companies in the Bormioli Pharma Group, including subsidiaries and associates to which the Controller belongs;
• other companies to which we transfer personal data in the context of, or in pursuit of, the business relationship with you (depending on the nature of the contract, this may also include credit agencies, banks, loan insurance agencies and business partners);
• to control bodies, forces of law and order and, more generally, persons authorised to access the data pursuant to the regulations in force from time to time.

By contacting the Company and/or by contacting the Data Protection Officer (“DPO”), by email: privacy.remygeiser@bormiolipharma.com , you can ask the Data Controller to:

• access personal data concerning you, obtain information pursuant to Article 15 of the GDPR and receive a copy of the personal data subject to processing (right of access);
• obtain the rectification of inaccurate personal data concerning you without undue delay, pursuant to Article 16 of the GDPR (right to rectification);
• obtain the erasure of personal data concerning you without undue delay, provided that the conditions set out pursuant to Article 17 of the GDPR are met (right to erasure);
• obtain the restriction of processing where one of the prerequisites of Article 18 of the GDPR is met and under the conditions set out under said Article (right to restrict processing);
• inform each of the recipients to whom your personal data are transmitted of any rectifications or erasures or restrictions of the processing carried out pursuant to Articles 16, 17, paragraph 1, and 18, unless this is impossible or involves a disproportionate effort. The Data Controller is required to communicate these recipients to you should you request this (right to notification in the event of rectification or erasure of the personal data or restriction of processing);
• within the limits in which the processing is carried out, using automated means and based on the contract with Remy & Geiser Gmbh., receive, in a structured format that is commonly used and readable by an automatic device, the personal data concerning you and transmit said data to another data controller without impediments from Remy & Geiser Gmbh (right to data portability);
• object, on grounds relating to your particular situation, at any time to processing of personal data concerning you pursuant to Article 6, paragraph 1, letter f), of the GDPR (right to object). In this case, Remy & Geiser Gmbh. shall refrain from further processing of your personal data, unless it can prove the existence of compulsory, legitimate grounds for performing the processing that prevail over your interests, rights and freedoms, or it processes the data for the purposes of asserting, exercising or defending a right in judicial proceedings.

The right of access and the right to erasure are subject to the restrictions set out in Artt. 34 and 35 of the BDSG.

You also have the right to submit a complaint to the competent control body Federal Commissioner for Data Protection and Freedom of Information – “BFDI”) pursuant to Article 77 of the GDPR in conjunction with Art. 19 BDSG and Chapter 3, Sect. 60-61 of the BDSG, which can be contacted at the address

Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit, Postfach 900455
99107 Erfurt (Thüringer Data Protection Commissioner)
Tel.: +49 (361) 57-3112900
Mail: poststelle@datenschutz.thueringen.de

The processing of your personal data shall take place using paper, digital or electronic means and, in any case, subject to the adoption of adequate technical and organisational measures to guarantee a level of security for your personal data that is adequate to the risk.

As a rule, the Data Controller shall not transfer the personal data referred to in this privacy policy to third countries or international organisations, unless it is necessary to carry out your instructions or is required to do so pursuant to provisions of law, regulations or European legislation. In the event that such a transfer must take place, it shall be carried out in accordance with the provisions of Chapter V of the GDPR.

Remy & Geiser Gmbh shall store the personal data referred to in this privacy policy for a period of time not greater than that required to achieve the purposes for which the data are processed. In particular your data is kept as long as it is needed for the above descripted purposes in compliance with the legally required retention period of tax law, commercial law and civil law.

Where necessary, Remy & Geiser Gmbh process and store your personal data for the duration of our business relationship, which may also include the initiation and execution of a contract, and fulfilment of the purposes of the contract.

Additionally, Remy & Geiser Gmbh is subject to various obligations relating to conservation and documentation, for instance under the German Commercial Code (Handelsgesetzbuch, HGB)1 and the German Tax Code (Abgabenordnung, AO)2. The time limits they set for storage or documentation are two to ten years.

Finally, the duration of storage is also determined by the statutory limitation periods, normally lasting for three years according to Artt. 195 ff. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), for example, but in certain cases for up to thirty years.

It would be helpful to start by explaining some key terms used in this policy:

We, us, our: Bormioli Pharma United States Inc., a Delaware corporation, together with our parent company Bormioli Pharma S.p.A., an Italian corporation, and our other affiliates under the control of our parent company, Bormioli Pharma France SA and Remy & Geiser GmbH, Bormioli Pharma (Shanghai) Trading Co.,Ltd. (the “Bormioli Pharma Group”, also “Bormioli”).

Our representative: Andrea Lodetti, Managing Director

Our Chief Privacy officer: privacy@bormiolipharma.com

Personal information: Any information relating to an identified or identifiable individual.

Special category personal information: Personal information revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, or trade union membership; genetic and biometric data; and data concerning health, sex life or sexual orientation.

Sensitive Personal Information: Personal information revealing an individual’s social security number, driver's license and passport numbers, account numbers and credentials, precise geolocation, racial or ethnic origin, religious beliefs, or union membership, personal information concerning an individual's health, sex life, or sexual orientation, contents of an individual's mail, email and text messages where the business is not the intended recipient, genetic data, and biometric information

Biometric Information: An individual's physiological, biological, or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

We may collect and use the following personal information, including sensitive personal information, that identifies, relates to, describes, is reasonable capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual:

Categories of Personal Information

• Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers)
  
  Personal Information Collected:Forename, surname, company/business name, phone, mobile and fax phone numbers, tax ID, email address, parent company, tax code, VAT number.

• Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
  
  Personal Information Collected: Forename, surname, company name, phone, mobile and fax phone numbers, tax ID, email address, signature, business bank account number and bank transfer instructions, business credit card number.

• Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding an individual’s interaction with an Internet Web site, application, or advertisement)
  
  Personal Information Collected: Internet browsing data.

• Professional or employment-related information
  
  Personal Information Collected: Data referring to your employment relationship with Bormioli (employee registration no., work attendance and absence data, professional profile updating and management data, assignment of new tasks and appointments, professional and careers development, performance evaluation, military history, studies completed, foreign languages known and relative level, previous work experience, state of service and assessments, internal and/or external training received).

• Health information
  
  Personal Information Collected: The state of health (absences for illness, maternity, injury, fitness or otherwise for certain tasks expressed by medical staff following preventive/periodic medical examinations or where requested by you).

If you do not provide personal information required to provide products AND/OR services to you, it may delay or prevent us from providing products AND/OR services to you.

We collect personal information from the following categories of sources:

• You, directly in person, by telephone, text, or email and/or via our website
• Third party with your consent (e.g., your bank)
• Advertising networks
• Internet service providers
• Data analytics providers
• Government entities
• Operating systems and platforms
• Social networks
• Data brokers
• Publicly accessible sources (e.g., property records)
• Cookies on our website and contact form on our website

1. Our IT and security systems, including:
2. Door entry systems and reception logs

Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email, and instant messaging systems.

Under data protection laws, we can only use your personal information if we have a proper reason for doing so, for example:

• To comply with our legal and regulatory obligations
• For the performance of our contract with you or to take steps at your request before entering into a contract
• For our legitimate interests or those of a third party

Where you have given consent

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests

Below are described the purposes for which we use (process) your personal information for and our reasons for doing so:

What we use your personal information for:

• To provide products AND/OR services to you
  
  Our reasons: For respond to any requests for information from you on the products and services of Bormioli Pharma Group, including the sending of any quotations
  
  
• For the performance of our contract with you or to take steps at your request before entering into a contract
  
  
• To prevent and detect fraud against you or any member of the Bormioli Pharma Group
  
  Our reasons: For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you

• Conducting checks to identify our customers and verify their identity
  
• Screening for financial and other sanctions or embargoes
  
• Other processing necessary to comply with professional, legal, and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator
  
  Our reasons: To comply with our legal and regulatory obligations

• Gathering and providing information required by or relating to audits, inquiries or investigations by regulatory bodies
  
  Our reasons: To comply with our legal and regulatory obligations

• Ensuring business policies are adhered to, e.g., policies covering security and internet use
  
  Our reasons: For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you

• Operational reasons, such as improving efficiency, training, and quality control
  
  Our reasons: For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price

• Ensuring the confidentiality of commercially sensitive information
  
  Our reasons: For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information
  
  
• To comply with our legal and regulatory obligations
  
  
• Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, product range or other efficiency measures
  
  Our reasons: For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price

• Preventing unauthorized access and modifications to systems
  
  Our reasons: For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you
  
  
• To comply with our legal and regulatory obligations
  
  
• Updating customer records
  
  Our reasons: For the performance of our contract with you or to take steps at your request before entering into a contract.
  
  
• To comply with our legal and regulatory obligations
  
• For our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our customers about existing orders and new products
  
• Statutory returns
  
  Our reasons: To comply with our legal and regulatory obligations

• Ensuring safe working practices, staff administration and assessments
  
  Our reasons: To comply with our legal and regulatory obligations
  
  
• For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you

• Marketing our services to:

1. Existing and former customers
2. Third parties who have previously expressed an interest in our services
3. Third parties with whom we have had no previous dealings
   
   Our reasons: For our legitimate interests or those of a third party, i.e., to promote our business to existing and former customers

• Credit reference checks via external credit reference agencies
  
  Our reasons: For our legitimate interests or those of a third party, i.e., to ensure our customers are likely to be able to pay for our products and services

• External audits and quality checks, e.g., for ISO or Investors in People accreditation and the audit of our accounts
  
  Our reasons: For our legitimate interests or a those of a third party, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards
  
  
• To comply with our legal and regulatory obligations
  

For EEA Data Subjects: what has been outlined above does not apply to special category personal information, which we will only process with your explicit consent.

We may use your personal information to send you updates (by email, text message, telephone, or post) about our products AND/OR services, including exclusive offers, promotions or new products AND/OR services.

We have a legitimate interest in processing your personal information for promotional purposes (see above “How and why we use your personal information”). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

We will always treat your personal information with the utmost respect and never sell OR share it with other organizations outside the Bormioli Pharma Group for marketing purposes.

You have the right to opt out of receiving promotional communications at any time by:

• Contacting us at info@bormiolipharma.com
• Using the “unsubscribe” link in emails or “STOP” number in texts or
• Updating your marketing preferences on our web site: https://www.bormiolipharma.com/en/corporate/cookie-policy

We may ask you to confirm or update your marketing preferences if you instruct us to provide further products AND/OR services in the future, or if there are changes in the law, regulation, or the structure of our business.

We routinely share personal information with:

• Our affiliates, including companies within the Bormioli Pharma Group
• Service providers we use to help deliver our products and/or services to you, such as payment service providers, warehouses, suppliers, external consultants and delivery companies
• Other third parties we use to help us run our business, such as marketing agencies or website hosts
• Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers
• Credit reporting agencies
• Our insurers and brokers
• Our banks
• Public administrations
• Third party companies for the fulfilment of obligations relating to prevention, safety and hygiene at work and for safety and security purposeslawyers and law firms for matters relating to the drafting, modification, performance and termination of the contractual relationship

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers relating to ensure they can only use your personal information to provide services to us and to you. Where necessary we enter into dedicated Processor Agreements pursuant to and for the purposes of Article 28 of the GDPR. We may also share personal information with external auditors, e.g., in relation to ISO or the audit of our accounts.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations (e.g. Board of Auditors, Supervisory Body, auditors, etc).

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

We will not share your personal information with any other third party

In the preceding 12 months, we have shared the following categories of personal information:

• Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers)
• Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information
• Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
• Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding an individual’s interaction with an Internet Web site, application, or advertisement)
• Audio, electronic, visual or similar information
• Professional or employment-related information

We will keep your personal information while you have an account with us or while we are providing products AND/OR services to you. Thereafter, we will keep your personal information for as long as is necessary:

• To respond to any questions, complaints or claims made by you or on your behalf
• To show that we treated you fairly –or–
• To keep records required by law

We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information. Further details on this are available in our Data Retention policy.

When it is no longer necessary to retain your personal information, we will delete or anonymize it.

You have the right under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and data protection laws, as applicable, to exercise free of charge:

Disclosure of Personal Information We Collect About You

• You have the right to know, and request disclosure of:
• The categories of personal information we have collected about you, including sensitive personal information
• The categories of sources from which the personal information is collected
• The categories of third parties to whom we disclose personal information, if any –and–
• The specific pieces of personal information we have collected about you
• Please note that we are not required to:
• Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained
• Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information –or–
• Provide the personal information to you more than twice in a 12-month period

Disclosure of Personal Information Shared, or Disclosed for a Business Purpose

In connection with any personal information we may share, or disclose to a third party for a business purpose, you have the right to know:

• The categories of personal information about you that we shared and the categories of third parties to whom the personal information was shared –and–
• The categories of personal information that we disclosed about you for a business purpose and the categories of persons to whom the personal information was disclosed for a business purpose

You have the right to opt-out of the sale of your personal information or sharing of your personal information for the purpose of targeted behavioral advertising. If you exercise your right to opt-out of the sale or sharing of your personal information, we will refrain from selling or sharing your personal information, unless you subsequently provide express authorization for the sale or sharing of your personal information.

To opt-out of the sharing of your personal information, please contact the Company with your request to exercise your rights at info@bormiolipharma.com or privacy@bormiolipharma.com.

Right to Limit Use of Sensitive Personal Information

You have the right to limit the use and disclosure of your sensitive personal information to the use which is necessary to:

Perform the services or provide the goods reasonably expected by an average individual who requests those goods or services

To perform the following services: (1) Helping to ensure security and integrity to the extent the use of the individual's personal information is reasonably necessary and proportionate for these purposes; (2) Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of an individual's current interaction with the business, provided that the individual's personal information is not disclosed to another third party and is not used to build a profile about the individual or otherwise alter the individual's experience outside the current interaction with the business; (3) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business; and (4) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business –and–

As authorized by further regulations

You have a right to know if your sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes.

To limit the use of your sensitive personal information, please contact the Company with your request to exercise your rightsat info@bormiolipharma.com or privacy@bormiolipharma.com.

Right to Deletion

Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:

• Delete your personal information from our records –and–
• Direct third parties to whom the business has shared your personal information to delete your personal information unless this proves impossible or involves disproportionate effort

Please note that we may not delete your personal information if it is reasonably necessary to:

• Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us
• Help to ensure security and integrity to the extent the use of the individual's personal information is reasonably necessary and proportionate for those purposes
• Debug to identify and repair errors that impair existing intended functionality
• Exercise free speech, ensure the right of another individual to exercise his or her right of free speech, or exercise another right provided for by law
• Comply with the California Electronic Communications Privacy Act
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent
• Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us
• Comply with an existing legal obligation –or–
• Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information

Right of Correction

If we maintain inaccurate personal information about you, you have the right to request us to correct that inaccurate personal information. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate personal information.

Protection Against Retaliation

You have the right to not be retaliated against by us because you exercised any of your rights under the CCPA/CPRA. This means we cannot, among other things:

• Deny goods or services to you
• Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties
• Provide a different level or quality of goods or services to you –or–
• Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services

Right to Be Informed

The right to know or be notified about the collection and use of your personal information.

Right to Access

The right to be provided with a copy of your personal information (the right of access)

Right to Rectification

The right to require us to correct any mistakes in your personal information

Right to be Forgotten

The right to require us to delete your personal information—in certain situations

Right to Restriction of Processing

The right to require us to restrict processing of your personal information—in certain circumstances, e.g., if you contest the accuracy of the data

Right to Data Portability

The right to receive the personal information you provided to us, in a structured, commonly used, and machine-readable format and/or transmit that data to a third party—in certain situations

Right to Object

The right to object:

• At any time to your personal information being processed for direct marketing (including profiling)
• In certain other situations to our continued processing of your personal information, e.g., processing carried out for the purpose of our legitimate interests

Right Not to be Subject to Automated Individual Decision-Making

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

For further information on each of those rights, including the circumstances in which they apply, see the guidance from the Italian Data Protection Authority (Garante per la protezione dei dati personali) on individual rights under the EU General Data Protection Regulation.

If you would like to exercise any of your rights as described in this Privacy Policy, you can contact the Company with your request at privacy@bormiolipharma.com or write to us at One Liberty Place 36th Floor 1650 Market Street, 19103 Philadelphia PA.

• Please note that you may only make a CCPA/CPRA-related data access or data portability disclosure request twice within a 12-month period.
• If you choose to contact us directly by email/in writing, you will need to provide us with:

1. Enough information to identify you (e.g., your full name, address and customer or matter reference number)
2. Proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill) –and–
3. A description of what right you want to exercise and the information to which your request relates

• We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information or is someone authorized to act on such person's behalf.
• Any personal information we collect from you to verify your identity in connection with you request will be used solely for the purposes of verification.

Information may be held at our offices and those of our group companies, third party agencies, service providers, representatives and agents as described above (see above: “Who We Share Your Personal Information with”).

Some of these third parties may be based outside the European Economic Area. For more information, including on how we safeguard your personal information when this occurs, see below: “Transferring Your Personal Information Out of the EEA.”

Information may be held at our offices and those of our group companies, third party agencies, service providers, representatives and agents as described above (see above: “Who We Share Your Personal Information with”).

Some of these third parties may be based outside the European Economic Area. For more information, including on how we safeguard your personal information when this occurs, see below: “Transferring Your Personal Information Out of the EEA.”

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We hope that we can resolve any query or concern you raise about our use of your information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in the European Union (or European Economic Area) state where you work, normally live, or where any alleged infringement of data protection laws occurred.

This privacy notice was published on 23/01/2024 in its first release.

We may change this privacy notice from time to time–when we do, we will inform you via our website or other means of contact such as email.

Please contact us by post, email or telephone if you have any questions about this privacy policy or the information we hold about you.

Our contact details are shown below:

Our contact details

Bormioli Pharma United States Inc.

One Liberty Place 36th Floor 1650 Market Street, 19103 Philadelphia PA.

Our Chief Privacy Officer's contact details

Viale Giovanni Falcone n.48/A, 43122, Parma, Italy

privacy@bormiolipharma.com

Do You Need Extra Help?

If you would like this notice in another format (for example: audio, large print, braille) please contact us (see “How to contact us” above).