Bormioli Pharma S.p.A. is part of a large group of companies formed by Bormioli Pharma S.p.A. and its subsidiaries (the "bormioli pharma group") that operates in the world of pharmaceutical primary packaging manufacturing.

Bormioli Pharma S.p.A. (hereinafter also "controller" or "company")
registered office: Corso magenta no. 84 - 20123, Milan (mi)
operational/administrative headquarters: viale Giovanni Falcone n.48/a - 43122 Parma (pr), Italy
tel: 0521362620
email: privacy@bormiolipharma.com

subsidiaries that are part of the bormioli pharma group (hereinafter referred to as "subsidiaries"):

• Bormioli Pharma France SA, zae "les cadaux", 457 avenue pierre ottavioli -81370 saint-sulpice, france, rcs castres b 315 131 904 - tva fr 65 315 131 904
• Bormioli Pharma United States Inc, 1201 orange street, suite 600, Wilmington, New castle county - Delaware 19801, registration no.: 7232689
• Remy & Geiser GmbH, remy & geiser-street 1, 98553 schleusingen, vat. no.: de149510995, local court: jena hrb 514441
• Bormioli Pharma (Shanghai) trading co.,ltd.; room 312, 3/f, mayfair tower, no. 83 fumin road, 200040 jing'an district Shanghai - china

Pursuant to Art. 4(1) of the GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier, or to one or more characteristic features of his or her physical, physiological, genetic, mental, economic, cultural, or social identity. Personal data (hereinafter also only the "Data") are collected: on the occasion of your navigation on the Site; directly from you, for the case in which you decide to voluntarily confer them in order to contact Bormioli Pharma S.p.A. through the "Contact Us" form or for the further purposes specified below.

The Data processed by Bormioli Pharma S.p.A. for the purposes described below is information that users provide when they enter information within the website, such as when they provide contact details, respond to online questionnaires, feedback forms or job applications, or submit resumes. Specifically these are: browsing data, first name, last name, date and place of birth, photo (where attached to resume) gender, citizenship, address, vat number/tax code, telephone number, mobile number, e-mail address, username, educational qualification, professional qualification/role, company affiliation, cookies. Full details on each type of data collected are provided in the dedicated sections in this policy and/or through specific disclosures that can be viewed prior to data collection.

The Site's computer systems and the software procedures in charge of its operation acquire, during their normal operation, some Data the transmission of which is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by third parties, make it possible to identify the user/visitor of the Site. This category of data includes IP addresses or domain names of the terminals/devices used by users/visitors, addresses in URI/URL (Uniform Resource Identifier/Locator) notation of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user/visitor's operating system and computer environment. Browsing data are used in order to obtain anonymous statistical information on the use of the Site and to check its correct functioning, to allow - given the architecture of the systems used - the correct provision of the various functions requested, for security reasons and to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the Site and/or third parties. We also collect personal information about users' use of our website, including information captured by our cookies (see the dedicated Cookie Policy).

Through the Website, the user/visitor has the opportunity to voluntarily provide Data such as, for example, the first and last name and e-mail address to contact Bormioli Pharma S.p.A. and/or one of the Subsidiaries forming part of the Bormioli Pharma Group through the "Contact Us" form present in the "Contact Us" section of the Website, as better specified below; by interacting with Bormioli Pharma S.p.A. through the official page on social networks that the user consults, comments on or likes; to obtain login credentials and subsequently access the "Investor relations area" present in the "Investors" section of the Site for as better specified below; for participation in an event organized by Bormioli Pharma S.p.A.; to register in order to send an unsolicited application through the "Unsolicited application" form present in the "Work with us" section of the Site and/or to update any curriculum vitae already sent, subject to the provisions of the "Information regarding candidates" that can be consulted in the "Work with us" section of this Site and to which reference is made. Unless otherwise specified in the dedicated disclosures in each section, the processing of so-called special data as defined by Art. 9 of the GDPR (e.g., data related to health) or data related to minors is expressly excluded. Such categories of data, if shared by the User, will be deleted immediately. Bormioli Pharma S.p.A. will process the data voluntarily provided by the user/visitor assuming that they are referable to him/her or to third parties who have expressly authorized him/her to provide them on the basis of a suitable legal basis that legitimizes the processing of the data in question. In this sense, the user/visitor indemnifies Bormioli Pharma S.p.A. with respect to any dispute, claim, request for compensation for damages from processing, etc., that may be received by Bormioli Pharma S.p.A. from third parties whose personal data are conferred by the user/visitor.
Personal data voluntarily provided by the user/visitor as well as navigation data may be processed for the following purposes:

• To fulfill legal obligations to which Bormioli Pharma S.p.A. is subject;
• to establish, exercise or defend a right in court (for example, in the case of abuse in the use of the Site) or whenever judicial authorities exercise their functions;
• to ensure the operation of the Site, measure its traffic, and assess usability and interest, without prejudice to that stated in the " cookie POLICY";
• for the purposes indicated in the specific dedicated sections of this policy, to which reference is made. In such cases, processing will be carried out insofar as and to the extent that it results:
• necessary to fulfill a legal obligation to which the Data Controller is subject [Art. 6, par. 1(c) of the GDPR] in relation to the purposes mentioned in number 1);
• necessary for the pursuit of the legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail [Art. 6, par. 1(f) of the GDPR] in relation to the purposes set out in numbers 2 and 3, subject to the provisions of the " cookie POLICY".
• necessary for the additional reasons stated in the specific dedicated sections of this policy, to which reference is made.

Personal data voluntarily provided by the user/visitor as well as navigation data may be processed for the following purposes:

1. to fulfill legal obligations to which Bormioli Pharma S.p.A. is subject;
2. to ascertain, exercise or defend a right in a court of law (for example, in the case of abuse in the use of the Site) or whenever judicial authorities exercise their functions;
3. to ensure the operation of the Site, measure its traffic, and assess usability and interest, without prejudice to that stated in the "cookie policy";
4. for the purposes indicated in the specific dedicated sections of this policy, to which reference is made. In such cases, processing will be carried out insofar as and to the extent that it results:

The processing of personal data is carried out by the Data Controller insofar as and to the extent that it results as being:

• necessary to fulfill a legal obligation to which the Data Controller is subject [Art. 6, par. 1(c) of the GDPR] in relation to the purposes mentioned in number 1);
• necessary for the pursuit of the legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail [Art. 6, par. 1(f) of the GDPR] in relation to the purposes set out in numbers 2 and 3, subject to the provisions of the "cookie policy".
• necessary for the additional reasons stated in the specific dedicated sections of this policy, to which reference is made.

Through the "Contact Us" form present in the "Contact" section of the Website, the user/visitor may request information both of a general nature and relating to the services and/or products of Bormioli Pharma S.p.A. and/or related products of the Subsidiaries that are part of the Bormioli Pharma Group, also as they may be stored in the wishlist through which it is possible to save favorite products for the purpose of later viewing. Where affected by the request received from the user (e.g., for reasons of territorial jurisdiction and/or where it pertains to products and/or services provided by one of the Subsidiaries), the Controller will process the data only for the purpose of forwarding the contact request to the relevant Subsidiary, as requested by the user and in fulfillment of pre-contractual measures. In this regard, please note that Bormioli Pharma S.p.A.'s products are intended for businesses, as the Company does not make retail sales. Personal data provided by the user/visitor when filling out the aforementioned "Contact Us" form will be processed for the following purposes:

• to give feedback to any requests for information coming from the user/visitor about the products and services of Bormioli Pharma S.p.A. and/or other companies of the Bormioli Pharma Group, including the sending of any quotations also directly from the Subsidiary Company of the Bormioli Group that the user/visitor intended to contact;
• to carry out - via e-mail, paper mail, use of dedicated software/CRM and/or direct telephone contact - surveys and/or questionnaires intended to verify the level of satisfaction with respect to the activities, products and services of Bormioli Pharma S.p.A. and/or related products of the Subsidiaries that are part of the Bormioli Pharma Group;
• to send -by e-mail and/or paper mail and/or CRM system- informative messages and commercial, advertising and promotional communications relating to the activities, products and services of Bormioli Pharma S.p.A. and/or related products of the Subsidiaries that are part of the Bormioli Pharma Group, including newsletters and communications functional to participation in company events as well as carrying out market studies and statistical analysis and surveying the degree of customer satisfaction. The processing of personal data in question is carried out by the Controller insofar as and to the extent that:
• it is necessary for the performance of the contract to which the user/visitor is a party or for the performance of pre-contractual measures taken at the request of the same [Art. 6, par. 1(b) of the GDPR] in relation to the purpose of number 5);
• the user/visitor has given consent in accordance with Art. 130 of the Privacy Code and Art. 6, par. 1(a), and 7 of the GDPR for the purpose of number 6); - the user/visitor has given consent in accordance with Art. 130 of the Privacy Code and Art. 6, par. 1(a) and 7 of the GDPR for the purpose mentioned in number 7).

The Investor relations area, found in the "Investors" section of the Site, is dedicated to bondholders as well as to all potential investors who wish to learn more about Bormioli Pharma S.p.A. and keep up to date with regard to press releases, webcasts, reports, annual and quarterly presentations, the procedures the Company adopts in order to comply with its obligations under MAR regulations, as well as the performance of the bond issued. Access to the Investor relations area is in any case subject to prior verification - by Bormioli Pharma S.p.A. - of the ownership - by the person requesting it - of the requirements to qualify as a bondholder or potential investor. Personal data given by the user/visitor when filling out the aforementioned "Investor relations area" form will be processed for the following purposes:

• enable the user/visitor - who requests it and meets certain requirements (bondholder or potential investor) - to obtain access credentials to the "Investor relations area", to access it and to receive e-mails with which any updates to the content (reports) viewable in the aforementioned area and/or any newsletters will be reported. The processing of personal data in question is carried out by the Controller insofar as and to the extent that:
• it is necessary for the performance of the contract to which the user/visitor is a party or for the performance of pre-contractual measures taken at the request of the same [Art. 6, par. 1(b) of the GDPR] in relation to the purpose under 8).

Personal data collected through the submission of spontaneous applications through the "Spontaneous Application" form in the "Work with Us" section of the Site and/or as a result of the updating of resumes already submitted will be processed in accordance with the "Applicant Information" available in the "Work with Us" section of this Site, to which reference is made. Where affected by the application received from the user (e.g., for reasons of territorial competence and/or if it pertains to an open position published in the interest of one of the Subsidiaries), the Controller may share the application directly with the relevant Subsidiary, as also detailed above and as more fully described in the document "Information regarding candidates".

The Website includes social media buttons and third-party applications. Social media buttons are digital buttons i.e., direct links to Social Network platforms configured in each individual "button." With a click on such links you will have the opportunity to interact directly with the Data Controller's accounts (social pages) such as LinkedIn and You Tube.
The operators of the Social Networks to which the buttons refer are autonomous data controllers. In this regard, Bormioli Pharma specifies that no control is made over such websites and cannot be held responsible for their privacy policies. After leaving the Site, we encourage you to always read the privacy policy of each website you visit. We also encourage you to read the Linkedin Terms of Use and the You Tube Terms of Use.

The user/visitor is free to provide personal data in the dedicated areas of the Site. However, the provision of Data for the purposes set out in this policy - particularly those marked as "mandatory" in the relevant sections - is necessary in order to perfect the specific functions and take advantage of the services offered by the Data Controller, for example, to receive a response to the submitted request for information. Failure to provide personal data, therefore, may result in the inability to obtain the requested service and/or response. In this regard, it should be noted that under no circumstances will the failure to provide consent for the purposes set forth in numbers 6) and/or 7) affect the possibility of obtaining the requested service and/or response.

The personal data referred to in this notice may be processed by the employees and/or collaborators of the Data Controller (e.g., sales manager, buyers, chief financial officer, marketing department, etc.) in their capacity as individuals expressly authorized to process personal data referred to in this notice and possibly assigned specific tasks and functions related to the aforementioned processing (pursuant to Art. 2-quaterdecies of the Privacy Code), in each case appropriately instructed and made aware of the constraints imposed by current data protection regulations. The personal data in question may also be communicated to and processed by suppliers (e.g. external consultants in the context of assistance and consultancy relationships) that perform outsourcing activities on behalf of the Data Controller (including entities that provide services for the management of Bormioli Pharma S.p.A.'s information system and communication networks, including the related technical maintenance) and with whom it is necessary to interact for the provision of the services offered by the Site and, more generally, for the purposes described above, in their capacity as external data processors and with whom, when the conditions are met, the Data Controller has entered into special data processor agreements pursuant to and in accordance with Art. 28 of the GDPR.
The data in question may also be disclosed:

• to the competent authorities in fulfillment of obligations to which the Data Controller is bound;
• to legal advisors/lawyers, accountants, specialized outside firms, etc. for the purpose of studying and resolving any legal problems related to the existing contract position;
• to commercial information companies for the assessment of solvency and payment habits and, more generally, to parties who, for the above purposes, must provide services requested by the Data Controller;
• marketing companies that support the Controller in carrying out surveys and/or questionnaires intended to verify the level of satisfaction with respect to Bormioli Pharma S.p.A.'s activities, products and services and/or in advertising and promotional activities;
• with the Subsidiaries that are part of the Bormioli Pharma Group to which the Controller belongs in their capacity as External Managers and/or Independent Controllers depending on the processing activities involved;
• to supervisory bodies, law enforcement agencies or the judiciary and, more generally, to those entitled to access them under the regulations in force from time to time.

By contacting the Company via e-mail at privacy@bormiolipharma.com and/or by contacting the Chief Privacy Officer ("CPO") - Dr. Viola Rosadi -, subject to the limitations set forth in Art. 2-undecies of the Privacy Code, the user/visitor may ask the Controller to:

• access personal data concerning him or her, to obtain the information referred to in Art. 15 of the GDPR and to receive copies of the personal data being processed (right of access);
• to obtain the rectification of inaccurate personal data concerning him/her without undue delay pursuant to Art. 16 of the GDPR(right of rectification);
• to obtain the deletion of personal data concerning him/her without undue delay where the conditions of Art. 17 of the GDPR (right to erasure);
• to obtain the restriction of processing when any of the conditions and prerequisites set forth in Art. 18 of the GDPR (right to restrict processing);
• to notify each of the recipients to whom his or her personal data have been transmitted of any rectification or erasure or restriction of processing carried out pursuant to Articles 16, 17 para. 1, and 18, unless it proves impossible or involves disproportionate effort. The Data Controller is obliged to notify these recipients to the user/visitor if they request it (right of notification in case of rectification or erasure of personal data or restriction of processing);
• insofar as the processing is carried out by automated means and based on the contract with Bormioli Pharma S.p.A., to receive in a structured, commonly used and machine-readable format the personal data concerning him/her and to transmit such data to another data controller without hindrance by Bormioli Pharma S.p.A. (right to data portability);
• to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Art. 6, par. 1(f) of the GDPR(right to object). In this case, Bormioli Pharma S.p.A. will refrain from further processing your personal data, unless the user/visitor demonstrates the existence of compelling lawful grounds for processing that override your interests, rights and freedoms or for the establishment, exercise or defense of a legal claim.

In relation to Data processing based on any consent given by the user/visitor, the user/visitor also has the right to revoke consent at any time, without affecting the lawfulness of the processing based on the consent given prior to revocation.

The user/visitor also has the right to file a complaint with the Supervisory Authority (Data Protection Authority) under Art. 77 of the GDPR and Art. 140-bis et seq. of the Privacy Code.

It should also be noted that - prior to the processing of requests - the Companies may carry out a verification of the identity of the interested party, in order to assess the legitimacy of the request received.

The processing of personal data referred to in this notice takes place using both electronic and manual means and tools and, in any case, after taking the appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk. The personal data of the data subject may be processed by employees of the corporate functions of the Companies deputed to the pursuit of the above purposes. These employees have been expressly authorized for processing data and have received appropriate operating instructions pursuant to Art. 29 GDPR.
The Data Controller also processes the personal data of contacts (former customers, existing and potential customers and people in some way connected to these customers and other business contacts) by means of our CRM systems. These CRM systems support the sales and marketing operations of the Bormioli Pharma Group.
In CRM systems, Bormioli Pharma processes the following categories of personal data for the following purposes:

• Name, job title, business email address, phone and fax numbers;
• Name of the employing company or organization with which the person is associated;
• Management and filing of business and marketing preferences;
• History of the existing business relationship;
• Replies to invitations and confirmations to attend events;

The legal basis for processing personal data of business contacts is:

• The explicit consent of the data subject in the case of marketing activities
• the legitimate interest of the Data Controller to process business information and manage the relationship with business contacts and to provide information on the services offered by Bormioli Pharma Group.

As a rule, the Controller does not transfer personal data referred to in this notice to third countries or international organizations, unless it is required to do so by provisions of law, regulations or European legislation. In the event that such a transfer is to take place, it will be carried out in compliance with the provisions of Chapter V of the GDPR and in strict compliance with the standards of confidentiality and security set forth in the applicable data protection laws.However, as part of the management of the business relationship and/or in order to respond to the request received from the user, personal data may be forwarded and processed by personnel belonging to Subsidiaries that are part of the Bormioli Pharma Group located in third countries, including through access to databases shared and/or managed with such Companies that are part of the Bormioli Pharma Group.

Bormioli Pharma S.p.A. retains the personal data referred to in this statement for a period of time not exceeding the achievement of the purposes for which they are processed or will be subsequently processed in accordance with legal obligations. In general terms, this means that personal data will be retained for the duration of the relationship plus the duration of any applicable statutory limitation period under local laws.

In some circumstances, it may be necessary to retain data for a longer period of time, such as in the case of an ongoing correspondence or complaint or investigation.

It is possible that this Privacy Policy may change over time and we therefore encourage you to consult this page periodically. For this purpose, the disclosure highlights the date of update. Date Last Modified 1.06.2022.

Bormioli Pharma S.p.A. (hereinafter "Controller" or "Company") registered office: Corso Magenta no. 84 - 20123, Milan (MI) operational/administrative headquarters: viale Giovanni Falcone n.48/A - 43122 Parma (PR), Italy T +39 0521 362620 Email : privacy@bormiolipharma.com

Personal data are collected:

• directly from you (e.g., at trade shows and corporate events);
• from public access sources (e.g., documents published in chamber of commerce, customer/supplier website, etc.);
• from SIC (credit information systems) and companies providing business information service.

The personal data processed by Bormioli Pharma S.p.A. for the purposes described below are only common personal data, such as: first name, last name, date and place of birth, company name, place of residence, telephone number, tax code, e-mail address, company of affiliation, tax code, VAT number, bank and payment references, business information, credit information, etc. related to the customer/supplier and/or operational references (collaborators, employees, etc.) of the existing and/or potential customer/supplier, acquired and used within the framework of the management of pre-contractual/contractual business relations with the customer/supplier.
In fact, in the course of the aforementioned relationships, each of the parties may find itself in the condition of having to process personal data referring to employees and/or collaborators of the other party (e.g., the personal data of the legal representative of the client who signs the contract in the name and on behalf of the latter), in which case each party hereby undertakes to proceed to process such personal data in accordance with the provisions set forth in the data protection legislation applicable from time to time.

Personal data will be processed for the following purposes:

1. to acquire information useful for the activation or continuation of relations with Bormioli Pharma S.p.A. as well as to enable an effective management of financial and commercial relationships (such as solvency and/or reliability verification preparatory to the establishment of the contractual and/or commercial relationship);
2. to respond to operational and managerial needs internal to Bormioli Pharma S.p.A., more generally, to the companies of the Bormioli Pharma Group and inherent to the service provided to the customer/supplier (such as registration, management and/or updating of personal and/or contact information, receipt, management and processing of orders, sending of communications pertaining to the contractual and/or commercial relationship and replies to requests from the data subject, internal reporting related to the contractual and/or commercial relationship, logistics activities, delivery and receipt of goods);
3. Research and development activities, event management, including invitations to participate in trade shows and corporate events as well as to conduct internal analysis and research to help us improve service;
4. Research and development activities, event management, including invitations to participate in trade shows and corporate events as well as to conduct internal analysis and research to help us improve service;
5. to ascertain, exercise or defend a right of the Data Controller(e.g. to protect any credit positions) and/or defend against claims of others, in or out of court, prevent any fraud.

The processing of personal data is carried out by the Data Controller insofar as and to the extent that it results as being:

• necessary for the performance of the contract to which the customer/supplier is a party or the performance of pre-contractual measures taken at its request [Art. 6, par. 1(b) of the GDPR] for the purposes of (1), (2) and (3), (4);
• necessary to fulfill a legal obligation to which the Data Controller is subject [Art. 6, par. 1(c) of the GDPR] in relation to the purposes mentioned in number 4);
• necessary for the pursuit of the legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail [Art. 6, par. 1(f) of the GDPR] in relation to the purposes set out in (1), (2), (3) and (5).

The provision of the data referred to in this notice is necessary in relation to the purposes set out in 1), 2) 3) and 4). Therefore, failure to provide such data, could result in the inability of the Data Controller to follow up on the relationship being established or established.

The personal data referred to in this statement may be processed by the employees and/or collaborators of the Data Controller and/or Subsidiaries that are part of the Bormioli Pharma Group (e.g., sales manager, buyers, customer care staff, etc.) in their capacity as individuals expressly authorized to process the personal data referred to in this statement and possibly attributed with specific tasks and functions related to the aforementioned processing (pursuant to Art. 2-quaterdecies of the Privacy Code), in each case appropriately instructed and made aware of the constraints imposed by current data protection regulations.

The personal data in question may also be communicated to and processed by Group companies and suppliers (e.g., external consultants in charge of processing operations and/or consulting for tax withholding agents, etc.) who perform outsourcing activities on behalf of the Data Controller, in their capacity as external data processors and with whom, when the conditions are met, the Data Controller has entered into special Data Processor Agreements pursuant to Art. 28 of the GDPR.
The data in question may also be communicated:

• to the competent authorities in fulfillment of obligations to which the Data Controller is bound;
• to credit institutions, Insurance Companies, business information companies and similar entities in connection with the performance of contractual or pre-contractual obligations;
• to legal advisors/lawyers, accountants, specialized outside firms, etc. for the purpose of studying and resolving any legal problems related to the existing contractual position therein including debt collection activities;
• to companies that collaborate with the Data Controller in order to provide the requested service or sell/recapture the purchased product (e.g., resellers, transporters, etc.) and, more generally, to parties that, for the purposes stated above, must provide services to the Data Controller;
• with the Subsidiaries that are part of the Bormioli Pharma Group to which the Controller belongs in their capacity as External Managers and/or Autonomous Data Controllers depending on the processing activities involved;
• to supervisory bodies, law enforcement agencies or the judiciary and, more generally, to parties entitled to access them under the regulations in force from time to time.

Contacting the Company by e-mail at privacy@bormiolipharma.com and/or contacting the Chief Privacy Officer ("CPO"), subject to the limitations set forth in Art. 2-undecies of the Privacy Code, you may ask the Controller to:

• access personal data concerning you, to obtain the information referred to in Art. 15 of the GDPR and to receive copies of the personal data being processed (right of access);
• obtain the rectification of inaccurate personal data concerning you without undue delay pursuant to Art. 16 of the GDPR (right to rectification); to obtain the deletion of personal data concerning you without undue delay where the conditions of Art. 17 of the GDPR (right to erasure);
• obtain the restriction of processing when any of the conditions and prerequisites apply, as set forth in Art. 18 of the GDPR (right to restrict processing);
• notify each of the recipients to whom your personal data have been transmitted of any rectification or erasure or restriction of processing carried out pursuant to Articles 16, 17, par. 1, and 18, unless it proves impossible or involves disproportionate effort. The Data Controller is obliged to notify you of these recipients if you so request (right to notification in case of rectification or erasure of personal data or restriction of processing);
• insofar as the processing is carried out by automated means and based on the contract with Bormioli Pharma S.p.A., to receive in a structured, commonly used and machine-readable format, personal data concerning you and to transmit such data to another data controller without hindrance from Bormioli Pharma S.p.A. (right to data portability);
• object at any time, for reasons related to your particular situation, to the processing of personal data concerning you in accordance with Art. 6, par. 1(f) of the GDPR (right to object). In this case, Bormioli Pharma S.p.A. will refrain from further processing your personal data, unless it demonstrates the existence of compelling lawful grounds for processing that override your interests, rights and freedoms or for the establishment, exercise or defense of a legal claim.
• You also have the right to file a complaint with the Supervisory Authority (Data Protection Authority) under Art. 77 of the GDPR and Art. 140-bis et seq. of the Privacy Code. It should also be noted that - prior to the processing of requests - the Company may carry out a verification of the identity of the data subject, in order to assess the legitimacy of the request received.

• The processing of your personal data takes place by means of paper, computer or telematic tools and, in any case, after taking the appropriate technical and organizational measures to ensure a level of security of your personal data adequate to the risk. Personal data may be processed by employees of the corporate functions of the Companies deputed to the pursuit of the above purposes. These employees have been expressly authorized for processing data and have received appropriate operating instructions pursuant to Art. 29 GDPR. The Data Controller also processes the personal data of contacts (former customers, existing and potential customers and people in some way connected to these customers and other business contacts) by means of our CRM systems. These CRM systems support the sales and marketing operations of the Bormioli Pharma Group. In CRM systems, Bormioli Pharma processes the following categories of personal data for the following purposes:
• Name, job title, mailing address, company email address, telephone and fax numbers;
• Name of the employing company or organization with which the person is associated;
• Management and archiving of sales and marketing preferences;
• History of existing business relationship;
• Replies to invitations and confirmations to attend events.

The legal basis for processing personal data of business contacts is:

• The explicit consent of the data subject in case of use for marketing purposes,The legitimate interest of the Data Controller to process business information and manage the relationship with business contacts and to provide information on services/products offered by Bormioli Pharma Group.

As a rule, the Controller does not transfer personal data referred to in this notice to third countries or international organizations, unless it is required to do so by provisions of law, regulations or European legislation. In the event that such a transfer must take place, it will be carried out in compliance with the provisions of Chapter V of the GDPR. However, as part of the management of the business relationship and/or in order to respond to the request received from the client/supplier, personal data may be forwarded and processed by personnel belonging to Companies that are part of the Bormioli Pharma Group located in third countries, including through access to databases shared and/or managed with such Companies that are part of the Bormioli Pharma Group.

Bormioli Pharma S.p.A. retains the personal data referred to in this statement for a period of time not exceeding the achievement of the purposes for which they are processed. In particular:

• personal data functional for the fulfillment of legal and/or contractual obligations placed on the Data Controller will be retained for the duration of the contractual relationship and for a maximum period of 10 years thereafter (Art. 2220 and 2946 Civil Code; art. 22, paragraph 2, Presidential Decree no. 600/1973; etc.), except in the case of judicial litigation in the presence of which the retention of the data is allowed in any case for the entire duration of the same, until the expiration of the time limits for the admissibility of appeal actions;
• personal data functional to the fulfillment of operational and management requirements internal to Bormioli Pharma S.p.A. and inherent to the service/performance provided to the customer/supplier will be retained for the duration of the commercial and/or contractual relationship and for the maximum period of 5 years thereafter.

Bormioli Pharma France SA (hereinafter referred to as the “DATA CONTROLLER” OR THE “COMPANY”) registered offices: ZAE Les Cadaux – 457, Av. Pierre Ottavioli – 81370 Saint Sulpice – France, identifiée sous le numéro 315131904 RCS Castres. T +33 (0)5.63.41.11.40

We process personal data received from you through our business relationship.
We also, where necessary in providing our services, process personal data that we have obtained by authorised means from other companies or from third parties (e.g.for the purpose of fulfilling orders or contracts or on the basis of your consent).
We also process personal data that we have obtained:

• directly from you (e.g. at trade shows and corporate events);
• from sources accessible to the public (e.g. documents published in chambers of commerce, existing or potential client/supplier website);
• from credit information systems and companies that provide business information services.

The personal data processed by BORMIOLI PHARMA FRANCE SA for the purposes described below consist exclusively of common personal data, such as:

• forename, surname, date and place of birth, company name, place of residence, phone number, tax ID, email address, parent company, tax code, VAT no. and business information;

information relating to existing or potential clients/suppliers and/or to operational contacts (e.g. workers, employees, legal representatives) of the client/supplier in question, acquired and used for the purposes of the establishment and/or in the context of the management of commercial and/or precontractual/contractual relations with said client/supplier (e.g. business correspondence).
During the course of the aforementioned relations, each of the parties may find itself in a position in which it has to process personal data relating to employees and/or workers of the other party (e.g. the personal details of the client’s legal representative, who signs the contract in the name and on behalf of the client), in which case each party undertakes from now on to process said personal data in accordance with the provisions of the data protection regulations applicable from time to time. The business relationship exists between BORMIOLI PHARMA FRANCE SA and the Company for which you works.

The personal data shall be processed for the following purposes:

1. to acquire information that may be useful for the activation or continuation of relations/cooperation with Bormioli Pharma France SA e.g. to obtain information of a technical or commercial nature or that may be informative in general; preparation of the offer, the fulfilment of the contracts, checks on solvency and/or reliability in preparation for the establishment of contractual and/or commercial relations);
2. to meet operational and managerial needs within Bormioli Pharma France SA and relating to the service provided to the client/by the supplier (e.g. registration, management and/or updating of personal and/or contact information; receipt, management and handling of orders; sending of communications pertaining to contractual and/or commercial relations; logistics activities; delivery and receipt of goods);
3. to honour precontractual, contractual and legal obligations (of an administrative, accounting or fiscal nature), and to comply with provisions issued by competent authorities and/or supervisory and control bodies;
4. to assert, exercise or defend a right of the Data Controller (e.g. in protection of creditor positions) and/or in order for the Data Controller to defend itself against third-party claims, in judicial or extra-judicial proceedings, and to prevent possible fraud.

The personal data processing shall be carried out by the Data Controller insofar as and to the extent that:

• it is necessary for the execution of the contract to which the client/supplier is a party or for the execution of precontractual measures adopted at the latter’s request [Article 6, paragraph 1, letter b), of the GDPR] for the purposes set out under points 1), 2) and 3);
• it is necessary for compliance with a legal obligation to which the Data Controller is subject [Article 6, paragraph 1, letter c), of the GDPR] in relation to the purposes set out under point 3);
• it is necessary for the pursuit of the legitimate interest of the Data Controller or of third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring data protection prevail [Article 6, paragraph 1, letter f), of the GDPR] in relation to the purposes set out under points 2) and 4).

In the context of our business relationship, the only personal data you have to provide are those needed to establish, carry out and terminate a business relationship, or those which we are legally required to collect. The provision of the data referred to in this privacy policy is necessary in relation to the purposes set out under points 1), 2), 3), and 4). Therefore, failure to provide said data could make it impossible for the Data Controller to pursue the relations established or being established.

The personal data referred to in this privacy policy may be processed by the employees and/or workers of the Data Controller and of the Group companies, in particular of Bormioli Pharma S.p.a. (e.g. sales manager, buyers, customer care agents, marketing department) in their capacity as individuals expressly authorised to process personal data pursuant to this privacy policy and possibly allocated specific duties and functions connected with the aforementioned processing and in any case suitably trained and informed of the obligations imposed by the regulations in force on personal data protection.
The personal data in question may also be communicated and processed by suppliers (e.g. external consultants tasked with processing and/or consultancy operations for withholding agents) performing outsourced activities on behalf of the Data Controller, in their capacity as external data processors, and with which, provided the conditions are met, the Data Controller has entered into dedicated Data Processor Agreements pursuant to and for the purposes of Article 28 of the GDPR.
The data in question may also be communicated:

• to the competent authorities in fulfilment of the obligations to which the Data Controller is bound;
• to legal consultants/lawyers, accountants, specialist external firms, etc. for the investigation and resolution of any legal problems relating to the contractual position in place, including credit recovery activities;
• to credit institutions, insurance companies, business information companies, credit information systems and similar bodies in relation to the execution of contractual or precontractual obligations;
• to Group companies and/or companies that collaborate with the Data Controller to provide the service requested or to sell/deliver the product purchased (e.g. sorters, transporters) and, more generally, to persons who, for the aforementioned purposes, must provide services to the Data Controller;
• other companies in the Bormioli Pharma Group, including subsidiaries and associates to which the Controller belongs;
• other companies to which we transfer personal data in the context of, or in pursuit of, the business relationship with you (depending on the nature of the contract, this may also include credit agencies, banks, loan insurance agencies and business partners);
• to control bodies, forces of law and order and, more generally, persons authorised to access the data pursuant to the regulations in force from time to time.

By contacting the Company by email: privacy@bormiolipharma.com you can ask the Data Controller to:

• access personal data concerning you, obtain information pursuant to Article 15 of the GDPR and receive a copy of the personal data subject to processing (right of access);
• obtain the rectification of inaccurate personal data concerning you without undue delay, pursuant to Article 16 of the GDPR (right to rectification);
• obtain the erasure of personal data concerning you without undue delay, provided that the conditions set out pursuant to Article 17 of the GDPR are met (right to erasure);
• obtain the restriction of processing where one of the prerequisites of Article 18 of the GDPR is met and under the conditions set out under said Article (right to restrict processing);
• inform each of the recipients to whom your personal data are transmitted of any rectifications or erasures or restrictions of the processing carried out pursuant to Articles 16, 17, paragraph 1, and 18, unless this is impossible or involves a disproportionate effort. The Data Controller is required to communicate these recipients to you should you request this (right to notification in the event of rectification or erasure of the personal data or restriction of processing);
• within the limits in which the processing is carried out, using automated means and based on the contract with Bormioli Pharma France Sa receive, in a structured format that is commonly used and readable by an automatic device, the personal data concerning you and transmit said data to another data controller without impediments from Bormioli Pharma France SA (right to data portability);
• object, on grounds relating to your particular situation, at any time to processing of personal data concerning you pursuant to Article 6, paragraph 1, letter f), of the GDPR (right to object). In this case, Bormioli Pharma France SA shall refrain from further processing of your personal data, unless it can prove the existence of compulsory, legitimate grounds for performing the processing that prevail over your interests, rights and freedoms, or it processes the data for the purposes of asserting, exercising or defending a right in judicial proceedings.

You also have the right to submit a complaint to the competent control body (la Commission Nationale de l’Informatique et des Libertés -CNIL)(www.cnil.fr) pursuant to Article 77 of the GDPR, which can be contacted at the address:

3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
France
Tel: +33 (0)1.53.73.22.22

• object, on grounds relating to your particular situation, at any time to processing of personal data concerning you pursuant to Article 6, paragraph 1, letter f), of the GDPR (right to object). In this case, Bormioli Pharma France SA shall refrain from further processing of your personal data, unless it can prove the existence of compulsory, legitimate grounds for performing the processing that prevail over your interests, rights and freedoms, or it processes the data for the purposes of asserting, exercising or defending a right in judicial proceedings.

You also have the right to submit a complaint to the competent control body (la Commission Nationale de l’Informatique et des Libertés -CNIL)(www.cnil.fr) pursuant to Article 77 of the GDPR, which can be contacted at the address:

3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
France

Tel: +33 (0)1.53.73.22.22

The processing of your personal data shall take place using paper, digital or electronic means and, in any case, subject to the adoption of adequate technical and organisational measures to guarantee a level of security for your personal data that is adequate to the risk.

Bormioli Pharma France SA shall store the personal data referred to in this privacy policy for a period of time not greater than that required to achieve the purposes for which the data are processed. In particular your data is kept as long as it is needed for the above descripted purposes in compliance with the legally required retention period of tax law, commercial law and civil law.
Where necessary, Bormioli Pharma France SA process and store your personal data for the duration of our business relationship, which may also include the initiation and execution of a contract, and fulfilment of the purposes of the contract.
Additionally, Bormioli Pharma France SA is subject to various obligations relating to conservation and documentation, for instance under the French Civil Code (art.2224). The time limits they set for storage or documentation are ten years.

Remy & Geiser GMBH, company number DE149510995 whose registered office is at Remy & Geiser-Straße 1, 98553 Schleusingen, Germany, Fon: +49 (0) 36841 3380, E-Mail: privacy.remygeiser@bormiolipharma.com

We have appointed a qualified and reliable external Data Protection Officer. If you have any questions regarding the processing of personal data you can contact the DPO who is available in the case of any requests of information, general requests or complaints:
E-MAIL: privacy.remygeiser@bormiolipharma.com

We process personal data received from you through our business relationship.

We also, where necessary in providing our services, process personal data that we have obtained by authorised means from other companies or from third parties (e.g.for the purpose of fulfilling orders or contracts or on the basis of your consent.).

We also process personal data that we have obtained:

• directly from you (e.g. at trade shows and corporate events);
• from sources accessible to the public (e.g. documents published in chambers of commerce, existing or potential client/supplier website);
• from credit information systems and companies that provide business information services.

The personal data processed by Remy & Geiser Gmbh. for the purposes described below consist exclusively of common personal data, such as:

• forename, surname, date and place of birth, company name, place of residence, phone number, tax ID, email address, parent company, tax code, VAT no. and business information;

information relating to existing or potential clients/suppliers and/or to operational contacts (e.g. workers, employees, legal representatives) of the client/supplier in question, acquired and used for the purposes of the establishment and/or in the context of the management of commercial and/or precontractual/contractual relations with said client/supplier ( e.g. business correspondence).

During the course of the aforementioned relations, each of the parties may find itself in a position in which it has to process personal data relating to employees and/or workers of the other party (e.g. the personal details of the client’s legal representative, who signs the contract in the name and on behalf of the client), in which case each party undertakes from now on to process said personal data in accordance with the provisions of the data protection regulations applicable from time to time. The business relationship exists between Remy & Geiser Gmbh and the Company for which you works.

The personal data shall be processed for the following purposes:

1. to acquire information that may be useful for the activation or continuation of relations/cooperation with Remy & Geiser Gmbh (e.g. to obtain information of a technical or commercial nature or that may be informative in general; preparation of the offer, the fulfilment of the contracts, checks on solvency and/or reliability in preparation for the establishment of contractual and/or commercial relations);
2. to meet operational and managerial needs within Remy & Geiser Gmbh and relating to the service provided to the client/by the supplier (e.g. registration, management and/or updating of personal and/or contact information; receipt, management and handling of orders; sending of communications pertaining to contractual and/or commercial relations; logistics activities; delivery and receipt of goods);
3. to honour precontractual, contractual and legal obligations (of an administrative, accounting or fiscal nature), and to comply with provisions issued by competent authorities and/or supervisory and control bodies;
4. to assert, exercise or defend a right of the Data Controller (e.g. in protection of creditor positions) and/or in order for the Data Controller to defend itself against third-party claims, in judicial or extra-judicial proceedings, and to prevent possible fraud.

The personal data processing shall be carried out by the Data Controller insofar as and to the extent that:

• it is necessary for the execution of the contract to which the client/supplier is a party or for the execution of precontractual measures adopted at the latter’s request [Article 6, paragraph 1, letter b), of the GDPR] for the purposes set out under points 1), 2) and 3);
• it is necessary for compliance with a legal obligation to which the Data Controller is subject [Article 6, paragraph 1, letter c), of the GDPR] in relation to the purposes set out under point 3);
• it is necessary for the pursuit of the legitimate interest of the Data Controller or of third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring data protection prevail [Article 6, paragraph 1, letter f), of the GDPR] in relation to the purposes set out under points 2) and 4).

In the context of our business relationship, the only personal data you have to provide are those needed to establish, carry out and terminate a business relationship, or those which we are legally required to collect. The provision of the data referred to in this privacy policy is necessary in relation to the purposes set out under points 1), 2), 3), and 4). Therefore, failure to provide said data could make it impossible for the Data Controller to pursue the relations established or being established.

The personal data referred to in this privacy policy may be processed by the employees and/or workers of the Data Controller and of the Group companies, in particular of Bormioli Pharma S.p.a. (e.g. sales manager, buyers, customer care agents, marketing department) in their capacity as individuals expressly authorised to process personal data pursuant to this privacy policy and possibly allocated specific duties and functions connected with the aforementioned processing and in any case suitably trained and informed of the obligations imposed by the regulations in force on personal data protection.

The personal data in question may also be communicated and processed by suppliers (e.g. external consultants tasked with processing and/or consultancy operations for withholding agents) performing outsourced activities on behalf of the Data Controller, in their capacity as external data processors, and with which, provided the conditions are met, the Data Controller has entered into dedicated Data Processor Agreements pursuant to and for the purposes of Article 28 of the GDPR.

The data in question may also be communicated:

• to the competent authorities in fulfilment of the obligations to which the Data Controller is bound;
• to legal consultants/lawyers, accountants, specialist external firms, etc. for the investigation and resolution of any legal problems relating to the contractual position in place, including credit recovery activities;
• to credit institutions, insurance companies, business information companies, credit information systems and similar bodies in relation to the execution of contractual or precontractual obligations;
• to Group companies and/or companies that collaborate with the Data Controller to provide the service requested or to sell/deliver the product purchased (e.g. sorters, transporters) and, more generally, to persons who, for the aforementioned purposes, must provide services to the Data Controller;
• other companies in the Bormioli Pharma Group, including subsidiaries and associates to which the Controller belongs;
• other companies to which we transfer personal data in the context of, or in pursuit of, the business relationship with you (depending on the nature of the contract, this may also include credit agencies, banks, loan insurance agencies and business partners);
• to control bodies, forces of law and order and, more generally, persons authorised to access the data pursuant to the regulations in force from time to time.

By contacting the Company and/or by contacting the Data Protection Officer (“DPO”), by email: privacy.remygeiser@bormiolipharma.com , you can ask the Data Controller to:

• access personal data concerning you, obtain information pursuant to Article 15 of the GDPR and receive a copy of the personal data subject to processing (right of access);
• obtain the rectification of inaccurate personal data concerning you without undue delay, pursuant to Article 16 of the GDPR (right to rectification);
• obtain the erasure of personal data concerning you without undue delay, provided that the conditions set out pursuant to Article 17 of the GDPR are met (right to erasure);
• obtain the restriction of processing where one of the prerequisites of Article 18 of the GDPR is met and under the conditions set out under said Article (right to restrict processing);
• inform each of the recipients to whom your personal data are transmitted of any rectifications or erasures or restrictions of the processing carried out pursuant to Articles 16, 17, paragraph 1, and 18, unless this is impossible or involves a disproportionate effort. The Data Controller is required to communicate these recipients to you should you request this (right to notification in the event of rectification or erasure of the personal data or restriction of processing);
• within the limits in which the processing is carried out, using automated means and based on the contract with Remy & Geiser Gmbh., receive, in a structured format that is commonly used and readable by an automatic device, the personal data concerning you and transmit said data to another data controller without impediments from Remy & Geiser Gmbh (right to data portability);
• object, on grounds relating to your particular situation, at any time to processing of personal data concerning you pursuant to Article 6, paragraph 1, letter f), of the GDPR (right to object). In this case, Remy & Geiser Gmbh. shall refrain from further processing of your personal data, unless it can prove the existence of compulsory, legitimate grounds for performing the processing that prevail over your interests, rights and freedoms, or it processes the data for the purposes of asserting, exercising or defending a right in judicial proceedings.

The right of access and the right to erasure are subject to the restrictions set out in Artt. 34 and 35 of the BDSG.

You also have the right to submit a complaint to the competent control body Federal Commissioner for Data Protection and Freedom of Information – “BFDI”) pursuant to Article 77 of the GDPR in conjunction with Art. 19 BDSG and Chapter 3, Sect. 60-61 of the BDSG, which can be contacted at the address

Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit, Postfach 900455
99107 Erfurt (Thüringer Data Protection Commissioner)
Tel.: +49 (361) 57-3112900
Mail: poststelle@datenschutz.thueringen.de

The processing of your personal data shall take place using paper, digital or electronic means and, in any case, subject to the adoption of adequate technical and organisational measures to guarantee a level of security for your personal data that is adequate to the risk.

As a rule, the Data Controller shall not transfer the personal data referred to in this privacy policy to third countries or international organisations, unless it is necessary to carry out your instructions or is required to do so pursuant to provisions of law, regulations or European legislation. In the event that such a transfer must take place, it shall be carried out in accordance with the provisions of Chapter V of the GDPR.

Remy & Geiser Gmbh shall store the personal data referred to in this privacy policy for a period of time not greater than that required to achieve the purposes for which the data are processed. In particular your data is kept as long as it is needed for the above descripted purposes in compliance with the legally required retention period of tax law, commercial law and civil law.

Where necessary, Remy & Geiser Gmbh process and store your personal data for the duration of our business relationship, which may also include the initiation and execution of a contract, and fulfilment of the purposes of the contract.

Additionally, Remy & Geiser Gmbh is subject to various obligations relating to conservation and documentation, for instance under the German Commercial Code (Handelsgesetzbuch, HGB)1 and the German Tax Code (Abgabenordnung, AO)2. The time limits they set for storage or documentation are two to ten years.

Finally, the duration of storage is also determined by the statutory limitation periods, normally lasting for three years according to Artt. 195 ff. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), for example, but in certain cases for up to thirty years.