CelltrionHealthcare

Last Updated: December 31, 2020

This Privacy Notice is for healthcare professionals, customer/prospective customers, suppliers, and service providers, including representatives or contact persons of legal entities. This Privacy Notice is provided by Celltrion Healthcare Co., Ltd. (hereinafter "Celltrion Healthcare" or "we") and its subsidiaries/branches to explain who we are, how we collect, share and use personal data about you, as well as how you can exercise your privacy rights. If you have any questions or concerns about our use of your personal data, or would like to exercise any of your rights — including, but not limited to, objecting to the processing of your personal data in the methods that we describe here — then please contact us using the details provided at the end of this Privacy Notice. Celltrion Healthcare does its best to protect your privacy rights.

Celltrion Healthcare is a global pharmaceutical company, whose ultimate parent company is headquartered in Incheon, Republic of Korea (South). For more information about us, please visit our website at https://www.celltrionhealthcare.com

"Personal Data" may refer to any data that identifies one as an individual or relates to an identifiable individual.

If you are a Healthcare Professional ("HCP"), we may request additional Personal Data.

* HCP refers to any member of the medical, dental, pharmacy or nursing professions or any other person who, in the course of his or her professional activities, may prescribe, purchase, supply, or administer a medicinal product.

Personal Data that we may request includes:

• General information (such as name, gender, date of birth, nationality)

• Identification information (such as ID card, SSN, passport numbers)

• Contact details (such as postal address, telephone numbers, email addresses)

• Function (such as title, position, company name)

• Financial information

If you are an HCP, we may also request additional data related to our professional interaction with you such as:

• Professional biography/credentials;

• Data related to licenses, specialties, professional affiliations, publications, credentials, and other occupational achievements; or

• Data related to your use of our products, your interactions with us, and services for those you care for

If we ask you to provide any other personal information not described above, then the specific information requested and the reasons why we require them will be made clear to you at the point we collect your personal information.

We may also collect Personal Data from other sources, including data brokers, publicly accessible databases, joint marketing partners, and other third parties. In this case, such collections will be conducted under the consent of data subjects.

Providing us with, or giving us permission to collect, any Personal Data relating to individuals other than yourself requires you to have valid authority to do so pursuant to relevant legislation.

In general, we will use the personal information we collect from you only for the purposes described in this Privacy Notice; for any other purpose not mentioned, we will explain to you at the time your personal information is collected. However, we may also use your personal information for other purposes not incompatible with the purposes we have disclosed to you (such as archiving purposes, scientific or historical research purposes, or statistical purposes) if and where this is permitted by applicable data protection laws.

We use Personal Data in order to:

• Perform the noticed purpose when we obtained your prior consent;

• Perform contractual obligations;

• Comply with legal/regulatory obligations.

We also use Personal Data as necessary for our legitimate interests and do not override your data protection or fundamental rights and freedoms.

Our purpose of processing includes:

• Developing and managing our (contractual) relationship with you, such as:

• providing our services and responding to your inquiries.

• sending administrative information to you, such as changes to our terms, conditions, and policies, as well as market information that we believe may be of interest to you.

• improving the quality of our interactions and services.

• developing transactional transparency such as "know your customers" (KYC) data required by financial institutions, banking records, invoices, remittances, and receipts related to our suppliers or service providers.

• ensuring transparency on transfer of value.

• Engaging with you, an HCP; as follows:

• verifying your eligibility to access specific products, services and data that may be provided only to certain licensed HCPs.

• interacting with you based on your professional expertise and opinion through digital and/or other means.

• involving you in programs/panels of healthcare professionals.

• reaching out to you for your professional expertise, in the context of surveys relating to products or services of our entities or business partners.

• collaborating with you on medical events, publications, or advisory meetings.

• seeking your views on products and services promoted by us, or an affiliate or business partner for development and improvement purposes.

• Complying with legal/regulatory obligations or for our legitimate interests as follows:

• analyzing or predicting your preferences in order to improve our interactions with you, (i.e., to deliver to you the content, products and offers via our Site, emails or digital tools that we believe will be relevant to your professional interests).

• conducting data analysis and audits.

• identifying usage trends in the use of our Sites and analyzing the effectiveness of our communications.

• detecting, preventing, and investigating fraud including (cyber) security monitoring and prevention.

• developing, enhancing, or modifying our products and services.

• validating your ability to access or use certain products or services.

• understanding how our products and services impact you and those in your care.

• operating and expanding our business activities.

The Personal Data that you and other individuals provide may be aggregated. We may use and disclose such aggregated data for any purpose. Aggregated data does not personally identify you or any other individual.

We disclose Personal Data to third parties as follows:

• Our subsidiaries and affiliates worldwide for the purposes described in this Privacy Notice.

• Service providers to provide services including, but not limited to: website hosting, data analysis, information technology, infrastructural provision, customer service, email delivery, and auditing

• Other companies with whom we collaborate regarding particular products or services. These may include our co-promoting partners for products that we develop and market jointly

• To any other person with your consent to the disclosure.

We also disclose your Personal Data as we believe to be necessary or appropriate:

• (i) To comply with applicable law, as well as our regulatory monitoring and reporting obligations (which may also include laws outside your country of residence), (ii) to respond to requests from both public and government authorities (which may also include authorities outside your country of residence), (iii) to cooperate with law enforcement, or (iv) for other legal purposes.

If you are a resident of the European Economic Area, our legal basis for collecting and using the personal information as described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will generally collect personal information from you only where we have your consent to do so, where it is required to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may need to collect personal information from you to satisfy legal obligations or in order to protect your vital interests or those of another person (e.g. to inform patients of possible adverse side effects related to medication they are taking).

If we ask you to provide personal information to comply with a legal requirement or for contacting purposes, we will make this clear at the relevant time and advise you whether or not the provision of your personal information is mandatory (as well as of the possible consequences of not providing your personal information).

Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will alert you and clarify what those legitimate interests are at the relevant time.

If you have any questions or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the "CONTACT US" heading below.

If you would like to request to review, correct, update, suppress, restrict, or delete Personal Data that you have provided to us, or if you would like to request to receive an electronic copy of your Personal Data for the purpose of transmitting it to another company, you may contact us as indicated in the "CONTACT US" section. We will respond to your request in compliance with applicable law.

In your request, please let us know what Personal Data you would like to have changed, whether you would like to have it suppressed from our database, or set certain limitation on our use of your data. We may need to verify your identity before implementing your request. We will try our best to respond to your request as soon as reasonably practicable.

When asked to provide Personal Data, you may decline. However, choosing not to provide necessary information may limit our ability to supply you with requested services.

Please note that we may need to retain certain type of Personal Data for record keeping purposes.

We seek to use reasonable organizational, technical and administrative measures in order to protect your Personal Data. This includes encrypting your personal information in transit and at rest.

We will retain your Personal Data for as long as needed or permitted in light of the purpose(s) for which it was obtained and as outlined in this Privacy Notice. The criteria used to determine our retention periods include: (i) the length of time you maintain an ongoing relationship with us (if the personal data is not related to a specific contract, the personal data will be stored for 24 months after our last interaction with you); (ii) whether or not there is a legal obligation to which we are subject; (iii) whether or not retention is advisable in light of our legal position (such as in regard to the enforcement of the Terms of Use, applicable statutes of limitations, litigation, or regulatory investigations).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, if your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until it can be safely deleted.

Your personal information may be transferred to, and processed in countries other than the one in which you are resident. These countries may have data protection laws that are different from the laws in your country.

Celltrion Healthcare is headquartered in the Republic of Korea (South). We may transfer your personal information with legitimate purpose to our subsidiaries/affiliates, third party service providers, and business partners located around the world.

However, we have taken appropriate safeguards to ensure that your personal information will remain protected in accordance with this Privacy Notice. This includes implementing the European Commission's Standard Contractual Clauses for transfers of personal information between our group companies, which requires all group companies to protect personal information they process from the EEA in accordance with European Union data protection laws.

Appropriate safeguards have also been implemented with our third party service providers and partners. Further details, along with our Standard Contractual Clauses, can be provided upon request.

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you of the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws. This Privacy Notice was last updated as of the "Last Updated" date shown above.

If you have any questions or concerns about our use of your personal information, please contact our data protection officer using the following details: DPO.CTHC@celltrionhc.com

Last Updated: December 31, 2020

This Privacy Notice is provided by Celltrion Healthcare Co., Ltd. (hereinafter "Celltrion Healthcare" or "we") and its subsidiaries/branches to explain who we are, how we collect, share and use Personal Data about you, the employee, as well as how you can exercise your privacy rights. If you have any questions or concerns about our use of your Personal Data, or would like to exercise any of your rights — including, but not limited to, objecting to the processing of your Personal Data in the ways that we describe here — then please contact us using the details provided at the end of this Privacy Notice. Celltrion Healthcare does its best to protect your privacy rights.

Celltrion Healthcare is a global pharmaceutical company whose ultimate parent company is headquartered in Incheon, Republic of Korea (South). For more information about us, please visit our website at https://www.celltrionhealthcare.com

"Personal Data" is any data that identifies you as an individual or relates to an identifiable individual. There are also "special categories" of more sensitive Personal Data which require a higher level of protection.

Personal Data that we may collect and use includes:

• Your name, address, contact details such as email addresses and telephone numbers, date of birth, and gender;

• The terms and conditions of your employment;

• Details of your qualifications, skills, experience, education, and employment history (including duty services like military service), including start and end dates, previous employers and organizations;

• Information about your remuneration, including entitlement to benefits such as pensions or insurance coverage;

• Details regarding your bank account and social security number;

• Information about your marital status, next of kin, dependents and emergency contacts;

• Information about your nationality and entitlement to work in the employed country;

• Details regarding your schedule (work days and working hours) and attendance at work;

• Details regarding periods of leave taken by you, including holidays, sickness absences, family matters, and other absences, as well as the reason for the absence;

• Details regarding any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and/or the related correspondence; or

• Assessments of your performance, including appraisals, performance reviews, performance improvement plans and related correspondence.

We may also collect, store and use "personally identifiable information" (such as your driver license number, passport number, and social security number) and the following "special categories" of sensitive personal information including:

• Information about medical or health conditions, including whether or not you have a disability for which the organization needs to make reasonable adjustments;

• monitoring information in order to maintain fair and equal opportunity, including information about your ethnic origin, sexual orientation, health, and religion or belief; or

• Biometric data, including fingerprints, hand geometry, and samples.

Your Personal Data may be collected through application forms or CVs, your passport or other personal identity, documents completed by you at the start of or during employment, any correspondence with you, or through interviews, meetings or other assessments.

In addition, we may collect personal data about you from third parties, such as references supplied by former employers and information from employment background check providers.

Providing us with, or giving us permission to collect, any Personal Data relating to individuals other than yourself requires you to have valid authority to do so pursuant to relevant legislation

In general, we will use the personal information we collect from you only for the purposes described in this Privacy Notice; for any other purpose not mentioned, we will explain to you at the time your personal information is collected. However, we may also use your personal information for other purposes not incompatible with the purposes we have disclosed to you if and where this is permitted by applicable data protection laws.

We use Personal Data in order to:

• Manage the employment relationship;

• Perform contractual obligations under your employment contract; or

• Comply with legal/regulatory obligations.

We also use Personal Data as necessary for our legitimate interests and do not override your data protection or fundamental rights and freedoms at any time before, during and after the end of the employment relationship.

Our contractual obligations include:

• Payment in accordance with the employment contract; or

• Administration and operation (such as benefit, tax, pension, and insurance).

Our legal/regulatory obligations include, but are not limited to:

• Checking an employee's entitlement to work in the employed country; or

• Complying with labor laws and other applicable laws related with employment.

Our legitimate interests include:

• Running recruitment and promotion processes;

• Maintaining accurate and up-to-date employment records, contact details (including details regarding who to contact in the event of an emergency), and records of employee contractual and statutory rights;

• Operating and keeping a record of disciplinary and grievance processes in order to ensure acceptable conduct within the workplace;

• Operating and keeping a record of employee performance and related processes in order to plan for career development, and for succession planning and workforce management purposes;

• Operating and keeping a record of absence and absence management procedures in order to allow effective workforce management and ensure that employees are receiving the appropriate pay or other benefits to which they are entitled;

• Obtaining occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meeting its obligations under applicable laws, and making sure that employees are receiving the appropriate pay or other benefits to which they are entitled;

• Operating and keeping a record of other types of leave (including maternity, paternity, parental and shared parental leave), in order to maintain effective workforce management, to ensure that the organization complies with its duties in relation to leave entitlement, and to make sure that employees are receiving the appropriate pay or other benefits to which they are entitled;

• Managing effective general HR and business administration;

• Providing references on request for current or former employees;

• Responding to and defending against legal claims; or

• Maintaining and promoting equality in the workplace.

Some special categories of Personal Data, such as information about health or medical conditions, are processed in order to carry out obligations related to employment law (such as those in relation to employees with disabilities).

The organization processes other special categories of Personal Data, such as information about ethnic origin, sexual orientation, health or religion or belief; this is done for the purposes of monitoring equal opportunity. Data that the organization uses for such purposes is anonymized. Employees are entirely free to decide whether or not to provide such data and there are no negative consequences of refusing to do so.

Personal Data is stored in the company's HR management and IT systems.

We disclose your Personal Data only when strictly necessary as follows:

• To selected employees (including your managers and those at the HR/GA/Finance/Account/IT Departments, all of whom have signed a confidentiality agreement) and our subsidiaries/affiliates for the purposes described in this Privacy Notice; or

• Service providers acting on behalf of us and our subsidiaries/affiliates, such as payroll service providers, travel agencies, and IT system and data hosting providers. We may also share your data with third parties in order to obtain pre-employment references from other employers as well as employment background checks from third party providers. These third parties are contractually and legally required to protect the confidentiality and security of your personal data, in compliance with applicable law.

We also use and disclose your Personal Data as we believe to be necessary or appropriate:

• (i) To comply with applicable law and our regulatory monitoring and reporting obligations (which may include laws outside your country of residence), (ii) to respond to requests from public and government authorities (which may include authorities outside your country of residence), (iii) to cooperate with law enforcement, or (iv) for other legal reasons.

If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information as described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will generally collect personal information from you only when we need the personal information in order to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information.

If we ask you to provide personal information to comply with a legal requirement, we will make this clear at the relevant time and advise you whether or not the provision of your personal information is mandatory (as well as of any possible consequences of not providing your personal information).

Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will alert you and clarify what those legitimate interests are at the relevant time.

If you have any questions or need further information concerning the legal basis on which we collect and use your personal information, please let us know using the contact details provided under the "CONTACT US" heading below.

If you would like to request to review, correct, update, suppress, restrict or delete Personal Data that you have provided to us through an HR manager, or if you would like to request to receive an electronic copy of your Personal Data for the purpose of transmitting it to another company, you may contact us as indicated in the "CONTACT US" section. We will respond to your request in compliance with applicable law.

In your request, please tell us what Personal Data you would like to have changed, whether you would like to have it suppressed from our database, or set certain limitation on our use. We may need to verify your identity before implementing your request. We will try our best to respond to your request as soon as reasonably practicable.

When asked to provide Personal Data, you may decline. However, choosing not to provide necessary information may limit our ability to supply you with requested services.

Please note that we may need to retain certain types of Personal Data for record keeping regarding your requests and resolutions responded.

We seek to use reasonable organizational, technical and administrative measures in order to protect your Personal Data. This includes encrypting your personal information in transit and at rest.

We will retain your Personal Data for as long as needed or permitted in light of the purpose(s) for which it was obtained and as outlined in this Privacy Notice. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing employment relationship with you; (ii) whether or not there is a legal obligation to which we are subject (such as keeping records of employment and payroll); (iii) whether or not retention is advisable in light of our legal position (such as in regard to the enforcement of the employment contract, applicable statutes of limitations, litigation or regulatory investigations).

When we have no ongoing legitimate purpose to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, if your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until it can be safely deleted.

Your personal information may be transferred to, and processed in countries other than the one in which you are resident. These countries may have data protection laws that are different from the laws in your country.

Celltrion Healthcare is headquartered in the Republic of Korea (South). We may transfer your personal information with legitimate purpose to our subsidiaries/affiliates and third-party service providers located around the world.

However, we have taken appropriate safeguards to ensure that your personal information will remain protected in accordance with this Privacy Notice. This includes implementing the European Commission's Standard Contractual Clauses for transfers of personal information between our group companies, which requires all group companies to protect personal information they process from the EEA in accordance with European Union data protection laws.

Appropriate safeguards have also been implemented with our third-party service providers and partners. Further details, along with our Standard Contractual Clauses, can be provided upon request.

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you in consistence with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws. This Privacy Notice was last updated as of the "Last Updated" date shown above.

If you have any questions or concerns about our use of your personal information, please contact your HR manager or our data protection officer using the following details: DPO.CTHC@celltrionhc.com

Last Updated: December 31, 2020

This Privacy Notice is for individuals who report adverse events, submit complaints or request medical information, or are the subject of such reports/submits/requests.

This Privacy Notice is provided by Celltrion Healthcare Co., Ltd. (hereinafter "Celltrion Healthcare" or "we") and its subsidiaries/branches to explain who we are, how we collect, share and use personal data about you, as well as how you can exercise your privacy rights. If you have any questions or concerns about our use of your personal data, or would like to exercise any of your rights — including, but not limited to, objecting to the processing of your personal data in the methods that we describe here — then please contact us using the details provided at the end of this Privacy Notice. Celltrion Healthcare does its best to protect your privacy rights.

Celltrion Healthcare is a global pharmaceutical company, whose ultimate parent company is headquartered in Incheon, Republic of Korea (South). For more information about us, please visit our website at https://www.celltrionhealthcare.com

"Personal Data" may refer to any data that identifies one as an individual or relates to an identifiable individual.

Personal Data that we may collect and use includes:

• Information regarding individuals that report adverse events or make medical information queries or product quality complaints, such as healthcare professionals and caregivers. It includes your name, phone number, email and/or postal address, and place of work (for healthcare professionals);

• Information about the patient, including name, hospital record numbers, age, date of birth, sex, weight, height, race, whether pregnant and/or breastfeeding, and strictly necessary occupational data for the evaluation of the adverse event; or

• Strictly necessary or relevant data, for the purposes described in this Privacy Notice, refers to patient health or lifestyle data including, but not limited to, the nature of adverse effects, examination results, personal or family medical history, diseases or associated events, risk factors, information about the use of medicines and therapy management, physical exercise, diet, eating behavior, sexual life/contraception, and consumption of tobacco, alcohol, and drugs.

We may ask for additional information as needed. If we ask you to provide any other personal information not described above, then the specific information requested and the reasons why we require them will be made clear to you at the point we collect your personal information.

Providing us with, or giving us permission to collect, any Personal Data relating to individuals other than yourself requires you to have valid authority to do so pursuant to relevant legislation.

In general, we will use the personal information we collect from you only for the purposes described in this Privacy Notice; for any other purpose not mentioned, we will explain to you at the time your personal information is collected. However, we may also use your personal information for other purposes that are not incompatible with the purposes we have disclosed to you (such as archiving purposes, scientific or historical research purposes, or statistical purposes) if and where this is permitted by applicable data protection laws.

We will only process your personal data as required by contractual or legal/regulatory obligations; or for our legitimate interest

We use Personal Data in order to:

• Monitor the safety of medicinal products and medical devices, which includes detecting, assessing, following up on and preventing adverse events, and reporting adverse events to health authorities;

• Respond to queries regarding medical information including, but not limited to, relation to availability of products, clinical data, dosing and administration, formulation and stability, and interactions with other drugs, foods, and conditions;

• Respond to quality complaints regarding our products, such as any fault of quality and/or effectiveness, stability, reliability, safety, performance, or usage;

• Answer other questions or requests and improve our products and services;

• Comply with our policies and local legal, regulatory, and compliance requirements; or

• Conduct audits and defend litigation.

The Personal Data that you and other individuals provide may be aggregated. We may use and disclose such aggregated data for any purpose. Aggregated data does not personally identify you or any other individual.

We do not share or transfer personal data to third parties other than those indicated in this Privacy Notice.

Personal data may be accessed by or transferred to:

• Our employees (including those at Medical, Quality, Legal and Compliance Departments) and other Celltrion Group companies (especially Celltrion Inc., the manufacturer of our products)

• Other pharmaceutical and medical device companies if the adverse event, request for information, or complaint relates to one of their products

• Service providers acting on behalf of us and our subsidiaries/affiliates, such as IT system and data hosting providers, and adverse event processing service providers. These third parties are contractually and legally obliged to protect the confidentiality and security of personal data, in compliance with applicable law

Personal data may be shared with:

• Healthcare professionals involved in an adverse event, request for information, or complaint

• A national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request; Including The European Medicines Agency (EMA) which controls the EudraVigilance database (for more information visit https://www.ema.europa.eu), the U.S. Food and Drug Administration (FDA) which controls the Adverse Event Reporting System (for more information visit https://open.fda.gov/data/faers/) and the Korea Institute of Drug Safety & Risk Management (KIDS) which controls the Korea Adverse Event Reporting System (for more information visit https://kaers.drugsafe.or.kr/)

We also disclose your Personal Data as we believe to be necessary or appropriate:

• (i) To comply with applicable law, as well as our regulatory monitoring and reporting obligations (which may also include laws outside your country of residence), (ii) to respond to requests from both public and government authorities (which may also include authorities outside your country of residence), (iii) to cooperate with law enforcement, or (iv) for other legal purposes.

If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information as described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will generally collect personal information from you only where we have your consent to do so, where it is required to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some case, we may need to collect personal information from you to satisfy legal obligations or in order to protect your vital interests or those of another person (e.g. to inform patients of possible adverse side effects related to medication they are taking).

If we ask you to provide personal information to comply with a legal requirement or for contacting purposes, we will make this clear at the relevant time and advise you whether or not the provision of your personal information is mandatory (as well as of the possible consequences of not providing your personal information).

Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will alert you and clarify what those legitimate interests are at the relevant time

If you have any questions or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the details provided under the "CONTACT US" heading below.

If you would like to request to review, correct, update, suppress, restrict or delete Personal Data that you have provided to us, or if you would like to request to receive an electronic copy of such Personal Data for the purpose of transmitting it to another company, you may contact us as indicated in the "CONTACT US" section. We will respond to your request in compliance with applicable law.

In your request, please tell us what Personal Data you would like to have changed, whether you would like to have it suppressed from our database, or set certain limitation on our use of your data. We may need to verify your identity before implementing your request. We will try our best to respond to your request as soon as reasonably practicable.

When asked to provide Personal Data, you may decline. However, choosing not to provide necessary information may limit our ability to supply you with requested services.

Please note that we may need to retain certain type of Personal Data for record keeping purposes.

We seek to use reasonable organizational, technical and administrative measures in order to protect your Personal Data. This includes encrypting your personal information in transit and at rest.

We will retain your Personal Data for as long as needed or permitted in light of the purpose(s) for which it was obtained and as outlined in this Privacy Notice. The criteria used to determine our retention periods include: (i) the length of time you maintain an ongoing relationship with us; (ii) whether or not there is a legal obligation to which we are subject; or (iii) whether or not retention is advisable in light of our legal position (such as in regard to the applicable statutes of limitations, litigation or regulatory investigations).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, if your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until it can be safely deleted.

Your personal information may be transferred to, and processed in, countries other than the one in which you are resident. These countries may have data protection laws that are different from the laws in your country.

However, we have taken appropriate safeguards to ensure that your personal information will remain protected in accordance with this Privacy Notice. This includes implementing the European Commission's Standard Contractual Clauses for transfers of personal information between our group companies, which requires all group companies to protect personal information they process from the EEA in accordance with European Union data protection laws.

Appropriate safeguards have also been implemented with our third-party service providers and partners. Further details, along with our Standard Contractual Clauses, can be provided upon request.

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you of the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws. This Privacy Notice was last updated as of the "Last Updated" date shown above.

If you have any questions or concerns about our use of your personal information, please contact our data protection officer using the following details: DPO.CTHC@celltrionhc.com