Clinical Research Privacy Statement

Updated: November 4th, 2019, version 1.1

This Orion Corporation Clinical Research Privacy Statement explains how we process your personal information if you participate in one of our clinical studies. We collect, process and transfer personal data from study subjects, study animal owners and study site personnel. Each data subject in Orion’s clinical studies receives the study specific privacy information notice before their participation in a study. Because we are dedicated to being transparent about the processing of your personal data at all times, we have adopted the policies and practices described in this Orion Corporation Clinical Research Privacy Statement. To read more about Orion Corporation’s management of privacy on websites and services, please see the Orion Corporation Privacy Statement. Our Privacy Statement is located on our homepage and is also available on the webpages where personal data are requested.

 

Purposes and Lawfulness of Collection, Use and Disclosure of Personal Data

The purpose for processing the personal data you provide if you participate, or an animal owned by you participates in one of Orion Corporation’s clinical studies is to enable Orion Corporation to:

conduct the research, manage and administer the study,
draft reports for scientific publications,
make reports to government agencies,
monitor the safety of the study subjects and others,
obtain, maintain and process marketing authorizations in different countries in accordance with the regulations and instructions of authorities.

In addition, the processing of personal data enables Orion to

use the site personnel’s personal information to ensure qualifications and experience of persons performing the clinical study,
communicate about the clinical study,
make payments for the services provided, and
store contact details in resource database for possible future clinical study interest.

For the above-mentioned purposes, your personal data may be disclosed to Orion’s service providers, contract research organizations and academic research organizations, government regulatory agencies and service providers of the study site. We may disclose the study site personnel’s personal data to the Ethics Committees which assess the protocol from the ethics’ perspective.

Orion Corporation uses other companies (service providers) when data is collected and processed from studies. We may share your information with other companies working with Orion Corporation, who assist us by performing data processing and technical operations such as data storage and hosting, or disclose the data to another pharmaceutical company, if we decide to continue the study in collaboration with such other company. Orion Corporation may also disclose the coded study data to another pharmaceutical company if it decides to sell or license the clinical research project to another company. For the above-mentioned purposes it is necessary to transfer personal data outside of the European Economic Area ("EEA").

If ownership or control of Orion Corporation or all or any part of our products, services or assets changes, we may disclose your personal data to any new owner, successor or assignee, in which case we would require the new owner, successor or assignee to treat your personal data in accordance with this Privacy Statement.

Legal Basis of Processing

The legal basis for the processing of your personal data in relation to clinical studies may vary depending on the local requirements of the country where the study is conducted.

The processing of your personal data in relation to human clinical studies is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of healthcare and of medicinal products, in accordance with European Union or Member State law (legal basis for processing).

We may also use the data collected for further scientific research and in these cases processing is necessary for scientific research purposes in accordance with the European Union General Data Protection Regulation ("GDPR") Article 89(1) based on Union or Member State law and that such research use is compatible with the original purpose of processing. We may also share the study data in anonymized form, as required by Efpia (European Federation of Pharmaceutical Industry and Associations) in its Rules for Clinical Trial Data Sharing.

In some countries, we use consent of the study subject as the legal basis for processing as required by the relevant authorities.

With regard to animal studies and studies conducted at Orion Corporation’s Clinical Pharmacology Unit (studies on healthy volunteers and certain other studies), the legal basis of processing is the legitimate interests of Orion Corporation as the data controller. "Legitimate interests" mean the interests of Orion Corporation in conducting and managing the studies; we need to be able to process your personal details for purposes of recruitment of study subjects to clinical studies or as the owner of the study animal in order to manage the study. When processing your personal information on the basis of our legitimate interests we comply with laws regulating the processing of personal data and we strive to ensure that any possible effect that processing might have on you is not unreasonable. Orion Corporation’s legitimate interests do not automatically override your rights and interests; we will not use your personal data for activities where our interests are overridden by the impact on you.

Personal Data We Collect

Orion Corporation collects personal data for the above-mentioned purposes. In human clinical studies Orion Corporation collects study subjects’ study number, subject’s sex, year of birth or age, certain physical traits and habits, relevant medical history, investigator’s observations, information describing the behavior of the products/medicines in the human body, effects of the product/medicine, and information on the results of tests measuring efficacy and safety of a product as described in the patient information leaflet.

Orion Corporation also collects data on the study site personnel, including the investigator’s CV, name, work contact address, telephone number, e-mail address and bank account details for processing of possible payments by Orion Corporation and other study site personnel’s names, work related contact addresses, telephone numbers and e-mail addresses of e.g. study nurse and pharmacist.

In animal health clinical studies Orion Corporation collects study animal’s owner’s name and contact information (including name, address, telephone number and email address).

Orion Corporation also maintains contact lists of its service providers, consultants, affiliates, licensing partners and other third parties involved in the clinical studies. Contact lists contain company names and addresses, names of responsible persons within those companies and their contact details (phone numbers and e-mail addresses).

Pseudonymisation

Pseudonymisation, normally coding, is a safeguard measure that helps to protect your personal data. It means that personal data is processed in such a way that it can no longer be attributed to you without the use of additional information. The additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed directly to you.

This safeguard measure is implemented by giving the study subject a number, in other words a code, which prevents Orion Corporation from recognizing and identifying the study subject. Identification is possible only when the study subject’s number is combined with the code key kept by the investigator. The personal data of study subjects in Orion Corporation’s clinical studies is pseudonymized at the study site and this means that Orion Corporation does not in fact have access to the directly identifiable personal information of the study subjects.

Sources of Personal Data

In the context of human clinical studies sponsored by Orion Corporation and partners, which are performed according to a study protocol, subject data may be collected from healthcare service systems based on a data subject’s freely given informed consent, and it is derived directly from the data subject or the investigator, or from the results of testing or examinations of said clinical studies.

Transfers of Personal Data

The personal data collected may be processed in your country of residence or transferred to another country where Orion Corporation, its affiliates, subcontractors, regulatory authorities or other recipients of personal data are located, both inside and outside the European Economic Area (EEA). This means that your personal data may be processed or stored in a country that has less stringent data protection standards than those of the EEA. We will ensure that your personal data will be treated in accordance with this Privacy Statement at all times even if it is being transferred outside the EEA. The personal data transferred outside the EEA is protected based on the adequacy decision made by the European Commission, or by appropriate contractual arrangements. For more information, please contact Orion Corporation.

Protection of Data Files

Any manual data file will be stored in an area with restricted access, available only for designated authorized persons. Any electronic data file will be stored in a system with restricted password protected access, available only for the designated authorized persons who need the information based on their role.

Retention of Personal Data

The personal data shall be retained by Orion Corporation for a minimum of fifteen years after completion of the clinical study or for two years after the last marketing authorisation approval or when two years have passed from the suspension of the development of the research product.

For active substances with a marketing authorization approval Orion Corporation is obligated to store the data for at least ten years after the end of the expiration of the marketing authorization or longer if any local legislation so requires.

Pharmacokinetic samples collected and analysed during a clinical study will be destroyed at the latest on completion of the clinical study report. Some samples defined in the study protocol, e.g. pharmacogenetic samples, may be stored in Orion Corporation’s sample collection repository for a maximum of twenty years, after which the samples will be destroyed.

Your Rights

Right to Withdraw Consent

In cases where the legal basis for processing the personal data is the consent of the study subject, the study subject has the right to withdraw the consent at any time. The request regarding the withdrawal of consent must be made to the investigator of the research center (study site) where the clinical study concerning the medicinal product or medical device is or was conducted as described more specifically in the subject information leaflet. You should note, however, that withdrawal of consent does not make the processing of personal data performed prior to such withdrawal unlawful. In all cases where the study subject wishes to withdraw their consent to participate in a study, or to withdraw their consent for personal data processing where consent is the legal basis for processing of their personal data, the personal data collected until the discontinuation or the withdrawal of the consent will be included in the study data of a clinical study and used to evaluate the safety of the medicine as mandated by clinical trials legislation. Thus, the withdrawal of consent will only affect the use of the study subject’s samples for further analysis, which will not be performed in cases where consent is withdrawn.

Rights of Access, Rectification and Objection

Subject to legal exceptions, you have the right of access, after having supplied sufficient search criteria, to the data on yourself in the study register, or to a notice that the register contains no such data.

In case you wish to obtain more information regarding the processing of your personal data, you can make a request to this effect by contacting the study doctor at the study site where the clinical studies concerning the medicinal product or medical device are performed or were previously performed. You may request access to your personal data collected by the study site and to rectify any data that is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing. Since Orion Corporation as the controller has only information related to your coded number, it is impossible for Orion Corporation to recognize or identify you or provide further information regarding the processing of your personal data. If, however, your questions relate to processing of personal data by Orion Corporation for a certain study in general, you should contact Orion Corporation’s contact person named below.

Orion Corporation Contact Information and Contact Person for the Registers:

Orion Corporation (Business ID 1999212-6)

Address: Orionintie 1, 02200 Espoo, Finland

Contact person for clinical studies and animal health studies: Eeva Puotunen, Head of Clinical Study Operation Units

Telephone: +35810 426 7335; Email: eeva.puotunen@orionpharma.com

Contact person for healthy volunteer studies at Clinical Pharmacology Unit: Minna Nissilä, Manager of Clinical Pharmacology Unit

Telephone: +35810 426 4390; Email: minna.nissila@orionpharma.com

Contact information of the Data Protection Officer: privacy@orion.fi

If you have concerns regarding Orion Corporation’s processing of your personal data, you have the right to make a complaint to the Data Protection Ombudsman, the Finnish supervisory authority for data protection issues (https://tietosuoja.fi/en/home). We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.

Questions Regarding the Privacy Statement

If you have any questions about our Privacy Statement, or any concern about privacy at Orion Corporation, please contact us by e-mail at privacy@orion.fi.

We may update or revise this Orion Corporation Clinical Research Privacy Statement at any time. When we change the Statement in a material way, a notice will be posted on our website along with the updated Privacy Statement.