The security and confidentiality of information and data are a high priority for “Atron Health SA” (hereinafter referred to as the “Company”).
To achieve the above, the Company applies all modern and appropriate technical and organizational measures for processing purposes, whose effectiveness it checks at regular intervals.
The PERSONAL DATA PROTECTION POLICY provides information on personal data collected and processed by the Company in the course of its business, both in hard copy and in electronic form.
This Policy describes the types of personal data or personal information that the Company collects, how it uses, processes and protects the information it collects, how long it stores such information, with whom it is shared, to whom it is transmitted, and the rights that data subjects may exercise in relation to the use of their personal data, in accordance with the applicable personal data legislation and in any case with the European Regulation 2016/679 (hereinafter “the Regulation”).
PERSONAL DATA: Any information relating to an identified or identifiable person (= DATA SUBJECT), namely a person whose identity can be directly or indirectly established. The crucial element is the link between such information and the person, and not the quality of the information, such as, for example, the name, identity number, Social Security Number, etc.
SPECIAL CATEGORY OF PERSONAL DATA (or sensitive personal data): Any information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation data.
HEALTH DATA: Personal data related to a person’s past, current or future physical or mental health, including the provision of health care services, from which information about the person’s health can be inferred.
PROCESSING: Collection, registration, organization, structure, storage, customization, modification, retrieval, information retrieval, use, transmission, dissemination, deletion or destruction.
DATA CONTROLLER (D.C.): Any natural or legal person in the public or private sector who holds and processes personal data. The D.C. determines the purpose and method of processing.
DATA PROCESSOR (D.P.): Any natural or legal person in the public or private sector who processes personal data on behalf of a data controller.
RECIPIENT: The natural or legal person to whom the data are disclosed.
SUPERVISORY AUTHORITY: An independent public authority set up by the Member State concerned. In Greece it is the HELLENIC DATA PROTECTION AUTHORITY.
Data Subject’s CONSENT: Any freely given, specific, informed, unambiguous indication of the data subject’s wishes by which he/she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.
III.- GENERAL PRINCIPLES for the Processing of Personal Data
According to the Regulation, every company must:
– Collect personal data in a fair and lawful manner,
– Keep only the data they need,
– Keep the data safe,
– Retain such data only for the time required for the purposes of collection and processing,
– Inform data subjects of data retention,
– Take all appropriate organizational and technical measures to ensure data security and protect it against accidental or unauthorized destruction, accidental loss, alteration, unauthorized dissemination or access, and
– Be able at any time to prove all of the above.
IV. – PURPOSE
The purpose of this Policy is to provide information and guidance to the Company’s suppliers, customers and affiliates regarding the retention of their Personal Data, that is, what personal information the Company retains, for how long and for what purpose.
Regarding the Company’s Employees (prospective, existing and former employees), the Company’s Personnel Personal Data Retention Policy applies.
V.-PERSONAL DATA PROTECTION POLICY
1.- Legal Basis for Processing
– The Company’s compliance with its statutory obligations, in particular pharmaceutical legislation and medical legislation on human tissue and cell transplant.
– Fulfillment of the Company’s contractual obligations.
– Ensuring the proper functioning of the Company in the context of its activity.
– Satisfying information and communication requests of data subjects.
– Safeguarding the Company’s personnel, facilities and equipment.
– Fulfillment of the Company’s contractual obligations to third parties, such as product manufacturers.
2.- Type of personal data and method of processing
The Company shall, as appropriate, keep the following personal data:
a) Health Professionals
c) Suppliers / Partners
3.- Purposes of Processing
– Grants for the participation of Health Professionals (H.P.) in EOF (National Organization for Medicines) conferences.
– Information, promotion and commercial communication of Company products and services.
– Provision of Information to H.P. about scientific events, conferences or seminars organized by EOF.
– Execution of an order or performance of a contract.
– Fulfillment of legal obligations of the Company towards an Insurance Institution, a Clinic or Public Hospital.
– Collecting directly from EOPYY (Greek National Health Service Organization) or the Insurance Fund the price of the materials sold.
– The Company’s compliance with its statutory obligations, in particular pharmaceutical legislation and medical legislation on human tissue and cell transplant (e.g. side effects).
– Compliance with manufacturer’s requirements.
– Fulfillment of the Company’s obligations.
– Achieving the legitimate business objectives of the Company.
– Responding to requests from Suppliers, Partners and Customers (including patients) of the Company.
In any event, personal data is voluntarily submitted to the Company by the data subjects themselves or through their representatives. This does not include cases where such data are disclosed to the Company by public services to enable it to take actions that fall within its competence.
4.- Personal Data Retention Period
The data shall be kept by the Company only for as long as is strictly necessary to fulfill the purpose of collection in accordance with the relevant legislation, and shall then be destroyed.
5.- Method of Processing
The Company collects only the personal data that is necessary, where appropriate.
Furthermore, the processing of data is carried out, on a case-by-case basis, in both paper and electronic form and is recorded in the Company’s corporate system in accordance with applicable legislation, including the provisions on data security and confidentiality, and in accordance with the principles of fair and lawful processing.
6.- Disclosure of Personal Data
The data shall be processed by authorized personnel of the Company. In addition, such data may be disclosed and made available, on a case-by-case basis, to legal or natural persons with whom the Company may from time to time cooperate, such as a law firm or insurance company or manufacturers and holders of marketing authorizations or conference organizers, etc., public services and information systems, such as ERGANI, EOF, etc., banks, insurance organizations and auditors, in compliance with the Company’s external and internal regulations or where required by law.
As part of the Company’s business, personal data may be disclosed to Company suppliers or Company partners who provide services to the Company. However, in this case, the legal or natural persons will process such data only for the purpose of providing the Services to the Company and not for their own benefit, in the capacity of data processors and shall be bound by a Statement of Privacy and Confidentiality.
Exceptionally, personal data may be disclosed to third parties, including the competent police authorities and prosecutors, to the extent that there is a statutory obligation in this respect or pursuant to a decision or order of a judicial authority.
7.- Transmission of Personal Data
Such data shall not be transmitted to a third country or international organization. In the event of any transmission outside the European Economic Area, the Company is committed to taking the necessary measures to ensure that the data transmitted to third parties is the minimum necessary and that the conditions for lawful and fair processing are always met.
Every data subject has the right to know and have access to his/her personal data held by the Company in accordance with this Policy, to verify the accuracy of the personal data provided to the Company and to update his/her personal information.
The data subject may at any time contact the Company, and in particular the Data Protection Officer (contact telephone: 210-2134774 & e-mail: email@example.com), to exercise his/her rights under the General Data Protection Regulation (Articles 15-22), including, inter alia, to request access to his/her data (in order to be informed of the data and the reason why it is processed by the Company and its recipients), to verify the content of his/her data, its origin, accuracy and location, to obtain a copy of his/her data, to request the completion, updating, modification of his/her data, in cases specified by law, to request the restriction of data processing or the deletion of data, etc. These rights are in principle exercised at no cost to the subject.
In addition, if the data subject has consented by submitting a Statement of Consent, he/she may at any time withdraw his/her consent by a simple revocation statement (e-mail dpo: firstname.lastname@example.org, contact telephone: 210-2134774, company address: L. Veikou 8 & Lesvou 2, PC: 11147, Galatsi, Athens), without prejudice to the legality of the processing based on the subject’s consent prior to the withdrawal of consent or the Company’s compliance with its statutory obligations.
Finally, any data subject may at any time directly contact the Personal Data Protection Authority (www.dpa.gr) if he/she considers that the Company’s use of his/her data is inappropriate.