Data Privacy Policy – October 2020

Scope

This data privacy policy applies worldwide and may concern BlueReg’s customers, prospects, suppliers, service providers, employees, trainees and job applicants.

Objective

The processing of personal data is governed by the provisions of the EU General Data Protection Regulation 2016/679 (GDPR) of the 27th April 2016, and by those of Law 78-17 of the 6th January 1978 and its modifications and the texts facilitating their implementation.

BlueReg offers a wide range of consulting services in drug development, drug registration, post-marketing, pharmacovigilance, publishing, writing, CMC and regulatory monitoring.

In the course of carrying out our activities, we may collect and process your personal data.

We are conscientious about respecting your privacy, and so have drawn up this Data Privacy Policy (hereinafter the “Data Privacy Policy”) in order to present to you in a transparent manner the use we make of your data, the description of your rights and the way in which the law protects you.

This Data Privacy Policy, which is accessible online, is subject to change at any time. Therefore, we invite you to consult the online version on a regular basis and before any interaction with our services. The date of the last revision of this Data Privacy Policy is located at the top of this Data Privacy Policy.

Concepts as defined by the Commission Nationale Informatique et Libertés (hereinafter “CNIL”) and/or the European Regulation n° 2016/679 on data protection (hereinafter “GDPR”).

What is Personal Data?

“Personal Data” is any information relating to an identified or identifiable natural person, directly or indirectly:

• by reference to an identifier, such as a name, an identification number (e.g., customer code, social security number), an online identifier (e.g., email, web cookie, login), a telephone number, a date of birth, etc.

• by reference to one or more elements specific to its physical identity (e.g. biometric photograph, fingerprint, handwriting).

• by cross-checking information such as date of birth, postal address, biometric data, etc.

What is Processing?

Processing shall mean any operation, or set of operations, whether or not involving the use of automated processes, applied to data or sets of Personal Data, regardless of the process used: collection, recording, organisation, storage, adaptation, modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, blocking, erasure or destruction.

What is a subcontractor in the sense of the regulations on the protection of personal data?

A “Sub-Processor” is a natural or legal person, public authority, service or other body that processes Personal Data on behalf of, under the instruction of, or under the authority of the Data Controller.

What is a controller?

The “Controller” is the person who determines the purposes and means of the Processing. The Controller implements appropriate technical and organisational measures to ensure and be able to demonstrate that the Processing is carried out in accordance with the regulations in force. The Data Controller of the Personal Data concerning you is BlueReg, whose registered office is located at Les 2 Arcs, Bât A, Route des Crêtes, CS 60327, 06906 Sophia-Antipolis Cedex, registered with the RCS of Grasse under the number 818 395 782 (hereinafter “BlueReg”, “We”, “Our”). You can contact the Data Controller via the page: GDPR data request form

The processing of your personal data

Why do we collect Personal Data?

BlueReg collects and processes your Personal Data in the course of carrying out its activities in order to provide you with a quality service in a secure environment.

BlueReg undertakes to collect only Personal Data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

The collection and Processing of your Personal Data is necessary for the execution of all pre-contractual measures and for the execution of contracts or assignments between you and BlueReg. In addition, we collect Personal Data about you that are necessary to comply with our legal, regulatory and contractual obligations.

We also process your Personal Data in order to ensure the defence of our legitimate interests. These interests include the use of your Personal Data in connection with litigation or other legal matters involving BlueReg and/or any subsidiary of BlueReg.

For the purposes of this Policy, pre-contractual measures are defined as any action taken by BlueReg in the presentation of our service offerings that may require the collection of Personal Data in order to be able to meet your expectations.

The provision of Personal Data is essential for the conclusion and performance of contracts. If you do not provide us with your Personal Data, we will not be able to respond favourably to your requests, nor to provide you with the products and services to which you have subscribed.

Minors

We do not knowingly collect personal data from persons under the age of 16 without the prior, verifiable consent of a parent or guardian. Such parent or guardian may have the right, upon request, to view the information provided by the child and to require that it be deleted. In addition, all minors must seek their parent’s or guardian’s permission before using or disclosing personal data on any medium.

How and when do we collect Personal Data?

The processing of the Personal Data listed above is necessary to carry out the pre-contractual measures, to create an estimate and to execute a Contract.

In addition, for purposes other than those set out in the Contract, we may collect Personal Data about you based on your free, specific, informed and unambiguous consent. This consent is manifested by a positive statement or act (such as ticking a box on a form).

When we collect Personal Data about you through third parties (e.g. business introducers), we ensure that you are informed of our commitments and your rights.

The categories of recipients of your data

Your Personal Data may be communicated to the following recipients, when this communication is necessary for the fulfillment of the purpose of the Processing of your Personal Data:

• Internal recipients within BlueReg and its subsidiaries: our customer services, finance, legal, HR, marketing and sales departments, all staff, management and internal control functions.

• Third Party Recipients:

o event agencies, communication, advertising, marketing and affiliate platforms
o business introducers
o third party application maintenance, software service and hosting providers
o IT and telephone service providers
o Social organizations
o Persons authorised as authorised third parties (e.g. supervisory authorities, auditors, etc.).
o in the event of litigation: investigators, legal advisers, debt collection agencies, bailiffs, lawyers, notaries and parties to the litigation.

We do not sell your Personal Information to third parties.

The transfer of your Personal Data outside the EEA

We may transfer your Personal Data outside the European Economic Area (“EEA”) to our service providers and customer services. In this case, these transfers are governed either by the standard contractual clauses of the European Commission or by the recipient’s adherence to the so-called “Privacy Shield” mechanism, or by the establishment of internal company rules or by any other mechanism guaranteeing an adequate level of protection.

Retention Periods of Personal Data

BlueReg keeps your Personal Data for the time necessary to fulfill the purposes for which it was collected. We retain your Personal Information for three (3) years after we have terminated our relationship with you. However, in some cases, your Personal Information may be retained longer, for example in the event of litigation, or to comply with our accounting, legal or regulatory obligations. In any case, this data is destroyed or anonymised once the said purposes have been fulfilled. Anonymisation is a protection mechanism that aims to irreversibly transform Personal Data so that they can no longer identify the person concerned.

Our commitment to the protection of Personal Data

BlueReg is committed to ensuring the protection of your Personal Data from the design of our products, services, sites and applications. We use technical and organizational measures appropriate to the sensitivity of your Personal Information. We protect them against any malicious intrusion, loss, alteration or disclosure to third parties or unauthorized persons. Your data transfers are encrypted using the Secure Sockets Layer (SSL) protocol. However, despite our best efforts to ensure that your Personal Data is kept in a secure environment, we cannot fully protect against the risk of hacking or illegal disclosure of your data.

We take steps to limit intrusive and malicious actions. In the event of a data breach involving your Personal Data, we will notify the CNIL of the breach as soon as possible, and if possible no later than 72 hours after becoming aware of it. When such a breach is likely to create a high risk to your rights and freedoms, we will inform you of the data breach as soon as possible. Our employees are aware of the processing of Personal Data made available to them in the context of their duties and are required to comply with the internal rules developed by BlueReg in accordance with applicable European and national regulations.

We deal exclusively with third parties who respect privacy and limit their access to only the Personal Data necessary to carry out their assignments. The exchange of information is carried out through secure protocols. In order to ensure a high level of security of your Personal Data, our subcontractors are subject to control and audit measures.

We protect the IT developments carried out on our tools by limiting transfers outside our infrastructures. Our information system is accessible only to authorized persons.

We do not disclose any Personal Data about you to business partners without first obtaining your consent and informing you of the possibility of exercising your right to object.

Your rights concerning your Personal Data

What are your rights?

With regard to the processing of Personal Data, you have a number of rights in accordance with the applicable regulations. You can exercise the following rights from the following page: GDPR data request form

• access to your Personal Data;
• the rectification of your existing Personal Data;
• the deletion of your Personal Data, if such deletion does not contravene other regulatory or contractual requirements;
• the portability of your Personal Data (the right to portability offers you the possibility to recover part of your data in a structured, commonly used and machine-readable format);
• the opposition to the processing of your Personal Data;
• the limitation of the processing of your Personal Data in order to verify their accuracy, to oppose their deletion or to exercise or defend your rights in court;
• the withdrawal of your consent, if you have consented to the processing of your Personal Data;
• the right to give instructions on the processing of Personal Data concerning you after your death;
• lodging a complaint with the Commission Nationale de l’Informatique et des Libertés.

What’s a cookie?

The Commission nationale de l’informatique et des libertés (hereinafter the “CNIL”) defines a cookie as “(…) a small computer file, a tracer, deposited and read, for example, when consulting a website, reading an e-mail, installing or using a software or mobile application, regardless of the type of terminal used (computer, smartphone, digital reader, video game console connected to the Internet, etc.).”

The term “cookie” includes, for example:

  • HTTP cookies;
  • flash cookies;
  • the result of the fingerprint calculation in the case of “fingerprinting” (calculation of a unique identifier of the machine based on elements of its configuration for tracing purposes);
  • web bugs;
  • any other identifier generated by a software or operating system, for example.

What Cookies do we use? (AR)

Important Consent Information

The deposit or reading of certain Cookies does not require your prior consent, either because they do not process any Personal Data concerning you, or because they are strictly necessary for the provision of the service you request. Depositing or reading Cookies other than those mentioned in the previous paragraph is impossible without your prior consent. You can at any time prevent us from storing or reading the Cookies we use, either by deleting them from your devices or by changing your browser settings.

How to set up your browser, smartphone and software components?

Any settings you change are likely to affect your browsing on our websites as well as your conditions of access to certain services requiring the use of Cookies.

You can allow or disallow cookies to be stored on your device and change your device settings at any time.

If you have enabled your browser software to accept cookies, they are stored in a dedicated area on your device.

If you refuse to accept Cookies on your device or if you delete Cookies stored on your device, you will no longer be able to benefit from a certain number of functionalities that are necessary to navigate in certain areas of our websites. Where applicable, we decline all responsibility for the consequences linked to the impaired functioning of our websites resulting from the impossibility for us to record or consult the Cookies necessary for their functioning and that you have deleted or refused.

More generally, we invite you to consult the “Your traces” section of the CNIL website: http://www.cnil.fr/vos-libertes/vos-traces/les-cookies/.

1. How to set up your browser?

Most browsers accept Cookies by default. However, you can choose to block these Cookies or have your browser notify you when a site tries to install a Cookie on your device.

Please refer to your browser’s help menu to set Cookies to your preferences. Below are links to the cookie setting instructions for all major browsers:

o Internet Explorer: https://support.microsoft.com/fr-fr/help/17442

o Firefox: https://support.mozilla.org/fr/kb/activer-desactiver-cookies

o Safari: https://support.apple.com/kb/PH21411?viewlocale=fr_FRocale=fr_CA

o Chrome: https://support.google.com/accounts/answer/61416?hl=fr

o Opera: http://help.opera.com/Windows/10.20/fr/cookies.html

2. How do you configure your privacy settings in your smartphone?

You may decide to reset your Ad ID and change your smartphone’s privacy settings.

To configure your privacy settings:

o Android system: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DAndroidl=fr
o Apple system: https://support.apple.com/fr-fr/HT201265

3. How do you set your analytical cookies?

You can set your browser to reject third-party Cookies by default. You can also choose to block only certain suppliers:

o Google Adwords: plug-ins are available to systematically block cookies
o YouronlineChoices offers to control cookies on a company-by-company basis: http://www.youronlinechoices.com/fr/controler-ses-cookies/
o XITI: you can refuse Cookies by default by logging on to http://www.xiti.com/fr/optout.aspx.

How to make a request to BlueReg?

Any request for information, correction or declaration of events related to personal data processing should be addressed on the page:
GDPR data request form