DATA PROTECTION

The information below is also available as a PDF document

  1. PURPOSE

    The purpose of this Policy is to define how Sirtex collects, uses and discloses personal information.

  2. SCOPE

    This Policy applies to all personal information collected and used by Sirtex Medical Pty Ltd and all its subsidiary companies in all countries of operation.

  3. ASSOCIATED DOCUMENTS / APPENDICES
    1. CPOL023 - Storage and Management of US Patient Protected Health Information
  4. DEFINITIONS
    1. GDPR: General Data Protection Regulation. The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
    2. LGPD: Law No. 13,709/2018 (General Data Protection Law) aims to guarantee privacy and protect the personal data of individuals collected and processed in Brazil or collected in Brazil and processed in other countries.
    3. Personal information: For the purposes of this Policy “personal information” (or “personal data”) means any information related to an identified or identifiable natural person. This includes, for example, your name, your address and your IP address.
    4. Processing: Any operation or set of operations performed on any personal information, whether or not by automatic means, including but not limited to collection, generation, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, evaluation or control of the information, deletion, modification, communication, transfer, dissemination or extraction.
    5. Data controller: The natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data (“data controller” or “controller”).
    6. Data operator: The natural or legal person, public or private, who processes personal data on behalf of the data controller (“data operator” or “operator”).
  5. RESPONSIBILITIES
    1. All Sirtex personnel are responsible for reading, understanding and complying with all formal Sirtex policies, procedures and protocols, including those related to privacy and personal data for Processing to take place in accordance with the applicable legislation.
  6. TRAINING
    1. All Sirtex personnel will be aware of this policy and suitably trained in their responsibilities under this policy.
  7. POLICY
    1. Introduction

      Sirtex Medical Pty Ltd. and all of its subsidiaries are committed to protecting the privacy of information, and to handling personal information in a responsible manner in accordance with all appropriate legislation concerning privacy in countries and regions in which Sirtex operates and/or where Sirtex products are distributed, including but not limited to the GDPR, the LGPD, and the US Health Insurance Portability and Accountability Act of 1996 (HIPAA), (collectively referred to as privacy legislation).

      This Privacy Policy explains how Sirtex collects, uses and discloses personal information, how any person may access that information, and how any person may seek the correction of any information. It also explains how any person may make a complaint about a breach of privacy legislation. Personal information related to patients using Sirtex products (including PHI) is also governed by CPOL023 (Sirtex Policies and Procedures for Storage & Management of U.S. Patient Protected Health Information).

      EU residents may find specific information on the data processing, including the relevant legal bases and their rights regarding the processing, in Section 7.20 of this Policy.

      Residents of Brazil can find specific information on data processing, including the relevant legal bases and their rights in relation to processing, in Section 7.21 of this Policy.

      By providing personal information to Sirtex, any person:

      a. confirms that they understand that their personal information, including health information, will be collected and processed as described in this Privacy Policy, and in accordance with any other explanation they may be given at the time of providing the information; and

      b. consents and agrees to such collection and processing.
      In addition, if any person is providing personal information to Sirtex on behalf of someone else (for example, as their caretaker, parent or legal guardian), that person confirms that they have authority to consent to the use of the information as described in this Privacy Policy.

      If any person does not consent to the collection, use and disclosure of their personal information (including health information) as set forth in this Privacy Policy, they should not provide personal information to Sirtex.

      From time to time Sirtex may make changes to the policy, processes and systems in relation to how Sirtex handles personal information. Sirtex will update this Privacy Policy to reflect any changes, which will be available on the Sirtex website.

    2. Types of Personal Information Sirtex Collects
      The type of personal information that may be collected will depend on Sirtex’s relationship with the person, and the circumstances of collection.

      1. General Information
        The information Sirtex collects from any person may include personal details, for example:

        1. name and gender;
        2. address;
        3. age, date of birth, weight and height;
        4. e-mail address;
        5. phone number(s) and fax number(s);
        6. other contact information;
        7. health information relating to the person (including details of medical history, diagnosis, treatment and prognosis); and/or
        8. details of relevant health care professional(s).
        The information Sirtex collects from any person may also include:

        1. details of any specific products, services or clinical trials they want to learn about;
        2. photographs/images (where authorized); and
        3. information provided in “free text” fields when completing information sheets and forms, such as pre-treatment evaluation forms.

        Information about the health of persons is referred to in this Privacy Policy as "health information".

      2. Contractors, Officers & Employees
        For contractors, officers and persons seeking employment with Sirtex, Sirtex may collect the following information:

          1. name, gender and date of birth;
          2. residential address, email address, contact telephone numbers and emergency contact details;
          3. personal resumes which may contain details of education and work history, personal interests, details of referees and other information relevant to the individual;
          4. documents provided as evidence of skills, qualifications, training, work history, identity and legal right to work;
          5. bank account details, superannuation details and tax file number, employee records (including leave entitlements, salary details and performance review information); and
          6. doctors’ certificates in the case of sick leave.
      3. Health Professionals
        If the person is a healthcare professional interacting with Sirtex in their professional capacity, Sirtex may collect personal information about them including:

        1. medical specialty;
        2. clinical interests;
        3. details of the clinics worked at or owned;
        4. details of Sirtex products purchased;
        5. language; and
        6. details of education, qualifications and experience;

        so as to provide better tailored information about Sirtex products and services.

    3. From whom does Sirtex collect personal information?

      Wherever practicable Sirtex will only collect information from the person directly. However, Sirtex may also need to collect information from other sources such as treating health care providers, carers and guardians. Where personal data is obtained from a third person other than the data subject, the data subject must be informed about the data processing after the information has been obtained.

      In the case of persons seeking employment with Sirtex, information in an applicant’s resume may be verified by contacting referees. Sirtex may also obtain information about an individual seeking employment from a recruiter.

      Salary survey data, which is used to assess and determine the salaries paid to Sirtex officers and staff, may be collected from third parties.

      Sirtex will only collect information from third parties when it is not reasonable and practical to collect the information from any person directly.

    4. When does Sirtex collect Personal Information?
      Information may be collected by medical and non-medical staff. Sirtex collects information about any person when they:

      1. request information about Sirtex products, services and/or clinical trials;
      2. telephone, email or write to Sirtex;
      3. use a Sirtex website;
      4. apply to, and/or participate in a clinical trial;
      5. apply to, and/or participate in conducting clinical trials;
      6. attend Sirtex presentations or training sessions;
      7. complete Sirtex application forms or feedback forms;
      8. fill in application forms or information forms on websites linked to Sirtex;
      9. apply for work experience or employment with Sirtex;
      10. commence employment with Sirtex; and/or
      11. accept an offer of employment or enter into a contract with Sirtex.

      Sirtex may also need to collect personal and sensitive information in order to comply with legal obligations.

    5. How Sirtex stores information

      Personal information is stored and held in a combination of hard copy and electronic files maintained by Sirtex, on personal devices including laptop computers, and on Internet servers hosted in the cloud.

      Sirtex may combine information made available from a variety of sources. This enables Sirtex to analyze the data in order to gain useful insights which can be used for the purposes mentioned in Section 7 of this Privacy Policy.

    6. How is Personal Information Used?
      1. Use of Personal Information

        Sirtex uses personal information that is reasonably necessary for one or more functions (the primary purpose), or for a related secondary purpose that would be reasonably expected by any person, or to which any person has consented.

        Sirtex may use any person’s information for the following purposes:

        1. to establish their identity;
        2. to provide the products, information and/or services requested;
        3. to evaluate whether an individual is suitable to participate in a clinical trial;
        4. to evaluate whether an individual is suitable to conduct a clinical trial;
        5. to engage individuals to participate in clinical trials;
        6. to engage medical staff to conduct clinical trials;
        7. for medical research purposes;
        8. to comply with regulatory requirements, such as maintaining a record of medical queries, complaints, adverse events and recalls relating to Sirtex products;
        9. to contact any person to satisfy any of our legal or regulatory obligations;
        10. to create a profile from the interactions Sirtex has with any person to help Sirtex understand what information that person might be interested in receiving (subject to receiving any appropriate consent which may be required);
        11. to invite any person to participate in surveys and provide feedback to Sirtex (subject to receiving any appropriate consent which may be required);
        12. to deal with queries, requests or complaints;
        13. to provide a personalized experience when any person interfaces with Sirtex (subject to receiving any appropriate consent which may be required);
        14. to contact any person with information and notices related to their use of Sirtex websites (subject to receiving any appropriate consent which may be required);
        15. to improve the content, functionality and usability of Sirtex websites; and
        16. to manage the relationship between Sirtex and officers, contractors and employees (including making salary and superannuation payments, managing performance and managing a person’s career with Sirtex).

        When collecting personal data Sirtex will inform the data subject as to which specific categories of personal data are being collected and for which purposes.

      2. Job Applicants

        Data provided by any person to support their job application is used for the purpose of managing the Sirtex recruitment process. Sirtex may keep a record of the application in order to contact that person about future job opportunities and send emails about job opportunities with Sirtex. Any person can request to have their applicant profile and personal information changed or deleted at any time by contacting Sirtex using the contact details provided for in Section 7.23 of this Privacy Policy.

    7. Direct Marketing

      Sirtex does not generally engage in direct marketing activities. However, on occasion Sirtex may communicate with individuals by email and other forms of communication. If any person does not want to receive emails and/or other communications from Sirtex, they can inform Sirtex at any time. Any person may opt out of electronic communications by contacting Sirtex using the contact details provided for in Section 7.23 of this Privacy Policy.

    8. Sensitive Information

      Sirtex only collects sensitive information reasonably necessary for one or more of the uses specified in Section 7.2 of this Privacy Policy, if Sirtex has the consent of the individual to whom the sensitive information relates, or if the collection is:

      1. necessary to lessen or prevent a serious threat to life, health or safety;
      2. necessary pursuant to a legal requirement;
      3. required for another permitted general situation (as defined in international privacy legislation); or
      4. for a permitted health situation (as defined in international privacy legislation).
    9. Disclosure
      1. Subsidiaries and Related Bodies Corporate

        Sirtex will treat personal information as strictly private and confidential. Sirtex may however on occasion exchange personal information with Subsidiaries and/or Related Bodies Corporate of Sirtex Medical Pty Ltd, and with Sirtex distributors who are required to comply with this Privacy Policy. These entities may use the personal information for the purposes specified in Section 7 of this Privacy Policy.

      2. Third Parties

        It may be necessary for Sirtex to disclose personal information to certain third parties in order to assist Sirtex with one or more functions or activities, or where permitted or required by law. Third parties may include:

        1. clinics or hospitals (where treatment is received, and/or clinical trials are performed);
        2. medical practitioners and related staff;
        3. health insurers and health service providers;
        4. those to whom Sirtex outsources certain functions, for example information technology support;
        5. auditors and insurers;
        6. government and law enforcement agencies and regulators; and
        7. entities established to help identify illegal activities and prevent fraud.
      3. Sale of Business / Restructure

        If all or any part of Sirtex business is sold, restructured or integrated with another group of companies, personal information may be transferred to another party. Those parties will be bound by the requirements of this Privacy Policy and will be required to use the personal information in the same ways as set out in this Privacy Policy.

      4. Service Providers

        Sirtex service providers are required by contract to protect the confidentiality of the personal information Sirtex shares with them, and to use it only to provide services on behalf of Sirtex.

      5. When does Sirtex disclose Personal Information?

        Sirtex may disclose personal information from time to time, only if one or more of the following apply:

        1. the person has consented;
        2. the person would reasonably expect Sirtex to use or disclose their personal information in that way;
        3. Sirtex is authorized or required to do so by law;
        4. disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety;
        5. a permitted general situation applies (as defined in international privacy legislation) or a permitted health situation applies (as defined in international privacy legislation); or
        6. disclosure is reasonably necessary for a law enforcement related activity, or is required by a Government body or agency, or by a Court of law.
      6. Officers, employees or contractors

        Sirtex does not disclose personal information about officers, employees or contractors to any third parties (including overseas entities), unless prior consent is obtained from the relevant individual. Personal information about officers, employees or contractors may however be disclosed if required:

        1. pursuant to a legal requirement; or
        2. by an enforcement agency, Government body, or by a Court of law.
    10. Overseas Recipients
      1. Sirtex Businesses worldwide

        Sirtex Medical Pty Ltd has business operations in numerous locations worldwide. By sharing personal information with Sirtex, that personal information may be transferred to, or be accessible by businesses in other countries that form part of the Sirtex group.

        The countries in which such recipients are likely to be located are Australia, Singapore, Brazil, United States & Germany.

      2. Service Providers

        Information may be provided to service providers located throughout the world. The locations of the service providers may change from time to time.

        The countries in which service providers are likely to be located are Australia, Singapore, Brazil, United States & Germany.

      3. Transfer of Personal Information to a Foreign Recipient

        Sirtex may transfer personal information to a foreign recipient, only if:

        1. Sirtex reasonably believes that the recipient is subject to law, or a binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the laws in the originating country; and there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
        2. the disclosure is required or authorized by law or a court/tribunal order; or
        3. the transfer is necessary for the performance of a contract / arrangement with the individual (from which the information was collected); or
        4. the transfer is for the benefit of the individual (and the other requirements are met); or
        5. the individual consents to the transfer.
      4. Assessment of Foreign Privacy Laws

        When disclosure is to be made to a known overseas entity, Sirtex will take reasonable steps to assess the privacy laws of the country where information will be disclosed to determine whether the overseas recipient is required to comply with privacy laws that are at least as stringent as the originating country’s requirements in relation to information. Sirtex service providers are required to enter into a contract pursuant to which they agree to protect the confidentiality of the personal information Sirtex shares with them, and to use the information only to provide services on behalf of Sirtex.

    11. Cookies used on our websites

      Sirtex websites, like most websites on the Internet, use cookies. A cookie is a small text file that is placed on your computer or mobile device when you visit the website. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, for example so you don’t have to re-enter them whenever you come back to the website or browse from one page to another. Cookies can be “persistent” or “session” cookies. While persistent cookies remain on your computer when you go offline, session cookies will be deleted as soon as you close your web browser.

      Sirtex makes use of Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"), which uses cookies to analyze how users use the website. The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States, under a data processing agreement between Sirtex and Google. However, note that we have activated the IP anonymization function on our Sirtex websites. As a result, the users’ IP address is truncated by Google within member states of the European Union or other Contracting States to the Agreement on the European Economic Area prior to transmission to the United States. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there.

      At the request of Sirtex, Google will use this information for the purpose of measuring any person’s activity on our website, compiling statistical reports on overall website activity for Sirtex on an anonymous basis and providing other services relating to website activity and internet usage. The IP address transmitted as part of Google Analytics will not be merged with other Google data.

      Any person may refuse the use of cookies by selecting the appropriate settings on their browser. Some browser manufacturers provide comprehensive help relating to cookie management in their products. Please see below for more information:

      1. Google Chrome: https://support.google.com/chrome/answer/95647?hl=en-GB
      2. Internet Explorer and/or Edge: https://support.microsoft.com/en-us/help/260971/description-of-cookies
      3. Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
      4. Safari (Desktop): https://support.apple.com/kb/PH5042?locale=en_US
      5. Safari (Mobile): https://support.apple.com/en-us/HT201265
      6. Android Browser: https://support.google.com/nexus/answer/54068?visit_id=0-636612941590933601-131731679&hl=en&rd=1
      7. Opera: https://www.opera.com/help

      In addition, any person can prevent the collection of the data generated by the cookie by Google, as well as the processing of this data by Google, by downloading and installing the Google-published browser plug-in available from the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

    12. Data Quality

      Sirtex takes all reasonable steps to ensure the personal information Sirtex holds, uses and discloses is accurate, complete and up-to-date. These steps include ensuring that the personal information is accurate, complete and up-to-date at the time of collection, and when using or disclosing the personal information.

      On an ongoing basis Sirtex maintains and updates personal information when Sirtex is advised by any person, or when Sirtex becomes aware through other means, that the personal information has changed. Please contact Sirtex if any of the details provided to Sirtex change. Any person should also contact Sirtex if they believe that the personal information Sirtex holds about them is not accurate, complete or up-to-date.

    13. Security

      Sirtex has put in place safeguards to protect the personal information Sirtex holds from misuse, interference, loss and unauthorized access, modification or disclosure by using industry standard software protection programs. Personal information is only accessible by officers and employees of Sirtex (strictly on a need to know basis), unless it is disclosed to another party in accordance with this Privacy Policy.

      Employee personal information is retained in secure hard copy and electronic files, and is only accessible by human resources staff, accounts staff and directors on a need to know basis.

      Whilst Sirtex endeavors to take all appropriate measures, Sirtex cannot guarantee the security of personal information sent online. Persons must bear this in mind when providing personal information online to Sirtex.

    14. Information that is no longer required

      If Sirtex no longer needs the personal information for any purpose for which it may use or disclose the information (for example when an employee has been terminated), and the information is not otherwise required to be kept under applicable law or court order, Sirtex will take reasonable steps to destroy or permanently de-identify the information as appropriate.

    15. Unsolicited Information

      Sometimes Sirtex may be provided with personal information without having sought it through normal means of collection. Sirtex refers to this as “unsolicited information”. Where Sirtex collects unsolicited information Sirtex will only hold, use and/or disclose that information if Sirtex could otherwise do so had Sirtex collected it by normal means. If that unsolicited information could not have been collected by normal means then Sirtex will destroy, permanently delete or de-identify the information as appropriate.

    16. How to gain access to personal information Sirtex holds

      Persons may request access to the personal information Sirtex holds about them, or request that Sirtex change and/or update the personal information Sirtex holds, by contacting Sirtex in writing. Upon request, Sirtex will give any person access to the personal information held about them, unless specific limitations apply (for example, if the request is frivolous or vexatious, or providing access would be unlawful).

      Sirtex will respond to a request for access to personal information within a reasonable period after the request is made and give access to the personal information in the manner requested, if it is reasonable and practicable to do so.

      If Sirtex does not agree to provide any person with access, or to amend their personal information as requested, the person will be notified accordingly. Where appropriate Sirtex will provide the reason/s for the decision, and the mechanisms available to complain about the refusal. If the rejection relates to a request to change a person’s personal information, that person may make a statement about the requested change and Sirtex will attach this to their record.

      Where the request to access personal information is made by or on behalf of a current or former employee, disclosure of such information shall be made in line with the prevailing privacy legislation in that jurisdiction.

    17. Complaints

      If any person has a complaint about the privacy of their personal information, Sirtex requests that they contact Sirtex in writing by email, letter, facsimile or personal delivery to any one of the Sirtex contact details set out below. Any person may also make a complaint verbally. Upon receipt of a complaint Sirtex will consider the details and attempt to resolve the matter in accordance with Sirtex complaints handling procedures.

      Sirtex will respond to the complaint within a reasonable time (usually no longer than 30 days), and Sirtex may seek further information from the person in order to provide that person with a full and complete response.

      If any person is dissatisfied with Sirtex’s handling of a complaint or the outcome, they may make an application or complaint to the applicable governmental authority in their jurisdiction overseeing data privacy matters.

      If you are in Brazil, please refer to Section 7.21 for details on how to submit complaints and/or for information on your rights relating to the processing of your personal data.

    18. Overseas Transfer of Data

      If any person chooses to provide Sirtex with personal information, that person understands and consents to the transfer of their information to Sirtex locations and systems in Australia and around the world.

    19. Links to other websites

      Sirtex websites may contain links to other websites. Sirtex does not share personal information with those websites, and Sirtex is not responsible for their privacy practices. Sirtex is not responsible or liable for, and does not endorse, the data privacy practices or the content of any other linked sites.

    20. Information for EU Residents

      In the course of visiting our websites, contacting us, or applying for a job we may process the following personal information:

      1. Contacting us

        Any person can contact Sirtex using the contact form provided on the website, or via e-mail or phone, e.g. to request information about Sirtex products, services or clinical trials. In this case Sirtex processes the details from the inquiry form, including the contact details (e.g. name, e-mail address, country of origin), the sender’s role, the topic of the request and any other information provided by the sender in the inquiry. Sirtex will use this information to respond to the communication, fulfil the request, or provide other support. The legal basis is Art. 6 (1) 1 lit. b GDPR. The information will be deleted after the inquiry is concluded.

      2. Visiting the Sirtex websites

        If a person visits a Sirtex website without using the service offered by Sirtex and without providing Sirtex with personal data, Sirtex automatically collects information about the user in so-called server log files. This information includes the browser type and browser version, the operating system used, the referrer URL, the host name of the accessing computer, time of service request, and the IP address. The user’s browser automatically sends this information to Sirtex.

        The legal basis for the processing of personal data is Art. 6 (1) 1 lit. b GDPR and Art. 6 (1) 1 lit. f GDPR. We have a legitimate interest in ensuring the security, stability and effective use of our website. We assume that the problem-free use of the website is in your interest as well.

        Regarding the use of cookies on Sirtex websites please see Section 7.11 above.

      3. Job applications

        For persons seeking employment Sirtex collects the following personal data:

        1. applicant’s name, gender, date of birth, residential address, e-mail address, telephone number and marital status;
        2. personal resumes which may contain details of education and work history, personal interests, details of referees and other information relevant to the individual;
        3. documents provided as evidence of skills, qualifications, training, work history, identity and legal right to work.

        Where the applicant is a health professional, this may additionally include the data listed in Section 7.2.3.

        Personal data provided by any person to support their job application is used for the purpose of managing the Sirtex recruitment process. The legal basis is Art. 6 (1) 1 lit. b GDPR.

        If the application process is completed without an offer for employment the personal data will be deleted six months after the conclusion of the recruitment process, unless the applicant agrees that Sirtex will keep a record of the application in order to contact that person about future job opportunities, and send emails about job opportunities with Sirtex. The legal basis is Art.6 (1) 1 lit. a GDPR. The consent is given freely and can be withdrawn any time with effect for the future.

        If an employment contract is concluded, Sirtex uses the above-mentioned personal data as well as the following additional data to prepare and perform the employment contract:

        1. copy of passport, nationality, health insurance provider, social security number, start date of employment;
        2. bank account details, superannuation details and tax file number, employee records (including leave entitlements, salary details and performance review information); and
        3. doctors’ certificates in the case of sick leave.

        The legal basis for processing is Art. 6 (1) 1 lit. b GDPR. The personal data will be stored for the duration of the employment. Legal retention obligations remain unaffected.

      4. Application and/or participation in a clinical trial

        If a person is interested in applying for and/or participating in a clinical trial, Sirtex will then provide more information on the intended data processing prior to the application, including with regard to health data, where an explicit consent will generally be necessary. Sirtex may then process the data listed in Section 7.2.1. The data will be used by Sirtex to evaluate whether an individual is suitable to participate in a clinical trial. The details of the clinical trial, including the relevant data processing, will be outlined in the Patient Information Sheet & Consent Form that any person will be provided before participating in a clinical trial. The personal data, particularly the health data, will only be processed for the clinical trial after the person has consented. The legal basis is Art. 6 (1) 1 lit. a GDPR.

      5. Application and/or participation in conducting a clinical trial

        If a person is interested in applying for and/or participating in the conduct of a clinical trial, Sirtex will then provide more information on the intended data processing prior to the application, including with regard to health data, where an explicit consent will generally be necessary. Sirtex processes the personal data of health professionals listed in Section 7.2.3 for the purposes of applying to, and/or participating in, conducting clinical trials. The legal basis is Art. 6 (1) 1 lit. b GDPR. The data will be deleted as soon as it is no longer needed for the above-mentioned purposes.

      6. Attending Sirtex presentations or training sessions

        If a person is interested in attending a Sirtex presentation or training session, Sirtex will process the person’s name and contact details (address, e-mail address). If the person is a health professional, Sirtex may additionally use the personal data listed in Section 7.2.3.

      7. Advertisement

        Sirtex may use some of the personal information (e.g. in particular health information) to create a profile from the interactions Sirtex has with any person to help Sirtex understand what information that person might be interested in receiving, to invite any person to participate in surveys and provide feedback to Sirtex, to provide a personalized experience when any person interfaces with Sirtex and/or to contact any person with information and notices related to their use of Sirtex websites. In these instances, an explicit consent is necessary.

        The legal basis is Art. 6 (1) 1 lit. f GDPR. Sirtex has a legitimate interest in analysing its customers’ interests and providing direct marketing upon receipt of appropriate consent.

      8. Automated decision making

        Please note that we do not use your personal data for automated decision making which produces legal effects concerning you or similarly significantly affects you.

      9. Sharing of personal information

        It may be necessary for Sirtex to disclose personal information to certain third parties in order to assist Sirtex with one or more functions or activities, or where permitted or required by law. Third parties may include the following categories of recipients:

        1. clinics or hospitals (where treatment is received and/or clinical trials are performed);
        2. medical practitioners and related staff;
        3. health insurers and health service providers;
        4. those to whom Sirtex outsources certain functions, for example information technology support;
        5. auditors and insurers;
        6. government and law enforcement agencies and regulators; and
        7. entities established to help identify illegal activities and prevent fraud.

        Where Sirtex shares some of the above-mentioned personal information with third party agents that perform services on Sirtex’ behalf (e.g. technical service providers), Sirtex will conclude data processing agreements to ensure that service providers only use the information shared with them for the specific tasks requested from them and consistent with this Privacy Policy, and for no other purposes. The legal basis for this data transfer and processing activity is Art. 28 GDPR in conjunction with the respective data processing agreement.

        Where the transfer is necessary to fulfil a contract, the legal basis is Art. 6 (1) 1 lit. b GDPR. If Sirtex is required to transfer data by law, the legal basis is Art. 6 (1) 1 lit. c GDPR.

        Where the third party is located outside the European Union and/or the European Economic Area, particularly in Australia, Singapore or the USA, Sirtex will only transfer data to recipients in these countries if an adequate level of data protection at the location of the recipient is ensured, e.g. because the recipient and Sirtex have concluded standard contractual clauses (for processors: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32010D0087, for controllers: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32004D0915).

      10. Legal disclosure

        Sirtex may use the personal information listed above to comply with regulatory requirements, such as maintaining a record of medical queries, complaints, adverse events and recalls relating to Sirtex products and/or to contact any person to satisfy any of our legal or regulatory obligations. This may also include disclosure of personal information if such disclosure may prevent the investigation of a crime, facilitate an investigation related to public safety, protect the security or integrity of our service, or enable us to take precautions against liability or to protect our rights. The legal basis for such disclosure is Art. 6 (1) 1 lit. c (“compliance with legal obligation”) and lit. f (“legitimate interest”) GDPR. It is our legitimate interest to comply with the legal requirements of EU Member States and Australian law.

      11. Subject data rights

        Data subjects based in the European Union may be entitled to exercise some or all of the following rights:

        1. require (i) information whether his/her personal information is retained and (ii) access to and/or duplicates of his/her personal information retained, including the purposes of the processing, the categories of personal information concerned, and the data recipients as well as potential retention periods;
        2. request rectification, removal or restriction of his/her personal information, e.g. because (i) it is incomplete or inaccurate, (ii) it is no longer needed for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn;
        3. refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw his/her consent to processing of their personal information at any time;
        4. object, on grounds relating to his/her particular situation, to processing of his/her personal information, in case such processing is either based on Sirtex’ or a third party’s legitimate interests or on a performance of a task carried out in the public interest. In this case, the data subject shall provide Sirtex with information about his/her particular situation. After the assessment of the facts presented by the data subject, Sirtex will either stop processing his/her personal information or present him/her Sirtex’ compelling legitimate grounds for an ongoing processing;
        5. object to the use of his/her personal data for direct marketing at any time;
        6. take legal actions in relation to any potential breach of his/her rights regarding the processing of his/her personal information, as well as lodge complaints before the competent data protection regulators; and/or
        7. require (i) to receive the personal information concerning him/her, which the data subject has provided to Sirtex, in a structured, commonly used and machine-readable format and (ii) to transmit those data to another controller without hindrance from Sirtex’ side; where technically feasible the data subject shall have the right to have the personal information transmitted directly from Sirtex to another controller.

        You may (i) exercise the rights referred to above or (ii) pose any questions or (iii) make any complaints regarding our data processing by contacting us under the contact details set out in Section 7.23.

    21. Information for Residents of Brazil
      1. Contact in Brazil

        If you need any information, clarification or assistance regarding the processing of your personal data in Brazil, Sirtex has the following means of communication available:

        E-mail: privacy@sirtex.com

        Data Protection Officer (DPO): The Data Protection Officer (DPO) is the person appointed by Sirtex who is responsible for meeting the demands of personal data subjects. If you have any questions about how Sirtex uses your personal information, please contact the person indicated below:

        Name: James Kim
        E-mail: james.kim@sirtex.com

      2. Subject Data Rights

        You, as the holder of personal data, may exercise before Sirtex, upon request, when Sirtex is the controller of said data, all the rights described in the applicable legislation, including:

        1. Information: The right of the data subject to receive clear and easy-to-understand information about how Sirtex uses their personal data;
        2. Access: The data subject's right to obtain access to their personal data processed by Sirtex;
        3. Correction: The data subject's right to have their personal data corrected if it is found to be inaccurate, out of date or incomplete;
        4. Anonymization, Deletion or Blocking: Rights of the data subject to request the anonymization, deletion or blocking of the use of personal data processed by Sirtex in an excessive, unnecessary manner or in non-compliance with data protection legislation;
        5. Revocation of Consent: The right of the data subject to request the deletion of personal data when the processing of the data is carried out by Sirtex on the basis of the data subject's consent (revocation of consent);
        6. Portability: The data subject's right to request that their personal data be sent to another service/product provider; and
        7. Objection: The data subject's right to object to Sirtex's processing of their data in breach of applicable law, when not based on the data subject's consent.

        Sirtex will always use its best efforts to respond to requests from personal data subjects as quickly as possible. However, if the request requires a specific timeframe or cannot be fulfilled, Sirtex will inform you of the estimated timeframe for its fulfillment or the technical and/or legal reasons for its non-fulfillment, as the case may be, while always complying with the applicable legislation.

      3. Retention/Deletion of Personal Data

        As a general rule, personal data collected by Sirtex, both in its capacity as data controller and as data operator, is retained for as long as it is necessary and appropriate to achieve the purposes for which it was collected, subject to the terms and conditions of the applicable laws, and may be deleted at the end of its processing or when the customer or user so requests. Where this is the case, Sirtex will inform any partners and/or suppliers that it has subcontracted directly for the performance of the contract with the customer of the obligation to delete or return any personal data shared with them.

    22. Updates to this Privacy Policy

      Sirtex may update or amend this Privacy Policy at any time by posting a revised version on the Sirtex website. Unless stated otherwise, this current Privacy Policy applies to all information that Sirtex has about any person.

    23. Contact

      Should any person wish to access their information, change their contact preferences, receive further information about this Privacy Policy, express concerns about how Sirtex handles their personal information, or revoke the consents they have given for the use of their personal information, they can contact Sirtex by:

      1. Post/Mail: Sirtex Medical Pty Ltd
        c/o Sirtex Medical, Inc., Human Resources Department, 300 Unicorn Park Drive,
        Woburn, MA 01801, United States of America
      2. Emailing: privacy@sirtex.com; or
      3. Calling: +1 781 721 3800.

      If practical, any person can contact Sirtex anonymously (i.e. without identifying themselves) or by using a pseudonym. However, if any person chooses not to identify themselves, Sirtex may not be able to give that person the information or provide the assistance they might otherwise receive if it is not practical to do so.

  8. REVISION HISTORY

    CR#   Rev.  Issue Date   Description of Change
    2084  0     Nov 2016     New CPOL
    2416  1     Aug 2018     Updated to reflect requirements of GDPR and ensure HIPAA Compliance.
    -     -     Dec 2018     Minor changes as part of annual policy review
    -     -     Oct 2020     Regional localization and minor changes as part of general policy review
    2701  2     16 Dec 2020  Minor changes as part of annual policy review, also reformatted CPOL into new SOP/WI template.
    3549  03    07 May 2024  Updated to reflect Brazilian privacy requirements. Updated to current document template.