Prescient Healthcare Group Privacy Notice

This Privacy Notice, effective as of 1 May 2024, amends the prior version effective as of 19 January 2022.

Introduction

Prescient Healthcare Group (“Prescient”) is a global business providing biopharma product and portfolio strategy services to biopharmaceutical clients. Prescient takes its legal, professional and ethical obligations to protect personal data very seriously. We are committed to respecting individuals’ privacy and any information that is capable of identifying someone as an individual (“personal data”).

This Privacy Notice provides information about how we collect, use, disclose, store and protect personal data that are subject to applicable data protection laws, including the European Union (EU) General Data Protection Regulation and the United Kingdom (UK) General Data Protection Regulation (collectively referred to as the “GDPR”), in connection with our websites and our business activities.

This notice describes how we handle personal data when engaging in the following activities:

• Hosting our websites www.prescienthg.com and https://inflexionrx.com
• Sending emails to our clients and those who have completed a webform to receive emails
• Providing consulting services for our clients
• Any other business activities during which we may gather personal data from or about an individual

Prescient’s Location

Our company headquarters are located in London, UK, which serves as our main establishment for the purposes of compliance with the UK Data Protection Act 2018/UK GDPR:

Prescient Healthcare Group (UK) Ltd.
CP House, 97-107 Uxbridge Road
Ealing, London, W5 5TL
United Kingdom

UK’s Information Commissioner’s Office (ICO) registration number: ZA254200

Prescient’s EU-based representative for the purposes of compliance with the EU General Data Protection Regulation is:

Prescient Healthcare Group Deutschland GmbH
Kurt-Blaum-Platz 8
63450 Hanau
Germany

Prescient’s other office locations include:

• Spain
• The United States
• India

What information do we collect?

Prescient takes a data minimisation approach and will not collect more data than needed for the purpose for which they were gathered.

The type of information we may collect includes:

For market research:

• Names
• Email addresses
• Postal addresses
• Phone numbers
• Job titles
• Qualifications and work experience
• Financial information (for example, bank details to process relevant payments)
• Health information
• Socioeconomic background information
• Sexuality or sex life information
• Gender
• Racial or ethnic background information

For other types of research:

• Names
• Email addresses
• Phone numbers
• Job titles
• Qualifications and work experience

For job applicants:

• Names
• Email addresses
• Postal addresses
• Phone numbers
• Job titles
• Qualifications and work experience
• Right to work in a specific country

For vendors:

• Names
• Email addresses
• Postal addresses
• Phone numbers
• Job titles
• Qualifications and work experience
• Financial information (for example, bank details to process relevant payments)
• Debarment list inclusion in line with client contractual obligations

For clients:

• Names
• Email addresses
• Postal addresses
• Phone numbers
• Job titles

as well as any other information provided to us or uploaded to our systems in connection with our services and activities.

When an individual visits Prescient websites, we collect information related to the device, such as the device’s IP address, location data, referring website, what pages the device visited and the time that the device visited our website.

For further information, please read the section below headed “Cookies and Other Tracking Technologies”.

How do we get this information?

Prescient obtains personal data directly from individuals as well as from third parties.

How do we use this information?

Prescient uses the personal data we collect for business purposes such as:

• To provide the services requested by our clients
• To tell prospective clients about our services
• To manage our website and services
• To process job applications
• To conduct research commissioned by our clients
• To carry out business development
• To invoice our clients
• To pay our vendors
• To comply with legal and contractual obligations, such as adverse event reporting

What lawful basis do we use to process personal data?

Prescient requires a lawful legal basis for collecting, processing, transferring and deleting personal data. We will do this only:

• With data subject’s consent;
• To perform a contract;
• To comply with a legal obligation; or
• To fulfil a compelling legitimate interest of Prescient in a manner that is not outweighed by an individual’s rights and freedoms. The legitimate interests that Prescient relies upon are to: run our website effectively, collect information about website visitors, conduct direct marketing, recruit talent, send out and reply to requests for research work, sign legal documents, invoice work, process purchase orders, conduct research commissioned by our clients, create and maintain a do-not-call list, develop business, pay vendors, perform internal audits and comply with contractual agreements.

How do we store, share and disclose information to third parties?

Personal data are securely stored within our environment. Personal data may also be stored with our third-party service providers. We do not rent or sell personal data to anyone. In limited circumstances, we may share and disclose information (including personal data) with third-party service providers that perform business operations on our behalf, such as:

• Auditors and legal advisors
• IT service providers
• Website marketing consultants
• Cloud storage service providers
• With clients in relation to the research work performed

If an individual does not wish to provide personal data to us, we may not be able to provide the services requested.

Privacy Rights

Depending on an individual’s country of citizenship, rights may be available to the individual under applicable data protection laws, including:

• Right to be informed. Data subjects have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR
• Right of access. Data subjects have the right to access and receive a copy of their personal data and other supplementary information relating to themselves. If personal data are transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients
• Right to rectification. Data subjects have the right to have inaccurate personal data rectified, or completed if they are incomplete. Right to erasure (‘right to be forgotten’). Data subjects may request their data to be erased without undue delay if the processing of such data has no legal basis, or if the legal basis has ceased to apply, or if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed
• Right to restriction of processing. Data subjects have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances
• Right to data portability. Data subjects have the right to receive their personal data provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided
• Right to object. Data subjects have the right to object to the processing of their personal data in certain circumstances. Data subjects have an absolute right to stop their data being used for direct marketing. The right to object does not apply if a legal provision requires the data to be processed

Individuals from the UK and EU also have the right to lodge a complaint with the ICO in the UK or the corresponding EU Supervisory Authority about the processing of personal data.

Prescient maintains appropriate registrations with the UK’s ICO, which can be viewed on the ICO’s website. Prescient maintains an appropriate registration with the applicable German supervisory authority, the Hessian Commissioner for Data Protection and Freedom of Information.

Prescient’s EU-based representative for the purposes of compliance with the EU General Data Protection Regulation is Prescient Healthcare Group Deutschland GmbH.

If an individual based in the EU wishes to raise a question to Prescient, or otherwise exercise rights in regard to personal data, they may do so by:

• sending an email to Prescient at dataprotection@prescienthg.com or
• mailing the inquiry to Prescient at Prescient Healthcare Group Deutschland GmbH, Kurt-Blaum-Platz 8, 63450 Hanau, Germany

Retention

We keep different categories of personal information for different time periods according to our retention policy.

International Data Transfers

Whenever we transfer personal data to another jurisdiction, we take appropriate steps to protect personal data, including the following:

• Entering into agreements within our group of companies or any third parties we work with which include clauses that offer adequate protection for personal data
• Otherwise ensuring that information will only be transferred to third parties in jurisdictions that have at least the same data privacy protection for personal data as the jurisdiction from which the personal data originate

Data Security

Prescient uses technical, organisational and administrative security measures and has implemented an information security management system conforming to the ISO27001:2022 standard to protect any personal data we hold, transmit, store or otherwise process from accidental or unlawful destruction, loss, unauthorised disclosure or access, to ensure the ongoing confidentiality, integrity and availability of information assets.

Prescient’s organisational and administrative security measures are monitored, reviewed and regularly enhanced to ensure continual improvement.

Children

We do not intend to collect or solicit personal data from anyone under the age of 13. From time to time, our market research work may require the processing of children’s personal data. Those involved and their parent or guardian will receive further privacy information relevant to their participation.

Cookies and Other Tracking Technologies

We use cookies on our websites.

What are cookies?

A cookie is a small piece of data (text file) that a website – when visited by a user – asks their browser to store on their device in order to remember information, such as language preference or login information. Those cookies are set by Prescient and called first-party cookies. We may also use third-party cookies, which are cookies from a domain different than Prescient’s. For example, we use third-party cookies for our advertising and marketing efforts, as well as to understand how users browse our website.

Why do we use cookies?

We use cookies and other tracking technologies for the following purposes:

Help us and third parties obtain information about visits to our website
Analyse visiting patterns to improve our website
Deliver advertising, communications and content from us and third parties, on our website and those of third parties
Remember language and other preferences of users
Help users obtain information
Measure how many people use our website and how they use it
Keep our website running efficiently

What types of cookies do we use and how do we use them?

Below is a detailed list of the cookies we use on our website. Our websites are regularly scanned to maintain a list that is as accurate as possible. We classify cookies in the following categories:

• Strictly Necessary Cookies
• Performance Cookies
• Functional Cookies
• Targeting Cookies

Individuals can opt out of each cookie category except for Strictly Necessary Cookies.

By using our website, users may consent to the collection, use and storage of personal data by Prescient. If a user does not consent to the use of our cookies by accepting the cookies banner, then no personal data will be collected.

To stop receiving promotional email communications from Prescient, please follow the instructions in those emails or click here to unsubscribe.

Updates to the Privacy Notice

We’re constantly trying to improve our websites and services and we recognise that data protection and data privacy is an ongoing responsibility, so we will update this Privacy Notice from time to time when we implement new practices or adopt new privacy policies. We will alert users to material changes by, for example, placing a notice on our website and/or by sending an email (if we have an email address registered with us) when we are required to do so by applicable law.

Contact Us

Prescient Healthcare Group (UK) Ltd.
CP House, 97-107 Uxbridge Road
Ealing, London W5 5TL
United Kingdom

To contact our Data Protection Officer: dataprotection@prescienthg.com