PRIVACY POLICY

Our commitment

SANOFI fully understands the importance of privacy and the protection of personal data in the digital era and is committed to ensure an adequate level of data protection for all persons with whom Sanofi has dealings. This includes, notably:

Patients and their relatives or close ones,

participants in clinical trials,

healthcare professionals,

users of our products and services, including websites and apps users,

representatives of our contractors and business partners,

representatives of the scientific community etc.

job applicants.

What you will find in this document

This Global Privacy & Data Protection Policy (“Policy”) describes SANOFI’s global practices to ensure an adequate protection of personal data, i.e. any information relating to an identified or identifiable natural person, for all data processing carried out in the framework of its business and activities (“Personal Data”).

The objective of this Policy is to help you understand:

THE PURPOSES: for what reasons and purposes SANOFI processes your Personal Data

ON WHAT GROUND: on what basis does SANOFI process your Personal Data

WHERE FROM: from what sources does SANOFI collect your Personal Data

WHO: who are the authorized parties that SANOFI may disclose your Personal Data to

WHERE: where SANOFI and its authorized parties may process your Personal Data

HOW SECURE: what SANOFI does to protect your Personal Data

HOW LONG: SANOFI’s approach to defining the term of retention of your Personal Data

YOUR RIGHTS: what your rights are and how you can exercise them

HOW TO CONTACT US: where and how you can reach us if you wish to exercise your rights or if you have a question

What processing activities does this Policy cover?

This Policy is intended to apply to all processing activities SANOFI conducts towards the persons it deals with in its professional business activities. Specific privacy and data protection information notices (“Privacy Notice”) and/or consent forms will, if necessary, be communicated to you regarding specific situations where SANOFI may process your Personal Data. These Privacy Notices shall describe in more detail how your Personal Data will be processed in relation with the processing in question. If the legislation of your country so requires, this Policy and/or Privacy Notices may be supplemented by local mandatory provisions, as the case may be.

SANOFI’s role

For the purposes of this Policy SANOFI means Sanofi and all its affiliates. Each Privacy Notice shall set out which SANOFI entity determines for what reasons (i.e. the purposes) your Personal Data is processed as well as the resources (i.e. the means) allocated to such processing.

Validity and evolution of this Policy

This Policy may be modified by SANOFI, from time to time, in particular to adapt its terms to evolutions or changes of applicable legislations and/or to SANOFI’s practices. Changes will be available on this page. We invite you to check this Policy periodically.

The purposes: SANOFI will always collect your Personal Data for explicit and legitimate purposes

SANOFI collects your Personal Data for the following purposes:

to carry out our business operations ; carry out marketing and sales ; respond to your requests; to keep track of our interactions and meetings, such as when you contact us for information and support ;

to comply with legal or regulatory obligations that apply to SANOFI ; monitor safety ; manage adverse events ; carry out prevention and investigatory activities ; carry out administrative formalities, registration, declarations or audits.

to provide patient support, healthcare support services, patient engagement and prescription information ; manage claims, including insurance claims ;

to conduct research and development; carry out clinical studies, registries and trials ; manage and validate the recruitment and participation of individuals to studies, trials and other operations ; analyze demographic data ; offer special programs, activities, trials, events or promotions via our services ; carry out market or consumer studies ;

to provide you access to online services, application and platforms ; manage your online accounts ;

to allow us to identify or authenticate you ; provide or verify your credentials including via passwords, password hints, security information and questions, government-issued ID, healthcare professional number, driver’s license data, and passport data.

to improve and develop our products and services ; identify usage trends and develop new products and services ; understand how you and your device interacts with our services ; track and respond to safety concerns ; determine the effectiveness of our promotional campaigns, conduct surveys;

to personalize your experience when using our services ; ensure that our services are presented in the way that best suits you ; understand your professional and personal interests in our content, products and services or other content and adapt our content to your needs and preferences ; present you products and offers tailored to you ;

to allow us to communicate with you ; respond to your requests or inquiries ; provide support for products and services ; provide you with important information, administrative information, required notices, and promotional materials ; send you news and information about our products, our services, our brands, our operations ; organize and manage professional events and congresses, including your participation to such events ;

to process payments we may need to issue in a specific situation; to process payments we may need to issue in a specific situation;

to offer donations and sponsorships ;

to respond to legal requests from administrative or judicial authorities, in accordance with applicable laws ; comply with a subpoena, required registration, or legal process

to protect our rights and interests ; protect the health, safety, and security of SANOFI personnel and premises ; carry out internal audits, asset management, system and other business controls ; manage business administration (finance and accounting, fraud monitoring and prevention) ; maintain the security of our services and operations ; protect our rights, privacy, safety or property, to allow us to pursue available remedies or limit the damages that we may incur as necessary ; to protect ourselves against possible fraudulent actions.

On what ground? SANOFI will always process your Personal Data lawfully

Depending on the data processing at stake, SANOFI will generally process your Personal Data on either one of the following legal basis:

your prior consent : where you have clearly expressed your approval of SANOFI’s processing of your Personal Data. In practice, this will generally mean that SANOFI will ask you to sign a document, or to fill-in an online “opt-in” form or to follow any relevant procedure to allow you to be fully informed and then either clearly accept or refuse the data processing envisaged.

a contractual relationship between you and SANOFI: in such case, the processing of your Personal Data is generally necessary to the execution or the performance of the contract; this means that if you do not wish SANOFI to process your Personal Data in that context, SANOFI may or will be obliged to refuse to enter into such contract with you or will not be able to provide the products or services covered in this contract.

legal obligationsapplicable to SANOFI’s activities ; for instance, SANOFI is required to implement pharmacovigilance procedures to monitor adverse effects of marketed products, which generally involves the collection and retention of Personal Data.

the “legitimate interest”of SANOFI in the sense of applicable data protection law. In such a case, SANOFI shall consider your fundamental rights and interests in determining whether the processing is legitimate and lawful.

SANOFI may, on a case-by-case basis, rely on other legal grounds, such as the protection of your vital interests, in accordance with applicable data protection law, as set forth in the applicable Privacy Notice.

Where does the Personal Data come from? SANOFI will always collect Personal Data from trusted sources

SANOFI may collect your Personal Data from different sources:

Data that you communicate to us through various media, through registrations, applications surveys or direct and indirect interactions with SANOFI. For example, data you provide to register to scientific events sponsored by SANOFI, to submit an online application, to send us a request for information, etc.

Data that we collect automatically, for instance when following your interactions with our websites, platforms, applications and services through certain technologies, such as cookies.

Data that we collect in accordance with applicable law from public sources available, including data that is published by you in all supports.

Data that we obtain legally from third parties, for example, when we may need to confirm contact or financial information or to verify licensure of healthcare professionals. In such case, we generally receive such Personal Data from third-parties that are authorized to do so in the framework of their own privacy and data protection policies or in accordance with the law. As applicable, we will inform you in the Privacy Notice of the identity of those third-parties and will invite you to refer to their privacy and data protection policies to inquire on the origin of such Personal Data and the condition of their collection.

About children Personal Data

While in some instances we may collect Personal Data about children with the consent of his/her parent or guardian for the provision of our services such as clinical activities or for patient support programs, we do not otherwise knowingly solicit Personal Data from, or market to, children. If a parent or guardian becomes aware that his or her child has provided us with personal information, he or she should contact us as described in the “How to Contact Us” section below. We will take steps to delete such information from our database in accordance with applicable legal requirements.

Who has access to Personal Data: SANOFI will share your Personal Data only with authorized parties

For the purposes described above, SANOFI may need to share your Personal Data with the following authorized third-parties:

Sanofi and its affiliates

our partners (healthcare professionals and organizations, distributors, other members of the healthcare and pharmaceutical industry)

selected suppliers, service providers or vendors acting upon our instructions for website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, auditing, etc.

legal or administrative authorities, as required by applicable laws including laws outside your country of residence

potential acquirers and other stakeholders in the event of a merger, legal restructuring operation such as, acquisition, joint venture, assignment, spin-off or divestitures.

sponsors of sweepstakes, contests and similar promotions

SANOFI may need to share your Personal Data with other third-parties, in which case you will be duly informed through the applicable Privacy Notice.

In any case, SANOFI will require that such third-parties:

undertake to comply with data protection laws and the principles of this Policy;

will only process the Personal Data for the purposes described in this Policy ; and

implement appropriate technical and organizational security measures designed to protect the integrity and confidentiality of your Personal Data.

Where Personal Data may be transferred: SANOFI will ensure that transfers of your Personal Data outside EU are safeguarded

SANOFI is a multinational organization with affiliates, partners and subcontractors located in many countries around the world. For that reason, SANOFI may need to transfer (via access, visualization, storage..) your Personal Data in other jurisdictions, including from the European Economic Area to outside the European Economic Area, in countries which may not be regarded as providing the same level of protection as the jurisdiction you are based in.

Safeguards for international transfers of Personal Data: In cases where SANOFI needs to transfer Personal Data outside the European Union, it shall ensure that adequate safeguards, as required under applicable data protection legislation, will be implemented (including, notably, the European Commission’s Standard Contractual Clauses, as applicable).

In this respect and in particular, for intra-group transfers of Personal Data implemented for clinical studies and pharmacovigilance purposes, SANOFI has implemented and shall apply its “Binding Corporate Rules” validated by the EU Data Protection Authorities.

How secure: SANOFI will implement security measures to protect your Personal Data

We have implemented a variety of technological and organizational procedures and measures to ensure the integrity and confidentiality of your Personal Data from unauthorized access, use and disclosure. These measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

For instance, we store your Personal Data on servers that have various types of technical and physical access controls, which may include, for instance, if appropriate, encryption. We may also aggregate, pseudonymize or anonymize Personal Data to ensure that no personally identifiable information is communicated to third parties.

How long: we will retain your Personal Data for no longer than necessary

SANOFI will retain your Personal Data only for the period necessary to fulfill the purposes outlined in this Policy.

As an exception, SANOFI may be required to retain your Personal Data for longer periods as required or permitted by law, or as necessary to protect its rights and interests. In such a case, you will be informed of the intended retention period in the applicable Privacy Notice.

Your rights: SANOFI will ensure that you can exercise your rights pertaining to your Personal Data

You can exercise your rights as provided by data protection laws.

To that end, SANOFI informs you that you are entitled:

to have access upon simple request to your Personal Data – in which case you may receive a copy of such data (if requested), unless such data is made directly available to you, for instance within your personal account ;

to obtain a rectification of your Personal Data should your Personal Data be inaccurate, incomplete or obsolete ;

to obtain the deletion of your Personal Data in the situations set forth by applicable data protection law (‘right to be forgotten’);

to withdraw your consent to the data processing without affecting the lawfulness of processing, where your Personal Data has been collected and processed on the basis of your consent ;

to object to the processing of your Personal Data, where your Personal Data has been collected and processed on the basis of legitimate interests of SANOFI, in which case you will need to justify your request by explaining to us your particular situation;

to request a limitation of the data processing in the situations set forth by applicable law ;

to receive your Personal Data for transmission from SANOFI to a third-party or to have your Personal Data directly transferred by SANOFI to the third-party of your choice, where technically feasible (data portability right allowed only where the processing is based on your consent)

If you would like to exercise any of these rights, please contact us as described in the “How to Contact Us” section below and we will take necessary steps to respond as soon as possible.

You may also file a complaint before a competent data protection authority regarding the processing of your Personal Data. While we suggest that you contact us beforehand, if you wish to exercise this right, you should contact directly the competent data protection authority.

How to contact us

SANOFI welcomes any questions or comments you may have regarding this Policy or its implementation. Any such questions or comments should be submitted using the contact information below:

CONTACT

You can send any request pertaining to SANOFI’s use of your Personal Data to our Data Protection Officer at the following email address: ZALocalPrivacyOffice@sanofi.com