Medicys Limited is committed to protecting the information we collect from each participant. The following Notice outlines how we use that information. This Notice was established in 2018 and was last updated on August 4, 2022.

Medicys Limited is a member of, and complies with, the Codes of Conduct and Legal and Ethical Standards as prescribed by the BHBIA, EphMRA and ESOMAR. These guidelines are extremely comprehensive, and act as a pillar of our business processes (including how we protect the rights of respondents, handle data, and record adverse events and product complaints).

PURPOSES OF DATA PROCESSING

Medicys Limited is an independent company headquartered in the United Kingdom, conducting genuine research studies for a broad range of clients and in many different healthcare subject areas.

We use your information only for our research administration purposes. We do not engage in further activities; as such your details will never be passed on to any third party.

We use Personal Data that we collect directly from research participants, publicly available websites and publications or from list suppliers, for the following business purposes, without limitation:

Maintaining and supporting our services (healthcare research, including the recruitment of participants), delivering and providing the requested services including payment of honoraria to participants, and complying with our contractual obligations related thereto; satisfying governmental reporting, tax, and other requirements; storing and processing data, including Personal Data, in computer databases and servers located in the United Kingdom, the EEA and US (cloud-based services, forms, IT, telecom and streaming services); verifying identity of research participants; as requested by research participants; for other business-related purposes permitted under applicable local law and regulation; and as otherwise required by law.

LEGAL BASES FOR DATA PROCESSING

Our legal bases for processing your Personal Data are:

1) your consent;

2) any other applicable legal bases, such as our legitimate interest in offering services (participation in research events and studies) of value to you (see our Legitimate Interests Assessment here)

DATA RETENTION

Medicys has responsibility to maintain records relating to our research activities, in accordance with the regulatory environment, client requests and suggested industry guidelines, and will retain respondent information and data according to the following retention guidelines:

Initial registration information for as long as your community membership is active and for a period of 5 years thereafter to allow you to re-activate your participation without loss of data.

All information collected during the research process, including survey results, will be retained by Medicys for a period of 24 months, except audio and video recording, which will be retained for a period of 3 months.

Honorarium payment information will be kept for 6 years.

We will also retain your information as necessary with our legal obligations, to resolve disputes and enforce our agreements, for as long as is permitted under applicable law. This may include the consent form / recruitment agreement you signed prior to your participation and any information detailed in connection with adverse event reporting, both of which may be kept indefinitely for accounting and/or auditing purposes

To discuss our retention policy, please e-mail: privacy@medicysltd.co.uk

COLLECTION AND USE OF PERSONAL DATA

Before we confirm your participation in a research interview, we will ask you a series of questions the answers to which will be used to ascertain if the research is relevant to you. If you qualify for participation, you will receive confirmation, usually via e-mail, followed by a consent form. Following your participation, you will receive an honorarium as a token of our appreciation for your input and time.

To manage this process, and the associated research activities, we collect and retain securely personal information about you.

Such information might include: Your name; contact details including postal address, email address, phone and fax number; job title; certain demographic information such as your DOB and gender; in the case of healthcare professionals, the name of your hospital or practice, and trust; in the case of patients and caregivers, any medical conditions that you may declare for research purposes, and your financial information for the purpose of processing your honorarium.

We also collect non-identifying data, such as survey results and pre-screening data, which on their own cannot identify you.

We may also ask you if you are satisfied that you do not need, or that you have already obtained, any consent from your employer, organisation or professional association to participate in research.

This Notice does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. The use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible.

Methodologies We employ three key research methodologies: Face to Face (interviews, focus group discussions, ethnography) normally held at a market research venue or in person at home or at a neutral venue; Telephone (interviews) where we would call you, and conduct the interview by phone; Online (a survey completed on your device, usually in the form of a questionnaire that you can complete in your own time); Video (interviews) conducted using a video conference service (with webcam).

Before each interview we will provide you with a Recruitment Agreement outlining the nature and purpose of the study, and your role in the research process.

Recordings and Observation of Research On occasion the interviews may be audio and video recorded. You will be made aware if this is the case at the time of recruitment, and why it is proposed.

On occasion, your interview will be directly observed either in person via a one-way mirror or video link, or via audio-video conferencing. We will obtain your consent for this to happen, at the screening process of each project. Those viewing the session must observe the confidentiality of all information exchanged, and client observers will be introduced openly and honestly to you.

Audio and Video recordings may also be used for the purposes of Pharmacovigilance, quality control and auditing.

Proprietary Information On occasion during a study or interview, proprietary information regarding products, services and their development may be disclosed. In participating, all such information must be kept confidential, and not disclosed to third parties, or used for any other purpose. Acceptance of this requirement for confidentiality is required to participate in the research process.

Software/App Installation With online surveys, or during telephone interviews, we may ask that you install software, apps or screen sharing capability for use during the interview e.g. to view materials and stimuli, or we may use electronic identifiers (cookies) to ensure a survey is completed only once.

There would be no direct association between the data stored in a cookie, and your personal identifying information. Of course, you may leave the survey and withdraw at any time if you wish, without penalty should you find this in anyway disconcerting. You can also adjust your settings to restrict the use of cookies on your device.

Specifically, for Online Surveys: Depending on survey specific configuration, browser cookies (known as session cookies) and other tracking methods such as flash, HTML5 Local Objects and Etag, may be used to track your survey participation solely for the purposes of deduping (removing duplicate responses). When a survey page is generated by you via a link we send you, a unique internal session ID is included in the web page body as the primary method of tracking your activity once the survey has started. To achieve this, the server hosting the survey will automatically recognize your domain name, and IP address/s. However, no other personal information about you is revealed in this process.

Specifically, for Screen Sharing and online communities/diaries: Information about a participant may be collected and stored to fulfill the service as requested by our client(s); Additional data may be collected during the screener sharing process, including usage and log data about how the services are accessed and used; information about the device you are using the Services on; IP addresses; location information; language settings; what operating system you are using; unique device identifiers and other diagnostic data to help us support the Services.

Specifically, for web-conferencing, tele-conferencing and video conferencing: In normal circumstances, a meeting code or ID will be provided in advance of the interview. The services used include, but are not limited to: Zoom, Focus Vision Intevu, ZipDx, BT Conferencing, Mercuri, MR View and Civicom.

Research with Persons under 16 years of age: Research with persons under 18 will only take place with the explicit, written consent of the parent or legal guardian (assent and consent)

Cookie Information: Further information relating to our use of cookies can be found here: Cookie Policy

DISCLOSURE OF YOUR INFORMATION

In certain circumstances your information may be disclosed to others who are assisting us in undertaking the research study. In such situations we take reasonable precautions to ensure that the privacy protections afforded by this Notice are echoed by the recipient of the disclosed information.

Adverse Event Reporting For example: We are obliged by law to report all Adverse Events or Product Complaints that arise during a study, and will inform you at the point of recruitment if your consent is required to waive the confidentiality afforded to you under this policy. Everything else you contribute during the interview will remain confidential.

Sub-contracting For example: We may need to employ the services of sub-contracted suppliers in the completion of the study. In such cases only the minimum of data needed to complete the task will be shared. In such cases, all suppliers will be obliged in writing to maintain the privacy of your information in accordance with this Policy and agree to provide adequate protections for the Personal Data that are no less protective than those set out in this Notice.

Such suppliers could include: Moderators (the person/s that conducts the actual interview); Transcribers (the person/s that transcribes and/or translates the audio recordings taken at the time of the interview); Support Staff (the person/s at a research venue, who check you in and welcomes you); Data Support Staff (the person/s managing the aggregated survey results); Translators (person/s that translates your verbatim responses into the language of any observers); IT/Telephone Services (person/s managing our consent templates and processes, our video conferencing services, our screen sharing services etc.)

Incentive Fulfilment You will be paid an incentive for your time: this will be in the form electronic fund transfer or e-voucher. Depending on the incentive form, in some cases your personal information may be transferred to third parties such as Fast Pay, Amazon or Western Union to enable them to perform the incentive fulfilment process on behalf of Medicys Limited. In order to pay your incentive, we collect information including your method of payment preferences, contact details and banking details. The information we collect, and the system we use to collect it is: Cognito

Securing your Consent We always obtain your consent in advance of an interview or study. Such consent may be collected orally (via the screening process), prior to or during the interview (by the moderator or project team) or in advance using our online electronic document system. The system allows for each participant to receive a copy of the consent document they have signed. In order to obtain your electronic consent, and then for you to have a copy delivered to you, we ask for you to verify your e-mail address. The system we use is: Signable

Contacting you We may contact you by text, say to facilitate your participation or confirm your invitation. The system we use is: Textlocal

Clients of the research For example: Medicys Limited may need to release your personal identifying information to our immediate client for purposes of conducting the interview. In such cases, your confidential information will only be used for the purpose of conducting an interview and will be kept confidential by agreement. How we use your contribution for a particular client study will be explained fully during the screening process. We shall obtain your written consent to the key aspects of the research process before you participate.

Bertrand Law In France (for HCPs) we are obliged to comply with the regulations on transparency. Your details including your name and last name, occupation, specialty and qualifications together with your professional address, your licence number, together with details of the compensation you have received will be posted on the following public website: https://www.transparence.sante.gouv.fr

Anti-Gift In France, in order to comply with the French regulatory Anti-Gift law framework we are currently using the “information notice for declaration purposes” as provided by ASCO and as shared with EphMRA (www.ephmra.org). As such, incentive payments are being declared anonymously to the relevant order (CNOM, CNOP etc). For those from public and/or university hospitals evidence of permission may be required, and may be submitted via the IDAHE, EPS etc. platforms if requested.

Disclosure (HCPs only, If a Client Company is aware of your identity) In accordance with the ABPI Code of Practice certain information must be publicly disclosed if an honoraria or expenses is paid for your participation, and the client company (the pharmaceutical company sponsoring this research) is aware of your identity. This information includes your name and practice address. The purpose of disclosure is to enhance the transparency surrounding the relationships between the pharmaceutical industry and the healthcare profession. If you do not give your permission for this, you may still participate in the research and your personal data will not be passed on for disclosure purposes. In this case the pharmaceutical company is obliged to publicly disclose aggregate information relating to honoraria and expenses. Your research responses remain confidential and anonymous whether you consent to your name and practice address (i.e. your personal data) being used for disclosure or not.

Physician Payments Sunshine Act (HCPs only) The studies we manage are administered in accordance all applicable law and practices including Section 6002 of the Patient Protection and Affordable Care Act (also known as the “Physician Payments Sunshine Act”). Please note that the studies are conducted in a manner that will minimize the risk of you becoming unblinded (known to commissioning client company). However, in the unlikely event that your identity becomes known to anyone from the commissioning client company, the payment will then become reportable and as such we will need to share your contact details and incentive that you would be given, with the study sponsor to assist with their annual reporting requirements.

Other reasons

Medicys Limited may also disclose Personal Data under the following circumstances: To respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims; When we believe it is necessary to share information to investigate or prevent fraud, or to act regarding illegal activities, situations involving potential threats to the physical safety of any person, or as otherwise required by law; To transfer information about you if Medicys is acquired by or merged with another company. In this event, Medicys will notify you before information about you is transferred and becomes subject to a different Privacy Policy.

Please be aware that in rare situations, it may be necessary disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

CHOICE WITH RESPECT TO USES AND DISCLOSURES OF PERSONAL DATA

Medicys recognizes that EU individuals have the right to limit the use and disclosure of their Personal Data, and we are committed to respecting those rights.

We offer individuals the opportunity to opt out of disclosures of Personal Data to a Third Party or the use of Personal Data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual.

We comply with data privacy principles in respect to disclosures of Sensitive Data including, when applicable, obtaining the explicit consent (i.e., opt in consent) of an individual prior to disclosing Sensitive Data to a Third Party or using Sensitive Data for purposes other than those for which it was originally collected or subsequently authorized by the individual.

At any point you can ask to withdraw, request access to the information we currently hold, amend or rectify that information and request that we no longer contact you or retain your information, without cost to you.

INTERNATIONAL TRANSFERS

Sometimes, personal data is transferred outside of the UK/EEA for the purposes of market research analysis, data storage, survey collection and data analysis and for the payment of incentives. By submitting your personal data, you acknowledge and agree to the fact that your personal data may be stored, processed and transferred outside of the UK/EEA. You also acknowledge that the transfer of personal data via the Internet is not entirely secure, though we will do our best to ensure its protection. Furthermore, the personal data we store is protected by security measures and processes, in order that your data be protected from disclosure or nefarious access.

Where necessary, further transfers of personal data will be outlined via our research participant consent process. For transfers of personal data (video and audio files, contact telephone numbers of the purpose of interviewing) to client agencies located outside the UK/EEA: In this situation your personal data is protected under an appropriate privacy mechanism and/or EC adequacy decision and/or by EU approved standard contractual clauses and/or binding corporate rules and/or by Confidentiality Agreement, held by our client. We will always request your consent for this to happen. For any questions, e-mail: privacy@medicysltd.co.uk.

DATA SECURITY

Medicys Limited has designated the IT Department to oversee its information security program. The IT Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to privacy@medicysltd.co.uk

Medicys will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. Medicys personnel will receive training, as applicable, to effectively implement this Notice. All information we retain is treated as strictly confidential, managed only by key members of our team.

Adequate precautions are taken to protect personal data, any sensitive data and confidential information against unauthorized access including but not limited to user identification and password only access, pseudonymizing, encryption and firewall protection.

California Consumer Privacy Act (CCPA) The CCPA effective from 1st January 2020 affords data privacy protection to residents of California. The personal data collected and used by Medicys is that provided willingly when participating in our research. How, and why, we collect and use your data is explained in sections “Collection and Use of Personal Data” and “Purposes for Data Processing”. As a reminder we do not sell or resell personal data for any purpose outside of that agreed in the recruitment agreement and consent form. You have the right of access, the right to delete your data, to opt-out at any time, and not to be discriminated against at any time when exerting these rights. Californian data subjects can exercise these rights by contacting: privacy@medicysltd.co.uk

YOUR RIGHTS

Right to Access You have the right to obtain confirmation about whether Personal Data is included about you in our databases.

Upon request, Medicys will provide an individual access to his or her Personal Data within a reasonable time frame.

Medicys will permit an individual to know what Personal Data about them is included in our databases and to ensure that such Personal Data is accurate and relevant for the purposes for which Medicys collected the Personal Data.

You may review your own Personal Data stored in the databases and correct, update, modify, or delete any data that is incorrect or incomplete.

Your right to access your Personal Data may be restricted in exceptional circumstances, including, but not limited to, when the burden or expense of providing this access would be disproportionate to the risks to your privacy, or where the rights of persons other than you would be violated by the provision of such access. If we determine that your access should be restricted, we will provide you with an explanation of our determination and respond to any inquiries you may have.

You may access and modify your Personal Data by contacting Medicys by phone, post or email. In making modifications to your Personal Data, you must provide only truthful, complete, and accurate information.

Rectification and Erasure You may request that we rectify or delete any of your personal data that is incomplete, incorrect, unnecessary or outdated.

Objection You may object, at any time, to your personal data being processed for research purposes.

Restriction of Processing You may restrict processing of your personal data for certain reasons, such as, for example if you consider your personal data collected by us to be inaccurate or you have objected to the processing and the existence of legitimate grounds for processing is still under consideration.

Data Portability You may request the data you provided to us in a commonly used and machine-readable form.

Right to Withdraw Consent You have the right to withdraw your consent at any time, without affecting the lawfulness of our processing based on such consent before it was withdrawn, including processing related to existing contracts for our products and services.

To exercise any of the above mentioned rights, please contact us as set forth below. We will process any requests in accordance with applicable law and within a reasonable period.

We recommend that you include documents that prove your identity and a clear and precise description of your request. Please note that in some cases, especially if you wish us to delete or cease the processing of your personal data, we may no longer be able to provide our services to you.

Via Email: privacy@medicysltd.co.uk Via Postal Mail: Medicys Limited, 152 Staplehurst Road, Sittingbourne, Kent ME10 1QZ, United Kingdom Via UK Phone: 44 (0) 1795 42 66 55

REQUESTS FOR PERSONAL DATA

Medicys will track each of the following and will provide notice to the appropriate parties under law and contract when either of the following circumstances arise:

(a) legally binding request for disclosure of the Personal Data by a law enforcement authority unless prohibited by law or regulation; or (b) requests received from Research participants.

CHANGES TO THIS POLICY

This Policy may be amended from time to time, consistent with applicable data protection and privacy laws and principles. We will notify you if we make changes that materially affect the way we handle Personal Data, via the invitation, confirmation and project consent process we employ, and we will allow you to choose whether your Personal Data may be used in any materially different manner.

QUESTIONS OR COMPLAINTS

If you have any questions or complaints about this Privacy Notice or our data collection practices, please contact us at the details listed below and specify your country of residence and the nature of your question or complaint.

Via Email: privacy@medicysltd.co.uk Via Postal Mail: Medicys Limited, 152 Staplehurst Road, Sittingbourne, Kent, ME10 1QZ, United Kingdom Via UK Phone: 44 (0) 1795 42 66 55

If you consider our processing activities of your personal data to be inconsistent with the applicable data protection laws, you may lodge a complaint with your local supervisory authority responsible for data protection matters.

Medicys Limited is a registered Data Controller with the Information Commissioners Office. If you have a concern about our information rights practices, you can contact the ICO using their helpline: 0303 123 1113 or visit their website: https://ico.org.uk/concerns/. Our registration number is Z1909295.

EU REPRESENTATIVE

The UK’s data protection regime has been formally deemed ‘adequate’ by the European Commission. An adequacy decision allows organisations that transfer personal data from the EU (and the European Economic Area (EEA)) to the UK, to continue to do so; there is no need for alternative transfer mechanisms (such as standard contractual clauses (SCCs)) to be put in place.

For EU data subjects, and relevant supervisory authorities, with questions or concerns please contact our EU representative lead person Marie Payraudeau, m.payraudeau@medicysltd.co.uk, +33 (0) 6 45 50 29 98

Request a quote