Contract Cadence™

The EU General Data Protection Regulation ("GDPR") – Information to Principal Investigator

Reference #ZA535069

(Effective as of 01 July 2022)

Contract Cadence

GDPR Compliance Statement

Introduction

You are receiving this information because you are a Principal Investigator (study team), affiliated within the European Economic Area ("EEA"), currently engaged in a clinical trial supported by Contract Cadence. Therefore, the EU General Data Protection Regulation (GDPR) will apply to the collection of trial data performed as part of this clinical trial. The purpose of this communication is to clarify how GDPR applies to clinical research, and to request your collaboration in executing the actions described below.

The GDPR replaces the current Data Protection Directive 95/46/EC as of 25th May, 2018. It was designed to harmonize data privacy laws across Europe, to strengthen the privacy rights of EU residents, and to reshape the way organizations across the region approach data privacy protection.

You, as Principal Investigator (study team), as well as your institution, and we, as Supporters of this clinical trial, have committed in our mutual Clinical Trial Agreement to comply with applicable data protection laws. In particular, when processing Personal Information¹ of your investigational staff and of trial subjects, that data should be protected in accordance with applicable laws and regulations, including the GDPR.

The information in this document is intended for you, as Principal Investigator and for your investigational staff. It is not to be provided to trial subjects, although it provides guidance to you and your investigational staff on how to respond to questions from trial subjects.

Requested actions

No | Topic | Action to be performed by the Principal Investigator
1 | Collection of Personal Information concerning Principal Investigator and investigational staff | Read the privacy notice for Principal Investigator and investigational staff. See Appendix 2. Provide a copy of the privacy notice for Principal Investigator and investigational staff to the investigational staff members engaged in the research.
2 | Increase awareness concerning the additional responsibilities under GDPR | Read the section about additional responsibilities under GDPR, and the Frequently Asked Questions (FAQ) in Appendix 1.

¹ Personal Information (a/k/a "personal data") is defined as any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

No | Topic | Action to be performed by the Principal Investigator
3 | Increase awareness concerning the additional responsibilities under GDPR | Inform any investigational staff appropriately about the new obligations under GDPR. In particular, it is important that there is a general awareness of what to do in case an individual who participates in the clinical trial (“Trial Subject”) makes a request concerning the processing of his/her data, or needs to be informed of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information data transmitted, stored or otherwise processed (“Privacy Incident”).
4 | Personal Information concerning trial subjects (Not Applicable in capacity of Contract Cadence™) | If requested by the Supporter (or CRO), execute activities to inform trial subjects as instructed. Use the Notice Log, in Appendix 4, to document providing the Notice to trial subjects.
5 | Personal Information concerning Trial Subjects (Not Applicable in capacity of Contract Cadence™) | In case of questions from trial subjects concerning the data, please act in accordance with the Frequently Asked Questions (FAQ) in Appendix 1.
6 | Acknowledgement | Once you have completed actions 1, 2 and 3 above, and acknowledged your commitment to address actions 4 and 5 as may be requested, please click the Acknowledge button to confirm your understanding, verification and acceptance. See Appendix 3.

Key additional responsibilities under GDPR

Transparency obligations under GDPR

One of the core building blocks of GDPR's enhanced rights for individuals is the requirement for greater transparency with respect to the purpose and use of the personal data collected about them. Information must be provided to data subjects in a concise, transparent, and easily accessible form, using clear and plain language. The Supporter has developed the following process to address this requirement.

Providing Trial Subjects (if applicable) with additional information as required under GDPR:

The Supporter/CRO will provide the Clinical Site with a Notice of Privacy Rights for Clinical Trial Participants. With few exceptions, the Principal Investigator or his/her investigational staff must provide a physical copy of this Notice to Trial Subjects that are currently engaged in the Trial. Typically, this is done the next time the trial subject visits the clinical site.

Once the trial subject receives the Notice, this is documented using the Notice Log. See Appendix 4. See Appendix 1 – Frequently Asked Questions.

Providing investigational staff with additional information as required under GDPR:

Provide a copy of the Privacy Notice for Principal Investigator and investigational staff to all current staff members. See Appendix 2.

Data Subject Rights (If applicable)

GDPR provides data subjects within the European Economic Area (EEA) with expanded rights intended to strengthen and enhance the data subjects’ abilities to control how their personal information is processed. However, it should be recognized that the applicability of these rights depends on the legal basis for the processing, as well as limitations that may be introduced by other laws. See Appendix 1 – Frequently Asked Questions for more information on how to address data subject rights requests from Trial Subjects.

In case of a Data Breach/Privacy Incident²

GDPR is introducing a mandatory data breach notification requirement as specified in GDPR article 33. We recognize that this Data Breach notification requirement may apply to the Supporter, third parties performing activities on behalf of the Supporter, as well as the Principal Investigator or Institution, depending on the nature of the data breach and the data that is impacted. Consequently, we would appreciate your timely notification to us of any Privacy Incident that may result in a breach. See Appendix 1 – Frequently Asked Questions for information on how to handle a Privacy Incident.

Data Protection Impact Assessments

GDPR introduced a requirement to perform a data protection impact assessment (DPIA) for certain types of processing activities, for example, when processing Personal Information using new technologies. The DPIA should also take into account the nature, scope, context and purposes of the processing. In the event the data protection impact assessment indicates that the processing would result in a high risk, in the absence of measures taken by the controller to mitigate the risk, the supervisory authority should be consulted before the processing of Personal Information. See Appendix 1 – Frequently Asked Questions on how this requirement may apply to an ongoing Clinical Trial.

² A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information data transmitted, stored or otherwise processed.

Appendix 1 – Frequently Asked Questions

A. Data Subject Rights (N/A for current use case of Contract Cadence™)

What do I do if a Trial Subject asks for access to his/her coded information, which has been provided to the Supporter?

The right to access may apply, but may be limited while the study is ongoing; providing access to data may not be permitted, considering regulations and laws that apply to clinical research. E.g. some data may not be provided until after the study is completed. You may reach out to the Project Manager for guidance and support as may be required.

What should I do if a Trial Subject requests a copy of their Personal Information (including any coded data) in a commonly used electronic format?

The right to portability is dependent on the legal basis for the processing of data. We recognize that this right may apply, depending on the local position of the data protection authority. If this right applies, the right is limited in that all information cannot be provided until the trial is completed, due to regulatory requirements that apply in Clinical Research. You may contact the Project Manager for guidance and support as may be necessary.

What should I do if a Trial Subject requests that his/her data be corrected?

Any correction of data should be done in accordance with Good Clinical Practice³ on how changes to clinical data should be carried out. The standard processes for managing data changes at the Clinical Site should be applied. In case of questions you may contact the Project Manager for additional guidance.

³ See ICH GUIDELINE FOR GOOD CLINICAL PRACTICE E6(R1) Section 4.9.3.

What should I do if a Trial Subject asks that his/her data (including any coded data) be deleted?

Data that is collected and processed per the Clinical Study Protocol cannot be deleted due to laws and regulations that apply in clinical research. For situations where Personal Information of the Trial Subject is processed and such processing is not required by the clinical study protocol, the deletion right may apply and should be assessed on a case by case basis. Please contact Supporter/CRO in such situations.

What should I do if a Trial Subject objects to the processing of his/her Personal Information?

A Trial Subject may have the right to object to certain processing of his/her data.

If a Trial Subject objects to all processing of his/her data, it may be required that he/she withdraw from participating in the trial, since the processing of some personal data is a critical part of any trial.

Any objection from a Trial Subject should be forwarded to the Project Manager, to ensure that the Supporter can appropriately evaluate such an objection and provide guidance to the site.

What do I do if a Trial Subject would like to get a copy of the safeguards that the Supporter is using for any transfer of the coded data to parties based outside of the European Economic Area?

Contact the Project Manager. The Project Manager may need to engage the Supporter’s Data Protection Officer to respond to the request.

B. Privacy Notice/Informed Consent (N/A for current use case of Contract Cadence™)

I understand that the Trial Subject may have the right to receive additional information about the processing of their Personal Information (including any coded data). How will this be managed?

The Supporter has developed a Notice of Privacy Rights for Clinical Trial Participants document that must be provided to all Trial Subjects, as described in the section about "Providing Trial Subjects with additional information as required under GDPR" above.

Further guidance may be provided by the Project Manager, considering that the situation may be different per country, and there is a dependency on the local ethics committees and the position of the local data protection authority.

Will Trial Subjects need to sign this Notice of Privacy Rights for Clinical Trial Participants?

No, the Trial Subject does not need to sign the Notice. However, when the Trial Subject is provided the Notice of Privacy Rights for Clinical Trial Participants, it must be documented using the Notice Log. See Appendix 4.

Do I need to provide this Notice of Privacy Rights for Clinical Trial Participants to Trial Subjects that have completed their last visit, and there is no additional data that will be collected from the Trial Subject?

No; however, you must use the Notice Log, in Appendix 4, to document that the Trial Subject will not receive the Notice of Privacy Rights for Clinical Trial Participants because he/she has completed the trial.

How do I handle Trial Subjects who will not have any more visits, but where additional data will be collected e.g. via phone or similar?

The Notice of Privacy Rights for Clinical Trial Participants should be sent by mail to the Trial Subject. This must be documented in the Notice Log. See Appendix 4.

Will Trial Subjects need to sign a new Informed Consent Form due to GDPR?

We do not believe this will be required. Rather, Trial Subjects will be provided with a Notice of Privacy Rights for Clinical Trial Participants that will inform them of their rights under GDPR. However, we recognize that the situation may be different from country to country, and there is a dependency on the local ethics committees and the position of the local data protection authority. Further guidance may be provided by the Project Manager.

What is the legal basis for the processing of Personal Information about Trial Subjects?

On 16th of April 2018, the Article 29 Working Party⁴ issued guidance on consent (wp259rev.01), in which it was stated that the consent obtained in clinical research from Trial Subjects is not necessarily the legal basis for processing their Personal Information.

The Supporter’s position is that processing of Personal Information concerning Trial Subjects is based on the regulations and laws that apply to clinical research. Such regulations require the study site to collect and the Supporter to analyze such data before they are submitted to regulatory authorities. In addition, the legal basis can be the performance of the scientific research that is referenced in the consent form signed by the Trial Subject.

There are other legal grounds that may apply as well in certain situations, such as that the processing is required for the vital interest of the subject, e.g. in case of a significant patient safety concern, or due to a public interest in the area of public health.

We recognize that there are still discussions about this topic within the industry and realize that the local positions may potentially differ.

⁴ The Article 29 Working Party is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.

What do I do in case of a Privacy Incident?

For any privacy incident that relates to data where the owner is the Supporter as defined in the Clinical Trial Agreement, you should immediately inform the Project Manager. The information to the Project Manager should include the nature of the privacy incident, the categories and approximate number of Trial Subjects whose data was compromised, and Personal Information records impacted by such privacy incident. We request you as Principal Investigator and the Institution to fully cooperate with the Supporter, to investigate and resolve any such privacy incident and to provide the Supporter with any information necessary to provide notifications to the impacted Trial Subjects.

In case a privacy incident relates to a system or processing activity under the sole control of the Institution, the Institution will be responsible for managing such Incident. However, you should also inform the Project Manager in case any source data that may relate to the Clinical Trial may be impacted in such a privacy incident.

Is there a need to do a Data Protection Impact Assessment, and will the Clinical Site need to be engaged in such an activity?

The Data Protection Impact Assessment requirement does not apply retrospectively, so it is not likely that the Clinical Site will need to support such an effort for any processing of Personal Information under the Clinical Trial Agreement. However, in case new technology, such as a wearable device collecting health data, is introduced in an ongoing trial, such change may require a Data Protection Impact Assessment. You will be requested by the Supporter in case there is a need for the Clinical Site to support the execution of any Data Protection Impact Assessment.

Who is the data controller and for what kind of data?

The Supporter is a data controller for any processing of the data that is provided to the Supporter, and that may be specifically processed as instructed by the Supporter using tools that are provided by the Supporter to perform the research.

The Clinical Site is a data controller for data processing activities under the sole responsibility of the site such as entering of data in the Electronic Medical Record System, and processing data for the care of the patient.

The Clinical Site may be seen as a data processor for processing activities that are specifically executed as required by the Study Protocols instructed by the Supporter using tools provided by the Supporter. Entering key‐coded data in the eCRF would be an activity where the Clinical Site is acting as a data processor.

Appendix 2 – Privacy Notice for Principal Investigator and investigational staff (“Notice”)

This Notice explains the personal information handling practices of Supporter with respect to information about the Principal Investigator and any investigational staff. It explains how Supporter collects personal information, and with whom Supporter may share it. It also explains the rights the Principal Investigator and any investigational staff have with regard to this personal information. This Notice applies to all personal information, regardless of whether the information is stored electronically or in hard copy.

This Privacy Notice should be provided by the Principal Investigator to any investigational staff.

Privacy Notice – Principal Investigator and investigational staff

Personal Information Collection

Supporter and agents processing personal information on behalf of Supporter, collect and process personal information about you. This information may come directly from you, from the Institution that you are affiliated with for purposes of this clinical research, or from public or third‐party information sources.

The types of personal information that Supporter collects depend on the role you have with Supporter and/or its affiliates, as well as applicable laws, and may include the following categories of information:

Name;

Contact information (e.g. address, telephone number, e‐mail address);

Age and/or date of birth;

Government identification number (if applicable);

Training and qualifications, including information that you have a valid, active medical or professional license, as applicable, and are not debarred by a competent health authority;

Organizational or institutional affiliations;

Professional programs and activities in which you may have participated.

Financial information relating to, among other matters, compensation and reimbursement payments for clinical trial activities.

Engagement or interaction with Supporter or its affiliates, or their products and services;

Information obtained via surveys and other direct interactions with you.

How Supporter Uses and Discloses Personal Information

Personal information about you will be processed for the following purposes to meet Supporter’s and/or its affiliates’ obligations under applicable laws and regulations, and as necessary to fulfill the Clinical Trial Agreement:

To assess if you are suitable for acting as Principal Investigator or investigational staff in relation to the clinical trial.

To provide training, and access to tools and other resources that may be required for the execution of the clinical trial;

To manage the clinical trial, including to monitor and audit clinical trial activities.

To prepare and submit regulatory filings, correspondence, and communications to government authorities concerning the clinical trial;

To conduct safety reporting and pharmacovigilance activities relating to the clinical trial.

To publish results of the clinical trial as defined in the Clinical Trial Agreement.

investigational staff in order to comply with transparency reporting laws, including but not limited to the US Physician Payments Sunshine Act and implementing regulations, as well as industry codes of practice or standards to which Supporter and/or Supporter’s affiliates are subject; or

As otherwise required under applicable law, or necessary to fulfill the Clinical Trial Agreement.

Personal information about you will be processed for the following purposes based on Supporter’s and its affiliates’ legitimate interest under law:

To consider, from time to time, potential sites and investigators for future clinical trials; and

To conduct surveys, manage internal studies, improve processes and practices related to the execution of clinical trials and other activities related to medical research.

To accomplish the above-mentioned purposes, personal information is made available to:

Other affiliates of the Contract Cadence Family of Companies and their respective agents;

Government Authorities and ethics committees in jurisdictions around the world;

Agents, such as contract research organizations or other third‐party service providers, processing Personal Information on behalf of Supporter.

Cross Border Transfer

Your personal information may be stored and processed in any country where Supporter and its affiliates have facilities or agents, including the United States. Some non‐European Economic Area (EEA) countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these countries is available here: https://www.littler.com/gdpr/EEA). For transfers from the EEA to countries not considered adequate by the European Commission, Supporter has ensured that adequate measures are in place, including by ensuring that the recipient is bound by the EU Standard Contractual Clauses, or has certified to the EU‐US Privacy Shield, or has implemented an EU‐approved code of conduct or certification, to protect personal information. You may obtain a copy of these measures by contacting our EU Data Protection Officer in accordance with the “Contacting Supporter” section below.

Data Subject Rights

If you would like to review, correct, update, restrict, or delete personal information that Supporter may have in its systems, or if you would like to request to receive an electronic copy of your personal information for purposes of transmitting it to another company (to the extent these rights are provided to you by applicable law), you may contact Supporter as specified in the “Contacting Supporter” section. Supporter will respond to the request in accordance with applicable law. Please note, however, that certain personal information may be exempt from requests pursuant to applicable data protection laws, or other laws and regulations.

Retention Period

Supporter will retain your personal information for as long as needed or permitted considering the purpose(s) for which it was obtained. The following criteria are used to determine the proper retention period: (i) the length of time Supporter has an ongoing relationship with you; (ii) whether there is a legal obligation to which Supporter or its affiliates are subject; and (iii) whether retention is advisable in light of Supporter’s legal position (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).

Contacting Supporter

The Supporter can be contacted as specified below:

info@turboregs.com

You may also contact the Data Protection Officer responsible for the relevant country or region, if applicable, at swadesh@turboregs.com. When contacting the Data Protection Officer, information such as country location, as well as clinical trial number/name, should be included to allow the request to be managed appropriately.

Lodging a Complaint with a Regulator

You may lodge a complaint with a supervisory authority competent for your country or region. Contact information can be located here: http://ec.europa.eu/justice/data‐protection/article‐29/structure/data‐protec