Therapeutic ingenuity.
It’s in our blood.

PRIVACY POLICY (EU)

Last Updated: February 1, 2020

Portola FRG GmbH, having its corporate offices at Fraunhoferstr. 12, 82152 Planegg, Germany (‘Portola’; ‘we’; ‘us’) and its subsidiaries and affiliated companies are committed to respecting and protecting your privacy. This Privacy Policy (“Policy”) applies to our collection and use of personal data collected through our websites (“the Sites”) and through offline business-related interactions with you (except as provided below). The purpose of this Policy is to inform you - either as (i) our customer, vendor or supplier, or (ii) as a user of the Sites, as well as individuals related to you whose personal data we may collect or process in course of our relationship with you (e.g., if our customer or vendor is a legal entity, we may collect information of legal representatives, employees, contact persons, etc.)(‘you’ or ‘your’) - about the collection and use of your personal data (as described below), as well as your rights in accordance with applicable privacy and data protection laws. This Policy does not cover information we may collect through our clinical trials, which are governed by separate terms and agreements. Also, this Policy does not apply to the collection and use of personal data by Portola Pharmaceuticals, Inc., which has published its own Privacy Policy. https://www.portola.com/privacy-policy/

PERSONAL DATA WE PROCESS

Personal data refers to any information relating to an identified or identifiable individuals. We collect and process the following personal data about you:

Personal data collected through our website (‘Site Data’)

We automatically collect basic technical information from all visitors to the Sites. We collect technical information during your visit to the Site through automatic data collection tools, which include cookies and other similar technologies. Via these tools, we collect and further process information that may be considered personal data under applicable privacy and data protection laws, including:

• Your Internet Protocol (IP) address, which is the number automatically assigned to your computer or other device whenever you access the internet and that can sometimes be used to derive your general geographic area;
• Other unique identifiers, including mobile device identification numbers;
• Your browser type and operating system;
• Sites you visited before and after visiting the Site;
• Pages you view and links you click on within the Site;
• Information about your interactions with e-mail messages, such as the links clicked on and whether the messages were received, opened, or forwarded; and
• Standard Server Log Information.

Personal data about our Customers’ staff (‘Customer Data’)

We process personal data about the staff of our current, former and prospective customers (‘Customers’) – for example, we process personal data about the healthcare practitioners (‘HCPs’) we deal with.

We collect the following personal data about these individuals:

• Contact information, such as name, e-mail address, and phone number;
• Professional information, such as professional title, position or function, education background, credentials, specialty, and work history;
• The content of any communications that you send to us;
• Information described to you at the point of collection or pursuant to your consent; and
• Information that we may collect from you offline in connection with business-related interactions with you, such as if you provide information to us at an industry event, business meeting, or contact us by telephone.

To the extent permitted by applicable privacy and data protection laws, we may also receive personal data about you from other sources, which may include commercially available sources, such as public databases and data aggregators. In these cases, we will obtain your consent before using your personal data or make sure that we have another valid legal basis for processing your data.

Personal data about our suppliers’ and vendors’ staff (‘Vendor Data’)

We process personal data about the staff of our current, former and prospective vendors (‘Vendors’) to enable Vendors to deliver their service to us.

We collect the following personal data about these individuals:

• Contact information, such as name, e-mail address, and phone number; and
• Professional information, such as professional title, position or function, education background, credentials, specialty, and work history.

HOW WE USE PERSONAL DATA

Subject to applicable privacy and data protection laws, we use personal data to:

• Operate and improve our Sites, products, information, and services;
• Understand you and your preferences to enhance your experience and enjoyment using our Sites, products, and services;
• Respond to your comments and questions and provide customer service;
• Provide and deliver products, information, and services you request;
• Send you related information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
• Communicate with you about upcoming events and news about products, information and services offered by Portola and our selected partners;
• Protect, investigate, and deter against fraudulent, unauthorized, or illegal activity;
• Comply with and enforce applicable legal requirements, relevant industry standards and our policies; and
• As otherwise described to you at the point of collection or pursuant to your consent.

We may also use personal data in other ways for which we provide specific notice at the time of collection.

PROVIDING PERSONAL DATA

Where we ask you to provide us with your personal data, we will indicate whether providing the personal data is a statutory or contractual requirement, or a requirement necessary to enter into an agreement with us, as well as whether you are obliged to provide the personal data and what the possible consequences are if you fail to provide the data.

In some limited cases, it may be a contractual requirement for us to collect Vendor Data or Customer Data (for example, because the relevant member of staff is a designated ‘point of contact’). If these personal data are not collected, this could result in a breach of contract by Portola or the Vendor or Customer.

DISCLOSURE OF PERSONAL DATA

We are committed to maintaining your trust, and we want you to understand when and with whom we may share the personal data we collect. We disclose your personal data to others as follows:

To our affiliates and subsidiaries

We share your personal data with our affiliates and subsidiaries. In particular we may share your personal data with Portola Pharmaceuticals, Inc. in the U.S.

To our service providers

We may share personal data with service providers that perform certain functions or services on our behalf (such as to host the Sites, fulfill orders, provide products and services, manage databases; perform analyses, provide customer service, or send communications for us).

To other recipients

We also share personal data with others if:

• We are required to do so by law or regulation (e.g., by a regulatory authority);
• Law enforcement authorities or other government entities provided us with a lawful disclosure request;
• We believe disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity; or
• We plan to sell or transfer all or a portion of our business or assets (including in the event of a reorganization or liquidation).

LEGAL GROUNDS FOR DATA PROCESSING

We process your personal data:

• If you have consented to such processing;
• To the extent that it is necessary for the performance of your agreement with us or in order to take steps at your request prior to entering into an agreement with us;
• To the extent that it is necessary to comply with our legal obligations; or
• To the extent that it is necessary for the purposes of our legitimate interests as a company which develops and commercializes therapeutics. We have carefully balanced our legitimate interests against your rights and freedoms. You can obtain more information about how we have done so by contacting us using the details in the ‘HOW TO CONTACT US’ section below.

YOUR DATA PROTECTION RIGHTS

Subject to possible restrictions under applicable privacy and data protection laws, you can exercise the following rights:

• Right to access: you have the right to obtain confirmation as to whether or not your personal data are being processed and, where this is the case, access to the personal data (Article 15 GDPR). You also have the right to ask us for copies of your personal data. This right always applies. However, there are some exemptions, which means you may not always receive all the information we process.
• Right to rectification: you have the right to ask us to rectify personal data about you that you think are inaccurate (Article 16 GDPR). You also have the right to ask us to complete data you think are incomplete. This right always applies.
• Right to erasure: This is also known as the ‘right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your data where there’s no compelling reason for us to keep using the data (Article 17 GDPR). This is not a general right to erasure; there are exceptions.
• Right to restriction of processing: You have the right to ask us to restrict the processing of your personal data in certain circumstances (Article 18 GDPR).
• Right to data portability: This right only applies to personal data you have given us. You have the right to ask that we transfer the data you gave us to another organization or give the data to you. The right only applies if we are processing personal data based on your consent or under, or in talks about entering into, a contract and the processing is automated (Article 20 GDPR).
• Right not to be subject to a decision based solely on automated processing: you have the right not to be subject to a decision based solely on automated processing of your data - this means without any human intervention - which produces legal effects for you or similarly affects you (Article 22 GDPR). However, we may base our decision on automated processing of your data if you explicitly consented to it. In that case, you have the right to obtain human intervention, to express your point of view and to contest the decision.
• Right to revoke consent: Where we have obtained your consent for the processing of your personal data, you have the right to withdraw your consent at any time. This will not affect the lawfulness of the processing that we carried out prior to the withdrawal.
• Right to lodge a complaint: If you have concerns about the way we handle or process your personal data, you have the right to lodge a complaint with your local Data Protection Authority (Article 77 GDPR).
• Right to object: When we process your personal data for purposes of pursuing our legitimate interests, you have the right to object to such processing (Article 21 GDPR) at any time. If you exercise this right, we will stop the processing unless we have strong and legitimate reasons to continue using your data.

To exercise these rights, please submit a request in writing using the contact details set out below in the ‘HOW TO CONTACT US’ section.

INTERNATIONAL DATA TRANSFERS

We may transfer the personal data we collect about you outside of the European Economic Area (‘EEA’). In particular, we transfer personal data to our affiliates and subsidiaries in the U.S.

Those countries may not offer the same level of protection as the countries within the EEA, and so we will ensure that appropriate data transfer mechanisms are in place where required by law. These include data transfer agreements based on the European Commission’s ‘Standard Contractual Clauses’ (as permitted under Article 46(2) GDPR).

You can obtain more information about how we transfer personal data outside of the EEA by contacting us using the contact details in the ‘HOW TO CONTACT US’ section below.

DATA RETENTION

In general, we will store your personal data as long as necessary to fulfil the purposes for which we collected the data:

• Site Data – Site Data is stored no longer than required by applicable laws.
• Customer Data – Customer Data is stored for as long as required by applicable laws.
• Vendor Data – Vendor Data is stored for as long as required by applicable laws.

In exceptional cases (e.g., in pending litigation matters or where the law requires us to) these personal data may need to be kept for longer periods of time.

Our Site provides links to other websites. These websites may operate independently from us and may have their own privacy notices or policies, which we advise you to review. To the extent any linked websites or apps are not owned or controlled by us, we are not responsible for their content.

LINKS TO OTHER WEBSITES

The Sites may contain links to other websites or online services that are operated and maintained by third parties and that are not under the control of or maintained by us. Such links do not constitute an endorsement by us of those other websites, the content displayed therein, or the persons or entities associated therewith. This Privacy Policy does not apply to this third-party content. We encourage you to review the privacy policies of these third-party websites or services.

SECURITY OF PERSONAL DATA

We use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. However, no method of security or method of transmission over the Internet can be guaranteed to be 100% secure. You should always use caution when transmitting personal data over the Internet.

HOW TO CONTACT US

If you wish to contact us about this Policy:

• You may contact us at: Portola FRG GmbH, Fraunhoferstr. 12, 82152 Planegg, +49 89 25 00 60 -500
• You can also contact Portola’s Data Protection Officer using the following details: Portola FRG GmbH, Fraunhoferstr. 12, 82152 Planegg, +49 (0) 89 2500 60 540, [email protected]

CHANGES TO THIS POLICY

This Policy is subject to occasional revision, and if we make any substantial changes in the way we use your personal data, we will notify you by prominently posting notice of the changes on our website. We also indicate at the top of the Policy when it was most recently updated.