- Supplier:  the natural or legal person with whom or which the Menarini Group Companies currently have a contractual or pre-contractual relationship (customers, providers, business partners, etc.);

- Data Subjects: employees, associate workers, and natural persons who either act in the name and on behalf of the Counterparty to the Contract or in any case interact with the Menarini Group Companies for reasons connected with the negotiation, execution and performance of the contractual or pre-contractual relationship.

The personal data concerning Suppliers and Data Subjects will be processed by A. Menarini GmbH, Thurgauerstrasse 36/38, 8050 Zurich, Switzerland, which may be reached at dataprivacy@menarini.ch and which will act as the data controller (“Data Controller”). The data protection officer (“Data Protection Officer” or “DPO”) of the Menarini Group may be reached at dpo@menarini.com.

The Data Controller will process the personal data:

Processing will be carried out on the data provided directly by the Data Subjects or by the Supplier.

In addition, in case the Data Subject / Supplier is assigned an electronic account by the Data Controller (e.g., an e-mail account), data concerning access and activity logs will also be collected, in order to protect the security of company IT assets, in particular from cyber-threats. The Data Controller may provide additional information regarding the personal data processing activities and the rules for usage of such accounts by means of separate documents / policies, made available to the the Data Subjects / Suppliers to whom the account is assigned.

Personal data will only be processed for purposes related to the assessment, negotiation, execution and performance of the contractual or pre-contractual relationship, (including due diligence assessment), to fulfil specific legal obligations, to ensure that Suppliers meet Menarini ethical standards or to defend a right in court.

The legal bases for the abovementioned purposes, if required, are performance of a contract or preparation work for the conclusion of a contract, a legal obligation or legitimate interests.

The provision of personal data for the purposes indicated above is optional. However, if personal data are not provided, it will not be possible to establish a contractual or pre-contractual relationship with the Data Controller.

Personal data may only be accessible to the staff of the Data Controller duly authorised to process them, and especially to the staff of the administration bodies and other persons who need to process them in the performance of their duties. The personal data may be transferred, also outside of Switzerland or in non-EU countries (“Third Countries”), to: (i) institutions, authorities, public bodies for their institutional purposes; (ii) third parties and providers used by the Data Controller for the provision of services necessary to pursuit the above purposes; (iii) third parties in the event of mergers, acquisitions, sale of a business or business unit, audits or other extraordinary operations; (iv) the corporate bodies and companies of the Menarini Group responsible for the pursuit of supervisory activities and the application of the Code of Conduct of the Menarini Group; and (v) other Menarini Group Companies for the same purposes as indicated above and / or for administrative and accounting purposes, based on legitimate interests.

The persons receiving the personal data shall process them as Data Controllers, Data Processors or authorised processors for the purposes indicated above and in compliance with the applicable law on personal data.

With regard to the possible transfer of data to Third Countries, the Data Controller represents that the processing will be carried out in accordance with one of the methods permitted by applicable law, such as, without limitation, the consent of the Data Subject, the adoption of Standard Contractual Clauses approved by the European Commission, amended as required by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) the selection of subjects participating in international programmes for the free movement of data or operating in countries considered safe by the European Commission and/or the FDPIC or the Swiss Federal Council.

Personal Data will be kept only for the time necessary for the purposes for which they were collected, in accordance with the principle of data minimisation. The Data Controller may store some personal data even after the termination of the contractual relationship, for the time necessary to fulfil any contractual and legal obligations. The maximum period is in line with the general statute of limitations for contractual claims of 10 years from the time the debt is due.

Data Subjects may obtain from the Data Controller, at any time, access to personal data; rectification or erasure of personal data; restriction of the processing and portability in the cases provided for by applicable data potection laws. Data Subjects may object to the processing of personal data. Requests must be addressed in writing to the Data Controller or to the DPO at the contact details indicated above. Data subjects may also lodge a complaint with the DPO or the competent supervisory authority (for Switzerland the FDPIC), if they believe that the processing of their data infringes applicable data potection laws.