PRIVACY NOTICE FOR RESEARCH PARTICIPANTS

Effective Date: 08 AUG 2024

1.0 Introduction

CARE ARTHRITIS LTD. (“CARE”, “we”, “us”, “our”) sponsors ethically approved clinical trials. We take the protection of personally identifiable information (“Personal Data”) very seriously. This Privacy Notice (the “Notice”) addresses individual patients (“Data Subjects”) whose Personal Data we may receive in connection with the clinical trials (“Trial” or “Trials”) we sponsor.

Please read this Notice to learn what we are doing with your Personal Data, how we protect it, and how you can exercise your privacy rights.

This Notice does not apply to Personal Data collected by any other means, like Personal Data collected through our public website. This Notice does not apply to Personal Data of our employees or medical staff assisting with Trials.

Your participation is voluntary, and you will be asked to sign a separate informed consent form that describes the Trial and confirms that you wish to participate. By consenting to the Trial, you also agree to allow us to use your Personal Data as described in this Notice.

Because at least part of the Trial (e.g., your participation) may take place in the European Union (“EU”), the EU’s data privacy law, known as the General Data Protection Regulation (“GDPR”), may apply. This Notice tells you what Personal Data the researchers collect, why this Personal Data is collected, and how the researchers use that information.

2.0 Controllership

Within the scope of this Notice, CARE generally acts as a data controller for the Personal Data processed in the context of the Trials we sponsor. This means that we alone determine the purpose and means of the processing of your Personal Data.

In some jurisdictions, we are considered a “joint controller” with another organization, such as the study site where the Trial is being conducted. This means that we jointly, together with the other organization, determine the purpose and means of the processing of your Personal Data. If you would like to know more about any other data controllers who might be joint controllers together with CARE, you may ask your study doctor or the study site for further details, specifically relating to the Trial that you are participating in.

3.0 Personal Data We Collect and Process

“Personal Data” means any information which can identify you. When you enroll in the Trial and/or throughout the research, we will obtain the following kinds of information about you:

• Medical Data: Medical histories and questionnaires, as well as various test results (may include genetic test results), lab results, scans, images, and bio samples.
• Location Data: Medical records often reveal location data, in that they reveal when an individual received treatment in a certain facility.
• Demographic Data: The medical records collected and processed in connection with the study and the administrative records created and processed during your enrolment into the study will reveal certain demographic data about you, including your name, initials, health insurance number, contact information, ethnicity, race, month/year of birth and sex.

Note that the Personal Data we collect will include the following details about you, which the GDPR considers particularly sensitive, such as:

• racial or ethnic origin;
• gender identity;
• genetic data;
• biometric data for the purposes of unique identification; and
• health data.

We will only ever collect personal information that is appropriate and necessary for the specific research project being conducted. The specific information that we will collect about you will be described in the study specific informed consent form given to you by the study site.

4.0 Confidentiality: How We Use Your Personal Data

We use the Personal Data you provide to help you participate in the Trial. We are committed to protecting the confidentiality, integrity, security, and privacy of the Personal Data you give us. All records from this Trial will be kept confidential. Your responses will be kept private.

You will not be identified on any study-related document by name, address, telephone number or any other direct identifier. Your name will not be associated with your study data, results, or samples. A unique participant identification number assigned to you will also be used as code for this study and will appear on all your study-related documents and samples. The study doctor will keep a list that matches participant identification numbers to participant names, but the study doctor will not send that list to CARE.

Under the GDPR, we process (i.e., use, store, analyze, etc.) your Personal Data with your consent, for scientific or historical research purposes, or as otherwise explained in the Basis of Processing section below. Please note, in certain limited circumstances, we may be required to share your Personal Data to comply with the law, regulatory requirements, or an enforceable governmental request, to prevent fraud or abuse related to the Trial, or to protect our legal rights. We may process your Personal Data for the purposes of:

• managing and facilitating the Trial;
• enabling your participation in the Trial;
• answering the research questions for the Trial and aggregating data to generate statistics relating to the Trial and/or study drug or health treatment;
• arranging for the delivery of drugs to you and collection of unused drugs from you in relation to the Trial or participation in an Expanded Access Program;
• to process reimbursement payments for your time and travel related to study participation;
• sending you reminders about your appointments at the study site, or to take your medication on time;
• monitoring and reporting on any adverse events, such as negative side effects;
• developing new medicinal drugs or health treatments;
• complying with legislation governing Trials;
• disclosing your Personal Data to the appropriate regulatory authorities, auditors, and ethics committees, if required by law;
• responding to your inquiries and requests; and
• communicating with you on the status of the Trial.

We also process your Personal Data for the specific purposes described in the informed consent form provided to you by Trial personnel.

5.0 Basis of Processing

We may process your Personal Data on the basis of:

• Consent: We may ask for your consent to collect and process your Personal Data, including special categories of Personal Data, such as your health status and medical history.
• Contract: We may process your Personal Data to fulfill a contract we have with you.
• Compliance with Legal Obligations: We may need to process your Personal Data for us to comply with applicable laws or regulations, such as the laws regulating the safety and reliability of our Trials.
• Legitimate Interests: We may process your Personal Data based on our legitimate interests in facilitating and managing our Trials (which are to carry out and evaluate clinical trials to understand conditions and develop medicines, to ensure safety of its products, to inform decisions from regulatory authorities on access and reimbursement of new treatments for the benefit of patients, and to advance scientific research and medical discovery) and these interests do not prejudice or harm your rights and freedoms.
• Public Interest: We may process your Personal Data for reasons of public health interests to ensure adequate standards of quality and safety of the drugs or treatments we are developing.

Where we process your Personal Data based on your consent, you may withdraw your consent at anytime. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.

Where we receive your Personal Data as part of a contract we may have with you, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to fulfill our contractual obligation towards you.

Where we process Personal Data on the basis of our legitimate interests, we will always do so after a careful assessment which requires balancing your right to privacy and our legitimate interests.

Since we process special categories of Personal Data, such as your health status and medical history, the GDPR requires that we must have an additional ground to process this type of information. CARE may process your special categories of Personal Data on the basis of your explicit consent, or where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above in order to comply with the requirements of local laws in jurisdictions where we sponsor Trials. Please refer to the informed consent form you signed when you joined the Trial for more information about the legal grounds on which we process your Personal Data.

6.0 Automated Individual Decision-Making

If you participate in a Trial we sponsor, you will be assigned a unique patient identification number. This number may be used as part of an automatic process that randomly determines if you will receive the experimental drug product or treatment that is being evaluated in the Trial, or if you will receive a different treatment. This type of automated decision-making is required in order to ensure that the Trial is conducted in an ethical way, and in accordance with the pharmaceutical industry’s standards.

For decisions that may seriously impact you, you have the “right not to be subject to automatic decision-making, including profiling". But in those cases, we will always explain to you when we might do this, why it is happening, and the potential effect on you.

7.0 Your Rights with Respect to Your Personal Data

You may ask to exercise your rights as a data subject, which are described below, by contacting the Principal Investigator listed in the informed consent or using the information in the “Contact Us” section below. Please note that even if you request access, review, or deletion of your information, it may not occur until after completion of the Trial in order to protect the integrity of the research. In addition, we may not be able to delete certain information about you if necessary to comply with the law.

If we process your Personal Data, you will have the right to request access to (or to update or correct) that Personal Data. This means that you have the right to ask us to confirm whether or not we process your Personal Data, and, where that is the case, obtain a copy of or access to your Personal Data and other related information (such as the purposes for which we collected your Personal Data, and the categories of third parties that we share it with). You can also ask us to correct, without undue delay, anything that you think is wrong with the Personal Data we have about you, and to complete any incomplete Personal Data.

You may also have the right to ask that we limit/restrict our processing of your Personal Data (e.g., if you ask us to only use or store your Personal Data for certain purposes). You have this right in certain circumstances, such as where you have reason to believe the data is inaccurate or the processing activity is unlawful.

You have the right to object to our processing of your Personal Data. We will always strive to fulfill your request. However, please note that there are occasions when doing so may not be possible, like when the law tells us we cannot do that, or where we need your Personal Data to complete the transaction for which we collected the Personal Data.

As discussed under Basis of Processing above, if we requested your consent to process your Personal Data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.

You may also have the right to “data portability”, which means that you may have the right to ask us to provide you with a copy of your Personal Data. If you exercise this right, we will provide you with a copy of your Personal Data in a structured, commonly used and machine-readable format.

You also have the right to lodge a complaint with a data protection regulator in one or more EEA member States, including the Member State of your habitual residence, place of work, or of the alleged infringement of the GDPR. Contact information for the relevant regulators is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

8.0 Retention of Your Personal Data

After the Trial is completed, or after you have decided to stop participating, we may retain your Personal Data for as long as necessary for the following reasons:

• to fulfill the objectives of the research; and
• to ensure the integrity of the research.

Your data may be used for other scientific research into further development of the study medication after completion of this Trial. For this purpose, your data will be stored for a maximum of 10 years.

We may also keep your Personal Data for longer periods if required by law or to protect our legal rights. Once your information has been entered into the Trial records, we cannot remove it without affecting the accuracy of the Trial and the test results. Some laws require us to keep Trial records for at least 25 years after the conclusion of the Trial. We will ensure that your Personal Data is safeguarded at all times.

9.0 Sharing Personal Data with Third Parties

We may share Personal Data with our service providers who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in fulfilling the purposes of processing as described above, or as required by law. Our service providers include parties providing:

• contract/clinical research organization services;
• patient recruitment services;
• quality assurance, safety and pharmacovigilance software and related services;
• data storage and archiving software and related services;
• data analytics and reporting software and services;
• services related to the collection, storage, testing, and transportation of biological material;
• software that randomly decides which treatment you will receive during the Trial;
• study participant expense reimbursement services; and
• electronic data capture software and hardware.

10.0 International Transfers of Personal Data

Some of the above mentioned third parties may be located in countries outside of the EU or the EEA. In some cases, the European Commission may not have determined that those countries’ data protection laws provide a level of protection for your Personal Data. When the GDPR applies to the processing of your Personal Data, we will only transfer your Personal Data to third parties in countries which are recognized as providing an adequate level of protection for Personal Data, or who provide appropriate safeguards to protect your Personal Data. These safeguards may include the model data protection clauses approved by the European Commission (i.e., the Standard Contractual Clauses). To access these model clauses, please contact our Data Protection Officer.

11.0 Other Disclosures of Your Personal Data

We may disclose your Personal Data:

• to regulators or competent authorities, to the extent necessary to comply with applicable laws, regulations, and rules (including, without limitation, federal, state, or local laws);
• to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties);
• if, in the future, we sell or transfer, or consider selling or transferring, part or all of our company, business, shares, or assets to a third party, and we disclose your Personal Data to such third party in connection with the sale or transfer; or
• in the event that we are acquired by, or merged with, a third-party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose, or assign your Personal Data in connection with the foregoing events.

If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

12.0 Privacy of Children

We obtain parental or legal guardian consent before processing personal data about children.

13.0 Safeguards Protecting Your Personal Data

The security and privacy of your Personal Data is deeply important to us. CARE takes appropriate steps, including technical, administrative, and physical security measures, to protect Personal Data against loss, misuse, and unauthorized access, disclosure, and deletion. For example, CARE employs:

• Policies and procedures that outline how to collect and use your information safely.
• Trainings which ensure that our staff understand the importance of data protection and how to protect your data
• Security standards and technical measures that ensure your information is stored safety and securely
• Contracts with companies or contractors have confidentiality clauses to set out each party’s responsibilities for protecting your information.
• If we use companies outside of Canada, we will ensure that they have adequate data protection laws or contractual mechanisms for international transfers have been put in place.

The informed consent form further describes how the Principal Investigator maintains the confidentiality of your data.

14.0 Contact us

If you have any questions about this Notice or our processing of your Personal Data, or you wish to stop participating in the Trial, please first speak with your study doctor. You may also contact our Data Protection Representative directly using the contact details listed below or contact CARE’s Compliance Department (compliance@carearthritis.com). Please allow up to four weeks for us to reply.

15.0 Data Protection Representative

While you may contact us at any time, our data protection representative can be contacted about matters related to the processing of your Personal Data.

16.0 European Union Legal Representative and Data Protection Representative (DPR)

We have appointed RegIntel as our representative in the EU for data protection matters. To contact RegIntel, please use the contact information below:

Contact Name: Patrick Kennedy Martin
RegIntel Ltd.,
Templetown, Carlingford,
County Louth A91X097
Ireland
Phone: +353 429376740
Email: bmartin@regintel.com

Data Protection Representative Contact Details:
RegIntel Ltd. and Affiliates
Email: DataProtectionRepresentative@regintel.com

17.0 Changes to this Notice

If we change this Notice, we will publish the revised Notice on our website. We will also update the “Effective” date.