Privacy Policy

Personal data protection policy

I. SCOPE
The present "Personal Data Protection Policy" applies to all activities involving the processing of personal data carried out by MICHELL Y CIA S.A. (hereafter "Michell"). It also applies to individuals from whom Michell requires any processing of their personal data, for which the company is responsible.

II. DEFINITIONS

"ANPDP": National Authority for Personal Data Protection.

"Data Bank": The organized set of personal data referring to an identified or identifiable person, which will be subject to processing.

"Personal Data": Any information about a natural person that identifies or makes them identifiable through means that can be reasonably used. Personal Data includes private data referred to by Law No. 29733 - Personal Data Protection Law (hereafter the Law) and its Regulations.

"Sensitive Personal Data": Personal data consisting of biometric data that can identify the holder by themselves; data related to racial and ethnic origin; economic income, political, religious, philosophical, or moral opinions or beliefs, union membership, and information related to health or sexual life (article 2, ordinal 5 of the Law).

"Processor": The natural or legal person, public or private, who by itself or in association with others, carries out the Processing of personal data on behalf of Sanofi. "Holder": The person to whom the Personal Data being processed belongs.

"Transfer": Any national or international transmission, provision, or communication of personal data to a private legal entity, a public entity, or a natural person other than the personal data holder.

"Processing": Any operation or technical procedure, automated or not, that allows the collection, registration, organization, storage, preservation, processing, modification, extraction, consultation, use, blocking, deletion, communication by transfer or dissemination, or any other form of processing that facilitates the access, correlation, or interconnection of personal data.

This Policy shall be reviewed at least every 2 years or earlier if business conditions and the regulatory environment warrant it. Sanofi reserves the right to modify the content of the Policy without prior notice in order to reflect any legislative, technical, technological changes or changes in the pharmaceutical industry. Once the Policy is updated, it will be available for consultation, and Holders will be notified of the changes indicating the date the modifications took effect.

II. GENERAL INFORMATION
Michell processes personal data in compliance with Law 29733 – Personal Data Protection Law, its Regulation, approved by Supreme Decree 003-2013-JUS, and its complementary and modifying norms (all these hereafter defined as the "Personal Data Protection Normative").

The personal data that we process are stored in personal data banks owned by Michell.

III. OBJECTIVE
This Policy aims to inform the public about our commitment to personal data protection, as well as the guidelines under which we carry out the processing of the same in the exercise of our commercial activities, the purpose for which we do so, and the procedures for the holders of the same to exercise their ARCO rights (access, rectification, cancellation, and opposition) mentioned in the Personal Data Protection Normative.

IV. PURPOSE OF PROCESSING PERSONAL DATA
Michell processes personal data of employees, customers, suppliers, and all those who have some relationship with our company, with the purpose of complying with current legislation, executing the legal relationship that the holders of personal data maintain with our company, as well as any other lawful purpose previously informed to the holders of personal data.

V. GOVERNING PRINCIPLES
Michell commits to respecting the governing principles established in the Personal Data Protection Normative. These are:

Principle of legality: The processing of personal data is carried out in accordance with the law, and the collection of personal data by fraudulent, unfair, or illicit means is prohibited.

Principle of consent: The consent of the holder is required for the processing of personal data.

Principle of purpose: Personal data must be collected for a specific, explicit, and lawful purpose, and their processing should not extend to a different purpose than for which they were collected.

Principle of proportionality: The processing of personal data must be adequate, relevant, and not excessive in relation to the purpose for which they were collected.

Principle of quality: The personal data to be processed must be truthful, accurate, and, as far as possible, updated, necessary, relevant, and appropriate concerning the purpose for which they were collected.

Principle of security: The owner of the personal data bank and the processor must adopt the necessary technical, organizational, and legal measures to ensure the security of personal data.

Principle of recourse availability: The holder of personal data must have the necessary administrative or judicial means to claim and enforce their rights when they are violated by the processing of their personal data.

Principle of adequate protection level: For the cross-border flow of personal data, a sufficient level of protection for the personal data to be processed must be guaranteed, or at least, comparable to that provided by the Personal Data Protection Law or by international standards in the matter.

VI. CONSENT
Michell requires the free, prior, express, unequivocal, and informed consent of the holder of the personal data for their processing, except in cases of exemption expressly established by Law. Michell does not require consent to process personal data obtained from publicly accessible sources, whether free or not; likewise, it may process personal data from non-public sources, provided that these sources have the consent to process and transfer said personal data.

VII. TRANSFER OF PERSONAL DATA
Michell may transfer personal data locally and internationally to Michell and Cía. Companies for any of the purposes indicated in section IV of this Policy in cases where it is legitimized to do so.

Michell may transfer personal data to legally empowered public entities within the scope of their competencies in compliance with current or future regulations or at their request.

VIII. RIGHTS OF THE HOLDERS
Mechanisms must be implemented so that the Holder of the data or the representatives of minors can make requests regarding:

Right to Information:
The purpose for which their data will be processed. Who are or can be their recipients. The identity and address of the owner of the personal data bank. The transfer of personal data. The consequences of providing their personal data and their refusal to do so. The time of data conservation.

Right of Access:
To obtain information, free of charge, about oneself that is the subject of processing in data banks. How their data was collected. The reasons that motivated their collection. At whose request the collection was made. Transfers made or foreseen to be made.

Right to Rectification, Cancellation, and Opposition:
When an omission, error, or falsehood has been noticed. When they are no longer necessary or relevant for the purpose for which they were collected. When the established term for their processing has expired. The company reserves the right to maintain the information in order to comply with special regulations on money laundering prevention. Any request for rectification must be accompanied by the corresponding supporting documentation.

IX. PROCEDURE FOR THE EXERCISE OF THE RIGHTS OF THE HOLDER OF PERSONAL DATA Holders may revoke their consent or exercise their legal rights by presenting their ID or another official identity document and completing the ARCO Rights Form.

1. The Holder must first send an email to LPDP@michell.com.pe indicating that they wish to make a claim.

2. The Personal Data Protection Committee will forward an email with a link, which will redirect to a virtual ARCO Rights Form.

Note: All Holders must scan their ID or another official identity document. And in case the personal data holder requires to exercise their rights through a representative, they must present a notarized power of attorney scanned that empowers them as such and their identity document scanned.

Note: The attention to requests and claims by the holders of personal data must consider the following deadlines:

Information

08 days counted from the day after the submission of the request.

Access

20 days counted from the day after the submission of the request.

Rectification, Cancellation, and Opposition

10 days counted from the day after the submission of the request.

Protection of rights. (APDP)

15 days counted from the notification of the request by the APDP (National Authority for Personal Data Protection).

 

XI. SECURITY OF PERSONAL DATA
In compliance with current regulations, Michell adopts the appropriate legal, organizational, and technical measures to ensure the security of personal data, avoiding their alteration, loss, improper processing, or unauthorized access. For this purpose, it makes available all necessary human and technological resources, applying them in proportion to the nature of the stored data and the risks to which they are exposed. Michell will only carry out processing on personal data that are stored in repositories that meet the security conditions required by the current regulations on personal data protection.

XII. MODIFICATIONS
This Policy has been updated on July 13, 2018, and may be modified by Michell. Should there be any modification to this Policy, it will be published on our website: (www.michell.com.pe)