Astellas ISR Portal - End User License Agreement

Investigator Sponsored Research (“ISR”) Privacy Notice

Last updated: March 2020

This Privacy Notice explains how we collect, share and use personal data about individuals in our Astellas Investigator Sponsored Research web site and how you can exercise your privacy rights. This Privacy Notice is applicable to investigators and/or co-investigators and other healthcare professionals who want to submit to Astellas a funding application for research projects they carry out independently (ISRs).

The data controller is the local affiliate in your country of residence, where your personal data will be processed according to our internal processes. The contact details of each data controller globally can be found here.

What personal data does Astellas collect and why?

We ask you to provide certain information voluntarily. The types of personal data we ask you to provide include:

• personal details such as your name, gender and contact details (postal and email address);

• professional details such as your place of practice, job title, the medical field in which you are active, your license and certification details, your work experience, your professional qualifications and scientific activities (such as previous clinical trial experience, and participation in past or pending research studies with Astellas and other companies), your publications of academic or scientific research and articles, and registrations and membership in associations and boards; and

• in case of approved applications, any financial information about our interactions with you including payments and transfers of value to you within the context of any ISR potentially funded by Astellas.

Why do we process your personal data?

We process your personal data in our website for one or all of the following purposes relating to an ISR application you may submit, i.e. to:

• Confirm your qualifications and experience. We do this in order to comply with the suitability requirements for individuals conducting ISR;

• Communicate with you about ISRs;

• Review internally your ISR application;

• Handle your personal data for human resources and logistics purposes in case your application is approved, such as indicatively: handling of administrative and managerial tasks relating to an ISR; time-tracking; compensation; traveling, expense tracking and reimbursement; ensuring compliance with Astellas policies; conducting business analytics and drafting analyses and reports for management in Astellas; enabling internal and external contacts and communications about ISRs that Astellas is supporting;

• Conduct ISRs in an efficient and compliant manner with full respect to the relevant legislation.

Who does Astellas share my personal data with?

We disclose your personal data to the following categories of recipients:

• to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal data for purposes that are described in this Privacy Notice or notified to you when we collect your personal data. A list of our current group companies is available here;

• to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;

• to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal data only for the purposes disclosed in this Privacy Notice;

• to any other person with your consent to the disclosure.

Legal basis for processing personal data (EEA-based visitors only)

If you are a visitor from the European Economic Area, we collect and process the personal data described above in order to take steps at your request to evaluate and assess internally your ISR application prior to entering into a contract with you in case your ISR application is approved. If you execute a contract with us, we rely also on the relevant contract to process personal data about you in order to execute the relevant contract.

In all cases, we will collect and process personal data from you only where we have your consent to do so.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided under the “How to contact us” heading below.

Cookies and similar tracking technology

This website is hosted in an external portal operated by Salesforce. You can refer to the Salesforce Privacy Statement link. Section 4.2 includes information on cookies that are collected by Salesforce.

How does Astellas keep my personal data secure?

We use appropriate technical and organisational measures to protect the personal data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data.

International data transfers

Your personal data is transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Specifically, the servers that we use to host your personal data are located in the EU, the USA and Japan, and our group companies and third party service providers and partners operate around the world. This means that when we collect your personal data we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Notice. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal data between our group companies, which require all group companies to protect personal data they process from the EEA in accordance with European Union data protection law.

We implement similar appropriate safeguards with our third party service providers and partners and further details can be provided upon request.

Data retention

We retain personal data we collect from you where we have an ongoing legitimate business need to do so (for example, to assess your application or to review the progress of your application or the progress of a funded ISR or to comply with applicable legal, tax or accounting requirements).

We retain personal data we collect from you only according to our internal data retention policies.

Your data protection rights

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with all applicable data protection laws.

• If you wish to access, correct, update or request deletion of your personal data, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading below.

• In addition, if you are a resident of the European Union, you can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.

• Similarly, if we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

• You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area are available here.)

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

Use of this Website by minors

We do not intend for our websites or online services to be used by anyone under the age of 18.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.

How to contact us

If you want to exercise any of your data protection rights, please use this link. If you have any questions or concerns about our use of your personal data, please contact our data protection officer using the following