DATA SUBJECT RIGHTS

IDEOGEN Group GmbH Version 2.0 | March 2026

Applies to: www.ideogen.com, IDEOGEN Partner Platform, all IDEOGEN Group GmbH digital touchpoints and services

Table of Contents

  • Introduction and Scope
  • How to Submit a Request
  • What You Can Request — Your Rights Explained
  • Identity Verification
  • Response Timeframes
  • Format of Response
  • Exceptions and Limitations
  • Complaints and Escalation
  • Internal Workflow (Brief Summary)
  • Contact Details

1. Introduction and Scope

IDEOGEN Group GmbH ("IDEOGEN," "we," "us") is committed to respecting and upholding the rights of individuals with respect to their personal data. This procedure explains how you can exercise your rights as a data subject under:

  • ** (GDPR)** — applicable to processing activities that affect individuals located in the European Economic Area (EEA);
  • Swiss Federal Act on Data Protection (nFADP/nDSG), effective 1 September 2023 — applicable to processing activities of IDEOGEN Group GmbH (Switzerland) and affecting Swiss residents;
  • Other applicable national data protection laws as relevant to IDEOGEN's EU subsidiary operations.

This procedure covers data subject requests (DSRs) submitted in relation to all personal data processed by IDEOGEN Group GmbH as data controller. Where an IDEOGEN Group subsidiary (see Privacy Policy Section 6.1) acts as an independent controller in respect of your data, you should direct your request to that entity directly; we will however assist in routing your request where technically feasible.

2. How to Submit a Request

You may submit a data subject request to IDEOGEN through any of the following channels:

2.1 Email (Preferred)

[email protected]

Subject line: "Data Subject Request — [Type of Request]" (e.g., "Data Subject Request — Access Request")

2.2 Post

Data Protection Officer IDEOGEN Group GmbH Hurdnerstrasse 119 CH-8640 Hurden SZ Switzerland

Please mark the envelope: "CONFIDENTIAL — Data Subject Request"

2.3 Web Form

A dedicated data subject request form is available at www.ideogen.com/privacy/dsr-request (implemented as part of the website relaunch). The form guides you through the type of request, identity verification, and the scope of your request.

2.4 What to Include in Your Request

To enable us to locate your personal data and respond efficiently, please provide:

  • Your full name;
  • Your contact email address or postal address for our response;
  • The type of right you wish to exercise (e.g., access, erasure — see Section 3);
  • Sufficient information to identify the data you are requesting or the processing activity you wish to affect (e.g., the email address you used to contact us, your partner account reference, the date of a medical inquiry);
  • Any relevant context that will assist us in locating your data (e.g., approximate dates of interaction, product names in relation to a PV report).

You do not need to quote specific legal provisions or formal language. A plain-language description of what you want is sufficient.

3. What You Can Request — Your Rights Explained

The following is a plain-language explanation of each right available to you under GDPR and/or Swiss nFADP.

3.1 Right of Access

What it means: You can ask us to confirm whether we hold any personal data about you, and if so, to provide you with a copy of that data along with information about how we use it, how long we keep it, who we share it with, and where it came from.

What you receive: A copy of the data we hold about you, presented in a clear and intelligible format, together with the information described in .

3.2 Right to Rectification

What it means: You can ask us to correct personal data that is inaccurate or to complete data that is incomplete.

Examples: Updating your business contact details on the Partner Platform; correcting a spelling error in your name; adding a missing organisation affiliation.

3.3 Right to Erasure ("Right to be Forgotten")

What it means: You can ask us to delete your personal data. This right applies in certain circumstances, including where the data is no longer needed, where you withdraw consent and there is no other legal basis, or where you object to processing and there are no overriding legitimate grounds.

Limitations: This right does not apply where we are required by law to retain the data (e.g., pharmacovigilance records, commercial/accounting records), or where the data is needed for the establishment, exercise, or defence of legal claims. See Section 7 for full limitations.

3.4 Right to Restriction of Processing

What it means: You can ask us to "freeze" how we use your personal data in certain situations — for example, while you contest the accuracy of the data, while we assess your objection, or while you need data that would otherwise be deleted for a legal claim.

Effect: We will continue to store the data but will not process it further (beyond storage) unless you consent, or processing is needed for legal claims or the protection of another person's rights.

3.5 Right to Data Portability

What it means: Where we process your personal data on the basis of your consent or a contract, and the processing is carried out by automated means, you can ask us to provide your data in a structured, commonly used, machine-readable format (e.g., JSON, CSV). You can also request that we transmit it directly to another controller where technically feasible.

Scope: This right applies, for example, to your Partner Platform account data or marketing subscription preferences, but not to data processed on the basis of legal obligation (e.g., PV data).

3.6 Right to Object

What it means: You can object to our processing of your personal data in two situations:

  • Processing based on legitimate interests ( You can object on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is needed for legal claims.
  • Direct marketing: You have an unconditional right to object to processing of your data for direct marketing purposes, including profiling for marketing. We will stop immediately upon receipt of your objection.

3.7 Right to Withdraw Consent

What it means: Where we rely on your consent to process your personal data (e.g., for marketing communications, analytics cookies), you can withdraw that consent at any time.

Effect: Withdrawal does not affect the lawfulness of processing that took place before withdrawal. Once withdrawn, we will stop the relevant processing.

How: Unsubscribe link in marketing emails; cookie settings link on the website; or contact [email protected].

3.8 Right Not to Be Subject to Automated Decision-Making

What it means: You have the right not to be subject to decisions made solely by automated means — without any human involvement — where such decisions produce legal or similarly significant effects.

IDEOGEN does not currently carry out such automated decision-making. See Privacy Policy Section 10 for details.

3.9 Right to Lodge a Complaint

What it means: If you are not satisfied with how we have handled your request or your personal data generally, you have the right to lodge a complaint with the relevant supervisory authority. See Section 8.

4. Identity Verification

To protect your personal data from unauthorised disclosure, we are required to verify your identity before fulfilling a request. The measures we take are proportionate to the nature and sensitivity of the data involved.

4.1 Standard Requests

For most requests (e.g., access to contact form submissions, marketing preferences), we will ask you to verify your identity by:

  • Confirming the email address or account details associated with your data; and/or
  • Responding to a verification email sent to your registered contact address.

4.2 Requests Involving Sensitive Data

Where a request relates to sensitive personal data (such as health data from a pharmacovigilance report or Partner Platform financial records), we will apply enhanced verification, which may include:

  • A combination of identifiers (e.g., email address plus account reference number or date of last interaction);
  • For requests submitted by post: a copy of a government-issued identity document (passport or national ID card), which will be destroyed after verification and not retained beyond the purpose of verification.

We will not ask you for more information than is necessary to establish your identity.

4.3 Requests by Third Parties / Authorised Representatives

If you are acting on behalf of another individual (e.g., as a legal guardian or authorised representative), you must provide:

  • Proof of your own identity; and
  • Evidence of your authority to act on the data subject's behalf (e.g., a signed written authorisation, power of attorney, or legal guardianship documentation).

4.4 Where We Cannot Verify Identity

If we are unable to verify your identity after reasonable efforts, we may decline to fulfil the request, and will inform you of this in writing, including information about your right to complain to the supervisory authority.

5. Response Timeframes

5.1 Standard Timeframe

We will respond to your request without undue delay and in any event within:

  • 30 calendar days from receipt of your request — for both GDPR (Art. 12(3)) and Swiss nFADP (Art. 16(1)) requests.

The 30-day clock starts from the day we receive your request or, if identity verification is required, the day we receive sufficient information to verify your identity.

5.2 Extension for Complex or Multiple Requests

Where requests are complex or numerous, we may extend the response period by a further 60 calendar days ( — for a total maximum of 90 calendar days.

If we need to extend the period, we will inform you in writing within the initial 30-day window, explaining the reasons for the extension and the expected response date.

5.3 Acknowledgement

Upon receipt of a request, we will send an acknowledgement within 5 business days, confirming receipt, providing a reference number, and confirming any identity verification steps required.

5.4 Suspension of Timeframe

The timeframe is suspended while we await identity verification information from you. We will notify you promptly when the clock has been suspended and when it resumes.

6. Format of Response

6.1 Format

Responses will ordinarily be provided in electronic format (by email or through a secure download link), unless you specifically request a paper response.

Where we provide a copy of personal data (e.g., in response to an access request), we will use a clear, commonly used format (e.g., PDF, structured JSON, or tabular format as appropriate).

6.2 Language

Responses will be provided in English unless you request a response in another language in which IDEOGEN operates (French, German, or Italian), in which case we will endeavour to accommodate your preference.

6.3 Charges — First Copy

Providing a copy of your personal data in response to an access request is free of charge (

6.4 Charges — Further Copies

If you request additional copies of the same data, or if requests are manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable administrative fee based on our actual costs of providing the response. We will notify you in advance before applying any charge.

6.5 Manifestly Unfounded or Excessive Requests

Where we consider a request to be manifestly unfounded or excessive, we may either charge a reasonable fee or decline to act on the request. In either case, we will inform you in writing within the standard timeframe, explaining our reasons and your right to complain to the supervisory authority.

7. Exceptions and Limitations

Not all rights apply in all circumstances. The following are the principal situations in which your rights may be limited or where we may decline a request, in whole or in part:

7.1 Legal Obligations and Regulatory Retention

Where we are required by law to retain data, we cannot comply with an erasure or objection request to the extent it conflicts with that obligation. In particular:

  • Pharmacovigilance data (see Privacy Policy Section 14): We are legally required to retain adverse event reports for a minimum of 10 years (standard products) or 30 years (ATMPs). We cannot erase, restrict, or transfer PV data in ways that conflict with , , or Module VI requirements.
  • Commercial and accounting records: Partner Platform order history, invoicing, and transactional data must be retained for a minimum of 10 years under the Swiss Code of Obligations (Art. 957ff CO) and applicable tax legislation.

7.2 Ongoing Litigation or Legal Claims

Where personal data is subject to a litigation hold (i.e., it is or may be relevant to actual or anticipated legal proceedings), we may decline an erasure or restriction request in respect of that data until the litigation is resolved or the litigation hold is lifted. We will inform you of this fact without disclosing privileged legal strategy.

7.3 Trade Secrets and Confidential Information

We may withhold or redact information in response to an access request where disclosure would adversely affect the rights and freedoms of others, or where the information constitutes a trade secret or confidential commercial information — for example, information about our internal business processes or about third parties not consenting to disclosure.

7.4 Disproportionate Effort or Impossible to Comply

Where compliance with a portability or access request would require disproportionate effort (e.g., because data is held in archival systems not designed for regular access or export), we will indicate this to you and discuss alternative means of providing the relevant information.

7.5 Third-Party Rights

Where personal data relates to or reveals information about third parties (e.g., a jointly submitted inquiry), we may need to balance your access right against the privacy rights of the third party. We will consider each case individually.

7.6 How We Handle Partial Compliance

Where an exception applies to part but not all of a request, we will fulfil the request to the extent possible and inform you in writing about the portion we are unable to fulfil, identifying the applicable exception and your right to complain.

8. Complaints and Escalation

8.1 Internal Escalation

If you are not satisfied with our response or the manner in which we have handled your request, you may escalate your concern directly to our Data Protection Officer at [email protected]. We take all complaints seriously and will provide a substantive response within 15 business days of escalation.

8.2 Right to Complain to a Supervisory Authority

You have the right, at any time, to lodge a complaint with the relevant data protection supervisory authority without first contacting us.

Switzerland — Federal Data Protection and Information Commissioner (FDPIC): Feldeggweg 1 3003 Bern, Switzerland Telephone: +41 58 462 43 95 Website: www.edoeb.admin.ch Online complaint form: available at www.edoeb.admin.ch/edoeb/en/home/the-/contact.html

Netherlands — Autoriteit Persoonsgegevens (AP): PO Box 93374 2509 AJ The Hague, Netherlands Website: www.autoriteitpersoonsgegevens.nl

Spain — Agencia Española de Protección de Datos (AEPD): Calle Jorge Juan 6 28001 Madrid, Spain Website: www.aepd.es

Austria — Datenschutzbehörde (DSB): Barichgasse 40-42 1030 Vienna, Austria Website: www.dsb.gv.at

Malta — Information and Data Protection Commissioner (IDPC): Website: https://idpc.org.mt

Turkey — Kişisel Verileri Koruma Kurumu (KVKK): Website: www.kvkk.gov.tr

You may lodge a complaint with the supervisory authority of your country of habitual residence, your place of work, or the place of the alleged infringement.

9. Internal Workflow (Brief Summary)

> This section is addressed to IDEOGEN staff responsible for handling data subject requests.

The following steps apply to all data subject requests received at [email protected], via the web form, or by post:

DSAR Register: A dedicated DSAR register is maintained by the DPO. It records all requests, status, timelines, outcomes, and any extensions. The register is reviewed quarterly and reported to senior management annually as part of the data protection compliance report.

Extensions: Any decision to extend the response period must be approved by the DPO and documented in the register, with the reason and new deadline communicated to the requester before expiry of the initial 30-day period.

Manifestly Unfounded/Excessive Requests: Any decision to charge or refuse a request on these grounds must be made by the DPO and documented in the register, with supporting reasons, prior to communicating the decision to the requester.

10. Contact Details

Data Protection Officer (DPO) [Name to be appointed] [email protected]

IDEOGEN Group GmbH Hurdnerstrasse 119 CH-8640 Hurden SZ Switzerland Tel: +41 43 311 52 52

General Enquiries: [email protected] Healthcare / Medical: [email protected]

This Data Subject Rights Request Procedure was last revised in March 2026 (Version 2.0). IDEOGEN Group GmbH, Hurdnerstrasse 119, CH-8640 Hurden SZ, Switzerland.