PRIVACY NOTICE

A. INTRODUCTION

Teva Pharma (Thailand) Co., Ltd. (the “Company”) respects your privacy and is committed to protecting your personal data in accordance with the requirements of the Personal Data Protection Act B.E. 2562 (2019) and related notifications (the “PDPA”).

Scope of privacy notice

This privacy notice explains how and why the Company collects, uses, and/or discloses (“Processes” or “Processing”) your personal data, and applies to:

(1) Employment Candidates
(2) Contractors, Suppliers, and Vendors
(3) Healthcare Professionals, Drug Store Owners, Patients, and Related Parties
(4) Office Visitors and Others

It is important that you read this privacy notice, together with any other notices we may provide, in relation to specific occasions on which the Processing of your personal data is carried out so that you are fully aware of how and why we are using your data. This privacy notice supplements any other notices and is not intended to override or replace them.

The Company’s website may include links to third-party websites. Clicking on these links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy standards. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Controller and data protection officer

The Company is a data controller and is responsible for your personal data.

We have appointed a data protection officer (the “DPO”) who is responsible for (among other things) overseeing questions and comments in relation to this privacy notice. If you have any questions or comments about this privacy notice, including any requests to exercise your legal rights, please contact the DPO, whose details are set out below.

Teva Pharma (Thailand) Co., Ltd., located at 689 Bhiraj Tower, 21st Floor, Rooms 1-2 and 7-14, Sukhumvit Road, Klongton Nua, Wattana, Bangkok 

Phone: 02 302 3295 

Email: Privacy.Thailand@tevapharm.com

Changes to privacy notice

This notice may be amended or updated from time to time, so please check back regularly for updates. This version was last updated on 1st March 2023.

It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your dealings with us by contacting the DPO.

B. PERSONAL DATA COLLECTED BY THE COMPANY

We collect both general personal data and sensitive data from you. For more information on the specific types of personal data collected by the Company, please see Section D on the Purpose and Lawful Basis for the Processing of Personal Data.

Definition of personal data and sensitive data

Personal data means any information about an individual from which that person can be identified. It does not include data where that person’s identity has been removed (anonymous data) or the data of a deceased person.

Sensitive data (a special category of personal data) means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, trade union membership, genetic data, and biometric data, as well as data concerning health, disability, sex life, or sexual orientation, in addition to any data which may affect an individual in a similar manner.

Collection of data on minors, incompetent persons, and quasi-incompetent persons

We may collect the personal data of minors, incompetent persons, or quasi-incompetent persons, as defined by the PDPA and related laws. If we do, we will comply with the requirements of the PDPA in collecting the personal data of such individuals.

Your failure to provide personal data

In the case that we need to collect your personal data, as required by law or under the terms of a contract, and you fail to provide your personal data when requested, we may not be able to perform our obligations by law or under the contract in which we are engaged, or with which we are attempting to engage, with you.

C. HOW PERSONAL DATA IS COLLECTED BY THE COMPANY

The Company obtains personal data in the following manners:

  1. Direct interactions
  • You may provide us with your personal data by completing forms or corresponding with us by post, phone, email, or other methods. This includes personal data that you provide when you:
    • complete forms (including application or inquiry forms) or supply other documents to the Company;
    • request communication updates from the Company;
    • complete surveys conducted by the Company; or
    • send feedback to the Company or contact us for another specific
  2. Automated technologies or interactions
  • The Company may automatically collect personal data concerning your computer equipment, browsing activities, and browsing patterns by using internet cookies and other similar
  3. Third parties or publicly available
  • The Company may receive personal data about you from various third parties and public sources. This includes personal data that you have provided when you:
    • complete forms or supply other documents to the Company or a third party that has a relationship with the Company;
    • use or request services from third-party service providers related to the Company, such as when applying for payment services from a company that has a relationship with the Company; or
    • provide personal data publicly with your explicit consent.

D. PURPOSE AND LAWFUL BASIS FOR THE PROCESSING OF PERSONAL DATA

The Company has set out below a description of how we plan to use your personal data, and which legal bases we shall rely on to do so. We have also identified our legitimate interests where appropriate.

Note that the Company may Process personal data in accordance with more than one lawful basis, depending on the specific purpose for which the Company is using the data. Please contact the DPO for more details on the specific legal bases on which the Company is relying to Process your personal data in the case that more than one of the bases as set out in the table below are referred to.

Lawful basis for Processing general personal data

Description

Consent

The Processing is based on consent obtained from you.

Contract

The Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.

Legal compliance

The Processing is necessary for compliance with a law to which we are subject.

Legitimate interests

The Processing is necessary to protect our legitimate interests or the legitimate interests of another person or entity.

Research

The Processing is necessary for achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for the purpose relating to research or statistics.

Vital Interests

The Processing is necessary for preventing or suppressing a danger to a person’s life, body, or health.

Lawful basis for Processing sensitive data

Description

Consent

The Processing is based on explicit consent obtained from you.

Legal compliance

The Processing is necessary for compliance with a specific law to which the Company is subject.

Legal claims

The Processing is necessary for the establishment, exercise, or defense of, or compliance with, legal claims.

Public disclosure

The Processing is with regards to information that is disclosed to the public with the explicit consent of the data subject.

Vital interests

The Processing is to prevent or suppress a danger to the life, body, or health of a person in the case that the data subject is incapable of giving consent for whatever reason.


1. Data of Employment Candidate

Purpose

Type of data

Lawful basis

Application Form

  • To evaluate candidates for recruitment
  • Kept as part of employee profile if applicant joins the company as an employee

Application Form

  1. Name, nationality, date of birth, age
  2. ID card/passport number
  3. Permanent address + present address
  4. Telephone number, mobile phone, e-mail
  5. Name of spouse, occupation
  6. Company/employer
  7. Education history
  8. Curricular activity (name of school/institution, activity, position)
  9. Training and professional courses
  10. Driving license number
  11. Employment history
  12. Relatives
  13. Criminal history
  14. Health issues [surgery history, contagious disease history]
  15. Referee
  16. Photo
  17. Transcript, certificate of employment, housing registration
  18. ID card copy
  19. Signature

General data

  • Legitimate Interests
  • Contract

Sensitive data

  • Consent to access criminal records and list of health issues.
  • Consent for collection of sensitive data (blood type and religion) in ID card (as applicable)

Background check

For background and pre-employment health check
  1. Background check - previous workplace, educational degree, address, credit bureau, social media
  2. Criminal records
  3. Pre-employment health check
  4. Military conscription evidence (if applicable)
  5. Evidence of name change (if any)

General data

  • Legitimate Interests
  • Contract
  • Consent for credit bureau and social media
Sensitive data

Consent to access criminal background check and health check information for assessment of working ability


2. Data of Contractors, Suppliers, and Vendors

Purpose

Type of data

Lawful basis

Contractors: Contracting and Payment

  • For contracting/purchase order process
  • For payment and records, including overtime.

  1. Name
  2. ID card no.
  3. Account number

  • Contract

Contractor: Enterprise Resource Planning

  • For user ID creation in Enterprise Resource Planning (ERP) system
  • To input information into ERP system

  1. Name
  2. ID card no
  3. Telephone number
  4. Date of birth, nationality, location, education
  5. Work experience

  • Legitimate interests (create contractor and expense records in ERP system)

Contractors: Monitoring and Coordination

  • For monitoring working times and reports for contractors (security, housekeeper, gardener, driver)
  • For coordinating all maintenance roles e.g., electrical, plumbing, air conditioning, furniture

  1. Name
  2. Phone number
  3. Hours of work

  • Legitimate interests (monitoring and coordination)

Vendors: Contracting

For opening vendor form and making contract
  1. Copy of ID card
  2. Name, date of birth, address, email, phone number

General Data

  • Contract

Sensitive Data

  • Consent for collection of sensitive data (blood type and religion) in ID card (as applicable)

Vendors: Payments

  • For recording of payments and expenses.
  • For payment
  1. Name
  2. Address
  3. ID card number
  4. Phone number
  5. Bank account
  6. Email
  7. Agreement
  • Legitimate Interests
  • Contract

  • For issuing invoice and receipt

  8. CV of speaker

Vendors: Enterprise Resource Planning

  • For vendor ID creation in the ERP system
  • To input information into the ERP system
  • For vendor expense records in ERP system
  • For creating data request form

  1. Name
  2. Address
  3. ID card number/passport number
  4. Phone number
  5. Bank account
  6. Email
  7. Nationality
  8. Location

  • Legitimate Interests

Tax

  • To submit withholding tax to Revenue Department

  1. Name
  2. Address
  3. ID card number

  • Compliance with law (withholding taxes and other Tax required under Tax law)

Suppliers for facility management

  • For creating purchase order in ERP program as facility service for operation
  • For collaborating contract agreement and purchase order for supplier

  1. Name
  2. ID card number
  3. Bank account number

  • Contract
  • Legitimate Interests

Catering and transportation

  • For collaborating with catering and transportation providers to support business functions and meetings

  1. Name
  2. Phone number

  • Legitimate Interests


3. Data of Healthcare Professionals (“HCPs”), Drug Store Owners, Patients, and Related Parties

Purpose

Type of data

Lawful basis

Speaker

  • For selection as a speaker at a Company event
  • For sharing speaker’s details
  • For payment

  1. Name
  2. ID card no./passport no., bank account no., credit card no.
  3. Address, email, telephone number
  4. Location, education, financial information, employment information
  5. Work experience

  • Legitimate Interests
  • Contract

Direct Marketing

  • To communicate Company’s information
  • For events and activities

  1. Name
  2. Email, telephone number and LINE ID
  3. Profession and workplace

  • Consent

Account Creation

  • To create a new purchase account with our affiliate so that HCPs and drug store owners can purchase medicine via the account.

  1. Name
  2. ID card no./passport no., bank account no., credit card no.
  3. Address, email, telephone number
  4. Date of birth, nationality, education, financial information, employment information
  5. Profession and workplace

  • Legitimate Interests
  • Contract

Investigators

  • To retain CVs of healthcare professional investigators in order to comply with regulatory requirements on the conduct of Bioequivalence studies

Curriculum Vitae of investigators

  • Legitimate Interests

MITR LINE

  • To facilitate and allow HCPs to report Pharmacovigilance/Drug Safety Report via MITR LINE
  • For disclosure of Pharmacovigilance/Drug Safety Report to foreign countries

Name/abbreviated name, LINE ID,

  • Legitimate Interests
  • Consent

Drug Safety Report (HCPs)

  • To use and disclose Pharmacovigilance/Drug Safety Report by HCPs

Name/abbreviated name, LINE ID, [occupation, phone number]

  • Legal Compliance

Tiering of HCPs

  • To tier HCPs who are our business partners for business reasons

CVs of HCPs, including date of birth, nationality, location, education, employment information and work experience

  • Legitimate Interests

Approval in Dealing with HCPs

  • For our employees to obtain approval for activities that they perform with HCPs.

Name, hospital name

  • Legitimate Interests

Patients

  • For usage as part of drug safety report as required by law for submission to the food and drug safety administration and other government agencies.

Name, hospital name, HN (hospital number), medical diagnosis, co-morbid diseases, medication use, [ID card number, title, gender, nationality, age, weight, drug allergy history, disease history and health status]

  • Legal Compliance

Patients

  • For sharing data as part of clinical studies

Name, hospital name, HN (hospital number), medical diagnosis, co-morbid diseases, medication use

  • Consent


4. Office Visitor and Others

Purpose

Type of data

Lawful basis

Building Management

  • For coordinating with Bhiraj management for any operational issues

  1. Name/Nick name
  2. Phone number

  • Legitimate Interests

Transferring Calls

  • For operator to pick up and transfer incoming telephone calls

  1. Name/Nick name
  2. Phone number

  • Legitimate Interests

For Safety

  • For recording CCTV footage on Company’s premises

CCTV footage

  • Legitimate Interests

 

Note that we may also elect to process your personal data in accordance with another lawful basis under the PDPA as the situation requires.

Change of purpose

The Company will only use your personal data for the purposes for which we have collected it, as set forth above, unless we reasonably consider that we need to use it for another reason, and that reason is compatible with the original purpose. If you wish to be provided with an explanation as to how the new purpose is compatible with the original purpose, please contact our DPO.

If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

E. DISCLOSURE OF PERSONAL DATA

Subject to the purposes above, the Company may disclose your personal data to the entities set out below.

  • Persons that we have legal relationships with, including our employees and staff.
  • The Company’s business partners and representatives or other organizations (such as independent auditors, information and document service providers, personal data processing service providers, and other service provider platforms that have a legal relationship with the Company and/or you).
  • Contractors, Suppliers, and
  • Government agencies and/or the agencies responsible for regulating the business of the Company
  • Courts, organizations, or any other entities to which the Company is ordered or consents to disclose personal data in compliance with the law and/or relevant rules.
  • In the case of business rehabilitation, merger, business transfer — in whole or in part, sale, purchase, joint venture, or the delivery, sharing, or distributing, whether in whole or in part, of shares of business assets or other similar transactions, the Company may have a legitimate reason to disclose personal data to the third party which is on the receiving end of the transaction or which is the intended recipient of the transferred rights of the Company and their advisors.
  • Other service providers of the Company, including, but not limited to:
    • debt collectors;
    • internet service providers;
    • information technology service and support providers;
    • local or international cloud storage service providers;
    • lawyers, consultants, auditors, and/or other professionals who support or assist the business operations of the Company;
    • payment service providers and payment systems service providers;
    • printing service providers;
    • security providers;
    • storage service providers and/or document destruction service providers;
    • telecommunication and communication service providers; and
    • website

Note that we may also be required to share your personal data with third parties by law.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to Process your personal data for the purposes specified and in accordance with our instructions.

F. INTERNATIONAL TRANSFER OF PERSONAL DATA

The Company may transfer personal data outside of Thailand on an as-needed basis.

Included below are the most common scenarios in which the Company will transfer your personal data outside of Thailand and the lawful basis upon which the Company relies for the benefit of compliance with the requirements of the PDPA.

Lawful basis for transfer of personal data

Description

Adequacy of data protection standards

The destination country has adequate data protection standards, and the transfer is carried out in accordance with the rules for the protection of your personal data as prescribed by the Personal Data Protection Committee.

Consent

The transfer is based on consent obtained from you.

Compliance with a contract to secure the interests of the data subject

The transfer is necessary for compliance with a contract between us and another entity to secure your interests.

Compliance with the law

The transfer is necessary for compliance with the law.

Necessary for the performance of a contract or in order to take action prior to entering into a contract

The transfer is necessary for the performance of a contract or in order to take action prior to entering into a contract.

Purpose

Lawful basis

Clinical Study

Sending name of HCPs as well as the name, hospital name, HN (hospital number), medical diagnosis, co-morbid disease and medication use of patients to foreign countries for Pharmacovigilance/Drug Safety Report as part of a clinical study.

  • Consent


G. SECURITY OF PERSONAL DATA

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in any unauthorized way and to prevent it from being altered or disclosed. In addition, we limit access to your personal data to employees, agents, contractors, and other third parties, on a need-to-know basis. These entities may only Process your personal data in accordance with our instructions, and they are subject to a duty of confidentiality.

We have security programs and procedures in place for any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

H. RETENTION OF PERSONAL DATA

Personal data is retained by the Company for as long as necessary for the purposes associated with the data.

In determining the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we Process the personal data, and whether we can achieve these purposes through other means, as well as the applicable legal requirements.

Below are general estimates of the periods for which personal data is retained by the Company.

1. Employment Candidate

General purpose

Retention period

Employee candidates

Employee candidate data is kept for one year after application cycle period ends

Contractor (General)

Contractor information is kept for ten years from end of contract

Contractor (IT)

IT contractors’ data is kept for two years after the end of the contract.

2. Contractors, Suppliers, and Vendors

General purpose

Retention period

Vendors’ data as part of enterprise resource management program

Data are kept for ten years after end of relationship with the vendor

Signatories of vendors (for opening vendor form and making a contract)

Data of the signatories are kept for five years after end of contract


3. Healthcare Professionals, Drug Store Owners, and Related Parties

General purpose

Retention period

HCPs (for a speaker at a Company event)

Data of the speaker is kept for three years

HCPs, drug store owner (create purchase account with affiliate)

Data received by email is deleted after sending it to affiliate

HCPs, drug store owner or contact person

Data is kept for five years

HCPs data for reporting Pharmacovigilance/Drug Safety

Personal data relating to HCPs reporting of Pharmacovigilance/Drug Safety are kept for five years.

If the data is part of a clinical study, it is kept for ten years

HCPs data for our employee to obtain approval before conducting activities with HCPs

Data is kept for ten years after last engagement with HCPs

Participant in clinical studies

Data is kept for ten years after study concludes


4. Office Visitor and Others

General purposes

Retention period

Callers to company (to transfer incoming phone calls from the individuals to the right department and person)

Caller data is cleared out every month

CCTV image for safety

CCTV footage is kept for thirty days.

Catering and transportation data (for collaboration to support business)

Data is kept for one year from end of service agreement

Building manager (for coordinating)

Until building management contact person changes


I. LEGAL RIGHTS

Your legal rights 

You have the following rights under the PDPA in relation to your personal data collected by the Company:

  • insofar as the processing is taking place on the basis of your consent, to revoke your consent at any time with effect for the future (this does not affect the legality of the data processing which occurred prior to the revocation on the basis of consent);
  • to request access to your personal data, allowing you to receive a copy of the personal data we hold about you; additionally, you can request the disclosure of any personal data obtained without your consent;
  • insofar as the personal data is in a machine-readable format, to demand from us that we issue your data in such format and transfer it to another entity;
  • to demand that we restrict the processing of your personal data or delete it; 
  • insofar as the processing is taking place on the basis of legitimate interest, for the purpose of direct marketing, or for scientific, historical, or statistical research, to opt out of the processing by us;
  • to demand that we correct incorrect, out-of-date, misleading, or incomplete personal data; and
  • to file a complaint with the expert committee under the PDPA concerning our processing of your personal data.

Please note that your rights are not absolute, and we reserve the right to reject your requests in accordance with the PDPA.

Exercising your legal rights

If you wish to exercise any of the rights set out above, please contact us via our DPO.

You will generally not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request as permitted by law.

We may also need to request specific information from you to help us confirm your identity and ensure that you have the right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

The DPO will request additional information if the Officer determines that you are unable to act with legal independence.

Finally, we try to respond to all legitimate requests as soon as possible and within 30 days. Occasionally, however, it may take us longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you informed of any updates.

J. COOKIES POLICY

The Company uses cookies to collect information about you and store your online preferences. Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the website when you return to it: this is useful because it allows the website to recognize your device. To find out more about cookies, please visit www.allaboutcookies.org.

The Company uses the following categories of cookies on the website:

Category 1: Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the website will not then work.

Category 2: Performance Cookies

These cookies collect information on how people use the website. For example, the Company uses these cookies to help us understand how customers arrive at the website, browse or use the website and highlight areas where we can improve areas such as navigation, user experience and marketing campaigns. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how the website works.

Category 3: Functionality Cookies

These cookies are set to enhance functionality and personalization on the website. These cookies remember choices you make (such as language choices). These can then be used to provide you with an experience more appropriate to your selections and to make your visits to the website more tailored. The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites.

If you want to delete any cookies that are already on your computer, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.

Information on deleting or controlling cookies is also available at www.allaboutcookies.org. Please note that by deleting our cookies (or disabling future cookies) you may not be able to access certain areas or features of the website.

Retention period of Cookies

Where we place cookies directly on the website, we typically keep information collected from such cookies for a maximum period of 6 months.

Use of Web Beacons

Some pages of our website and e-mails we may send may contain electronic images known as web beacons (sometimes known as clear gifs) that allow us to count users who have visited these pages or read our e-mails. Web beacons collect only limited information which includes a cookie number, time and date of a page view, and a description of the page on which the web beacon resides. These beacons do not carry any personal data and are only used to track the effectiveness of a particular campaign.