NIDDA HEALTHCARE GMBH PRIVACY POLICY

This Privacy Policy was last updated in October 2023.

OUR COMMITMENT TO PRIVACY

Your privacy is important to Nidda Healthcare GmbH and our affiliates (together, ‘our’, ‘us’, ‘we’, ‘company’ or ‘Nidda Healthcare’).

This Privacy Policy describes how we gather and use personal data for visitors of, and existing or potential investors (‘Investors’) who access, the Nidda Healthcare Investor website. ‘Personal data’ as used in this Privacy Policy shall have the meaning given to it (or any equivalent term) under applicable data protection laws but shall generally mean any information that can be used to identify you as an individual. This Privacy Policy does not apply to any processing of personal data by or on behalf of Nidda Healthcare that is covered by a more specific privacy policy. Please read this Privacy Policy carefully.

Nidda Healthcare Holding GmbH and all Nidda group companies (including Nidda Healthcare GmbH, Nidda Healthcare Holding GmbH and Nidda BondCo GmbH) will each be a controller of any personal data collected by us. If you have any questions regarding our use of your personal data, or this Privacy Policy, please contact ir@stada.de.

We rely on various legal bases under applicable data protection legislation in order to process your personal data, including our legitimate interests, contractual necessity and as required by law. See section “Why we use your personal data” below, for further information. We use the personal data we collect to operate our business and provide you with the services (including Investor services) and products we offer and perform essential business operations.

The types of personal data that we collect are set forth in the section “Information you provide to us” below. We do not collect any special categories of personal data about you (which includes details about your health and genetic and biometric data, information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, and trade union membership), nor information about criminal convictions and offences.

If we require your personal data due to a legal requirement or obligation or in order to perform a contract with you, we will make you aware of this at the time we collect your personal data, and the possible consequences of you failing to provide this personal data (e.g., we may require your passport details to verify your identity for the purposes of anti-money laundering regulations) and failure to provide this personal data means that we cannot provide our services or products to you. In this case, we may have to cancel a service or investment you have with us but we will notify you if this is the case at the time.

You do not need to take any action as a result of this Privacy Policy, but you do have certain rights as described below in the section headed “Your rights”.

HOW WE OBTAIN YOUR PERSONAL DATA

Information you provide to us

We collect your personal data when you decide to interact with us and we only collect personal data necessary to carry out our business for the purposes set out below. You may provide us with personal data via the “Contact” details on the website including by email, post and telephone, or via the “Investor Login” page (‘Investor Portal’). The personal data we collect about you may include your name, name of your employer, address, title, username, job title, position, telephone number and email address, passport information, and financial information. We may also collect personal data about you through automated technology, such as cookies or other online identifiers. See section “Cookies” below, for further information.

Information provided by third parties or publicly available sources

We may also collect personal data from placement agents that we engage to market our applicable services.

WHY WE USE YOUR PERSONAL DATA

To the extent that you provide us with, or we otherwise collect, any personal data, through or in connection with this website, we may use such personal data for the below purposes and may process your personal data on more than one legal basis depending on the specific purpose:

Note that we may process your personal data on more than one legal basis depending on the specific purpose for which we are using your personal data.

No automated decision making, including profiling, is used when processing your personal data.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

We may also monitor communications, where required to do so, to comply with regulatory rules and practices and, where permitted to do so, to protect our respective businesses and the security of our respective systems.

DISCLOSURE AND TRANSFER OF PERSONAL DATA

Although we do our best to protect your personal data, we cannot guarantee the security of any information or data transmitted to or through our website; any transmission of information or data by you to or through this site is at your sole risk.

Your personal data will be shared with and processed by our affiliates and certain service providers as necessary to fulfil the purposes set out in this Privacy Policy, including consultants, agents, contractors and data hosting providers and in some instances, placements agents and other fund administrators. We make sure anyone who provides a service to, or for us, enters into an agreement with us and meets our standards for data security. We may also share your personal data with regulatory authorities. To the extent your personal data is transferred to countries outside of the European Economic Area, such transfers will only be made in accordance with applicable data privacy laws. For further information about the safeguards used, please contact compliance@stada.com.

We reserve the right to disclose your personal data as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator, national security, for the purposes of public importance or any other legal or investigatory process involving us. Should we, or any of our affiliated entities, be the subject of a takeover, divestment or acquisition we may disclose your personal data to the new owner of the relevant business and their advisors.

SECURITY AND RETENTION OF PERSONAL DATA

We are committed to protecting the personal data you entrust to us. We adopt robust and appropriate technologies and policies, so the personal data we have about you is protected to the extent possible from unauthorized access and improper use. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We will keep your personal data only for as long as is reasonably necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required by law. We will not keep more personal data than we need for those purposes. For further information about how long we will keep your personal data, please contact compliance@stada.com.

CAPACITY

This site is only intended for individuals who are at least 13 years of age. We do not knowingly encourage or solicit visitors to this site who are under the age of 13 or knowingly collect personal data from anyone under the age of 13 without parental consent. If we learn we have collected or received personal data from an individual under the age of 13, we will delete that personal data.

COOKIES

Information regarding how you access this website (e.g., browser type, access times, and Internet Protocol (IP) address) and your hardware and software is automatically collected through the use of cookies (a small text file placed on your hard drive) or other technologies or tools. This information is used to improve website performance and for our business purposes. Where cookies are not necessary for us to provide the products or services you have requested or for the functioning of this site, we will ask you to consent to their use. You may opt-in to accept cookies automatically by changing the settings on your browser. If you opt-out of certain cookies, you may not be able to access certain parts of this site. On the website and Investor Portal we use the cookies listed below.

• Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
• Analytical or performance cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
• Functionality cookies help us recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Targeting cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose so that they can serve you with relevant advertising on their websites.

You may wish to visit www.aboutcookies.org, which contains comprehensive information about types of cookies, how they are used, and how you manage your cookie preferences.

YOUR RIGHTS

You have the right to access the personal data we hold about you, and there are a number of ways you can control the way in which and what personal data we store and process about you. To exercise these rights and controls, please contact compliance@stada.com.

• Access: You have the right to ask for a copy of the personal data that we hold about you free of charge, however we may charge a ‘reasonable fee’, if we think that your request is excessive, to help us cover the costs of locating the personal data you have requested.
• Correction: You may notify us of changes to your personal data if it is inaccurate or it needs to be updated.
• Deletion: If you think that we shouldn’t be holding or processing your personal data any more, you may request that we delete it. Please note that this may not always be possible due to legal obligations.
• Restrictions on use: You may request that we stop processing your personal data (other than storing it), if: (i) you contest the accuracy of it (until the accuracy is verified); (ii) you believe the processing is against the law; (iii) you believe that we no longer need your personal data for the purposes for which it was collected, but you still need your personal data to establish or defend a legal claim; or (iv) you object to the processing and we are verifying whether our legitimate grounds to process your personal data override your own rights.
• Object: You have the right to object to processing, including: (i) for direct marketing; (ii) for research or statistical purposes; or (iii) where processing is based on legitimate interests.
• Portability: If you wish to transfer your personal data that we hold and process about you on the legal basis of contractual necessity to another organization (and certain conditions are satisfied), you may ask us to do so, and we will send it directly if we have the technical means.
• Withdrawal of consent: If you previously gave us your consent (by a clear affirmative action) to allow us to process your personal data for a particular purpose, but you no longer wish to consent to us doing so, you can contact us to let us know that you withdraw that consent.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

NOTIFICATION OF CHANGES

We reserve the right to amend this Privacy Policy from time to time by updating this Privacy Policy. If we decide to change our Privacy Policy, we will post those changes so our users are always aware of what personal data we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to collect personal data or use any collected personal data in a manner different from that stated at the time it was collected, we will notify applicable visitors and Investors. We will use your personal data only in accordance with the Privacy Policy under which such personal data was collected.

CONTACT US

If you have any questions or concerns about this Privacy Policy, please contact ir@stada.de.

COMPLAINTS

Furthermore, you have the right to complain to the data protection supervisory authority regarding our processing of your personal data. The relevant supervisory authority responsible for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden

Telefon: +49 611 1408 – 0

E-Mail: poststelle@datenschutz.hessen.de