Supplemental UK and EU GDPR Privacy Statement (“Supplemental Statement”)

As the data controller, PVI, PeerView Institute for Medical Education, 1, rue Hildegard von Bingen, L-1282 Luxembourg, Luxembourg is required to provide additional and different information about its data processing practices to data subjects in the European Economic Area (“EEA”) and the United Kingdom (“UK”). This is on account of the European Union Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”) and the UK General Data Protection Regulation (“UK GDPR ”).

1. Who Does This Supplemental Statement Apply To?  

This Supplemental Statement applies to Users who access the Services from a member state of the EEA or the UK. The Supplemental Statement applies to you in addition to the Privacy Policy.

2. What Are the Contact Details of the GDPR Representative or DPO?

PeerView has appointed a data protection officer. Their contact details are as follows: Dr. Sebastian Kraska, Marienplatz 2, 80331 Munich, Germany; email@iitr.de.

We have appointed an UK GDPR-specific representative for the UK GDPR. Their contact details are as follows: Rickerts Services Ltd UK, PO Box 1487, Peterborough, PE1 9XX, United Kingdom; art-27-representative@rickert-services.uk.

3. What Are the Legal Bases for Processing Personal Data?

We process your personal data on several different legal bases, as follows:

• Contractual Necessity (see Article 6(1)(b) of the EU GDPR): When you access, use or register for Service, you form a contract with PeerView. This contract is based on the applicable terms of use or terms of service. We need to process your personal data to discharge our obligations in any such contract, fulfill your requests and orders, answer questions and requests from you, and provide tailored customer support.
• To pursue our legitimate interests (see Article 6(1)(f) of the EU GDPR): We process your personal data to send you invitations to relevant continuing medical education activities (unless you have opted out), medical newsletters (unless you have opted out), invitations to relevant educational needs assessment surveys (unless you have opted out), to understand which products and services may be relevant to you, and to generally improve our products, services and business practices.
• To comply with legal obligations (see Article 6(1)(c) of the EU GDPR): We may need to process your personal data to comply with relevant laws, regulatory requirements, and to respond to lawful requests, court orders, and legal process to which We are subject.
• Your consent (see Article 6(1)(a) of the EU GDPR): We process your personal data on the basis of your consent in various instances, such as with respect to cookies that are not strictly necessary. Your consent can be withdrawn at any time, but this does not affect the lawfulness of processing based on consent before such withdrawal.

Purposes of Use or Disclosure	Legal Bases of Processing and, if applicable, Legitimate Interests
Manage our relationship with you, including to: Create an account for you for the Services upon request; Respond appropriately to your inquiries; Update you regarding your account; Provide you with, maintain, secure, and improve our Services; Provide you with a customized experience in connection with our Services; Collect personal data about you from public resources, such as national or local registries of physicians, national or local medical associations, the public websites of hospitals, medical offices, clinics and educational institutions, academic journals, and professional social networking platforms such as LinkedIn, to validate your identity and better understand which medical news, education activities and surveys may be of most interest to you. Improve the accuracy and relevance of the results you see when you interact with the search engine and the search engine's integrated chatbot functionality that is part of our Services.	If we are contractually obligated to perform the processing based on the terms that apply to the applicable Service, Contract Performance Legal Basis. If the GDPR requires us to perform the processing to comply with the GDPR, Legal Obligations Legal Basis. In all other cases, Legitimate Interest Legal Basis—namely, to provide you and our other users with a good experience with our Services, prevent fraud and illegal conduct, administer and enforce our contractual and legal rights, and manage and improve our business operations and relationships with third parties.
Discharge our contractual obligations to you.	Contract Performance Legal Basis.
Comply with any legal obligations that apply to us.	If you are in the UK and the legal obligation emanates from UK law, or if you are in the EEA and the legal obligation emanates from a law of a Member State or the EEA, Legal Obligations Legal Basis. An example is to comply with the GDPR. Otherwise, Legitimate Interest Legal Basis—namely, to ensure that our Services comply with all applicable laws.
Send you invitations, newsletters and other related information as part of our Services, including: Invitations to participate in online medical education activities, including accredited continuing medical education activities, and information about medical activities and promotional communications; Invitations to learn more about and request information from us about patient assistance resources, such as sample activities and co-pay incentive activities; Medical newsletters including the top medical news in your field of interest and medical alerts; and Invitations to complete market research surveys, typically in exchange for honoraria.	If consent is not legally required and you would reasonably expect to receive such information, Legitimate Interest Legal Basis—namely, to deliver to you invitations, newsletters and other related information that we believe may be relevant to you, to help pharmaceutical and other life sciences companies reach a greater audience, and increase medical professionals’ awareness of relevant education activities, patient assistance resources, and medical news. Otherwise, Consent Legal Basis.
Use cookies, web beacons and similar technologies to customize your experience with our Services and track who is opening our electronic communications.	If consent is not legally required and you would reasonably expect us to engage in such processing, Legitimate Interest Legal Basis—namely, to provide you with a better experience on our Services, to help us improve our Services, and to take steps to confirm whether an individual wishes to continue to receiving our electronic communications if they are not opening them and potentially delete their personal data if appropriate. Otherwise, Consent Legal Basis.
If you respond to a survey, we process your personal data to: (i) verify your eligibility to participate in a study; (ii) validate your identity and responses; (iii) process your honoraria payment; (iv) provide anonymized survey results to third parties; and (v) identify a particular respondent to comply with applicable legal requirements, such as adverse events reporting requirements.	Where we are contractually obligated to perform the processing based on the terms that apply to our administration of the survey, Contract Performance Legal Basis. If you are in the UK and the legal obligation emanates from UK law, or if you are in the EEA and the legal obligation emanates from a law of a Member State or the EEA, Legal Obligations Legal Basis. An example is to comply with local adverse event reporting laws as applicable. In all other cases, Legitimate Interest Legal Basis—namely, to prevent duplicate or fraudulent responses, to maintain the integrity of the responses to the survey, to provide anonymized survey results to third parties to help inform their business activities, and to comply with legal requirements outside of your jurisdiction, such as adverse event reporting requirements, as applicable.
If you participate in a medical education activity that we publish and thereby obtain a continuing medical education or similar certificate, we may disclose the fact that you participated in the activity to the medical school or institute that accredited the activity for the purposes of complying with professional accreditation recordkeeping requirements.	Legitimate Interest Legal Basis—namely, to allow the medical school or institute to comply with professional accreditation recordkeeping requirements and to assist you in meeting your professional accreditation recordkeeping requirements.
If we publish an activity from another medical education provider, and thereby obtain a continuing medical education or similar certificate, we may disclose the fact that you participated in the activity to the medical education provider for the purposes of complying with professional accreditation recordkeeping requirements.	Legitimate Interest Legal Basis—namely, to allow the medical education provider to comply with professional accreditation recordkeeping requirements and to assist you in meeting your professional accreditation recordkeeping requirements.
Disclosures of personal data to courts and public authorities to protect you, us, or third parties from harm, such as fraud.	Legitimate Interest Legal Basis—namely, to protect you, us or third parties from harm, such as fraud or the effects of illegal conduct. These circumstances are rare and we may provide you with additional information prior to such processing where required by applicable law.
Disclosures of personal data to our agents and service providers for the purposes described above.	See the legal bases and, where applicable, the legitimate interests described above.

4. Disclosure of Personal Data to Affiliates.

We may, subject to applicable law, disclose your personal data to affiliates who act as data controllers for the purposes of improving our products, services, and business practices, as well as those of our affiliates. Please contact us at privacy@peerview.com for information about our affiliates and, if applicable, their UK GDPR-specific representative and data protection officer.

5. Is My Personal Data Transferred Outside of the EEA or the UK?

Yes, some recipients of your personal data are located in:

(i) Canada, which is a country outside of the EEA for which the European Commission has issued an adequacy decision. The transfer is thereby recognized as providing an adequate level of data protection from a European data protection law perspective (pursuant to Article 45 of the EU GDPR).

(ii) The U.S. and Mexico. The European Commission has not issued an adequacy decision in respect of the level of data protection for these countries. By entering into appropriate data transfer agreements based on Standard Contractual Clauses approved by the authorities of your jurisdiction, We have established that all such recipients will provide an adequate level of data protection and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Any onward transfer (including to our affiliates outside the EEA) is subject to appropriate onward transfer requirements as required by the applicable contract or law. You can ask for a copy of such appropriate data transfer agreements by contacting us using the details provided at the bottom of this Supplemental Statement.

6. How Long Will We Retain Your Personal Data?

We will delete, erase or anonymize your personal data within 1 month after your personal data is no longer necessary for us to:

• Provide you with any information or services you have requested;
• Pursue any of the legitimate interests specified herein where the legitimate interest is not overridden by your fundamental rights or privacy interests;
• Comply with any legal obligations to which We are subject; or
• Defend any legal claim against us or support any legal claim made by us, including any potential appeal.

7. How Long Will We Retain Your Personal Data?

As a person whose personal data is processed, you have the following rights under the EU GDPR and the UK GDPR:

(i) You can withdraw your consent to processing: If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. However, this withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.

(ii) You have the right to access information: You can ask us to confirm if your personal data is being processed and, if so, to request access to the personal data. The access information includes, among other things:

• The purposes of the processing;
• The categories of personal data processed; and
• The recipients or categories of recipients to whom the personal data have been or will be disclosed. You also have the right to obtain a copy of the personal data being processed. Subject to applicable law, We may charge a reasonable fee for copies, based on administrative costs.

(iii) You can seek to rectify personal data: You have the right to ask us to rectify inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data completed. You can do this, among other ways, by providing us with a supplementary statement.

(iv) You can ask for your personal data to be erased: To the extent it is not legally required to be retained, you have the right to ask us to erase your personal data.

(v) You can request that processing be restricted: In this case, your personal data will be marked and processed by us only for certain purposes.

(vi) You have the right to receive your data in a portable format: You have the right to receive your personal data which you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transfer the personal data to another entity without hindrance from us.

(vii) You can object to our processing of your personal data: Such an objection can be made at any time, on grounds relating to your particular situation, and We can be required to no longer process your personal data. Exercising this right will not incur any cost. If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by us. Such a right to object may not exist, in particular, if the processing of your personal data is necessary to (a) take steps prior to entering into a contract; or (b) to perform a contract already concluded.

(viii) You have the right to submit a complaint: In addition to contacting us, you have a right to lodge a complaint with a supervisory authority.

Please note that these rights may be limited under applicable national data protection law. To exercise your rights (except for the right to complain to a supervisory authority), please contact us as stated below.

8. Your Choices With Respect to Your Personal Data.

You have a choice with respect to whether to provide us with your personal data. You are not required to provide any personal data to us; however, if you do not provide any personal data to us, you may not be able to use or receive the Services. You can also use the Services without consenting to cookies that are not strictly necessary; the only consequence is that the Services will be less tailored to you.

9. How Can I Contact You for More Information or to Exercise My Rights?

Please contact us at privacy@peerview.com for more information relating to this Supplemental Statement or to exercise your rights as described in the Supplemental Statement.