PRIVACY AND DATA PROTECTION POLICY
INTRODUCTION
In the course of its activities, BIONEXX SA collects and processes certain types of information (including, but not limited to, name, telephone numbers, address, gender, passport photo, ID card number, fingerprints and signature, etc.) relating to individuals, which makes them easily identifiable. These persons are current, past and future customers, suppliers/vendors, and other persons with whom BIONEXX SA communicates or deals, jointly and/or severally (“Data Subjects”).
It is necessary that the Data Subjects do not suffer any negative consequences/effects as a result of the transmission of their Personal Data to BIONEXX SA in order to maintain the trust of the Data Subject. To this end, BIONEXX SA is firmly committed to complying with applicable data protection laws, regulations, rules and principles in order to guarantee the security of the Personal Data processed by the Company.
This Privacy and Data Protection Policy (“Policy”) describes the minimum standards that must be strictly adhered to in the collection, use and disclosure of Personal Data and states that BIONEXX SA is committed to treating the Personal Data it receives or processes with absolute confidentiality and security.
This policy applies to all forms of systems, operations and processes existing in the BIONEXX SA environment that involve the collection, storage, use, transmission, erasure or destruction of Personal Data.
Failure to comply with the data protection rules and guidelines set out in Law No. 2014 – 038 on the Protection of Personal Data, as well as those set out in this Policy, constitutes a material violation of the policies of BIONEXX SA and may result in measures such as the suspension or termination of the business relationship.
DEFINITIONS
In the context of this Policy, the following terms mean:
“Consent of the data subject”: any explicit, free, specific and informed indication of the data subject’s wishes by which he or she consents to the processing of personal data concerning him or her.
“Database” means a collection of data organized in such a way as to permit access, retrieval, deletion and processing of such data; it includes, but is not limited to, structured, unstructured, cached and system file databases.
“Controller of personal data”: a person or organization that has the power to decide on the creation of the processing alone or jointly with others, and that determines the purposes and means to be implemented on behalf of and on the instructions of BIONEXX SA.
“Recipient of personal data” means the natural or legal person, public authority, agency or other body which receives communication of data or to which data are made accessible. The authorities authorised in the context of a particular investigative mission are not recipients of the data within the meaning of this definition.
“Data subject”: the person to whom the data subject to the processing relates.
“Law” means Law No. 2014 – 038 on the Protection of Personal Data.
“Personal Data” means any information relating to a natural person who is identified (“Data Subject”) or who can be identified, directly or indirectly, by reference to a name, an identification number or to one or more elements specific to that person. These elements may be physical, physiological, psychological, economic, cultural or social. In order to determine whether a person is identifiable, consideration shall be given to all means of enabling that person to be identified that are available to the controller or to which the controller or any other person may have access, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This may include a name, address, photo, email address, bank account details, social media site posts, medical information, and other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number, SIM card, and personally identifiable information (PII), among others.
“Sensitive data”: due to the risks of discrimination and infringement of individuals’ freedoms, any processing of sensitive data is prohibited. Sensitive data includes data revealing racial origin, biometric data, genetic data, political opinions, religious or other beliefs, trade union membership and data relating to the health or sex life of individuals.
SCOPE
This Policy applies to all customers and employees of BIONEXX SA, as well as all external business partners (such as retailers, suppliers, subcontractors, vendors, and other service providers) who receive, send, collect, access, or otherwise process Personal Data on behalf of BIONEXX SA, including full or partial processing by automated means. This Policy also applies to third-party Data Controllers who process Personal Data received from BIONEXX SA.
GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING
BIONEXX SA undertakes to maintain the general principles relating to data and processing as set out in Article 14 of Law No. 2014 – 038 on the Protection of Personal Data regarding the processing of Personal Data.
To demonstrate this commitment and our goal of creating a positive culture of privacy within BIONEXX SA, we adhere to the following basic principles for the processing of Personal Data:
4.1 Legality, fairness and transparency
Personal Data must be processed in accordance with the law, fairly and transparently at all times. This implies that the Personal Data collected and processed by or on behalf of BIONEXX SA must be in accordance with the specific, legitimate and lawful purpose to which the Data Subject has consented and must meet one of the conditions defined in Article 17 of Law No. 2014 – 038 on the Protection of Personal Data, unless the processing is otherwise permitted by law or under other legal grounds recognized in Law No. 2014 – 038 on the Protection of Personal Data.
In accordance with the terms of Article 46 of Law No. 2014 – 038 on the protection of personal data, any processing, whether computerised or not, which presents particular risks to rights and freedoms or which is likely, due to its content, structure or purpose, to infringe on privacy must be the subject of an authorisation from the Malagasy Commission for Information Technology and Civil Liberties prior to its implementation.
4.2 Accuracy of Data
Personal Data must be accurate and up-to-date. In this regard, BIONEXX SA undertakes to:
Ensure that all data it collects and/or processes is accurate and not misleading in a way that could harm the Data Subject;
Update Personal Data to the extent reasonable and applicable; and
Correct or erase, in a timely manner, Personal Data when inaccuracies are discovered.
4.3 Purpose limitation
4.3.1. BIONEXX SA will process personal data for one of the following reasons:
a) The performance of a contract or the conclusion of a contract with the data subject;
b) The legitimate business interests of BIONEXX SA, insofar as these do not override the rights and freedoms of the data subject (e.g., fraud prevention, security of our network and services, marketing, analysis and improvement of our services); or
c) To comply with a mandatory legal obligation, in particular in relation to accounting, taxation, money laundering or anti-corruption.
4.3.2. BIONEXX SA will collect personal data relating to:
a) Customers (Customer Personal Data), as well as end customers (i.e., members of the public to whom we do not directly sell our products and services, but who use, will use, or plan to use a service that BIONEXX SA ultimately provides);
b) Users of our websites or other related services provided by BIONEXX SA (User’s Personal Data);
c) Suppliers, industry professionals and other persons who provide goods and/or services to BIONEXX SA (Suppliers’ Personal Data).
4.3.3. BIONEXX SA holds and processes Customers’ Personal Data for the following purposes:
a) Administering and managing our relationships with our end customers and customers, which may include:
i. Manage inquiries, process orders, and provide the customer with products and services (including arranging delivery);
ii. Take appropriate steps to invoice and accept appropriate payment or credit from the customer; and
iii. Provide up-to-date information, such as changes to terms and conditions;
b) Marketing and promoting our products and services and inviting customers to participate in market research;
c) Any corrective action that may be required in relation to any of the products and services we provide;
d) To improve our products and services and innovate, which allows us, for example, to manage our networks more efficiently and to better understand their use;
e) Credit checks, fraud prevention, debt collection and security;
f) Compliance with applicable laws, regulations and rules.
4.3.4. BIONEXX SA holds and processes the User’s Personal Data for the following purposes:
a) To provide promotional and marketing offers (at the express request of the user) and online advertising;
b) Administering and improving our websites and related functions (including the collection and analysis of anonymous, de-identified and aggregated information); and
c) Compliance with applicable laws, regulations and rules.
4.3.5. BIONEXX SA holds and processes the Supplier’s Personal Data for the following purposes:
a) Administer the receipt of products and services from its suppliers;
b) Administer and manage its relationships with its suppliers; and
c) Compliance with applicable laws, regulations and rules.
BIONEXX SA may share the personal data it has collected with its affiliates and third parties operating on its behalf. BIONEXX SA will only share personal data with companies that are required to protect it in accordance with applicable laws, regulations and rules, and subject to any appropriate security measures and the instructions of the relevant BIONEXX SA data controller, and in accordance with this policy.
4.4 Data Minimization
- BIONEXX SA limits the collection and use of Personal Data to those data that are relevant, adequate and absolutely necessary for the fulfilment of the purpose for which the data is processed;
- BIONEXX SA will assess whether and to what extent the processing of personal data is necessary and, where the purpose allows, whether anonymous data is to be used.
4.5 Integrity and Confidentiality
- BIONEXX SA will establish adequate controls in order to protect the integrity and confidentiality of Personal Data, both in digital and physical form, and to prevent Personal Data from being accidentally or deliberately compromised;
- Data Subject Personal Data must be protected against unauthorized access and unauthorized modification to ensure its reliability and accuracy;
- Any processing of Personal Data undertaken by an employee who has not been authorized to do so in the course of his or her legitimate duties is prohibited;
- Employees may only have access to Personal Data to the extent appropriate to the type and scope of the task in question and are prohibited from using the Personal Data for private or commercial purposes, disclosing it to unauthorized persons, or otherwise making it available;
- The Human Resources Department must inform employees, at the beginning of the employment relationship, of the obligation to maintain the confidentiality of Personal Data. This obligation will remain in effect even after the period of employment has ceased.
4.6 Retention of Personal Data
- All personal information will be retained, stored and destroyed by BIONEXX SA in accordance with legislative and regulatory guidelines. For all Personal Data and information obtained, used and stored within the Company, BIONEXX SA will carry out periodic reviews of the data retained to confirm their accuracy, purpose, validity and the need to keep them.
- To the extent permitted by applicable laws, the retention period of Personal Data will be, among other things, determined by:
- The contractual terms agreed between BIONEXX SA and the Data Subject or for as long as they are necessary for the purposes for which they were obtained; or
- The possibility that the transaction or relationship has a legal implication or a required retention period; or
- The possibility that there may be an express request for the deletion of Personal Data by the Data Subject, provided that such a request will only be processed if the Data Subject is not the subject of any investigation that may require BIONEXX SA to retain such Personal Data or if there is no contractual agreement in force with the Data Subject that would require the processing of the Personal Data; or
- The possibility that BIONEXX SA may have another legal basis for retaining such information beyond the period for which it is necessary to achieve the original purpose.
- BIONEXX SA will use all reasonable means not to retain the Personal Data in its possession when such Personal Data is no longer required by BIONEXX SA, provided that no applicable law or regulation requires BIONEXX SA to retain such Personal Data.
4.7 Responsibility
- BIONEXX SA demonstrates responsibility in accordance with the obligations of Law No. 2014 – 038 on the Protection of Personal Data by continuously monitoring and improving data privacy practices within BIONEXX SA.
- Any person or employee who violates this Policy may be subject to internal disciplinary action, but may also be subject to the sanctions provided for in Articles 55 et seq. of Law No. 2014 – 038 on the Protection of Personal Data, in the event of violations of the provisions of the said Law.
DATA PRIVACY NOTICE
BIONEXX SA considers Personal Data to be confidential and, as such, it must be appropriately protected against unauthorized use and/or disclosure. BIONEXX SA will ensure that Data Subjects receive relevant information regarding the use of their Personal Data and will obtain their respective consents, if necessary.
CONSENT
Where the processing of Personal Data requires consent, BIONEXX SA will obtain such required consent from the Data Subjects at the time of collection of the Personal Data. In this regard, BIONEXX SA will ensure:
- That the specific purpose of the collection be brought to the attention of the Data Subject and that consent be sought in clear and simple language;
- That consent is freely given by the Data Subject and obtained without fraud, coercion or undue influence;
- That the consent is sufficiently distinct from the other points to which the Data Subject has consented;
- That consent be explicitly given in the affirmative;
- That consent is obtained for each purpose of the collection and processing of Personal Data; and
- That it is clearly communicated to Data Subjects, in plain language and understood by them, that they can update, manage or withdraw their consent at any time.
RIGHTS OF DATA SUBJECTS
- In accordance with the terms of Articles 22 to 27 of Law No. 2014 – 038 on the Protection of Personal Data, all persons whose Personal Data is held by BIONEXX SA have the following rights:
- Right to request and access their Personal Data collected and stored. Where data is stored electronically in a structured form, for example in a Database, the Data Subject has the right to receive such data in a common electronic format;
- Right to information about their personal data collected and stored;
- Right to object to being included in a processing or restriction request;
- Right to object to automated decision-making;
- The right to request the indirect rectification and modification of their data that is stored by BIONEXX SA;
- Right to request the deletion of their data, unless limited by law or the statutory obligations of BIONEXX SA;
- Right to request the transfer of data from BIONEXX SA to a third party; this is the right to data portability; and
- The right to object and to request that BIONEXX SA restrict the processing of their information, unless required by law or the statutory obligations of BIONEXX SA.
- To opt out of receiving marketing or unsolicited messages:
If you no longer wish to receive marketing messages from BIONEXX SA, you may choose to unsubscribe at any time. If you have previously agreed to receive personalized content based on how and where you use our network, you can also unsubscribe at any time, including:
- By contacting our customer service team via the email address contact@bionexx.com;
- Turning off instant notification messages, including marketing messages, at any time in our apps, changing your device’s notification settings, or uninstalling the app.
TRANSFER OF PERSONAL DATA
8.1 Transfer of Data to Processors
BIONEXX SA may engage the services of external processors in order to process your Personal Data that we have collected.
In accordance with the terms of Article 16 of Law No. 2014 – 038 on the Protection of Personal Data, personal data may only be processed by a processor on the instructions of the Data Controller. The processor must provide sufficient guarantees to ensure the implementation of security and confidentiality measures. This requirement does not relieve the controller of its obligation to ensure compliance with these measures.
The processing by these third parties will be governed by a written contract with BIONEXX SA to ensure that appropriate protection and security measures are put in place by the third party for the protection of Personal Data in accordance with the terms of this Policy and the provisions of Article 16 of Law No. 2014 – 038 on the Protection of Personal Data. The contract between the processor and the controller shall include an indication of the obligations incumbent on the processor in terms of the protection of data security and confidentiality and shall provide that the processor may only act on the instructions of the controller.
8.2 Transfer of Data to authorities and third parties
Where appropriate, BIONEXX SA will share your information with:
- Law enforcement authorities, government agencies, regulators, courts or other public authorities if we are required to do so or are permitted to do so by law. For example, under the Cybercrime Act, a law enforcement authority may require a service provider to retain or disclose any information about data usage, subscribers, content, or the like. This, however, is only for legal purposes;
- A third party or body where such disclosure is necessary to satisfy any applicable law or other legal or regulatory requirement, such as to detect or prevent fraud or the commission of any other crime;
- Partners, suppliers or agents involved in the provision of the products and services you have ordered or used;
- A merged or acquiring entity when we undergo a corporate reorganization, such as a merger, acquisition, or takeover.
8.3 Transfer of Personal Data to a Foreign Country
In accordance with the terms of Article 20 of Law No. 2014 – 038 on the protection of personal data, when the Personal Data is to be transferred to a country outside Madagascar, BIONEXX SA will ensure that the recipient State has legislation ensuring a level of protection of individuals similar to that provided by the above-mentioned law.
The transfer of Personal Data outside Madagascar will be done in accordance with the provisions of Article 20 of Law No. 2014 – 038 on the protection of personal data.
The level of protection offered by a third country is assessed in the light of all the circumstances relating to a transfer or a category of data transfers. In particular, the nature of the data, the purpose and duration of the proposed processing operation(s), the countries of origin and final destination, the general or sectoral rules of law in force in the third country in question, and the professional rules and security measures complied with therein, shall be taken into account.
In the absence of a similar level of protection, the Malagasy Commission for Information Technology and Civil Liberties (“CMIL”) may authorise the transfer of personal data, when the data controller offers sufficient guarantees with regard to the protection of privacy and the fundamental rights and freedoms of individuals. Such guarantees may result in particular from appropriate contractual clauses or from the adoption of internal rules.
By way of derogation from the preceding paragraphs, the transfer of personal data to a third party that does not provide a similar level of protection may be carried out on an exceptional basis, provided that:
- The data subject has undoubtedly given his or her consent to the proposed transfer, duly informed of the lack of a similar level of protection, and in all circumstances the Data Subject has been manifestly warned, by clear warnings, of the specific data protection principle(s) that are likely to be violated in the event of a transfer to a third country. This provision shall not apply in cases where the Data Subject has to face a duly established legal action following any civil or criminal complaint in a third country; or
- The transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures taken at the request of the data subject; or
- The transfer is necessary for the conclusion or performance of a contract concluded or to be concluded, in the interest of the data subject, between the controller and a third party; or
- The transfer is necessary or legally binding for the protection of an important public interest, or for the establishment, exercise or defence of a legal claim; or
- The transfer is necessary to safeguard the vital interests of the data subject; or
- The transfer takes place from a public register which, by virtue of legislative or regulatory provisions, is intended for the information of the public and is open to public consultation or to any person demonstrating a legitimate interest, insofar as the legal conditions for consultation are fulfilled in the particular case.
BIONEXX SA will take all necessary measures to ensure that Personal Data is transmitted in a safe and secure manner. Details of the protection afforded to your information when it is transferred outside of Madagascar will be provided to you upon request.
DATA BREACH MANAGEMENT PROCEDURE
- A data breach procedure is established and maintained to address incidents involving Personal Data or privacy practices that result in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or processed;
- All employees must immediately inform their designated supervisor or the personal data controller of BIONEXX SA of any violations of this Policy or other regulations on the protection of Personal Data, in particular in the following cases:
- Inappropriate transmission of Personal Data across borders;
- Loss or theft of data or equipment in which the data is stored;
- Accidentally sharing data with a person who does not have a right to know that information;
- Improper access controls allowing unauthorized use;
- Equipment failure;
- Human error resulting in the sharing of data with a person who does not have the right to know that data; and
- A computer hack.
- A notification of a data protection breach must be made immediately after any data breach to ensure that:
- Immediate corrective action can be taken with respect to the violation;
- The Malagasy Commission for Information Technology and Civil Liberties (CMIL) or any other regulatory authority can be notified and can pronounce the applicable sanctions in the event of infringements of the provisions of Law No. 2014 – 038 on the protection of personal data;
- Any Data Subject may be informed; and
- All communication with stakeholders can be managed.
- Where a potential breach has occurred, BIONEXX SA will investigate to determine if an actual breach has occurred. The actions required to manage and investigate the breach include:
- Validate whether or not there has been a breach of Personal Data.
- Ensure that an appropriate and impartial investigation (including digital analysis if necessary) is initiated, conducted, documented and concluded.
- Identify remediation needs and monitor resolution.
- Report results to senior management.
- Coordinate with the appropriate authorities as necessary.
- Coordinate internal and external communications.
- Ensure that Data Subjects are properly informed, if necessary.
- As soon as the breach is detected, it must be notified to the Group Privacy Director and General Counsel.
DATA PROTECTION IMPACT ASSESSMENT
BIONEXX SA will carry out a Data Protection Impact Assessment (SIFT) for any new project or IT system involving the processing of Personal Data to determine whether any type of processing is likely to result in a risk to the rights and freedoms of the Data Subject.
DATA SECURITY
- All Personal Data must be kept secure and must not be stored for longer than necessary. BIONEXX SA will ensure that appropriate measures are employed against unauthorized access, accidental loss, damage and destruction of data. This includes the use of password-encrypted databases for digital storage and locked cabinets for those using paper format.
- To ensure the security of Personal Data, BIONEXX SA will implement, among other things, the following appropriate technical controls:
- Industry-recognized protection standards for workstations, servers, and databases;
- Full software disk encryption on all drives of the company’s workstation and laptop operating systems storing Personal Data and Sensitive Data;
- Encryption of stored data, including key database management.
- Enabling the retention of security audits on all systems handling Personal Data;
- Limiting the use of removable media such as USB flash drives;
- Anonymization techniques on test environments;
- Physical access control where Personal Data is stored on paper.
DATA CONTROLLER OF PERSONAL DATA
BIONEXX SA will appoint a personal data controller who has the power to decide on the creation of the processing alone or jointly with others, and who determines the purposes and means to be implemented in order to ensure compliance with the requirements of Law No. 2014 – 038 on the Protection of Personal Data.
USE OF COOKIES
Our website uses cookies to improve the user experience and analyze website traffic. A cookie is a small text file that is stored on your device, which allows us to recognize your browser and remember certain information. The types of cookies we use include:
- Necessary cookies: Essential for the proper functioning of the site;
- Performance and analytics cookies: To analyze website traffic and improve site performance;
- Personalization cookies: To remember your preferences and improve your browsing experience;
- Advertising cookies: To deliver relevant advertisements based on your interests.
When you first visit our website, a consent banner informs you of the use of cookies and allows you to accept or reject them. You can change your cookie preferences at any time through your browser settings or through the cookie management tools on our website.
CHANGES TO THE POLICY
BIONEXX SA reserves the right to change, modify or alter this Policy at any time. If we change this Policy, we will provide you with the updated version.
Made to serve and value what is right.