In this Data Privacy Statement, “Rhythm Pharmaceuticals”, “we”, “us”’’ and ‘’our’’ refers to Rhythm Pharmaceuticals Netherlands BV. As a science-based pharmaceutical company, we may process your personal data for the purposes and by the manners described in this Privacy Statement.

We take the privacy and security of your personal data very seriously. With this privacy statement, we would like to inform you about the data we may collect from you, the purposes of processing these data, the way the data are collected, processed and protected, and to what extent they are transmitted to third parties. We also explain which rights you have with regards to this data and provide useful contact details in case you have questions or concerns.

The collection and processing of personal data is carried out in accordance with the applicable law, namely the General Data Protection Regulation (GDPR).

What information do we collect / process, and for what purposes?

The types of personal data and the purposes why we process your data differ depending on the specific data processing activities, and can be grouped according to the following categories:

I. Professional data
II. Interaction documentation
III. Medical information requests
IV. Information about our contractual relationships with you

Click on each category to find out more about the types of personal data processed and the purposes for the processing of your data in each case. Categories 2, 3 and 4 only apply for registered healthcare professionals.

I. Professional data

What are professional data?

Examples of professional data that we collect are:

• Your name
• Your professional address
• Professional contact details such as phone numbers, fax numbers and e-mail address(es)
• Technical information about your device when you visit our websites, social media or similar digital channels, such as your IP address, device type, device and advertising identifiers, browser type and version, and other standard server log information
• Other personal data you choose to provide to us
  
  

In case you are a registered healthcare professional in your country we may also collect:

• Medical specialty
• Name of your practice / clinic / hospital
• General Medical Council (GMC) identifier
• Name and job title of clinic and nursing staff
• Other professional data you choose to provide to us|
  
  

How do we collect professional data?

We gather professional data from public registers, from data brokers like, for instance, IQVIA Commercial BV & Co. KG (formerly IMS BV) and from our sales force and/or other Rhythm Pharmaceuticals employees that interact with you. Information deriving from activities in our websites, social media profiles, etc. is collected via so-called “cookies”. Cookies are small text files that are stored in the memory of your terminal via your browser and store certain information (for example your preferred language or site settings). Your browser may retransmit these to us when you revisit our website, depending on the lifespan of the cookie.

Why do we process your professional data?

Professional data is stored and processed by us for different purposes:

• Sending drug safety-relevant information (e.g. Dear Doctor Letter)
• Contacting you in case of queries about reported adverse reactions or to answer your scientific questions
• Planning for further interactions
• If you have given us a consent for this purpose, reaching out to you through digital means with commercial communications
• If necessary, sending information material by post
• Documentation and correspondence on contract-related topics and other interactions with you
• Complaint management
• Analyse the effectiveness of our different campaigns and assess if they meet the predefined goals
• Evaluate the effectiveness and impact of our marketing material
• Analyse how to best optimize our resources and design the customer experience
  
  

What is the legal basis for the processing of your professional data?

The legal basis for the processing of these professional personal data could be: your consent for processing for specific purposes pursuant to Art. 6 (1) a) GDPR granted by you (e. g. for sending you commercial communications), our legitimate interest under Art. 6 (1) f) GDPR (e. g. for the planning of sales force visits or assessing the effectiveness of campaigns and impact of our marketing material) and / or in accordance with Art. 6 (1) (c) GDPR, fulfilment of a legal obligation to which the responsible is subject (e. g. for the information exchange relevant for drug safety and pharmacovigilance).

II. Interaction documentation

What is “interaction documentation” data?

Interaction documentation includes the following data:

• Date of interaction
• Name of the conversation partner, if applicable
• Information about giving a sample, if applicable
• Name of the products that have been discussed, if applicable
• Indications that have been discussed
• Your voluntary information on product and information interests
• Your voluntary information about the prescription of our products in practice
  
  

How do we collect “interaction documentation” data?

Interaction documentation is registered by our teams in our systems during and/or after each interaction, especially if you are a registered healthcare professional in your country.

Why do we process “interaction documentation” data?

We use the data collected during the interaction for the following purposes:

• To coordinate the visits of our field staff
• For legally required sample documentation
• To plan the submission of informational materials to you
• To respect our legal obligations to document HCP interactions
• Analyse the effectiveness of our different campaigns and assess if they meet the predefined goals
• Evaluate the effectiveness and impact of our marketing material
• Analyse how to best optimize our resources and design the customer experience
  
  

What is the legal basis for the processing of “interaction documentation” data?

The legal basis for the collection and processing of this data could be: a consent granted by you for processing for specific purposes pursuant to Art. 6 (1) a) GDPR (e. g. for sending information materials to you), our legitimate interest under Art. 6 (1) f) GDPR (e. g. for the coordination of visits of our field staff or assessing the effectiveness of campaigns and impact of our marketing material) and the fulfilment of a legal obligation according to Art. 6 (1) c) GDPR (e. g. for the purpose of documenting giving away a sample.)

III. Information about your medical information requests and other professional interests

What information do we process about your medical information requests and other professional interests?

We process the following information about your medical information requests and
other professional interests in our systems:

• Product or indication related questions
• Product or indication related areas of interests and focus
• Scientific / medical and / or professional fields of interest
• General information about the patient population
• Membership in medical associations
• Publications, including postings and announcements in social media channels
• Documentation of the consent ("opt-in") allowing us to reach out to you by digital means with commercial communications
• Your interest in a contractual collaboration (lectures, events, medical education, consultancy)
• Your activities on our websites and online presences (e.g. viewed pages, visits on our social media profiles, received commercial communications, clicks on our online advertisements)
• Technical information about your device when you visit our websites, social media or similar digital channels, such as your IP address, device type, device and advertising identifiers, browser type and version, and other standard server log information
  
  

How is the information about your medical information requests and other professional interests collected?

This information is usually collected by phone, email, fax or direct face to face interaction with our team members. Information deriving from activities in our websites, social media profiles, etc. is collected via so-called “cookies”. Cookies are small text files that are stored in the memory of your terminal via your browser and store certain information (for example your preferred language or site settings). Your browser may retransmit these to us when you revisit our website, depending on the lifespan of the cookie. We also collect information about your interests in our products, campaigns and other related content, when you have given us your explicit consent to receive this information through digital means from us. For example, when you receive an e-mail about a certain campaign from us, we are able to see whether you have accessed the content of this e-mail; this helps us assess the effectiveness of our different campaigns and improve the manner in which the information is presented.

Why do we process information about medical information requests and other professional interests?

Information about your medical information requests and other professional interests is used for the following purposes:

• Answering your medical information requests
• Planning the distribution of scientific and other information materials
• Relaying individually tailored information
• Sending commercial communications
• Offers for contractual cooperation
• Invitations to events
• Analyse the effectiveness of our different campaigns and assess if they meet the predefined goals
• Evaluate the effectiveness and impact of our marketing material
• Analyse how to best optimize our resources and design the customer experience
  
  

What is the legal basis for the processing of information about medical information interests and other professional interests?

The basis for the collection / storage of data is a consent granted by you pursuant to Art. 6 (1) a GDPR (e. g. for sending commercial communications) or our legitimate interest under Art. 6 (1) f) GDPR (e. g. for assessing the effectiveness of campaigns and impact of our marketing material).

IV. Information about our contractual relationship with you

What information do we process about our contractual relationship with you?

We collect and process data to plan and fulfil our contractual relationships with you. These include:

• Contract documentation
• Fees
• Invoices, payment documentation, travel expense reports
• Employer authorizations obtained for hospital doctors
• Documentation of the services provided
• Invitations to events
• Covered event costs, travel expenses
• Documentation of participation in events
  
  

How do we collect this data?

The data is usually collected while setting up the contract, insofar as this is necessary for the execution, fulfilment and documentation of the collaboration.

Why do we process this data?
The processing of this data serves the following purposes:

• Execution of the contract
• Fulfilment of the legal obligations to establish transparency and fulfilment of documentation requirements ("compliance")
• To disclose payments under local Transparency Codes
• Planning and execution of events
• Analyse the effectiveness of our different campaigns and assess if they meet the predefined goals
• Evaluate the effectiveness and impact of our marketing material
• Analyse how to best optimize our resources and design the customer experience
  
  

What is the legal basis for the processing of this data?

The legal basis for the collection and processing of this data may be a consent granted by you for processing for specific purposes pursuant to Art. 6 (1) a) GDPR (e.g. disclosing payment information in accordance with the Transparency Code), for fulfilling a contract or precontractual measures pursuant to Art. 6 (1) b) GDPR (e. g. for execution of the contract), for fulfilment of a legal obligation under Art. 6 (1) c) GDPR (e. g. for the purposes of meeting the requirements of compliance regulations) or a legitimate interest pursuant to Art. 6 (1) f) GDPR (e. g. for the avoidance of any compliance risks or assessing the effectiveness of campaigns and impact of our marketing material).

Where is your data stored?

Rhythm Pharmaceuticals uses different IT systems and applications to store and process your data. You can be identifiable in these systems based on the use of direct identifiers, such as your name or email address, or indirect identifiers, such as your registration ID or IP address.Rhythm Pharmaceuticals uses a central Customer Relationship Management System (“CRM”) in which we combine, update and rectify your personal data which you have provided to us or which was collected by us as outlined above in a central customer profile. This is necessary to pursue our legitimate interests in managing your personal data in the most effective way (for example, centralising your personal data helps us to easily keep it up-to-date), efficiently managing our relationship with you and enhance your customer experience as well as to facilitate our direct marketing efforts in the most efficient manner. You have the right to object to this kind of processing at any time. In such case Rhythm Pharmaceuticals will carefully evaluate your request and only continue to process your personal data to the extent that it is legally required or in accordance with your explicit consent.

How is your data protected?

We ensure that the personal data we process from you is adequately protected by taking state of art technical and organizational measures. Access to our systems is strictly personal and purpose based on a graduated authorization concept, that is, only those of our employees may access the data who require access for the particular processing purposes outlined above.

How long will your personal data be processed for?

We will store and process your personal data as long as we can claim a legitimate interest, you have provided a valid consent or if there is a legal requirement for a specific time period which is determined by applicable laws and the company´s IT security and data privacy policies, as the case may be.

Will your data be transferred?

Your personal data may be transferred to other Rhythm Pharmaceuticals affiliates and may be stored by contracted third parties as software vendors and IT solution providers. We use Rhythm Pharmaceuticals proprietary and standard industry solutions to process your data in a safe environment.

We may also share categories of your personal data listed above with certain service providers or third parties such as: IT providers for the purposes of system development and technical support (for example, IQVIA, Salesforce, Veeva or DOMO); auditors and consultants to verify our compliance with external and internal requirements; statutory bodies, law enforcement agencies and litigants, as per a legal reporting requirement or claim.

Some of these parties are located outside the European Union (“EU”) or the European Economic Area (“EEA”), which means that your data will partly be processed in countries that may have a lower data protection level than European countries. In such cases, Rhythm Pharmaceuticals will ensure that a sufficient level of protection is provided for your data, e.g. by concluding specific agreements with these contractual partners.
Rhythm Pharmaceuticals does not sell personal data to third parties. We do permit third parties to collect information through our website but only for the purposes described herein and as described in our Cookie Notice.

What are your data privacy rights?

The following rights are available to you based on applicable privacy laws:

• Right to information about personal data on you stored by us
• Right to deletion or restriction of processing, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or in the event that the processing serves the enforcement, exercise or defence of legal claims
• Right to correct your personal data
• Right to object to processing that serves our legitimate interest, a public interest or profiling, unless we can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or, in case, that the processing serves the enforcement, exercise or defence of legal claims
• Right to data transferability
• Right to complain to a supervisory authority
• You may withdraw your consent to the collection, processing and use of your personal data at any time from that point in time onwards.

If you want to exercise your rights, please address your request to privacy@rhythmtx.com.

Who can you contact in case of questions or concerns regarding the processing of your data?

In case of any questions regarding our data privacy you can get in touch with our company data protection team at the following address:

Rhythm Pharmaceuticals Netherlands BV

Radarweg 29
1043 NX Amsterdam
The Netherlands

Or by e-mail: privacy@rhythmtx.com

Rhythm Pharmaceuticals Netherlands B.V. is a member of the Rhythm Pharmaceuticals group. Please use the contact details below in case you are looking for information about the processing of personal data by other EU Rhythm Pharmaceuticals group companies:

Rhythm Pharmaceuticals France SAS
Rhythm Pharmaceuticals Germany GmbH
Rhythm Pharmaceuticals Italy S.r.l
Rhythm Pharmaceuticals Limited (Ireland)
Rhythm Pharmaceuticals Spain S.L
Rhythm Pharmaceuticals UK Limited