Declaration relating to privacy for social media users

Declaration relating to Privacy for Social Media Users – Article 14 of Regulation (EU) 2016/679 ("GDPR" – General Data Protection Regulation).

This Declaration relating to Privacy describes the manner in which NHS processes your personal data when you use your profile on social media such as Facebook, YouTube, Twitter, Instagram, LinkedIn, or any other similar networks or pages (hereinafter referred to as "Social Media") so as to interact with the NHS profile or pages on these Social Media, or when you visit the NHS websites while logged in to these Social Media.
This document only concerns personal data processing operations carried out by NHS.

Your data is first and foremost collected and processed by the Social Media for which you possess a profile (and which therefore serves as the Data Controller for your personal data).
NHS has restricted access to a small amount of your data held by these Social Media, and only processes said data if you interact with the NHS profile or pages on these Social Media, or the NHS websites.
NHS serves as an Independent Data Controller for your personal data derived from these Social Media. Consequently, the Social Media and NHS independently decide the purposes and processing methods of your personal data to which they both have access.

The processing operations carried out by NHS are described hereafter. If you wish to know more about how these Social Media process your data, you can read their privacy policies via your profile(s) on the Social Media in question.
If you interact with the NHS account, page, or profile on the Social Media (hereinafter referred to as the "Page"), NHS is authorized to process the following categories of personal data, derived from your profile: first name; surname; user name; other biographical and professional information; age; sex; information you have voluntarily made public or shared on the Social Media in question in the form of posts or other features; your activities on the NHS Page and Social Media such as "likes", comments, public posts, tags, hashtags, and the content of private messages sent to NHS.
Moreover, if you have consented, in your profile on the Social Media in question and in your browser settings, the Social Media can provide NHS with additional information relating to your activities and preferences you have expressed while browsing the Internet. This information may also be collected using tools such as cookies, spy pixels, and web beacons.
If you wish to find out more, you can check your browser settings, your profile settings on the Social Media in question, or the policies of the websites you frequent. Please note that the use of such tools on the NHS websites is further documented in the Cookie Policy and Privacy Policy.
It should be specified that when you are logged in to your Social Media account and browse the Internet via the same device, NHS may be able to detect information linked to your Social Media profile, such as your age bracket, "likes", etc., and, in certain cases, be able to identify you.

Your data is processed for the following purposes:
- To respond to your posts, requests, and questions; allow you to participate in activities organized through the Page; manage and optimize the content of the Page; perform statistical analyses and market studies on users' interactions with the Page or our websites.
The legal basis for this processing is the NHS's legitimate interest in promoting its activities and improving its corporate image (Article 6.1.(f) of the GDPR).
- To fulfill its legal obligations and other obligations with the intent of safeguarding public health, which necessitate the supervision, monitoring, and reporting to authorities/other organizations (licensors, licensees, etc.) of all information relating to known or potential adverse effects linked to the use of NHS products.
The legal basis for this processing is compliance with legal obligations and the representation of public interest in the field of public health, consisting of ensuring the strict standard of security and quality of NHS products (Articles 6.1.(c) and 9.2.(i) of the GDPR).
- To ensure your adherence to the rules of netiquette, observance of the legal rights of NHS, and compliance with the NHS Code of Ethics and the Group Code of Conduct.
The legal basis for this processing is the further pursuit of NHS's legitimate interest to avoid breaches committed by netizens through the Page, including the failure to comply with the above-mentioned Codes and all laws in force, as well as the defense of its legal rights (Articles 6.1.(f) and 9.2.(f) of the GDPR).
- To implement promotional campaigns relating to NHS's activities, products, and/or services (in accordance with the laws in force on promotional activities concerning health-related products and services) using NHS Social Media accounts, including the dissemination of advertisements and messages.
The legal basis for this processing is your expressed consent given on the Social Media (Article 6.1.(a) of the GDPR).

IMP-NHS-CMP-07 – Version 1 – IMP-NHS-0008
IMP-NHS-0008 – Version 1 – 10/25/2023 12:08 – Activation date: 11/17/2020

- To send you targeted advertisements ("profiling") relating to the above-mentioned activities, products, and services.
The legal basis for this processing is your expressed consent given on the Social Media, including consent to the use of cookies, spy pixels, tracking pixels, and web beacons (Article 6.1.(a) of the GDPR).
- With regards to user data collected relating to job opportunities listed by NHS on the Social Media, to assess and/or establish a professional relationship.
The legal basis for this processing is the execution of a contract or pre-contractual measures with the aim of entering into a contract with you (Article 6.1.(b) of the GDPR).

If you publish personal data pertaining to third parties, it is your responsibility to adhere to requirements in terms of data collection and obtaining consent, in accordance with the data protection laws in force.

Regarding your consent for the processing of data concerning you, that NHS has obtained via your Social Media profile, we hereby attest:
(i) the forms of consent in question are given by you when you register with the Social Media, and you can amend them at any time (however, NHS has strictly no control over these operations, which are entirely managed by the Social Media);
(ii) the data processed by NHS is data made available by the Social Media – NHS shall therefore not be held liable in the event of unauthorized disclosure of such information by the Social Media or the receipt of unwanted advertisements or messages in violation of the options you have selected.

Your data shall be processed digitally in most cases, and recorded in the NHS IT systems in accordance with the data protection laws in force, including aspects regarding data security and data privacy and according to the principles of lawfulness and impartiality.
Data will be retained for as long as necessary in order to fulfill the specified purposes.
In all cases, the criterion used to determine the retention period is based on compliance with the time limits authorized by the law and the principles of data minimization, retention limitation, and the rational management of our archives.

NHS personnel belonging to the following categories are authorized to process users' data: administrative and technical personnel; IT personnel; product managers; personnel in charge of internal audits and compliance; and any other personnel required to process data in the context of their professional duties.
The data may also be made accessible to other Menarini Group companies in other countries, including countries outside the European Union (hereinafter referred to as "Non-EU Countries"), for administrative and accounting purposes, in accordance with Article 6.1.(f) and Recital 48 of the GDPR.
Additionally, the data may be made accessible, including in Non-EU Countries, to the NHS supervisory board; to third-party companies such as service providers and subcontractors providing IT and Cloud services, network service providers in charge of managing NHS Pages, and companies providing consultancy services (tax, administration, etc.) on behalf of NHS; to public organizations, institutions, and authorities for institutional purposes in accordance with the laws in force; and to third parties in the case of audits, mergers, and acquisitions (including those in other countries).
Recipients of this data will process it for the above-mentioned purposes and in accordance with the laws in force.

Regarding the transfer of data outside the European Union, including in countries whose laws do not guarantee the same level of protection regarding the privacy of personal data as that provided by the European legislation, the Data Controller hereby attests that such transfer shall, in all cases, comply with the methods authorized by the GDPR, including, for example, those relating to the confirmation of users' consent and the adoption of the European Commission's Standard Contractual Clauses, by opting for parties adhering to international programs for the free movement of data, and/or by operating in countries considered safe by the European Commission.

If you wish to exercise the rights provided for under Articles 15 to 22 of the GDPR, including the right to obtain confirmation of the existence of personal data concerning you so as to verify its content, origin, exactitude, and location (including, where applicable, in Non-EU Countries); the right to request a copy thereof; the right to request a rectification; and, in the context of the cases provided for by the law in force, the right to request the restriction of such processing; the right to request the erasure of such data; and the right to object to direct contact (limited to certain means of communication), you can contact the Data Protection Officer (DPO) designated by NHS via the following email address: dpo@menarini.com.
It is also possible to submit any concerns you may have regarding the processing of your data, or lodge a complaint with the French Data Protection Authority (CNIL: Commission Nationale de l’Informatique et des Libertés).

If you wish to withdraw your consent under the Social Media, you must submit your request directly to the Social Media in question.