Privacy Notice

1.1 Purpose

As a healthcare company, Camurus Pty Ltd (Camurus) recognises the importance of privacy and is committed to the management and handling of Personal Information and Sensitive Information in an open and transparent way. Camurus is required to comply with the Australian Privacy Act 1988 (Cth) and its amendments, including the Privacy and Other Legislation Amendment Act 2024 (Privacy Act) and this policy creates a framework to ensure that any Personal Information Camurus holds is collected, used, stored and disclosed in accordance with the Australian Privacy Principles (APPs) in the Privacy Act.

Your Personal Information is held securely in accordance with this Privacy Policy and privacy laws and is treated with respect and care. You have the right to contact us to access or correct your Personal Information. We encourage you to contact us if you have questions or concerns about your privacy or how your Personal Information is handled by Camurus.

1.2 Scope

This Privacy Policy documents the handling of Personal Information by and on behalf of Camurus, both within and outside of Australia.

This policy does not apply to the handling of Personal Information about Camurus employees.

1.3 Regulatory Environment

As a healthcare company which deals with Personal Information and Sensitive Information, Camurus has an obligation to respect the privacy of individuals and to follow the Australian privacy laws, which include:

• the Privacy Act 1988 (Cth) (as amended from time to time);
• the National Privacy Principles contained in Schedule 3 to the Privacy Act or where applicable, the Australian Privacy Principles contained in Schedule 1 of the Privacy Act;
• all other applicable laws that require a person to observe privacy or confidentiality obligations in respect of Personal Information.

Camurus acknowledges that penalties can be imposed up to 30% of annual turnover or 3x benefit obtained from breach, a new civil penalty regime with tiered enforcement, and new compliance notice powers for OAIC.

Camurus is also required by law to retain certain medical records which may contain Personal Information under the Therapeutic Goods Act 1989 and the Therapeutic Goods Regulations.

2. Personal Information

Camurus may collect and hold information about individuals who may be customers, members of the general public, job applicants, business contacts, healthcare professionals and others.

The information Camurus typically collects, holds and processes is detailed below. Where Camurus relies on consent for the collection, use or disclosure of your Personal Information, such consent must be:

• Voluntary: Freely given without coercion, deception or undue influence
• Informed: You understand what you’re consenting to
• Current: Given for the specific purpose at hand
• Specific: Related to particular purposes, not blanket consent
• Unambiguous: Clear and not implied from inaction
• Easily withdrawn: You can withdraw consent as easily as you gave it

Camurus will clearly explain the consequences of withdrawing consent, including any impact on our ability to provide services connected to our products.

Camurus will not collect Sensitive Information about you, such as information about your health or ethnicity, without your explicit, written consent, except where collection is required or authorised by law, or necessary to prevent or lessen a serious threat to life, health or safety.

2.1 Members of the Public

• Information obtained when you access Camurus’ websites
• Information you provide when calling Camurus’ medical affairs line or reporting an adverse event, including name/Initials, occupation, home/work address, telephone number, email address, gender, date of birth, age or age range, pregnancy, medication, medical history including drug of dependence, doctor’s details, details of adverse event
• Information from any patient support programmes which Camurus runs, including de-identified details (your initials and date of birth), age or age range, medication, medical history including drug of dependence, doctor’s details

2.2 Healthcare Professionals

• Your name, business address, business telephone number(s) and email address
• Professional details, including provider number
• Practice specialty including areas of interest
• Membership of professional associations
• Practice and/or business information including, where applicable, interest in Camurus products
• Information relating to your patients and your name, place of work and contact details, following Adverse Event/Safety reporting, product complaints or Medical Information line enquiries, including patient drug of dependence, as required for reporting to regulatory authorities and for safety data reporting by Camurus’ global pharmacovigilance function
• Information relating to your participation in Camurus sponsored or supported clinical trials, conferences or other educational events
• Information from public domain websites
• Information obtained when you access Camurus’ websites
• Information and all notes obtained during telephone or in-person sales calls and meetings, including date and duration of the call/meeting, call/meeting outcome, follow-up required
• Frequent flyer numbers, passport details and next of kin details, when Camurus sponsors or arranges your travel to educational events or for business relating to Camurus

Camurus will use Personal Information from Healthcare Professionals to undertake “fair market value” assessments for compensation paid to Healthcare Professionals who provide services to Camurus, as required under the Medicines Australia Code of Conduct. Such information may include Healthcare Professional qualifications, experience, place of work, specific skills, and recommended or requested compensation. Fair market value assessment information is stored on a shared platform operated by Camurus’ parent company, and which is accessed by other Camurus affiliates in Europe and the United States of America. Healthcare Professionals providing information for a services agreement to enable fair market value assessment shall be deemed to have approved the storage of their information on this shared platform.

2.3 Transparency Reporting Under the Medicines Australia Code of Conduct

As a pharmaceutical company, Camurus acknowledges that the Transparency Reporting obligations in the Medicines Australia Code of Conduct are a public benefit which provides visibility for consumers and other parties of payments and transfers of value related to prescription medicines made by Australian companies to healthcare professionals and organisations engaged in patient care or provision of services to Australian patients, including not-for-profit organisations that represent the interests and views of consumers of healthcare.

In order to comply with the Transparency Reporting Obligations in the Medicines Australia Code of Conduct, Camurus collects, holds, stores and uses information from healthcare professionals and health consumer organisations with which it from time to time enters into agreements providing benefits to such parties, including Speaker Agreements and Sponsorship Agreements. Camurus discloses information to Camurus AB to enable Camurus to process and prepare data to comply with reporting requirements under the Medicines Australia Code of Conduct, which may include Personal Information.

The Medicines Australia Code of Conduct requires that the information below be published on Camurus Australia’s website for three years from the date of publication of that information by Camurus.

• Healthcare Professionals engaged in speaking or consulting services:
  • NameProfession/area of specialisation or practice
  • Business/practice address
  • Date of the event
  • A description of the event
  • The value of fees paid for services provided
  • Whether the fees were paid directly to the Healthcare Professional or to a third party
  • Details and value of any air travel, accommodation costs (room rate) and registration fee paid by Camurus and/or reimbursed to a Healthcare Professional and/or the Healthcare Professional’s employer to attend the Event.
• Health Consumer Organisations:
  • Organisation name
  • A description of the nature of the Sponsorship and any other support provided to the
  • Organisation by Camurus, including details of the Event/Conference
  • The monetary value of the of financial support and of invoiced costs related to the Sponsorship
  • A description of the non-monetary value of any items or benefits that the Organisation receives as part of the Sponsorship.

2.4 Business Contacts

• Your name, business address, business telephone number(s) and email address
• Dealings with Camurus in respect of general business relationships
• Work, professional and employment references, reports and assessments
• Information from public domain websites
• Information obtained when you access Camurus’ websites
• Bank information for payment of invoices
• Vaccination status for COVID-19 or other relevant public health/pandemic instances, where you will attend Camurus offices or have face-to-face contact with Camurus personnel or customers

2.5 Job Applicants

The types of Personal Information Camurus collects from job applicants, including for both employment and contract positions, may include:

• Employment history
• Qualifications
• Residential address
• Date of birth
• Opinions about suitability for employment from referees and previous employers
• Taxation and banking details
• Information from public domain and social media websites
• Information obtained when you access Camurus’ websites
• Driver’s licence/passport details
• Superannuation fund details
• Next of kin
• Psychometric testing results
• Records of Medicines Australia course or code of conduct training completion
• “Right to work” check to ascertain right to reside and work in Australia
• Police clearance, where required for customer facing roles employment purposes
• Vaccination status for COVID-19 or other relevant public health/pandemic instances, where relevant for the performance of the role being applied for

Job applicants have the right to not disclose Personal Information, however Camurus may not be able to assess a candidate’s suitability for employment when it does not receive all necessary information. Camurus will only disclose the Personal Information of job applicants to third parties with the consent of the job applicant, or as otherwise permitted in limited circumstances by law.

Once a position has been filled, all applications received by Camurus are filed and kept in Camurus’ human resources files. However, the following information, if previously collected, will not be retained for applicants who do not commence employment or a contract position with Camurus: bank account details, driver’s licence/passport, Tax File Number, superannuation fund details, next of kin.

2.6 Children’s Privacy

Camurus recognises the importance of protecting children’s privacy online, and Camurus will comply with the Children’s Online Privacy Code once developed by the OAIC. Where our websites, applications, or digital services may be accessed by children under 18:

• We implement age-appropriate privacy practices;
• Privacy notices and collection statements are presented in clear, child-friendly language using graphics, video, and audio content where appropriate;
• We obtain verifiable parental consent before collecting personal information from children under 13;
• We limit collection of children’s Personal Information to what is necessary for the specific purpose; and
• We implement enhanced security measures for children’s data.

3. Management of Personal Information

3.1 How Will Camurus Collect Your Personal Information

Wherever possible, Camurus will collect Personal Information about you directly from you. Nevertheless, on some occasions Camurus may collect your Personal Information from other sources, such as:

• Third party agents or data providers
• Public domain websites on the Internet
• Electronic communications such as articles and information pieces in which you feature such as a health information site or a medical professional site
• Publicly available directories and listings such as telephone directories
• Newspapers, magazines, professional journals and the electronic media
• The date, time and domain from which you access Camurus’ website
• Personal interactions and/or communications with Camurus employees and/or contractors
• Databases purchased from an external provider
• Healthcare professionals
• Carers

Personal information about you which Camurus collects and holds may vary depending on your particular interaction with Camurus and will be for a legitimate business purpose. Camurus will not collect Sensitive Information about you, such as information about your health or ethnicity without your consent.

3.2 Collection of Your Personal Information Through Camurus’ Websites

Camurus’ websites provide for direct input of Personal Information under some circumstances.
In addition, Camurus’ websites make use of ‘cookies’ which are small text files that are stored in the visitor’s local browser cache. This enables recognition of the visitor’s browser to optimise the website and simplify its use. Most browsers are set up to accept these cookies automatically, however you can deactivate the storing of cookies or adjust your browser to inform you before the cookie is stored on your computer. Data collected via cookies will not be used to determine the personal identity of the website visitor.

Camurus expects to increasingly makes use of web analytics, including analysis by third party service providers, which may use IP addresses. While this may in some circumstances be ‘Personal Information’ neither Camurus nor the service providers have any interest in an individual’s browser activities and will not use the information to take any action targeted to individuals without having obtained that person’s consent.

3.3 How Will Camurus Hold and Use Your Personal Information

Members of the public

• If you call Camurus’ Medical Information line, information will be collected where required for Camurus to respond to any questions you may have raised.
• If you, your healthcare professional, or your carer, report an adverse event to Camurus, your information will be retained by Camurus as required for regulatory purposes, or to respond/follow up on matters relating to the adverse event.

Customer Relationship Management (CRM) Software

• Information relating to healthcare professionals and third parties with which Camurus conducts business will be held on Camurus’ secure customer relationship management (CRM) software platform. This information will be accessed and used in the ordinary course of conducting business and for continuous and improved relationship management, including but not limited to communicating with you, order processing and fulfilment, accounting, responding to enquiries or complaints.
• Sales data and call activity will be entered into databases run by 3rd party providers such as IQVIA and Prospection. Camurus may also provide those providers with your updated contact or other professional information, consistent with the use of such databases by other pharmaceutical companies.
• Information relating to third parties with which Camurus conducts business will be used to facilitate the provision of products and services to Camurus.

Healthcare Professionals

In addition to the uses of Personal Information specified in the CRM section, Camurus may use your information as follows:

• To provide you with information relevant to your practice
• To involve you in conferences and provide training and support relevant to Camurus’ products and therapy areas relevant to your practice
• To assess your suitability for and involvement in advisory boards
• To otherwise satisfy our legal and regulatory obligations
• To report adverse events to regulatory authorities and for safety data reporting by Camurus’ global pharmacovigilance function

Personal Health Information

• Camurus will collect and record Personal Information, including health information, obtained from calls to Camurus’ medical affairs line when you or your carer or healthcare professional report an adverse event related to a Camurus medication. Camurus Affiliates support processing and reporting of Australian adverse events and accordingly have direct access to reported adverse event information, including Personal Information, and may communicate directly with you in relation to a reported adverse event.
• Patient Personal Information will be anonymised and included in reports to regulatory agencies and in Camurus records.

Transparency Reporting Under the Medicines Australia Code of Conduct

Camurus will collect and disclose information from Healthcare Professionals and Health Consumer Organisations in order to comply with transparency reporting requirements under the Medicines Australia Code of Conduct, as detailed in section ‎2.3 of this policy.

Other Use and Disclosure

Camurus may disclose information about you in the course of any of the uses described above, including to related businesses and third-party service providers for routine business purposes such as order delivery, marketing, hosting, data processing and validation, data storage or archiving, printing and mailing. Camurus will use only reputable service providers and will ensure that it enters into appropriate contractual provisions with service providers to safeguard your privacy.

If you conduct business with Camurus and as a consequence are a close contact of Camurus’ personnel, Camurus may disclose information about your visits to Camurus’ offices and/or interaction with Camurus’s personnel if required in relation to COVD-19 or other relevant public health/pandemic instances.

Camurus will otherwise only disclose Personal Information about you to a third party where required by law.

3.4 Adverse Event Reporting

Camurus is required by law to report Adverse Events to relevant regulatory authorities, including the Therapeutic Goods Administration and overseas equivalent regulatory authorities in markets in which Camurus has current activities or intends to commence future activities. Camurus uses third parties in Australia and in Europe to assist with processing and reporting adverse events. The following information is collected and used to fulfil these reporting requirements:

• Identifiable patient information is required for an Adverse Event report to be validated, however only patient initials OR age OR gender is required. Personal information will be redacted unless required for regulatory reporting purposes or follow-up.
• Where Adverse Event reports require submission to local regulatory health authorities or to an in-licensed partner/distributor, a de-identified CIOMS-I form is used to collect and transmit the information (refer to section 3.1 for additional information).
• Suspect Drug Information (name, strength, dosage, route of administration, therapy start and end date, indications for use)
• Adverse Event details (date started/ended, outcome, causality).
• Concomitant medications (if any)
• Medical conditions (if available)
• Name, profession, institution name and contact details of person reporting the Adverse Event. If the Adverse Event is reported by a patient, personal details are de-identified and contact details are withheld unless authorised to complete a follow-up, in which case the contact details are retained until they are no longer needed, at which time they are permanently deleted.

3.5 Automated Decision-Making

Camurus uses artificial intelligence (AI) and automated systems to support our business operations and improve service delivery. Where we use substantially automated decision-making based on Personal Information that has a legal effect or other significant effect on you, we will inform you of:

• The fact that automated decision-making is being used
• The logic involved in the decision-making process
• The significance and consequences of such processing
• Your right to request human intervention in the decision-making process

Current AI Systems Used by Camurus Include:

• SANA Learning Management System (LMS): We use SANA’s AI-powered learning platform for:
  • Learning pathway recommendations
  • Training completion tracking and analytics
  • Educational content optimisation
• Microsoft Copilot AI: We use Microsoft Copilot for:
  • Internal query processing and information retrieval
  • Document analysis and summarisation
  • Administrative task automation
  • Email and communication assistance

Personal Information processed through these AI systems may include professional details, training records, communication content, and interaction data. These systems operate under strict data governance frameworks and do not make automated decisions with legal or significant effects without human oversight.

Safeguards for AI Processing:

• All AI-assisted decisions with significant impact are subject to human review
• We maintain audit trails of AI system decisions
• Regular assessment of AI system accuracy and bias
• Clear escalation procedures for challenging AI-assisted decisions

4. Cross Border Privacy

4.1 Overseas Recipients

Camurus may transfer your Personal Information to Camurus Affiliates and service providers located in countries that have been prescribed as having adequate privacy protections under Australian law, or to recipients covered by binding schemes recognised under the Privacy Act. For transfers to other countries, we ensure appropriate safeguards are in place through contractual arrangements that provide substantially similar protections to Australian privacy law.. Under these circumstances, your Personal Information will always be stored in a secure manner which is at least as robust as the practices followed by Camurus in Australia.

• Your Personal Information may be aggregated with data from other Camurus sources and stored or processed on computers or web-based database systems located outside Australia where data protection laws may differ from ours. Camurus’ IT servers, databases and cloud-based data centres are located globally.
• Your Personal Information may be stored, maintained and processed on computers or web-based database systems at Camurus which may be accessed by and shared with Camurus Affiliates and with third-parties working with Camurus Affiliates. Our overseas related corporate bodies are located in the European Union, amongst others. Camurus Affiliates provide back-up and support processing and reporting of Australian medical information inquiries and adverse events, and accordingly have direct access to Camurus’ medical information email in-box and shared drives. Any Personal Information included by you in an email to Camurus’ medical information team is accessible to relevant medical information and regulatory support personnel in Camurus Affiliates.
• Some of our overseas service providers, including our IT service providers, are located globally including in the European Union. Where Camurus uses external service providers located in countries outside of Australia, Camurus takes reasonable steps, including by contract provisions, to ensure that these service providers do not breach the Australian privacy laws.
• We may disclose your Personal Information to regulatory authorities overseas, such as the European Medicines Agency, ethics committees, or otherwise as required by law.

Other than where expressly stated elsewhere in this Policy, before disclosing your Personal Information overseas to a country other than Sweden, where Camurus’ head office is located, we will inform you of:

• The countries or regions where your Personal Information may be sent
• The types of recipients who may receive your Personal Information
• The purposes for which your Personal Information will be used overseas
• The privacy protections that will apply to your Personal Information.

4.2 European General Data Protection Regulation (GDPR)

Camurus’ parent company and many Camurus Affiliates are subject to the GDPR. Although many of the privacy principles of the GDPR are similar to the Act and other Australian privacy laws, there are some differences. If you are a European resident, Camurus may be subject to GDPR in relation to Personal Information it holds about you. Accordingly, any processing of Personal Data of EU residents or Personal Data that is otherwise subject to the GDPR will be done in accordance with Camurus’ general GDPR privacy notice, which can be accessed online: https://www.camurus.com/privacy-notice . Your Personal Information will still be subjected to the same information security standards as are applied to all Personal Information held by Camurus and Camurus Affiliates. However, we may manage your Personal Information in a different manner to take account of data portability entitlements and other GDPR-specific requirements, as outlined in Camurus’ Privacy Policy.

5. Data Management

5.1 Data Security

Camurus implements comprehensive security measures including:

• Technical safeguards: Encryption, access controls, secure transmission protocols
• Physical safeguards: Secure facilities, controlled access, equipment protection
• Administrative safeguards: Staff training, security policies, regular audits
• Organisational safeguards: Data governance frameworks, privacy impact assessments

Camurus’ security procedures are continuously revised based on emerging threats, new technological developments and to maintain compliance with applicable security standards to ensure that any Personal Information that is provided to Camurus by you through Camurus’ systems will be protected against possible misuse by third parties.

In the event of an actual or suspected data breach, Camurus will follow the procedures outlined in its Mandatory Data Breach Response Plan, including

• containing the data breach
• conducting a risk assessment to assess the severity rating of a suspected or known data breach
• assessing whether an Eligible Data Breach has occurred.

If an Eligible Data Breach has occurred, Camurus may report the data breach to third parties such as:

• Camurus’ financial services provider
• police or law enforcement bodies
• the Australian Securities & Investments Commission (ASIC)
• the Australian Taxation Office (ATO)
• the Australian Transaction Reports and Analysis Centre (AUSTRAC)
• the Australian Cyber Security Centre (ACSC)
• the Australian Digital Health Agency (ADHA)
• the Department of Health
• State or Territory Privacy and Information Commissioners
• Australian Health Practitioner Regulation Agency
• professional associations and regulatory bodies
• insurance providers.

Camurus will contact you if you have been personally impacted by an Eligible Data Breach. Camurus acknowledges that the OAIC now has enhanced enforcement powers including tiered civil penalties, infringement notices, and expanded investigation powers.

5.2 Data Retention

Under APP 11.2, Camurus must take reasonable steps to destroy Personal Information or ensure it is de-identified if it no longer needs the information for any purpose for which the information may be used or disclosed under the APPs. This requirement applies except where Camurus is required by law to retain the Personal Information.

Camurus will maintain your Personal Information for as long as is necessary to fulfil the purposes for which it was collected and for compliance with legal and regulatory obligations and additional legal purposes related to Camurus’ legitimate business interests. If Camurus becomes aware that you are a European resident, it will ensure that your Personal Information is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the Personal Information is processed. Camurus will delete from its records Personal Information which is no longer required.

Under subsection 28(5)(ca) of the Therapeutic Goods Act 1989, which requires that sponsors of therapeutic goods must adhere to any record-keeping obligations stipulated by the Therapeutic Goods Regulations, records relating to the safety of Camurus’ medicines and regulatory reporting must be retained indefinitely for the life of the medicine and for:

• a period of 10 years after removal from the Australian Register of Therapeutic Goods for registered medicines, and
• a period of 5 years after removal from the Australian Register of Therapeutic Goods for listed medicines.

Records relating to Medical Information inquiries which contain identifiable patient information and which do not relate to Adverse Events or safety data, will generally be retained for 7 years or until the patient referred to reaches the age of 25 in accordance with applicable State or Territory legislation or Royal Australian College of General Practitioner Guidelines, as the case may be

5.3 Individual Privacy Rights

You have the right to:

• Access your Personal Information we hold (subject to limited exceptions);
• Correct inaccurate, out-of-date, incomplete, irrelevant or misleading Personal Information;
• Request deletion of your Personal Information where legally permissible and subject to section ‎5.4 below;
• Lodge a complaint about our handling of your Personal Information;
• Request that we stop sending you direct marketing communications; and
• Seek information about our data handling practices

We will respond to requests within 30 days or advise if additional time is required. We may charge reasonable fees for complex or voluminous requests.

5.4 Deletion of Data

You may notify Camurus at any time if you do not wish Camurus to retain your Personal Information. Camurus will comply with all such requests wherever practicable and lawful. Camurus will take reasonable steps to verify the identity of any person requesting erasure of their Personal Information to ensure that the person making the request is actually the data subject. If you are a European resident, Camurus will correct any of your inaccurate Personal Information without undue delay where the right to be forgotten applies.

6. Privacy Complaints and Contact Details

6.1 Complaint Process

All privacy complaints or complaints regarding your Personal Information should be made in writing to Camurus’ Privacy Officer.

All privacy complaints will be:

• Acknowledged within 5 business days
• Investigated promptly and fairly
• Resolved within 30 days where possible
• Responded to in writing with our decision and reasons

If you are not satisfied with our response, you may:

• Lodge a complaint with the OAIC
• Seek review through the Federal Court or Federal Circuit Court
• Pursue a statutory tort claim for serious invasions of privacy

6.2 Privacy Officer contact information

All requests relating to access, correction or deletion of Personal Information, or any other information relating to Camurus’ Privacy Policy should be made in writing to:

The Privacy Officer
Camurus Pty Ltd
Hyde Park Hub
223 Liverpool St
Darlinghurst, NSW, 2010
Australia

Email: australia@camurus.com
Phone: 1800 142038

7. Privacy Policy Review

7.1 Privacy Impact Assessments

Camurus will conduct Privacy Impact Assessments (PIAs) to help where an activity or data collection undertaken by Camurus has a high privacy risk, such as new data collection activities that involve Sensitive Information, new cross-border data transfers to a country other than Sweden, implementation of new technologies that process Personal Information, new automated decision making involving Personal Information, or any significant data analytics or profiling.

7.2 Policy Review and Updates

Camurus will review this Privacy Policy periodically and update it as necessary to reflect:

• Changes in applicable privacy laws
• New business practices or technologies
• Feedback from stakeholders and regulators
• Results of privacy audits and assessments

The current version of this Privacy Policy is dated 22/12/25 and supersedes all previous versions.

8. Definitions