Privacy notice

Introduction

Last updated: December 2025

This Privacy Notice (“Notice”) explains how Zealand Pharma A/S (“Zealand Pharma”, “we”, “us”, “our”) processes personal data when you interact with us, including but not limited to via our websites (e.g., www.zealandpharma.com), email or phone, fax, social media platforms (i.e. LinkedIn etc.), in-person, hybrid or virtual events and webinars, medical information and safety reporting channels, clinical research activities, supplier and vendor management, contracting and business partner engagements, recruitment platforms (i.e. Workday, etc.), compliance hotlines, whistleblowing , and any other business interactions and services.

This Notice applies to individuals whose personal data (as defined below) we process in accordance with applicable data protection laws, including the GDPR, and relevant U.S. federal and state laws and regulations, including but not limited to: website visitors; newsletter subscribers; patients/reporters and healthcare professionals; clinical trial participants and site/CRO/investigator contacts; suppliers and vendors; contracting parties, business partners, event and webinar participants; business contacts (including prospective customers and stakeholders); job applicants; consultants , whistleblowing reporters; and social media users.

We process personal data for these individuals in line with the GDPR, and applicable U.S. federal and state laws and regulations and the specific lawful basis relevant to each activity and purpose outlined in this Notice.

Employee data is governed by our internal employee privacy notice and is not covered by this Notice.

We strive to ensure a high level of data protection and that you can trust the processing of your personal data in all interactions with Zealand Pharma in accordance with the GDPR, applicable U.S. federal and state laws and regulations, and principles of lawfulness, fairness, and transparency.

Controller

Zealand Pharma is responsible for the processing of your personal data and acts as the data controller for the purposes described in this Notice. In certain cases, Zealand Pharma affiliates may act as controllers or joint controllers, as communicated for the relevant activity. Zealand Pharma’s address and contact information are:

Zealand Pharma A/S
Sydmarken 11
DK-2860 Søborg
Denmark
CVR: 20045078
Email address: [email protected]

If you have any questions or concerns regarding the processing of your personal data, kindly contact us using the email address provided above.

Key Definitions

“Personal Information” or “Personal Data”: information that identifies or relates to an identified or identifiable individual.
“Special Category Data”: certain categories of data (e.g., health, genetic, biometric data) subject to enhanced protections under applicable law.
“Processing”: any operation performed on personal data (e.g., collection, use, storage, disclosure, deletion).
“Controller”: the entity determining the purposes and means of processing personal data.
“Processor”: the entity processing personal data on behalf of the controller.

Categories and Sources of Personal Data

We process:

Contact and identifiers: name, email, phone, postal address, employer/role.
Device/technical data: IP address, browser, OS, time zone, website usage and interactions (via cookies, subject to consent as required by appliable law).
Professional details: qualifications, areas of expertise, public profiles (e.g., LinkedIn).
Communication data: emails, meeting coordination, inquiries.
Event data: registration and attendance details.
Supplier/vendor data: business contact info, contract and invoicing details.
Recruitment data: CV/resume, work/education history, referees, interview notes, application data processed via Zealand Pharma’s recruitment platform Workday.
Medical information and pharmacovigilance data: safety reports, case details, reporter contact information, health-related information.
Clinical research data: study data, identifiers/pseudonyms, site/CRO records, consent records (as applicable), monitoring/audit documentation, protocol deviations, and adverse event/safety data, and are processed in accordance with applicable laws, ethics approvals, and study protocols, as applicable.
Compliance Hotline (Whistleblower) data: report content, reporter details (which may be anonymous where permitted) and processed in accordance with applicable whistleblowing laws and as also outlined in the separate privacy policy for Zealand Pharma’s compliance hotline (external provider) and Zealand Pharma’s Compliance Hotline Policy
Sources includes, but are not limited to: directly from you; automated means (cookies, logs); social platforms (LinkedIn); CROs/sites and vendors (including investigators and service providers engaged for clinical and operational activities); referees/recruiters; public sources; HCP databases and conference lists; Zealand Pharma group companies (intra-group sharing), and internal systems supporting our interactions (e.g. email, collaboration tools, and recruitment platforms such as Workday).

Record of Processing Activities (External)

The table below summarizes our main processing activities. For sub-activities, each appears as a separate row.

Purpose	Activity	Categories of personal data	Sources	Legal basis	Recipients (categories)	Retention
Clinical research (sponsor/controller)	Planning, conducting, monitoring, and reporting clinical trials	Health and study data; identifiers/pseudonyms; site/CRO records; consent records	Participants; sites; CROs/vendors	Depending on local law and ICF: legal obligation (Art. 6(1)(c)) or consent (Art. 6(1)(a)); special category: scientific research (Art. 9(2)(j)) and/or explicit consent (Art. 9(2)(a)); public health (Art. 9(2)(i)) where applicable	CROs; sites; labs; regulators; ethics committees; advisors	Per protocol and legal requirements
Events and webinars	Registration and attendance management	Name; email; company; role; registration details; attendance status	Direct from you	Contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f))	Event platforms; internal teams	Duration of event plus up to 12 months for follow-up/reporting
General business communications	Routine emails for meetings, projects, admin notices, etc.	Email content/attachments, metadata; name; email; employer/role (if included)	Direct from you; internal	Legitimate interests (Art. 6(1)(f)); contract/pre-contract (Art. 6(1)(b)) where applicable; legal obligation (Art. 6(1)(c)) for recordkeeping	Internal teams; advisors; authorities (where required)	Typically up to 5 years after last correspondence; longer if part of contractual/legal records (often 5–10 years)
HCP liaison and feasibility	Assessing study feasibility; interacting with HCPs	Professional contact details; qualifications; expertise; public profiles	Public sources; professional directories; conferences; LinkedIn	Legitimate interests (Art. 6(1)(f))	Internal teams; CROs/vendors	3 years, then reviewed for deletion
Legal and governance	Legal/regulatory requests, audits, and M&A	Records necessary to fulfill the request/transaction (communications, contracts, logs)	Internal systems; counterparties	Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f))	Authorities; auditors; legal advisors; transaction counterparties	As required by applicable law and records policies
Marketing and communications	Conducting and producing marketing content (e.g., interviews/testimonials with patients, caregivers, or HCPs), including recording audio/video, taking photos, creating written case stories, and publishing on Zealand Pharma’s channels (website, press materials, LinkedIn, events)	Contact details (name, email/phone); consent/release forms; interview notes/transcripts; photos/videos/audio; biographical details (e.g., role, condition summary if disclosed); any health-related information voluntarily shared during the interview; publication metadata	Direct from participant; production vendors/PR agencies (acting as processors)	Consent (Art. 6(1)(a) GDPR) for creation and use of marketing content; if special category data (e.g., health information) is included, explicit consent (Art. 9(2)(a)). For minors, parental/guardian consent/assent per applicable law	Internal Marketing/Communications teams; PR/creative agencies; production vendors; website hosting providers; LinkedIn (upon publication)	For as long as consent remains valid and the content is in use; upon consent withdrawal, we cease further use and remove content where feasible; archival copies may be retained in accordance with applicable law and Zealand’s records management policy (including legal holds, if any)
Medical information	Responding to medical information requests	Inquiry content; contact details; health-related info you may provide	Direct from you	Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) where applicable; special category: public interest in public health (Art. 9(2)(i)) or explicit consent (Art. 9(2)(a)), as applicable	Internal medical information teams; advisors	Typically 5 years; PV-related records follow PV retention (often 10+ years)
Medical Inquiries	Responding to medical inquiries from healthcare professionals (HCPs); providing scientific/medical information about Zealand products and research; routing any safety-related content to Pharmacovigilance	HCP professional contact details (name, email, phone, role, specialty, institution); inquiry content and correspondence; may incidentally include patient-related information provided by the HCP (minimized)	Direct from HCP via email/phone/webform; CRM/MI systems	Art. 6(1)(f) GDPR (legitimate interests in providing accurate medical information and managing inquiries); where a legal duty applies, Art. 6(1)(c). If special category data is processed (e.g., patient information provided by the HCP), rely on Art. 9(2)(i) (public interest in public health) or route to PV under applicable legal bases; where required, Art. 9(2)(a) (explicit consent)	Internal medical information team; scientific/medical advisors under confidentiality; Pharmacovigilance team/regulators if an adverse event or product quality complaint is identified; IT/CRM providers (processors)	Typically 5 years; PV-related records follow PV retention (often 10+ years)
Pharmacovigilance	Safety reporting and adverse event monitoring	Health data; identifiers; reporter details (patient/HCP contact info); case details	Direct reports; HCPs; partners; authorities	Legal obligation (Art. 6(1)(c)); special category: public interest in public health (Art. 9(2)(i)); in emergencies, vital interests (Art. 6(1)(d), Art. 9(2)(c))	Regulatory authorities; MAHs; CROs; safety databases; advisors	As required by pharma regulations (often 10+ years; varies by jurisdiction)
Recruitment (Candidate testing)	Administering psychometric testing during candidate evaluation	Name; email address	Direct from candidate; testing provider platforms	Art. 6(1)(b) GDPR (steps prior to entering a contract) and Art. 6(1)(f) GDPR (legitimate interests in evaluating candidates fairly)	HR and hiring managers; approved psychometric testing provider(s) acting as processors	Retained in accordance with applicable local law and Zealand Pharma’s records retention policy; where law prescribes specific periods, those are applied. Records may be retained longer as necessary to comply with legal obligations, resolve disputes, or enforce agreements (including legal holds).
Recruitment (Workday)	Processing applications and assessing candidates	CV/resume; contact info; work/education history; referees/recruiter data; interview notes; application metadata	Direct from you; recruiters/referees; Workday	Steps prior to contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in hiring; legal obligation (Art. 6(1)(c)) where applicable; special category data only with explicit consent or as permitted by law	Hiring managers; HR; Workday; background check providers (where lawful)	Retained in accordance with applicable local law and Zealand Pharma’s records retention policy; where law prescribes specific periods, those are applied. Records may be retained longer as necessary to comply with legal obligations, resolve disputes, or enforce agreements (including legal holds).
Security monitoring	Detecting, investigating, and preventing fraud/abuse/security incidents	Device/usage data; access logs; IP addresses; audit trails	Automated; internal systems	Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) where applicable	Internal security; security vendors; authorities where required	12 months; longer for incident investigations/legal purposes
Social media presence	Interacting with users on LinkedIn; receiving aggregated statistics via LinkedIn plug-ins	Public profile info you share; interactions (likes, comments, shares); aggregated demographics/geography	LinkedIn; public sources	Legitimate interests (Art. 6(1)(f)) in promoting and interacting	LinkedIn (joint controller for certain statistics); internal teams	Deleted when a post is deleted or you remove your interaction; otherwise after 10 years
Supplier/vendor management	Onboarding, managing, and paying suppliers/vendors	Business contact info; contract/invoice details; communications	Direct from suppliers; internal systems	Contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)); legal obligation for tax/accounting (Art. 6(1)(c))	Finance/Procurement; accounting/tax authorities; auditors; IT providers	Contract term plus 7–10 years to meet accounting/legal archiving obligations
Technical diagnostics	Performing diagnostics to investigate/resolve issues	Device/browser details; telemetry; diagnostic logs; error reports	Automated; internal systems	Legitimate interests (Art. 6(1)(f))	Internal teams; IT/security providers	12 months; longer if needed for incident resolution
Website analytics	Statistical and functional cookies (subject to consent)	User ID; device/OS; time zone; referring site/platform; country; engagement and time on site	Automated via cookies (with consent)	Consent (Art. 6(1)(a)); Danish cookie rules	Analytics/cookie consent providers	Until cookie expiration, deletion, or consent withdrawal (see cookie settings)
Website communications	Newsletter subscriptions and sending company announcements/press releases	Email address; first/last name (optional); preferences	Direct from you	Consent (Art. 6(1)(a) GDPR)	Email service providers; Zealand group entities as needed	For as long as consent is active; email address retained up to 2 years after last distribution to document compliance with Danish Marketing Act
Website inquiries	Managing enquiries via web forms or direct email	Name, email, phone (if provided), company, type of enquiry, message content	Direct from you	Legitimate interests (Art. 6(1)(f)) in managing enquiries	Internal teams; IT/email providers	Up to 2 years from receipt, unless part of legal/compliance records
Whistleblowing	Compliance hotline reporting and investigation	Report content; reporter details (if provided); implicated individuals; supporting evidence	Direct from reporter; internal investigation	Legal obligation (Art. 6(1)(c)) where applicable; legitimate interests (Art. 6(1)(f)) in integrity/compliance; special category data processed only as permitted by law	Compliance/Legal; external investigators; authorities (where required)	Typically 5 years from case closure,

Notes:

We do not use tracking pixels or link analytics in email campaigns.
We do not operate external user accounts/portals beyond newsletter subscriptions.
If a medical inquiry includes adverse events or product quality complaint information, it is handled under Pharmacovigilance with the corresponding legal bases and retention.

Sharing of Personal Data

We share personal data with:

Service providers acting as processors (e.g., IT systems, website hosting, analytics, email delivery, Workday, CROs), on written instructions and under confidentiality, and where required, subject to data processing agreements, appropriate security measures, and restrictions on sub-processing.
Zealand Pharma group companies, to respond to enquiries and manage activities, including intra-group transfers based on appropriate safeguards and need-to-know access
Professional advisors (auditors, lawyers), regulators, and authorities, where needed to obtain advice, comply with law, defend legal rights, enforce agreements, or protect rights, property, or safety, or to meet pharmacovigilance, compliance, and reporting obligations.

Automated Decision-Making and Profiling

We do not engage in automated decision-making that produces legal or similarly significant effects without human involvement. If this changes, we will provide meaningful information about the logic involved and your rights related to such processing.

Social Media Joint Controllership (LinkedIn)

When you visit our LinkedIn page, LinkedIn may collect and process personal data (including aggregated statistics and engagement data). In certain cases, we and LinkedIn act as joint controllers of such statistics. You may exercise your rights under the GDPR with either party. For details on LinkedIn’s processing and joint controllership, please refer to LinkedIn’s Privacy Policy and terms.

International Data Transfers

We may transfer personal data outside the EU/EEA for the purposes described above. Where destination countries are not covered by an adequacy decision, we implement appropriate safeguards, including:

The EU Standard Contractual Clauses (SCCs) with recipients and processors.
Transfer Impact Assessments where required.

Data Security

We apply administrative, technical, and physical safeguards to protect personal data, including role-based access controls, encryption, network monitoring, staff training, and vendor due diligence. We investigate and respond to suspected incidents and comply with applicable notification requirements. We periodically test and review our security controls and conduct risk assessments.

Cookies and Similar Technologies

We use statistical and functional cookies only with your consent, in accordance with Danish cookie regulation. You can manage your preferences and withdraw consent at any time via our cookie settings. Personal data collected via cookies is deleted when the relevant cookie expires, when you delete the cookie(s), or when you withdraw your consent.

We do not use tracking pixels or link analytics in our email campaigns.

Children’s Privacy

Our websites and general services are not directed at children. In certain regulated activities (e.g., clinical research), we may process minors’ data with appropriate parental/guardian consent/assent and ethics approvals, in accordance with applicable laws and protocols.

U.S. Privacy Rights

Depending on the U.S. state of residence (i.e. California, Colorado etc.), you may have the right to the following:

Know what personal data is collected
Opt out of certain data sharing or targeted advertising
Request deletion of your personal data
Not be discriminated against for exercising privacy rights

Requests may be submitted by using the webform below.

Your Data Protection Rights

You have the following rights under the GDPR, subject to conditions and limitations:

Withdraw consent at any time (e.g., unsubscribe via the link in our emails).
Access your personal data and receive a copy.
Rectify inaccurate or incomplete data.
Erase personal data (in certain circumstances).
Restrict processing (in certain circumstances).
Object to processing (in certain circumstances).
Data portability (in certain circumstances).

To exercise your rights, use our Privacy Web Form. We may need to verify your identity before completing your request. We typically respond within one month of verifying your identity, extendable by two months for complex requests. You also have the right to lodge a complaint with a supervisory authority, such as the Danish Data Protection Agency (Datatilsynet), see below.

You can read more about your rights in the Danish Data Protection Agency’s guidelines: www.datatilsynet.dk.

There may be conditions or limitations on these rights. This depends on the specific circumstances of the processing activity.

Applying for a job at Zealand

From time to time, we advertise open positions at Zealand Pharma on our career site. You can find all open positions here. Kindly note that we do not accept unsolicited applications.

Changes to this Privacy Notice

We may update this Notice from time to time to reflect changes in our practices or legal requirements, and such updates may occur without prior notice.

The “Last updated” date at the top indicates the latest revision.