SCOPE

Sarepta Therapeutics, Inc. (“Sarepta”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Sarepta has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Sarepta has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

PERSONAL DATA PROCESSED

Sarepta, in its capacity as the sponsor of clinical research activities and operations, collects anonymized medical and health-related information about individuals as potential and/or active clinical research participants and patients who take part in clinical trials. Sarepta also collects personal information regarding clinical research sites staff / patients’ family members or caregivers and other Health Care Professionals, human resources related information such as information on candidates, employees and contractors, personal information associated with its business partners / customers, vendors / suppliers, and potential or existing investors.

PURPOSES OF PROCESSING

Sarepta collects, uses and retains personal information from individuals located in EEA member countries, the United Kingdom (UK) and Switzerland:

a) for the purposes of recruitment of potential clinical research participants, investigators, and other research personnel;

b) for customer relationship management, customer service, social engagement, community building and data analytics purposes;

c) for the purposes of recruitment of personnel and contractors and for the purpose of execution, administration and performance of the employment or contract relationship, and

d) for the purpose of marketing and business development and other business and promotional activities.

DATA PRIVACY FRAMEWORK PRINCIPLES

1. NOTICE

Sarepta will not sell or provide your personal information to any third party without notice. When Sarepta directly collects personal information from individuals located in EEA member countries, the United Kingdom (UK) and Switzerland, it, as explained below, advises you about the purposes for which the information is collected and used, and your ability to limit the use and disclosure of such information, and how to contact Sarepta. Sarepta provides this notice in clear and conspicuous language, either through this privacy statement or other means such as informed consent forms, statements on Sarepta’s website and other disclosures.

2. CHOICE

Subject to the exceptions outlined in the “Product Safety and Efficacy Monitoring” section below, and as otherwise permitted by applicable law, Sarepta does not use or intend to use your personal information for any purpose (other than that for which it was originally collected) without your consent.

Sarepta does not disclose personal information to third parties for purposes that are incompatible with the purposes for which it was originally collected. Sarepta may occasionally transfer personal information to third parties who act for or on behalf of Sarepta, or in connection with the business of Sarepta, for further processing consistent with purposes for which the data were originally collected. Where disclosure of personal information to a third party is likely or necessary, further notice may be provided, where appropriate, at such collection points as to the intended use of the data.

3. ONWARD TRANSFERS

To facilitate the above purposes, personal information will be shared with third parties to which Sarepta has chosen to outsource work, such as study sites, investigators, consultants, business partners, third party service providers and competent authorities and regulatory bodies. Sarepta will endeavor to only transfer personal information to a third party where such third party has given written assurances that it provides at least the same level of privacy protection as required by the Data Privacy Framework ("DPF") Principles and this Policy and will notify Sarepta if it makes a determination that it can no longer meet this obligation.

With respect to transfers of individuals’ Personal Data to third-party processors, Sarepta (i) enters into a contract with each relevant processor, (ii) transfers Personal Data to each such processor only for limited and specified purposes, (iii) ascertains that the processor is obligated to provide the Personal Data with at least the same level of privacy protection as is required by the DPF Principles, (iv) takes reasonable and appropriate steps to ensure that the processor effectively processes the Personal Data in a manner consistent with Sarepta’s obligations under the DPF Principles, (v) requires the processor to notify Sarepta if the processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, (vi) upon notice, including under (v) above, takes reasonable and appropriate steps to stop and remediate unauthorized processing of the Personal Data by the processor, and (vii) provides a summary or representative copy of the relevant privacy provisions of the processor contract to the Department of Commerce, upon request.

In certain circumstances, Sarepta shall remain liable if its agent processes such personal information in a manner inconsistent with the Principles, unless Sarepta proves that it is not responsible for the event giving rise to the damage.

Sarepta may be required to disclose personal information received from EEA member countries, the United Kingdom and Switzerland in reliance on the DPF in response to lawful requests by U.S. public authorities and governmental bodies, including to meet national security or law enforcement requirements.

4. RIGHTS TO ACCESS, TO LIMIT USE, AND TO LIMIT DISCLOSURE

In accordance with the Data Privacy Framework, EEA, UK and Swiss residents whose data is collected may have a right to access personal information regarding them, and to limit use and disclosure of their personal information or to object to their personal data being used for any purpose materially different from the purposes disclosed to them or stated within this Privacy Policy, by contacting Sarepta’s Data Protection Officer (DPO) at [email protected].

5. PRODUCT SAFETY AND EFFICACY MONITORING

The Notice, Choice, Onward Transfer and Access Principles outlined above do not apply to Sarepta’s product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients or subjects using certain medicines or medical devices to the extent that the adherence to these principles interferes with compliance with regulatory requirements, including disclosures to agencies, such as the U.S. Food and Drug Administration.

6. SECURITY

Sarepta takes all appropriate and reasonable measures to protect the personal data covered by this Data Privacy Framework Policy from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of personal information and the risks involved in the processing in accordance with the Data Privacy Framework.

7. INQUIRIES AND COMPLAINTS

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Sarepta commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Sarepta at: [email protected].

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Sarepta commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to Jams Inc., an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit Jams Inc. at: https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of Jams Inc. are provided at no cost to you.

Human Resources Data:

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Sarepta commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

Complaints related to human resources data should not be addressed to Jams Inc.

8. INVESTIGATION AND ENFORCEMENT

The Federal Trade Commission has jurisdiction over Sarepta’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

9. ARBITRATION

Under certain conditions, more fully described on the Data Privacy Framework website at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2, you may invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms.

10. HOW TO CONTACT US: To ask questions about this Privacy Policy or to exercise any rights under privacy or data protection laws, please contact us by email at [email protected], or please write to the following address:

Sarepta Therapeutics
Attn: Corporate Communications
215 First Street, Cambridge
MA 02142
617.274.4000

11. CHANGES TO THE PRIVACY POLICY: This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for personal information is maintained. All amendments will be posted on this website. Please check back periodically for updates to this Policy.

PRIVACY POLICY - EFFECTIVE DATE: OCTOBER 3, 2023.