This Policy applies to Sarepta Therapeutics Inc., with a principal place of business at 215 First Street, Cambridge, MA 02142, Massachusetts, United States (collectively referred to as “Sarepta”, “we”, “us” or “our”) when personal information collected, used and retained is transferred from European Economic Area (“EEA”) member countries, the United Kingdom (UK) and Switzerland to the United States, in any format including electronic, paper or verbal. In that manner Sarepta respects individual privacy, including personal information of candidates, employees, business partners / customers, investors, patients, clinical research participants, clinical research site staff, Investigators and Health Care Professionals.

SCOPE

This Policy is consistent with the Privacy Shield Frameworks and Sarepta complies with the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework (collectively hereinafter referred to as “Privacy Shield” or “Privacy Shield Frameworks”), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from EEA member countries, the United Kingdom (UK) and Switzerland to the United States.

Sarepta has certified to the U.S. Department of Commerce (“DoC”) that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability to all personal information received from EEA member countries, the United Kingdom (UK) and Switzerland in reliance on the Privacy Shield. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program see the US Department of Commerce’s Privacy Shield website located at: https://www.privacyshield.gov. To review our certification, please visit: https://www.privacyshield.gov/list.

DATA PROCESSED

Sarepta in its capacity as the sponsor of clinical research activities and operations collects anonymized medical and health related information about individuals as potential and/ or active clinical research participants and patients who take part in clinical trials. Sarepta also collects personal information regarding clinical research sites staff / patients’ family members or caregivers and other Health Care Professionals, human resources related information such as information on candidates, employees and contractors, personal information associated with its business partners / customers, vendors / suppliers, and potential or existing investors.

PURPOSES OF PROCESSING

Sarepta collects, uses and retains personal information from individuals located in EEA member countries, the United Kingdom (UK) and Switzerland:

a) for the purposes of recruitment of potential clinical research participants, investigators, and other research personnel;

b) for customer relationship management, customer service, social engagement, community building and data analytics purposes;

c) for the purposes of recruitment of personnel and contractors and for the purpose of execution, administration and performance of the employment or contract relationship, and

d) for the purpose of marketing and business development and other business and promotional activities.

PRIVACY SHIELD PRINCIPLES

1. NOTICE

Sarepta will not sell or provide your personal information to any third party without notice. When Sarepta directly collects personal information from individuals located in EEA member countries, the United Kingdom (UK) and Switzerland, it, as explained below, advises you about the purposes for which the information is collected and used, and your ability to limit the use and disclosure of such information, and how to contact Sarepta. Sarepta provides this notice in clear and conspicuous language, either through this privacy statement or other means such as informed consent forms, statements on Sarepta’s website and other disclosures.

2. CHOICE

Subject to the exceptions outlined in the “Product Safety and Efficacy Monitoring” section below, and as otherwise permitted by applicable law, Sarepta does not use or intend to use your personal information for any purpose (other than that for which it was originally collected) without your consent.

Sarepta does not disclose personal information to third parties for purposes that are incompatible with the purposes for which it was originally collected. Sarepta may occasionally transfer personal information to third parties who act for or on behalf of Sarepta, or in connection with the business of Sarepta, for further processing consistent with purposes for which the data were originally collected. Where disclosure of personal information to a third party is likely or necessary, further notice may be provided, where appropriate, at such collection points as to the intended use of the data.

3. ONWARD TRANSFERS

To facilitate the above purposes, personal information will be shared with third parties which Sarepta has chosen to outsource work, such as study sites, investigators, consultants, business partners, third party service providers and competent authorities and regulatory bodies. Sarepta will endeavor to only transfer personal information to a third party where such third party has given written assurances that it provides at least the same level of privacy protection as required by the Privacy Shield Principles and this Policy and will notify Sarepta if it makes a determination it can no longer meet this obligation.

With respect to transfers of individuals’ Personal Data to third-party processors, Sarepta (i) enters into a contract with each relevant processor, (ii) transfers Personal Data to each such processor only for limited and specified purposes, (iii) ascertains that the processor is obligated to provide the Personal Data with at least the same level of privacy protection as is required by the Privacy Shield Principles, (iv) takes reasonable and appropriate steps to ensure that the processor effectively processes the Personal Data in a manner consistent with Sarepta’s obligations under the Privacy Shield Principles, (v) requires the processor to notify Sarepta if the processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, (vi) upon notice, including under (v) above, takes reasonable and appropriate steps to stop and remediate unauthorized processing of the Personal Data by the processor, and (vii) provides a summary or representative copy of the relevant privacy provisions of the processor contract to the Department of Commerce, upon request.

In certain circumstances, Sarepta shall remain liable if its agent processes such personal information in a manner inconsistent with the Principles, unless the Sarepta proves that it is not responsible for the event giving rise to the damage.

Sarepta may be required to disclose personal information received from EEA member countries, the United Kingdom and Switzerland in reliance on the Privacy Shield in response to lawful requests by U.S. public authorities and governmental bodies, including to meet national security or law enforcement requirements.

4. RIGHTS TO ACCESS, TO LIMIT USE, AND TO LIMIT DISCLOSURE

In accordance with Privacy Shield, EEA, UK and Swiss residents whose data is collected may have a right to access personal information regarding them, and to limit use and disclosure of their personal information or to object to their personal data being used for any purpose materially different from the purposes disclosed to them or stated within this Privacy Policy, by contacting Sarepta’s Data Protection Officer (DPO) at [email protected].

5. PRODUCT SAFETY AND EFFICACY MONITORING

The Notice, Choice, Onward Transfer and Access Principles outlined above do not apply to Sarepta’s product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients or subjects using certain medicines or medical devices to the extent that the adherence to these principles interferes with compliance with regulatory requirements, including disclosures to agencies, such as the U.S. Food and Drug Administration.

6. SECURITY

Sarepta takes all appropriate and reasonable measures to protect the personal data covered by this Privacy Shield Policy from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of personal information and the risks involved in the processing in accordance with the Privacy Shield.

7. ENFORCEMENT

Sarepta is subject to the Federal Trade Commission (FTC) investigatory and enforcement powers, the Department of Transportation or another statutory body that will effectively ensure compliance with the Privacy Shield Principles, ensuring Sarepta ’s compliance with the Privacy Shield framework.

In compliance with Privacy Shield Principles Sarepta commits to resolve complaints and disputes about our collection or use of your personal information. EEA, UK and Swiss residents with inquiries or complaints regarding our Privacy Shield policy should first contact Sarepta’s Data Protection Officer at [email protected]

Sarepta has further committed to refer unresolved Privacy Shield complaints to Jams Inc, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit Jams Inc. at: https://www.jamsadr.com/ for more information or to file a complaint. The services of Jams Inc. are provided at no cost to you.

If any request remains unresolved, Individuals may, under certain circumstances, have a right to invoke binding arbitration under Privacy Shield; for additional information, please see https://www.privacyshield.gov.

If your complaint involves human resources data transferred to the United States from the EU and/or UK and Switzerland in the context of the employment relationship, and Sarepta does not address it satisfactorily, Sarepta commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable and to comply with the advice given by the DPA panel and/or Commissioner, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

Complaints related to human resources data should not be addressed to Jams Inc.

8. ARBITRATION

Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

9. HOW TO CONTACT US: To ask questions about this Privacy Policy or to exercise any rights under privacy or data protection laws, please contact us by email at [email protected], or please write to the following address:

Sarepta Therapeutics
Attn: Corporate Communications
215 First Street, Cambridge
MA 02142
617.274.4000

10. CHANGES TO THE PRIVACY POLICY: This Policy may be reviewed and amended from time to time, without advance notice, to ensure that an appropriate level of protection for personal information is maintained. All amendments will be posted on this website. Please check back periodically for updates to this Policy.

PRIVACY POLICY - EFFECTIVE DATE: MAY 13, 2020.