SYNLAB and personal data privacy

SYNLAB, as the Data Controller, and its affiliated companies are committed to protecting and respecting your privacy.
This Policy outlines the information and procedures regarding the processing of personal data by the entities of the SYNLAB PORTUGAL GROUP, which are identified in the table below.

The categories of individuals whose personal data is processed by SYNLAB include our clients (when they are individuals) and users of the Platforms, healthcare professionals who prescribe clinical analyses, genetic tests, or molecular pathology performed by SYNLAB, business partners who are individuals, or their representatives or contacts with whom we interact in the course of our activities, interlocutors of SYNLAB in regulatory entities or other administrative entities with authority, or business associations that relate to SYNLAB, researchers, doctors, or other members of the scientific community who also interact with SYNLAB in the context of its activities.

This privacy statement also establishes the circumstances under which we will process any personal data that we may collect about you as a visitor to our website, our facilities, or in the context of the services we provide, suppliers, or other business partners. As such, we ask that you carefully read this privacy policy.

We may collect and process the following data about you:

This is the information about you that you provide to us through:

1.1.1 filling out forms on our website (or other forms we may ask you to complete),

1.1.2 providing a business card (or similar); or

1.1.3 correspondence with us by phone, mail, email, or other means.

This may include, for example, your name, address, email address, and phone number, information about your business relationship with SYNLAB, and information about your professional activity, background, and interests.

1.2.1 If you visit our website, it will automatically collect some information about you and your visit, including the Internet Protocol (IP) address used to connect your device to the internet and other information such as the type and version of the browser, as well as the pages of our website that you visit.

1.2.2 Our website may also download cookies to your device – this is described separately in our Cookie Policy.

1.2.3 If you exchange emails, have phone conversations, or make other electronic communications with our employees or collaborators, our information technology systems will record details of such communications, sometimes including their content.

1.2.4 Some of our facilities are equipped with closed-circuit television systems, which may record you if you visit our facilities, for security and protection purposes.

We may also collect information from other sources. For example:

1.3.1 If we have a business relationship with an organization represented by you, your colleagues or other professional contacts may provide us with information about you, such as your contact details or information about your role in that relationship.

1.3.2 Sometimes we collect information through third parties that provide data or from publicly available sources for the purposes of developing our commercial and scientific activities, combating money laundering, background checks, and similar purposes, as well as for the protection of our business and compliance with our legal and regulatory obligations.

Special Categories of Personal Data – In providing our services, we will necessarily need to collect data related to your health and genetic data. In certain cases, we may need to collect data related to your racial or ethnic origin. Such information is considered “special categories of data” under the GDPR, and SYNLAB will observe the more stringent protection requirements set forth in the GDPR regarding the processing of such data, both in relation to the appropriate legal grounds for its processing and in relation to the implementation of appropriate technical and organizational measures to minimize its processing, restrict access to such data, and ensure its security.

Security Measures Adopted by SYNLAB – SYNLAB is committed to ensuring the confidentiality, protection, and security of the personal data of Data Subjects by implementing appropriate technical and organizational measures to protect your data against any form of unlawful or improper processing and against any accidental loss or destruction of such data. To this end, we have systems and teams dedicated to ensuring the security of the personal data processed, creating and updating procedures to prevent unauthorized access, accidental loss, and/or destruction of personal data, and we are committed to complying with the legislation regarding the protection of personal data of Clients and to processing this data only for the purposes for which it was collected, as well as ensuring that this data is processed with adequate levels of security and confidentiality.

Because we recognize the sensitivity of this information, and in order to ensure compliance with applicable data protection rules, we have provided our employees with the necessary training. Additionally, our employees are committed to not disclosing to third parties or using for unlawful purposes any personal information of SYNLAB Clients that they may come to know in the course of their duties.

In this regard, for any questions related to the protection of personal data, you may contact SYNLAB’s data protection contact using the contact details provided below.

In this case, we inform you below of our purposes for processing and the legal basis for it:

In accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Law No. 58/2019 of August 8, the personal data of users of healthcare services provided at SYNLAB Laboratories and Clinics are processed by SYNLAB for the purpose of managing their demographic and health data, conducting clinical analyses and pathological anatomy, performing genetic tests, providing care in the context of medical consultations, as applicable, conducting statistics, or developing scientific research activities based on previously anonymized data, as well as for billing purposes and contacting users to provide information related to the services provided by SYNLAB.

— Article 9 of the GDPR – Conducting genetic tests in the context of providing healthcare, providing clinical analysis and pathological anatomy services, and conducting medical consultations for the purposes of preventive medicine, diagnosis, and/or treatment of disease(s);

— Article 9 of the GDPR – Use of anonymized data for clinical research purposes;

— Article 6 of the GDPR – Management of the data necessary for managing the contractual relationship (including conducting non-clinical genetic tests), billing, sending results, and verifying coverage by insurance policies;

— Article 6 of the GDPR – Legitimate interest of SYNLAB, as the data controller, to inform its clients about the services it provides, as well as to obtain information about the level of client satisfaction regarding the services used;

— Article 9 of the GDPR – Consent of the data subject for the processing of special categories of personal data.

Under the GDPR, in cases where the legal basis for processing personal data is based on the consent of the data subject, the data subject has the right to withdraw their consent at any time, without affecting the lawfulness of the processing carried out based on the consent previously given.

SYNLAB’S RELATIONSHIP WITH HEALTHCARE UNITS

Due to the regulatory framework applicable to the conduct of genetic tests, the clinical genetic tests performed by SYNLAB are always subject to a requisition signed by a healthcare professional, thereby facilitating the transmission of data from the patient/user of the Healthcare Units where the Clients are followed to SYNLAB for the purpose of conducting the prescribed tests. The data flow for molecular pathology analyses is the same.

The Healthcare Unit requesting the tests and/or analyses is responsible for collecting personal data, collecting samples (when this takes place in the hospital), and obtaining the informed consent of the patient to comply with the legal requirements applicable to the conduct of genetic tests and/or the provision of other healthcare services.

2.1.1 to operate, manage, and improve our website and facilities and other aspects related to how we conduct our operations;

2.1.2 to comply with our legal and regulatory obligations and to assert or defend against legal claims.

2.1.3 for purposes related to our financial and banking agreements.

2.1.4 to explore, manage, develop, and promote our business and, in particular, our relationship with the organization you represent (if any) and related transactions – for example, for marketing purposes; and

2.1.5 to protect our business from fraud, money laundering, breach of confidentiality, cyberattacks, theft of tangible property, and other financial or corporate crimes.

2.1.6 to provide the Second Opinion service described in point 6 of this Policy to those who request it, and with their informed consent.

2.2 Periodically, we may review the information about you held in our systems – including the contents of other information related to your email and other communications with us – for compliance and business protection purposes, as described above.

2.3 This may include reviews for the purpose of disclosing relevant information for litigation and/or reviews of relevant records for criminal or regulatory investigations, whether internal or external.

2.4 To the extent permitted by applicable law, such reviews will be conducted in a reasonable and proportionate manner and approved by the competent management body. Ultimately, they may involve the disclosure of your information to government agencies and counterparts in litigation, as described below.

2.5 Your emails and other communications may also, occasionally, be accessed by someone other than the employee to whom the communications were directed for common business management purposes (for example, if necessary when an employee is out of the office or has left SYNLAB).

2.6 We will only process your personal information as necessary to pursue the purposes described above, and even then, only when we have concluded that our processing does not harm you or your privacy in a way that would result in an overriding of our legitimate interest in pursuing such purposes.

2.7 In exceptional circumstances, we may also be required by law to disclose or otherwise process your personal information. We will inform you when we request information about yourself if providing the requested information is necessary to comply with a legal obligation or, on the other hand, if it is purely voluntary and there will be no implications if you refuse to provide the information. Otherwise, you should assume that we need the information for compliance or for our activities (as described above).

2.8 If you have any questions about SYNLAB’s need for the information we request from you, please contact the SYNLAB representative requesting information, or Contact Us (see below) with your inquiry.

3.1 Under applicable law, the results report of your genetic test(s) related to the provision of healthcare will be sent by SYNLAB to the prescribing physician of the test(s). The report of clinical analyses or pathological anatomy may be sent by SYNLAB to the physician or healthcare professional who requested the analyses, upon written request from the data subject or their legal representative.

3.2 Your personal data may be transferred to other companies within the SYNLAB group, as well as to external suppliers, hospitals, and other healthcare providers responsible for the care provided to data subjects, health subsystems, insurers, and health authorities, which may be located inside or outside the European Economic Area (“EEA”), including in countries that do not provide levels of data protection equivalent to those of the EEA, particularly in the context of providing hosting and IT support services. In such cases, SYNLAB will ensure that these data transfers are carried out in compliance with applicable data protection regulations.

3.3 If necessary, SYNLAB may engage third parties to provide necessary services for the proper execution of its healthcare activities (e.g., event organizing entities, document management service providers, and information technology service providers). These entities may have access to personal data to the extent necessary to provide the relevant services, and SYNLAB commits to entering into data processing agreements with them, as required by applicable legislation. SYNLAB also processes personal data in the context of partnerships with other laboratories, acting on behalf of other laboratories as a subcontractor, in which case the relationships involving subcontracting are governed by a written contract in accordance with the provisions of the applicable regulations for medical genetics laboratories and Article 28 of the GDPR.

3.4 The communications mentioned in paragraph 3.1 above may involve, when applicable, the international transfer of your information and personal data abroad. If you maintain a relationship with us from the European Economic Area (or the United Kingdom, after leaving the European Economic Area), you should be aware that data transfers may occur to countries that do not ensure an equivalent level of privacy protection as guaranteed by the GDPR, provided that the measures established in the GDPR are adopted, which may include the use of standard contractual clauses. Your personal data may be transferred to other companies within the SYNLAB group, as well as to business partners (such as hospitals and other healthcare providers), external suppliers, and health authorities, which may be located inside or outside the European Economic Area (“EEA”), including in countries that do not offer levels of data protection equivalent to those of the EEA, particularly in the context of providing hosting and IT support services. In such cases, SYNLAB will ensure that these data transfers are carried out in compliance with applicable data protection regulations, which may involve the use of standard contractual clauses approved by the European Commission.

4.1 We aim to keep your personal information accurate and up to date. We will delete the information we hold about you when we no longer need it.

4.2 The personal data processed by SYNLAB in the context of its activities related to genetic testing, clinical analyses, or pathological anatomy, and the provision of care in the context of medical consultations, will be retained only for the duration of the contractual relationship to which the processing relates, and until the expiration of the legal limitation period for the respective rights and obligations, without prejudice to its retention for the purpose of fulfilling legal obligations for the periods defined by law. Additionally, SYNLAB has a Policy on the retention of personal data. We will not retain your information for longer than strictly necessary or required by law, after which it will be deleted or anonymized.

4.3 Please note that we may retain some limited information about you after we become aware that you are no longer part of the organization you represent, in order to maintain a continuous relationship with you if and when we are in contact with you again, representing a different organization.

4.4 SYNLAB has a Policy on the retention of personal data, which you can consult here.

5.1 You have the right to access your personal information that we hold about you, as well as some related information, under data protection law. You may also request the correction or deletion of any inaccurate personal information.

5.2 You can object to the use of your personal information for direct marketing purposes at any time, and you may have the right to object to our processing of some or all of your personal information (and request that it be deleted) in other circumstances.

5.3 In some circumstances, you may also have the right to “data portability,” which means we will transfer your personal data to you or to a new service provider.

5.4 If you wish to exercise any of the rights mentioned above, please Contact Us as set out in section 6 (Contact Us) below.

5.5 Without prejudice to any other administrative or judicial remedy, you may also file a complaint with the CNPD regarding the processing of your personal information or with another competent Supervisory Authority under the law (please find the contact details here: https://www.cnpd.pt/en/ or http://ec.europa.eu/justice/data-protection/article29/structure/data-protection-authorities/index_en.htm).

SYNLAB provides laboratory medical diagnostic services to healthcare professionals and/or patients. SYNLAB employs highly specialized medical professionals throughout the EU and in third countries.

The SeNe allows the physicians responsible for diagnosis to consult selected ultra-specialized experts in case of doubt, thereby improving the quality and reliability of the medical diagnoses provided to their patients. This resource is not just a tool; it is a concrete support to enhance the professional relationship with national and international specialists, to exchange medical knowledge, and to significantly contribute to patient care. SYNLAB’s commitment to medical excellence extends to the patient. The SeNe platform will enable SYNLAB to provide second opinions based on knowledge, not limited by geographical proximity, and with the capacity to reach all or most medical specialties of SYNLAB. This service will be provided by SYNLAB at the request of the data subject(s) and will require the informed consent of the latter.

If a laboratory result is inconclusive or if the physician responsible for the diagnosis (“Diagnostic Physician”) has doubts regarding the diagnosis, the Diagnostic Physician may seek advice from a physician with specialized knowledge (“Specialist Physician”) through the SeNe (SYNLAB’s electronic network of specialists). The Diagnostic Physician must provide transparent advice and recommendations, and the decision and choice of the Specialist Physician must be made by the patient.

For more information, please refer to the document “Terms of Use of SeNe” from SYNLAB (October 2024).

7.1 We welcome questions, comments, and requests regarding this privacy statement and the processing of personal information.

7.2 Please email our Data Protection Officer at protecaodedados@synlab.pt.

Any future changes to this privacy statement will be made available on our website (at https://www.synlab.pt/politica-de-privacidade.aspx) and will also be available if you contact us at:

• Email: protecaodedados@synlab.pt
• Address: Columbano Bordalo Pinheiro Avenue, no. 75, Floor 6.01 • 1070 061 Lisbon
• Phone: (+351) 217 216 060

This Policy is subject to change by SYNLAB.

You may contact the GenoMed personal data protection contact for further information about the processing of your personal data, as well as any questions related to exercising your rights under applicable law, and in particular those referred to in this Data Protection Policy, at the following contact details:

Telephone: (+351): (+351) 21 799 95 01
e-mail: rgpd@genomed.pt
Address: Edifício Egas Moniz, Sala P3-A-23 Av. Prof. Egas Moniz – 1649-028 LISBOA

©POLÍTICA DE PRIVACIDADE GRUPO SYNLAB, 04 /MAR/2025