DNA – Privacy Statement DNALife

All genetic testing activities and data management by DNALife/Nordic Laboratories are conducted in
accordance with relevant ISO protocols governing the industry.

DNA data produced from the analysis are digitised and retained indefinitely. These DNA data files contain
no direct patient identifiers. Without the necessary codes to link a data file to a patient order number and
subsequently to a patient, the data is completely anonymous.

Why is the data retained?
This enables a report to be recovered or reissued should the client lose or delete their reports. Further,
the data can be utilised to provide additional reports if requested by practitioner or patient. DNALife is
also in a continuous development phase as more peer-reviewed research is concluded and published. As
the knowledge base develops, so will our reports. The retained data enables reports to be updated for a
client where possible.

Do we share data?
No genetic data are shared beyond the necessary and essential operational processes related to acquiring
the sample, analysing and reporting. Data is not sold onwards or shared to third parties.

Data held by Nordic Laboratories is maintained on encrypted servers located in Germany and Finland. All
data retention, data security, and data transmission protocols are in compliance with GDPR and other
appropriate legislation. No personal information is shared unless necessitated by operational processes
(e.g. Address and contact data is required for courier delivery or collection documents and events).

Data Security

Our investment in data security processes is not only motivated by the requirements of GDPR and other
legislation. With our reliance on electronic platforms to serve clients reliably and securely without
interruption in the 60+ territories in which we operate, it is essential that we maintain security on our
platform. Data breaches can be operationally and financially devastating to a company, and we invest
significant effort and finances to protect our systems. Our IT office has additional alarm and reaction
systems in place to detect “unusual” access attempts.

Ultimately, it is also the users (practitioners and patients) responsibility to ensure that their own computers
and hardware are suitably secured. Up until the time you have downloaded a report, we can guarantee the
security of the data. At the time you or your patient have made a copy of the test data onto your devices,
we can obviously no longer influence the manner in which you use or distribute this data.

Data Deletion:
A client can instruct that a sample and associated data be destroyed by requesting the same
via support@nordicgroup.eu. Understand that sample data deletion will preclude the possibility to reissue
reports without purchase of a new test.

DNA Sample handling policy and procedures explained:
Upon receipt of DNA samples these are assigned a unique identification code. Processing and analysis is
conducted with only this code as an identifier. No name data is associated to the sample during this phase.
The resulting genetic data is only re-associated with the patient’s identity at a later stage during the report
generation process.

Once DNA is extracted from the sample devices (buccal swab or blood spot), these devices are secured. It
is essential that samples be retained for a variety of reasons. Should an analytical run encounter error or
failure to produce a reliable result for one or more variations, additional sample material will be extracted
from the retained sample. Further, the remote possibility of latent error or defect in a process or with
analytical instruments may not be apparent at the time of initial analysis. Should anomalies or errors be
identified, the retained sample can be accessed to repeat analysis in order to validate results as required to
ensure accuracy or report correction.

Practitioners may also discover the necessity to expand their report requirements beyond the initial reports
ordered for a patient based on health care goals or concerns that may only become apparent after the
initial reports have been reviewed. Retained samples enable the expansion of reports without requirement
for new samples in most cases. This does not preclude the requirement for additional sample material if
insufficient material has remained available.

Physical sample devices and samples are retained for a period of 2 years (dried blood spot) to facilitate the
above scenarios. These physical samples are secured in accordance with ISO regulations and associated
data managed within GDPR protocols. Thereafter samples are destroyed in accordance with ISO protocols.
Buccal swab samples are entirely consumed during analysis and are therefore not retained. Extracted DNA
is retained for a 4-month period as is practically required and similarly destroyed thereafter.