GDPR Manual

The right of access is fundamental to GDPR, enabling data subjects to exercise additional rights including correction, processing restrictions and erasure requests.

Under Article 15 of the GDPR, the controller of the data should make every effort to provide the data subject with the requested information. When nuvoteQ acts as a processor in clinical trials, we notify our clients (the controllers) of subject access requests before taking further action.

This manual facilitates access to records held by nuvoteQ. It is available for inspection at nuvoteQ offices free of charge, and PDF copies are available upon request from the Data Protection Officer.

Under GDPR Article 15, individuals may request copies of their personal information. Requestors include:

• Personal requestors — accessing their own records
• Third-party requestors — with valid consent, meeting procedural compliance, exercising legal rights, and without grounds for refusal

Data Protection Officer: Marina Lazaridis (marina@nuvoteq.io)

Deputy Data Protection Officer: Ricky Haug (ricky@nuvoteq.io)

Physical address: 47 Hazelwood Rd, Hazelwood, Pretoria, 0081, South Africa.

Data Subject — the person to whom personal information relates.

Controller (Joint Controller) — natural or legal person determining purposes and means of personal data processing.

Processor — natural or legal person processing personal data on behalf of a controller.

Personal Information — data identifying living natural persons or legal entities, including race, gender, health status, financial history, identifying numbers, email addresses, biometric data, opinions, correspondence and third-party views. Pseudonymised or de-identified information remains personal information if it is traceable.

Complete the 'Data Subject Access Request Form' (ML-GM-02 v00 TPL-1.0) fully and submit it via email to the Data Protection Officer. Incomplete submissions delay processing.

• Submit the form in writing
• Provide identity proof authenticating the requestor (or proof of third-party identity with consent)
• Use BLOCK LETTER responses
• Mark 'N/A' for inapplicable questions and 'Nil' for questions with nothing to disclose
• Use additional pages with question titles for insufficient space
• Attach supporting documents as applicable

We decide within one (1) month of receipt whether to grant or decline a request and provide written notice with reasons if required. The one-month period may extend by up to a further two months considering complexity and volume — you will be notified of any extension in writing.

Successful requests specify the access format. Unsuccessful requests explain the refusal and your rights to file a complaint with the supervisory authority.

When nuvoteQ is acting as a processor (not the controller), our response to the controller will precede the one-month deadline so the controller can meet their own obligations.

Use the 'Correction, Restriction of Processing or Erasure Request Form' (ML-GM-02 v00 TPL-2.0). Submission requirements mirror the access request process.

We action requests within one month of receipt, with extensions possible for complex or high-volume requests. Successful requests confirm the action taken. Unsuccessful requests explain the refusal and your right to lodge a complaint.

When nuvoteQ is not the controller, we notify the client (controller) in writing of:

• Legally binding disclosure requests from law enforcement (unless confidentiality preservation is necessary)
• Accidental or unauthorised access
• Direct data subject requests — without responding directly

The Data Protection Officer confirms identity and matches records carefully to prevent any cross-contamination when sharing, correcting, restricting or erasing records. The Deputy DPO performs documented quality review before decision notices are issued.

When records cannot be located or do not exist, requestors receive a notification by affidavit or affirmation detailing the steps undertaken to locate the records.

If you believe your GDPR rights have been infringed, you have the right to lodge a complaint with the relevant EU data protection supervisory authority in your member state, in addition to any other administrative or judicial remedy.