Data Subject Rights Policy GDPR

1. ABOUT THESE PROCEDURES

1.1 Akums Drugs & Pharmaceuticals Ltd. (“we”, “our”, “us”, “the Company”) needs to comply with various laws and regulations in relation to the handling of Personal Data (as defined below).

1.2 As we operate across a number of countries, these laws can include both Indian and laws of other countries.

1.3 When we handle Personal Data of individuals in the United Kingdom, we will need to comply with the UK General Data Protection Regulation (UK GDPR). Similar rules will apply where we handle Personal Data of individuals within the European Economic Area.

1.4 Under UK and EU laws, Data Subjects have certain rights in respect of their Personal Data. When we Process Data Subjects' Personal Data, we shall respect those rights. This policy applies to all staff, and to all Personal Data and Special Category Personal Data held by us. These procedures provide a framework for responding to requests to exercise those rights. It is our policy to ensure that requests by Data Subjects covered by these procedures to exercise their rights in respect of their Personal Data are handled in accordance with applicable law.

1.5 Failure to comply with these procedures could lead us to be in breach of applicable law which could expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business.

1.6 For the purposes of these procedures, "Personal Data" means any information relating to an identified or identifiable Data Subject. An identifiable “Data Subject” is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier. "Processing" and “Process” means any operation or set of operations that is performed on Personal Data, such as collection, use, storage, dissemination and destruction.

1.7 These procedures only apply to Data Subjects whose Personal Data we Process (although if we receive an access request from someone whose Personal Data we do not Process, we should confirm to them that we do not Process their Personal Data; see paragraph ‎3.1).

2. GENERAL REQUIREMENTS, RECORD KEEPING AND WHERE TO GET FURTHER INFORMATION AND ADVICE

• 2.1 It is important that we keep accurate records of requests that we receive and how we handle them.
• 2.2 Requests can be made to any part of our organisation and in any form, including verbally, via email, social media or other method. It is the responsibility of all of us to recognise requests and to ensure that they are properly handled. We have designated the Data Protection Officer as responsible for handling requests and all employees are responsible for following the guidelines and instructions of the Data Protection Officer.
• 2.3 When determining whether we hold Personal Data, we should document what searches we have carried out. It may be helpful to refer to our Data Retention Policy and Data Handling Policy. We should also locate any privacy notice that applies to that Data Subject to assist with responding to the Data Subject.
• 2.4 When responding to requests, we must communicate in a concise, transparent, intelligible and easily accessible form, and use clear and plain language. We should generally communicate in writing (which can include email) but we can reply verbally if specifically requested by the Data Subject. We must be satisfied with the identity of the Data Subject.
• 2.5 With any request, it is necessary to identify the laws that apply to that Data Subject's request as this will be important to determine how to respond. If the request does not need to be complied with, this should be carefully explained to the Data Subject.
• 2.6 Any questions about Data Subject rights or these procedures relevant to your department or function should be raised with your department lead.

3. RESPONDING TO REQUESTS TO ACCESS PERSONAL DATA

3.1 Data Subjects have the right to request access to their Personal Data Processed by us under the laws of certain jurisdictions (UK and EU). These requests are called subject access requests (SARs). When a Data Subject makes a SAR, we shall take the following steps:

• Log the date on which the request was received (to ensure that the relevant timeframe of one month for responding to the request is met).
• Confirm the identity of the Data Subject who is the subject of the Personal Data. Additional information may be requested.
• Search databases, systems, applications, and other places where the Personal Data may be held.
• Confirm to the Data Subject whether or not Personal Data of the Data Subject making the SAR is being Processed.

3.2 If Personal Data is being Processed, we shall provide the Data Subject with information including:

• The purposes of the Processing.
• The categories of Personal Data concerned.
• The recipients or categories of recipient to whom the Personal Data has been or will be disclosed.
• The envisaged period for which the Personal Data will be stored, or criteria used to determine that period.
• The existence of the right to request rectification, erasure, restriction, or objection.
• The right to lodge a complaint with the ICO or other relevant regulator.
• Where the Personal Data is not collected from the Data Subject, any available information as to its source.
• The existence of automated decision-making and its consequences.
• Details of safeguards for Personal Data transferred outside the UK or EU.

3.3 We shall also, unless exempt, provide a copy of the Personal Data in a commonly used electronic form within one month of receipt of the request. Extensions may be applied for complex requests.

4. RESPONDING TO REQUESTS TO RECTIFY PERSONAL DATA

4.1 Data Subjects have the right to have inaccurate or incomplete Personal Data rectified without undue delay.

4.2 Rectification shall be communicated to recipients of the Personal Data, unless impossible or disproportionate.

5. RESPONDING TO REQUESTS FOR THE ERASURE OF PERSONAL DATA

5.1 Data Subjects can request erasure of Personal Data in certain circumstances, such as withdrawal of consent, unlawful Processing, or legal obligations.

• Log the request date.
• Confirm the Data Subject's identity.
• Search and erase the data within one month (extension possible).
• Inform public processors if applicable.
• Communicate erasure to recipients unless disproportionate.

6. RESPONDING TO REQUESTS TO RESTRICT THE PROCESSING OF PERSONAL DATA

6.1 Data Subjects may request restriction in circumstances such as contesting accuracy, unlawful Processing, or objection pending verification of legitimate grounds.

7. RESPONDING TO REQUESTS FOR THE PORTABILITY OF PERSONAL DATA

7.1 Data Subjects can receive their Personal Data in a structured, machine-readable format to transfer to another company, where Processing is based on consent or contract.

8. RESPONDING TO OBJECTIONS TO THE PROCESSING OF PERSONAL DATA

8.1 Data Subjects can object to Processing on certain lawful grounds. Direct marketing objections must be honored immediately.

9. RESPONDING TO REQUESTS NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING

9.1 Data Subjects can request not to be subject to decisions based solely on automated Processing if legally or significantly impactful.

10. EXEMPTIONS

10.1 Check whether exemptions apply before responding. Exemptions may include national security, crime prevention, immigration control, legal proceedings, research, statistics, health, and child protection.

Date of procedures: September, 2025