ESG Report 2025
5.4.3 Privacy Protection and Personal Information Management

The United Laboratories regards privacy rights and interests as a core component of its human rights protection framework. Based on internal policies such as the “Privacy Policy of The United Laboratories International Holdings Limited” and the “Personal Information Security and Privacy Protection Policy”, it has established a privacy protection mechanism covering the full process of pharmaceutical R&D, clinical trials, production and operations.

In the collection of personal information, the Group strictly follows four basic principles: lawfulness and legitimacy, minimum necessity, informed consent and purpose limitation. Before collection, the information subject is informed in a clear and understandable manner of the purpose, method, scope, retention period, sharing arrangements and rights involved, and explicit consent is obtained.

According to the type of personal information subject and the processing scenario, the Group has established a classified management mechanism and applies differentiated controls to different categories of information, as summarised below:

| Information Category | Main Content | Responsible Department | Retention Period | Key Controls |
|---|---|---|---|---|
| Patient personal information | Basic information; Medical history; Medication history | Marketing Department of the Finished Product Marketing Centre | Twenty years after upload; supervised destruction upon expiry | Confidentiality agreements; Access approval; Dedicated management |
| Trial subject personal information | Identity information; Clinical trial data | Clinical Research Centre | Five years after trial termination | Ethics review; Informed consent; Anonymisation |
| Employee personal information | Basic information; Personnel files; Compensation and benefits | Human resources departments of each company | Retained during employment and after departure in accordance with regulations | Internal policy controls; Access segregation |
| Business partner personal information | Basic contact information | Each business department | Handled during the cooperation period and after expiry in accordance with agreements | Collection limited to the minimum necessary; Confidentiality agreements |

In terms of technical protection, the Group has established a multi-layered network and system security protection system. By deploying technological tools such as firewalls, intrusion detection and vulnerability scanning, it conducts routine security monitoring and early warning for servers and endpoint devices, and coordinates with original equipment manufacturers' managed security services to achieve round-the-clock system security assurance.

For data security, the Group implements end-to-end document encryption to ensure the confidentiality and integrity of data during storage and transmission. It has also established a comprehensive data backup and disaster recovery system, using multiple backup strategies and conducting recovery tests on a regular basis to ensure that business operations can be restored promptly in the event of system failures or emergencies. In response to the risk of equipment damage or data loss arising from sudden power outages, the Group has formulated “Emergency Operation Procedures for Power Outage of Server Rooms”, which set out detailed emergency steps and are supported by regular planned power outage drills.

For access control, the Group implements a unique account and password system on a “one-person-one-account” basis. All personnel log into systems through their own dedicated accounts. Access rights are granted according to job responsibilities under the principle of minimum necessary access, and data under different accounts are segregated among departments and individuals, preventing cross-account access. Where cross-account access is genuinely required for work, written authorisation from the account holder and approval by the compliance department are required.
The Group also enforces a strict password policy, requiring complex passwords with a maximum validity period of 90 days, after which log-in is blocked until a change is made. At the same time, the Group regularly screens and clears the accounts of departed and temporary personnel, disabling accounts immediately upon departure and completing account cancellation within 10 working days to prevent malicious access.

The United Laboratories International Holdings Limited 2025 Environmental, Social and Governance Report
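The access-control and account-lifecycle rules above (one-person-one-account, 90-day maximum password validity, immediate disabling on departure, cancellation within 10 working days, and dual authorisation for cross-account access) are the kind of policy an identity team checks periodically against an account inventory. The script below is an added illustration written for this page, not a tool or code from The United Laboratories; the account records are constructed sample data, the `add_business_days` helper assumes working days are Monday to Friday and ignores public holidays, and the function and field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from the policy text on this page.
MAX_PASSWORD_AGE_DAYS = 90            # maximum password validity period
CANCELLATION_DEADLINE_WORKING_DAYS = 10  # account cancellation after departure


@dataclass
class Account:
    """One entry of a (constructed) account inventory export."""
    user_id: str
    enabled: bool
    cancelled: bool
    password_set_on: date
    departure_date: Optional[date] = None  # None: still employed / engaged
    temporary: bool = False


@dataclass
class CrossAccountRequest:
    """A request by one person to access another person's account."""
    requester: str
    target_account: str
    holder_written_authorisation: bool
    compliance_approved: bool


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n working days (Mon-Fri; holidays ignored, an assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def password_expired(acct: Account, today: date) -> bool:
    """True when the password is older than the 90-day maximum validity."""
    return (today - acct.password_set_on).days > MAX_PASSWORD_AGE_DAYS


def cross_account_access_permitted(req: CrossAccountRequest) -> bool:
    """Cross-account access needs BOTH the holder's written authorisation
    and compliance-department approval; either one alone is not enough."""
    if req.requester == req.target_account:
        return True  # own account: not a cross-account access at all
    return req.holder_written_authorisation and req.compliance_approved


def audit_accounts(accounts: list, today: date) -> list:
    """Return (user_id, reason) findings for every policy violation found."""
    findings = []
    for a in accounts:
        # Rule 1: an enabled account whose password is past 90 days must be
        # blocked from logging in until the password is changed.
        if a.enabled and password_expired(a, today):
            findings.append((a.user_id, "password older than 90 days; block login until changed"))

        # Rules 2 and 3 apply only to personnel who have already departed.
        if a.departure_date is not None and a.departure_date <= today:
            if a.enabled:
                findings.append((a.user_id, "departed user still enabled; disable immediately"))
            deadline = add_business_days(a.departure_date, CANCELLATION_DEADLINE_WORKING_DAYS)
            if not a.cancelled and today > deadline:
                findings.append((a.user_id, f"account not cancelled within 10 working days (deadline {deadline})"))
    return findings


def sample_findings() -> list:
    """Run the audit over a constructed inventory as of Monday 2025-06-30."""
    today = date(2025, 6, 30)
    inventory = [
        Account("alice", True, False, date(2025, 5, 1)),                       # compliant
        Account("bob", True, False, date(2025, 3, 1)),                         # 121-day-old password
        Account("carol", True, False, date(2025, 5, 15), date(2025, 6, 27)),   # left Friday, still enabled
        Account("dave", False, False, date(2025, 5, 1), date(2025, 6, 2), True),  # temp, disabled, never cancelled
    ]
    return audit_accounts(inventory, today)


if __name__ == "__main__":
    for user, reason in sample_findings():
        print(f"{user}: {reason}")
```

Running the script reports bob (expired password), carol (departed but enabled) and dave (disabled on departure, but the 10-working-day cancellation deadline of 2025-06-16 has passed). Carol's cancellation deadline is 2025-07-11, so she is not yet reported for that rule; the working-day calculation is the detail most often done wrong in such checks, which is why it is a separate helper.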