1. Introduction

Pursuant to Section 99d of the Danish Financial Statements Act, the LEO Foundation (“we”, “us”, or “the foundation”) is obliged to supplement the management’s report with an account of our data ethics policy under the “follow-or-explain” principle.

As part of our responsible data management, we have developed this written policy to describe how we organize our data practices and how we act when using data, whether it concerns personal data submitted by grant applicants, data about employees or non-personal data. This policy complements relevant legislation, our internal data policies, and our Code of Conduct.

For us, data ethics concerns the fundamental ethical considerations that influence how data is collected and used. It goes beyond legislative requirements. We recognize that our use of data may create risks not fully addressed by legislation. Legislation may struggle to keep up with technological development and does not always consider all conceivable issues arising in a technological context. There may also be situations where legislation allows a given use of data but we find such use incompatible with our purpose and values.

2. Strategy and objectives

The LEO Foundation’s overall objectives are to ensure the long-term continuation and success of LEO Pharma, and support independent scientific research through philanthropic grants. In pursuing these objectives, we collect and process data to support our strategic ownership, grantmaking, investment activities, communications, and knowledge sharing.

We aim to handle all data with integrity, transparency, and responsibility. Our ethical approach to data management aims to support trust among our stakeholders, including grant applicants, grantees, collaborators, and employees.

3. Ethical data principles

While our use of data and new technology is generally limited, we remain conscious of the risks that data processing can pose. We are committed to detecting and addressing such risks to ensure that our practices remain responsible and aligned with our values. Therefore, we have developed the following principles for how to handle data in an ethical way:

  • Treating people with dignity and fairness: When we process personal data, and especially when we process information about grant applicants, we strive to treat all people with dignity and fairness, ensuring that their submissions are reviewed by people and not merely systems. We also strive to ensure that all of our data-related decisions involve human decision-making based on merit and that they are not biased. We deliberately avoid automated systems that may neglect nuance, context, or fairness.
  • Confidentiality and responsibility: As a foundation handling sensitive information, including data about investments, scientific research, and financial assets, we recognize the need for confidentiality and responsible treatment. We treat all confidential information with care and do not use it for purposes that are not in line with our values and objectives.  
  • Ethical collaboration: We expect our external partners and vendors to uphold similar ethical standards. Our vendor due diligence includes not only legal compliance but also ethical alignment. These expectations are reflected in our Code of Conduct.

4. Data collection and processing

The LEO Foundation primarily collects data through external providers, such as those operating our grant management system. These providers act on our behalf and under formal data processing agreements, which ensure compliance with our instructions and standards.

We collect only the data necessary to fulfill our objectives, and we work to ensure that our partners process data in a way that is consistent with our ethical and operational expectations.

5. Use of technology

In relation to the implementation and use of new technology and IT systems, such as the use of AI systems, the Foundation ensures a high standard of data ethics by applying responsible practices, carefully considering the nature and origin of the data used, and continuously evaluating the ethical implications of system usage.

We do not currently use artificial intelligence, machine learning, or algorithmic decision-making in any part of our application handling. All grant applications are reviewed and assessed by qualified individuals, ensuring that decisions are based on fair, objective, and human judgment.

6. Security and risk management

Data security is a high priority for the LEO Foundation. We maintain safeguards to prevent loss, misuse, or unauthorized access. We collaborate with IT providers to monitor cybersecurity risks and respond swiftly to any identified vulnerabilities.

7. Governance and accountability

Responsibility for this Data Ethics Policy rests with our General Counsel, who ensures alignment with both legal obligations and the Foundation’s values. The General Counsel reports directly to the CEO and conducts internal oversight and reporting.

8. Policy review and approval

The LEO Foundation’s Data Ethics Policy is reviewed on a regular basis to ensure it remains relevant and effective in light of technological developments, legal changes, and evolving best practices.

This policy was approved by management on 1 September 2025.

For further information, see the LEO Foundation’s Code of Conduct and Privacy Policy.