By using our data protection contact form you can request information regarding the processing of your personal data including but not limited to the origin and recipients of your data and the purposes of the processing. You can also request to have access to your data or to object to the processing of your data. If your personal data are incorrect, incomplete or not processed in compliance with applicable law, you have the right to have this data rectified, deleted or blocked. Furthermore, you can in certain cases, also ask to directly transfer them to another organization (data portability).
Binding Corporate Rules
To consistently regulate the way in which personal data is handled or processed among the group companies of the business segments Fresenius Kabi (Fresenius Kabi AG and its affiliated companies) and Fresenius Corporate, we adopted Binding Corporate Rules (BCR). These BCR are approved by the European data protection authorities.
BCR are internal rules for data processing within multinational organizations and, together with the associated security policies and procedures, aim to create a globally uniform and adequate level of data protection for the participating companies.
Commitment to a common standard for the processing of personal data and to an effective approach to data protection compliance reinforces our commitment to protect your privacy at the global and local level.
In case you are interested in our Binding Corporate Rules, please have a look at the document or the summary below:
An adequate and uniform level of data protection
Fresenius needs to follow many data protection laws around the world. The Binding Corporate Rules (BCR) set a uniform and adequate level of data protection. This enables the internal exchange of personal data between the Fresenius entities in scope.
Applicable around the world
The BCR apply to the following Fresenius entities:
- Fresenius Kabi AG including all subsidiaries / affiliates
- Fresenius Digital Technology GmbH
- Fresenius SE & Co. KGaA
Applicable for certain activities
The BCR apply to the following Personal data processing activities:
- All activities by European entities.
- Activities of non-European entities:
  - When they collect personal data on behalf of a European Fresenius entity, or
  - When they collaborate with a European Fresenius entity, or
  - When they receive personal data from European entities, or
  - When they collect personal data from people located in Europe in connection with the offering of goods and services or the monitoring of behaviour.
BCR apply to both paper based and IT based processes.
The BCR apply to all processes that allow structured search for personal data.
BCR sets the minimum level
If any local data protection laws require stricter or additional rules on processing of personal data, these need to be observed additionally.
If a local law contradicts the BCR, the Data Protection Officer (DPO) needs to be informed. The DPO will assess the impact and resolve the conflict.
If an entity receives an order of an authority to disclose personal data that is not in line with the BCR requirements, the DPO needs to be informed. The DPO will inform the supervisory authority in Germany.
The BCR are binding on the organisation and our employees
The BCR must be observed and are binding on:
- All entities: they sign a contract
- All employees: they have the duty to follow corporate policies based on their employment contract.
Organisations and individuals can derive rights from these obligations.
The enforcement of the BCR and potential sanctions because of violations are the same as any other policy violation.
Fresenius Group established an internal data protection organization, and assigned the following roles and responsibilities:
- The Data Protection Officer (DPO) monitors, i.e. checks and oversees if the BCRs, local laws, rules and processes are followed. The DPO can perform audits, reviews and investigations. The DPO is also the point of contact for the data protection authorities in Europe. Contact details are:
Data Protection Officer:
Else-Kröner-Str. 1
61352 Bad Homburg v.d.H.
Germany
Or by email:
For Fresenius SE and Netcare: dataprotectionofficer@fresenius.com
For Fresenius Kabi entities: dataprotectionofficer@fresenius-kabi.com
- The Local Data Protection Advisor (LDPA) helps and advises local employees as well as process owners whenever they have questions or concerns related to data protection. Where necessary, the LDPA supports the DPA and the DPO on request, e.g. in their monitoring function and in their contact with supervisory authorities (for example, where language issues arise).
- The Data Protection Advisor (DPA) provides supporting and consulting tasks for the LDPAs and is responsible for the data protection management system. Where necessary, the DPA supports the DPO on request, e.g. in its monitoring function and in its contact with supervisory authorities (for example, where language issues arise).
When processing personal data, we will follow several principles to protect the fundamental rights and freedoms of individuals in accordance with the BCR. Each entity must comply with the following principles when processing personal data:
Principle 1: Lawfulness
Have a documented legal basis when collecting, using and processing personal data. These legal bases are exhaustively listed. Examples are:
- The processing is necessary for the performance of a contract with the individual, such as employee contracts and sales contracts
- The individual has given consent
- The legitimate interests of Fresenius outweigh the negative consequences for the individuals
- The need to fulfil other legal obligations, such as tax laws, vigilance requirements or GxP requirements.
Special categories of data, such as health data, need additional legal grounds.
If local laws require additional or divergent provisions, these must also be followed (this might for example be relevant for employee data).
Principle 2: Transparency and Fairness
Handle personal data fairly and in a transparent manner. Inform individuals before or at the moment of collecting and using the personal data about:
- Who is responsible and how we can be contacted
- What data is collected
- How the data is collected
- Why we need the data (purpose)
- With what organisations the data is shared
- If it is shared with other countries
- How long the data will be stored
- The legal basis for collecting and using data and an explanation of that (principle 1)
- If the individuals are profiled
- If we make any decisions by automated means
- If the data must be provided and what happens if that is not done
- The contact details of the DPO and the authority
- The rights that the individuals have.
All this information must be provided in a comprehensible and easily accessible form, using clear and plain language.
Principle 3: Purpose Limitation
Only use personal data for the specified, explicit and legitimate purposes for which it is collected. Further use is not allowed, unless this further use is in line with the original purpose and/or additional measures are taken.
Purposes for further processing which are generally deemed in line with the original purpose are:
- Archiving
- Internal audit
- Investigations.
The (L)DPA will be able to provide guidance if a change of purpose might be permitted. In case of a permitted change of purpose, individuals must be informed of any such changes.
Principle 4: Data minimization
Only collect and use personal data that is necessary for the defined purpose as communicated to the individual. That means to ensure that personal data is relevant and not excessive in light of the purpose.
Principle 5: Accuracy
Keep personal data accurate and up-to-date. Procedures must be implemented to ensure that inaccurate data is deleted, corrected or updated without delay.
Principle 6: Storage Limitation
Do not keep personal data longer than necessary for the purpose it has been collected for, unless retention is required by law. In such a case, access to it must be restricted. Delete or anonymise personal data once there is no longer a legal reason or purpose for keeping it.
Principle 7: Security, Integrity and Confidentiality
Take appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, unauthorised disclosure or unauthorised access (e.g. through an appropriate roles & rights concept, backup and restore, or by using encryption).
When implementing such measures, the risks to the individual must be considered. The security of IT systems must be assessed in light of these risks when installing and maintaining IT systems.
Document any breach of security that is likely to result in a risk for the affected individuals and report it to the data protection organization. Depending on the situation, such breaches must also be notified to the supervisory authority, the individuals or other organisations.
Principle 8: Accountability
Be able to demonstrate compliance with the BCR. This is done by creating and maintaining appropriate documentation such as:
- records of processing activities
- technical and organizational measures taken to comply with the data protection principles and to address the risks.
- data protection risk and control assessments
Engagement of Processors
Only engage processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the BCR and local data protection laws. This must be ensured by a data protection contract between the respective entity and the processor.
(Onward) Transfers of personal data
Implement measures to adequately safeguard transfers of personal data to other organisations situated outside of the EEA in compliance with these BCR. This could be done by agreeing standard contractual clauses as adopted by the European Commission with the other organisation.
Data protection risk assessment
For every data processing activity, a data protection risk assessment needs to be carried out. This assessment is a formal process to assess the impact of the activity on the rights and freedom of the respective concerned data subjects.
The identified control gaps and potential risks must be reported and documented. Mitigating technical and organizational measures must be implemented before the data processing activity is started.
Data protection impact assessments
If the result of the data protection risk assessment is a high risk, a Data Protection Impact Assessment (DPIA) needs to be carried out. The advice of the DPO will be sought.
Where a DPIA identifies a high risk for a specific data processing activity, adequate measures to mitigate such risks must be implemented prior to the start of the processing activity. If the DPIA still indicates a high risk after the implementation of the measures, the concerned supervisory authority must be consulted before the data is processed.
Individuals must be enabled to exercise their rights (data subject rights):
- Right to access personal data: The individual can ask to access/receive information about individual personal data processed by Fresenius (e.g. the purpose of processing, the categories of personal data concerned, the recipients, storage periods, any existence of automated decision-making).
- Right to rectify personal data: The individual can ask to correct inaccurate or incomplete personal data.
- Right to erase personal data: The individual can ask to delete his/her personal data unless it must be maintained e.g. due to legal retention requirements.
- Right to restrict processing of personal data: The individual can ask to restrict the processing of his/her personal data if the accuracy of the personal data is contested, if the processing is unlawful, or if the data are no longer required for the purposes pursued.
- Right to receive personal data in a portable format: The individual can ask to receive their personal data in a commonly used and machine-readable format, if the following conditions are met:
  - Personal data have been provided by the individual
  - The processing is based on the individual’s consent or on a contract with the individual
  - The processing is carried out by automated means.
- Right to object to the processing of personal data: The individual can, due to his or her personal situation, object to processing of his or her personal data based on legitimate or public interest. Such request must be assessed. Further the individual can object to direct marketing and profiling. The processing must then stop.
- Right not to be subject to automated decision making: The individual has the right not to be subject to automated decision making (incl. profiling) which could lead to legal or similarly significant effects on the individual, unless:
  - It is necessary for entering into or performance of a contract between the individual and the respective entity
  - It is based on the individual’s explicit consent.
Access to BCR
The BCR must be available for individuals in an appropriate manner. The BCR will be published on the internet and intranet.
Individuals can also access the BCR by contacting the respective DPO or any member of the data protection organization.
BCR complaint handling
Each individual is entitled to:
- Claim a violation of the BCR, local data protection laws, orders by supervisory authorities, internal policies and guidelines, or voluntary self-commitments related to data protection
- Assert their individual rights
- Enforce any other right under the BCR.
Any such complaints can be submitted by phone, by email or letter, or orally by approaching the respective DPO, the respective (L)DPA or the compliance hotline.
In case the complaint is considered justified, the entity will take adequate action(s) to address the complaint and inform the individual accordingly within one month.
Liability and Enforcement
Individuals who are affected by or have suffered damages as a result of the processing of their respective personal data, are entitled to enforce these parts of the BCR and if applicable to receive compensation before a competent court.
In case of proven violations by parties established outside the EU/EEA, FSE accepts responsibility and liability for any damages towards the individuals. The entity that caused the damage shall provide reasonable assistance to FSE to respond to such complaints or requests in a timely manner.
Cooperation with Supervisory Authorities
Each entity is required to cooperate with the supervisory authorities, to comply with advice concerning the interpretation of these BCR and to accept being audited by the concerned supervisory authorities.
Training
Each entity will enrol and oblige their employees to participate in a training on the BCR and data protection and to regularly repeat such training. General training must be provided at least bi-annually to all relevant employees. Furthermore, role specific training (e.g. for HR or procurement departments) is provided considering the specific needs of certain roles/persons.
Auditing
All parties will commit to be regularly audited (through planned or ad hoc audits) to evaluate and test compliance with the BCR and implement adequate and sufficient mechanisms to remedy non-compliance of an entity with the BCR. The data protection organization will follow up on any conducted audit to assess whether proposed corrective actions have been appropriately implemented and document any outcomes in the audit report. Each entity will make audit reports available to supervisory authorities upon request.
Update of BCR
Parties will review local data protection laws and indicate if changes to BCR are necessary. Fresenius can amend the BCR if needed. Any significant changes to the BCR will promptly be reported to each entity and to the supervisory authority. Any other non-substantive amendments to the BCR will be reported to the parties as soon as practicable.
We collect and use your data for the following purposes:
- Execute the contract with you, including payment transfers
- Maintain a database of HCPs with whom we already collaborated and/or may collaborate in the future
- Contact management and communicating with you
- Assess and categorize which specific business needs match best with your abilities (e.g. when we look for a key opinion leader in a certain field or for specific products, or the extent to which you belong to the group of scientific input providers, based on scientific or professional experience)
- Best practice sharing
- Fulfillment of our compliance requirements, such as those stemming from anti-corruption laws, anti-money laundering laws and other laws on economic crime, regulatory and pharmacovigilance and medicines laws, as well as disclosure requirements resulting from applicable laws and self-regulatory codes of conduct as a result of our membership in trade associations
We may collect and use your personal data in the following situations:
Information you provide to us
We collect your personal data depending on the different types of interaction you have with us. Such personal data includes:
- First and last name
- Gender
- Contact and address information, including address, e-mail address, phone number, fax number
- Country of residence
- Curriculum vitae information, including information on your professional experience, your engagement with us and other companies, events you attended, publications
- Pictures of you
- Audio-visual recordings of your voice, appearance and statements, if a presentation of yours is recorded
- Your areas of expertise and your areas of professional interest as an HCP
- Information on payments made and benefits granted to you
- Your bank account number
- Your tax identification number
- Contract entered between you and us
- Payments made, or benefits granted to you
Information we collect from publicly available sources
Before we enter in an interaction with you, we may collect information about you and your professional experience from publicly available sources, such as the internet, social media platforms, sanction lists and other online and print publications.
Such data includes:
- First and last name
- Curriculum vitae information, including information on your professional experience, your engagement with other companies, events you attended, publications etc.
- Business address
- Pictures and audio-visual recordings of you
Depending on the business contact we have with you and the purposes for which we collect and use your data, we process your personal data on one or more of the following legal bases:
- The processing of your personal data is necessary for the performance of a contract (to be) concluded between you and us (Art. 6.1 b, GDPR)
- The processing of your personal data is necessary for us in order to comply with a legal obligation we are subject to (Art. 6.1 c GDPR). More specifically, we are obliged to comply with national and, if applicable, international laws and regulations relating to the fight against corruption, anti-money laundering, anti-terrorism financing and other economic crime. We have to assess the appropriateness of the remuneration and other payments made and other support granted to you, and we are subject to certain documentation, publication and reporting obligations. We can therefore be obliged to disclose the remuneration paid or other support in kind provided to you as a speaker or other service provider to your employer or to competent regulatory authorities, criminal prosecutors and other recipients responsible for the implementation of transparency rules upon request, or to make such payments and in-kind support publicly available. This includes particularly documentation, disclosure and reporting obligations in connection with medicines, medical devices and healthcare regulations, transparency laws, laws on anti-money laundering and self-regulatory regimes such as industry and patient codes.
- The processing is necessary for purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6.1 f, GDPR). These legitimate interests are:
- Maintenance of a database that contains all HCPs with whom we already collaborated or may collaborate in the future, to manage the interactions with you and other HCPs
- Establishment, exercise or defense of legal claims
- You have given us your consent for the intended processing of your personal data (Art. 6.1 a GDPR)
You can withdraw your consent at any time. You can withdraw your consent to all processing or for individual purposes of your choice. The withdrawal of consent will not affect the lawfulness of processing based on your consent before the withdrawal. You can withdraw your consent by sending an email to the Local Data Privacy Advisor.
We collaborate with other organizations to achieve our purposes. Therefore, we may send your personal data in parts or as a whole to other organizations.
This applies particularly to payment and other financial data and contract data that will be accessible only to a very limited number of recipients who have a need to know the data for the fulfillment of their tasks, subject to any disclosure obligations.
Such recipients are:
- Other Fresenius Group companies, if such a transfer of personal data is required for the specific purpose or if they may be interested in working with you.
- Service providers which process personal data on our behalf (e.g. for hosting or maintenance services) and have to follow our instructions on such processing; these service providers will not be allowed to use your personal data for other than our purposes
- Competent regulatory authorities, criminal prosecutors and other recipients responsible for the implementation of transparency rules as well as criminal laws and administrative laws
- Authorities, courts, parties in a litigation to the extent required to meet any applicable law, regulation, legal process or enforceable governmental request
- The general public, to the extent we are obliged to publicly disclose payments made to you and other benefits provided to you, e.g. meals, travel and lodging as well as other hospitality. Where there is no statutory legal basis for public disclosure including the identity of the recipient, you may choose to withhold your consent to such disclosure, and we would then disclose the payments and benefits on an anonymous aggregated basis
- Professional advisors or auditors, such as tax advisors, financial auditors, lawyers, insurers, banks and other external professional advisors in the countries in which we operate
International data transfers
We may send your personal data in parts or as a whole to Fresenius Group recipients, our service providers or other international organizations in countries which are not member states of the European Union, for the purposes listed above.
We may send data to the following countries, for which the European Commission has determined that an adequate level of data protection is in place matching the level of data protection within the European Union: Argentina, Canada, Japan, New Zealand, Switzerland or Uruguay.
With regards to such international data transfers to third countries, for which the European Commission has not decided that an adequate level of data protection exists, we have provided appropriate safeguards in order to secure your personal data to a degree that equals the level of data protection in the European Union.
Safeguards used are:
- For the exchange of data within our company: our Binding Corporate Rules for Controllers
- For the exchange of data with our service providers and other international organizations: Standard Contractual Clauses that have been issued by the European Commission
You can obtain a copy of these Standard Contractual Clauses and our Binding Corporate Rules online, or upon request.
The personal data related to your interactions with us will be deleted ten years after the completion of the last interaction with you, unless we are legally required to retain the data.
Depending on the situation you have certain rights regarding your personal data. You have the right to:
- Request access to your personal data
- Request rectification of your personal data
- Request erasure of your personal data
- Request the restriction of processing of your personal data
- Data portability
- Object on grounds specific to your situation
You can exercise these rights online by using the data protection contact form.
Requirements to provide personal data
Your personal data is required to make the website accessible to you and to be able to follow up on your inquiry.
If you do not provide your personal data, the website will not work, and we may not be able to respond to or properly process your request.
Changes to this data protection statement
As our collection and use of your data may change over time, we may also modify this data protection statement to always correctly reflect our data processing practices. We encourage you to review it from time to time.
The controller and responsible entity for processing of personal data is:
Echelon Institutional Area
Plot No-11, Sector - 32
Gurgaon
Pin code - 122001
Haryana, India