Our security team is responsible for information security, global security auditing and compliance, and for defining the security controls that protect Fresenius Kabi's hardware and infrastructure. The team receives information system security notifications on a regular basis and distributes security alerts and advisories to the organization.
Information Security at Fresenius Kabi
At Fresenius Kabi, we know information security is important to our customers, patients, and business partners. We are committed to maintaining information security through responsible management, appropriate use, and protection in accordance with legal and regulatory requirements.
We have adopted an Information Security Capability Model, which is complemented by further security measures based on industry best practices. This allows us to maintain a holistic approach to security compliance. Periodic maturity assessments of our security capabilities are conducted, and the results are reported to Fresenius Kabi management.
We are developing a set of rules aligned with the Fresenius Group baseline requirements, a Group-wide internal control catalog that follows industry best practices.
Fresenius Kabi has implemented a formal internal audit program to verify compliance with our internal policies and with relevant cybersecurity laws and regulations.
We have established a process for classifying data to apply appropriate security measures to protect the data of our customers, patients, and business partners.
We encrypt sensitive data in transit and at rest where possible and practical.
We have established access management requirements for granting, managing, and revoking user access. Role-based access controls govern access to Fresenius Kabi information systems.
Access to sensitive data in our databases, systems, and environments is granted on a need-to-know basis, and permissions follow the principle of least privilege.
Users of information systems are given unique user accounts and passwords; password requirements are defined and enforced.
We restrict administrator privileges to dedicated administrator accounts.
Virtual private network (VPN) software is provided to our users to enable secure, internet-based remote access to key systems. We also require multi-factor authentication for remote network access.
We strive to apply the latest security patches and updates to operating systems, endpoints, and network infrastructure to mitigate exposure to vulnerabilities.
A patch management process is in place to implement security patch updates as they are released by vendors.
We perform periodic security scans of externally exposed and internal assets.
We have a formalized incident response plan and associated procedures that are triggered in case of a security incident. The incident response plan defines the responsibilities of key personnel and identifies processes and procedures for notification and escalation. Incident response personnel are trained, and execution of the incident response plan is tested periodically.
We follow the SANS Incident Response Process, an industry-standard framework, to prepare for, identify, prevent, detect, and respond to security incidents. We are supported in this by the Fresenius Cybersecurity Emergency Response Team (CERT).
Our endpoints run a centrally managed antivirus solution, which ensures that the latest virus definitions are always available on every endpoint and that consistent security policies are enforced across all of them.
All laptops are full-disk encrypted, with the encryption keys managed in a security vault.
We have configured automatic session locking on enterprise assets after a defined period of inactivity.
Mobile devices are subject to a mobile device management system and access is only permitted from devices configured in accordance with our security policy. This security policy requires a code to be entered to access the device and allows remote erasure if it is reported lost or stolen.
We perform traffic filtering between network segments.
Only Fresenius Kabi managed wireless networks are permitted within our environment. Wireless access security controls include segregation of corporate and guest access and rotation of wireless keys.
We have deployed a URL filtering solution, with regularly updated filter lists, that blocks access to inappropriate websites from our network.
Our email gateways filter malicious traffic and phishing attempts so that only legitimate communications reach our users.
Application and infrastructure systems logs are stored for troubleshooting, security reviews, and analysis by authorized personnel. Logs are preserved in accordance with regulatory requirements.
We have implemented centralized security event alerting across enterprise assets for log correlation and analysis, using a log analytics platform configured with security-relevant correlation alerts.
Fresenius Kabi employees are required to complete cybersecurity awareness training. We present cybersecurity in a variety of formats to make the topic easy to understand. Our slogan is "Cybersecurity is a team sport", and in this spirit we run regular awareness campaigns, news articles and blog posts on security topics to encourage every employee to take an active part in the defense of our company.
Alongside our security awareness program, every person with access to our IT systems receives quarterly phishing simulation tests. These campaigns reinforce awareness by increasing everyone's knowledge of, and vigilance against, phishing emails.
Physical access controls are implemented at our offices. Controls include building security and secured access to Fresenius Kabi premises. Proximity card access is required to enter Fresenius Kabi offices and production plants. There are defined procedures for visitor access control, requiring all visitors to report to reception.
If you have any further questions about information security at Fresenius Kabi, we will be happy to answer your questions on this important topic at any time. You can reach us at Infosec@Fresenius-kabi.com.
We collect and use your data for the following purposes:
- Execute the contract with you, including payment transfers
- Maintain a database of HCPs with whom we already collaborated and/or may collaborate in the future
- Contact management and communicating with you
- Assess and categorize which specific business needs best match your abilities (e.g. when we look for a key opinion leader in a certain field or for specific products, or to determine the extent to which you belong to the group of scientific input providers, based on your scientific or professional experience)
- Best practice sharing
- Fulfillment of our compliance requirements, such as those stemming from anti-corruption laws, anti-money laundering laws and other laws on economic crime, regulatory and pharmacovigilance and medicines laws, as well as disclosure requirements resulting from applicable laws and self-regulatory codes of conduct as a result of our membership in trade associations
We may collect and use your personal data in the following situations:
Information you provide to us
We collect your personal data depending on the different types of interaction you have with us. Such personal data includes:
- First and last name
- Gender
- Contact and address information, including address, e-mail address, phone number, fax number
- Country of residence
- Curriculum vitae information, including information on your professional experience, your engagement with us and other companies, events you attended, publications
- Pictures of you
- Audio-visual recordings of your voice, appearance and statements, if a presentation of yours is recorded
- Your areas of expertise and your areas of professional interest as an HCP
- Information on payments made and benefits granted to you
- Your bank account number
- Your tax identification number
- Contract entered between you and us
Information we collect from publicly available sources
Before we enter into an interaction with you, we may collect information about you and your professional experience from publicly available sources, such as the internet, social media platforms, sanction lists and other online and print publications.
Such data includes:
- First and last name
- Curriculum vitae information, including information on your professional experience, your engagement with other companies, events you attended, publications etc.
- Business address
- Pictures and audio-visual recordings of you
Depending on the business contact we have with you and the purposes we collect and use your data, we process your personal data on one or more of the following legal bases:
- The processing of your personal data is necessary for the performance of a contract (to be) concluded between you and us (Art. 6.1 b GDPR)
- The processing of your personal data is necessary for us to comply with a legal obligation to which we are subject (Art. 6.1 c GDPR). More specifically, we are obliged to comply with national and, where applicable, international laws and regulations relating to the fight against corruption, money laundering, terrorism financing and other economic crime. We have to assess the appropriateness of the remuneration, other payments and other support granted to you, and we are subject to certain documentation, publication and reporting obligations. We can therefore be obliged, upon request, to disclose the remuneration paid or other support in kind provided to you as a speaker or other service provider to your employer, to competent regulatory authorities, criminal prosecutors and other recipients responsible for implementing transparency rules, or to make such payments and in-kind support publicly available. This includes in particular documentation, disclosure and reporting obligations in connection with medicines, medical devices and healthcare regulations, transparency laws, anti-money laundering laws and self-regulatory regimes such as industry and patient codes
- The processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6.1 f GDPR). These legitimate interests are:
  - Maintenance of a database of all HCPs with whom we have already collaborated or may collaborate in the future, in order to manage our interactions with you and other HCPs
  - Establishment, exercise or defense of legal claims
- You have given us your consent for the intended processing of your personal data (Art. 6.1 a GDPR)
You can withdraw your consent at any time, either for all processing or for individual purposes of your choice. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of your consent before the withdrawal. You can withdraw your consent by sending an email to your Local Data Privacy Advisor.
We collaborate with other organizations to achieve these purposes and may therefore transfer your personal data, in part or in whole, to other organizations.
This applies particularly to payment and other financial data and contract data that will be accessible only to a very limited number of recipients who have a need to know the data for the fulfillment of their tasks, subject to any disclosure obligations.
Such recipients are:
- Other Fresenius Group companies, if the transfer of personal data is required for the specific purpose or if they may be interested in working with you
- Service providers which process personal data on our behalf (e.g. for hosting or maintenance services) and have to follow our instructions on such processing; these service providers will not be allowed to use your personal data for other than our purposes
- Competent regulatory authorities, criminal prosecutors and other recipients responsible for the implementation of transparency rules as well as criminal laws and administrative laws
- Authorities, courts, parties in a litigation to the extent required to meet any applicable law, regulation, legal process or enforceable governmental request
- The general public, to the extent we are obliged to publicly disclose payments made to you and other benefits provided to you, e.g. meals, travel and lodging as well as other hospitality. Where there is no statutory legal basis for public disclosure including the identity of the recipient, you may choose to withhold your consent to such disclosure, and we would then disclose the payments and benefits on an anonymous aggregated basis
- Professional advisors or auditors, such as tax advisors, financial auditors, lawyers, insurers, banks and other external professional advisors in the countries in which we operate
International data transfers
We may transfer your personal data, in part or in whole, to Fresenius Group recipients, our service providers or other international organizations in countries that are not member states of the European Union, for the purposes listed above.
Fresenius entities are established in the following countries, for which the European Commission has determined that an adequate level of data protection matching that within the European Union is in place: Argentina, Canada, Japan, New Zealand, Switzerland and Uruguay.
With regards to such international data transfers to third countries, for which the European Commission has not decided that an adequate level of data protection exists, we have provided appropriate safeguards in order to secure your personal data to a degree that equals the level of data protection in the European Union.
Safeguards used are:
- For the exchange of data within our company: our Binding Corporate Rules for Controllers
- For the exchange of data with our service providers and other international organizations: Standard Contractual Clauses that have been issued by the European Commission
You can obtain a copy of these Standard Contractual Clauses and our Binding Corporate Rules online, or upon request.
The personal data related to your interactions with us will be deleted ten years after the completion of the last interaction with you, unless we are legally required to retain the data.
Depending on the situation, you have certain rights regarding your personal data. You have the right to:
- Request access to your personal data
- Request rectification of your personal data
- Request erasure of your personal data
- Request the restriction of processing of your personal data
- Data portability
- Object to the processing on grounds relating to your particular situation
You can exercise these rights online by using the data protection contact form.
Requirements to provide personal data
Your personal data is required to make the website accessible to you and to be able to follow up on your inquiry.
If you do not provide your personal data, the website will not work, and we may not be able to respond to or properly process your request.
Changes to this data protection statement
As our collection and use of your data may change over time, we may also modify this data protection statement to always correctly reflect our data processing practices. We encourage you to review it from time to time.
The controller and responsible entity for processing of personal data is:
Echelon Institutional Area
Plot No-11, Sector - 32
Gurgaon
Pin code - 122001
Haryana, India