Data Protection

Our Data Protection Organization

Fresenius Kabi operates a central data protection center of competence. This center has set up a data protection management framework in alignment with ISO 29100 (privacy framework for the protection of personally identifiable information). The competence center aims to implement a harmonized and consistent way of processing personal data across all Fresenius Kabi entities. It sets the policies, procedures and standards for data protection and provides tools and processes for the employees as well as training and awareness material. Furthermore, this center provides expertise on all data protection topics.

Our local data privacy advisors at the various Fresenius Kabi legal entities support local management in their compliance efforts. They do this by executing risk and compliance assessments for the different data processing activities. With these assessments we aim to integrate data protection requirements into the design of our processes and IT systems.

At Fresenius Kabi, we know information security is important to our customers, patients, and business partners. We are committed to maintaining information security through responsible management, appropriate use, and protection in accordance with legal and regulatory requirements and our agreements. Please find more about the Information Security at Fresenius Kabi.

The monitoring of our data protection compliance efforts is overseen by our data protection officer.

Our Data Protection Policy

The Fresenius Kabi Group has adopted Binding Corporate Rules on the protection of personal data. These rules have been approved by the European Data Protection Authorities and describe the principles for protecting personal data and determine how we apply them when collecting and processing personal data.

The Fresenius Binding Corporate Rules and associated security policies and procedures aim to create a global adequate and uniform level of data protection across our group. They also set the rules for the internal data transfers between Fresenius Kabi companies and our internal service provider worldwide.

If you interact with us, as a healthcare professional, business contact, or website user, also if you report an adverse event or submit a data subject request, we collect and use your personal data. In the data protection statements below, we explain how we collect and use your data in these different contexts.

Business contacts (vendors, clients, interested business contacts)

As our business contact, we mostly collect and use your personal data in order to prepare, fulfill or perform an agreement or contract with you or with your organization for the provision of products and services. This includes:

• the evaluation of our relationship with the company you work for (business partner evaluation), and
• the fulfillment of compliance requirements such as business partner due diligence, sanction list screening and money laundering laws.

In our data protection statement for business contacts you will find further details.

Healthcare professionals

If you are a healthcare professional we mostly collect and use your data to send you product and service related information and to assess whether you are a suitable contact for specific business needs, e.g., when we look for an expert in a certain field or for a specific product.

In our data protection statement for healthcare professionals you will find further details.

Website users

If you are using our website, we also collect data about you. How and why we do that is stated in our data protection statement for website visitors.

Reporters of adverse reactions or events

We collect, use and report personal data of patients using our products and of reporters of adverse reactions or events. In the data protection statement for vigilance, we explain why and how we do that.

Individuals submitting a data subject request

If you contact us with a request regarding your rights as a data subject, we will handle those requests. You can find how we do that in our data protection statement for data subject requests.

By using our data protection contact form you can request information regarding the processing of your personal data including but not limited to the origin and recipients of your data and the purposes of the processing. You can also request to have access to your data or to object to the processing of your data. If your personal data are incorrect, incomplete or not processed in compliance with applicable law, you have the right to have this data rectified, deleted or blocked. Furthermore, you can in certain cases, also ask to directly transfer them to another organization (data portability).

If you submit a request, our data protection organization may contact you for additional information to confirm your identity and to ensure rapid clarification of your question. We provide information free of charge unless requests are manifestly unfounded or excessive. In that case we may charge a fee.

We aspire to answer your request within four weeks. We reserve the right to extend the period within the scope of the admissibility by law and will inform you if this is the case. Please do not inquire about your processing status.

You have the right to file a complaint about the way we manage your personal data with our data protection officer or with the data protection authority.