An adequate and uniform level of data protection
Fresenius needs to follow many data protection laws around the world. The Binding Corporate Rules (BCR) set a uniform and adequate level of data protection. This enables the internal exchange of personal data between the Fresenius entities in scope.
Applicable around the world
The BCR apply to the following Fresenius entities:
- Fresenius Kabi AG including all subsidiaries / affiliates
- Fresenius Digital Technology GmbH
- Fresenius SE & Co. KGaA
Applicable for certain activities
The BCR apply to the following personal data processing activities:
- All activities by European entities.
- Activities of non-European entities:
  - When they collect personal data on behalf of a European Fresenius entity or
  - When they collaborate with a European Fresenius entity
  - When they receive personal data from European entities
  - When they collect personal data from people located in Europe for the offering of goods and services or related to monitoring behaviour
The BCR apply to both paper-based and IT-based processes.
The BCR apply to all processes that allow structured search for personal data.
The BCR set the minimum level
If any local data protection laws require stricter or additional rules on processing of personal data, these need to be observed additionally.
If a local law contradicts the BCR, the Data Protection Officer (DPO) needs to be informed. The DPO will assess the impact and resolve the conflict.
If an entity receives an order from an authority to disclose personal data that is not in line with the BCR requirements, the DPO needs to be informed. The DPO will inform the supervisory authority in Germany.
The BCR are binding on the organisation and our employees
The BCR must be complied with and are binding for:
- All entities: they sign a contract
- All employees: they have the duty to follow corporate policies based on their employment contract.
Organisations and people can derive rights under these obligations.
Enforcement of the BCR and potential sanctions for violations are the same as for any other policy violation.