Binding Corporate Rules

The Binding Corporate Rules (BCR) are a set of policy documents that determine consistent data protection and information security standards. These documents cover all types of personal data and personally identifiable information (PII), such as address and communication data, master data or health data, and all types of individuals, such as employees, customers, suppliers, HCPs and patients, falling under the applicability of the General Data Protection Regulation (GDPR).

BCR permit the transfer of personal data between Fresenius Kabi group entities in Europe and Fresenius Kabi group entities in countries outside of Europe. As a global company, Fresenius Kabi has certain business processes that fall within the scope of the GDPR.



Data Protection Principles

Fresenius needs to follow many data protection laws around the world. The BCR set a uniform and adequate level of data protection. This enables the internal exchange of personal data between the Fresenius entities in scope.

When processing personal data, we will follow several principles to protect the fundamental rights and freedoms of individuals in accordance with the BCR. Each entity must comply with the following principles when processing personal data:

Principle 1: Lawfulness

  • Have a documented legal basis when collecting, using, and processing personal data.

Principle 2: Transparency and Fairness

  • Handle personal data fairly and in a transparent manner.

Principle 3: Purpose Limitation

  • Only use personal data for the specified, explicit, and legitimate purposes for which it is collected. Further use is not allowed unless this further use is in line with the original purpose and/or additional measures are taken.

Principle 4: Data Minimization

  • Only collect and use personal data that is necessary for the defined purpose as communicated to the individual. Take steps to ensure that personal data is relevant and not excessive in light of the purpose for which it is collected and used.

Principle 5: Accuracy

  • Keep personal data accurate and up to date. Procedures must be implemented to ensure that inaccurate data is deleted, corrected, or updated without delay.

Principle 6: Storage Limitation

  • Unless required by law, do not keep personal data longer than necessary for the purpose of its collection. If required to retain the data longer than the intended purpose for its collection, access to the data must be restricted. When the data is no longer required to be retained, it must be deleted or anonymized such that it cannot be used for any purpose.

Principle 7: Security, Integrity, and Confidentiality

  • Take appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, disclosure, or access.

Principle 8: Accountability

  • Be able to demonstrate compliance with the BCR.


Data Protection Risk Assessment

For every data processing activity, a data protection risk assessment needs to be carried out. This assessment is a formal process to assess the impact of the activity on the rights and freedoms of the data subjects concerned.

The identified control gaps and potential risks must be reported and documented. Mitigating technical and organizational measures must be implemented before the data processing activity is started.


BCR Complaint Handling

Each individual is entitled to:

  • Claim violation of the BCR, local data protection laws, orders by supervisory authorities, internal policies and guidelines, or voluntary self-commitments related to data protection
  • Address their individual rights
  • Enforce any other right of the BCR


Any such complaints can be submitted, e.g., via phone, by email or letter, or orally by approaching the respective DPO, the respective (L)DPA or the compliance hotline. If the complaint is considered justified, the entity will take adequate action(s) to address the complaint and inform the individual accordingly within a month.