Data Protection
We appreciate your interest in Fresenius SE & Co. KGaA. Protecting your privacy is important to us. We are pleased to provide you with the following essential information.
In addition to the data protection notice for the use of the website and the data protection notice for business partners, visitors and recipients of public relations work, this also includes information on our binding corporate rules ("BCR") and our contact form for general requests about data protection and the exercise of your rights under the General Data Protection Regulation (e.g. access requests). You can view the complete texts by clicking on the respective plus symbols.
(June 2022)
We appreciate your interest in Fresenius. Protecting your privacy is important to us and we want you to feel secure when visiting our websites. In the following, we would like to explain which data we collect via our website https://fresenius.com and what happens with this data. However, our website may contain links to websites that are not covered by this data protection notice.
The processing of personal data is subject to the EU General Data Protection Regulation (GDPR) and the Telecommunications Telemedia Data Protection Act (TTDSG). This data protection notice informs you about how your personal data and information is processed in your terminal equipment (e.g. laptop or smartphone) when using this website and what data is involved.
"Personal data" means all information about you as data subject.
"Processing" means any operation performed upon personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
With this data protection notice, we explain to you in detail, in particular:
- who is responsible for the processing of your personal data and whom you can contact if you have questions or wish to make a complaint (Section 1)
- how we collect your data, what data we collect, for what purposes we process these personal data, which legal bases we rely on in this regard and how long we store your personal data (Section 2)
- what kind of cookies will be used (Section 3)
- to whom we may transfer your personal data (Section 4)
- how you can update, correct or even delete your personal data and exercise other rights in relation to your personal data (Section 5) and
- in which other situations your personal data may be processed and how you can contact us (Section 6).
1. Controller and contact details
The controller responsible for the processing of your personal data is:
Fresenius SE & Co. KGaA, Else-Kröner-Strasse 1, 61352 Bad Homburg, Germany
E-mail: pr-fre@fresenius.com
According to the GDPR, we are obliged to provide you with the contact details of the data protection officer. You can contact the data protection officer by sending a letter to the postal address of the controller for the attention of the Data Protection Department or by e-mail via dataprotection@fresenius.com.
2. Processing of personal data
We process your personal data for the following purposes and on the basis of the following legal grounds:
2.1 Recording of technical characteristics when visiting the website
As most other websites do, we collect information about your visit to our website. When you visit our website, the web server temporarily records
- the domain name or IP address of your computer,
- the file request of the client (file name and URL),
- the http response code,
- the website from which you are visiting us,
- which Internet browser and which operating system you are using,
- the type of your device,
- the date of your visit,
- as well as the duration of your visit.
Your IP address is only recorded anonymously - shortened by the last block of numbers (octet). The logging of data is necessary for navigation through the pages and use of essential functions (§ 25 II No. 2 TTDSG, Art. 6 I b) GDPR). In addition, the data is used for the purpose of detecting and tracking abuse on the basis of the legitimate interests of data security and the functionality of the service (Art. 6 I f) GDPR, § 25 II No. 2 TTDSG). In particular, no overriding interest of the data subject is opposed to a use for the defense against attempted attacks on our web server to ensure proper use. The data will neither be used for the creation of individual profiles nor passed on to third parties and will be deleted after seven days at the latest.
2.2 When you actively provide information when contacting us
We collect and process data you actively provide to us, for instance when filling in online forms or when contacting us by means of communication such as e-mail, telephone or mail. In the case of online forms, the purpose for which you provide us with your personal data can be found on the form itself; generally, the purpose will be to communicate with you.
If you contact us via e-mail, phone, fax or an online contact form provided on our website, we process personal data as far as provided by you: your name, company, profession, address data, e-mail address, phone number, fax number, content and type of your request and possible further information provided by you for the purpose of responding to your inquiry. We do this based on your prior consent (Art. 6 sec. 1 lit. a) GDPR) or in order to execute a contract you are party to (Art. 6 sec. 1 lit. b) GDPR), or based on our legitimate interest in communicating with you and answering your inquiry, which is not overridden by your interests, rights or freedoms since you contacted us yourself (Art. 6 sec. 1 lit. f) GDPR). We will not use the information as a basis for contacting you further for marketing purposes, unless you have given us your explicit consent to do so. Your contact data will be stored for up to six months after completion of the request or survey, unless there is a legal obligation to store the data longer. Details provided on online forms are always collected using a secure connection to protect personal information from manipulation or unauthorized access. Please be aware that regular e-mail traffic is not secure.
2.3 When you activate Activity Feeds
We implemented activity feeds of social media providers on our website (in our case namely those of Facebook, Twitter, Instagram, YouTube, LinkedIn and Xing). These activity feeds are deactivated by default. Via the cookie settings you can give your consent to data processing, for example, by means of cookies, the use of local storage, and other transmission of your data. For this purpose, please activate the category "Services from other companies (autonomous third-party providers)". The processing of data takes place in order to enable you to use and connect with the services of these social media providers. Your consent provides the legal basis for this transfer of your personal data by Fresenius (Art. 6 sec. 1 lit. a) GDPR). In addition, if you are currently logged in to a social network of one of the listed providers, your activity may be linked to your user account by the respective social media provider at the same time. If you activate the activity feeds of social media providers your web browser will connect to the servers of the respective providers and send your specific user data. The transmitted data may in particular include: date and time of your visit on our website, URL of the website you are on, URL of the website you visited before, used browser, used operating system, and your IP-Address.
When using Local Storage, data is stored locally in the cache of your computer. This data also exists after closing the browser window or closing the program and can therefore be read out. In contrast to cookies, which are partly deleted after a usage session or after a given period of time, the data in the local storage are only deleted by actively emptying the cache.
Fresenius has no influence on the scope or the kind of data that will be submitted by activating the activity feeds. Besides, further data processing operations by the respective social media providers could be triggered, on which we do not have any influence. To learn more about the scope of personal data collected and processed, the purpose your data may be used for, as well as your respective rights and configuration options in order to protect your privacy (including your right of withdrawal of consent), please refer to the respective social network’s privacy policy:
Facebook
Twitter
YouTube
Google about Youtube
Instagram
LinkedIn
Xing
All processing of personal data in relation to the activity feed is carried out by and in responsibility of these providers. Fresenius is not responsible for such processing of personal data.
3. Usage of cookies
When you visit a website, it may retrieve or store information about your browser. This usually takes the form of cookies and similar technologies. These are small text files that are stored locally on your computer by your web browser. This can be information about you, your settings or your device. In most cases, the information is used to ensure that the website functions as expected. This information does not normally identify you directly. However, it can provide you with a more personalized web experience. Because we respect your right to privacy, you can choose not to allow certain types of cookies. We would like to give you the choice of which cookies you allow via the cookie settings. You can access these settings again at any time to manage your preferences.
However, blocking certain types of cookies may result in a compromised experience with the website and services we provide. You can delete cookies at any time, even if they have already been used. Via the query that appears when you visit our website and the cookie settings, you have the option of fully agreeing to or rejecting cookies, as well as setting specific preferences. Detailed information and explanations on the different types of cookies can also be found in the cookie settings. We store your consent for one year and your rejection for one month. Cookies that are necessary to provide the web service (see explanation below) cannot be rejected.
Please note that your cookie settings always refer to the Internet browser used. If you use a different Internet browser, you must make this setting again. For how to adjust the use of cookies in your browser, see the descriptions for your respective Internet browser:
4.1 Possible recipients of personal data
In order to fulfill the aforementioned purposes, we may share your personal data in whole or in part with other group companies and/or service providers.
In addition, the following categories of recipients may receive your personal data:
- authorities, courts, parties to a legal dispute or their designees to whom we are required to provide your personal data by applicable law, regulation, legal process or enforceable governmental order, e.g., tax and customs authorities, regulatory authorities and their designees, financial market regulators, public registries;
- auditors or external consultants such as lawyers, tax advisors, insurers or banks, and
- another company in the event of a change of ownership, merger, acquisition or disposal of assets.
4.2 International data transfer
In order to fulfill the aforementioned purpose, we may transfer your personal data to recipients outside Germany. Transfers within the European Economic Area (EEA) always take place in accordance with the uniform EEA data protection level.
Transfers to third countries are always carried out in compliance with the supplementary requirements of Article 44 et seq. GDPR.
Your personal data may be transferred to certain third countries for which an adequacy decision of the EU Commission determines that an adequate level of protection exists in accordance with the uniform EEA data protection level. The full list of these countries is available here.
As a rule, EU standard contractual clauses (“SCC”) are concluded with the recipient for transfers to other third countries. These have been issued by the EU Commission to safeguard such international data transfers.
To transfer personal data outside the EEA among group companies of the business segments Fresenius Kabi (Fresenius Kabi AG and its affiliated companies) and Fresenius Corporate, we implemented binding corporate rules (“BCR”) approved by the data protection authorities in accordance with Article 47 GDPR. A copy of the SCC and the BCR can be requested via dataprotection@fresenius.com.
Ultimately, personal data may be transferred on the basis of an exceptional circumstance under Article 49 GDPR.
5. Your rights
According to the GDPR you are entitled to various rights. You have the right to access your personal data (Art. 15 GDPR, Section 34 et seq. BDSG), to correct incorrect personal data (Art. 16 GDPR), to delete your personal data under certain circumstances (Art. 17 GDPR, Section 34 et seq. BDSG) and to restrict the processing of your personal data under certain circumstances (Art. 18 GDPR).
Right to object on a case-by-case basis
In case the processing is based on Art. 6 I e) or f) GDPR including profiling based on those provisions, you have the right to object to the processing of your personal data on grounds relating to your particular situation (Art. 21 I GDPR).
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the GDPR (Art. 77 GDPR in conjunction with Section 19 BDSG). The responsible data protection authority for Fresenius is "Der Hessische Beauftragte für Datenschutz und Informationsfreiheit", Postfach 3163, 65021 Wiesbaden. The right of appeal is without prejudice to any other administrative or judicial remedy.
6. Further information on data processing in other contexts and our contact details
We may process your personal data in various other contexts, for example, when you visit our website https://karriere.fresenius.de. For the processing of your personal data in these situations, please refer to the specific information in each case. If you have any questions about data protection at Fresenius, please contact dataprotection@fresenius.com.
For the full data protection statement, please click here.
The processing of personal data is subject to the EU General Data Protection Regulation (GDPR). This data protection notice informs you about how personal data of you as a business partner, visitor or recipient of public relations work ("you") is processed and what data is involved.
By “personal data” we mean any information related to you.
By “processing” we mean any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
With this data protection notice, we explain to you in detail, among other things,
- who is responsible for processing your personal data, and who you can contact if you have questions or complaints (section 1)
- how we collect your data, what data we collect and for what purposes we process this personal data (sections 2.1 and 2.2)
- the legal basis on which we base this (section 2.3)
- to whom we may transfer your data (sections 3 and 4)
- how long we store your data (section 5)
- why we have a compelling need to know your personal data (section 6)
- how you can update, correct or even delete this data and exercise other rights in relation to your data (section 7) and
- further information for specific situations and contacts (section 8).
1. Controller and Contact
1.1 Responsible
The Fresenius group company of the corporate division Fresenius Corporate¹ with which you have concluded a contract or are in the process of negotiating a contract and/or whose premises you visit and/or who is in contact with you in the context of public relations work is the data controller under the GDPR, as this company uses your personal data in the context of the respective relationship with you. The address and name of this Fresenius company can be found in the documents available to you.
¹ Fresenius Management SE, Fresenius SE & Co. KGaA and all affiliates in the reporting segment Fresenius Group (Fresenius Versicherungsvermittlungs GmbH, Fresenius Digital Technology GmbH, Fresenius Digital Technology Polska sp.z o.o., Fresenius Digital Technology India Private Limited, Fresenius Digital Technology (Beijing) Co. Ltd., Fresenius ProServe GmbH, ProServe Krankenhaus Beteiligungsgesellschaft mbH & Co. KG, Fresenius Immobilien-Verwaltungs-GmbH, Fresenius Immobilien-Verwaltungs-GmbH & Co. Objekt Friedberg KG, Fresenius Immobilien-Verwaltungs-GmbH & Co. Objekt Schweinfurt KG, Fresenius Immobilien-Verwaltungs-GmbH & Co. Objekt St. Wendel KG, Fresenius Immobilien-Verwaltungs-GmbH & Co. Objekt Friedberg 2 KG, Fresenius Finance Ireland PLC, Fresenius Finance Ireland II PLC, Fresenius Hochschulstiftung für Gesundheitsmanagement gGmbH, Dalmia Fresenius Medical Ltd., Fresenius Immobilien Verwaltung Objekt La Pura GmbH, Fresenius Vermögensverwaltung AG), as well as Fresenius Unterstützungskasse e.V.
1.2 Data protection officer
According to the GDPR, we are obliged to provide you with the contact details of the data protection officer. The data protection officer can be contacted at the address of the controller, for the attention of the data protection department, or by e-mail: dataprotection@fresenius.com
2. Processing of personal data
2.1 How we collect your data and what data we process
We process personal data that you provide to us when you order our products and services, enter into a contract for the supply of goods and services with us, visit a premises or contact us in any way. In addition, personal data about you is collected when you log on to or use a system or application provided by us.
We also process personal data about you and your function in your company, as well as personal data of other executives and representatives, owners and shareholders of your company and the affiliated companies, or about your political mandate, which are published in predominantly publicly accessible commercial registers, websites, blogs and print media. This also includes other data sources that are publicly accessible or accessible to certain groups, in particular those made available by competent authorities and business associations.
We also process personal data relating to your company, you, other officers and agents, owners and shareholders of your company and affiliates, or your political mandate that is provided to us by service providers under contract, by other Fresenius companies or by competent authorities (including credit rating agencies, credit and risk information providers, financial services providers, governmental or international agencies or similar organizations, in particular tendering authorities or procurement authorities).
Such personal data may include your company name, your name, contact information, the names of your company's officers and agents and your company's affiliates, your company's bank accounts and payment information, the occupation and qualifications of your company's officers and agents, professional identifiers, organizational data, your company's affiliation data, certifications and quality statements issued by your company's officers, agents or auditors, the names of your company's shareholders and your company's affiliates and the amount of ownership, information about public filings, trade registries and professional associations, as well as information about your company's disclosed transactions, including proposals and financing arrangements and past interactions with Fresenius and/or any of our affiliates.
Your personal data, such as names, email addresses and organisational details, may also be processed by us in connection with the use of Microsoft 365 Services. Microsoft 365 Services also create internal analytics through aggregated reporting based on your personal usage data. We also process your personal data in connection with the use of other company systems and devices. In particular, we process IT application data (e.g. system identifiers, single sign-on identifiers, system and device passwords), instant messaging, video conferencing and other messaging account data, network IDs and infrastructure information, geographic location information (such as GPS data, Wi-Fi access points, cell tower access points, IP addresses), workflow data (roles, activities), system and device logs, internet usage data (e.g. which web pages were visited and when), video recordings and content generated by you. In addition, video and audio recordings made in connection with the use of MS Teams/Skype and in the context of operational video surveillance also contain contextual information on ethnic origin, religion or health.
2.2. Purposes of Processing
We process this data for the purpose of initiating, maintaining and/or terminating as well as assessing a (possible) business relationship with you. This general purpose includes in particular:
- the manufacture, provision and supply of products and services;
- the procurement of products and services from you;
- a potential investment in Fresenius shares, a potential acquisition, divestiture or joint venture transaction with us or an affiliate of Fresenius and/or an outside company;
- the exchange of information about existing contracts or possible contracts with you;
- the exchange/processing of business documents by means of the use of various Microsoft 365 Services. In principle, all Microsoft 365 services used have the overriding purpose of promoting communication and collaboration with external parties;
- the creation of internal analytics for Fresenius' own use using Microsoft 365 services, such as MyAnalytics;
- the fulfilment of compliance requirements (e.g. conflict checks, business partner checks, sanctions list checks, money laundering identifications and controls, the verification of regulatory requirements for supply chains, customs and export requirements, traceability requirements for products);
- managing our relationship/communication with you or the company you work for (e.g. customer relationship management, supplier management, investor relations management);
- marketing (e.g. information about products and services or related information);
- assessing whether you are a suitable contact for specific business requirements, e.g. if we are looking for an expert in a particular area or for specific products;
- business partner assessment and qualification, e.g. whether you and your company meet certain quality and certification requirements;
- implementation and evaluation of the payment and accounting system, together with the collection of payments due to us, including the refinancing of receivables;
- assessing the financial solvency and credit risk of your company;
- organizing, securing and improving internal processes including communication, administration and IT (e.g. infrastructure and workplace management);
- organizing events for our company or events for which Fresenius provides the infrastructure (premises, IT infrastructure);
- crisis management for hazard prevention and response;
- in the area of communications management and information technology, the authorization of visitors for access to systems and applications and for access authorization/logging (authentication), e.g. when entering a building, a parking garage or a specific room, in particular by means of an access card or a key; location management, i.e. making room reservations, room management/planning; the use of the IT infrastructure and log-in data for the maintenance of the IT infrastructure in order to ensure IT support and to identify and rectify errors; security management, i.e. security analysis, as well as the prevention of cyberattacks and the improvement of information security, including IT security.
2.3 Legal bases for processing
We process your personal data on one of the following legal bases:
- if the processing of your personal data is necessary for the performance of the contract concluded between you and us (Art. 6 I b) GDPR).
- if the processing of your personal data is necessary for us to comply with national and/or international legal obligations (e.g. employment laws, tax laws, social security laws, occupational health and safety laws, financial market laws, drug control laws, medical device laws, environmental laws, criminal and administrative offences laws, and commercial and corporate obligations), regulatory requirements (e.g. tax authorities, employment agencies, social security institutions) and public interests to which we are subject, and to provide evidence thereof (Art. 6 I c) or e) GDPR).
- if the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party (Art. 6 I f) GDPR), unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. These legitimate interests are:
  - fulfilling our contract with the company you work for, including enforcing any rights we have under that contract;
  - gathering information/knowledge management related to internal processes, products and services;
  - development, optimization and improvement of our products and services;
  - optimization of the administration;
  - conducting research;
  - organizational management;
  - risk management: hedging against e.g. financial/reputation risks;
  - internal audit: performing internal audit procedures within the Group;
  - maintaining IT infrastructure, IT security, ensuring IT support, and identifying and resolving errors;
  - compliance with and evidence of compliance with internal policies, national and international industry standards and legal obligations outside the EEA;
  - detection, investigation and prosecution of criminal offences and misdemeanours; and
  - video surveillance and hazard prevention (especially building and facility security measures).
- if you have been informed about the intended processing of your personal data and have given us your consent (Art. 6 I a) GDPR). You can revoke your consent at any time, either for the processing as a whole or for individual purposes of your choice. The withdrawal of consent does not affect the lawfulness of the processing based on your consent before the withdrawal. You can revoke your consent by sending an e-mail to dataprotection@fresenius.com.
3. Possible recipients of personal data
In order to fulfill the aforementioned purposes, we may share your personal data in whole or in part with other group companies and/or service providers.
In addition, the following categories of recipients may receive your personal data:
- authorities, courts, parties to a legal dispute or their designees to whom we are required to provide your personal data by applicable law, regulation, legal process or enforceable governmental order, e.g., tax and customs authorities, regulatory authorities and their designees, financial market regulators, public registries;
- auditors or external consultants such as lawyers, tax advisors, insurers or banks, and
- another company in the event of a change of ownership, merger, acquisition or disposal of assets.
4. International data transfers
In order to fulfill the aforementioned purpose, we may transfer your personal data to recipients outside Germany. Transfers within the European Economic Area (EEA) always take place in accordance with the uniform EEA data protection level.
Transfers to third countries are always carried out in compliance with the supplementary requirements of Article 44 et seq. GDPR.
Your personal data may be transferred to certain third countries for which an adequacy decision of the EU Commission determines that an adequate level of protection exists in accordance with the uniform EEA data protection level. The full list of these countries is available here.
As a rule, EU standard contractual clauses (“SCC”) are concluded with the recipient for transfers to other third countries. These have been issued by the EU Commission to safeguard such international data transfers.
To transfer personal data outside the EEA among group companies of the business segments Fresenius Kabi (Fresenius Kabi AG and its affiliated companies) and Fresenius Corporate, we implemented binding corporate rules (“BCR”) approved by the data protection authorities in accordance with Article 47 GDPR. A copy of the SCC and the BCR can be requested via dataprotection@fresenius.com.
Ultimately, personal data may be transferred on the basis of an exceptional circumstance under Article 49 GDPR.
5. How long we store your personal data
As a rule, we store your personal data for one of the following periods:
- In accordance with applicable laws, for as long as we are subject to a retention obligation;
- Unless a mandatory record retention provision applies, we will retain your personal data for the duration of the contractual relationship with you or the company for which you work;
- In accordance with applicable law, as long as we have a legitimate interest outside of a contractual relationship;
- Preservation of evidence for the assertion, exercise or defence of legal claims within the framework of the statutory limitation provisions. According to §§ 195 ff. BGB, these limitation periods can be up to 30 years, with the regular limitation period being three years.
The exact period depends on the company you work for and your position in the company. In the case of longer retention periods (e.g. because we are obliged to store the data for the company audit), the aim is for the data to be blocked and archived until the end of the respective retention period and then deleted. Your data will be blocked for purposes other than archiving and kept until the end of the respective retention period.
6. Mandatory provision of personal data
You may need to provide us with your personal data to fulfil a contract with you or the company you work for. For example, we may need your contact details if you are our business contact with a supplier. If you do not provide your personal data, we may not be able to enter into the relevant contractual relationship.
7. Your rights
According to the GDPR you are entitled to various rights. You have the right to access your personal data (Article 15 GDPR, section 34 et seq. BDSG), to correct incorrect personal data (Article 16 GDPR), to delete your personal data under certain circumstances (Article 17 GDPR, section 34 et seq. BDSG) and to restrict the processing of your personal data under certain circumstances (Article 18 GDPR).
In case of processing based on consent, you have the right to withdraw this consent (Article 7 (3) GDPR) and, in case of processing carried out by automated means, the right to receive personal data you provided to us in a structured, commonly used, machine-readable format in order to forward it to another controller (Article 20 GDPR).
If the processing is based on a contract and carried out by automated means, you have the right to receive personal data you provided to us in a structured, commonly used, machine-readable format and to transmit your personal data to another controller (Article 20 GDPR).
Right to object on a case-by-case basis
In case the processing is based on Article 6 (1) (1) (e) or (f) GDPR including profiling based on those provisions, you have the right to object to the processing of your personal data on grounds relating to your particular situation (Article 21 (1) GDPR).
Right to object to processing for direct marketing purposes
In case your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing (Article 21 (2) GDPR).
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the GDPR (Article 77 GDPR in conjunction with section 19 BDSG). The responsible data protection authority for Fresenius is "Der Hessische Beauftragte für Datenschutz und Informationsfreiheit", Postfach 3163, 65021 Wiesbaden. The right of appeal is without prejudice to any other administrative or judicial remedy.
8. Further information for special situations and contact persons
We may process your personal data in various other contexts, for example when you visit our website. For the processing of your personal data in these situations, please refer to the specific information in each case.
If you have any questions about data protection at Fresenius, please contact dataprotection@fresenius.com.
For the full data protection statement, please click here.
To consistently regulate the way in which Personal Data is handled or processed among the group companies of the corporate division Fresenius Corporate (Fresenius Management SE, Fresenius SE and all affiliates in the reporting segment Fresenius Group) and the business segment Fresenius Kabi (directly or indirectly controlled by Fresenius Kabi AG), we adopted binding corporate rules ("BCR") approved by European data protection authorities.
BCR are internal rules for data processing within multinational organisations and, together with the associated security policies and procedures, aim to create a globally uniform and adequate level of data protection for the participating companies.
The commitment to a common standard for the processing of personal data and to an effective approach to the data protection compliance reinforces our effort to protect your privacy at the global and local level.
For the full text of our BCR, please click here.
As a first insight into our BCR, we are happy to provide you with an abridged version below.
Summary of the Binding Corporate Rules (BCR)
Please note that only the full text of the English language version of the binding corporate rules (BCR) is legally binding. The following abridged version and/or the German translation of the full text or of the abridged version does not replace the full text of the English language version approved by the European data protection authorities.
1 An adequate and uniform level of data protection
Fresenius needs to follow many data protection laws around the world. The Binding Corporate Rules (BCR) set a uniform and adequate level of data protection. This enables the internal exchange of personal data between the Fresenius entities in scope.
2 Applicable around the world
The BCR apply to the following Fresenius entities:
- group companies of the business segment Fresenius Kabi (directly or indirectly controlled by Fresenius Kabi AG)
- group companies of the corporate division Fresenius Corporate (Fresenius Management SE, Fresenius SE and all affiliates in the reporting segment Fresenius Group)
Applicable for certain activities
The BCR apply to the following Personal data processing activities:
- All activities by European entities
- Activities of non-European entities:
- When they collect personal data on behalf of a European Fresenius entity or
- when they collaborate with a European Fresenius entity
- when they receive personal data from European entities
- when they collect personal data from people located in Europe for the offering of goods and services or related to monitoring behaviour.
BCR apply to both paper based and IT based processes.
The BCR apply to all processes that allow structured search for personal data.
3 BCR sets the minimum level
If any local data protection laws require stricter or additional rules on processing of personal data, these need to be observed additionally.
If a local law contradicts the BCR, the Data Protection Officer (DPO) needs to be informed. The DPO will assess the impact and resolve the conflict.
If an entity receives an order of an authority to disclose personal data that is not in line with the BCR requirements, the DPO needs to be informed. The DPO will inform the supervisory authority in Germany.
4 The BCR are binding to the organisation and our employees
The BCR must be complied with and are binding for:
- All entities: they sign a contract
- All employees: they have the duty to follow corporate policies based on their employment contract.
Organisations and people can derive rights under these obligations.
The enforcement of the BCR and potential sanctions because of violations are the same as any other policy violation.
5 Fresenius established a data protection organization
Fresenius Group established an internal data protection organization, and assigned the following roles and responsibilities:
- The Data Protection Officer (DPO) monitors, i.e. checks and oversees if the BCRs, local laws, rules and processes are followed. The DPO can perform audits, reviews and investigations. The DPO is also the point of contact for the data protection authorities in Europe. Contact details are:
Data Protection Officer:
Else-Kröner-Str. 1
61352 Bad Homburg v.d.H.
Germany
Or by email:
For Fresenius Corporate: dataprotectionofficer@fresenius.com
For Fresenius Kabi: dataprotectionofficer@fresenius-kabi.com
- The Local Data Protection Advisor (LDPA) helps and advises local employees as well as process owners whenever they have any questions or concerns related to data protection. Where necessary the LDPA supports the DPA and DPO, e.g. on request in its monitoring function and contact with supervisory authorities e.g., due to language issues.
- The Data Protection Advisor (DPA) provides supporting and consulting tasks for the LDPAs and is responsible for the data protection management system. Where necessary the DPA supports the DPO on request in its monitoring function and contact with Supervisory Authorities e.g., due to language issues.
6 Eight data protection principles to follow under BCR
When processing personal data, we will follow several principles to protect the fundamental rights and freedoms of individuals in accordance with the BCR. Each entity must comply with the following principles when processing personal data:
6.1 Principle 1: Lawfulness
Have a documented legal basis when collecting, using and processing personal data. These legal bases are listed exhaustively. Examples are:
- the processing is necessary for the performance of a contract with the individual, such as employee contracts and sales contracts
- the individual has given consent
- the legitimate interests of Fresenius outweigh the negative consequences for the individuals
- the need to fulfil other legal obligations, such as tax laws, vigilance requirements or GxP requirements.
Special categories of data, such as health data, need additional legal grounds.
If local laws require additional or divergent provisions, these must also be followed (this might for example be relevant for employee data).
6.2 Principle 2: Transparency and Fairness
Handle personal data fairly and in a transparent manner. Inform individuals before or at the moment of collecting and using the personal data about:
- Who is responsible and how we can be contacted
- What data is collected
- How the data is collected
- Why we need the data (purpose)
- With what organisations the data is shared
- If it is shared with other countries
- How long the data will be stored
- The legal basis for collecting and using data and an explanation of that (principle 1)
- If the individuals are profiled
- If we make any decisions by automated means
- If the data must be provided and what happens if that is not done
- The contact details of the DPO and the authority
- The rights that the individuals have.
All this information must be provided in a comprehensive and in an easily accessible form, using clear and plain language.
6.3 Principle 3: Purpose Limitation
Only use personal data for the specified, explicit and legitimate purposes for which it is collected. Further use is not allowed, unless this further use is in line with the original purpose and/or additional measures are taken.
Purposes for further processing which are generally deemed in line with the original purpose are:
- Archiving
- Internal audit
- Investigations
The (L)DPA will be able to provide guidance on whether a change of purpose might be permitted. In case of a permitted change of purpose, individuals must be informed of any such changes.
6.4 Principle 4: Data minimization
Only collect and use personal data that is necessary for the defined purpose as communicated to the individual. That means to ensure that personal data is relevant and not excessive in light of the purpose.
6.5 Principle 5: Accuracy
Keep personal data accurate and up-to-date. Procedures must be implemented to ensure that inaccurate data is deleted, corrected or updated without delay.
6.6 Principle 6: Storage Limitation
Do not keep personal data longer than necessary for the purpose it has been collected for, unless it is required by law. In such a case, access to it has to be restricted. Delete or anonymise personal data if there is no legal reason or purpose anymore.
6.7 Principle 7: Security, Integrity and Confidentiality
Take appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, disclosure or access to personal data (e.g. through appropriate roles & rights concept, backup and restore or by using encryption).
When implementing such measures, the risks to the individual must be considered. The security of IT systems must be assessed in light of these risks when installing and maintaining IT systems.
Document and report any breach of security that is likely to result in a risk for the affected Individuals to the data protection organization. Depending on the situation such breaches must also be notified to the supervisory authority, the individuals or other organisations.
6.8 Principle 8: Accountability
Be able to demonstrate compliance with the BCR. This is done by creating and maintaining appropriate documentation such as:
- records of processing activities
- technical and organizational measures taken to comply with the data protection principles and to address the risks.
- data protection risk and control assessments
6.8.1 Engagement of Processors
Only engage processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the BCR and local data protection laws. This must be ensured by a data protection contract between the respective entity and the processor.
6.8.2 (Onward) Transfers of personal data
Implement measures to adequately safeguard transfers of personal data to other organisations situated outside of the European Economic Area in compliance with these BCR. This could be done by agreeing standard contractual clauses as adopted by the European Commission with the other organisation.
7 Data protection risk assessment
For every data processing activity, a data protection risk assessment needs to be carried out. This assessment is a formal process to assess the impact of the activity on the rights and freedom of the respective concerned data subjects.
The identified control gaps and potential risks must be reported and documented. Mitigating technical and organizational measures must be implemented before the data processing activity is started.
8 Data protection impact assessments
If the result of the data protection risk assessment is a high risk, a Data Protection Impact Assessment (DPIA) needs to be carried out. The advice of the DPO will be sought.
Where a DPIA identifies a high risk of a specific data processing activity, adequate measures to mitigate such risks must be implemented prior to the start of the processing activity. If the DPIA still indicates high risk after the implementation of the measures, the concerned supervisory authority should be consulted before the data is processed.
9 Individuals’ rights
Individuals must be enabled to exercise their rights (data subject rights):
- Right to access personal data: The individual can ask to access/receive information about individual personal data processed by Fresenius (e.g. the purpose of processing, the categories of personal data concerned, the recipients, storage periods, any existence of automated decision-making).
- Right to rectify personal data: The individual can ask to correct inaccurate or incomplete personal data.
- Right to erase personal data: The individual can ask to delete his/her personal data unless it must be maintained e.g. due to legal retention requirements.
- Right to restrict processing of Personal Data: The individual can ask to restrict the processing of his/her personal data if either the accuracy of the personal data is contested, or the processing is unlawful (no longer required for the pursued purposes).
- Right to receive personal data in a portable format: The individual can ask to receive their personal data in a commonly used and machine-readable format, if the following conditions are met:
- Personal data have been provided by the individual
- The processing is based on the individual’s consent or on a contract with the individual
- The processing is carried out by automated means.
- Right to object to the processing of personal data: The individual can, due to his or her personal situation, object to processing of his or her personal data based on legitimate or public interest. Such a request must be assessed. Further, the individual can object to direct marketing and profiling. The processing must then stop.
- Right not to be subject to automated decision making: The individual has the right not to be subject to automated decision making (incl. profiling) which could lead to legal or similar significant effects on the individual, unless:
- It is necessary for entering into or performance of a contract between the individual and the respective entity
- It is based on the individual’s explicit consent
10 Compliance with BCR
10.1 Access to BCR
The BCR must be available for individuals in an appropriate manner. The BCR will be published on the internet and intranet.
Individuals can also access the BCR by contacting the respective DPO or any member of the data protection organization.
10.2 BCR complaint handling
Each individual is entitled to:
- Claim violation of the BCR, local data protection laws, orders by supervisory authorities, internal policies and guidelines, or voluntary self-commitments related to data protection
- Address its individual rights
- Enforce any other right of the BCR.
Any such complaints can be submitted e.g. via phone, by email or letter, orally by approaching the respective DPO, the respective (L)DPA or the compliance hotline.
In case the complaint is considered justified, the entity will take adequate action(s) to address the complaint and inform the individual accordingly within a month.
10.3 Liability and Enforcement
Individuals who are affected by or have suffered damages as a result of the processing of their respective Personal Data, are entitled to enforce these parts of the BCR and if applicable to receive compensation before a competent court.
In case of proven violations by parties established outside European Union/ European Economic Area, Fresenius SE & Co. KGaA accepts responsibility and liability for any damages towards the Individuals. The entity, who caused the damage, shall provide reasonable assistance to Fresenius SE & Co. KGaA to respond to such complaints or requests in a timely manner.
10.4 Cooperation with Supervisory Authorities
Each entity is required to cooperate with the supervisory authorities, to comply with advice concerning the interpretation of these BCR and to accept being audited by the concerned supervisory authorities.
10.5 Training
Each entity will enrol and oblige their employees to participate in a training on the BCR and data protection and to regularly repeat such training. General training must be provided at least bi-annually to all relevant employees. Furthermore, role specific training (e.g. for HR or Procurement departments) is provided considering the specific needs of certain roles/persons.
10.6 Auditing
All parties will commit to be regularly audited (through planned or ad hoc audits) to evaluate and test compliance with the BCR and implement adequate and sufficient mechanisms to remedy non-compliance of an entity with the BCR. The data protection organization will follow up on any conducted audit to assess whether proposed corrective actions have been appropriately implemented and document any outcomes in the audit report. Each entity will make audit reports available to supervisory authorities upon request.
10.7 Update of BCR
Parties will review local data protection laws and indicate if changes to BCR are necessary. Fresenius can amend the BCR if needed. Any significant changes to the BCR will promptly be reported to each entity and to the supervisory authority. Any other non-substantive amendments to the BCR will be reported to the parties as soon as practicable.
11 Exit Management
In case an entity ceases to adhere to the BCR (i.e. via termination of the respective intra-group-agreement), such entity will either
- return all personal data to any Parties from which data have been received, or
- in compliance with local data retention rules, destroy all such personal data, or
- will provide for sufficient safeguards with regard to such personal data (e.g. by concluding standard contractual clauses).
We are happy to accept general data protection inquiries and data subject right requests under the General Data Protection Regulation (e.g., requests for information) via the contact form below. We would like to inform you in the following how we collect personal data when you contact us and exercise your rights under the General Data Protection Regulation, what types of information we collect and explain how this information is used. For this purpose, we provide you with our data protection information below.
Data Protection Information for Data Subjects Making a Data Subject Request
If you contact us with a request regarding your rights as a data subject under the General Data Protection Regulation, Fresenius SE & Co. KGaA (“we” or “Fresenius”) will process certain personal data.
By “personal data” we mean any information related to you.
By “processing” we mean any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
We take the protection of your personal data very seriously. All processing of personal data by us is governed by the General Data Protection Regulation of the European Union (“GDPR”). This Data Protection Information informs you about how we process your personal data.
1 Controller and contact
Responsible for the processing of your personal data is:
Fresenius SE & Co. KGaA
E-Mail: pr-fre@fresenius.com
According to the GDPR, we are obliged to provide you with a data protection officer. This person can be reached at the address of the responsible person for the attention of the Data Protection Department or by email:
dataprotection@fresenius.com
2 Processing of personal data
2.1 How we collect your data
We process personal data you provide to us when you fill in the mandatory fields in the contact form for data subject requests or that you send to us directly via email. Furthermore, we process personal data you provide to us when you fill in the optional fields. We may also process personal data you provide to us in the course of a request, e.g. when we need to verify your identity.
2.2 Purposes of Processing
We process the personal data you provided to us for the purpose of handling and responding to your request. The exact data depends on what information you include in your request; typically, it will be your name, contact information, information on the kind of relationship you have with Fresenius, and the request itself.
2.3 Legal Basis for Processing
We process your personal data on one of the following legal bases:
The processing of your personal data is necessary for us in order to comply with a legal obligation we are subject to. We are legally obliged to respond to your request and to process your personal data accordingly.
3 Possible recipients of your personal data
In order to fulfill the aforementioned purposes, we may share some or all of your personal data with other group companies and/or service providers. In addition, the following categories of recipients may receive your personal data:
- Authorities, courts, parties to a legal dispute or their designees to whom we are required to provide your personal information by applicable law, regulation, legal process or enforceable governmental order, e.g., tax and customs authorities, regulatory authorities and their designees, financial market regulators, public registries;
- auditors or external consultants such as lawyers, tax advisors, insurers or banks, and
- another company in the event of a change of ownership, merger, acquisition or disposal of assets.
4 International data transfers
In order to fulfill the aforementioned purpose, we may transfer your personal data to recipients outside Germany. Transfers within the European Economic Area (EEA) always take place in accordance with the uniform EU data protection level.
Transfers to third countries are always carried out in compliance with the supplementary requirements of Art. 44 et seq. GDPR.
Your personal data may be transferred to certain third countries for which an adequacy decision of the EU Commission determines that an adequate level of protection exists in accordance with the uniform EU level of data protection. The full list of these countries is available here.
As a rule, EU standard contractual clauses are concluded with the recipient for transfers to other third countries. These were issued by the EU Commission to safeguard such international data transfers and can be requested at dataprotection@fresenius.com.
To transfer personal data among group companies of the business segments Fresenius Kabi (Fresenius Kabi AG as well as its affiliated companies) and Fresenius Corporate within and outside the EEA, we implemented binding corporate rules ("BCR") approved by European data protection authorities pursuant to Art. 47 GDPR.
A copy of the EU Standard Contractual Clause and the Binding Corporate Rules can be requested via dataprotection@fresenius.com.
Ultimately, personal data may be transferred on the basis of an exceptional circumstance under Art. 49 GDPR.
5 Retention period
We store your personal data until we have responded to your request. Afterwards, the respective personal data shall be blocked (i.e. we block your data for all other purposes) until the end of the respective statute of limitation for corresponding legal claims. After the end of this statute of limitation (after 4 years), your data will be erased entirely.
If longer retention periods apply beyond the time periods listed above (e.g., because we are obliged to store the data for tax audit purposes), our aim is for the data to be blocked and archived until the end of the respective retention period and then erased. Your data will be blocked for processing for any purposes other than archiving and will be kept until the end of the respective retention period.
6 Requirements to provide personal data
If you fail to provide your personal data, we might not be able to respond to or properly process your request.
7 Your rights
According to the GDPR you are entitled to various rights. You have the right to inspect your personal data (Art. 15 GDPR, section 34 et seq. BDSG), to correct incorrect personal data (Art. 16 GDPR), to delete your personal data under certain circumstances (Art. 17 GDPR, section 34 et seq. BDSG) and to restrict the processing of data under certain circumstances (Art. 18 GDPR).
You also have the right to file a complaint with a supervisory authority (Art. 77 GDPR in conjunction with section 19 BDSG). The data protection authority responsible for Fresenius is "Der Hessische Beauftragte für Datenschutz und Informationsfreiheit", Postfach 3163, 65021 Wiesbaden. The right of appeal is without prejudice to any other administrative or judicial remedy.
8 Further information for specific situations and contact
We may process your personal data in various other contexts, for example when you visit our website. For the processing of your personal data in these situations, please refer to the specific information in each case.
If you have any questions on data protection at Fresenius, please contact us at
dataprotection@fresenius.com.
For the full data protection statement, please click here.
Requests about data protection and to inspect personal data
We are happy to accept general data protection inquiries and data subject right requests under the General Data Protection Regulation (e.g., requests for information) via the contact form below. Information on the processing of your personal data can be found above under Personal Data Request and alternatively downloaded here.
Contact
Fresenius SE & Co. KGaA
Else-Kröner-Str. 1
61352 Bad Homburg
Germany
T: +49 6172 608-0
dataprotection@fresenius.com