Our Data Protection Organization

Fresenius Kabi operates a central data protection center of competence. This center has set up a data protection management framework in alignment with ISO 29100 (privacy framework for the protection of personally identifiable information). The competence center aims to implement a harmonized and consistent way of processing personal data across all Fresenius Kabi entities. It sets the policies, procedures and standards for data protection and provides tools and processes for the employees as well as training and awareness material. Furthermore, this center provides expertise on all data protection topics.

Our data protection and security policies, associated procedures as well as our guidelines for processing personal data aim to create a uniform and basic level of adequate data protection across all Fresenius Kabi entities.

Our local data privacy advisors at the various Fresenius Kabi legal entities support local management in their compliance efforts. They do this by executing risk and compliance assessments for the different data processing activities. With these assessments we aim to integrate data protection requirements into the design of a process or a system.

Our internal IT service provider, Fresenius Netcare, has implemented a certified management system for information security according to ISO 27001 in order to provide high security standards for data centers. Our Global Cybersecurity Emergency Response Team (CERT) identifies, evaluates and responds to security incidents and acts as a central contact point for security-related topics.

The monitoring of our data protection compliance efforts is overseen by our data protection officer.

Our Data Protection Policy

Our data protection policy sets out the requirements for our employees when collecting and processing personal data. It includes that all processing activities that are introduced are subject to a risk and compliance assessment process.

In these assessments we ensure that all relevant data protection principles have been taken into consideration within the design. In certain cases, a data protection impact assessment might be necessary before starting the respective processing activity.

We register the data processing activities within Fresenius Kabi in the “Records of Processing Activities”. This register contains essential information to comply with the data protection laws.

If you interact with us, e.g. as a patient, healthcare professional, supplier, customer or website user, we collect and use your personal data. In the data protection statements below, we explain how we collect and use your data in these different contexts.

Business Contacts (Vendor, Client, interested business contact)

As our Business Contact, we mostly collect and use your personal data in order to prepare, fulfill or perform an agreement or contract with you or with your organization for the provision of products and services. This includes:

• the evaluation of our relationship with the company you work for (business partner evaluation), and
• the fulfillment of compliance requirements such as business partner due diligence, sanction list screening and money laundering laws.

In our data protection statement for business contacts you will find further details.

Healthcare Professionals

If you are a healthcare professional we mostly collect and use your data to send you product and service related information and to assess whether you are a suitable contact for specific business needs, e.g. when we look for an expert in a certain field or for a specific product.

In our data protection statement for healthcare professionals you will find further details.

Website Users

If you are using our website, we also collect data about you. How and why we do that is stated in our data protection statement for website visitors.

By using our data protection email you can request information regarding the processing of your personal data including but not limited to the origin and recipients of your data and the purposes of the processing. You can also request to have access to your data or to object to the processing of your data. If your personal data are incorrect, incomplete or not processed in compliance with applicable law, you have the right to have this data rectified, deleted or blocked. Furthermore, you can in certain cases, also ask to directly transfer them to another organization (portability).

If you submit a request, our data protection organization may contact you for additional information to confirm your identity and to ensure rapid clarification of your question. We provide information free of charge unless requests are manifestly unfounded or excessive. In that case we may charge a fee.

We aspire to answer your request within four weeks. We reserve the right to extend the period within the scope of the admissibility by law and will inform you if this is the case. Please do not inquire about your processing status. More information on how we handle your request is stated in our data protection statement for data subject requests.

You also have the right to file a complaint about the way we manage your personal data with our data protection officer.