Notification of Adverse Reactions

WARNING: this privacy notice is applicable to the adverse events notified within the European Union.

Privacy notice available in other languages.

1. Who is the data controller?

The data controllers are:

(a) the Grifols' group company that holds the marketing authorization of the pharmaceutical product in the territory of its commercialization ("Grifols' MAH"). The identity and contact details of Grifols' MAH is available in the national registers of authorised medicines of Member States of the European Union (, and

(b) the Grifols' group company that has designated a Local Qualified Pharmacovigilance Contact Person responsible for pharmacovigilance issues at a national level ("Grifols' LQPVCP"). Grifols' LQPVCP is the data controller with respect to the adverse events notified in its territory.

The identity and contact details of Grifols' MAH and LQPVCP in a specific country are available here. Grifols' MAH and Grifols' LQPVCP will be jointly referred to as "Grifols".

2. Who is the data protection officer of Grifols and how can you contact him/her?

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols' compliance with the data protection legislation and guarantee your rights under such legislation. You may contact the data protection officer at or the data protection officer of Grifols Deutschland, GmbH at, if the latter is the company that holds the marketing authorization or if it has appointed a Local Qualified Pharmacovigilance Contact Person.

3. For which purposes does Grifols process the personal data?

Grifols processes the personal data to:

(a) contact the data subject to obtain more information on the adverse events and, if necessary, to monitor the notification it has received,

(b) be able to comply with all pharmacovigilance related obligations as a pharmaceutical company, and

(c) notify the competent health authorities, national or international, of any data related to the adverse events the data subject has notified.

Additionally, Grifols' LQPVCP processes the personal data to notify any data and information related to adverse events to Grifols' MAH. In any event, any data processing by Grifols' LQPVCP shall follow Grifols' MAH indications, unless otherwise regulated in applicable laws and regulations.

4. Which is/are the lawful basis/bases to process the personal data?

The legal bases to process the personal data are:

(a) the compliance with the legal obligations stemming from the national laws implementing the Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the Community code relating to medicinal products for human use and any other legislation supplementing or replacing it, and

(b) the public interest in the area of public health for the purposes of ensuring the quality and security of Grifols' group pharmaceutical products, on the basis of the pharmacovigilance applicable legislation.

5. How long does Grifols retain the personal data?

Once the purposes for which the personal data processed are fulfilled, Grifols retains the personal data until the end of statutes of limitation of any liabilities that may arise and during the term required to comply with any applicable legal obligation.

6. With whom does Grifols share the personal data?

In accordance with Section 3 and based on the nature of the notified adverse event, it may be necessary to provide the personal data to the pharmacovigilance team and any other teams existing across the Grifols' group companies, such as regulatory affairs, quality, marketing and audit or legal services, among others.

Additionally, your personal data may be exceptionally provided to national or international competent health authorities, healthcare professionals or companies with whom Grifols has signed commercial and/or license agreements or who are responsible of assessing the pharmaceutical products, with the sole purpose of complying with the pharmacovigilance obligations.

If the personal data is accessed from countries that do not offer an adequate level of protection, Grifols will adopt, if required, appropriate safeguards on such international data transfers in accordance with applicable data protection legislation. You may request Grifols additional information on the appropriate safeguards by writing to the address

Grifols does not share the personal data with any other third party, unless necessary for the daily management of the activities set out in Section 3 and/or unless required by applicable law.

7. How does Grifols obtain the personal data and what categories of personal data are processed when not provided by the data subject?

Grifols only processes those personal data that are relevant for the purposes mentioned in Section 3.

When the reporter of the adverse event is not the patient, Grifols obtains the patient's personal data detailed below from the reporter. The personal data of the healthcare professional could be obtained from the reporter or through any other third party.

The personal data that might not have been obtained from the data subject and has thus been obtained from other sources are:

(a) data that allows indirect identification (for example, age and sex ) of the patients exposed to the adverse event and its health data (for example, treatments administered and nature of the adverse effect), which has been obtained from the reporter, and

(b) identifying data and contact details of the healthcare professional responsible of the patient exposed to the adverse event, that has been obtained from the reporter or another source.

8. Which are your data protection rights?

Right Content
Access You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.
Rectification You may request the rectification of your personal data if this is inaccurate.
Restriction of processing You may request a restriction on how personal data is processed when:
  • the accuracy of your personal data is being verified after you have contested its accuracy.
  • processing of your personal data is unlawful and you oppose to its erasure.
  • Grifols does no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.
  • you have objected to the processing of your personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, whilst it is being verified whether the legitimate grounds of Grifols override yours.


For notifications of adverse events made to Grifols France, S.A.R.L. (acting as data controller), you also have a right to provide guidance on the management of your data after your death.

Given that the legal basis to process personal data are the compliance with legal obligations, the rights of erasure, objection and portability are not applicable.  

You may exercise, when appropriate, the data protection rights by sending a written communication to Grifols' MAH and/or Grifols' LQPVCP to the corresponding address identified here and indicating as subject matter of the communication "Pharmacovigilance – Adverse Events Notification". For these purposes, Grifols may request a copy of your ID card/passport in force or any other valid document evidencing your identity.

In addition, you may lodge a complaint with a data protection authority.

Date of creation: May 2018
Date of last update: March 2020