Shareholders Meeting – Privacy Notice

Grifols is a global healthcare group founded in Barcelona in 1909 committed to improving the health and well-being of people around the world. Its three main business units - Biopharma, Diagnostic and Bio Supplies - develop, produce and market innovative solutions and services that are sold in more than 100 countries.

Grifols respects the privacy rights of all data subjects who entrust Grifols with their personal data and is committed to complying with the data protection regulations applicable in each country.

This privacy notice has been prepared in accordance with the European Union General Data Protection Regulation (the "GDPR") and applicable privacy and data protection laws; see Section 7 for specific provisions. It outlines Grifols' data collection practices and the data subjects’ rights in the context of Grifols' collection, use and sharing of their personal data.

This privacy notice applies to the personal data of shareholders, their legal representatives and employees of custodian or depositary entities. For the purpose of this privacy notice, "data subject" refers to these types of individuals.

The data controller/owner is Grifols, S.A. with address for contact purposes at Parque Empresarial Can San Joan, Avenida de la Generalitat, 152-158, 08174, Sant Cugat del Valles (Barcelona) ("Grifols").

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols' compliance with the data protection legislation and best protect your rights under such legislation. You may contact the data protection officer at dpo@grifols.com.

1. For example, name, last name, signature, image, voice, ID/passport, address, phone number, username and email address to access the digital voting/delegation platform and the shareholders’ forum.
2. For example, language, opinions and voting intention
professional contact details, job position, place of work, member of professional associations.
3. For example, number of shares held, data of the depository, data relating to the delegation or representation.
4. For example, IP address, access credentials, visited sections.

Purposes Categories of personal data and recipients Lawful basis
  • Development, compliance and control of the shareholder relationship, including among others: 
    • Management of the notice, celebration, development and control of the General Shareholders' Meeting.
    • Management of the rights’ exercise of information, participation, attendance, representation and voting (in person or electronically) or of their delegation.
    • Identity verification of attendees with access to the venue where the meeting is held.
  • Management of the electronic platform for delegation of attendance, voting and Shareholders' Forum, including among others:
    • Identity verification of the shareholder or representative.
    • Access to and use of the electronic platform.
    • Registration and participation in the Shareholders' Forum.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Interests and preferences2.
  • Shareholding and financial data3.
  • Browsing history data4.

Recipients:

  • Providers of products and services.

Lawful basis:

  • Legal Obligation
  • Execution of a contract
 

  • Live broadcast of the General Shareholders' Meeting to facilitate remote attendance and participation by shareholders or their representatives, as well as image capture and audiovisual recording to document and provide information about the event. When accessing the meeting venue or making an intervention, the image and voice of the attendee may be captured for the purposes indicated.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Interests and preferences2.

Recipients:

  • Providers of products and services.

Lawful basis:

  • Consent (by voluntarily posing for the camera)
  • Legitimate interest

  • To carry out maintenance tasks in websites, landing pages and apps to offer a secure environment to its users. 

Categories of personal data:

  • Browsing history data4.

Recipients:

  • Providers of products and services.

Lawful basis:

  • Legitimate interest

  • To customize certain functionalities of websites, landing pages, and apps based on the data subjects' browsing preferences and analyse their browsing behaviour with the aim of improving the services offered through these platforms. 

Categories of personal data:

  • Browsing history data4.
  • Interests and preferences2.

Recipients:

  • Providers of products and services.

Lawful basis:

  • Consent

 

3.1. Additional information about the lawful basis to process personal data

The table above shows the applicable lawful basis to process the personal data by purpose. In this section, you can find additional details of the lawfulness of the processing:

  • Consent: Data subjects may provide their consent, for example, by clicking acceptance buttons or ticking boxes in cookie banners on websites, landing pages and apps, or by any other clear affirmative action (for example, by voluntarily posing in front of a camera). Data subjects may withdraw their consent at any time, as set out in Section 6.
  • Legitimate interest (of Grifols and/or third parties): Grifols considers that the legitimate interests to facilitate the virtual attendance to the Shareholders’ Meeting by shareholders and their representatives by broadcasting it in real time, as well as the capture of images and audiovisual recording to document the event, override the fundamental rights and freedoms of the data subjects, given that these processing operations are within the data subjects' reasonable expectations based on their relationship with Grifols.

    In any event, data subjects may request further information on the legitimate interest or exercise their right to object to the processing of their personal data based on legitimate interest by addressing their request to privacy@grifols.com.
  • Execution of a contract: Failure to provide the personal data requested may result in Grifols being unable to manage or maintain the shareholding relationship with the data subject or, where applicable, to process any proxy granted for attendance at and the exercise of shareholders’ rights at the General Shareholders' Meeting.
  • Legal Obligation: applies when the processing of personal data is necessary to comply with legal obligations applicable to Grifols. Failure to provide the personal data requested could result in the impossibility for Grifols to comply with such legal obligations. Section 7 includes details of the specific regulations applicable to Grifols that require the processing of personal data.

 

3.2. Recipients of personal data 

The table above shows categories of recipients with whom Grifols may share personal data, by purpose. This section includes additional information regarding these recipients when applicable:

  • Providers of products and services: for example, service providers related to the organization and management of the shareholders’ meeting; providers of the virtual meeting platform; event organizers; the public notary responsible for recording the minutes of the meeting; lawyers; auditors; photographers; camera crews; and media agencies or media owners.

    The Company’s websites may include cookies or similar technologies from third parties other than the Company. This usually occurs when the Company’s website incorporates elements from other websites (such as images or social network plugins, for example, to access the Company’s profile on these platforms) or when the Company contracts third parties to provide measurement, analysis or marketing services for the website. By accepting the installation of these cookies, clicking on these plugins or performing similar actions, users' personal data (including IP address and browsing data) may be transferred to the providers of these technologies, including social network providers. The Company will not be liable for any further processing of such personal data by these providers.

    The purpose and scope of the data collection, as well as its subsequent processing and use by the providers of such technologies, together with the related rights and available options for configuring privacy settings, may be consulted in the privacy information provided by these companies. 

Grifols will endeavour that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed in countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards (e.g. the standard contractual clauses included in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, if GDPR is applicable) to carry out such international data transfers in accordance with the applicable data protection legislation. Specific information on the appropriate safeguards applicable to each international data transfer can be obtained from Grifols at privacy@grifols.com.

Grifols does not share personal data with any other third party unless it is authorised by the data subject or required by the applicable law.
 

Grifols will retain the personal data for the time strictly necessary for the fulfilment of the purposes for which it has been collected or, if applicable, until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

If data subjects do not directly provide Grifols with their personal data, Grifols may obtain them from:

  • Share depositories or custodian entities.
  • The entity legally authorized to keep the registry of the securities represented by means of book entries (Sociedad de Gestión de los Sistemas de Registro, Compensación y Liquidación de Valores S.A.U. - Iberclear).
  • In the event that you have been appointed as a proxy, the data comes from the shareholder who has appointed you.

If data subjects provide personal data of third parties, they will inform said third parties beforehand of the transfer of their personal data to Grifols and provide them with a copy of this privacy notice.

The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.

 

Rights Content

Access

You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.

Rectification

You may request the rectification of your personal data if inaccurate.

Erasure

You may request the erasure of your personal data.

Objection

You may request that your personal data is not processed under specific circumstances.

Portability

You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.

Restriction of processing

You may request a restriction on how your personal data is processed when:

  • the accuracy of the personal data is being verified after being contested.
  • processing of your personal data is unlawful and you object to its erasure.
  • Grifols no longer needs the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
  • you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.
     

Withdrawal of consent

You may withdraw your consent without affecting the lawfulness of the processing based on consent before its withdrawal.

 

You may exercise, when appropriate, your data protection rights by, for example, sending a written communication to Grifols at privacy@grifols.com with the subject line "Shareholders Meeting". To that end, Grifols may request further information or documents if necessary or appropriate to identify you. 

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.

European Union
The legal bases for processing the personal data identified in Section 3 are regulated in the following provisions of the GDPR:

  • Consent: Article 6(1)(a) of the GDPR
  • Legitimate interest (of Grifols and/or any third party): Article 6(1)(f) of the GDPR
  • Execution of a Contract: Article 6(1)(b) of the GDPR
  • Legal obligation: Article 6(1)(c) of the GDPR

Spain
The legal obligation referred to in Section 3 is regulated by the Companies Act (“Ley de Sociedades de Capital”).
 

Last update: April 2026