3.1. Additional information about the lawful basis to process personal data
The table above shows the applicable lawful basis to process the personal data by purpose. In this section, you can find additional details of the lawfulness of the processing:
- Legal obligation (article 6.1(c) of GDPR): Grifols needs to process the requested personal data to comply with legal obligations. Failure to provide the personal data requested could result in the impossibility for Grifols to comply with such legal obligations. Section 7 includes details of the specific regulations applicable to Grifols that requires the processing of personal data.
- Public interest (article 6.1(e) of GDPR): Grifols needs to process the personal data for the performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate interest of Grifols and/or third parties (article 6.1(f) of GDPR): Grifols needs to detect, assess and prevent infringements of applicable laws, regulations and internal policies and procedures in accordance with its corporate principles and values. Therefore, Grifols pursues the following legitimate interests which override the fundamental rights and freedoms of the data subjects, given that the processing is within the data subjects' reasonable expectations based on their relationship with Grifols:
- Prevention of fraud, and
- Daily management of a multinational group of companies and internal administration, which means sharing information with the companies of the Grifols group.
In any event, data subjects may request further information on the legitimate interest or exercise their right to object to the processing of their personal data based on legitimate interest by addressing their request to privacy@grifols.com.
The processing of special categories of personal data (e.g. health data, sex life and sexual orientation, racial or ethnic origin, religious or philosophical beliefs) is based on the fulfilment of obligations and the exercise of specific rights in the field of employment and social security and social protection law (article 9.2(b) of the GDPR), the establishment, exercise or defence of legal claims (article 9.2(f) of the GDPR), or reasons of substantial public interest on the basis of the Whistleblowing Directive and its implementing local regulations (article 9.2(g) of the GDPR).
3.2. Recipients of personal data
The table above shows categories of recipients with whom Grifols may share personal data, by purpose. This section includes additional information regarding these recipients when applicable:
- Grifols' group companies: The list is available here.
- Providers of products and services: for example, IT service providers and lawyers.
- Public or private organizations: for example, governmental organizations, police or judicial authorities.
Grifols will endeavour that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed in countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards to carry out such international data transfers in accordance with the applicable data protection legislation. Information on the appropriate safeguards for international data transfers can be obtained from Grifols at privacy@grifols.com.
Grifols does not share personal data with any other third party unless it is authorised by the data subject or required by the applicable law.