PRIVACY NOTICE
INTERACTIONS WITH HCP's AND COMMERCIAL CONTACTS

Interactions with healthcare professionals (HCP's) and commercial contacts

1. Introduction

Grifols is a global healthcare group committed to improving the health and well-being of people around the world. Its four divisions – Bioscience, Diagnostic, Hospital and Bio Supplies – develop, produce and market innovative solutions and services that are sold in more than 100 countries.

Grifols respects the privacy rights of any data subjects who entrust Grifols with their personal data and is committed to comply with applicable data protection regulations in each country.

This privacy notice has been prepared in accordance with the General Data Protection Regulation (the "GDPR"). It outlines Grifols' data collection practices and the choices data subjects can make about the way Grifols collects, uses and shares their personal data.

If any section of this privacy notice conflicts with any provision of the data protection legislation that applies to the data subjects, the provisions set out in the applicable data protection legislation will prevail.

2. Identification of the data controller(s)/owner(s) of the personal data

The data controllers/owners are:

(a) the Grifols' group company that contacts the data subjects to evaluate potential business opportunities and develop scientific and commercial relationships;

(b) the Grifols' group company with whom the data subjects or the institution to whom the data subjects are part have a contractual relationship, and/or

(c) the Grifols' group company operating and identified as such in the websites, landing pages, apps and any other similar digital platforms by means of which personal data of the data subjects is processed.

The identity and contact details of the Grifols' group companies are available here. The Grifols' group companies will be individually or jointly referred to as "Grifols".

3. Identification of the data protection officer

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols' compliance with the data protection legislation and guarantee your rights under such legislation. You may contact the data protection officer at dpo@grifols.com, unless the data controllers are Grifols Deutschland GmbH or Haema AG, in which case you may respectively contact the data protection officer of each of these companies at dsb@grifols.com and dsb@haema.com.

4. Purposes and lawfulness of the processing

Purposes Lawful basis
  • To establish contact with data subjects by any means, including electronically, to evaluate potential business opportunities and collaborations as well as to develop, control and manage current and future relationships. The purpose of the contacts may include but is not limited to:
    • Scheduling appointments (virtual or in person),
    • Evaluating their participation as attendees, speakers or members in advisory boards, symposiums, conferences, webinars, training sessions or similar events organized by Grifols or by third parties (virtual or in person),
    • Any other activities and information that may contribute to evaluate potential business opportunities.
  • To send information about Grifols' products, services, activities and scientific and educational information, by any means including electronically when there is a current relationship with the data subject. As set out in Section 8, data subjects are entitled to exercise their right to object to the processing of their personal data for direct marketing purposes.
  • To respond to requests of information and suggestions.
  • To carry out anticorruption compliance checks.
  • To carry out maintenance tasks of the websites, landing pages and apps to offer a secure environment to its users.
  • To establish, exercise or defend from claims.
  • To manage corporate reorganization activities.
     
 Legitimate interest of Grifols and/or of third parties (article 6.1(f) of GDPR):

Grifols considers that the legitimate interest in which bases the processing of the personal data overrides data subjects' fundamental rights and freedoms, given that the processing is:
  • Within the reasonable expectations of the data subjects based on their relationship with Grifols,
  • Necessary to prevent fraud,
  • For direct marketing purposes,
  • Part of the daily management of a multinational group of companies,
  • Necessary to create a secure information system infrastructure and prevent unlawful or malicious actions that may compromise personal data.
In any case, data subjects may request further information on legitimate interest or exercise their right to object by addressing such request to privacy@grifols.com.
  • To send information about Grifols' products, services, activities and scientific and educational information, by any means including electronically provided that no current relationship exists with the data subject. As set out in Section 8, data subjects are entitled to exercise their right to object/to withdraw consent to the processing of their personal data for direct marketing purposes.
  • To create data subjects' profiles based on (a) the preferences provided by the data subjects, (b) the information received from third party sources detailed in Section 7, and (c) data subjects' behavior when receiving communications or when browsing internet. Grifols will use these profiles to send communications to the data subjects that are relevant to their interests. Automated decisions will not be taken based on such profile. As set out in Section 8, data subjects are entitled to exercise their right to object/to withdraw consent to the processing of their personal data for direct marketing purposes, including when profiling activities are carried out for direct marketing.
  • To manage and control data subjects' registration, participation and attendance to symposiums, conferences, webinars, training sessions or similar events, organized by Grifols or by third parties held in person or virtually.
  • To customize certain features of the websites, landing pages and apps in accordance with data subjects' browsing preferences and analyzing data subjects' behavior with the aim of improving the services offered through them. This analysis will be used by Grifols to send tailored communications in some circumstances. The information on profile activities and analysis behavior is available in this Privacy Notice and, if applicable, in the Cookies Policy of the relevant website, landing page and app.
  • To publish the transfers of value made to the data subjects in order to comply with Grifols' group policy, as well as the guidelines and/or regulations that the different associations of the pharmaceutical industry issue to ensure greater transparency in the interactions held among the distinct market players.
 Consent (article 6.1(a) of GDPR):

Data subjects may provide consent through data collection forms, by clicking acceptance buttons or ticking boxes, by replying e-mails or by making any other affirmative clear action.

Data subjects can withdraw their consent at any time.
  • To respond to medical and technical (non-commercial) requests of information regarding products manufactured or distributed by Grifols.
  • To publish the transfers of value made to the data subjects in order to comply with Grifols' group policy, the applicable laws, as well as the guidelines and/or regulations that the different associations of the pharmaceutical industry issue to ensure greater transparency in the interactions held among the distinct market players.
  • To comply with certain regulatory obligations resulting from the interactions with data subjects or with the institutions of which they are members.
 Legal obligation (article 6.1(c) of GDPR)

Grifols needs the personal data requested for statutory reasons.
  • To execute and maintain the existing contractual relationship between Grifols and the data subjects or the institutions of which they are members.
 Performance of a contract (article 6.1(b) of GDPR):

The failure to provide the personal data requested by Grifols could result in the impossibility of executing or maintaining such contract.

5. Recipients of personal data

Grifols may share the personal data including, if applicable, the profile of the data subjects with:

  • Grifols' group companies. The list of companies is available here.
  • Providers of products and services hired by Grifols to accomplish the mentioned purposes. These providers are travel agencies, information technology providers, marketing agencies and event organizers.
  • National or international health authorities or associations of the pharmaceutical industry.

If the personal data is processed from countries that do not offer an adequate level of data protection, Grifols and/or the providers (as the case may be) will adopt, if required, the appropriate safeguards on such international data transfers in accordance with applicable data protection legislation. Information on the appropriate safeguards for international data transfers can be obtained from Grifols at privacy@grifols.com.

Grifols does not share the personal data with any other third party, unless required by applicable law.

6. Retention period

Once the purposes for which the personal data processed are fulfilled, Grifols retains the personal data until the end of statutes of limitation of any liabilities that may arise and during the term required to comply with any applicable legal obligation.

7. Sources and categories of personal data

Grifols only processes the personal data that is relevant for the purposes mentioned in Section 4.

If data subjects do not directly provide with their personal data to Grifols, the sources from which Grifols obtains the personal data are databases from event organizers and public sources, such as websites and publications from the healthcare sector, professional social media and social listening techniques (i.e. process to identify and evaluate the perception of the market about a specific brand, product, company, topic or problem).

The personal data that might not have been obtained from the data subject and has thus been obtained from other sources are:

  • Identification data (e.g. name and last name, ID/passport number, etc.)
  • Professional contact details (e.g. e-mail address, postal address and professional phone number, etc.)
  • Professional data (e.g. job position, place of work, membership of scientific societies or associations, etc.)
  • Academic information (e.g. level of studies, CV, etc.)
  • Interests and preferences
  • Browsing history data

8. Data protection rights

The following data protection rights are applicable according to GDPR. Different rights may be applicable under other data protection regulations and Grifols is committed to respect and address said data protection rights.

Rights Content
Access You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.
Rectification You may request the rectification of your personal data if this is inaccurate.
Erasure You may request that your personal data is erased.
Objection You may request that your personal data is not processed in specific circumstances.
Portability You may request receiving, in an electronic file, the personal data that you provided Grifols, as well as the right to transmit it to other parties.
Restriction of processing You may request a restriction on how personal data is processed when:
  • the accuracy of your personal data is being verified after you have contested its accuracy.
  • processing of your personal data is unlawful and you oppose to its erasure.
  • Grifols does no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.
  • you have objected to the processing for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, whilst it is being verified whether the legitimate grounds of Grifols override yours.
Withdrawal of consent You may withdraw your consent without affecting the lawfulness of processing based on consent before its withdrawal.

You may exercise, when appropriate, the data protection rights by sending a written communication to Grifols to privacy@grifols.com and indicating as subject matter of the communication "Interactions with HCPS and Commercial Contacts". For these purposes, Grifols may request a copy of your ID card/passport in force or any other valid document evidencing your identity.

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.

9. Specific Provisions

Privacy Statement for California Residents
https://www.grifols.com/en/privacy-statement-california-residents

Date of creation: July 2020