Interactions with Healthcare Professionals (HCP's) and Commercial Contacts

Privacy notice available in other languages.

Grifols is a global healthcare group founded in Barcelona in 1909 committed to improving the health and wellbeing of people around the world. Its three main business units – Biopharma, Diagnostic and Bio Supplies – develop, produce and market innovative solutions and services that are sold in more than 100 countries.

Grifols respects the privacy rights of all data subjects who entrust Grifols with their personal data and is committed to complying with the data protection regulations applicable in each country.

This privacy notice has been prepared in accordance with the European Union General Data Protection Regulation (the "GDPR") and applicable privacy and data protection laws; see Section 7 for specific provisions. It outlines Grifols' data collection practices and the data subjects’ rights in the context of Grifols collection, use and sharing of their personal data.

This privacy notice applies to the processing of personal data of (a) healthcare professionals, commercial contacts and individuals belonging to institutions to whom Grifols provides, or could potentially provide services and/or products, and (b) healthcare professionals or commercial contacts that collaborate or could potentially collaborate with Grifols directly or indirectly. For the purpose of this privacy notice, "data subject" refers to both types of individuals.

1. Identification of the data controller(s)/owner(s) of the personal data

The data controller(s)/owner(s) is/are:

  1. The Grifols' group company with which the data subjects (as defined above) have a contractual relationship,
  2. The Grifols' group company operating and identified as such in the websites, landing pages, apps, and any other similar digital platforms through which the personal data of the data subjects are processed,
  3. The Grifols' group company contacting or to whom the data subjects may contact (as identified in the methods used to establish said contact) for the remaining purposes set out in Section 3,
  4. The Grifols’ group company that acts as the sponsor of a research study for which the data subject is the principal investigator, or
  5. Grifols Viajes, S.A. for all activities relating to the management of travel and events.

When the processing of personal data has a scientific or anti-corruption purpose, the data controllers/owners of the personal data will jointly be the company identified in Section 1(a), (b) or (c) and Grifols, S.A.

The identity and contact details of the Grifols' group companies are available here. The Grifols' group company/ies acting as controller/s or joint controllers will be referred to as "Grifols".

2. Identification of the data protection officer

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols' compliance with the data protection legislation and best protect your rights under such legislation. You may contact the data protection officer at dpo@grifols.com, unless the data controllers are Grifols Deutschland GmbH or Haema AG, in which case you may contact the data protection officer of each of these companies at dsb@grifols.com and dsb@haema.de, respectively.

If they so wish, the data subjects may ask the data protection officer for more information about the essential aspects of the joint controllership agreement resulting from what is set out in Section 1.

3. Purposes, lawful basis for processing, categories and recipients of personal data

Purposes
  • To contact data subjects by any means, including electronic ones, to evaluate potential business opportunities and collaborations, and to develop, control and manage current and future relationships. The reasons for contacting data subjects may include but are not limited to:
    • Scheduling appointments (online or in-person),
    • Evaluating their participation as speakers or members in advisory boards, symposiums, conferences, webinars, training sessions, scientific awards, clinical studies or similar events organized by Grifols or by third parties (online or in-person), and in drafting scientific publications,
    • Sending surveys or similar, and
    • Any other activities that may contribute to evaluating potential business opportunities.
  • To assess and, if applicable, to respond to any requests for information or suggestions.
  • To develop and maintain the relationship with personnel of the organizations with whom Grifols has a contractual relationship, including the management of training sessions.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Academic information5.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations
Lawful basis

Legitimate interest

  • To send scientific, educational and commercial information about Grifols’ group products, services, and activities, by any means, including electronic ones, when there is a contractual relationship with the data subject (e.g. direct marketing). As set out in Section 6, the data subjects may exercise their right to object to the processing of their data for direct marketing purposes.
  • To send scientific and educational information, which is not related to Grifols’ group products, services and activities, to increase the knowledge in the scientific community. 
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Academic information5.
  • Interests and preferences.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
Lawful basis

Legitimate interest

  • To carry out anticorruption compliance checks, which include the assessment of the capacity of the organizations or other third parties to collaborate with Grifols and initiate or maintain commercial relationships in accordance with Grifol’s anti-corruption programmes.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.
  • Academic information5.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.
Lawful basis

Legitimate interest

  • To carry out maintenance tasks in websites, landing pages and apps to offer a secure environment to its users.
Categories of personal data and recipients

Categories of personal data:

  • Browsing history data4.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
Lawful basis

Legitimate interest

  • To manage corporate reorganization activities.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.
  • Browsing history data4.
  • Academic information5.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
Lawful basis

Legitimate interest

  • To interact (i.e., respond to messages or comments, generate reactions, share content, etc.) with users of Grifols' profiles on social networks, which would involve the communication of certain data (i.e., IP address and browsing history data) to the providers of these social networks.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Browsing history data4.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
Lawful basis

Legitimate interest

  • To send scientific, educational and commercial information about Grifols' group products, services and activities, by any means, including electronic ones, if a contractual relationship with the data subject does not exist. As set out in Section 6, data subjects may withdraw their consent to have their data processed for direct marketing purposes.
  • To manage and control the registration, participation and attendance of data subjects to symposiums, conferences, webinars, training sessions, scientific awards or similar events, in person or online, organized by Grifols or third parties.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Academic information5.
  • Interests and preferences.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
Lawful basis

Consent

  • To create profiles of data subjects based on their preferences and personal interests; this information is provided by the data subjects, obtained from the third-party sources detailed in Section 5 and from analysing their behaviour (through cookies or similar technologies) when receiving or interacting with communications from Grifols or when browsing the internet. Grifols will use these profiles to send communications which meet data subjects' preferences, interests and behaviours. Automated decisions will not be taken based on such profile. As set out in Section 6, data subjects may withdraw their consent to the processing of their personal data for the creation of profiles for direct marketing purposes. Occasionally, data subjects’ profiles will be prepared in an aggregated manner so that Grifols does not know in any way their identity and, in such cases, the aggregated information will be used to analyse the behaviour of segments of data subjects.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Browsing history data4.
  • Academic information5.
  • Interests and preferences.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
Lawful basis

Consent

  • To customize certain features of websites, landing pages and apps based on the data subjects' browsing preferences and analyse their browsing behaviour with the aim to improve the services offered through these platforms. The information about profiling activities and behavioural analysis is available in this Privacy Notice and, if applicable, in the Cookies Policy of the relevant webpage, landing page or app.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Browsing history data4.
  • Interests and preferences.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
Lawful basis

Consent

  • To publish the transfers of value (compensation) made to data subjects, to comply with the Grifols' group policy, as well as with the guidelines and regulations issued by the different associations of the pharmaceutical industry to ensure greater transparency in the interactions between the different market players.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.
Lawful basis

Consent

  • To use the data subjects' personal data (including their image, voice and any other identifying feature) in the terms regulated in the authorization document for the recording and use of images or other identifying features or in any other communication of similar characteristics, as well as for evidencing the consent of the data subjects.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
Lawful basis

Consent

  • To share the personal data with distributors of companies of the Grifols' group for the latter to use the personal data to evaluate potential business opportunities and collaborations.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.

Recipients:

  • Distributors of companies of the Grifols' group and other commercial contacts.
Lawful basis

Consent

  • To respond to medical and technical (non-commercial) requests for information about products manufactured or distributed by Grifols.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
Lawful basis

Legal obligation

  • To publish the transfers of value (compensation) made to the data subjects to ensure greater transparency in the interactions held among the distinct market players, as further detailed in Section 7.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.
Lawful basis

Legal obligation

  • To comply with certain regulatory obligations resulting from interactions with data subjects.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.
  • Academic information5.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.
Lawful basis

Legal obligation

  • To execute and maintain the existing contractual relationship between Grifols and the data subjects, including the communication of the personal data and the use of the image, voice or other identifying features of the data subjects necessary to accomplish the contractual purposes.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Financial entities.
Lawful basis

Execution of a contract

  • To manage travel and events
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Interests and preferences
  • Professional data2.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.
Lawful basis

Execution of a contract:
When the processing is carried out by the Grifols’ group company with whom the data subject has a contractual relationship

Legitimate Interest:
When the processing is carried out by Grifols Viajes, S.A.

  • To analyse and understand the type of characteristics of attendees to symposiums, conferences, webinars, training sessions, scientific awards or similar events, in person or online, organized by Grifols or third parties.
Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Academic information5.
  • Interests and preferences.


Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
     
Lawful basis

Legitimate Interest

1. For example, name, last name, sex, nationality, image, voice, number of national/foreigner's ID/passport document, social security affiliation number, username.
2. For example, professional contact details, job position, place of work, member of professional associations.
3. For example, financial interests and bank details.
4. For example, IP address, device or user ID, browser type and version, visited sections, country from which the connexion is made.
5 For example, training, degree, curriculum vitae.

Purposes Categories of personal data and recipients Lawful basis
  • To contact data subjects by any means, including electronic ones, to evaluate potential business opportunities and collaborations, and to develop, control and manage current and future relationships. The reasons for contacting data subjects may include but are not limited to:
    • Scheduling appointments (online or in-person),
    • Evaluating their participation as speakers or members in advisory boards, symposiums, conferences, webinars, training sessions, scientific awards, clinical studies or similar events organized by Grifols or by third parties (online or in-person), and in drafting scientific publications,
    • Sending surveys or similar, and
    • Any other activities that may contribute to evaluating potential business opportunities.
  • To assess and, if applicable, to respond to any requests for information or suggestions.
  • To develop and maintain the relationship with personnel of the organizations with whom Grifols has a contractual relationship, including the management of training sessions.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Academic information5.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations

Legitimate interest

  • To send scientific, educational and commercial information about Grifols’ group products, services, and activities, by any means, including electronic ones, when there is a contractual relationship with the data subject (e.g. direct marketing). As set out in Section 6, the data subjects may exercise their right to object to the processing of their data for direct marketing purposes.
  • To send scientific and educational information, which is not related to Grifols’ group products, services and activities, to increase the knowledge in the scientific community. 

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Academic information5.
  • Interests and preferences.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.

Legitimate interest

  • To carry out anticorruption compliance checks, which include the assessment of the capacity of the organizations or other third parties to collaborate with Grifols and initiate or maintain commercial relationships in accordance with Grifol’s anti-corruption programmes.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.
  • Academic information5.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.

Legitimate interest

  • To carry out maintenance tasks in websites, landing pages and apps to offer a secure environment to its users.

Categories of personal data:

  • Browsing history data4.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.

Legitimate interest

  • To manage corporate reorganization activities.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.
  • Browsing history data4.
  • Academic information5.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.

Legitimate interest

  • To interact (i.e., respond to messages or comments, generate reactions, share content, etc.) with users of Grifols' profiles on social networks, which would involve the communication of certain data (i.e., IP address and browsing history data) to the providers of these social networks.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Browsing history data4.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.

Legitimate interest

  • To send scientific, educational and commercial information about Grifols' group products, services and activities, by any means, including electronic ones, if a contractual relationship with the data subject does not exist. As set out in Section 6, data subjects may withdraw their consent to have their data processed for direct marketing purposes.
  • To manage and control the registration, participation and attendance of data subjects to symposiums, conferences, webinars, training sessions, scientific awards or similar events, in person or online, organized by Grifols or third parties.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Academic information5.
  • Interests and preferences.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.

Consent

  • To create profiles of data subjects based on their preferences and personal interests; this information is provided by the data subjects, obtained from the third-party sources detailed in Section 5 and from analysing their behaviour (through cookies or similar technologies) when receiving or interacting with communications from Grifols or when browsing the internet. Grifols will use these profiles to send communications which meet data subjects' preferences, interests and behaviours. Automated decisions will not be taken based on such profile. As set out in Section 6, data subjects may withdraw their consent to the processing of their personal data for the creation of profiles for direct marketing purposes. Occasionally, data subjects’ profiles will be prepared in an aggregated manner so that Grifols does not know in any way their identity and, in such cases, the aggregated information will be used to analyse the behaviour of segments of data subjects.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Browsing history data4.
  • Academic information5.
  • Interests and preferences.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.

Consent

  • To customize certain features of websites, landing pages and apps based on the data subjects' browsing preferences and analyse their browsing behaviour with the aim to improve the services offered through these platforms. The information about profiling activities and behavioural analysis is available in this Privacy Notice and, if applicable, in the Cookies Policy of the relevant webpage, landing page or app.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Browsing history data4.
  • Interests and preferences.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.

Consent

  • To publish the transfers of value (compensation) made to data subjects, to comply with the Grifols' group policy, as well as with the guidelines and regulations issued by the different associations of the pharmaceutical industry to ensure greater transparency in the interactions between the different market players.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.

Consent

  • To use the data subjects' personal data (including their image, voice and any other identifying feature) in the terms regulated in the authorization document for the recording and use of images or other identifying features or in any other communication of similar characteristics, as well as for evidencing the consent of the data subjects.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.

Consent

  • To share the personal data with distributors of companies of the Grifols' group for the latter to use the personal data to evaluate potential business opportunities and collaborations.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.

Recipients:

  • Distributors of companies of the Grifols' group and other commercial contacts.

Consent

  • To respond to medical and technical (non-commercial) requests for information about products manufactured or distributed by Grifols.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.

Legal obligation

  • To publish the transfers of value (compensation) made to the data subjects to ensure greater transparency in the interactions held among the distinct market players, as further detailed in Section 7.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.

Legal obligation

  • To comply with certain regulatory obligations resulting from interactions with data subjects.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.
  • Academic information5.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.

Legal obligation

  • To execute and maintain the existing contractual relationship between Grifols and the data subjects, including the communication of the personal data and the use of the image, voice or other identifying features of the data subjects necessary to accomplish the contractual purposes.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Financial data3.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Financial entities.

Execution of a contract

  • To manage travel and events

Categories of personal data:

  • Identification data and personal characteristics1.
  • Interests and preferences
  • Professional data2.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Public or private organizations.

Execution of a contract:
When the processing is carried out by the Grifols’ group company with whom the data subject has a contractual relationship

Legitimate Interest:
When the processing is carried out by Grifols Viajes, S.A.

  • To analyse and understand the type of characteristics of attendees to symposiums, conferences, webinars, training sessions, scientific awards or similar events, in person or online, organized by Grifols or third parties.

Categories of personal data:

  • Identification data and personal characteristics1.
  • Professional data2.
  • Academic information5.
  • Interests and preferences.


Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
     

Legitimate Interest

3.1. Additional information about the lawful basis to process personal data

The table above shows the applicable lawful basis to process the personal data by purpose. In this section, you can find additional details of the legitimacy of the processing:

  • Consent: Data subjects may provide their consent through the data collection forms, by clicking acceptance buttons or ticking boxes, replying to e-mails or making any other affirmative clear action. Data subjects may withdraw their consent at any time, as set out in Section 6.
  • Execution of a contract: Failure to provide the personal data requested by Grifols could result in the impossibility of executing or maintaining such contract.
  • Legitimate interest (of Grifols and/or third parties): Grifols is interested in contributing to the advancement of scientific knowledge and research in a secure environment with the aim of guaranteeing people's health. Therefore, Grifols pursues the following legitimate interests which override the fundamental rights and freedoms of the data subjects, given that the processing is within the data subjects' reasonable expectations based on their relationship with Grifols:
    • Prevention of fraud,
    • Direct marketing
    • Daily management of a multinational group of companies and internal administration, which means sharing information with the companies of the Grifols group, and
    • Creation of a secure information system infrastructure for preventing unlawful or malicious activities that may compromise the personal data.Ç

In any event, data subjects may request further information on the legitimate interest or exercise their right to object to the processing of their personal data based on legitimate interest by addressing their request to privacy@grifols.com.

  • Legal obligation (article 6.1(c) of GDPR): applies when the processing of personal data is necessary for Grifols to comply with legal obligations. Section 7 includes details of the specific regulations applicable to Grifols that require the processing of personal data. Failure to provide the personal data requested could result in the impossibility for Grifols to comply with such legal obligations.

The processing of special categories of personal data is only permitted in compliance with the data protection regulations applicable in each country. See Section 7 for more information.

 

3.2. Recipients of personal data

The table above shows categories of recipients with whom Grifols may share personal data by purpose. This section includes additional information regarding these recipients when applicable: 

  • Grifols' group of companies: The list is available here.
  • Distributors of companies of the Grifols' group and other commercial contacts: for example, agents and any other commercial contact who can help Grifols evaluate business opportunities.
  • Providers of Grifols’ products and services: for example, travel agencies, transport companies, IT service providers, credit risk service providers, clinical studies service providers, insurance providers, courier agencies, marketing agencies, event organizers, providers operating in the anticorruption sector, lawyers, auditors, photographers, cameramen and media agencies/owners.

Grifols' website may include cookies or similar technologies of third parties other than Grifols. This usually occurs when Grifols’ website incorporates elements from other websites (such as images or social network plugins, for example,  in order to access Grifols' profile on these platforms), or when Grifols contracts third parties to provide website measurement, analysis or marketing services. By accepting the installation of these cookies, clicking on these plugins or performing similar actions, users' personal data (including IP address and browsing data) may be transferred to the providers of these technologies, including providers of social networks, and Grifols is not responsible for the subsequent processing that these providers may carry out with this personal data. The purpose and scope of the collection of data and its subsequent processing and use by the providers of these technologies, as well as the related rights and the possibilities of configuring privacy settings, can be consulted in the data protection information of each of these companies.

  • Public or private organizations: for example, health authorities, pharmaceutical industry associations or governmental organizations.
  • Potential investors or purchasers
  • Financial entities

Grifols will endeavour that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed in countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards (e.g. the standard contractual clauses included in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, if GDPR is applicable) to carry out such international data transfers in accordance with the applicable data protection legislation. Specific information on the appropriate safeguards applicable to each international data transfer can be obtained from Grifols at privacy@grifols.com.

Grifols does not share personal data with any other third party unless it is authorized by the data subject or required by the applicable law.

4. Retention period

Grifols will retain the personal data for the time strictly necessary for the fulfilment of the purposes for which it has been collected or, if applicable, until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

5. Sources of personal data

If data subjects do not directly provide Grifols with their personal data, Grifols may obtain the personal data from event organizers databases and public sources, such as websites and publications from the healthcare sector, professional social networks or social listening tools (that is, tools aimed at identifying and evaluating the market's perception about a specific brand, product, company, topic or problem).

If data subjects provide personal data of third persons for the purpose of executing and maintaining a contractual relationship, the data subjects will inform said third persons about the processing of their personal data beforehand, by providing a copy of this privacy notice.

6. Data protection rights

The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.

Rights

Access

Content

You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.

Rectification

Content

You may request the rectification of your personal data if inaccurate.

Erasure

Content

You may request the erasure of your personal data.

Objection

Content

You may request that your personal data is not processed under specific circumstances.

Portability

Content

You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.

Restriction of processing

Content

You may request a restriction on how your personal data is processed when:

  • the accuracy of the personal data is being verified after you have contested its accuracy.
  • processing of your personal data is unlawful and you object to its erasure.
  • Grifols does no longer need the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
  • you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.

Withdrawal of consent

Content

You may withdraw your consent without affecting the lawfulness of the processing based on consent before its withdrawal.

Rights Content

Access

You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.

Rectification

You may request the rectification of your personal data if inaccurate.

Erasure

You may request the erasure of your personal data.

Objection

You may request that your personal data is not processed under specific circumstances.

Portability

You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.

Restriction of processing

You may request a restriction on how your personal data is processed when:

  • the accuracy of the personal data is being verified after you have contested its accuracy.
  • processing of your personal data is unlawful and you object to its erasure.
  • Grifols does no longer need the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
  • you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.

Withdrawal of consent

You may withdraw your consent without affecting the lawfulness of the processing based on consent before its withdrawal.

You may exercise, when appropriate, your data protection rights by, for example, sending a written communication to Grifols at privacy@grifols.com with the subject line "Interactions with HCP’S and Commercial Contacts". To that end, Grifols may request further information or documents if necessary or appropriate to identify you. 

For residents in the United States, please contact the Privacy Office at US-PrivacyRights@Grifols.com.

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.

7. Specific Provisions

  • European Union

The legal bases for the processing of the personal data identified in Section 3 are regulated by the following provisions of the GDPR:

  • Consent: Article 6.1(a) of the GDPR
  • Execution of a Contract: Article 6.1(b) of the GDPR
  • Legitimate Interest (of Grifols and/or any third party): Article 6.1(f) of the GDPR
  • Legal Obligation: Article 6.1(c) of the GDPR

The legal obligation referred to in Section 3 with respect to the response to medical and technical (non-commercial) requests for information about products manufactured or distributed by Grifols is regulated in Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the community code relating to medicinal products for human use and any other applicable regulations implementing, developing, complement and replacing the aforementioned.

The processing of special categories of personal data is only permitted when the data subject has given explicit consent to do so (Article 9.2(a) of the GDPR).

 

  • France

When Grifols France S.A.R.L. is the data controller, the data subjects have the right to provide guidance on the management of their data after their death.

The legal obligation referred to in Section 3 to publish the transfers of value made to the data subjects and to share said personal data with the health authorities or associations of the pharmaceutical industry is regulated in the French public health code and in any other law that develops, complements and/or replaces it.

 

  • Italy

The legal obligation referred to in Section 3 to publish the transfers of value made to the data subjects and to share said personal data with the health authorities or associations of the pharmaceutical industry is regulated in the Italian Sunshine Act (Law 62/2022) and in any other law that develops, complements and/or replaces it.

 

  • People’s Republic of China
  1. Mainland China: When your personal data is being processed by any Grifols' group company in mainland of the People’s Republic of China, the addendum available here applies to you. The addendum is set out in addition to and forms an integral part of this privacy notice.

 

  • Portugal

When Grifols Portugal – Produtos Farmacêuticos e Hospitalares, Lda. is the data controller, the data subjects have the right to provide guidance on the management of their data after their death. When guidance on the management of their data has not been provided by the deceased data subjects, the exercise of the data protection rights defined in Section 6 may be carried out by their heirs. The data subjects may also determine the impossibility of exercising these rights after their death.

When there is a legal obligation of secrecy, the rights of the data subjects cannot be exercised.

The legal obligation referred to in Section 3 to publish the transfers of value made to the data subjects and to share said personal data with the health authorities or associations of the pharmaceutical industry in order to ensure greater transparency in the interactions held among the distinct market players is regulated in the Medicinal Product Statue (Decree Law 176/2006), in the Medical Devices Regime (Decree-Law 145/2009) and in any other laws that develop, complement and/or replace these.

 

  • Thailand

When Grifols Thailand Ltd. is the data controller, see full privacy notice here.

 

  • United Kingdom

All references throughout the document to the GDPR also refer to, as applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland.

 

  • United States

You can review the privacy notice here

Last update: April 2024

Privacy notice available in other languages