PRIVACY NOTICE

The data controller(s)/owner(s) is/are:

1. The Grifols' group company with which the data subjects (as defined above) have a contractual relationship,
2. The Grifols' group company operating and identified as such in the websites, landing pages, apps, and any other similar digital platforms through which the personal data of the data subjects are processed,
3. The Grifols' group company contacting or to whom the data subjects may contact (as identified in the methods used to establish said contact) for the remaining purposes set out in Section 3, or
4. Grifols Viajes, S.A. for all activities relating to the management of travel and events.

When the processing of personal data has a scientific purpose, the data controllers/owners of the personal data will jointly be the company identified in Section 1(a), (b) or (c) and Grifols, S.A.

The identity and contact details of the Grifols' group companies are available here. The Grifols' group company/ies acting as controller/s or joint controllers will be referred to as "Grifols".

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols' compliance with the data protection legislation and to guarantee your rights under such legislation. You may contact the data protection officer at dpo@grifols.com, unless the data controllers are Grifols Deutschland GmbH or Haema AG, in which case you may contact the data protection officer of each of these companies at dsb@grifols.com and dsb@haema.com, respectively.

Although the essential aspects of the joint controllership agreement resulting from what is set out in Section 1 are provided in this Privacy Notice, the data subjects may ask, if they wish so, the data protection officer for more information.

3.1. Additional information about the lawful basis to process personal data

The table above shows the applicable lawful basis to process the personal data by purpose. In this section, you can find additional details of the lawfulness of the processing:

• Consent (article 6.1(a) of the GDPR): Data subjects may provide their consent through the data collection forms, by clicking acceptance buttons or ticking boxes, replying to e-mails or making any other affirmative clear action. Data subjects may withdraw their consent at any time, as set out in Section 6.
• Execution of a contract (article 6.1(b) of GDPR): Failure to provide the personal data requested by Grifols could result in the impossibility of executing or maintaining such contract.
• Legitimate interest of Grifols and/or third parties (article 6.1(f) of GDPR): Grifols is interested in contributing to the advancement of scientific knowledge and research in a secure environment with the aim of guaranteeing people's health. Therefore, Grifols pursues the following legitimate interests which override the fundamental rights and freedoms of the data subjects, given that the processing is within the data subjects' reasonable expectations based on their relationship with Grifols:
  • Prevention of fraud,
  • Direct marketing
  • Daily management of a multinational group of companies and internal administration, which means sharing information with the companies of the Grifols group, and
  • Creation of a secure information system infrastructure for preventing unlawful or malicious activities that may compromise the personal data.

In any event, data subjects may request further information on the legitimate interest or exercise their right to object to the processing of their personal data based on legitimate interest by addressing their request to privacy@grifols.com.

• Legal obligation (article 6.1(c) of GDPR): Grifols needs to process the requested personal data to comply with legal obligations. Failure to provide the personal data requested could result in the impossibility for Grifols to comply with such legal obligations. Section 7 includes details of the specific regulations applicable to Grifols that require the processing of personal data.

3.2. Recipients of personal data

The table above shows categories of recipients with whom Grifols may share personal data by purpose. This section includes additional information regarding these recipients when applicable:

• Grifols' group of companies: The list is available here.
• Distributors of companies of the Grifols' group and other commercial contacts: for example, agents and any other commercial contact who can help Grifols evaluate business opportunities.
• Providers of products and services: for example, travel agencies, transport companies, IT service providers, credit risk service providers, clinical studies service providers, insurance providers, courier agencies, marketing agencies, event organizers, providers operating in the anticorruption sector, lawyers, auditors, photographers, cameramen and media agencies/owners.

Grifols' website may include social network plugins, which can be recognised by the social network's logo or name, so that users can access Grifols' profile on these platforms. By clicking these buttons, users' personal data (including, IP address and browsing data) will be transferred to the providers of said social networks. Grifols will not be liable for any further processing theta the providers of the social networks may carry out with this personal data. The purpose and scope of the collection of data and its subsequent processing and use by the providers of these social networks, as well as the related rights and the possibilities of configuring privacy settings can be consulted in the data protection information of each of these companies.

• Public or private organizations: for example, health authorities, pharmaceutical industry associations or governmental organizations.
• Potential investors or purchasers
• Financial entities

Grifols will endeavour that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed in countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards (e.g. the standard contractual clauses included in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, if GDPR is applicable) to carry out such international data transfers in accordance with the applicable data protection legislation. Specific information on the appropriate safeguards applicable to each international data transfer can be obtained from Grifols at privacy@grifols.com.

Grifols does not share personal data with any other third party unless it is authorized by the data subject or required by the applicable law.

Grifols will retain the personal data for the time strictly necessary for the fulfilment of the purposes for which it has been collected or, if applicable, until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

If data subjects do not directly provide Grifols with their personal data, Grifols may obtain the personal data from event organizers databases and public sources, such as websites and publications from the healthcare sector, professional social networks or social listening tools (that is, tools aimed at identifying and evaluating the market's perception about a specific brand, product, company, topic or problem).

If data subjects provide personal data of third persons for the purpose of executing and maintaining a contractual relationship, the data subjects will inform said third persons about the processing of their personal data beforehand, by providing a copy of this privacy notice.

The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.

You may exercise, when appropriate, your data protection rights by, for example, sending a written communication to Grifols at privacy@grifols.com with the subject line "Interactions with HCP’S and Commercial Contacts". To that end, Grifols may request further information or documents if necessary to identify you.

For residents in the United States, please contact the Privacy Office at US-PrivacyRights@Grifols.com.

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.

• European Union
  
  The legal obligation referred to in Section 3 with respect to the response to medical and technical (non-commercial) requests for information about products manufactured or distributed by Grifols is regulated in Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the community code relating to medicinal products for human use and any other applicable regulations implementing, developing, complement and replacing the aforementioned.
• France
  
  When Grifols France S.A.R.L. is the data controller, the data subjects have the right to provide guidance on the management of their data after their death. 
  
  The legal obligation referred to in Section 3 to publish the transfers of value made to the data subjects and to share said personal data with the health authorities or associations of the pharmaceutical industry is regulated in the French public health code and in any other law that develops, complements and/or replaces it.
• People’s Republic of China

1. Mainland China: When your personal data is being processed by any Grifols' group company in mainland of the People’s Republic of China, the addendum available here applies to you. The addendum is set out in addition to and forms an integral part of this privacy notice.

• Portugal
  
  When Grifols Portugal – Produtos Farmacêuticos e Hospitalares, Lda. is the data controller, the data subjects have the right to provide guidance on the management of their data after their death. When guidance on the management of their data has not been provided by the deceased data subjects, the exercise of the data protection rights defined in Section 6 may be carried out by their heirs. The data subjects may also determine the impossibility of exercising these rights after their death.
  
  When there is a legal obligation of secrecy, the rights of the data subjects cannot be exercised.
  
  The legal obligation referred to in Section 3 to publish the transfers of value made to the data subjects and to share said personal data with the health authorities or associations of the pharmaceutical industry in order to ensure greater transparency in the interactions held among the distinct market players is regulated in the Medicinal Product Statue (Decree Law 176/2006), in the Medical Devices Regime (Decree-Law 145/2009) and in any other laws that develop, complement and/or replace these.
• Thailand
  
  When Grifols (Thailand) Ltd. is the data controller, see full privacy notice here.
• United Kingdom
  
  All references throughout the document to the GDPR also refer to, as applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland.
• United States
  
  You can review the privacy notice here