PRIVACY NOTICE

Interactions with healthcare professionals (HCP's) and commercial contacts

Privacy notice available in other languages.

Grifols is a global healthcare group committed to improving the health and wellbeing of people around the world. Its four divisions – Bioscience, Diagnostic, Hospital and Bio Supplies – develop, produce and market innovative solutions and services in over a 100 countries.

Grifols respects the privacy rights of all data subjects who entrust Grifols with their personal data, and is committed to complying with the data protection regulations applicable in each country.

This privacy notice has been prepared in accordance with the General Data Protection Regulation (the "GDPR"). It outlines Grifols' data collection practices and the choices that data subjects make about the way Grifols collects, uses and shares their personal data.

1. Identification of the data controller(s)/owner(s) of the personal data

The data controller(s)/owner(s) is/are:

(a)    The Grifols' group company with which the data subjects or the institution to which they belong have a contractual relationship,

(b)    The Grifols' group company operating and identified as such in the websites, landing pages, apps, and any other similar digital platforms through which the personal data of the data subjects are processed, or

(c)    The Grifols' group company contacting the data subjects (as identified in the methods used to establish said contact) for the remaining purposes set out in Section 3.

When the processing of personal data has a scientific purpose, the data controllers/owners of the personal data will jointly be the company identified in Section 1(a), (b) or (c) and, if applicable, Grifols, S.A.

The identity and contact details of the Grifols' group companies are available here. The Grifols' group company/ies acting as controller/s or joint controllers will be referred to as "Grifols".

2. Identification of the data protection officer

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols' compliance with the data protection legislation and to guarantee your rights under such legislation. You may contact the data protection officer at dpo@grifols.com, unless the data controllers are Grifols Deutschland GmbH or Haema AG, in which case you may contact the data protection officer of each of these companies at dsb@grifols.com and dsb@haema.com, respectively. Although the essential aspects of the joint controllership agreement resulting from what is set out in Section 1 are provided in this Privacy Notice, the data subjects may ask, if they wish so, the data protection officer for more information.

3. Purposes and legal basis for processing

Purposes Lawful basis
  • To contact data subjects by any means, including electronic ones, to evaluate potential business opportunities and collaborations, and to develop, control and manage current and future relationships. The reasons for contacting data subjects may include but are not limited to:
    • Scheduling appointments (online or in-person),
    • Evaluating their participation as speakers or members in advisory boards, symposiums, conferences, webinars, training sessions, scientific awards, clinical studies or similar events organized by Grifols or by third parties (online or in-person), and in  drafting scientific publications,
    • Sending surveys or similar
    •  Any other activities that may contribute to evaluating potential business opportunities.
  • To send scientific, educational and commercial information about Grifols' group products, services, and activities, by any means, including electronic ones, when there is a contractual relationship with the data subject. As set out in Section 7, data subjects are entitled to exercise their right to object to the processing of their personal data for direct marketing purposes.
  • To send scientific and educational information, which is not related to Grifols' group products, services and activities, to increase the knowledge in the scientific community
  • To respond to any requests for information or suggestions.
  • To carry out anticorruption compliance checks.
  • To carry out maintenance tasks in websites, landing pages and apps to offer a secure environment to its users.
  • To manage corporate reorganization activities and its possible communication to potential investors and purchasers (as set out in Section 4).
Legitimate interest of Grifols and/or third parties (article 6.1(f) of GDPR):

Grifols is interested in contributing to the advancement of scientific knowledge and research in a secure environment with the aim of guaranteeing people's health. Therefore, Grifols considers that the legitimate interest in which bases the processing of the personal data overrides the fundamental rights and freedoms of the data subjects, given that the processing:
  • Is within the data subjects' reasonable expectations based on their relationship with Grifols,
  • Is necessary to prevent fraud,
  • Is for direct marketing purposes,
  • Is part of the daily management of a multinational group of companies, which means sharing information with the companies of the Grifols group (as set out in Section 4)
  • Is necessary to create a secure information system infrastructure and to prevent unlawful or malicious activities that may compromise the personal data.
In any event, data subjects may request further information on the legitimate interest or exercise their right to object by addressing their request to privacy@grifols.com.
  • To send scientific, educational and commercial information about Grifols' group products, services and activities, by any means, including electronic ones, if a contractual relationship with the data subject does not exist. As set out in Section 7, data subjects may exercise their right to object and withdraw their consent to have their data processed for direct marketing purposes.
  • To create profiles of data subjects based on their preferences and personal interests; this information is provided by the data subjects, obtained from the third-party sources detailed in Section 6 and from analysing their behaviour when receiving communications from Grifols or when browsing the internet. Grifols will use these profiles to send communications which meet data subjects' preferences, interests and behaviours. Automated decisions will not be taken based on such profile. As set out in Section 7, data subjects may exercise their right to object and withdraw their consent to the processing of their personal data for direct marketing purposes, including the right to object to profiling activities when those are conducted for direct marketing purposes.
  • To manage and control the registration, participation and attendance of data subjects to symposiums,  conferences, webinars, training sessions, scientific awards or similar events, in person or online, organized by Grifols or third parties.
  • To customize certain features of websites, landing pages and apps (for instance, the language used) based on the data subjects' browsing preferences and analyse their browsing behaviour (for instance, sections with more or fewer number of visits) with the aim to improve the services offered through these platforms. Occasionally, Grifols will use the browsing behaviour analysis to send data subjects communications based on their preferences, interests and behaviour. The information about profiling activities and behavioural analysis is available in this Privacy Notice and, if applicable, in the Cookies Policy of the relevant webpage, landing page or app.
  • To publish the transfers of value made to data subjects, in order to comply with the Grifols' group policy, as well as with the guidelines and regulations issued by the different associations of the pharmaceutical industry to ensure greater transparency in the interactions between the different market players and, if appropriate, to share the personal data of the subjects linked to said transfers of value with the pharmaceutical associations, as set out in Section 4
  • To use the data subjects' personal data (including their image, voice and any other identifying feature) in the terms regulated in the authorization document for the recording and use of images or other identifying features or in any other communication of similar characteristics, including sharing this with the owners of the media,  (as set out in Section 4), as well as for evidencing the consent of the data subjects.
  • Subject to data subjects' prior authorization (when necessary), to share the personal data with the companies of the Grifols' group (as set out in Section 4) in order for the latter to use the personal data for any of the purposes specified above.
Consent (article 6.1(a) of the GDPR):

Data subjects may provide their consent through the data collection forms, by clicking acceptance buttons or ticking boxes, replying to e-mails or making any other affirmative clear action.<

Data subjects may withdraw their consent at any time, as set out in Section 7.
  • To respond to medical and technical (non-commercial) requests for information about products manufactured or distributed by Grifols.
  • To publish the transfers of value made to the data subjects and to share the personal data with the health authorities or associations of the pharmaceutical industry in order to ensure greater transparency in the interactions held among the distinct market players.
  • To comply with certain regulatory obligations resulting from interactions with data subjects or with the institutions of which they are members.
Legal obligation (article 6.1(c) of the GDPR)

Grifols needs to process the requested personal data to comply with legal obligations.
  • To execute and maintain the existing contractual relationship between Grifols and the data subjects or the institutions of which they are members, including the communication to the financial entities of the personal data needed to make the agreed payments and the use of the image, voice or other identifying features of the data subjects necessary for contractual purposes.
Execution of a contract (article 6.1(b) of the GDPR):

Failure to provide the personal data requested by Grifols could result in the impossibility of executing or maintaining such contract.

4. Recipients of personal data

Grifols may share the personal data including, if applicable, the profile of the data subjects with:

  • Grifols' group of companies. The list of companies is available here.
  • Providers of products and services hired by Grifols to achieve the mentioned purposes. These providers are travel agencies, information technology service providers, marketing agencies, event organizers, providers operating in the anticorruption sector, photographers, cameramen or other media agencies, among others.
  • National or international health authorities or pharmaceutical industry associations, financial entities, third-party event organizers, potential investors or purchasers, and owners of the media in which the images and/or the personal data are included, among others.

Grifols will ensure that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed from countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards to carry out such international data transfers in accordance with the applicable data protection legislation. Information on the appropriate safeguards for international data transfers can be obtained from Grifols at privacy@grifols.com.

Grifols does not share personal data with any other third party, unless required by the applicable law.

5. Retention period

Once the purposes for which the personal data is processed have been achieved, Grifols will retain the personal data until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

6. Sources and categories of personal data

Grifols only processes personal data that is relevant to the purposes mentioned in Section 3.

If data subjects do not directly provide Grifols with their personal data, Grifols may obtain the personal data from event organizers databases and public sources, such as websites and publications from the healthcare sector, professional social networks or social listening tools (that is, tools aimed at identifying and evaluating the market's perception about a specific brand, product, company, topic or problem).

Regardless of the legal basis for processing the data and of whether it was obtained from third-party sources or from the data subject, Grifols processes the following categories of personal data:

  • Identification data (e.g. name and last name, ID/passport number, etc.)
  • Professional contact details (e.g. e-mail address, postal address and professional phone number, etc.)
  • Professional data (e.g. job position, place of work, membership in scientific societies or associations, etc.)
  • Academic information (e.g. level of studies, CV, etc.)
  • Personal interests and preferences
  • Browsing history data (e.g. IP address, visited web pages and country from which the connection is made)

Except for data regarding the browsing history and the personal interests and preferences (which will only be processed for the purposes expressly specified in Section 3), Grifols will process the remaining personal data categories, as required, to achieve each of the purposes set out in this Privacy Notice.

7. Data protection rights

The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other  data protection rights that may be applicable in accordance with the data protection legislation of each country.

Rights Content
Access You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.
Rectification You may request the rectification of your personal data if inaccurate.
Erasure You may request the erasure of your personal data.
Objection You may request that your personal data is not processed under specific circumstances.
Portability You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.
Restriction of processing You may request a restriction on how your personal data is processed when:
  • the accuracy of the personal data is being verified after you have contested its accuracy.
  • processing of your personal data is unlawful and you object to its erasure.
  • Grifols does no longer need the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
  • you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.
Withdrawal of consent You may withdraw your consent without affecting the lawfulness of the processing based on consent before its withdrawal.

You may exercise, when appropriate, your data protection rights by sending a written communication to Grifols at privacy@grifols.com with the subject line "Interactions with HCPS and Commercial Contacts". To that end, Grifols may request a copy of your ID card/passport in force or any other valid document that proves your identity.

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.

8. Specific Provisions

Privacy Statement for California Residents

https://www.grifols.com/en/privacy-statement-california-residents

Last update: March 2021