Videosurveillance and Access Control

Grifols is a global healthcare group founded in Barcelona in 1909 committed to improving the health and well-being of people around the world. Its three main business units – Biopharma, Diagnostic and Bio Supplies – develop, produce and market innovative solutions and services in more than 100 countries.

Grifols respects the privacy rights of all data subjects who entrust Grifols with their personal data and is committed to complying with the data protection regulations applicable in each country.

This privacy notice has been prepared in accordance with the European Union General Data Protection Regulation (the "GDPR") and applicable privacy and data protection laws; see Section 8 for specific provisions. It outlines Grifols' data collection practices and the data subjects’ rights in the context of Grifols collection, use and sharing of their personal data.

1. Identification of the data controller(s)/owner(s) of the personal data

The data controller/owner is the Grifols' group company responsible of guaranteeing the access and security of the premises, assets and individuals.

The identity and contact details of the Grifols' group companies are available here. The Grifols' group company/ies acting as controller/s will be referred to as "Grifols". 

2. Identification of the data protection officer

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols’ compliance with the data protection legislation and best protect your rights under such legislation. You may contact the data protection officer at dpo@grifols.com, unless the data controllers are Grifols Deutschland GmbH or Haema AG, in which case you may contact the data protection officer of each of these companies at dsb@grifols.com and dsb@haema.de, respectively.

3. Purposes and legal basis for processing
Purposes

- To guarantee the security of the premises, assets and persons, including employees, and, if applicable, to investigate any possible incidents occurring in the premises. To this end, Grifols may process your data through a system for controlling access to the premises which may include video surveillance systems and/or access identification cards.

- To share the personal data with the companies of the Grifols' group (as set out in Section 4) or with other interested third parties in order to investigate an illegal act and, if applicable, to establish, exercise or defend from appropriate actions or claims.
Lawful basis

Legitimate interest of Grifols and/or third parties (article 6.1(f) of GDPR):

Grifols or other third parties are interested in ensuring the safety of the persons and assets in the premises and in investigating, accrediting and defending against acts that violate property, premises or the dignity of people. Therefore, Grifols considers that the legitimate interest in which bases the processing of the personal data overrides the fundamental rights and freedoms of the data subjects, given that the processing:

  • Is within the data subjects' reasonable expectations based on their relationship with Grifols, and
  • Is a part of the daily management of a multinational group of companies, which means sharing information with the companies of the Grifols' group (as set out in Section 4)

In any event, data subjects may request further information on the legitimate interest or exercise their right to object, by addressing their request to privacy@grifols.com.

- To share the personal data with judges, courts, public administrations, law enforcement agencies or other competent authorities (as set out in Section 4) in case of commission of illegal acts.  
Lawful basis

Legal obligation (article 6.1 (c) of GDPR):

Grifols needs to process the personal data to fulfil the legal obligations detailed in Section 8.

Purposes Lawful basis

- To guarantee the security of the premises, assets and persons, including employees, and, if applicable, to investigate any possible incidents occurring in the premises. To this end, Grifols may process your data through a system for controlling access to the premises which may include video surveillance systems and/or access identification cards.

- To share the personal data with the companies of the Grifols' group (as set out in Section 4) or with other interested third parties in order to investigate an illegal act and, if applicable, to establish, exercise or defend from appropriate actions or claims.

Legitimate interest of Grifols and/or third parties (article 6.1(f) of GDPR):

Grifols or other third parties are interested in ensuring the safety of the persons and assets in the premises and in investigating, accrediting and defending against acts that violate property, premises or the dignity of people. Therefore, Grifols considers that the legitimate interest in which bases the processing of the personal data overrides the fundamental rights and freedoms of the data subjects, given that the processing:

  • Is within the data subjects' reasonable expectations based on their relationship with Grifols, and
  • Is a part of the daily management of a multinational group of companies, which means sharing information with the companies of the Grifols' group (as set out in Section 4)

In any event, data subjects may request further information on the legitimate interest or exercise their right to object, by addressing their request to privacy@grifols.com.

- To share the personal data with judges, courts, public administrations, law enforcement agencies or other competent authorities (as set out in Section 4) in case of commission of illegal acts.  

Legal obligation (article 6.1 (c) of GDPR):

Grifols needs to process the personal data to fulfil the legal obligations detailed in Section 8.

4. Recipients of personal data

Grifols may share the personal data with:

  • The parent company of the Grifols group, Grifols, S.A.
  • Providers of products and services hired by Grifols to achieve the mentioned purposes. These providers are reception and security services of the premises or maintenance services for video surveillance cameras or access control systems, among others.
  • Judges, courts, public administrations, law enforcement agencies or other competent authorities.
  • Other third parties interested in investigating an illegal act and, if applicable, establishing, exercising or defending the actions or claims they deem appropriate.

Grifols will endeavour that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed from countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards (e.g. the standard contractual clauses included in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, if GDPR is applicable) to carry out such international data transfers in accordance with the applicable data protection legislation. Information on the appropriate safeguards for international data transfers can be obtained from Grifols at privacy@grifols.com

Grifols does not share personal data with any other third party unless required by the applicable law or authorised by the data subject.

5. Retention period

Grifols will retain the personal data for the time strictly necessary for the fulfilment of the purposes for which it has been collected or, if applicable, until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

6. Sources and categories of personal data

Grifols only processes personal data that is relevant to the purposes mentioned in Section 3.

Regardless of the legal basis for processing the data, Grifols processes the following categories of personal data:

  • Identification data (e.g. name and last name, ID/passport number and image)
  • Private contact details (e.g. postal address, e-mail address and phone number)
  • Professional data (e.g. employee ID, professional contact details, job position and place of work)

7. Data protection rights

The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.

Rights

Access
Content

You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.

Rectification
Content

You may request the rectification of your personal data if inaccurate.

Erasure
Content

You may request the erasure of your personal data.

Objection
Content

Puede solicitar que sus datos personales no sean objeto de tratamiento en determinadas circunstancias.

Portability
Content

You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.

Restriction of processing
Content

You may request a restriction on how personal data is processed when:

  • the accuracy of the personal data is being verified after you have contested its accuracy.
  • processing of your personal data is unlawful and you object to its erasure.
  • Grifols no longer need the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
  • you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.
Rights Content

Access

You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.

Rectification

You may request the rectification of your personal data if inaccurate.

Erasure

You may request the erasure of your personal data.

Objection

Puede solicitar que sus datos personales no sean objeto de tratamiento en determinadas circunstancias.

Portability

You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.

Restriction of processing

You may request a restriction on how personal data is processed when:

  • the accuracy of the personal data is being verified after you have contested its accuracy.
  • processing of your personal data is unlawful and you object to its erasure.
  • Grifols no longer need the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
  • you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.

You may exercise, when appropriate, the data protection rights by sending a written communication to Grifols at privacy@grifols.com with the subject line "Videosurveillance and Access Control". To that end, Grifols may request further information or documents if necessary and appropriate to identify you.

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.

8. Specific Provisions

Spain

Legal basis: the legal obligation referred to in Section 3 is regulated in the Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights.

Date of last update: September 2023