Privacy policy on notification of adverse reactions

1. Who is the data controller?

The data controller is Instituto Grifols, S.A., with address for these purposes in Avda. de la Generalitat 152, 08174 Sant Cugat del Vallés, Barcelona (Spain) ("Grifols").

2. Who is the data protection officer of Grifols and how can I contact him/her?

The data protection officer acts as an interlocutor between Grifols and you to ensure that Grifols complies with data protection laws as well as with your legal rights. You may contact the data protection officer by email at

3. How Grifols uses your personal data?

Incidentally, Grifols may use your personal data, including health related data, to (a) contact you to obtain more information on the adverse events and, if necessary, monitor the notification it has received, (b) be able to comply with all pharmacovigilance related obligations as a pharmaceutical company; and (c) notify the competent health authorities, national or international, of any data related to the adverse events you have notified.

4. Why does Grifols use your personal data?

The legal ground to process your personal data is to ensure the quality and safety of the pharmaceutical products of the Grifols group in the interest of public health, based on applicable laws related to pharmacovigilance matters.

5. How long Grifols will retain your personal data?

Grifols shall process your personal data for as long as it is necessary for the purposes mentioned above. Once said period has elapsed, Grifols shall store your personal data without processing it, for a maximum period of fifty years as from the expiry date of the medicine batch, unless Grifols has to retain your data during a longer period as a result of its legal obligations.

6. With whom Grifols will share your personal data?

Based on the nature of the notified adverse reaction, it may be necessary to provide your personal data to the pharmacovigilance team of the Grifols group companies. Grifols adopts relevant measures to secure that the personal data shared with Grifols' group companies located outside the European Union is processed with similar guarantees to those established in the European Union. To this end, Grifols protects these international transfers by entering into European Commission Standard Contractual Clauses. You may contact the data protection officer in order to obtain a copy of these clauses. Additionally, your personal data may be exceptionally provided to competent health authorities, national or international, to healthcare professionals or to companies with which Grifols has signed commercial licence agreements, with the sole purpose of complying with its pharmacovigilance obligations.

7. Which are your rights when you provide us with your personal data?

Right Content Notification channel
Access You may access your data included in Grifols' files.
Rectification You may modify your personal data if these are inaccurate.
Opposition You may request that your personal data are not processed.
Erasure You may request that your personal data are erased.
Restriction of processing You may request a restriction on how your data is processed when:
  • The accuracy of personal data is being verified after you have contested such accuracy,
  • The processing is unlawful and you oppose to the erasure of the personal data,
  • Grifols does no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims,
  • You have objected to the processing for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, whilst it is being verified whether the legitimate grounds of Grifols override yours.
Portability You may receive, in an electronic file, the personal data that you provided Grifols with, as well as the possibility of sending it to different entities.


You may exercise your rights, at any time, by sending an email to, with the subject line "Pharmacovigilance – Adverse Events Notification". You must also send a copy of your ID card or of any other document to confirm your identity.

In any event, you have the right to lodge a complaint with the Spanish Data Protection Agency ( or with any other competent supervisory authority.

Created on: May 2018