Patient affairs - Privacy Notice (excluding USA)

Grifols respects the privacy rights of all data subjects who entrust Grifols with their personal data and is committed to complying with the data protection regulations applicable in each country.

This privacy notice has been prepared in accordance with the European Union General Data Protection Regulation ("GDPR") and applicable privacy and data protection laws; see Section 7 for specific provisions. It outlines Grifols' data collection practices and data subjects’ rights in the context of Grifols' collection, use and sharing of their personal data.

Grifols aims to build relationships of trust with patient associations and their members by providing insights into their conditions and supporting their efforts to raise awareness, promote early diagnosis, and improve access to treatments and care.

This privacy notice applies to the processing of personal data of patients and any other individuals who belong to or are associated with patient associations. For the purposes of this privacy notice, the term ‘data subject’ refers to these individuals.

The data controller(s)/owner(s) of the personal data is/are Grifols, S.A., jointly, where applicable, with the Grifols group company involved in organizing patient-related events. The identity and contact details of Grifols group companies are available here. The company(ies) acting as data controller(s)/owner(s) or joint controllers will be referred to as "Grifols".

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols' compliance with the data protection legislation and best protect your rights under such legislation. You may contact the data protection officer at the address detailed here.

The data subjects may request more information from the data protection officer about the essential aspects of the joint controllership agreement outlined in Section 1.

Purposes

To contact data subjects, by any means, including electronic ones, within the framework of scientific or educational activities that may be of interest to them, developed by the Grifols group or by third parties, as well as to manage and control the attendance and participation of interested parties in such activities.

Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics¹.
  • Private contact details².
  • Special category data³.
  • Professional data⁴.

Recipients:

  • Grifols' group companies.
  • Providers of products and services.

 

Lawful basis

Legitimate interest

Consent

To analyse and, where appropriate, respond to any requests for information, suggestions and/or queries made through the means provided for this purpose.

Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics¹.
  • Private contact details².
  • Special category data³.

Recipients:

  • Grifols' group companies.
  • Providers of products and services.
     
Lawful basis

Legitimate interest

Consent

To deal with, manage, evaluate and award, in accordance with internal policies and procedures, grants and donations to patient associations.

Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics¹.
  • Private contact details².
  • Special category data³.
  • Professional data⁴.
  • Financial data⁵.

Recipients:

  • Grifols' group companies.
  • Providers of products and services.
  • Public or private organizations.
  • Financial entities.

Lawful basis

Legitimate interest

Execution of a contract (if terms and conditions of participation exist)

Legal Obligation

Consent
 

To manage corporate reorganization activities.

Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics¹.
  • Private contact details².
  • Special category data³.
  • Professional data⁴.

Recipients:

  • Grifols' group companies.
  • Providers of products and services.
  • Potential investors or purchasers.

Lawful basis

Legitimate interest

Consent
 

The capture, recording and use of images, voice and other identifying features including images and audiovisual recordings of oneself for the purposes described in the authorisation document or in another communication with similar characteristics, as well as to provide evidence of the consent of the data subjects. 

Such recordings may include data on the health status of the data subjects, depending on the context where they are obtained. 

Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics¹.
  • Special category data³.
  • Professional data⁴.

Recipients:

  • Grifols' group companies.
  • Providers of products and services.

Lawful basis

Consent

To execute and maintain the existing contractual relationship between Grifols and the data subjects, including the communication of the personal data and the use of the image, voice or other identifying features of the data subjects necessary to accomplish the contractual purposes.

Categories of personal data and recipients

Categories of personal data:

  • Identification data and personal characteristics¹.
  • Special category data³.
  • Professional data⁴.
  • Financial data⁵.

Recipients:

  • Grifols' group of companies.
  • Providers of products and services.
  • Financial entities.
     
Lawful basis

Execution of a contract

Consent

¹ For example, name, surname, nationality, image, voice, ID numbers/passport.
² For example, personal phone number and email address.
³ For example, medical conditions.
⁴ For example, professional contact details, position within the organization.
⁵ For example, financial interests and bank details.

3.1 Additional information about the lawful basis to process personal data

The table above shows the applicable lawful basis to process the personal data by purpose. In this section, you can find additional details of the lawfulness of the processing:

  • Consent: Data subjects may provide their consent through the data collection forms, by clicking acceptance buttons or ticking boxes, replying to e-mails or making any other affirmative clear action. Data subjects may withdraw their consent at any time, as set out in Section 6.
  • Execution of a contract: Failure to provide the personal data requested by Grifols could result in the impossibility of executing or maintaining such contract.
  • Legal Obligation: Grifols needs to process the requested personal data to comply with legal obligations. Failure to provide the personal data requested could result in the impossibility for Grifols to comply with such legal obligations. Section 7 includes details of the specific regulations applicable to Grifols that require the processing of personal data.
  • Legitimate interest (of Grifols and/or any third party): Grifols is interested in contributing to the health and wellbeing of patients through scholarships, donations and the organization of educational activities and initiatives. Therefore, Grifols pursues the following legitimate interests which override the fundamental rights and freedoms of the data subjects, given that the processing is within the data subjects' reasonable expectations based on their relationship with Grifols:
    • Prevention of fraud,
    • Advancing scientific and medical knowledge in society
    • Daily management of a multinational group of companies and internal administration, which means sharing information with the companies of the Grifols group, and

    In any event, data subjects may request further information on the legitimate interest or exercise their right to object to the processing of their personal data based on legitimate interest by addressing their request to privacy@grifols.com.

    The processing of special categories of personal data is only permitted in compliance with the data protection regulations applicable in each country. See Section 7 for more information.

     

3.2. Recipients of personal data

The table above shows the different categories of recipients to whom Grifols may provide the personal data identified by purpose. In this section, you can find additional information about them:

  • Grifols, S.A.
  • Providers of products and services: for example, transport companies, hospitality, IT service providers, travel agencies, photographers, cameramen and media agencies/owners.
  • Public or private organizations: for example, health authorities, pharmaceutical industry associations or governmental organizations.
  • Potential investors or purchasers.
  • Financial entities.

Grifols will endeavour to ensure that personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed in countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards (e.g. the standard contractual clauses included in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, if the GDPR applies) to carry out such international data transfers in accordance with the applicable data protection legislation. Specific information on the appropriate safeguards applicable to each international data transfer can be obtained from Grifols at privacy@grifols.com.

Grifols does not share personal data with any other third party unless it is authorised by the data subject or required by the applicable law.

Grifols will retain the personal data for the time strictly necessary for the fulfilment of the purposes for which it has been collected or, if applicable, until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

If data subjects do not directly provide Grifols with their personal data, Grifols may obtain the personal data from databases or public sources, such as websites, social networks and publications from the association and/or institution to which the data subject or the requester of grants and donations belongs.

If the data subjects provide Grifols with personal data of any third parties to execute or carry out a contractual relation, they undertake to previously inform said third parties of the transfer of their personal data to Grifols and to provide them with this privacy notice.

The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.

Rights

Access

Content

You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.

Rectification

Content

You may request the rectification of your personal data if inaccurate.

Erasure

Content

You may request the erasure of your personal data.

Objection

Content

You may request that your personal data is not processed under specific circumstances.

Portability

Content

You may request to receive, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.

Restriction of processing

Content

You may request a restriction on how your personal data is processed when:

  • the accuracy of the personal data is being verified after being contested.
  • processing of your personal data is unlawful and you object to its erasure.
  • Grifols no longer needs the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
  • you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.

Withdrawal of consent

Content

You may withdraw your consent without affecting the lawfulness of the processing based on consent before its withdrawal.

You may exercise, when appropriate, your data protection rights by, for example, sending a written communication to Grifols at privacy@grifols.com with the subject line "Patient Affairs". To that end, Grifols may request further information or documents if necessary and appropriate to identify you.

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.

European Union

The lawful bases for processing personal data identified in Section 3 are regulated in the following provisions of the GDPR:

  • Consent: Article 6.1(a) GDPR
  • Execution of a Contract: Article 6.1(b) of the GDPR
  • Legitimate interest (of Grifols and/or any third party): Article 6.1(f) of the GDPR
  • Legal obligation: Article 6.1(c) of the GDPR

The processing of special categories of personal data is only permitted when the data subject has given explicit consent to do so (Article 9.2(a) of the GDPR).

 

Spain

Donations are subject to tax law obligations (Law 49/2002 and related regulations).

 

Last update: October 2025