GDPR 

Contoller
The "controller“ is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data Processing on behalf of the controller

"Data processing on behalf of the controller" is a special case in data protection law and means the collection, processing or use of personal data by a processor in accordance with the instructions of the controller on the basis of a contract.

Legal basis

Any processing of personal data requires a legal basis. The legal basis may be the consent of a data subject, the performance of a contract, a legal obligation of the controller, the protection of vital interests of the data subject, the performance of public or sovereign tasks or the legitimate interests of the controller or a third party. In addition, there are other legal bases for the processing of e.g. special categories of personal data.

Personal data
Personal data relates to an identified (specific) or identifiable (determinable) natural person. A person is "identified" if the data is directly linked to the data subject or if such a link can be established directly. Individual data with personal reference are, for example

• name and identification features (e.g. date of birth, name affixes, ID number),
• contact data (e.g. postal address, e-mail address, telephone number),
• physical characteristics (e.g. height, weight, hair color, genetic fingerprint) or
• other data (e.g. location data, usage data, actions, statements, value judgments, professional career, bank details, etc.).

Processing
“Processing" shall mean the collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, regardless of whether the processing is carried out by automated means or not.

Pseudonymisation
In the case of "pseudonymisation", the name or other identification characteristics are replaced by a pseudonym (e.g. a number) in order to exclude the identification of the data subject or to make it significantly more difficult to establish. Through pseudonymisation, personal data of a data subject can now only be identified with the addition of further information.

Recipient
"Recipient" means a natural or legal person, public authority, agency or other body to whom personal data is disclosed.

Special categories of personal data
This is a subcategory of personal data. "Special categories of personal data" include particularly sensitive data, such as health data, biometric and genetic data, as well as religious confession, etc.

Third Country
Countries outside the European Union (EU) or the European Economic Area (EEA) are referred to as "third countries" in the GDPR.

The controller is:
B. Braun Melsungen AG
Carl-Braun-Strasse 1
34212 Melsungen
Germany
Phone: +49 (0)5661 71 - 0
E-mail: info@bbraun.com

The responsibility under data protection law depends on which of our companies you are in contact with or work with. More specific information can be found in the additional information on data protection.
If it is not clear to you who you should contact, you can contact B. Braun Melsungen AG at any time using the contact details provided.

If you have any questions regarding data protection, you can contact the respective data protection officer or our data protection team:

Data Protection Staff Department
Carl-Braun-Strasse 1
34212 Melsungen
Phone: +49 (0)5661 71 - 0
E-mail: dataprotection@bbraun.com

Your personal data may be processed for the following purposes, among others:

• communicating with our contacts, prospective customers, customers or sales partners (hereinafter "business partners") about products, services and projects
  
• answering inquiries from our business partners
  
• planning, implementing, and managing the (contractual) business relationship between our business partners and us, e.g. in order to process orders, for accounting purposes or to carry out and process deliveries
  
• conducting customer surveys, marketing campaigns, market analyses, sweepstakes, contests or similar promotions and events
  
• planning, implementation, and organization of events, e.g. product training, professional development or job shadowing
  
• advertising by e-mail and/or telephone as well as developing and providing advertising (newsletters) tailored to your interests
  
• sending samples, products and information
  
• maintaining the protection and security of our premises, e.g. issuing visitor passes, access control
  
• compliance with legal requirements, e.g. tax and commercial law retention obligations, in order to prevent white-collar crime or money laundering
  
• testing, optimising and further developing products and services
  
• maintaining and protecting the security of our products and services as well as our websites, preventing and detecting security risks and crimes, fraudulent actions or other criminal or damaging actions
  
• ensuring the group's IT security and operations
  
• settling legal disputes, enforcing existing contracts and asserting, exercising and defending legal claims
  

Which personal data is processed in detail depends on the respective purpose. The scope of the data processed depends on which personal data are required to achieve the specific purpose. To the extent permitted by the specific purpose, we process your data pseudonymously or anonymously.

In doing so, we base the processing of your personal data on one of the following legal bases:

If you are in a contractual relationship with us, the processing is carried out to fulfil the contract. The same applies to the implementation of pre-contractual measures based on your request.

We are subject to a large number of legal requirements, such as the Medical Devices Act, the Medicines Act, the Trade Regulation Act and the Commercial Code. In order to comply with these requirements, it may be necessary to process personal data.

Insofar as you have given us your consent to process your personal data for certain purposes, the respective consent is the legal basis for the processing specified in the respective consent form.

You can withdraw your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

Insofar as the processing of your personal data is not necessary for the fulfilment of a contract with you or to comply with legal requirements and consent also does not constitute an appropriate legal basis for the processing, the processing is carried out on the basis of our or a third party's predominant legitimate interest. In order to be able to use this legal basis, we check in advance whether the following requirements are met:

• we or a third party has a legitimate interest in the processing,
  
• the processing is necessary to achieve the legitimate interest, and
  
• your interests or fundamental rights and freedoms requiring the protection of personal data do not override our legitimate interest.
  

Your personal data will be disclosed within the B. Braun group to the extent necessary to fulfill the respective purpose or if the internal organisation requires the disclosure (e.g. central financial accounting, sales and marketing, logistics).

Your personal data will only be passed on to third parties, i.e. bodies outside B. Braun, if the transfer can be based on one of the legal bases mentioned above. Companies are, for example, required by law to disclose data to certain recipients, including in particular

• public authorities, e.g. tax authorities
• judicial/law enforcement authorities, e.g. police, public prosecutors, courts
• lawyers and notaries, e.g. in insolvency proceedings
• auditors

In addition, we use various service providers ("processors" in accordance with Art. 28 GDPR), which we contractually obligate in accordance with the requirements of the GDPR. These include companies from sectors such as IT services, printing services, telecommunications or sales and marketing. Processors may only use personal data according to our instructions and for a specific purpose. Compliance with this is controlled and monitored by us.

As an internationally active group, we may also process your personal data in countries outside of the EU or the EEA ("third countries"). If a transfer to these countries is necessary, the transfer will only take place if

• there is an adequacy decision pursuant to Art. 45 GDPR or appropriate safeguards pursuant to Art. 46 GDPR are in place (e.g. standard contractual clauses issued by the European Commission)
• it serves the performance of a contract
  
• explicit consent has been given by you
  
• it is for the assertion, exercise or defence of legal claims
  
• there is any other exemption pursuant to Art. 49 GDPR
  

In particular, in accordance with the principle of data minimisation, we only transfer the personal data that are necessary for the fulfilment of the respective processing purpose.

Your personal data will be deleted or blocked as soon as the purpose for storing it no longer applies. In addition, storage may take place if this is necessary to comply with regulatory or legal requirements.

Legal storage obligations may result, for example, from the German Commercial Code, the German Fiscal Code or the German Money Laundering Act. The periods specified there for storage or documentation are generally two to ten years.

Within the scope of our (contractual) business relationship and/or cooperation, you must provide the personal data that is required to achieve the respective purpose or that we are legally obliged to collect. Without this personal data, we will generally not be able to achieve the intended purpose and enter the business relationship and/or cooperation with you.

We do not use any procedures for automated decision-making in accordance with Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you of this separately, insofar as this is required by law.

According to the GDPR, you can assert the following data subject rights with us:

• You can request information about your personal data processed by us in accordance with Art. 15 GDPR.
• If inaccurate personal data is processed, you have a right to rectification (Art. 16 GDPR).
• If the legal requirements are met, you may request erasure (“right to be forgotten”) or restriction of processing as well as object to processing (Art. 17, 18 and 21 GDPR).
• If you have given consent to the data processing or if there is a contract for data processing and the data processing is carried out with the help of automated procedures, you may have the right to data portability (Art. 20 GDPR).
• In addition, you have the right to lodge a complaint with your respective data protection supervisory authority (Art. 77 GDPR).

Please note that legal obligations of the controller or national exceptions may mean that your data cannot be permanently deleted or can only be deleted after a certain period of time has elapsed (e.g. the restrictions according to § 34 and § 35 of the German Federal Data Protection Act apply within the scope of the right to information and deletion).

To assert one or more of your data subject rights, please contact us using the contact details provided under "controller and contact person".

Individual right to object

You have the right to object at any time, on the basis of your particular situation, to the processing of your personal data carried out on the basis of Art. 6 (1) f GDPR; this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate reasons for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Right to object to processing of personal data for direct marketing purposes

We may also use your personal data for direct marketing purposes within the framework of the legal provisions. You have the right to object at any time to the processing of your personal data for direct marketing purposes; this also applies to profiling insofar as it is associated with such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be made informally. You will find our contact details under "contoller and contact person".

For information on how your personal data is processed in the context of your application, please refer to the privacy policy of the global job market or the privacy policy of the website of the respective affiliated company.

If you contact us via a contact form, an e-mail address or a telephone number, we also process personal data about you. You will often also be asked for your consent to the processing of personal data for advertising purposes in the context of contact forms. In this regard, please refer to the section "Newsletter/marketing emails".

The purpose of the processing results from the handling of your enquiry or request and further communication. The legal basis for the processing is our legitimate interest according to Art. 6 (1) f GDPR, which results from the aforementioned purposes, or your consent according to Art. 6 (1) a GDPR.

If your contact is aimed at the conclusion of a contract / an ongoing contractual relationship with us, the legal basis is the initiation or implementation of the contractual relationship in accordance with Art. 6 (1) b GDPR.

The specific data processed results from the respective contact form. As a rule, however, it will be the following data:

• Master data (e.g. names, addresses)
• Contact details (e.g. e-mail, telephone numbers)
  
• Information about your request
  

The storage period depends on your specific request. If, for example, your contact is aimed at concluding a contract with us or we already have a business relationship with you, your data will be stored until the contractual and/or legal obligations have been fulfilled and legal retention periods do not prevent deletion.

Depending on the request (e.g. questions about our products and services), your data will be processed further. In order to be able to answer your enquiry/your request in the best possible way, your data will be passed on to the necessary extent within the group (if necessary also to group companies outside the EU).

In addition, we use order processors (e.g. IT and software service providers).

As a global company, we work with contracted distributors in certain countries and regions. In order to provide information on B. Braun products, therapies, solutions or events, for promotional purposes, to contact you or to respond to your enquiry, we will, with your consent, pass on the personal data you have entered to these external sales partners so that they can contact you. Our sales partners work regionally, which means that your data is only passed on to the sales partner with whom we work in your region.

We want to continuously improve our offerings and services and for this reason we conduct customer satisfaction surveys after certain contact points. The surveys take place immediately after a previous customer contact. In this way, we also comply with the legal requirements and standards that require us to measure customer satisfaction.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out by us on the basis of

• your consent in accordance with Art. 6(1) lit a GDPR,
• our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. There is a legitimate economic interest in gathering experience with our contacts and thus being able to continuously improve our service.
• of a contract according to Art. 6 (1) lit. b GDPR (e.g. hospitation contracts).

At the same time, we comply with the provisions of the German Unfair Competition Act.

Processed data

• Name, address, e-mail address, telephone number as well as comments
• Other information you provide to us when completing a survey. In the context of each survey, you will be informed in advance about the purpose of the processing.

When participating in the survey, you will also be asked to enter comments in free text fields. We strongly recommend that you do not enter any personal data about yourself or any other person. If you nevertheless enter personal data in a free text field, this data may be passed on to the categories of recipients listed below.

Storage period and location

Your data will be stored in accordance with legal and internal requirements and deleted after this period of 2 years. Your data will be processed within the EU. In the case of technical support, it may happen that your data is passed on to a service provider outside the EU in order to fulfil your request. In such a case, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Recipients

Your personal data is processed by us as data controller and in some cases by InMoment (a company under German law, registered with the commercial register number HRB92708 at the Hamburg District Court, with its registered office at Borselstraße 18, 22765 Hamburg) as data processor.

In addition, we use Qualtrics LLC, 333 W. River Park Drive, Provo UT 84604, USA. Data processing outside the European Union (EU) does not take place as a matter of principle, as we have restricted our storage location to data centres in the EU. Following a ruling by the European Court of Justice, service providers based in the USA do not currently offer an adequate level of data protection. This may entail various risks for the legality and security of data processing.

Qualtrics uses standard contractual clauses approved by the EU Commission (according to Art. 46 (2) and (3) DSGVO) as the basis for data processing with recipients based in third countries (outside the European Union) or a transfer of data there. These clauses oblige Qualtrics to comply with the EU level of data protection when processing relevant data outside the EU. These clauses are based on an implementing decision of the EU Commission.

For internal surveys we use the software "Forms" from Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. The data is stored on Microsoft's servers within the EU and processed by us as data controller.

The purpose of the processing is to enable you to participate in a guided tour of the factory. The legal basis for this is your consent pursuant to Art. 6 (1) a GDPR, which you grant us with your registration. You can revoke your consent at any time. However, in the event of a withdrawal, you will not be able to participate in the guided tour of the factory. To withdraw your consent, please send an e-mail to werkfuehrungen@bbraun.com.

In addition, the contact person of the group assures us that the information provided by them, in particular first name/last name and email address, is true and correct, that they are authorised to provide the data of any other participants and that they have sufficiently informed them about the processing, e.g. by using this website.

When you register for and participate in a guided tour of the factory, we process the following data about you:

• Contact details (e.g. surname, first name, address, e-mail, telephone number).
• Dates of arrival and departure
  
• Plant you wish to visit
  
• Language in which the factory tour is to be conducted
  
• Means of transport on arrival
  
• Optional: Further information on the group, such as eating habits for participants with allergies.
  

If we process health-related data (e.g. on allergies), religious, political or other special categories of personal data in this context, this is done within the scope of public disclosure (e.g. for thematically oriented events) or with your consent.

Your data will be stored for 3 years in accordance with the legal requirements and deleted after this period. Your data will be processed within the EU.

We process your data in a central system. Within this framework, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective event.

Controller

The respective renal centre in which you are being treated is responsible for processing your data. This centre carries out the data processing through its own staff.

In addition, we use various service providers ("processors" according to Art. 28 GDPR), which we contractually obligate in accordance with the requirements of the GDPR. These include IT service providers who work on our behalf for the purpose of supporting and maintaining our electronic data processing systems. These are obliged to comply with the provisions of the applicable data protection law, specifically confidentiality and compliance with medical secrecy.

Purpose and legal basis

The processing of your data for the purpose of medical treatment is carried out by us on the basis of:

• a contract according to Art. 6 (1) b GDPR (treatment contract) and
• your consent according to Art. 9 (2) a GDPR
   

You can withdraw your consent at any time with effect for the future. To do so, please contact your contact person at the respective renal care centre. The withdrawl of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawl.

Processed data

Within the framework of your treatment and the resulting billing, information about your person (name, address, date of birth, health insurance company, health insurance number) as well as the medical data necessary for the therapy (e.g. previous illnesses, (previous) findings, laboratory values, contact of the nursing service, etc.) are processed in accordance with the legal regulations. Among other things, the data are so-called special categories of personal data (in particular health data). Furthermore, we process data that you provide to us personally in a conversation or that your health insurance company sends us if required. For billing purposes and to update your data, we will collect your data again at regular intervals.

Storage period

After expiry of the legal retention periods, which are usually 10 years after completion of the treatment, your data will be deleted in accordance with the legal requirements.

Recipients

For the purpose of further treatment, we may transmit data to other responsible bodies, such as pre- and post-treatment providers and other service providers. If you are covered by statutory health insurance, we transmit the data required for billing purposes to the responsible bodies in accordance with the provisions of the German social security code or comparable local legislations. As a private patient, the statement is usually sent to you directly by mail. In case of your consent, we use private billing centres to prepare statements. Your data will not be passed on to third parties without your prior consent.

Your rights as a data subject

You have the right to obtain information about the personal data relating to you. Furthermore, you have the right to rectification or deletion or to restriction of processing, insofar as you are entitled to this by law. You can withdraw your consent at any time with effect for the future. The lawfulness of the processing until the withdrawl remains unaffected. Finally, you have the right to object to processing within the scope of the law. You also have the right to data portability within the framework of data protection law. You have the right to file a complaint about the processing of personal data by us with a supervisory authority for data protection.

Through our website, you have the opportunity to receive various information (e.g. download a white paper, participate in a webinar/event) on various specialist topics free of charge from B. Braun. For this purpose, it is necessary that you consent to the use of your data for marketing purposes in return for the provision of this information. We will use the contact details you provide for the provision of information. You will receive an activation email from us or by joining after the registration confirmation, through which your data will be confirmed. Thereafter, you will receive access to the broadly presented information and may also be informed in the future about other relevant therapies, products, solutions or events by B. Braun and our contractually bound sales partners.

The processing of your data for the purpose of advertising is carried out on the basis of:

• your consent pursuant to Art. 6 para. (1) a GDPR or
• our legitimate interest according to Art. 6 (1) f GDPR. There is a legitimate economic interest in informing our contacts about further offers and events of our own in order to establish and maintain a long-term customer relationship.
  

At the same time, we observe the requirements of the Unfair Competition Act (UWG).

Processed data:

• Name and email address
• Optional: Title and salutation

As soon as you have revoked your consent or objected to the processing, your personal data will no longer be used for the purpose of advertising and providing information via our website. If a business relationship continues to exist, your data will continue to be processed for these purposes, otherwise they will be deleted. Your data will be processed by processors (see recipients).

We process your data in a central CRM system. Within this framework, your data may be passed on within the B. Braun Group if this is necessary for the provision.

Furthermore, it may be necessary to pass on personal data to other bodies:

• to service providers, e.g. IT service providers or service providers for sending mailings

In doing so, we observe the principle of data economy and only pass on the personal data required in each case.

If your data is transferred to other companies, service providers or other entities outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent. The risks resulting from the transfer of personal data to third countries can be found in the general part of this privacy notice under "Transfer to third countries".

If we have received your contact details as part of a business event, a business appointment or as part of an order, we use your contact details to maintain our business contacts. For this purpose, we transfer your contact data to our CRM system.

Your data is processed on the basis of our legitimate interest pursuant to Article 6 (1) f GDPR. There is a legitimate economic interest in maintaining contacts that have arisen in the course of business transactions beyond the initial contact and to use them to build up a business relationship and to remain in contact with you for this purpose.

In this context, we process the following personal data:

• name, title, function
• institution
  
• business contact details
  
• business address
  
• business e-mail address, telephone number
  

If requested by you and made available to us:

• private contact details, private address, private e-mail address, telephone number

We store your data for the duration of the business relationship. If you object to the processing, we will continue to store your personal data for as long as we are legally required to do so. In addition, data of business contacts with whom we had no business contact within a defined period of time will be deleted.

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The risks resulting from the transfer of personal data to third countries can be found in the general part of this information on data protection under “transfer to third countries”.

We use your contact details to send you information about products, services or events that may be of interest to you.

The processing of your data for the purpose of advertising is carried out by us on the basis of:

• your consent pursuant to Art. 6 (1) a GDPR or
• our legitimate interest pursuant to Art. 6 (1) f GDPR. There is a legitimate economic interest in informing our contacts about our own offers and events in order to establish and maintain a long-term customer relationship

At the same time, we observe the local requirements and regulations on advertising.

In this context, we process the following personal data:

• by e-mail: Name, title, function, institution, department, address and e-mail address
• by mail: Name, title, function, institution, department, address
  
• personal interest in products/services and/or events
  

As soon as you have revoked your consent or objected to the processing, your personal data will no longer be used for the purpose of advertising. If a business relationship continues to exist, your data will continue to be processed for these purposes, otherwise they will be deleted.

Your data will be processed by order processors (see recipients).

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The risks resulting from the transfer of personal data to third countries can be found in the general part of this information on data protection under “transfer to third countries”.

For the organisation, implementation and follow-up it is necessary to process personal data. Depending on the event and the scope of services, different personal data will be collected from you. Please read below how we process your personal data when you participate as a participant or speaker in our events and similar activities (hereinafter referred to as "events").

If the event takes place on our premises, please also read the "Privacy policy for visitor management".

Participants

The purpose of the processing is to enable you to participate in the events and take advantage of the services or promotions associated with your participation. The legal basis differs depending on the event

• Legitimate interest pursuant to Art. 6 (1) f GDPR (e.g. to ensure secure and efficient communication).
• Consent according to Art. 6 (1) a GDPR (e.g. your registration)
• Contract according to Art. 6 (1) b GDPR (e.g. hospitation contracts)

When you register and participate in one of our events, we process the following data about you:

• master data (e.g. name, title, department, function, address, institution).
• contact data (e.g. e-mail, telephone numbers)
• contract data (e.g. subject of contract, duration, customer category)
• arrival and departure data
• optional: dietary requirements for participants with allergies

in individual cases additionally:

• specific passport data for the creation of invitation letters for VISA service
• date and place of birth

For paid events we also process:

• payment data (e.g. bank details, invoices, payment history, private address if given)

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of disclosure (e.g. for theme-based events) or is done with your consent.

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period has expired. Your data will be processed within the EU.

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective event. This may be the case, for example, if we have to forward your contact request to national companies for processing or if you have participated in international events. Furthermore, it may be necessary to pass on personal data to other parties:

• o service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by mail or digitally
• to hotels and transport companies if you ask us to organise your travel and stay
• to local authorities e.g. in the context of applying for VISA

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Active part (e.g. speakers, advisors, moderators)

Your data will be processed by us for the purpose of handling your contractual performance. The legal basis is the contractual relationship according to Art. 6 (1) b GDPR.

We process the following personal data about you:

• master data (e.g. name, title, department, function, address, institution)
• contact data (e.g. e-mail, telephone numbers)
• contract data (e.g. subject of contract, term, customer category)
• arrival and departure data
• payment data (e.g. bank details, invoices, payment history, home address)
• optional: dietary requirements in case of allergies

in individual cases additionally:

specific passport data for the creation of invitation letters for VISA service.

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of disclosure (e.g. for theme-based events) or is done with your consent.

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period has expired. Your data will be processed within the EU.

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective activity/assignment:

• financial accounting for payment processing

In addition, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by mail or digitally
• to hotels and transport companies if you ask us to organise your travel and stay.
• to local authorities e.g. in the context of applying for VISA

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The scope of this privacy policy is limited to the processing of personal data in connection with product complaints, medical information requests and pharmacovigilance. Pharmacovigilance is the detection, evaluation, tracking and prevention of adverse events related to medicinal products. Within the framework of pharmacovigilance, we process reports of adverse events in connection with pharmaceuticals (e.g. suspected cases of side effects or lack of drug effect). If you report adverse events or other pharmacovigilance-relevant information to us, we will process this data exclusively for pharmacovigilance purposes.

Purpose and legal basis of the processing – Pharmacovigilance

In terms of pharmacovigilance reporting, we comply with the relevant requirements that oblige us and the responsible regulatory authorities to manage data on adverse events. This serves to protect public health and to ensure a high standard of quality and safety.

We are required to process certain personal data of affected patients and/or reporting persons to report adverse events related to pharmaceuticals to the relevant regulatory authorities. The personal data will only be processed for pharmacovigilance purposes and only when relevant and appropriate to properly document, assess and report such an event in accordance with our pharmacovigilance obligations. The information in question is of great importance to public health and is used for the detection, assessment, understanding and prevention of adverse events and other risks related to our pharmaceuticals. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data in the context of adverse event reports related to medicinal products or other aspects of pharmacovigilance (even if provided in the context of a medical request)

Legal basis: This processing is necessary for B. Braun's statutory pharmacovigilance obligations (Good Pharmacovigilance Practice, MPA). (Art. 6 (1) c and Art. 9 (2) i GDPR)

Purposes and legal basis of the processing - Medical requests

Any personal information provided to B. Braun in connection with medical enquiries may be used to respond to and follow up on the enquiry in question. The information in question may be stored in a medical information database for reference purposes. In addition, we may be required by law (for example, as part of pharmacovigilance) to report the data to regulatory authorities. We do not use your data for any other purposes. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data related to a medical request may be used to respond to and follow up on the request

Legal basis: This processing is based on B. Braun's legitimate interest in following up on your requests (Art. 6 (1) f GDPR). If you are a patient, we will only process your personal data with your explicit consent.  (Art. 6 (1) a and Art. 9 (2) a GDPR).

Purposes and legal basis of the processing – Product complaints

Any personal information provided to B. Braun in connection with a product complaint will be used solely for these purposes. The information in question is of great importance to public health and will be used to assess, classify, and evaluate the product complaint, to follow up on related enquiries and to store the data in a product complaint database for reference purposes. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data in connection with a product complaint (e.g. for the assessment, classification and evaluation of the product complaint, for the follow-up of the corresponding request and for the storage of the data for reference purposes in a product complaint database) (also if provided in the context of a medical request)

Legal basis: This processing is necessary to comply with the legal obligations applicable to B. Braun (Art.6 (1) c and Art.9 (2) i GDPR).

When submitting a notification, the following data may be processed, depending on the individual case:

Reporting of adverse events related to medicinal products

Reporting person: name, contact details, belonging to an occupational group

Person affected by an adverse event: personal data on health and medical history as far as necessary for the processing and assessment of the case. This may include data such as initials, age/date of birth, sex, weight, and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of complying with the obligation to medicines safety and our legal obligations.

Medical requests

Reporting person: name, contact details, belonging to an occupational group

If a medical request includes data on a product complaint or suspected adverse reactions, it will additionally be treated as such.

Product complaints

Reporting person: name, contact details, belonging to an occupational group

In the event that a person has experienced a health impairment in connection with a product complaint, personal data on health and medical history will be collected to the extent necessary to process and assess the case. This may include data such as initials, age/date of birth, sex, weight, and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of meeting the obligation to medicines safety and our legal obligations.

Due to their importance for public health, pharmacovigilance-related information will be kept for at least 15 years after the withdrawal of the respective products from the market in the last country where they were offered. As information on product complaints is important for public health, complaint records including the corresponding personal data are kept for at least 15 years. Personal data stored in the context of medical information requests will be kept for a maximum of 11 years from the date of receipt.

B. Braun may share personal information that you provide to us as necessary to maintain B. Braun's global pharmacovigilance database and to comply with applicable pharmacovigilance legislation. To do this, we may share and/or disclose personal data as follows:

• within the B. Braun Group, to analyse and evaluate a reported adverse event.
• to the competent supervisory authorities, regarding a (suspected) adverse event.
• to service providers, e.g. IT service providers. 
• to other pharmaceutical companies acting as co-marketers, co-distributors, or other licensing partners of the B. Braun Group, if the pharmacovigilance obligations for our product require such exchange of safety information. 
• When information about adverse events is published (for example, in the form of case studies and summaries); in these cases, your data will be anonymised to keep your identity confidential.

In addition, B. Braun is required to share certain pharmacovigilance and product-related information with health authorities worldwide. This also includes authorities for which data protection regulations differ from those of the EU. Legal basis: Art. 6 (1) c and for transfers outside the EU Art. 6 (1) f and Art. 49 (1) e GDPR. 

The reports in question contain details of the incident in question. Personal data are only included to the extent necessary:

• For patients, the report includes only, as indicated, age, sex, and initials (where indicated), date/year of birth (where disclosure is permitted) but never the patient's name. 
• For reporting persons, the report includes the name, profession (e.g. doctor, pharmacist), initials or address, email address and telephone number (where indicated). The contact information is necessary to be able to contact the reporter to obtain high quality and complete information on adverse events. If the reporter does not wish to share their contact information with B. Braun or authorities, "privacy" will be entered in the reporter's name and contact information field.

If your data is passed on to other companies, business partners or service providers outside the European Union, we ensure that your personal data is adequately protected, e.g. by concluding standard contractual clauses and/or that only necessary data is passed on.

We use the video conferencing tools "Teams" (from the provider Microsoft, USA) and "Zoom" (from the provider Zoom Video Communications Inc., USA) to carry out digital events.

The legal basis for processing personal data is determined by the specific purpose for which the respective platform is used and the digital event is offered. These can be: 

• Effective implementation of the event we offer to inform participants about professional topics: legal basis is our legitimate interest based on Art. 6 (1) f GDPR. 
• Conducting e.g. group or individual meetings, trainings and events to fulfil a contract with the data subject: legal basis is Art. 6 (1) b GDPR. 
• Conducting group or individual meetings, training sessions and events required for business purposes as part of the employment: the legal basis is the recruitment, performance or termination of the contract of employment pursuant to Section 26 (1) German Data Protection Act. 
• Implementation of group or individual meetings, training sessions and events based on your consent in accordance with Art. 6 (1) a GDPR, which you grant us by participating in the respective digital event.

The scope of the data processed depends on the purpose of the digital event, but in particular also on the information you provide before or during your participation in the event (e.g. use of the chat function): 

• Meeting metadata: e.g. date, time, meeting ID, phone numbers, location.
• Text data: if you use the chat function, your posts are processed to display them within the chat. 
• Audio and video data: If you use the video and audio functions, data from the microphone and/or video camera will be processed for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time.
• Shared files and information: With the help of the " share" function, you can share your screen or files with other participants. All files, content and comments posted by users can be accessed by the people with whom they are shared. These can be individuals or members of a team or channel.
• Documentation of your participation with attendee lists: For certain purposes, such as conducting training or awareness-raising activities, it is necessary to keep a list of attendees and store it as evidence. The video conferencing tools offer the possibility to export a list of participants after an event.

We use Microsoft and Zoom as a processors within the meaning of Art. 28 GDPR. The providers obtain knowledge of the above-mentioned data to the extent contractually permitted.

Microsoft and Zoom reserve the right to process customer data for its own legitimate business purposes. We have no control over this data processing. To the extent that the providers process personal data in connection with its legitimate business purposes, they are the data controllers for those data processing activities and, as such, are responsible for compliance with all applicable data protection laws. This particularly applies when you access the website s of Microsoft and Zoom or use the video conferencing tools through your browser. If you require information about Microsoft's and Zoom's processing, please refer to their relevant privacy statements.

In principle, there is no data processing outside the European Union (EU), as we have limited our storage location to data centres in the EU. However, we cannot exclude the routing of data via internet servers that are located outside the EU. This can be the case in particular if participants are located in a third country.  

The data processed during a digital event is encrypted during transport via the internet and thus protected against unauthorised access by third parties. In addition, we have agreed extensive technical and organisational measures with the providers that correspond to the current state of the art, e.g. with regard to access authorisation and end-to-end encryption concepts for data lines, databases and servers.

We delete personal data when the storage of the data is no longer necessary. In the case of statutory retention obligations, deletion comes into consideration after the expiry of the respective retention obligation.

You have the right to obtain information about the personal data relating to you. Furthermore, you have the right to rectification or deletion or to restriction of processing, insofar as you are entitled to this by law. You can revoke your consent at any time with effect for the future. The lawfulness of the processing until the revocation remains unaffected. Finally, you have the right to object to processing within the scope of the law. You also have the right to data portability within the framework of data protection law. You have the right to file a complaint about the processing of personal data by us with a supervisory authority for data protection.

In certain circumstances, recording of digital events may take place. This is done for the purpose e.g. publication, documentation, etc. The legal basis is your informed (written) consent according to Art. 6 (1) a GDPR, which you grant us by attending the event. If a digital event is to be recorded, we will inform you about this transparently in advance (e.g. as part of the invitation). In addition, a notice will be provided during the event before the recording is started. The system will also inform you that the event is being recorded.

The recording is stored and deleted after expiration of the respective retention period in accordance with data protection regulations. 

Under certain circumstances, it may be necessary to publish the recording to the group of participants, on the intranet or on the internet in order to fulfil the above-mentioned purpose. If the recording is published on the intranet or internet, we would like to point out that the recordings are made accessible to a broad public. Every viewer can use the content on the internet at their own discretion, including misuse, without this being able to be monitored, restricted or prevented. However, within the framework of data minimisation, we take care, especially when publishing recordings, to delete or anonymise personal data in advance that is not relevant for publication (e.g. cropping the video excerpt).

For information on how we handle your personal data when you use one of our apps or websites, please refer to the respective privacy policy.

Only persons authorised by the Group may enter the factory premises. As a visitor, guest or external company employee, you must provide the categories of data listed below and will usually receive a visitor's pass that entitles you to stay on the factory premises for the duration of your visit/stay.

The purpose of the processing results primarily from the exercise of domiciliary rights and the protection of the company's property. In addition, the processing serves to be able to determine at any time who is on the factory premises and in our buildings, in particular to ensure the safety of the factory premises and the protection of the persons working there. The legal basis is our legitimate interest pursuant to Article 6 (1) f GDPR, which results from these purposes.

The following data are processed:

• Name and first name
• Vehicle registration number, if applicable
• Company for which you work
• Duration of your stay
• Your contact person in our company

Your data will be stored for as long as is necessary to achieve the aforementioned purposes or to fulfil a contract (usually for 1 year). Data may be stored beyond this period if and insofar as this is required by law.

The storage of data differs per location. The data required for visitor management is stored either in a visitor management system or a visitor book.

We partially use processors based within the EU for visitor management (e.g. site security, IT service providers).

Please also note the information on data protection on site.

The purpose of the instruction is to ensure the health and safety of visitors and contractor employees on the company premises.

Applicable laws

• German Occupational Health and Safety Act (ArbSchG)
• Occupational Safety Act (ASiG)
• German Civil Code (BGB)
• Construction Site Ordinance (BaustellV)
• Ordinance on Industrial Safety and Health (BetrSichV)
• Ordinance on Hazardous Substances (GefStoffV)

Regulations of the Employer's Liability Insurance Association (DGUV - German Social Accident Insurance)

• DGUV Regulation 1 "Principles of Prevention“
• DGUV Regulation 2 "Company doctors and occupational safety specialists”
• DGUV Rule 100-001 "Principles of Prevention“

• First and last name
• Company
• Date of birth
• E-mail address
• Date of safety briefing/ visit or stay on the company premises

Your data will be stored for as long as is necessary to achieve the aforementioned purposes or to fulfil a contract. Data may be stored beyond this if and insofar as this is provided for by law.

We use video surveillance to protect our factory premises and buildings. Surveillance areas are always marked with appropriate signs.

The video surveillance serves the purpose of plant security within the framework of house rights in accordance with our legitimate interest pursuant to Art. 6 (1) f GDPR. Please also note the corresponding information displayed at the respective location. The use of video surveillance is for preventive purposes to prevent persons from committing legal violations to the detriment of B. Braun. The aim of video surveillance is to ensure the preservation of evidence and the clarification of criminal offences as well as the enforcement of claims for damages under civil law in the event of irregularities such as climbing over, damage to property, manipulation of access equipment or unauthorised entry.

The storage period of the records is within the scope of what is operationally necessary and legally permitted and can vary depending on the location and the framework conditions and requirements there (between 72 h and a maximum of 14 days). The data is then automatically deleted unless there is a legal interest in further processing.

If a criminal offence has occurred, the corresponding video recordings will be passed on to the law enforcement authorities to the extent necessary.

The following privacy policy describes the handling of personal data within the whistleblower system of the B. Braun Group (hereinafter "B. Braun Group" or "We"). The privacy policy applies to notifications in the internal notification system that are submitted via the whistleblower portal of the website, by post, via an encrypted e-mail, by telephone or during a personal conversation.

The whistleblower system is used to receive and process notifications of violations of laws and regulations within the B. Braun Group. The B. Braun Group should not suffer any disadvantages as a result of violations of laws and regulations or other harmful conduct. The whistleblower system is intended to make an important contribution to the prevention of such violations or harmful conduct. The whistleblower system is set up voluntarily on the one hand and on the basis of legal obligations on the other. In principle, it is up to you in which form you make a notification via the whistleblower system and whether this notification is made anonymously or not. The notification itself and the provision of your data is voluntary. However, please consider submitting a notification personally so that we can contact you for any queries and, if necessary, better check the notification for plausibility. In this case, we will ensure that you do not suffer any unjustified disadvantages as a result of the notification submitted. This does not apply if the notification contains intentionally or grossly negligent incorrect information.

Internal Notification Office

Notifications submitted via the whistleblower system are processed exclusively by the Internal Notification Office.

B. Braun SE

Compliance Office Germany

Carl-Braun-Straße 1

34212 Melsungen

E-Mail: compliance.de@bbraun.com

Telefon: +49 (0) 5661 71 – 4142

Note: If you submit a notification by e-mail, please make sure that this e-mail is encrypted! Employees of the B. Braun Group can classify the e-mail as "Strictly Confidential/protected content" under "Confidentiality" in Outlook.

Purpose and Legal Basis

The processing of personal data collected within the context of the whistleblower system is limited to the purposes necessary and on the basis of different legal requirements.

a) Purposes

We process personal data for the purpose of the proper operation of the whistleblower system, which includes in particular:

if a notification is not made anonymous, we process the personal data of the whistleblower in particular for the purpose of identification, for the confirmation of receipt, for contacting the whistleblower in order to ask any questions about the notification and in order to be able to provide information about the status of the procedure.

• We may process personal data or information about circumstances that allow conclusions about the identity of natural persons. This is done for the purpose of a comprehensive check of the notification. A check is also carried out on the validity of the notification, for example, in order to be able to identify potential false notifications at an early stage. This is done in the interest of the whistleblower and the company on the one hand, and in the interest of the affected person on the other hand, in order to detect possible denunciations.
• The processing of personal data serves in particular the purpose of being able to properly conduct internal investigations and take appropriate follow-up measures. Internal investigations may be necessary under certain circumstances for the purpose of adequately processing the notification. It covers, for example, investigative measures to detect and clarify potential breaches of rules of any kind.
• The Internal Notification Office processes personal data for the purpose of a detailed documentation of the notification and the related measures and processes if these are part of or related to a notification.
• Personal data may be processed for the purpose of disclosure to competent authorities, for example for law enforcement purposes or other procedures where disclosure is required.
• We may process personal data for the purpose of proceedings to exonerate affected persons where unjustified allegations have been made against them. The processing serves the purpose of clarification and exoneration measures.

In addition, the purposes stated in the general information on data protection for employees may be considered as possible purposes of data processing, provided that such an employment relationship exists between the respective persons and a company of the B. Braun Group.

b) Legal Bases

Data processing within the whistleblower system is based on different legal bases depending on the content and subject of the notification. The reason for this is that different laws may apply depending on the content of a notification. For an overview of reportable misconduct, please read the general information on the whistleblower system.

Notifications within the scope of the HinSchG:

The Whistleblower Protection Act („HinSchG“) establishes a legal framework for the notification of breaches of certain regulations.

Legal basis: Art. 6 (1) lit. c GDPR in conjunction with §§ 10 sentence 1, 12 HinSchG

Insofar as and to the extent that an internal notification falls within the scope of the HinSchG, we are required by Section 12 HinSchG to establish and operate an internal notification office for the reception of notifications. The operation of the internal notification office includes the processing of notifications. In order to process these notifications properly and to adequately fulfil our legal obligation, it may be necessary to process personal data. The processing of personal data is then based in each case on Art. 6 (1) lit. c GDPR in conjunction with the specific legal obligation in the HinSchG. According to Section 10 HinSchG, internal notification offices are also authorised to process personal data insofar as this is necessary for the fulfilment of their tasks.

Legal basis: Art. 9 (2) lit. g GDPR in conjunction with §§ 10 p. 2, 12 HinSchG, § 22 BDSG (Federal Data Protection Act)

If it is necessary for the fulfilment of our obligations under the HinSchG, we also process special categories of personal data within the meaning of Art. 9 (1) GDPR. This is the case, for example, if a notification contains respective data and the reported behaviour is related to this data. Pursuant to section 10 sentence 2 HinSchG, internal notification offices are authorised to process this data if this is necessary for the fulfilment of their tasks. This is the case, for example, if the relevant personal data are part of a notification and the notified behaviour focuses on this type of personal data and processing of the data inevitably connected with the proper processing of the notification.

Notifications within the scope of the LkSG:

The German Act on Corporate Due Diligence Obligations in Supply Chains ("LkSG") provides regulations on human rights and environmental due diligence in corporate supply chains. B. Braun enables complaints within the meaning of Section 8 LkSG about possible violations via the whistleblower system.

Legal basis: Art. 6 (1) lit. c GDPR in conjunction with § 8 LkSG

Pursuant to Section 8 LkSG, we are obliged to set up an internal complaints procedure that enables persons to point out human rights and environmental risks as well as violations of human rights-related or environmental obligations. We process personal data insofar as this is necessary to fulfil the legal obligations imposed by the LkSG.

Notifications within the scope of other laws

If a notification falls within the scope of another law that requires the establishment of an internal complaints procedure, the processing of personal data takes place on the basis of Art. 6 (1) lit. c GDPR in conjunction with the respective specific legal obligation.

Other legal bases for the processing of personal data

In addition to the legal bases mentioned above, or in the event that a notification does not fall within the scope of a law requiring the implementation of an internal complaints procedure, we process personal data within the whistleblower system on the basis of the following legal bases:

Legal basis: Art. 6 (1) lit. b GDPR in conjunction with the employment contract

If the persons involved is an employee of the B. Braun Group and the processing is required in the context of the whistleblower system, we may process personal data for carrying out and terminating the employment relationship.

Legal basis: Section 26 (1) sentence 2 BDSG

Where necessary, personal data of employees is processed for the purpose of detecting criminal offences, provided that documented factual indications give rise to the suspicion that the person concerned has committed a criminal offence in the employment relationship and the further requirements of Section 26 (1) sentence 2 BDSG are met. 

Legal basis: Art. 6 (1) lit. f GDPR

We may process personal data under the whistleblower system to protect one of our legitimate interests or those of a third party, to the extent that the processing of personal data is necessary to process a notification.   

The B. Braun Group is committed to legally compliant and socially responsible corporate governance. This responsibility exists towards all stakeholders. B. Braun intends to enable notifications on any conduct that constitutes a violation of environmental and sustainability concerns or of the General Equal Treatment Act or is otherwise socially harmful or constitutes a serious internal breach of rules and, where applicable, goes beyond the scope of the HinSchG/LkSG. The justified interest consists in particular in averting possible damage to the B. Braun Group, its employees and business partners, such as a loss of image resulting from the misconduct, possible claims for damages or other legal consequences. In particular, disadvantages to employees due to discriminatory or otherwise harmful behaviour are to be prevented.

Furthermore, the processing of personal data within the framework of the whistleblower system also serves to protect the interests of the person affected by a notification or other persons named in a notification. For these persons, in particular, there is a risk of significant negative personal and economic consequences from information that is misreported intentionally or through gross negligence, which is why they have a particular interest in the adequate review of notifications.

Processed Data

In the context of the whistleblower system and possible related follow-up measures, it may become necessary to process the following personal data or data categories about you in particular:

Contact data of the whistleblower: If the notification is not anonymous, the name and e-mail address and, if applicable, further data such as a telephone number and other contact data are processed.

Data that is the content of a notification: The data that is the content of a notification submitted by the whistleblower through all channels of the whistleblowing system. It may contain a wide variety of personal data or other information that allows conclusions about the identity of the persons involved. This includes information such as the time, description of the circumstances, persons involved and other information necessary to describe the problem and notify the incident. Likewise, for example, photos, video recordings, documents and data may be processed in connection with the notification. If necessary, content logs of telephone and personal conversations are also made and processed, which are made during interviews with the whistleblower. If the whistleblower gives their written consent, audio recordings or verbatim transcripts of the report may also be made. The explicit information contained in notifications is not the responsibility of the Internal Notification Office. Targeted questions and predefined input fields are intended to minimise the collection of personal data that is not required. However, this may not be possible for all reporting channels. If the Internal Notification Office determines that the notification contains personal data that is not relevant to clarifying the facts or processing the report, this data is deleted and not processed further.

Personal data of data subjects: Personal data may be collected and processed from persons who are the subject of a notification or are otherwise named in a notification. This includes in particular all data necessary for identification and clarification of the facts. Likewise, data on persons who belong to the group of harmed persons may also be processed. The type and scope of the personal data processed depend in particular on the necessity for adequate processing of the notification and its subsequent follow-up measures.

Identity data: If the notification is not anonymous, data is collected on the fact that the whistleblower has made a notification. Depending on the type and scope of the notification, information on the fact that the whistleblowers are the subject of such a notification may also be processed. Furthermore, information may be processed on the fact that persons are otherwise involved in the procedure or that they support the whistleblower in a confident manner.

Employee Data: In some circumstances it may be necessary for us to process data in the context of the employment relationship. This includes, for example, the position and function in the company, master data of the employee, information about colleagues and supervisors.

Communication and digital data: It may be necessary for the investigation that communication data is processed within the context of internal investigations by the Internal Notification Office or a department designated by it. These data may allow conclusions about the communication behaviour of the person concerned. This includes, for example, an e-mail box evaluation as well as the evaluation of log and meta data.

Private content: Under certain circumstances, data may be processed that allows conclusions about private circumstances of the persons involved. This is the case, for example, if a notification contains such content.

Company-initiated documents: In the course of an internal review of the notification, it may be necessary to evaluate operational documents. These include, for example, time sheets, driver logbooks, invoices and travel expense reports.

Special categories of personal data: In individual cases, it may be necessary to collect and process special categories of personal data as defined in Art. 9 (1) GDPR. This is the case, for example, if relevant data is part of a notification and the notified behaviour focuses on this type of personal data and processing of the data inevitably falls in line with proper processing of the notification. In such a case, the Internal Notification Office will take specific and proportionate measures to safeguard the interests of the data subject.

Storage Duration

Personal data processed in the whistleblower system will only be stored by B. Braun for as long as it is required for specific purposes. Consequently, the data will be deleted by when:

• the relevant legal basis for processing the data no longer exists,
• the purpose for processing the data no longer exists,
• a legal obligation makes the deletion necessary, or
• you have objected to the processing of personal data,

unless there are legal retention periods. B. Braun may only finally delete your data after these periods have expired. Data whose deletion would represent a disproportionate effort is exempt from deletion.

For notifications within the scope of the HinSchG, the Internal Notification Office is legally obliged to provide detailed documentation of all notifications in accordance with § 11 HinSchG. This documentation must be kept for three years pursuant to Section 11 (5) HinSchG. Storage may last longer than three years if longer storage is required and proportionate under the HinSchG or another legal provision.

Recipients and Confidentiality

B. Braun SE operates the whistleblower system centrally for all subsidiaries of the B. Braun Group. Where appropriate, we therefore transfer personal data to one or more of the subsidiaries if this is necessary for adequate processing of the notification. We may receive personal data from subsidiaries regarding a notification.

a) Transfer to third countries

As a rule, personal data is not transferred to third countries (countries outside the European Union and the European Economic Area). An exception to this may be cases in which subsidiaries of the B. Braun Group in third countries are involved. We may transfer personal data from a third country to the location of a subsidiary in a third country if the incident took place in that country and is necessary for conducting internal investigations or taking follow-up measures.

b) Confidentiality of notifications

All notifications received through the whistleblowing system are treated with the utmost confidentiality. This confidentiality is maintained throughout the entire process, subject to a few exceptions. The content of a notification, as well as the identity of all persons associated with the notification, is only accessible to a small group of expressly authorised persons at the Internal Notification Office. This also includes persons who support the Internal Notification Office in the performance of its obligations.

However, it may be necessary for the Internal Notification Office to pass on the content of a notification as well as information about the identity of a person providing information or about other circumstances that allow conclusions about the identity of this person to other bodies, for example in order to carry out internal investigations, to take follow-up measures or to involve public bodies in the procedure or to pass it on to them. The identity is disclosed in particular if it is done at the request of the law enforcement authorities, on the basis of an order in an administrative procedure or on the basis of a court decision. The whistleblower shall be informed of the disclosure of the identity, if possible. This does not apply in the case where a law enforcement agency, the competent authority or the court has informed the Internal Notification Office that the information would threaten the relevant investigations, enquiries or court proceedings.

In the event that further disclosure of the identity or information about other circumstances that allow conclusions about the identity of the whistleblower is to be made and is necessary for the taking of follow-up measures, the Internal Notification Office will first obtain the written consent of the whistleblower and explain the reasons for such disclosure. In addition, the identity of the whistleblower or other persons named in the notification may also be disclosed if this is necessary for internal investigations or follow-up action.

The identity of a whistleblower will not be protected if he or she intentionally or through gross negligence notifications inaccurate information about violations.

Automated Individual Case Decisions or Profiling Measures

In the context of internal investigations or follow-up measures, as well as other actions in connection with the processing of incoming internal notifications, neither automated individual case decisions nor profiling measures within the meaning of Art. 22 GDPR take place.

Supplement to the general B. Braun privacy policy  

Sales Enablement & Training

Content exchange in the B2B environment 

Introduction 

B. Braun uses Showpad to share content with third parties. The B. Braun group company with which you interact via the Showpad solution and from which you receive content is responsible for the processing of personal data.

Purpose and legal basis  

The use of the Showpad platform enables secure content sharing, personalized interaction with recipients to gain insights on how to improve B. Braun's content and interaction with recipients. The legal basis for the processing is your consent according to Art. 6 (1) a) GDPR. 

Categories of data

• Contact details of the recipient (name and e-mail address) 

• The content shared with the recipient, the date and time the content was shared and the recipient's interactions with the content (clicks on the content, downloads, forwarding and time spent using the content) 

When assigning digital training (Showpad Coach), the following data is also recorded:  

• Learning and learning process status of the assigned modules 

• Basic access information (essentially: date, time and duration of access) 

• For integrated knowledge queries: degree of completion, access time and completion duration of the knowledge queries

Recipient

The data is collected via the Showpad platform, provided by Showpad Inc. Showpad acts on behalf of and according to the instructions of B. Braun.

Forwarding of data

We use Showpad Inc. as a processor within the meaning of Art. 28 GDPR. The provider receives knowledge of the above-mentioned data insofar as this is contractually provided for and permitted. Data processing outside the European Union (EU) does not take place, as we have limited our storage location to data centers in the EU.

Storage location and duration 

We store your data within our central CRM system for the duration of the business relationship. If you object to the processing, we will continue to store your personal data for as long as we are legally obliged to do so. In addition, data from business contacts with whom we have had no business contact within a defined time frame will be deleted.

Purpose and Legal Basis

The processing of your data is based on our legitimate interest in accordance with Article 6(1)(f) GDPR. Our legitimate interest is based on the continuous exchange with experts and opinion leaders to provide innovative and safe products and solutions for the best possible care of patients now and in the future.

Processed Data

Data you provide to us and that we collect from internal and publicly accessible sources, such as:

• Congress and event activities, publication activities,
• Spoken languages,
• Classification as an opinion leader,
• Regional sphere as an opinion leader and their professional network,
• Membership and position in medical societies,
• Experience level regarding the quantity and quality of their congress and operational activities, surgical experience
• Results from participant evaluations, e.g., at events and product courses.

Storage Duration and Location

We store your data for the duration of the KOL activity and an additional 5 years after the end of the last KOL activity in our Customer Relationship Management System (CRM). If you object to the processing, your personal data will be stored by us as long as we are legally obliged to do so. Our CRM is hosted in the EU.

Recipients

We process your data in our central CRM system. If necessary for cooperation with you, employees from various B. Braun companies may process your data. In cases where we work with contracted sales partners, it may be necessary for them to process your data to the required extent.

Additionally, we use external service providers, so-called processors, for certain activities.

If your data is transferred to other companies, service providers, or other entities outside the EU, we ensure adequate protection of your personal data, e.g., through the conclusion of standard contractual clauses.

You can find the risks arising from the transfer of personal data to third countries in the general part of this data protection information under Transfer to Third Countries.