UK Data Protection Regulation

Controller

The "controller“ is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data Processing on behalf of the controller

"Data processing on behalf of the controller" is a special case in data protection law and means the collection, processing or use of personal data by a processor in accordance with the instructions of the controller on the basis of a contract.

Any processing of personal data requires a legal basis. The legal basis may be the consent of a data subject, the performance of a contract, a legal obligation of the controller, the protection of vital interests of the data subject, the performance of public or sovereign tasks or the legitimate interests of the controller or a third party. In addition, there are other legal bases for the processing of e.g. special categories of personal data.

Legal basis

Any processing of personal data requires a legal basis. The legal basis may be the consent of a data subject, the performance of a contract, a legal obligation of the controller, the protection of vital interests of the data subject, the performance of public or sovereign tasks or the legitimate interests of the controller or a third party. In addition, there are other legal bases for the processing of e.g. special categories of personal data.

Personal data

Personal data relates to an identified (specific) or identifiable (determinable) natural person. A person is "identified" if the data is directly linked to the data subject or if such a link can be established directly. Individual data with personal reference are, for example

• name and identification features (e.g. date of birth, name affixes, ID number),
• contact data (e.g. postal address, e-mail address, telephone number),
• physical characteristics (e.g. height, weight, hair color, genetic fingerprint) or
• other data (e.g. location data, usage data, actions, statements, value judgments, professional career, bank details, etc.).

Processing

"Processing" shall mean the collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, regardless of whether the processing is carried out by automated means or not.

Pseudonymisation

In the case of "Pseudonymisation", the name or other identification characteristics are replaced by a pseudonym (e.g. a number) in order to exclude the identification of the data subject or to make it significantly more difficult to establish. Through “Pseudonymisation”, personal data of a data subject can now only be identified with the addition of further information.

Recipient

"Recipient" means a natural or legal person, public authority, agency or other body to whom personal data is disclosed.

Special categories of personal data

This is a subcategory of personal data. "Special categories of personal data" include particularly sensitive data, such as health data, biometric and genetic data, as well as religious confession, etc.

Third Country

Countries outside the United Kingdom are referred to as "third countries" in the UK GDPR.

The controller is:
B. Braun Medical Limited
Brookdale Road
Sheffield S35 2PW

Phone: 0114 225 9000

The responsibility under data protection law depends on which of our companies you are in contact with or work with. More specific information can be found in the additional information on data protection.

If it is not clear to you who you should contact, you can contact B. Braun Medical Limited at any time using the contact details provided.

If you have any questions regarding data protection, you can contact the respective data protection officer or our data protection team:

Data Protection Department
Brookdale Road
Sheffield S35 2PW

E-mail: dataprotection.uk@bbraun.com

Your personal data may be processed for the following purposes, among others:

• communicating with our contacts, prospective customers, customers or sales partners (hereinafter "business partners") about products, services and projects
• answering inquiries from our business partners
• planning, implementing, and managing the (contractual) business relationship between our business partners and us, e.g. in order to process orders, for accounting purposes or to carry out and process deliveries
• conducting customer surveys, marketing campaigns, market analyses, sweepstakes, contests or similar promotions and events
• planning, implementation, and organization of events, e.g. product training, professional development or job shadowing
• advertising by e-mail and/or telephone as well as developing and providing advertising (newsletters) tailored to your interests
• sending samples, products and information
• maintaining the protection and security of our premises, e.g. issuing visitor passes, access control
• compliance with legal requirements, e.g. tax and commercial law retention obligations, in order to prevent white-collar crime or money laundering
• testing, optimising and further developing products and services
• maintaining and protecting the security of our products and services as well as our websites, preventing and detecting security risks and crimes, fraudulent actions or other criminal or damaging actions
• ensuring the group's IT security and operations
• settling legal disputes, enforcing existing contracts and asserting, exercising and defending legal claims

Which personal data is processed in detail depends on the respective purpose. The scope of the data processed depends on which personal data are required to achieve the specific purpose. To the extent permitted by the specific purpose, we process your data pseudonymously or anonymously.

In doing so, we base the processing of your personal data on one of the following legal bases:

For the performance of a contract (Art. 6 (1) b GDPR)

If you are in a contractual relationship with us, the processing is carried out to fulfil the contract. The same applies to the implementation of pre-contractual measures based on your request.

For compliance with a legal obligation (Art. 6 (1) c GDPR)

We are subject to a large number of legal requirements, such as the Human Medicines Act 2012 and the UK Medical Devices Regulations 2002. In order to comply with these requirements, it may be necessary to process personal data

Based on your consent (Art. 6 (1) a GDPR)

Insofar as you have given us your consent to process your personal data for certain purposes, the respective consent is the legal basis for the processing specified in the respective consent form.

You can withdraw your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

Based on our legitimate interest (Art. 6 (1) f GDPR)

Insofar as the processing of your personal data is not necessary for the fulfilment of a contract with you or to comply with legal requirements and consent also does not constitute an appropriate legal basis for the processing, the processing is carried out on the basis of our or a third party's predominant legitimate interest. In order to be able to use this legal basis, we check in advance whether the following requirements are met:

• we or a third party has a legitimate interest in the processing,
• the processing is necessary to achieve the legitimate interest, and
• your interests or fundamental rights and freedoms requiring the protection of personal data do not override our legitimate interest.
  

Your personal data will be disclosed within the B. Braun group to the extent necessary to fulfill the respective purpose or if the internal organisation requires the disclosure (e.g. central financial accounting, sales and marketing, logistics).

Your personal data will only be passed on to third parties, i.e. bodies outside B. Braun, if the transfer can be based on one of the legal bases mentioned above. Companies are, for example, required by law to disclose data to certain recipients, including in particular

• public authorities, e.g. tax authorities
• judicial/law enforcement authorities, e.g. police, public prosecutors, courts
• lawyers and notaries, e.g. in insolvency proceedings
• auditors

In addition, we use various service providers ("processors" in accordance with Art. 28 GDPR), which we contractually obligate in accordance with the requirements of the GDPR. These include companies from sectors such as IT services, printing services, telecommunications or sales and marketing. Processors may only use personal data according to our instructions and for a specific purpose. Compliance with this is controlled and monitored by us.

As an internationally active group, we may also process your personal data in countries outside of the United Kingdom ("third countries"). If a transfer to these countries is necessary, the transfer will only take place if:

• there is an adequacy decision pursuant to Art. 45 GDPR or appropriate safeguards pursuant to Art. 46 GDPR are in place (e.g. standard contractual clauses issued by the European Commission)
• it serves the performance of a contract
• explicit consent has been given by you
• it is for the assertion, exercise or defence of legal claims
• there is any other exemption pursuant to Art. 49 GDPR

In particular, in accordance with the principle of data minimisation, we only transfer the personal data that are necessary for the fulfilment of the respective processing purpose.

Your personal data will be deleted or blocked as soon as the purpose for storing it no longer applies. In addition, storage may take place if this is necessary to comply with regulatory or legal requirements. Legal storage obligations may result, for example, from the Companies Act 2006, Proceeds of Crime Act 2002.  The periods specified there for storage or documentation are generally two to ten years.

Within the scope of our (contractual) business relationship and/or cooperation, you must provide the personal data that is required to achieve the respective purpose or that we are legally obliged to collect. Without this personal data, we will generally not be able to achieve the intended purpose and enter the business relationship and/or cooperation with you.

We do not use any procedures for automated decision-making in accordance with Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you of this separately, insofar as this is required by law.

According to the GDPR, you can assert the following data subject rights with us:

• You can request information about your personal data processed by us in accordance with Art. 15 GDPR.
• If inaccurate personal data is processed, you have a right to rectification (Art. 16 GDPR).
• If the legal requirements are met, you may request erasure (“right to be forgotten”) or restriction of processing as well as object to processing (Art. 17, 18 and 21 GDPR).
• If you have given consent to the data processing or if there is a contract for data processing and the data processing is carried out with the help of automated procedures, you may have the right to data portability (Art. 20 GDPR).
• In addition, you have the right to lodge a complaint with your respective data protection supervisory authority (Art. 77 GDPR).

Please note that legal obligations of the controller or national exceptions may mean that your data cannot be permanently deleted or can only be deleted after a certain period of time has elapsed.

To assert one or more of your data subject rights, please contact us using the contact details provided under "controller and contact person".

Right to object according to Art. 21 GDPR

Individual right to object
You have the right to object at any time, on the basis of your particular situation, to the processing of your personal data carried out on the basis of Art. 6 (1) f GDPR; this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate reasons for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Right to object to processing of personal data for direct marketing purposes
We may also use your personal data for direct marketing purposes within the framework of the legal provisions. You have the right to object at any time to the processing of your personal data for direct marketing purposes; this also applies to profiling insofar as it is associated with such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be made informally. You will find our contact details under "contoller and contact person".

For information on how your personal data is processed in the context of your application, please refer to the privacy policy.

If you contact us via a contact form, an e-mail address or a telephone number, we also process personal data about you. You will often also be asked for your consent to the processing of personal data for advertising purposes in the context of contact forms. In this regard, please refer to the section "Newsletters".

Purposes and legal basis

The purpose of the processing results from the handling of your enquiry or request and further communication. The legal basis for the processing is our legitimate interest according to Art. 6 (1) f GDPR, which results from the aforementioned purposes, or your consent according to Art. 6 (1) a GDPR.
If your contact is aimed at the conclusion of a contract / an ongoing contractual relationship with us, the legal basis is the initiation or implementation of the contractual relationship in accordance with Art. 6 (1) b GDPR.

Processed data

The specific data processed results from the respective contact form. As a rule, however, it will be the following data:

• Master data (e.g. names, addresses)
• Contact details (e.g. e-mail, telephone numbers)
• Information about your request

Storage period and location

The storage period depends on your specific request. If, for example, your contact is aimed at concluding a contract with us or we already have a business relationship with you, your data will be stored until the contractual and/or legal obligations have been fulfilled and legal retention periods do not prevent deletion.

Recipients

Depending on the request (e.g. questions about our products and services), your data will be processed further. In order to be able to answer your enquiry/your request in the best possible way, your data will be passed on to the necessary extent within the group (if necessary also to group companies outside the EU).
In addition, we use order processors (e.g. IT and software service providers).

As a global company, we work with contracted distributors in certain countries and regions. In order to provide information on B. Braun products, therapies, solutions or events, for promotional purposes, to contact you or to respond to your enquiry, we will, with your consent, pass on the personal data you have entered to these external sales partners so that they can contact you. Our sales partners work regionally, which means that your data is only passed on to the sales partner with whom we work in your region.

We want to continuously improve our offers and services and for this reason we conduct customer satisfaction surveys after certain contact points. The surveys take place immediately after a previous customer contact. We also comply with the legal requirements and standards that demand a measurement of customer satisfaction.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out by us on the basis of:

• your consent in accordance with Art. 6 (1) a GDPR,
  
• our legitimate interest pursuant to Art. 6 (1) f GDPR. There is a legitimate interest in collecting the experience of our contacts and to be able to continuously improve our service,
• a contract according to Art. 6 (1) b GDPR (e.g. contracts on work shadowing)

Processed data

• Name, address, e-mail address, telephone number and comments; and
• Other information you provide to us when completing a survey. In the context of each survey, you will be informed in advance about the purpose of the processing.

When participating in the survey, you are also asked to enter comments in free text fields. We strongly recommend that you do not enter any personal data about yourself or any other person. If you enter personal data in a free text field, this data may be passed on to the categories of recipients listed below.

The following cookies can be used in conjunction with our survey tool:

• Aesculap Product complaint
  
• Aesculap Consultancy Services TCC
• Aesculap Consultancy Services TCC Follow UP
• Aesculap ELSA
• Aesculap Hospitationen
• Aesculap Product Launch

These cookies are used to allow respondents to pick up the survey where they left off after pausing the answering of the survey.

You can deactivate the use of cookies at any time via your browser settings. Please use the help functions of your internet browser if you do not know how to change these settings. Please note that if you disable cookies, you will probably not be able to use the survey tool.

Storage period and location

Your data will be stored in accordance with legal and internal requirements and deleted after a period of 2 years. Your data will be processed within the EU. In the case of technical support, your data may be transferred to a service provider outside the EU to fulfil your request. In such a case, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Recipients

Your personal data will be processed by us as data controller and, in some cases, by InMoment (a company under German law, registered with the commercial register number HRB92708 at the Hamburg District Court, with its registered office at Borselstraße 18, 22765 Hamburg) as data processor.

Purpose and legal basis

The purpose of the processing is to enable you to participate in a guided tour of the factory. The legal basis for this is your consent pursuant to Art. 6 (1) a GDPR, which you grant us with your registration. You can revoke your consent at any time. However, in the event of a withdrawal, you will not be able to participate in the guided tour of the factory. To withdraw your consent, please send an e-mail to werkfuehrungen@bbraun.com.

In addition, the contact person of the group assures us that the information provided by them, in particular first name/last name and email address, is true and correct, that they are authorised to provide the data of any other participants and that they have sufficiently informed them about the processing, e.g. by using this website.

Processed data

When you register for and participate in a guided tour of the factory, we process the following data about you:

• Contact details (e.g. surname, first name, address, e-mail, telephone number).
  
• Dates of arrival and departure
• Plant you wish to visit
• Language in which the factory tour is to be conducted
• Means of transport on arrival
• Optional: Further information on the group, such as eating habits for participants with allergies.

If we process health-related data (e.g. on allergies), religious, political or other special categories of personal data in this context, this is done within the scope of public disclosure (e.g. for thematically oriented events) or with your consent.

Storage period and location

Your data will be stored for 3 years in accordance with the legal requirements and deleted after this period. Your data will be processed within the EU.

Recipients

We process your data in a central system. Within this framework, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective event.

Through our website, you have the opportunity to receive various information (e.g. download a white paper, participate in a webinar/event) on various specialist topics free of charge from B. Braun. For this purpose, it is necessary that you consent to the use of your data for marketing purposes in return for the provision of this information. We will use the contact details you provide for the provision of information. You will receive an activation email from us or by joining after the registration confirmation, through which your data will be confirmed. Thereafter, you will receive access to the broadly presented information and may also be informed in the future about other relevant therapies, products, solutions or events by B. Braun and our contractually bound sales partners.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out on the basis of:

• your consent pursuant to Art. 6 para. (1) a GDPR; or
  
• our legitimate interest according to Art. 6 (1) f GDPR. There is a legitimate economic interest in informing our contacts about further offers and events of B. Braun in order to establish and maintain a long-term customer relationship.

Processed data:

• Name and email address
• Optional: Title and salutation

Storage period and location

As soon as you have revoked your consent or objected to the processing, your personal data will no longer be used for the purpose of advertising and providing information via our website. If a business relationship continues to exist, your data will continue to be processed for these purposes, otherwise they will be deleted. Your data will be processed by processors (see recipients).

Recipients

We process your data in a central CRM system. Within this framework, your data may be passed on within the B. Braun Group if this is necessary for the provision of the information.

Furthermore, it may be necessary to pass on personal data to other bodies:

• to service providers, e.g. IT service providers or service providers for sending mailings.
  

In doing so, we observe the principle of data economy and only pass on the personal data required in each case.

If your data is transferred to other companies, service providers or other entities outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent. The risks resulting from the transfer of personal data to third countries can be found in the general part of this privacy notice under "Transfer to third countries".

We use your contact details to send you information about products, services or events that may be of interest to you.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out by us on the basis of:

• your consent pursuant to Art. 6 (1) a GDPR or
• our legitimate interest pursuant to Art. 6 (1) f GDPR. There is a legitimate economic interest in informing our contacts about our own offers and events in order to establish and maintain a long-term customer relationship

At the same time, we observe the local requirements and regulations on advertising.

Processed data

In this context, we process the following personal data:

• by e-mail: Name, title, function, institution, department, address and e-mail address
• by mail: Name, title, function, institution, department, address
• personal interest in products/services and/or events

Storage period and location

As soon as you have revoked your consent or objected to the processing, your personal data will no longer be used for the purpose of advertising. If a business relationship continues to exist, your data will continue to be processed for these purposes, otherwise they will be deleted.
Your data will be processed by order processors (see recipients).

Recipients

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The risks resulting from the transfer of personal data to third countries can be found in the general part of this information on data protection under “transfer to third countries”.
 

If we have received your contact details as part of a business event, a business appointment or as part of an order, we use your contact details to maintain our business contacts. For this purpose, we transfer your contact data to our CRM system.

Purpose and legal basis

Your data is processed on the basis of our legitimate interest pursuant to Article 6 (1) f GDPR. There is a legitimate economic interest in maintaining contacts that have arisen in the course of business transactions beyond the initial contact and to use them to build up a business relationship and to remain in contact with you for this purpose.

Processed data

In this context, we process the following personal data:

• name, title, function
• institution
• business contact details
• business address
• business e-mail address, telephone number

If requested by you and made available to us:

• private contact details, private address, private e-mail address, telephone number

Storage period and location

We store your data for the duration of the business relationship. If you object to the processing, we will continue to store your personal data for as long as we are legally required to do so. In addition, data of business contacts with whom we had no business contact within a defined period of time will be deleted.

Recipients

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The risks resulting from the transfer of personal data to third countries can be found in the general part of this information on data protection under “transfer to third countries”.

For the organisation, implementation and follow-up it is necessary to process personal data. Depending on the event and the scope of services, different personal data will be collected from you. Please read below how we process your personal data when you participate as a participant or speaker in our events and similar activities (hereinafter referred to as "events").

Participants

Purpose and legal basis

The purpose of the processing is to enable you to participate in the events and take advantage of the services or promotions associated with your participation. The legal basis differs depending on the event

• Legitimate interest pursuant to Art. 6 (1) f GDPR (e.g. to ensure secure and efficient communication).
• Consent according to Art. 6 (1) a GDPR (e.g. your registration)
• Contract according to Art. 6 (1) b GDPR (e.g. hospitation contracts)

Processed data

When you register and participate in one of our events, we process the following data about you:

• master data (e.g. name, title, department, function, address, institution).
• contact data (e.g. e-mail, telephone numbers)
• contract data (e.g. subject of contract, duration, customer category)
• arrival and departure data
• optional: dietary requirements for participants with allergies

in individual cases additionally:

• specific passport data for the creation of invitation letters for VISA service
• date and place of birth

For paid events we also process:

• payment data (e.g. bank details, invoices, payment history, private address if given)

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of disclosure (e.g. for theme-based events) or is done with your consent.

Storage period and location

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period has expired. Your data will be processed within the EU.

Recipients

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective event. This may be the case, for example, if we have to forward your contact request to national companies for processing or if you have participated in international events. Furthermore, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by mail or digitally
• to hotels and transport companies if you ask us to organise your travel and stay
• to local authorities e.g. in the context of applying for VISA

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Active part (e.g. speakers, advisors, moderators)

Purpose and legal basis

Your data will be processed by us for the purpose of handling your contractual performance. The legal basis is the contractual relationship according to Art. 6 (1) b GDPR.

Processed data

We process the following personal data about you:

• master data (e.g. name, title, department, function, address, institution)
• contact data (e.g. e-mail, telephone numbers)
• contract data (e.g. subject of contract, term, customer category)
• arrival and departure data
• payment data (e.g. bank details, invoices, payment history, home address)
• optional: dietary requirements in case of allergies

in individual cases additionally:

• specific passport data for the creation of invitation letters for VISA service.

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of disclosure (e.g. for theme-based events) or is done with your consent.

Storage period and location

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period has expired. Your data will be processed within the EU.

Recipients

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective activity/assignment:

• financial accounting for payment processing

In addition, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by mail or digitally
• to hotels and transport companies if you ask us to organise your travel and stay.
• to local authorities e.g. in the context of applying for VISA

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Your product complaint, medical information request or adverse event report related to medicinal products (pharmacovigilance)

The scope of this privacy policy is limited to the processing of personal data in connection with product complaints, medical information requests and pharmacovigilance. Pharmacovigilance is the detection, evaluation, tracking and prevention of adverse events related to medicinal products. Within the framework of pharmacovigilance, we process reports of adverse events in connection with pharmaceuticals (e.g. suspected cases of side effects or lack of drug effect). If you report adverse events or other pharmacovigilance-relevant information to us, we will process this data exclusively for pharmacovigilance purposes.

Purpose and legal basis of the processing – Pharmacovigilance

In terms of pharmacovigilance reporting, we comply with the relevant requirements that oblige us and the responsible regulatory authorities to manage data on adverse events. This serves to protect public health and to ensure a high standard of quality and safety.

We are required to process certain personal data of affected patients and/or reporting persons to report adverse events related to pharmaceuticals to the relevant regulatory authorities. The personal data will only be processed for pharmacovigilance purposes and only when relevant and appropriate to properly document, assess and report such an event in accordance with our pharmacovigilance obligations. The information in question is of great importance to public health and is used for the detection, assessment, understanding and prevention of adverse events and other risks related to our pharmaceuticals. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data in the context of adverse event reports related to medicinal products or other aspects of pharmacovigilance (even if provided in the context of a medical request)

Legal basis: This processing is necessary for B. Braun's statutory pharmacovigilance obligations (Good Pharmacovigilance Practice, MPA). (Art. 6 (1) c and Art. 9 (2) i GDPR)

Purposes and legal basis of the processing - Medical requests

Any personal information provided to B. Braun in connection with medical enquiries may be used to respond to and follow up on the enquiry in question. The information in question may be stored in a medical information database for reference purposes. In addition, we may be required by law (for example, as part of pharmacovigilance) to report the data to regulatory authorities. We do not use your data for any other purposes. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data related to a medical request may be used to respond to and follow up on the request

Legal basis: This processing is based on B. Braun's legitimate interest in following up on your requests (Art. 6 (1) f GDPR). If you are a patient, we will only process your personal data with your explicit consent.  (Art. 6 (1) a and Art. 9 (2) a GDPR).

Purposes and legal basis of the processing – Product complaints

Any personal information provided to B. Braun in connection with a product complaint will be used solely for these purposes. The information in question is of great importance to public health and will be used to assess, classify, and evaluate the product complaint, to follow up on related enquiries and to store the data in a product complaint database for reference purposes. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data in connection with a product complaint (e.g. for the assessment, classification and evaluation of the product complaint, for the follow-up of the corresponding request and for the storage of the data for reference purposes in a product complaint database) (also if provided in the context of a medical request)

Legal basis: This processing is necessary to comply with the legal obligations applicable to B. Braun (Art.6 (1) c and Art.9 (2) i GDPR).

Categories of data

When submitting a notification, the following data may be processed, depending on the individual case:

Reporting of adverse events related to medicinal products

Reporting person: name, contact details, belonging to an occupational group

Person affected by an adverse event: personal data on health and medical history as far as necessary for the processing and assessment of the case. This may include data such as initials, age/date of birth, sex, weight, and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of complying with the obligation to medicines safety and our legal obligations.

Medical requests

Reporting person: name, contact details, belonging to an occupational group

If a medical request includes data on a product complaint or suspected adverse reactions, it will additionally be treated as such.

Product complaints

Reporting person: name, contact details, belonging to an occupational group

In the event that a person has experienced a health impairment in connection with a product complaint, personal data on health and medical history will be collected to the extent necessary to process and assess the case. This may include data such as initials, age/date of birth, sex, weight, and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of meeting the obligation to medicines safety and our legal obligations.

Storage period and location 

Due to their importance for public health, pharmacovigilance-related information will be kept for at least 15 years after the withdrawal of the respective products from the market in the last country where they were offered. As information on product complaints is important for public health, complaint records including the corresponding personal data are kept for at least 15 years. Personal data stored in the context of medical information requests will be kept for a maximum of 11 years from the date of receipt.

Recipients

B. Braun may share personal information that you provide to us as necessary to maintain B. Braun's global pharmacovigilance database and to comply with applicable pharmacovigilance legislation. To do this, we may share and/or disclose personal data as follows:

• within the B. Braun Group, to analyse and evaluate a reported adverse event.
• to the competent supervisory authorities, regarding a (suspected) adverse event.
• to service providers, e.g. IT service providers. 
• to other pharmaceutical companies acting as co-marketers, co-distributors, or other licensing partners of the B. Braun Group, if the pharmacovigilance obligations for our product require such exchange of safety information. 
• When information about adverse events is published (for example, in the form of case studies and summaries); in these cases, your data will be anonymised to keep your identity confidential.

In addition, B. Braun is required to share certain pharmacovigilance and product-related information with health authorities worldwide. This also includes authorities for which data protection regulations differ from those of the United Kingdom. Legal basis: Art. 6 (1) c and for transfers outside the United Kingdom Art. 6 (1) f and Art. 49 (1) e GDPR.

The reports in question contain details of the incident in question. Personal data are only included to the extent necessary:

• For patients, the report includes only, as indicated, age, sex, and initials (where indicated), date/year of birth (where disclosure is permitted) but never the patient's name. 
• For reporting persons, the report includes the name, profession (e.g. doctor, pharmacist), initials or address, email address and telephone number (where indicated). The contact information is necessary to be able to contact the reporter to obtain high quality and complete information on adverse events. If the reporter does not wish to share their contact information with B. Braun or authorities, "privacy" will be entered in the reporter's name and contact information field.

If your data is passed on to other companies, business partners or service providers outside the United Kingdom, we ensure that your personal data is adequately protected, e.g. by concluding standard contractual clauses and/or that only necessary data is passed on.

We use the video conferencing tools "Teams" (from the provider Microsoft, USA) and "Zoom" (from the provider Zoom Video Communications Inc., USA) to carry out digital events.

Purpose and legal basis of processing

The legal basis for processing personal data is determined by the specific purpose for which the respective platform is used and the digital event is offered. These can be: 

• Effective implementation of the event we offer to inform participants about professional topics: legal basis is our legitimate interest based on Art. 6 (1) f GDPR. 
• Conducting e.g. group or individual meetings, trainings and events to fulfil a contract with the data subject: legal basis is Art. 6 (1) b GDPR. 
• Conducting group or individual meetings, training sessions and events required for business purposes as part of the employment: the legal basis is the recruitment, performance or termination of the contract of employment pursuant to Section 26 (1) German Data Protection Act. 
• Implementation of group or individual meetings, training sessions and events based on your consent in accordance with Art. 6 (1) a GDPR, which you grant us by participating in the respective digital event.

Categories of data

The scope of the data processed depends on the purpose of the digital event, but in particular also on the information you provide before or during your participation in the event (e.g. use of the chat function): 

• Meeting metadata: e.g. date, time, meeting ID, phone numbers, location.
• Text data: if you use the chat function, your posts are processed to display them within the chat. 
• Audio and video data: If you use the video and audio functions, data from the microphone and/or video camera will be processed for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time.
• Shared files and information: With the help of the " share" function, you can share your screen or files with other participants. All files, content and comments posted by users can be accessed by the people with whom they are shared. These can be individuals or members of a team or channel.
• Documentation of your participation with attendee lists: For certain purposes, such as conducting training or awareness-raising activities, it is necessary to keep a list of attendees and store it as evidence. The video conferencing tools offer the possibility to export a list of participants after an event.

Transfer of data

We use Microsoft and Zoom as a processors within the meaning of Art. 28 GDPR. The providers obtain knowledge of the above-mentioned data to the extent contractually permitted.

Microsoft and Zoom reserve the right to process customer data for its own legitimate business purposes. We have no control over this data processing. To the extent that the providers process personal data in connection with its legitimate business purposes, they are the data controllers for those data processing activities and, as such, are responsible for compliance with all applicable data protection laws. This particularly applies when you access the website s of Microsoft and Zoom or use the video conferencing tools through your browser. If you require information about Microsoft's and Zoom's processing, please refer to their relevant privacy statements.

Data processing outside the European Union

In principle, there is no data processing outside the European Union (EU), as we have limited our storage location to data centres in the EU. However, we cannot exclude the routing of data via internet servers that are located outside the EU. This can be the case in particular if participants are located in a third country.  

Measures to protect your data

The data processed during a digital event is encrypted during transport via the internet and thus protected against unauthorised access by third parties. In addition, we have agreed extensive technical and organisational measures with the providers that correspond to the current state of the art, e.g. with regard to access authorisation and end-to-end encryption concepts for data lines, databases and servers.

Deletion of data

We delete personal data when the storage of the data is no longer necessary. In the case of statutory retention obligations, deletion comes into consideration after the expiry of the respective retention obligation.

Your right as a data subject

You have the right to obtain information about the personal data relating to you. Furthermore, you have the right to rectification or deletion or to restriction of processing, insofar as you are entitled to this by law. You can revoke your consent at any time with effect for the future. The lawfulness of the processing until the revocation remains unaffected. Finally, you have the right to object to processing within the scope of the law. You also have the right to data portability within the framework of data protection law. You have the right to file a complaint about the processing of personal data by us with a supervisory authority for data protection.

Particular feature: recording of digital events

In certain circumstances, recording of digital events may take place. This is done for the purpose e.g. publication, documentation, etc. The legal basis is your informed (written) consent according to Art. 6 (1) a GDPR, which you grant us by attending the event. If a digital event is to be recorded, we will inform you about this transparently in advance (e.g. as part of the invitation). In addition, a notice will be provided during the event before the recording is started. The system will also inform you that the event is being recorded.

The recording is stored and deleted after expiration of the respective retention period in accordance with data protection regulations. 

Under certain circumstances, it may be necessary to publish the recording to the group of participants, on the intranet or on the internet in order to fulfil the above-mentioned purpose. If the recording is published on the intranet or internet, we would like to point out that the recordings are made accessible to a broad public. Every viewer can use the content on the internet at their own discretion, including misuse, without this being able to be monitored, restricted or prevented. However, within the framework of data minimisation, we take care, especially when publishing recordings, to delete or anonymise personal data in advance that is not relevant for publication (e.g. cropping the video excerpt).

For information on how we handle your personal data when you use one of our apps or websites, please refer to the respective privacy policy.

Visitor, guest and contractor registration

Only persons authorised by the B. Braun Group may enter any of our premises. As a visitor, guest or external company employee, you must provide the categories of data listed below and will usually receive a visitor's pass that entitles you to stay on the factory premises for the duration of your visit/stay.

Purpose and legal basis of processing

The purpose of the processing results primarily from the exercise of domiciliary rights and the protection of the company's property. In addition, the processing serves us to be able to determine at any time who is on the premises and in our buildings, in particular to ensure the safety of the premises and the protection of the persons working there. The legal basis is our legitimate interest pursuant to Article 6 (1) f GDPR, which results from these purposes.

Processed data

The following data is processed:

• Name and first name
• Vehicle registration number, if applicable
• Company for which you work
• Duration of your stay
• Your contact person in our company

Storage period and location

Your data will be stored for as long as is necessary to achieve the aforementioned purposes or to fulfill a contract (usually for 1 year). Data may be stored beyond this period if and insofar as this is required by law.

The storage of data differs for each location. The data required for visitor management is stored either in a visitor management system or a visitor book.

Recipients

We partially use processors based within the EU for visitor management (e.g. site security, IT service providers).

Please also note the information on data protection on site.

Safety instruction/ briefing

Purpose and legal basis of processing

The purpose of the instruction is to ensure the health and safety of visitors and contractor employees on the company premises.

Applicable Laws

• The Health and Safety at Work Act 1974
• The Management of Health and Safety at Work Regulations 1999

Processed data

• First and last name
• Company
• Date of birth
• E-mail address
• Date of safety briefing/ visit to the company premises

Storage period and location

Your data will be stored for as long as is necessary to achieve the aforementioned purposes or to fulfil a contract. Data may be stored beyond this if and insofar as this is provided for by law.

Video surveillance at UK locations

We use video surveillance to protect our premises and buildings. Surveillance areas are always marked with appropriate signs.

Purpose and legal basis

The video surveillance serves the purpose of crime prevention and security in accordance with our legitimate interest pursuant to Art. 6 (1) f GDPR. Please also note the corresponding information displayed at the respective location. The use of video surveillance is for preventive purposes to prevent persons from committing legal violations to the detriment of B. Braun. The aim of video surveillance is to ensure the preservation of evidence and the clarification of criminal offences as well as the enforcement of claims for damages under civil law in the event of irregularities such as trespass, damage to property, theft or unauthorised entry.

Storage period

The storage period of the records is within the scope of what is operationally necessary and legally permitted and can vary depending on the location. The data is then automatically deleted unless there is a legal interest in further processing.

Recipients

If a criminal offence has occurred, the corresponding video recordings will be passed on to the law enforcement authorities to the extent that is necessary.