Data Privacy Information for Specific Processing Activities

Welcome to this information page on specific processing activities conducted by Bayer AG, Kaiser Wilhelm Allee 1, 51368 Leverkusen (Germany) and all of its affiliates based in the European Economic Area (hereinafter “us” or “we”).

 

What you get

You might be visiting this information page:

 

  • because we invited you to visit this information page in order for you to be able to obtain further information on a specific data processing activity because at the time when we obtained your personal data, we were not able to provide you with all necessary information or

  • because you are searching for publicly available information on how we process personal data not obtained directly from you but, for example, from publicly available sources, where informing each individual proves impossible or would involve a disproportionate effort (Art. 14(5)(b) GDPR).

  • because you have been in contact with / addressing requests to HR Operations. Depending on the recipient of your request to HR Operations, your current or former employer as legal entity within Bayer Group, respectively the Bayer-Beistandskasse VVaG, Bayer-Unterstuetzungskassse GmbH, Bayer-Pensionskasse VVaG or Rheinische Pensionskasse VVaG (hereinafter “us”, “our” and “we”), each in its capacity as controller for the processing of your personal data, wishes to provide you with information on the processing of your personal data.

Please note: This page is not an exhaustive source of information about any kind of processing activity we perform. Where we are able to provide you with all required information at the time we obtain personal data from you, we do so by providing you with data privacy statements specific to the respective processing activity. If you are looking for information regarding the processing of your personal data on this website, for example, please visit our website’s data privacy statement.

Personal Data We Process about You, if …

… you hand over your business card to us

 

business-cardWhen you hand over your business card to us, we might copy it and enter the personal data contained therein into one of our contact management systems.

We use the information contained therein about you in order to contact you. The legal basis for processing your personal data and the respective retention period vary, depending on the purpose for which you have given us your business card. However, we will only store your personal data for as long as is necessary to stay in contact with you.

 

… you communicate with us via email

 

emailWhen you communicate with us via email, we process your email address, the information you provide in your emails (e.g. your name, further contact information from your signature, the content of your emails or any attachments) as well as the email meta data (e.g. time stamp, sender’s IP address, mail user agents, servers used in transit, etc.).

 

Additionally, we may process your email address for cyber security purposes. In order to protect Bayer’s data assets from unauthorized disclosure to third parties, we use a Data Loss Prevention (“DLP”) tool to prevent possible data leakage incidents by detecting and blocking certain data flows of sensitive information. In the case your email address is included in a detected incident, the data is stored as long as necessary to assess and resolve the incident or keep the data as evidence. This data processing is based on our legitimate interest to protect the Bayer group against loss of intellectual property and other sensitive information.

We use this personal data in order to be able to communicate with you. The legal basis for the processing of your personal data and the applicable data retention rules for your personal data may vary depending on the purpose for which we communicate with you. However, our general retention period for email inboxes is six months, unless your email has been archived, in which case the general retention period is four years. Please ask either the person in our organization whom you are in contact with or our data protection officer mentioned above if you want to know more about the purpose, legal basis and data retention rules applicable to your personal data in your individual case.

 

… you are, or work for, one of our customers, suppliers or contract partners

 

partnerWe process contact information (like name, email address, telephone number, position and role in the company) of employees of our customers, suppliers or contract partners (like key account managers, consultants, business partners or legal counsels) or of individuals who directly act as our customers, suppliers or contract partners (such as freelancers). We also might process individuals’ payment data (like bank account information), if applicable.

We use this information to manage our business relationship with you, e.g. to process your orders and deliver service to you, to manage your purchase history, to choose and contact the right supplier, or to pay any due invoices.

 

As the processing of personal data for the aforementioned purposes lies in the legitimate interest of Bayer, the legal basis for processing is Art. 6(1)(f) GDPR. As far as it is necessary to process the data to fulfill a contract with you, the legal basis is  Art. 6(1)(b) GDPR.

 

We retain this kind of personal data for as long as it is necessary to continuously manage our relationship or to perform our contract with the relevant customer, supplier or contract partner. Legal archiving requirements may exceed this retention period, for example to meet tax legislative  requirements for archiving. We delete these personal data as soon as they are no longer needed.

 

You can find more information on the processing of your data in customer service in our country-specific data privacy statements.

 

… you reach out to HR Operations

 

partnerYou can reach out to HR Operations via different channels (e.g. telephone / email / fax / Communication Center in myServices) for various different purposes. We will process personal data that you provide us in the context of your request (e.g. name, date of birth, CWID, address, request) for identification and authentication purposes and to process your request.

The legal basis for the processing of your personal data is Art. 6(1)(b) GDPR.

If you are an active employee on a randomly basis an invitation to participate in a Satisfaction Survey may be sent to you following your contact. This serves the continuous improvement of our HR services. Your participation in such a survey is voluntary and anonymous, unless you voluntarily identify yourself to the survey (for example, by submitting personal data in text fields). In such a case, the legal basis for the further processing of your personal data is also Art. 6(1)(b) GDPR.

We would like to point out that depending on your request in individual cases also conclusions on special categories of personal data are possible. This applies, for example, to the following example cases:

 

Special categories of personal data Description
Information about your sexual orientation If you provide us with your marriage certificate, this will also contain the gender of your spouse.
Information about your religious belief If you provide us with your tax details or a remuneration statement, this may also show your religious belief.
Information about your health If you send us a sick leave, this is information about your health status; If you submit a medical report when you apply for a child allowance, this may provide diagnoses or illnesses.

Retention periods for personal data. Tickets to your requests are stored for a period of 3 years from the date of creation.

 

… you ask us a medical inquiry

 

medical inquiry

When you ask us a medical inquiry we will enter the personal data contained therein into our Medical Information database.


We will process the following personal data for the purpose to manage your medical inquiry and to deliver a respective response:

  • Contact information (e.g. your name, address, phone/fax/mobile phone/email/ or other online contact information)
  • Demographic data (e.g. age/age group, date of birth, gender)


Should such information be part of your request, we furthermore may process information which qualifies as sensitive personal data like

  • information about your health status,
  • your religious beliefs, 
  • your sex life/sexual orientation or 
  • your ethnicity.


An example where this could be the case is a request whether a Bayer product would be suitable for a Kosher diet.
 

Purpose of processing your personal data is to answer your medical request.


Access to your personal data is restricted to Bayer AG and its group entities that are involved in managing and responding to your inquiry, and to the call center operator Conduent Commercial Solutions, LLC and its group companies. These entities may be operating in countries different from your home country.


If the inquiry you ask contains an adverse event, special circumstance or product technical complaint, or is an inquiry outside of the scope of medical information, we will forward your inquiry containing your personal information to the relevant department for respective processing. For this purpose, we transfer your name, contact details and any information you have provided to us including information related to special categories of personal data if this has been provided. 


For the processing of your personal data, we will to some extent use specialized service contractors who act as our data processors including the call center operator Conduent Commercial Solutions, LLC. Such service contractors are carefully selected and regularly monitored by us. They will only process personal data in accordance with our instructions and based on appropriate data processing agreements.


Legal basis for processing your personal data, including your sensitive personal data, is your consent. In addition, it is our legitimate interest to process your personal data for answering your enquiry and for documentation and record keeping purposes. If your request contains information about adverse events or is a product technical complaint, we are legally obliged to process respective information including sharing the information provided with the responsible Marketing Authorization Holder.


We retain your personal data beyond having answered your inquiry for documentation and record keeping purposes and regulatory compliance. Personal data related to sole medical information inquiries (managed in full by medical information staff, without an adverse event, product technical complaint or a need for forwarding to another department for handling) will be anonymized in accordance with local data privacy requirements, except where otherwise provided by law (e.g. in connection with an adverse event). Inquiries containing adverse event or product technical complaint information will be retained to meet regulatory requirements. Data provided to other departments will be retained for processing your inquiry.


Further additional country-specific information related to data privacy can be found on the respective countries’ Bayer internet sites.

… you or others publish your personal data on the internet

 

publish-on-internetWe search the internet for information for various purposes that are explained in more detail below. This information may contain personal data. We also use active online listening services. Active online listening is the process of identifying and assessing what is being said about a company, individual, product, brand or topic with business relevance to the company on the internet. We process the personal data we collect from publicly accessible areas on the internet and in public media by, for example:

 

  • performing keyword searches across the web (e.g. websites, social media platforms, social network communities, blogs, mainstream news sources, forums or photo and video sites);
  • searching, filtering and analyzing conversation streams;
  • viewing visual analytic displays of conversation trends over a specified time range;
  • monitoring publicly available opinions, statements or other interactions on the internet from certain individuals or entities that are important for us and our business (so called thought leaders).

 

Following categories of personal data may be processed:

  • Name, gender, job title/position within an organization/company (e.g., manager, spokesperson, editor, contributor), topic focus
  • Social media accounts (e.g., Twitter) and website addresses 
  • Information on published articles or statements (e.g., date of publication, author, information on media reach, tone on relevant topics, article content)

We use the personal data to obtain insights related to following purposes:

  • Customer and stakeholder insights/Public Relations and Corporate Communications
    We want to identify business opportunities and risks alongside innovations, to better understand sentiment, intent, mood, market and societal trends as well as our customers’ or other stakeholders’ needs, preferences or opinions. For this purpose, we follow public media reporting as well as stakeholder communication and activities on Bayer-related or industry-related topics. Thereby we are able to engage in dialogue more effectively, improve our services, products and the way in which we operate our company as well as capture business opportunities and mitigate business risks. The legal basis for processing the personal data involved in this is Art. 6(1)(f) GDPR as it is necessary to pursue our legitimate interests that result from our aforementioned processing purposes. We delete personal data as soon as they are no longer required for the purposes they were initially acquired for, as a rule however, at the latest if they are older than 3 years.

  • Stakeholder Engagement & Management
    After we identified a stakeholder for our company (e.g. through active online listening, at an event, etc.) we process personal data to establish, maintain, cultivate and improve our personal stakeholder relationship in order to facilitate our business interests and activities (e.g. representing of our interests in politics and society, maintaining and participating in direct (legal) dialogues, providing information about our business, research and other activities, managing our public affairs and corporate communication, understanding stakeholder opinion on certain Bayer-related topics, maintaining an overview about our stakeholder contact history etc.) For these purposes, additionally to the personal data mentioned above, we might process the following personal data about you: contact details like phone number, e-mail address, postal address; political opinions; voting behavior; statements; memberships in associations; relationships to other stakeholders; content about topics discussed in meetings, panels/committees, etc. We delete the personal data as soon as they are no longer required for the purpose they were initially acquired for, as a rule however after 7 years of inactivity of our personal stakeholder relationship, except where otherwise provided by law.
    Additionally, we recommend that you always read the terms and conditions of third-party sites, including but not limited to websites, forums and social media channels, where you chose to engage and share your personal data, opinions and perspectives. You have therefore control over your data which is collected. Bayer remains committed that relevant data which is related to your role as a stakeholder and not as a private person is processed. Bayer reinforces this through our commitments to consistently train staff and to ensure compliance through internal policies and via contractual terms with third parties.

  • Product safety and product quality
    As a company that supplies medicinal products and devices, we need to be able to identify any side effects, lack of therapeutic effect, medication errors, gray market products/counterfeit medicines, incorrect or off-label uses, quality complaints and/or other issues regarding the safety or quality of our products. The legal basis for processing the personal data involved in this is either Art. 9(2)(i) GDPR, as processing is necessary for ensuring high standards of quality and safety of health care and of medicinal products or medical devices, or Art. 6(1)(f) GDPR, as it is necessary to pursue our legitimate interests that result from our need to be able to know and react to any safety or quality issues in respect of our products. We delete personal data as soon as they are no longer required for the purposes they were initially acquired, unless the information therein is still required or there is a legal obligation to archive such personal data (e.g. information regarding adverse events). Adverse event information will be stored at least for the duration of the life cycle of the relevant product and for an additional ten years after the product has been taken from the market.

 

Transfer of Personal Data for Commissioned Processing

We might use specialized service contractors to some extent in processing your personal data. Such service contractors are carefully selected and regularly monitored by us. Based on relevant data processing agreements, they will only process personal data upon our instruction and strictly in accordance with our directives.

 

Third party transfer

For requests addressed to HR Operations, if your request cannot be answered or processed by us directly, the personal data required for this purpose will be forwarded to the relevant departments in the Bayer Group for further processing (e.g. for reported technical access problems to the IT service or for requests for shift flat rates to the responsible HR Business Partner). Depending on your concerns, it may also be necessary for us to e.g. get in contact with the relevant tax office or your health insurance company.

 

Processing of Personal Data outside the EU / the EEA

Your personal data may in part also be processed in countries outside the European Union (“EU”) or the European Economic Area (“EEA”), which may have lower data protection standards than European countries. In such cases, we will ensure that a sufficient level of protection is provided for your data, for example, by concluding specific agreements with our contractual partners (copy available on request), or we will ask for your explicit consent to such processing.

Information Regarding Your Rights

The following rights are in general available to you in accordance with applicable data privacy legislation:

  • Right of information about your personal data stored by us;
  • Right to request the correction, deletion or restricted processing of your personal data;
  • Right to object to processing for reasons of our own legitimate interest, public interest or profiling, unless we are able to prove that compelling, warranted reasons superseding your interests, rights and freedom exist, or that such processing is done for the purposes of asserting, exercising or defending legal claims;
  • Right to data portability;
  • Right to file a complaint with a data protection authority;
  • You may at any time with future effect revoke your consent to the collection, processing and use of your personal data. For further information, please refer to the chapters above describing the processing of data based on your consent.