Data Privacy Information for Specific Processing Activities
Welcome to this information page on specific processing activities conducted by Bayer AG, Kaiser Wilhelm Allee 1, 51368 Leverkusen (Germany) and all of its German affiliates (hereinafter “us” or “we”).
What you get
You might be visiting this information page:
- because we invited you to visit it to obtain further information on a specific data processing activity, as we were not able to provide you with all necessary information at the time when we obtained your personal data;
- because you are searching for publicly available information on how we process personal data not obtained directly from you but, for example, from publicly available sources, where informing each individual proves impossible or would involve a disproportionate effort (Art. 14(5)(b) GDPR); or
- because you have been in contact with, or have addressed requests to, HR Operations. Depending on the recipient of your request to HR Operations, your current or former employer as legal entity within Bayer Group, respectively the Bayer-Beistandskasse VVaG, Bayer-Unterstuetzungskasse GmbH, Bayer-Pensionskasse VVaG or Rheinische Pensionskasse VVaG (hereinafter “us”, “our” and “we”), each in its capacity as controller for the processing of your personal data, wishes to provide you with information on the processing of your personal data.
Please note: This page is not an exhaustive source of information about any kind of processing activity we perform. Where we are able to provide you with all required information at the time we obtain personal data from you, we do so by providing you with data privacy statements specific to the respective processing activity. If you are looking for information regarding the processing of your personal data on this website, for example, please visit our website’s data privacy statement.
Personal Data We Process about You, if …
… you hand over your business card to us
When you hand over your business card to us, we might copy it and enter the personal data contained therein into one of our contact management systems.
We use the information contained therein about you in order to contact you. The legal basis for processing your personal data and the respective retention period vary, depending on the purpose for which you have given us your business card. However, we will only store your personal data for as long as is necessary to stay in contact with you.
… you communicate with us via email
When you communicate with us via email, we process your email address, the information you provide in your emails (e.g. your name, further contact information from your signature, the content of your emails or any attachments) as well as the email metadata (e.g. time stamp, sender’s IP address, mail user agents, servers used in transit).
Additionally, we may process your email address for cyber security purposes. In order to protect Bayer’s data assets from unauthorized disclosure to third parties, we use a Data Loss Prevention (“DLP”) tool to prevent possible data leakage incidents by detecting and blocking certain data flows of sensitive information. If your email address is included in a detected incident, the data is stored for as long as necessary to assess and resolve the incident or to keep it as evidence. This data processing is based on our legitimate interest to protect the Bayer group against loss of intellectual property and other sensitive information.
We use this personal data in order to be able to communicate with you. The legal basis for the processing of your personal data and the applicable data retention rules for your personal data may vary depending on the purpose for which we communicate with you. However, our general retention period for email inboxes is six months, unless your email has been archived, in which case the general retention period is four years. Please ask either the person in our organization whom you are in contact with or our data protection officer mentioned above if you want to know more about the purpose, legal basis and data retention rules applicable to your personal data in your individual case.
… you are, or work for, one of our suppliers or contract partners
We process contact information (like name, email address, telephone number, position and role in the company) of employees of our suppliers or contract partners (like key account managers, consultants, business partners or legal counsels) or of individuals who directly act as our suppliers or contract partners (such as freelancers). With regard to the latter, we might also process payment data (like bank account information).
We use this information in order to communicate and manage our relationship with our suppliers or contract partners and to be able to choose and contact the right supplier for any new supply demand from our business or to pay any due invoices.
The legal basis for processing the aforementioned personal data is Art. 6(1)(f) GDPR as it is necessary to pursue our legitimate interests that result from our need to be able to communicate with our suppliers or contract partners and to manage our supplier or contract partner portfolio and thereby secure the supply of products and services needed to run our business. In addition, the legal basis for processing the aforementioned personal data of individuals who directly act as our suppliers or contract partners might be Art. 6(1)(b) GDPR, insofar as it is necessary for the performance of a contract with that individual.
We retain this kind of personal data for as long as it is necessary to continuously manage our relationship or to perform our contract with the relevant supplier or contract partner. We delete these personal data as soon as they are no longer needed, for example, when an employee of a supplier is no longer working for that supplier or if the supplier or freelancer is no longer eligible to be a supplier for us, unless legal archiving obligations require us to retain personal data for a longer period of time (e.g. personal data in the context of a contract will need to be archived for a period of ten years according to applicable tax legislation).
… you reach out to HR Operations
You can reach out to HR Operations via different channels (e.g. telephone / email / fax / Communication Center in myServices) for various different purposes. We will process personal data that you provide us in the context of your request (e.g. name, date of birth, CWID, address, request) for identification and authentication purposes and to process your request.
The legal basis for the processing of your personal data is Art. 6(1)(b) GDPR.
If you are an active employee, an invitation to participate in a Satisfaction Survey may be sent to you on a random basis following your contact. This serves the continuous improvement of our HR services. Your participation in such a survey is voluntary and anonymous, unless you voluntarily identify yourself in the survey (for example, by submitting personal data in text fields). In such a case, the legal basis for the further processing of your personal data is also Art. 6(1)(b) GDPR.
We would like to point out that, depending on your request, conclusions on special categories of personal data may also be possible in individual cases. This applies, for example, to the following cases:
| Special categories of personal data | Description |
| --- | --- |
| Information about your sexual orientation | If you provide us with your marriage certificate, this will also contain the gender of your spouse. |
| Information about your religious belief | If you provide us with your tax details or a remuneration statement, this may also show your religious belief. |
| Information about your health | If you send us a sick note, this is information about your health status; if you submit a medical report when you apply for a child allowance, this may provide diagnoses or illnesses. |
Retention periods for personal data: Tickets for your requests are stored for a period of 3 years from the date of creation.
… you or others publish your personal data on the internet
We search the internet for information for various purposes that are explained in more detail below. This information may contain personal data. We also use active online listening services. Active online listening is the process of identifying and assessing what is being said about a company, individual, product, brand or topic with business relevance to the company on the internet. We process the personal data we collect from publicly accessible areas on the internet and in public media by, for example:
- performing keyword searches across the web (e.g. websites, social media platforms, social network communities, blogs, mainstream news sources, forums or photo and video sites);
- searching, filtering and analyzing conversation streams;
- viewing visual analytic displays of conversation trends over a specified time range;
- monitoring publicly available opinions, statements or other interactions on the internet from certain individuals or entities that are important for us and our business (so-called thought leaders).
We use the insights we receive for the following purposes:
Customer and stakeholder insights
We want to identify business opportunities and risks alongside innovations, to better understand sentiment, intent, mood, market and societal trends as well as our customers’ or other stakeholders’ needs, preferences or opinions and thereby to engage in dialogue more effectively, to improve our services, products and the way in which we operate our company as well as to capture business opportunities and mitigate business risks. The legal basis for processing the personal data involved in this is Art. 6(1)(f) GDPR as it is necessary to pursue our legitimate interests that result from our aforementioned processing purposes. We delete personal data as soon as they are no longer required for the purposes for which they were initially acquired. Personal data stored in the profiles of thought leaders are deleted if they are older than 2 years.
Product safety and product quality
As a company that supplies medicinal products and devices, we need to be able to identify any side effects, lack of therapeutic effect, medication errors, gray market products/counterfeit medicines, incorrect or off-label uses, quality complaints and/or other issues regarding the safety or quality of our products. The legal basis for processing the personal data involved in this is either Art. 9(2)(i) GDPR, as processing is necessary for ensuring high standards of quality and safety of health care and of medicinal products or medical devices, or Art. 6(1)(f) GDPR, as it is necessary to pursue our legitimate interests that result from our need to be able to know and react to any safety or quality issues in respect of our products. We delete personal data as soon as they are no longer required for the purposes for which they were initially acquired, unless the information therein is still required or there is a legal obligation to archive such personal data (e.g. information regarding adverse events). Adverse event information will be stored at least for the duration of the life cycle of the relevant product and for an additional ten years after the product has been taken from the market.
Transfer of Personal Data for Commissioned Processing
We might use specialized service contractors to some extent in processing your personal data. Such service contractors are carefully selected and regularly monitored by us. Based on relevant data processing agreements, they will only process personal data upon our instruction and strictly in accordance with our directives.
Third party transfer
For requests addressed to HR Operations, if your request cannot be answered or processed by us directly, the personal data required for this purpose will be forwarded to the relevant departments in the Bayer Group for further processing (e.g. for reported technical access problems to the IT service or for requests for shift flat rates to the responsible HR Business Partner). Depending on your concerns, it may also be necessary for us to get in contact with, for example, the relevant tax office or your health insurance company.
Processing of Personal Data outside the EU / the EEA
Your personal data may in part also be processed in countries outside the European Union (“EU”) or the European Economic Area (“EEA”), which may have lower data protection standards than European countries. In such cases, we will ensure that a sufficient level of protection is provided for your data, for example, by concluding specific agreements with our contractual partners (copy available on request), or we will ask for your explicit consent to such processing.
Information Regarding Your Rights
The following rights are in general available to you in accordance with applicable data privacy legislation:
- Right of information about your personal data stored by us;
- Right to request the correction, deletion or restricted processing of your personal data;
- Right to object to processing for reasons of our own legitimate interest, public interest or profiling, unless we are able to prove that compelling, warranted reasons superseding your interests, rights and freedoms exist, or that such processing is done for the purposes of asserting, exercising or defending legal claims;
- Right to data portability;
- Right to file a complaint with a data protection authority;
- You may at any time with future effect revoke your consent to the collection, processing and use of your personal data. For further information, please refer to the chapters above describing the processing of data based on your consent.