Data Privacy Statement for Specific Processing Activities

This Privacy Statement (“Statement”) provides information about how Bayer AG, Kaiser-Wilhelm-Allee 1, 51373 Leverkusen, Germany, and its affiliates (together “Bayer”) process personal data (i.e., any information relating to an identified or identifiable natural person) for specific processing activities as listed below in line with our obligations under applicable data privacy laws, such as, but not limited to, the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”). Processing includes activities such as collecting, using, storing, transferring, or deleting.
Bayer generally provides data privacy information at the time of data collection. This Privacy Statement provides the information about processing of personal data where we are unable to provide such information at the time of data collection, or where we deem it necessary to publish privacy information, due to other reasons.
Please note: This page is not an exhaustive source of information about any kind of processing activities Bayer and its affiliates perform.
- For data privacy information related to our handling of adverse events (pharmacovigilance), medical inquiries or technical product complaints, please visit our dedicated website here.
- For data privacy information relevant for customers contacting our customer / financial service teams in Pharmaceuticals and Consumer Health, please visit our dedicated website here.
- Country-specific data privacy information may also be available on country-specific Bayer websites.
For privacy information regarding the processing of your personal data on this website, please see the data privacy statement at the bottom of this website.
Please note: Where legal bases for processing personal data are described, these refer to the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Alternative legal bases may apply depending on the specific circumstances of data collection and processing. Information on country-specific legal bases is available on our country-specific Bayer websites, or on request.
In the following, we inform about the nature and scope of our processing of personal data for specific processing activities.
1. Nature and Scope of Data Processing
Purpose and scope of processing: When you communicate with us via email, we process your email address and all information provided in the email, including email content, meta data such as time stamp, IP address, servers used in transit, etc.
We use email communication to support our normal business operations. Processing of personal data through email communication will be restricted to what is necessary for such purposes. If we receive personal data via email that are not required within the given business context, we delete such data.
Please do not send any sensitive personal data, such as health information, to us via email without prior agreement or instruction. Otherwise, we may be required to delete such information.
To inform us about adverse events, medical inquiries, or product technical complaints, please use the dedicated systems such as contact forms or hotlines available in your country instead of sending an email.
Legal basis for processing: The legal basis of processing data as part of email communication depends on why we communicate with each other. This may be required, e.g., to fulfill a contract that we have with you (Art. 6 (1) (b) GDPR), to support our business interests (Art. 6 (1) (f) GDPR), to answer a question that you have asked (Art. 6 (1) (a) GDPR), or as part of our IT security policy to protect us against loss of sensitive information (Art. 6 (1) (f) GDPR).
Data retention: The retention of emails depends on why we communicate with each other. Generally, we store emails for four years. Laws and regulations may require us to retain your email for a longer period.
Purpose and scope of processing: During various occasions, e.g., conferences, events, or sales representative’s visits, you may hand over your business card to us to stay in touch with us. We may store this information and use it to contact you. For this purpose, we may process all personal data available on the business card, such as your name and surname, job title, organization, phone number, email address, etc.
Legal basis for processing: Generally, the legal basis of processing your personal data is your consent that you declare by handing out the business card to us (Art. 6 (1) (a) GDPR). Furthermore, it is our legitimate interest to stay in contact with you thereafter (Art. 6 (1) (f) GDPR).
Data retention: We will store your personal data as long as we intend to stay in contact with you.
Purpose and scope of processing: We use Microsoft 365 tools to support our cooperation. In this regard, we process communication data such as name, business email address and telephone number, metadata such as IP address and time stamp, content of documents and the metadata stored in the documents such as author name, name of the commentator, and, in the case of online conferences, audio and video data and, where applicable, video recordings. Typically, the following activities and technologies are typically utilized:
- Access to a collaboration system: Access to the Microsoft 365 environment of Bayer is necessary for cooperation within the scope of the contract between Bayer and you or your employer.
- Communication with Microsoft Teams: MS Teams enables an exchange of information, allows you to participate in video conferences, and make calendar bookings. MS Teams meetings can be recorded in some cases; this is announced by the meeting moderator and clearly indicated in MS Teams.
- Editing of documents: As part of a collaboration, you can create or edit documents and share these with the others within Bayer’s IT environment.
- Polls (MS Forms): Polls can be used to collect information or opinions on a topic relevant to the collaboration. Surveys are anonymous unless expressly stated otherwise.
- Social company network (Yammer): The company's social network is being used for open exchange on specialist topics and for answer to user questions.
As our service provider, Microsoft will process respective personal data such as your profile, communication data (meta data and content), and the content of used files.
Legal basis for processing: Generally, the legal basis for processing of personal data as part of IT-based cooperation will be Bayer’s legitimate interest to enable and support the respective business purposes (Art. 6 (1) (f) GDPR). Depending on the purpose and circumstances of the use of such IT tools, the legal basis may also be to fulfill a contract that we have with you (Art. 6 (1) (b) GDPR), or your consent (Art. 6 (1) (a) GDPR).
Data retention: The retention periods for personal data depend on the concrete information and underlying business purposes.
- Generally, technical information relating to the access to MS 365 systems are stored for maximum 12 months after we end the collaboration with you.
- Access data for MS Teams meetings will be deleted after 90 days.
- Standard deletion period for documents is 4 years after the last processing of a document; longer retention periods may apply, if necessary for business or legal purposes.
- (Group)Chats within MS Teams channels are retained for a maximum of four years from the date of the message. Personal chat messages including their metadata are retained for 30 days.
- Personal data collected as part of the survey will be deleted within 12 months of the start of the survey.
- Data in the Bayer social network will be deleted 4 years after the last change.
- Booking information will be deleted within 12 months after the appointment.
Purpose and scope of processing: We process personal data from employees of our customers, suppliers, or contract partners and from our direct customers, suppliers, or contract partners. We do this to manage our respective business relationships, e.g., to communicate about business relevant aspects, to process orders, to deliver services, to manage purchase history, to choose and contact suppliers, or to pay invoices.
As required for the respective (business) purposes, we may process the following personal data:
- Contact information, e.g., name, email address, telephone number, position and role in the company;
- purchase history;
- service requests;
- payment data, e.g., bank accounts.
If you contact customer / financial service teams in Pharmaceuticals and Consumer Health, please visit our dedicated website here for additional privacy information.
Legal basis for processing: The legal basis for processing the personal data depends on the specific circumstances and purpose. Generally, it is Bayer’s legitimate interest to manage our business relationship with customers, suppliers, and contract partners (Art. 6 (1) (f) GDPR). Where we have a direct contract with individuals who are our customers, suppliers and contract partners, the processing is necessary to fulfill our contract with these individuals (Art. 6(1)(b) GDPR).
Data retention: We retain respective personal data for as long as it is necessary to continuously manage our relationship with our customers, suppliers, or contract partners and to fulfill our respective contract obligations connected to our business relationship. Legal archiving requirements may exceed this period, e.g., to meet tax legislative requirements for archiving.
Purpose and scope of processing: Bayer collects data from publicly accessible sources for the following business purposes:
- Media Insights: We identify trends, market developments and topics discussed publicly, e.g., in newspapers, websites or social media, that may impact Bayer. This includes identifying business opportunities and risks alongside our products and innovations, acknowledgement of opinions and sentiments publicly expressed, tracking societal trends as well as identifying our customers’ or other stakeholders’ needs, preferences, or opinions. Thereby we can engage in dialogue with customers and stakeholders more effectively, improve our services, products, and the way in which we operate our company, better identify business opportunities, and mitigate risks.
- Public Relations and Stakeholder Engagement: We may use insights obtained from our Media Insights activities for our public relations. When identifying stakeholders, we may want to further establish, maintain, and improve our relationship with them to facilitate our business interests and activities.
- Product safety: As a pharmaceutical company we want to identify any side effects, lack of therapeutic effect, medication errors, gray market products/counterfeit medicines, incorrect or off-label uses, quality complaints and/or other issues regarding the safety or quality of our products.
For such purposes, we actively search publicly accessible sources, e.g., by performing keyword searches on the internet, analyzing conversations in public social media channels, or monitoring publicly available publications, opinions, and statements. We may use such “active online listening” also as services provided by specialized agencies.
Information that we obtained in the above manner from public sources may qualify as personal data and include:
- Contact information such as name, phone number, e-mail address, postal address, social media accounts and website addresses;
- Demographic information such as age group or gender;
- Professional information such as job title, role within an organization, and area of expertise;
- Statements, opinions, memberships in associations, relationships to other stakeholders, content about topics discussed in meetings, panels/committees, etc.;
- Safety and quality related information relating to Bayer’s products.
We limit the scope of personal data that we collect and process to what is required for our specific business purposes.
Legal basis for processing: We process personal data on our legitimate interest (Art. 6 (1) (f) GDPR) to improve our business relationships, services, products, and business operations. Moreover, Bayer is interested to capture business opportunities, mitigate business risks and get to know the stakeholders’ opinions on topics that are relevant to Bayer.
As described in this section, personal data relating to product safety and quality are obtained only when they have been published; processing of such data is therefore based on Art. 9 (2) (e) GDPR. Furthermore, we process such data for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of medicinal products or medical devices (Art. 6 (1) (c, e) and Art. 9 (2) (i) GDPR in conjunction with Pharmacovigilance legislation.
Data retention: We delete personal data as soon as they are no longer required for the purposes for which they have been initially acquired, unless there is a legal obligation to further retain such personal data, e.g., information regarding adverse events. We delete personal data of the stakeholder 7 years after our relationship ends, except where otherwise provided by law.
Adverse event information will be stored in accordance with legal requirements governing storage and reporting of Pharmacovigilance related information.
2. Commissioned data processing and sharing of personal data
For the processing of your personal data, we will to some extent use specialized service contractors that process your data on our behalf, e.g., for purposes of operating or supporting IT systems. Such service contractors are carefully selected and regularly monitored by us. Based on respective data processing agreements, they will process personal data only in accordance with our instructions and in compliance with applicable data protection laws/requirements.
We also may share personal data with following categories of recipients if necessary for fulfilling the processing purposes or if legally required
- Bayer Group affiliates;
- Governmental authorities, state institutions, law enforcement agencies;
- External lawyers to support legal decisions and to pursue or defend against legal claims;
- Prospective buyers in case of an acquisition, merger, or any other type of corporate or asset transition involving a change of ownership or control concerning us or our services.
3. International Data Transfers
As part of processing personal data for the purposes as specified above, Bayer may transfer personal data to countries other than those from where the personal data have been collected. Such other countries may have a different (lower) data protection regime than the country of origin. Personal data collected in the European Economic Area (EEA) may therefore be transferred to a country for which the European Commission has not decided that it ensures an adequate level of data protection (“unsafe third countries”).
When transferring data internationally, Bayer takes great care to do this only in compliance with applicable law. This is done, e.g., by concluding specific data privacy contracts with the recipient, or based on a consent. When transferring personal data collected in the EEA to “unsafe third countries”, Bayer generally concludes so-called “standard contractual clauses” adopted by the European Commission as safeguards according to Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be provided upon request. The transfer of personal data collected in the EU may also be based on different legal bases as defined in Art. 49 GDPR, e.g., in case this is required for important reasons of public interest in health care, if it is based on an explicit consent, or if it is required to exercise or defend legal claims.
4. Information Regarding Your Rights
Applicable data privacy laws ensure that individuals have certain privacy rights regarding the processing of their personal data. These rights include the following:
- Request information about personal data processed by Bayer;
- Request the correction of personal data if these are incorrect or incomplete;
- Request the deletion of personal data, e.g., if these are no longer necessary for the purposes for which they have been collected or processed, or if there is no legal basis for their further processing;
- Request the restriction of the processing, e.g., if the accuracy of personal data is contested, or the processing is unlawful;
- Request the transfer of personal data in a commonly utilizable format to the requestor or another controller, e.g., if the processing is based on a consent;
- Object to the processing of personal data as far as such processing is based on Bayer’s legitimate interest;
- Withdraw any consent to processing of personal data that the requestor may have given. Withdrawing a consent does not affect the lawfulness of processing before the consent withdrawal;
- File a complaint with a data protection authority.
Depending on the respective applicable law, additional rights may apply. Information may be available on respective country-specific Bayer websites.
If you want to exercise your rights, please get on contact with us as explained in the section “Contact”.
5. Contact
For any questions you may have with respect to Bayer’s handling of personal data or if you want to exercise your rights please use the provided contact form or contact our company data protection officer at the following address:
Group Data Protection Officer
Bayer AG
51368 Leverkusen, Germany
Bayer AG is designated as representative in the European Union for our non-European legal entities in accordance with Art. 27 GDPR. You may contact the representative at the following address:
Data Privacy Representative
Bayer AG
51368 Leverkusen, Germany
E-Mail: dp-representative@bayer.com
6. Amendment of Privacy Statement
We may update our Privacy Statement for Specific Processing Activities from time to time. Updates of our Privacy Statement will be published on our website. Any amendments become effective upon publication. We therefore recommend that you regularly visit this site to keep yourself informed on possible updates.
For any questions you may have with respect to data privacy, please send an email to data.privacy@bayer.com or contact our company data protection officer at the following address:
Data Protection Officer
Bayer AG
51368 Leverkusen
Germany