Data Privacy Statement for Specific Processing Activities

Purpose and scope of processing: During various occasions, e.g., conferences, events, or sales representative’s visits, you may hand over your business card to us to stay in touch with us. We may store this information and use it to contact you. For this purpose, we may process all personal data available on the business card, such as your name and surname, job title, organization, phone number, email address, etc.

Legal basis for processing: Generally, the legal basis of processing your personal data is your consent that you declare by handing out the business card to us (Art. 6 (1) (a) GDPR). Furthermore, it is our legitimate interest to stay in contact with you thereafter (Art. 6 (1) (f) GDPR).

Data retention: We will store your personal data as long as we intend to stay in contact with you.

Purpose and scope of processing: We use Microsoft 365 tools to support our cooperation. In this regard, we process communication data such as name, business email address and telephone number, metadata such as IP address and time stamp, content of documents and the metadata stored in the documents such as author name, name of the commentator, and, in the case of online conferences, audio and video data and, where applicable, video recordings. Typically, the following activities and technologies are typically utilized:

• Access to a collaboration system: Access to the Microsoft 365 environment of Bayer is necessary for cooperation within the scope of the contract between Bayer and you or your employer.
• Communication with Microsoft Teams: MS Teams enables an exchange of information, allows you to participate in video conferences, and make calendar bookings. MS Teams meetings can be recorded in some cases; this is announced by the meeting moderator and clearly indicated in MS Teams.
• Editing of documents: As part of a collaboration, you can create or edit documents and share these with the others within Bayer’s IT environment.
• Polls (MS Forms): Polls can be used to collect information or opinions on a topic relevant to the collaboration. Surveys are anonymous unless expressly stated otherwise.
• Social company network (Yammer): The company's social network is being used for open exchange on specialist topics and for answer to user questions.

As our service provider, Microsoft will process respective personal data such as your profile, communication data (meta data and content), and the content of used files. 

Legal basis for processing: Generally, the legal basis for processing of personal data as part of IT-based cooperation will be Bayer’s legitimate interest to enable and support the respective business purposes (Art. 6 (1) (f) GDPR). Depending on the purpose and circumstances of the use of such IT tools, the legal basis may also be to fulfill a contract that we have with you (Art. 6 (1) (b) GDPR), or your consent (Art. 6 (1) (a) GDPR).

Data retention: The retention periods for personal data depend on the concrete information and underlying business purposes. 

• Generally, technical information relating to the access to MS 365 systems are stored for maximum 12 months after we end the collaboration with you. 
• Access data for MS Teams meetings will be deleted after 90 days.
• Standard deletion period for documents is 4 years after the last processing of a document; longer retention periods may apply, if necessary for business or legal purposes.
• (Group)Chats within MS Teams channels are retained for a maximum of four years from the date of the message. Personal chat messages including their metadata are retained for 30 days.
• Personal data collected as part of the survey will be deleted within 12 months of the start of the survey.
• Data in the Bayer social network will be deleted 4 years after the last change.
• Booking information will be deleted within 12 months after the appointment.

Purpose and scope of processing: We process personal data from employees of our customers, suppliers, or contract partners and from our direct customers, suppliers, or contract partners. We do this to manage our respective business relationships, e.g., to communicate about business relevant aspects, to process orders, to deliver services, to manage purchase history, to choose and contact suppliers, or to pay invoices.

As required for the respective (business) purposes, we may process the following personal data:

• Contact information, e.g., name, email address, telephone number, position and role in the company;
• purchase history;
• service requests;
• payment data, e.g., bank accounts.

If you contact customer / financial service teams in Pharmaceuticals and Consumer Health, please visit our dedicated website here for additional privacy information.

Legal basis for processing: The legal basis for processing the personal data depends on the specific circumstances and purpose. Generally, it is Bayer’s legitimate interest to manage our business relationship with customers, suppliers, and contract partners (Art. 6 (1) (f) GDPR). Where we have a direct contract with individuals who are our customers, suppliers and contract partners, the processing is necessary to fulfill our contract with these individuals (Art. 6(1)(b) GDPR).

Data retention: We retain respective personal data for as long as it is necessary to continuously manage our relationship with our customers, suppliers, or contract partners and to fulfill our respective contract obligations connected to our business relationship. Legal archiving requirements may exceed this period, e.g., to meet tax legislative requirements for archiving. 

Purpose and scope of processing:  Bayer collects data from publicly accessible sources for the following business purposes:

• Media Insights: We identify trends, market developments and topics discussed publicly, e.g., in newspapers, websites or social media, that may impact Bayer. This includes identifying business opportunities and risks alongside our products and innovations, acknowledgement of opinions and sentiments publicly expressed, tracking societal trends as well as identifying our customers’ or other stakeholders’ needs, preferences, or opinions. Thereby we can engage in dialogue with customers and stakeholders more effectively, improve our services, products, and the way in which we operate our company, better identify business opportunities, and mitigate risks. 
• Public Relations and Stakeholder Engagement: We may use insights obtained from our Media Insights activities for our public relations. When identifying stakeholders, we may want to further establish, maintain, and improve our relationship with them to facilitate our business interests and activities.
• Product safety: As a pharmaceutical company we want to identify any side effects, lack of therapeutic effect, medication errors, gray market products/counterfeit medicines, incorrect or off-label uses, quality complaints and/or other issues regarding the safety or quality of our products.

For such purposes, we actively search publicly accessible sources, e.g., by performing keyword searches on the internet, analyzing conversations in public social media channels, or monitoring publicly available publications, opinions, and statements. We may use such “active online listening” also as services provided by specialized agencies.  

Information that we obtained in the above manner from public sources may qualify as personal data and include:

• Contact information such as name, phone number, e-mail address, postal address, social media accounts and website addresses;
• Demographic information such as age group or gender;
• Professional information such as job title, role within an organization, and area of expertise;
• Statements, opinions, memberships in associations, relationships to other stakeholders, content about topics discussed in meetings, panels/committees, etc.;
• Safety and quality related information relating to Bayer’s products.

We limit the scope of personal data that we collect and process to what is required for our specific business purposes.

Legal basis for processing: We process personal data on our legitimate interest (Art. 6 (1) (f) GDPR) to improve our business relationships, services, products, and business operations. Moreover, Bayer is interested to capture business opportunities, mitigate business risks and get to know the stakeholders’ opinions on topics that are relevant to Bayer. 

As described in this section, personal data relating to product safety and quality are obtained only when they have been published; processing of such data is therefore based on Art. 9 (2) (e) GDPR. Furthermore, we process such data for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of medicinal products or medical devices (Art. 6 (1) (c, e) and Art. 9 (2) (i) GDPR in conjunction with Pharmacovigilance legislation. 

Data retention: We delete personal data as soon as they are no longer required for the purposes for which they have been initially acquired, unless there is a legal obligation to further retain such personal data, e.g., information regarding adverse events. We delete personal data of the stakeholder 7 years after our relationship ends, except where otherwise provided by law. 

Adverse event information will be stored in accordance with legal requirements governing storage and reporting of Pharmacovigilance related information.