Data Privacy Statement for Specific Processing Activities

Purpose and scope of processing: During various occasions, e.g., conferences, events, or sales representative’s visits, you may hand over your business card to us to stay in touch with us. We may store this information and use it to contact you. For this purpose, we may process all personal data available on the business card, such as your name and surname, job title, organization, phone number, email address, etc.

Legal basis for processing: Generally, the legal basis of processing your personal data is your consent that you declare by handing out the business card to us (Art. 6 (1) (a) GDPR). Furthermore, it is our legitimate interest to stay in contact with you thereafter (Art. 6 (1) (f) GDPR).

Data retention: We will store your personal data as long as we intend to stay in contact with you.

Purpose and scope of processing: We use Microsoft 365 tools to support our cooperation. In this regard, we process communication data such as name, business email address and telephone number, metadata such as IP address and time stamp, content of documents and the metadata stored in the documents such as author name, name of the commentator, and, in the case of online conferences, audio and video data and, where applicable, video recordings. Typically, the following activities and technologies are typically utilized:

• Access to a collaboration system: Access to the Microsoft 365 environment of Bayer is necessary for cooperation within the scope of the contract between Bayer and you or your employer.
• Communication with Microsoft Teams: MS Teams enables an exchange of information, allows you to participate in video conferences, and make calendar bookings. MS Teams meetings can be recorded in some cases; this is announced by the meeting moderator and clearly indicated in MS Teams.
• Editing of documents: As part of a collaboration, you can create or edit documents and share these with the others within Bayer’s IT environment.
• Polls (MS Forms): Polls can be used to collect information or opinions on a topic relevant to the collaboration. Surveys are anonymous unless expressly stated otherwise.
• Social company network (Yammer): The company's social network is being used for open exchange on specialist topics and for answer to user questions.

As our service provider, Microsoft will process respective personal data such as your profile, communication data (meta data and content), and the content of used files. 

Legal basis for processing: Generally, the legal basis for processing of personal data as part of IT-based cooperation will be Bayer’s legitimate interest to enable and support the respective business purposes (Art. 6 (1) (f) GDPR). Depending on the purpose and circumstances of the use of such IT tools, the legal basis may also be to fulfill a contract that we have with you (Art. 6 (1) (b) GDPR), or your consent (Art. 6 (1) (a) GDPR).

Data retention: The retention periods for personal data depend on the concrete information and underlying business purposes. 

• Generally, technical information relating to the access to MS 365 systems are stored for maximum 12 months after we end the collaboration with you. 
• Access data for MS Teams meetings will be deleted after 90 days.
• Standard deletion period for documents is 4 years after the last processing of a document; longer retention periods may apply, if necessary for business or legal purposes.
• (Group)Chats within MS Teams channels are retained for a maximum of four years from the date of the message. Personal chat messages including their metadata are retained for 30 days.
• Personal data collected as part of the survey will be deleted within 12 months of the start of the survey.
• Data in the Bayer social network will be deleted 4 years after the last change.
• Booking information will be deleted within 12 months after the appointment.

Purpose and scope of processing: We process personal data from employees of our customers, suppliers, or contract partners and from our direct customers, suppliers, or contract partners. We do this to manage our respective business relationships, e.g., to communicate about business relevant aspects, to process orders, to deliver services, to manage purchase history, to choose and contact suppliers, or to pay invoices.

As required for the respective (business) purposes, we may process the following personal data:

• Contact information, e.g., name, email address, telephone number, position and role in the company;
• purchase history;
• service requests;
• payment data, e.g., bank accounts.

If you contact customer / financial service teams in Pharmaceuticals and Consumer Health, please visit our dedicated website here for additional privacy information.

Legal basis for processing: The legal basis for processing the personal data depends on the specific circumstances and purpose. Generally, it is Bayer’s legitimate interest to manage our business relationship with customers, suppliers, and contract partners (Art. 6 (1) (f) GDPR). Where we have a direct contract with individuals who are our customers, suppliers and contract partners, the processing is necessary to fulfill our contract with these individuals (Art. 6(1)(b) GDPR).

Data retention: We retain respective personal data for as long as it is necessary to continuously manage our relationship with our customers, suppliers, or contract partners and to fulfill our respective contract obligations connected to our business relationship. Legal archiving requirements may exceed this period, e.g., to meet tax legislative requirements for archiving. 

Purpose and scope of processing:  Bayer collects data from publicly accessible sources or may access databases that are provided by third-parties and contain data from publicly accessible sources, for the following business purposes:

• Media Insights: We identify trends, market developments and topics discussed publicly, e.g., in newspapers, websites or social media, that may impact Bayer. This includes identifying business opportunities and risks alongside our products and innovations, acknowledgement of opinions and sentiments publicly expressed, tracking societal trends as well as identifying our customers’ or other stakeholders’ needs, preferences, or opinions. Thereby we can engage in dialogue with customers and stakeholders more effectively, improve our services, products, and the way in which we operate our company, better identify business opportunities, and mitigate risks. 
• Public Relations and Stakeholder Engagement: We may use insights obtained from our Media Insights activities for our public relations. When identifying stakeholders, we may want to further establish, maintain, and improve our relationship with them to facilitate our business interests and activities.
• Product safety: As a pharmaceutical company we want to identify any side effects, lack of therapeutic effect, medication errors, gray market products/counterfeit medicines, incorrect or off-label uses, quality complaints and/or other issues regarding the safety or quality of our products.

For such purposes, we actively search publicly accessible sources, e.g., by performing keyword searches on the internet, analyzing conversations in public social media channels, or monitoring publicly available publications, opinions, and statements or access external databases containing data from publicly accessible sources. We may use such “active online listening” also as services provided by specialized agencies.  

Information that we obtained in the above manner from public sources may qualify as personal data and include:

• Contact information such as name, phone number, e-mail address, postal address, social media accounts and website addresses;
• Demographic information such as age group or gender;
• Professional information such as job title, role within an organization, and area of expertise;
• Scientific communications such as publications, congress presentations, social media posts;
• Involvement in research activities and clinical investigations;
• Statements, opinions, memberships in associations, relationships to other stakeholders, content about topics discussed in meetings, panels/committees, etc.;
• Safety and quality related information relating to Bayer’s products.

We limit the scope of personal data that we collect and process to what is required for our specific business purposes.

Legal basis for processing: We process personal data on our legitimate interest (Art. 6 (1) (f) GDPR) to improve our business relationships, services, products, and business operations. Moreover, Bayer is interested to capture business opportunities, mitigate business risks and get to know the stakeholders’ opinions on topics that are relevant to Bayer. 

As described in this section, personal data relating to product safety and quality are obtained only when they have been published; processing of such data is therefore based on Art. 9 (2) (e) GDPR. Furthermore, we process such data for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of medicinal products or medical devices (Art. 6 (1) (c, e) and Art. 9 (2) (i) GDPR in conjunction with Pharmacovigilance legislation. 

Data retention: We delete personal data as soon as they are no longer required for the purposes for which they have been initially acquired, unless there is a legal obligation to further retain such personal data, e.g., information regarding adverse events. We delete personal data of the stakeholder 7 years after our relationship ends, except where otherwise provided by law. 

Adverse event information will be stored in accordance with legal requirements governing storage and reporting of Pharmacovigilance related information.

Purpose and scope of processing: To plan, organize and perform clinical and observational studies, Bayer need process personal data from healthcare professionals and other personnel of clinical sites who are involved in these studies.
 

Site selection and feasibility: We identify potential study sites and healthcare professionals with whom Bayer may want to work together in future. For these “site selection and feasibility” purposes, we collect publicly available personal data about healthcare professionals as well as site contact personnel from different sources such as the study site’s internet representation, publicly accessible registers, or professional data providers. The data which we collect are business contact details, e.g., name, e-mail, phone, fax, address of site, and qualification information such as scientific activities, activities in clinical and observational studies, general qualification.
 

Study performance: If Bayer as study sponsor and a study site decide to perform a clinical or observational study, Bayer will process personal data from the study site’s study team. Besides business contact information, these personal data may include (if required) information such as curriculum vitae and detailed qualification information, e.g., trainings related to Good Clinical Practice.
 

Access to your personal data will be given to our staff involved in activities related to clinical and observational studies. This includes other Bayer affiliates and service contractors who act as our data processors. For more information about service provider, see the general information below.
 

Legal basis for processing: Where we process personal data for site selection and feasibility purposes, this is based on our legitimate interest (Art. 6 (1) (f) GDPR) to perform clinical and observational studies to develop new drugs and medical devices, and to ensure their appropriate safety profile. For these purposes, we only collect personal data from publicly available sources and dedicated service providers.
 

Where we process personal data for performing a clinical or observational study together with a study site, the processing of personal data is required to fulfil the study contract between Bayer and the study site (Art. 6 (1) (b) GDPR) and to meet regulatory requirements regarding the qualification of the study team (Art. 6 (1) (c) GDPR in conjunction with Good Clinical Practice).
 

Data retention: For site selection and feasibility purposes, we retain your personal data as long as we have a legitimate interest to assess whether we may want to work together with a site and respective healthcare professional. 
 

If a healthcare professional supports the performance of a clinical or observational study of Bayer, respective personal data are retained according to legal retention periods for clinical and observational studies. 

Disclaimer: If you participate in a clinical or observational study of Bayer, Bayer will process your personal data. Bayer and the study site will provide you with detailed information about the study and data privacy aspects, such as which data is processed, and how your privacy is protected.
 

This website provides information how Bayer generally handles personal data in the context of their clinical and observational studies. This information may be interesting if you consider taking part in any study that is organized and conducted by Bayer. 
 

It does not replace the study-specific privacy information that you obtain as part of your study participation. These are more specific and the ultimate document informing you about the specific use of your data in the context of the respective study. 
 

Purpose and scope of processing: 

Scientific study purposes: If you take part in a clinical or observational study organized and conducted by Bayer, it will be necessary to collect and handle certain personal data, including health information. As your study participation is confidential, Bayer and the study site implement protection measures to protect your privacy.
 

During your visits of the study site, the investigator at the study site will collect certain personal data from you. Before transferring this data to Bayer for further analyses, your data will be coded: Your name and other information that could directly identify you will be removed and replaced by a code. This code is usually a number. The information how this code is linked to your identity is kept confidential at the study site. Only your medical records at the study site will remain "un-coded". Bayer does not know your identity.
 

Personal data which the investigator at the study site collects as part of a study typically includes (list not exhaustive):

• Information to arrange your participation in the study, e.g., your name, address, or telephone number (such information remains at the study site only and will not be shared with Bayer).
• Demographic information such as your age, gender, biological sex, or ethnicity.
• Study-related health information such as medical history, medical parameters and conditions, medical images like computer-tomographic scans, results from analyses of biological samples such as blood or body tissues (including genetic analyses).

It depends on the specific medical and scientific scope and question of the study which data will be required, and at which time during the study it will be collected.
 

The study site collects and handles your personal data to organize your study participation and to fulfill the study purposes and medical interventions. Bayer will perform legally required quality checks to ensure the study is carried out correctly.
 

Bayer uses your coded data to answer the questions of this study and, as legally required, to publish the results. Your coded data is also used to develop and register the trial drug as required for commercialization and to meet any regulatory requirements. This includes e.g., answering follow-up questions, ensuring a correct safety profile and a high quality standards of the study drug, and ensuring the scientific integrity of the study.
 

Bayer may also use your coded data for scientific purposes which are compatible with the study purposes, e.g., to identify and analyze your data to answer scientific follow-up questions and to plan follow-up studies. This may include combining and analyzing the data together with data from similar studies.
 

Additional, health-related scientific research: Health related data can be of utmost value to advance scientific and medical knowledge to improve healthcare delivery. As potentially a wide range of meaningful research questions exist, it is not possible to specify the exact purposes at the time of the study. Research questions could be, for example, developing new ways to review and use scientific data, develop diagnostic tests and scientific analysis methods in other therapeutic areas. In each study-related information that is handed out to you when you participate in a study, Bayer will therefore ask for your consent which would allow Bayer to use your coded personal data if it is suitable to support a future research and development purpose in the health space. If you grant your consent, Bayer may use your data for such additional health related research and development activities, and strictly in line with applicable data protection law and ethical standards. 
 

Anonymization of study data: Bayer may anonymize the study data in a way that it cannot be attributed to you anymore considering means reasonably likely to be used for re-identification attempts. Bayer may share such anonymized data with other researchers for scientific use that is in line with generally accepted ethical standards.
 

Disclosure of clinical trial information: Bayer is committed to transparency in clinical trials and discloses information about planned and ongoing trials. Learn more about Bayer's transparency principles here.
 

Discontinuing development of the study drug: In case Bayer considers stopping the further development of the study drug and somebody else is interested in taking over the development or commercialization of the study drug, for example another pharmaceutical company, your coded data may be given to them. That is required to allow the new party to continue the development and/or commercialization and have such medicine available for patients. Any such new party must protect your data in the same way as Bayer. 
 

Legal basis for processing: Participating in a clinical or observational study is voluntary. If you want to participate, you need to sign an explicit study consent. As part of the study, it will be necessary to process your personal data, including health information. The laws of some countries require that you also provide a separate data processing consent in addition to your consent to participate in the study. Laws of other countries do not require such a data processing consent for study related uses but provide other ground to allow the data processing. Once data is collected for a study, it is also necessary to meet requirements of regulatory authorities, ensure the correct safety profile of the investigational product, and maintain the scientific integrity of the study.
 

If Bayer whishes using your data for future research purposes that are not related to the study, Bayer will ask for you consent. Bayer takes care to meet all legal requirements of the country in which a study takes place. This will be explained in the respective study information that you receive when participating in a study.
 

Data retention: Your personal data at the study site and your coded data at Bayer will be retained for as long as legally required for clinical and observational studies and for drugs that receive a market authorization. The retention periods depend on the laws of the country in which the study is performed. This will be explained in the respective study information that you receive when participating in a study.

Purpose and scope of processing: To apply for and manage clinical and observational studies, Bayer needs to send the study application to respective authorities and ask for an ethics approval from independent ethic committees (IEC) / institutional review boards (IRB) as required by law (such as the EU Clinical Trial Regulation 536/2014). As part of this, Bayer may process name and business contact information if provided by authorities or IECs / IRBs. 
 

Legal basis for processing: Obtaining ethics approval for clinical and observational studies is a legal requirement and requires exchange with IECs/IRBs. Processing of personal data therefore is based on Art. 6 (1) (b) GDPR. It furthermore is a legitimate interest of Bayer to establish and maintain contact with health authorities and IECs / IRBs to align on regulatory requirements, ethical standards and scientific requirements related to clinical and observational studies.
 

Data retention: Approvals or favorable opinions from IECs/IRBs are essential documents for the conduct of a clinical or observational study and become part of the overall study documentation which need to be retained according to legal retention periods. Article 58 of the EU Clinical Trial Regulation 536/2014 requires to archive the content of the clinical trial master file for at least 25 years after the end of the clinical trial. For studies outside the scope of Clinical Trial Regulation, deviating retention periods may apply.