Data Privacy Information for Specific Processing Activities

 

Welcome to this information page on specific processing activities conducted by Bayer AG, Kaiser Wilhelm Allee 1, 51368 Leverkusen (Germany) and all of its German affiliates (hereinafter “us” or “we”).

What you get

You might be visiting this information page:

  • because we invited you to visit this information page in order for you to be able to obtain further information on a specific data processing activity because at the time when we obtained your personal data, we were not able to provide you with all necessary information or
  • because you are searching for publicly available information on how we process personal data not obtained directly from you but, for example, from publicly available sources, where informing each individual proves impossible or would involve a disproportionate effort (Art. 14(5)(b) GDPR).

Please note: This page is not an exhaustive source of information about any kind of processing activity we perform. Where we are able to provide you with all required information at the time we obtain personal data from you, we do so by providing you with data privacy statements specific to the respective processing activity. If you are looking for information regarding the processing of your personal data on this website, for example, please visit our website’s data privacy statement.

Personal Data We Process about You, if …

… you hand over your business card to us

When you hand over your business card to us, we might copy it and enter the personal data contained therein into one of our contact management systems.

Read more here: Purpose, legal basis and data retention

We use the information contained therein about you in order to contact you. The legal basis for processing your personal data and the respective retention period vary, depending on the purpose for which you have given us your business card. However, we will only store your personal data for as long as is necessary to stay in contact with you.

… you communicate with us via email

When you communicate with us via email, we process your email address, the information you provide in your emails (e.g. your name, further contact information from your signature, the content of your emails or any attachments) as well as the email meta data (e.g. time stamp, sender’s IP address, mail user agents, servers used in transit, etc.).

Read more here: Purpose, legal basis and data retention

We use this personal data in order to be able to communicate with you. The legal basis for the processing of your personal data and the applicable data retention rules for your personal data may vary depending on the purpose for which we communicate with you. However, our general retention period for email inboxes is six months, unless your email has been archived, in which case the general retention period is four years. Please ask either the person in our organization whom you are in contact with or our data protection officer mentioned above if you want to know more about the purpose, legal basis and data retention rules applicable to your personal data in your individual case.

… you are, or work for, one of our suppliers or contract partners

We process contact information (like name, email address, telephone number, position and role in the company) of employees of our suppliers or contract partners (like key account managers, consultants, business partners or legal counsels) or of individuals who directly act as our suppliers or contract partners (such as freelancers). With regard to the latter, we might also process payment data (like bank account information).

Read more here: Purpose, legal basis and data retention

We use this information in order to communicate and manage our relationship with our suppliers or contract partners and to be able to choose and contact the right supplier for any new supply demand from our business or to pay any due invoices.

The legal basis for processing the aforementioned personal data is Art. 6(1)(f) GDPR as it is necessary to pursue our legitimate interests that result from our need to be able to communicate with our suppliers or contract partners and to manage our supplier or contract partner portfolio and thereby secure the supply of products and services needed to run our business. In addition, the legal basis for processing the aforementioned personal data of individuals who directly act as our suppliers or contract partners might be Art. 6(1)(b) GDPR, insofar as it is necessary for the performance of a contract with that individual.

We retain this kind of personal data for as long as it is necessary to continuously manage our relationship or to perform our contract with the relevant supplier or contract partner. We delete these personal data as soon as they are no longer needed, for example, when an employee of a supplier is no longer working for that supplier or if the supplier or freelancer is no longer eligible to be a supplier for us, unless legal archiving obligations require us to retain personal data for a longer period of time (e.g. personal data in the context of a contract will need to be archived for a period of ten years according to applicable tax legislation).

… you or others publish your personal data on the internet

We search the internet for information for various purposes that are explained in more detail below. This information may contain personal data. We also use active online listening services. Active online listening is the process of identifying and assessing what is being said about a company, individual, product, brand or topic with business relevance to the company on the internet. We process the personal data we collect from publicly accessible areas on the internet and in public media by, for example:

  • performing keyword searches across the web (e.g. websites, social media platforms, social network communities, blogs, mainstream news sources, forums or photo and video sites);
  • searching, filtering and analyzing conversation streams;
  • viewing visual analytic displays of conversation trends over a specified time range;
  • monitoring publicly available opinions, statements or other interactions on the internet from certain individuals or entities that are important for us and our business (so called thought leaders).

Read more here: Purpose, legal basis and data retention

We use the insights we receive for the following purposes:

  • Customer and stakeholder insights
    We want to identify business opportunities and risks alongside innovations, to better understand sentiment, intent, mood, market and societal trends as well as our customers’ or other stakeholders’ needs, preferences or opinions and thereby to engage in dialogue more effectively, to improve our services, products and the way in which we operate our company as well as to capture business opportunities and mitigate business risks. The legal basis for processing the personal data involved in this is Art. 6(1)(f) GDPR as it is necessary to pursue our legitimate interests that result from our aforementioned processing purposes. We delete personal data as soon as they are no longer required for the purposes they were initially acquired. Personal data stored in the profiles of thought leaders are deleted if they are older than 2 years.
  • Product safety and product quality
    As a company that supplies medicinal products and devices, we need to be able to identify any side effects, lack of therapeutic effect, medication errors, gray market products/counterfeit medicines, incorrect or off-label uses, quality complaints and/or other issues regarding the safety or quality of our products. The legal basis for processing the personal data involved in this is either Art. 9(2)(i) GDPR, as processing is necessary for ensuring high standards of quality and safety of health care and of medicinal products or medical devices, or Art. 6(1)(f) GDPR, as it is necessary to pursue our legitimate interests that result from our need to be able to know and react to any safety or quality issues in respect of our products. We delete personal data as soon as they are no longer required for the purposes they were initially acquired, unless the information therein is still required or there is a legal obligation to archive such personal data (e.g. information regarding adverse events). Adverse event information will be stored at least for the duration of the life cycle of the relevant product and for an additional ten years after the product has been taken from the market.

Transfer of Personal Data for Commissioned Processing

We might use specialized service contractors to some extent in processing your personal data. Such service contractors are carefully selected and regularly monitored by us. Based on relevant data processing agreements, they will only process personal data upon our instruction and strictly in accordance with our directives.

Processing of Personal Data outside the EU / the EEA

Your personal data may in part also be processed in countries outside the European Union (“EU”) or the European Economic Area (“EEA”), which may have lower data protection standards than European countries. In such cases, we will ensure that a sufficient level of protection is provided for your data, for example, by concluding specific agreements with our contractual partners (copy available on request), or we will ask for your explicit consent to such processing.

Information Regarding Your Rights

The following rights are in general available to you in accordance with applicable data privacy legislation:

  • Right of information about your personal data stored by us;
  • Right to request the correction, deletion or restricted processing of your personal data;
  • Right to object to processing for reasons of our own legitimate interest, public interest or profiling, unless we are able to prove that compelling, warranted reasons superseding your interests, rights and freedom exist, or that such processing is done for the purposes of asserting, exercising or defending legal claims;
  • Right to data portability;
  • Right to file a complaint with a data protection authority;
  • You may at any time with future effect revoke your consent to the collection, processing and use of your personal data. For further information, please refer to the chapters above describing the processing of data based on your consent.