General privacy policy

Job processing

"Commissioned processing" is a special case in data protection law and means the collection, processing or use of personal data by a processor in accordance with the instructions of the controller on the basis of a contract.

Special categories of personal data/special personal data requiring protection

This is a subset of personal data. Special categories of personal data" include particularly sensitive data such as health data, biometric and genetic data, and religious affiliation, etc.

Third country

Countries outside Switzerland and outside the European Union (EU) or the European Economic Area (EEA) are considered third countries.

Receiver

Recipient" means a natural or legal person, public authority, agency or other body to whom personal data is disclosed.

Personal data

Data is only personal if it relates to an identified (specific) or identifiable (determinable) natural person. A person is "identified" if the data is directly linked to the data subject or if such a link can be established directly. Individual data with personal reference are for example

• Name and identifiers (e.g., date of birth, name affixes, ID number),
• Contact details (e.g. postal address, e-mail address, telephone number),
• physical characteristics (e.g. height, weight, hair color, genetic fingerprint) or
• other data (e.g. location data, usage data, actions, statements, value judgments, professional career, bank details, etc.).
• Pseudonymization

In "pseudonymization", the name or other identifying features are replaced by a pseudonym (e.g., a number) in order to exclude or make it significantly more difficult to establish the identity of the data subject. Pseudonymization means that personal data of a data subject can only be identified with the addition of further information.

Legal basis

Any processing of personal data requires a legal basis. The legal basis may be the consent of a data subject, the performance of a contract, the legal obligation of the controller, the protection of vital interests of the data subject, the performance of public or sovereign tasks or the protection of the legitimate interests of the controller or a third party. In addition, there are other legal bases for the processing of e.g. special categories of personal data.

Responsible

The "controller" (also "Controller") is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Processing

Processing" means the collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, whether or not carried out by automated means.

B. Braun Medical AG
Seesatz 17
6204 Sempach
Switzerland
Business responsible: info.bbmch@bbraun.com
Data Protection Officer : dataprotection.ch@bbraun.com

B. Braun Medical Care AG
Bahnhofstrasse 104
8902 Urdorf
Switzerland
Business responsible : info-urdorf@bbraun.com
Data Protection Officer: dataprotection.ch@bbraun.com

Sterilog Sterile Supply Lucerne AG
In house 16 of the Cantonal Hospital Lucerne
6000 Lucerne
Business responsible: mail@sterilog.ch
Data Protection Officer: dataprotection.ch@bbraun.com

The responsibility under data protection law depends on which of our companies you are in contact with or work with. More specific information can be found in the supplementary data protection statements.

If it is not clear to you who you should contact, you can contact B. Braun Medical AG at any time using the contact details provided.

If you have any questions about data protection, you can contact the respective data protection officers or our data protection team:

Data Protection Officer
B. Braun Medical AG
Seesatz 17
6204 Sempach
Switzerland
dataprotection.ch@bbraun.com

Your personal data may be processed for the following purposes, among others:

• Communication with our contact persons, interested parties, customers or sales partners (hereinafter referred to as "business partners") regarding products, services and projects
• Responding to inquiries from our business partners
• Planning, execution and administration of the (contractual) business relationship between our business partners and us, e.g. in order to -- process orders, for accounting purposes or to carry out and process deliveries
• Conducting customer surveys, marketing campaigns, market analyses, sweepstakes, contests or similar campaigns and events
• Planning, implementation and organization of events, e.g. product training, professional development or job shadowing
• Promotional targeting by email and/or telephone, and development and delivery of advertising (newsletters) tailored to your interests.
• Shipping samples, products and information
• Maintaining the protection and security of our premises, e.g. issuing visitor badges, access control
• Compliance with legal requirements, e.g. tax and commercial law retention obligations, to prevent white-collar crime or money laundering
• Testing, optimization and further development of products and services
• Maintaining and protecting the security of our products and services and our websites, preventing and detecting security risks and crimes, fraud, or other criminal or harmful acts
• Ensuring IT security and IT operations of the Group
• Settling legal disputes, enforcing existing contracts, and asserting, exercising, and defending legal claims.

Which personal data is processed in detail depends on the respective purpose. The scope of the data processed depends on which personal data are required to achieve the specific purpose. Insofar as the specific purpose permits, we process your data pseudonymously or anonymously.

In doing so, we base the processing of your personal data on one of the following legal bases:

For the fulfillment of contractual obligations (Art. 6 para. 1 b DSGVO)

If you are in a contractual relationship with us, the processing is carried out for the fulfillment of the contract. The same applies to the implementation of pre-contractual measures based on your request.

For the fulfillment of legal requirements (Art. 6 para. 1 c DSGVO)

We are subject to a large number of legal requirements, such as the Medical Devices Act, the Medicines Act, the Trade Regulation Act and the Commercial Code. To comply with these requirements, it may be necessary to process personal data.

Based on your consent (Art. 6 para. 1 a DSGVO)

Insofar as you have given us consent to process your personal data for specific purposes, the respective consent is the legal basis for the processing specified in the consent.

You can revoke your consent at any time with effect for the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Based on our legitimate interest (Art. 6 para. 1 f DSGVO)

Insofar as the processing of your personal data is not necessary for the fulfillment of a contract with you or to comply with legal requirements and consent also does not constitute an appropriate legal basis for the processing, the processing is carried out on the basis of our or a third party's overriding legitimate interest. In order to be able to use this legal basis, we check in advance whether the following requirements are met:

We or a third party has a legitimate interest in the processing, the processing is necessary to protect the legitimate interest, and your interests or fundamental rights and freedoms requiring the protection of personal data do not override our legitimate interest.

Your personal data will be disclosed within the B. Braun Group to the extent necessary to fulfill the respective purpose or if the internal organization requires the disclosure (e.g. central financial accounting, sales and marketing, logistics).

Your personal data will only be disclosed to third parties, i.e. entities outside B. Braun, if the disclosure can be based on one of the legal grounds mentioned above. Companies are, for example, legally obligated to disclose data to certain recipients, in particular these include

• Public bodies, such as tax authorities
  
• Jurisdictional/law enforcement agencies, such as police, prosecutors, courts.
• Lawyers and notaries, e.g. in insolvency proceedings
• Auditors

In addition, we use various service providers ("processors" according to Art. 28 DSGVO), which we contractually obligate according to the requirements of the DSGVO. These are, among others, companies from the areas of IT services, printing services, telecommunications or sales and marketing. Processors may only use personal data according to our instructions and for a specific purpose. Compliance with this is controlled and monitored by us.

We transfer your data to countries outside Switzerland or the European Union/European Economic Area (third countries) only to the extent that

• it necessary for the execution of your orders,
• it is required by law or
• you have given us your consent.

If we transfer your data to a third country or to an international organization, this is generally done in accordance with the requirements of the DSG and the DSGVO. Furthermore, in accordance with the principle of data minimization, we only transfer data that is limited to the minimum necessary.

In some cases, we use service providers whose registered office, parent company or sub-service provider is located in a third country. Your data will only be transferred if the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the European Commission have decided that an adequate level of protection exists in a third country (Art. 16 (1) DPA and Art. 45 GDPR), appropriate safeguards are provided (e.g. standard contractual clauses issued by the European Commission) and enforceable rights and effective remedies are available to you as a data subject. We have contractually regulated compliance with the European General Data Protection Regulation and its requirements with the service providers.

Your personal data is disclosed to the EU, the Philippines, Canada, Australia, the UK and the USA. For the data transfer to the USA, Philippines, Canada and Australia, we have taken appropriate measures, in particular data storage location in the EU, conclusion of standard contractual clauses and technical and organizational measures to prevent access by authorities (e.g. encryption and support obligations). 

Your personal data will be deleted or blocked as soon as the purpose of storage no longer applies. In addition, storage may take place if this is necessary to comply with regulatory or legal requirements.

Legal retention obligations may result in particular from the Code of Obligations and applicable cantonal health laws. As a rule, the retention and documentation periods specified there are ten years.

In the context of our (contractual) business relationship and/or cooperation, you must provide the personal data that is required to achieve the respective purpose or that we are legally obliged to collect. Without this personal data, we will generally not be able to achieve the intended purpose and enter into the business relationship and/or cooperation with you.

We do not use any procedures for automated decision-making. Should we use these procedures in individual cases, we will inform you about this separately if this is required by law.

You can assert the following data subject rights with us:

• You can request information about your personal data processed by us.
  
• If inaccurate personal data is processed, you have a right to rectification.
• If the legal requirements are met, you may request the deletion or restriction of the processing as well as object to the processing.
• If you have consented to the data processing or if there is a contract for data processing and the data processing is carried out with the help of automated procedures, you may have a right to data portability.

In addition, there is a right of appeal to the European data protection supervisory authorities.

Please note that legal obligations of the responsible parties or national exceptions may mean that your data cannot be permanently deleted or can only be deleted after a certain period of time has elapsed.

To assert one or more of your data subject rights, please contact us using the contact details provided under "Persons responsible and contact persons".

Right of objection

Right to object on a case-by-case basis

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (f) DSGVO; this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Right to object to processing of data for direct marketing purposes

We may also use your data for direct advertising within the scope of the statutory provisions. You have the right to object at any time to the processing of your personal data for the purpose of direct marketing; this also applies to profiling, insofar as it is associated with such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be made without any formalities. You can find our contact details under "Persons responsible and contact persons".

1.1 Visitor, guest and contractor registration

Only persons authorized by the Group may enter the plant premises. As a visitor, guest or contractor employee, you must provide the categories of data listed below and will generally receive a visitor's pass entitling you to stay on the plant premises for the duration of your visit/stay.

Purpose and legal basis

The purpose of the processing results primarily from the exercise of domiciliary rights as well as the protection of the company's property. In addition, the processing serves to be able to determine at any time who is on the plant premises and in our buildings, in particular to ensure the security of the plant premises and the protection of the persons working there. The legal basis is our legitimate interest pursuant to Article 6 (1) lit. f DSGVO, which results from the aforementioned purposes.

Data categories

• The following data are processed:
• Name and first name
• Possibly license plate number
• Company for which you work
• Duration of your stay
• Your contact person in our company

Storage duration and location

Your data will be stored for as long as is necessary to achieve the aforementioned purposes or to fulfill a contract (usually 1 year). Storage may take place beyond this if and insofar as this is provided for by law.

The storage of data differs per site. The data required for visitor management is stored either in a visitor management system or a visitor book.

Receiver

We sometimes use contract processors based within the EU as part of visitor management (e.g. plant security, IT service providers). Please additionally note the information on data protection on site.

1.2 Safety briefing / instruction

Purpose and legal basis

The purpose of the instruction is to ensure the health and safety of visitors and contractor employees on the premises.

Data categories

• First and last name
• Company
• Date of birth
• E-mail address
• Date of safety briefing/ visit or stay on the company premises

Storage duration and location

Your data will be stored for as long as is necessary to achieve the aforementioned purposes or to fulfill a contract. Storage may take place beyond this if and insofar as this is provided for by law.

1.3 Video surveillance at Swiss sites

We use video surveillance to protect our plant premises and buildings. Monitored areas are always indicated by appropriate signs.

Purpose and legal basis

The video surveillance serves the purpose of plant security within the scope of the house right according to our legitimate interest pursuant to Art. 6 para. 1 f DSGVO.

Storage duration

Where video recordings are made, they are deleted after 7 days at the latest.

For information on the handling of your personal data in the context of your application, please refer to the privacy policy of the global job market or the privacy policy of the website of the respective affiliated company or Internet provider (Linkedin, Jobup.ch, Jobs.ch, Yousty.ch).

If you do not apply for a position via the global job market, we obtain and process the relevant data for the purpose of reviewing the application, carrying out the application process and, in the case of successful applications, for the preparation and conclusion of a corresponding contract. For this purpose, in addition to your contact data and the information from the corresponding communication, we also process in particular the data contained in your application documents and the data as we can additionally obtain about you, for example from job-related social networks, the Internet, the media and from references, if you consent to us obtaining references. In addition, the relevant data protection provisions of the respective platforms mentioned above apply. 

Through our website, you have the opportunity to receive various information (e.g. download of a whitepaper, participation in a webinar/event) on various specialist topics free of charge from B. Braun. For this, it is necessary that you consent to the use of your data for marketing purposes in return for the provision of this information. For the provision of information, we will use the contact data you have provided. You will receive an activation e-mail from us or through your participation after the registration confirmation, through which your data will be confirmed. Thereafter, you will receive access to the broadly presented information and may in the future also be informed about further relevant therapies, products, solutions or events by B. Braun and our contractually bound distribution partners.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out by us on the basis:

your consent according to Art. 6 para. 1 lit a DSGVO or

our legitimate interest according to Art. 6 para. 1 lit. f DSGVO. There is a legitimate economic interest to inform our contacts about further own offers and events in order to establish and maintain a long-term customer relationship.

At the same time, we comply with the requirements of the Unfair Competition Act (UWG).

Processed data:

• Name and e-mail address
• Optional: Title and salutation

Storage duration and location

As soon as you have revoked your consent or objected to the processing, your personal data will no longer be used for the purpose of advertising and providing information via our website. If a business relationship continues to exist, your data will continue to be processed for these purposes, otherwise they will be deleted. Your data will be processed by order processors (see recipients).

Receiver

We process your data in a central CRM system. Within this framework, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other bodies:

• to service providers, e.g. IT service providers or service providers for sending mailings

In doing so, we observe the principle of data economy and only pass on the personal data required in each case.

If your data is transferred to other companies, service providers or other entities outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent. The risks resulting from the transfer of personal data to third countries can be found in the general part of this privacy notice under "Transfer to third countries".

We use Yousty.ch to advertise and fill our apprenticeship positions.

If you apply for a job on Yousty.ch, we obtain and process the relevant data for the purpose of reviewing the application, carrying out the application process and, in the case of successful applications, for the preparation and conclusion of a corresponding contract. For this purpose, in addition to your contact data and the information from the corresponding communication, we also process in particular the data contained in your application documents and the data as we can additionally obtain about you, for example from job-related social networks, the Internet, the media and from references, if you consent to us obtaining references. In addition, the relevant data protection provisions of the above-mentioned platform apply. 

We want to continuously improve our offers and services and for this reason we conduct customer satisfaction surveys according to specific contact points. The surveys take place immediately after a previous customer contact. In this way, we also meet the legal requirements and standards that demand a measurement of customer satisfaction.

We use the services of Qualtrics LLC, 333 W. River Park Drive, Provo UT 84604, USA to conduct customer, product, and brand satisfaction surveys.

We conduct the surveys in order to continuously develop and improve our products and services. If you participate in a satisfaction survey, only so-called "log data" (date and time stamp / information about your browser and your browser settings / information about your terminal device / usage data) will be processed. Participation in a satisfaction survey is voluntary. If you do not wish to participate in a satisfaction survey, you can simply close the survey pop-up.

Cookies are also used as part of Qualtrics services, specifically to maintain the current satisfaction survey during your browsing session.

The cookies set by Qualtrics have the purpose of excluding users from multiple participations within a certain period of time. The cookies have a duration of up to 12 months.

Participation in surveys is voluntary. Surveys are generally anonymous. If a personal survey is conducted, this is done on the basis of consent or conscious participation by the survey participant.

For more information about Qualtrics LLC and Qualtrics' processing of personal data, please visit https://www.qualtrics.com/privacy-statement/.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out by us on the basis of

• your consent according to Art. 6 para. 1 lit a DSGVO,
  
• our legitimate interest according to Art. 6 para. 1 lit. f DSGVO. There is a legitimate economic interest to collect the experience with our contacts and thus to be able to continuously improve our service.
• of a contract according to Art. 6 para. 1 lit. b DSGVO (e.g. hospitation contracts)

At the same time, we comply with the requirements of the Unfair Competition Act (UWG).

Processed data

• Name, address, e-mail address, telephone number and comments
  
• Other information you provide to us when completing a survey. In the context of each survey, you will be informed in advance about the purpose of the processing.
• When participating in the survey, you will also be asked to enter comments in free text fields. We strongly recommend that you do not enter any personal data about yourself or any other person. If you nevertheless enter personal data in a free text field, this data may be passed on to the categories of recipients listed below.

Storage duration and location

Your data will be stored in accordance with legal and internal requirements and deleted after a period of 2 years. Your data will be processed within the EU. In the case of technical support, it may happen that your data is passed on to a service provider outside the EU to fulfill your request. In such a case, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Receiver

Your personal data will be processed by us as data controller and, in some cases, by InMoment (a company under German law, registered with the commercial register number HRB92708 at the Hamburg District Court, with its registered office at Borselstrasse 18, 22765 Hamburg, Germany) as data processor.

In addition, we use Qualtrics LLC, 333 W. River Park Drive, Provo UT 84604, USA. Data processing outside the European Union (EU) does not take place as a matter of principle, as we have limited our storage location to data centers in the EU. Due to a ruling of the European Court of Justice, service providers located in the USA currently do not offer an adequate level of data protection. This may be associated with various risks for the legality and security of data processing.

Qualtrics uses standard contractual clauses approved by the EU Commission (pursuant to Art. 46. para. 2 and 3 DSGVO) as the basis for data processing for recipients located in third countries (outside the European Union) or a data transfer there. These clauses oblige Qualtrics to comply with the EU level of data protection when processing relevant data also outside the EU. These clauses are based on an implementing decision of the EU Commission.

For internal surveys we use the software "Forms" from Microsoft Ireland Operations Ltd,

One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. The data is stored on Microsoft's servers within the EU and processed by us as the responsible party.

If you contact us via a contact form, an e-mail address or a telephone number, we also process personal data about you. Frequently, you will also be asked for your consent to the processing of personal data for advertising purposes in the context of contact forms. In this regard, please refer to the section "Newsletter/marketing emails".

Purposes and legal basis

The purpose of the processing results in particular from the processing of your inquiry or request and further communication. The legal basis for the processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO, which arises from the aforementioned purposes or your consent pursuant to Art. 6 para. 1 lit. a DSGVO.

If your contact is aimed at the conclusion of a contract / an ongoing contractual relationship with us, the legal basis is the initiation or implementation of the contractual relationship in accordance with Art. 6 para. 1 lit. b DSGVO.

Data categories

The specific data processed results from the respective contact form. As a rule, however, it will be the following data:

• - Master data (e.g. names, addresses)
• - Contact details (e.g. e-mail, telephone numbers)
• - Information about your request
• - Storage duration and location

The storage period depends on your specific request. If, for example, your contact is aimed at concluding a contract with us or we already have a business relationship with you, your data will be stored until the contractual and/or legal obligations have been fulfilled and legal retention periods do not prevent deletion.

Receiver

Depending on the request (e.g. questions about our products and services), your data will be processed further. In order to be able to answer your inquiry/your request in the best possible way, your data will be passed on within the group (if necessary also to group companies outside the EU) to the extent necessary.

In addition, we use order processors (e.g. IT and software service providers).

We use your contact information to send you information about products, services or events that may be of interest to you.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out by us on the basis:

• - your consent according to Art. 6 para. 1 lit a DSGVO or
• - our legitimate interest according to Art. 6 para. 1 lit. f DSGVO. There is a legitimate economic interest to inform our contacts about further own offers and events in order to establish and maintain a long-term customer relationship.

At the same time, we comply with the requirements of the Unfair Competition Act (UWG).

Processed data

• By e-mail: Name, title, function, institution, department, address and e-mail address.
• By mail: Name, title, function, institution, department, address
• Personal interest in products/services and/or events

Storage duration and location

As soon as you have revoked your consent or objected to the processing, your personal data will no longer be used for the purpose of advertising. If a business relationship continues to exist, your data will continue to be processed for these purposes, otherwise they will be deleted.

Your data is processed by order processors (see recipients).

Receiver

We process your data in a central CRM system. Within this framework, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other bodies:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In doing so, we observe the principle of data economy and only pass on the personal data required in each case.

If your data is transferred to other companies, service providers or other entities outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The risks resulting from the transfer of personal data to third countries can be found in the general part of this privacy notice under "Transfer to third countries".

For information on how we handle your personal data when you use one of our apps or websites, please refer to the respective privacy policy.

For the implementation of digital events, we use the video conferencing tools "Teams" (from the provider Microsoft, USA) and "Zoom" (from the provider Zoom Video Communications Inc., USA)

Purpose and legal basis of processing

The legal basis for the processing of personal data results from the respective purpose for which the respective platform is used and the digital event is offered. These can be:

• Effective implementation of the event we offer to inform participants about professional topics: Legal basis is our legitimate interest based on Art. 6 para. 1 lit. f DSGVO.
• Implementation of e.g. group or individual meetings, trainings and events for the fulfillment of a contract with the data subject: Legal basis is Art. 6 para. 1 lit. b DSGVO.
• Implementation of operationally necessary group or individual meetings, training sessions and events within the scope of the employment relationship: The legal basis is the establishment, implementation or termination of the employment relationship.
• Conducting group or individual meetings, trainings and events on the basis of your consent pursuant to Art. 6 (1) lit. a DSGVO, which you give us by participating in the respective digital event.

Data categories

The scope of the data processed depends both on the purpose of the digital event, but also in particular on the information you provide before or during participation in the event (e.g. use of the chat function):

• User details: e.g. display name, e-mail address if applicable, profile picture (optional), preferred language
• Meeting metadata: e.g. date, time, meeting ID, phone numbers, location
• Text data: When you use the chat function, your posts are processed to display them within the chat.
• Audio and video data: When you use the video and audio features, data from the microphone and/or video camera on your end device is processed for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time.
• Shared files and information: You can use the Share feature to share your screen or files with other participants. All files, content, and comments posted by users are accessible to the people with whom they are shared. These can be individuals or members of a team or channel.
• Documentation of your participation in the form of attendee lists: For certain purposes, such as the implementation of training or awareness measures, it is necessary to keep a list of attendees and save it for proof. The tools used offer the possibility to export an attendance list after an event.

Data sharing

We use Microsoft as a processor within the meaning of Art. 28 DSGVO. The providers receive knowledge of the above-mentioned data to the extent that this is contractually provided for and permitted. Microsoft reserves the right to process customer data for its own legitimate business purposes. We have no influence on this data processing. To the extent that vendors process personal data in connection with legitimate business purposes, they are independent data controllers for those data processing activities and are therefore responsible for compliance with all applicable data protection laws. This is especially true when you access Microsoft's web pages or use the tools through your browser. If you require information about Microsoft's processing, please refer to the relevant privacy statements.

Data processing outside the European Union

Data processing outside the European Union (EU) does not take place in principle, as we have limited our storage location to data centers in the EU. However, we cannot exclude the routing of data via internet servers that are located outside the EU. This may be the case in particular if participants in an event are in a third country.

Measures to protect your data

The data processed during a digital event is encrypted during transport over the Internet and thus secured against unauthorized access by third parties. In addition, we have agreed extensive technical and organizational measures with the providers that correspond to the currently applicable state of the art, e.g., with regard to access authorization and end-to-end encryption concepts for data line, databases, and servers.

Data deletion

We delete personal data when the storage of the data is no longer necessary. In the case of statutory retention obligations, deletion only comes into consideration after the expiry of the respective retention obligation.

Your rights as a data subject

You have the right to information about the personal data concerning you. Furthermore, you have a right to rectification or deletion or to restriction of processing, insofar as you are entitled to this by law. You can revoke your consent at any time with effect for the future. The lawfulness of the processing until the revocation remains unaffected. Finally, you have a right to object to processing within the framework of the legal requirements. A right to data portability also exists within the framework of data protection law. You have the right to complain about the processing of personal data by us to a supervisory authority for data protection.

Special feature: recording of digital events

Under certain circumstances, recording of digital events can take place. This is done, for example, for the purpose of publication, documentation, etc. The legal basis is your informed (written) consent pursuant to Art. 6 (1) lit. a DSGVO, which you give us with your participation. If a digital event is to be recorded, we will inform you about this transparently in advance (e.g. as part of the invitation). In addition, a notice will be provided as part of the event before the recording is started. The system will also inform you that the event is being recorded. The recording will be saved and deleted in accordance with data protection regulations after the relevant deletion period has expired.

Under certain circumstances, it may be necessary to publish the recording for the circle of participants, on the intranet or on the Internet in order to fulfill the above-mentioned purpose. Insofar as the recording is published on the intranet or internet, we would like to point out that the recordings are made available to a broad public. Any person viewing the content on the Internet may use it as he or she sees fit, including misuse, without this being monitored, restricted or prevented. However, within the framework of data economy, we take care, especially when publishing recordings, to delete or anonymize in advance the personal data that is not relevant to the publication (e.g., cropping the video excerpt).

Purpose and legal basis of processing

The processing of your data is based on our legitimate interest pursuant to Article 6 (1) f DSGVO. There is a legitimate economic interest in maintaining contacts that have arisen in the course of business transactions, even beyond the initial contact, and to use them to build a business relationship and to remain in contact with you for this purpose.

Data categories

Name, title, function

• Institution
• Business contact details
• Business address
• Business email address, phone number

If requested by you and provided to us:

• Private contact details, private address, private e-mail address, telephone number

Storage duration and location

We store your data for the duration of the business relationship. If you object to the processing, we will continue to store your personal data for as long as we are legally obliged to do so. In addition, data of business contacts with whom we had no business contact within a defined time frame will be deleted.

Receiver

We process your data in a central CRM system (Customer Relationship Management). Within this framework, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other bodies:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In doing so, we observe the principle of data economy and only pass on the personal data required in each case.

If your data is transferred to other companies, service providers or other entities outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

As part of this processing activity, we disclose your personal data to Australia, Canada and the USA. The risks resulting from the transfer of personal data to these countries can be found in the paragraph "Transfer to third countries".

Your product complaint, medical information request or adverse event report related to medicinal products (pharmacovigilance).

The scope of this declaration is limited to the processing of personal data in connection with product complaints, medical information requests and pharmacovigilance. Pharmacovigilance is the detection, evaluation, tracking and prevention of adverse events related to medicinal products. As part of pharmacovigilance, we handle reports of adverse events related to medicines (e.g., suspected cases of adverse drug reactions or drug failure). If you report adverse events or other pharmacovigilance-related information to us, we will process this data exclusively for pharmacovigilance purposes:

Purpose and legal basis - pharmacovigilance

When reporting in terms of pharmacovigilance, we comply with the relevant requirements that oblige us and the responsible regulatory authorities to process data on adverse events. This serves to protect public health and to ensure a high standard of quality and safety.

We are required to process certain personal data of affected patients* and/or reporting persons in order to report adverse events related to medicinal products to the relevant regulatory authorities. The personal data are processed exclusively for pharmacovigilance purposes and only when relevant and appropriate to properly document, assess and report such an event in accordance with our pharmacovigilance obligations. The information in question has great public health significance and is used for the detection, assessment, understanding and prevention of adverse events and other risks associated with our medicines. In particular, we process your data for the following purposes and legal bases:

Purpose: Personal data in the context of adverse event reports related to medicinal products or other aspects of pharmacovigilance (including when provided in the context of a medical request).

Leal basis: This processing is necessary in order to comply with the statutory pharmacovigilance obligations applicable to B. Braun. Braun's legal pharmacovigilance obligations (GVP, HMG) (Art. 6 para. 1 lit. c and 9 para. 2 lit. i DSGVO).

Purposes and legal basis of the processing - medical requests

Any personal data provided to B. Braun in connection with medical inquiries may be used to respond to and follow up on the inquiry in question. The information in question may be stored in a medical information database for reference purposes. In addition, we may be required by law (for example, as part of pharmacovigilance) to report the data to regulatory authorities. We do not use your data for any other purposes. In particular, we process your data for the following purposes and legal bases:

Purpose: Personal information related to a medical request may be used to respond to and follow up on the request.

Legal basis: This processing is based on B. Braun's legitimate interest in tracking your requests (Art. 6 para. 1 lit. f DSGVO). If you are a patient, we process your personal data only with your explicit consent (Art. 6 para.1 lit. a and 9 para. 2 lit. a DSGVO).

Purposes and legal basis of processing - Product complaints

Any personal data provided to B. Braun in connection with a product complaint will be used solely for these purposes. The information in question is of great importance to public health and is used to assess, classify and evaluate the product complaint, to follow up on related inquiries and to store the data in a product complaint database for reference purposes. In particular, we process your data for the following purposes and legal bases.

Purpose: Personal data in connection with a product complaint (e.g., to assess, classify, and evaluate the product complaint, to follow up on the related inquiry, and to store the data for reference purposes in a product complaint database) (including when provided as part of a medical inquiry).

Legal basis: This processing is necessary in order to comply with the legal obligations applicable to B. Braun (Art. 6 para. 1 lit. c and 9 para. 2 lit. i DSGVO).

Data categories

When submitting a notification, the following data may be processed, depending on the individual case:

Adverse event reports in connection with medicinal products

Reporting person: name, contact details, professional group affiliation

Person affected by an adverse event: Personal data on health and medical history as far as necessary for the processing and assessment of the case. This may include data such as initials, age/date of birth, gender, weight and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of complying with the drug safety obligation and our legal obligations.

Medical requests

Reporting person: name, contact details, professional group affiliation

Additionally, if a medical inquiry includes product complaint data or suspected adverse reaction data, it will be treated as such.

Product complaints

Reporting person: name, contact details, professional group affiliation

To the extent that an individual has experienced a health impairment in connection with a product complaint, personal health and medical history data will be collected to the extent necessary to process and evaluate the case. This may include data such as initials, age/date of birth, gender, weight and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of meeting the drug safety obligation and our legal obligations.

Storage duration and location

Due to their public health importance, pharmacovigilance-related information is retained for at least 15 years after the respective products have been withdrawn from the market in the last country in which they were offered.

Personal data stored as part of medical information requests will be retained for a maximum of 11 years from the date of receipt.

Since information concerning product complaints is important for public health, complaint records including the corresponding personal data are kept for at least 15 years.

Receiver

B. Braun may share personal information that you provide to us as necessary to maintain B. Braun's global pharmacovigilance database and to comply with applicable pharmacovigilance legislation. To this end, we may share and/or disclose personal data as follows:

• within the B. Braun Group to analyze and evaluate a reported adverse event.
• to the competent supervisory authorities, with regard to a (suspected) adverse event.
• to service providers, e.g. IT service providers.
• to other pharmaceutical companies acting as co-commercializers, co-distributors or other licensed partners of the B. Braun Group, if the pharmacovigilance obligations for our product require such exchange of safety information.
• when information about adverse events is published (for example, in the form of case studies and summaries); in these cases, your data will be anonymized to keep your identity confidential.

In addition, B. Braun is required to share certain pharmacovigilance and product-related information with health authorities worldwide. This also includes authorities located in countries outside the EU. In these countries, data protection regulations differ from those in the EU, so that the level of data protection does not correspond to that in the EU. Legal basis: Art. 6 para. 1 lit. c and for transfers outside the EU Art. 6 para. 1 lit. f and Art. 49 para. 1 lit. e DSGVO.

The reports in question contain details of the incident in question. Personal data is included to the extent necessary:

• For patients, the report includes only, as indicated, age, gender and initials (where indicated), date/year of birth (where disclosure is permitted) but never the patient's name.
• For the reporting person, the report includes the name, profession (e.g., physician, pharmacist), initials or address, email address, and telephone number (if provided). The contact information is necessary to contact the reporting person to obtain high quality and complete information about adverse events.

If the reporting person does not wish to share their contact information with B. Braun or authorities, "Privacy" is entered in the name and contact data field of the reporting person.

If your data is transferred to other companies, business partners or service providers outside the European Union, we will ensure that your personal data is adequately protected, e.g. by concluding standard contractual clauses and/or that only such data is transferred as is necessary.

For the organization, implementation and follow-up, it is necessary to process personal data. Depending on the event and the scope of services, different personal data will be collected from you. Read below to find out how we process your personal data when you participate as a participant or speaker in our events and similar activities (hereinafter "events").

If the event takes place on our plant premises, please also read the "Notes on data protection visitor management".

Participating

Purpose and legal basis

The purpose of the processing is to enable you to participate in the events and take advantage of the services or promotions associated with participation. The legal basis differs depending on the event:

• Legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO (e.g. to ensure secure and efficient communication).
• Consent according to Art. 6 para. 1 lit. a DSGVO (e.g. your registration)
• Contract according to Art. 6 para. 1 lit. b DSGVO (e.g. hospitation contracts)
• Processed data

When you register and participate in one of our events, we process the following data from you:

• Master data (e.g. name, title, department, function, addresses, institution)
• Contact details (e.g. e-mail, telephone numbers)
• Contract data (e.g. subject of contract, term, customer category)
• Dates of arrival and departure
• Optional: Eating habits for participants with allergies

additionally in individual cases:

• specific passport data to create invitation letter for VISA service
• Date and place of birth

For paid events, we additionally process:

• Payment data (e.g. bank details, invoices, payment history, private address if given)

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of the obvious (e.g. at thematically oriented events) or is done with your consent.

Storage duration and location

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period. Your data will be processed within the EU.

Receiver

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period. Your data will be processed within the EU.

Active part (e.g. speakers, consultants, moderators)

Purpose and legal basis

Your data will be processed by us for the purpose of processing your contractual performance. The legal basis is the contractual relationship according to Art. 6 para. 1 lit. b DSGVO.

Processed data

We process the following personal data from you:

• Master data (e.g. name, title, department, function, addresses, institution)
• Contact details (e.g. e-mail, telephone numbers)
• Contract data (e.g. subject of contract, term, customer category)
• Dates of arrival and departure
• Payment data (e.g. bank details, invoices, payment history, home address)
• Optional: Eating habits with allergies

additionally in individual cases:

• specific passport data to create invitation letter for VISA service

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of the obvious (e.g. at thematically oriented events) or is done with your consent.

Storage duration and location

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period. Your data will be processed within the EU.

Receiver

We process your data in a central CRM system. Within this framework, your data may be passed on within the B. Braun Group if this is necessary for the organization, implementation and follow-up of the respective activity/assignment.

Financial accounting for payment processing

In addition, it may be necessary to pass on personal data to other bodies:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally
• to hotels and transport companies when you ask us to organize your trip and stay
• to local authorities, in the context of VISA applications
• to credit institutions, within the scope of payment processing

In doing so, we observe the principle of data economy and only pass on the personal data required in each case.

If your data is transferred to other companies, service providers or other entities outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

As a global company, we work with contracted distributors in certain countries and regions. In order to provide you with information about B. Braun products, therapies, solutions or events, for promotional purposes, to contact you or to respond to your inquiry, we will, with your consent, forward the personal data you have provided to these external sales partners so that they can contact you. Our sales partners work regionally, which means that your data is only passed on to the sales partner with whom we work in your region.