Data Privacy Information for Specific Processing Activities
- Who We Are
Profile and Organization
- Our Vision & Strategy
- Our Values
- Inclusion & Diversity
- Our Contributions
- Team Bayer
- Bayer Worldwide
- Corporate Compliance
- Contact Us
Welcome to this information page on specific processing activities conducted by Bayer AG, Kaiser Wilhelm Allee 1, 51368 Leverkusen (Germany) and all of its affiliates based in the European Economic Area (hereinafter “us” or “we”).
What you get
You might be visiting this information page:
because we invited you to visit this information page in order for you to be able to obtain further information on a specific data processing activity because at the time when we obtained your personal data, we were not able to provide you with all necessary information or
because you are searching for publicly available information on how we process personal data not obtained directly from you but, for example, from publicly available sources, where informing each individual proves impossible or would involve a disproportionate effort (Art. 14(5)(b) GDPR).
because you have been in contact with / addressing requests to HR Operations. Depending on the recipient of your request to HR Operations, your current or former employer as legal entity within Bayer Group, respectively the Bayer-Beistandskasse VVaG, Bayer-Unterstuetzungskassse GmbH, Bayer-Pensionskasse VVaG or Rheinische Pensionskasse VVaG (hereinafter “us”, “our” and “we”), each in its capacity as controller for the processing of your personal data, wishes to provide you with information on the processing of your personal data.
Please note: This page is not an exhaustive source of information about any kind of processing activity we perform. Where we are able to provide you with all required information at the time we obtain personal data from you, we do so by providing you with data privacy statements specific to the respective processing activity. If you are looking for information regarding the processing of your personal data on this website, for example, please visit our website’s data privacy statement.
Personal Data We Process about You, if …
… you hand over your business card to us
When you hand over your business card to us, we might copy it and enter the personal data contained therein into one of our contact management systems.
We use the information contained therein about you in order to contact you. The legal basis for processing your personal data and the respective retention period vary, depending on the purpose for which you have given us your business card. However, we will only store your personal data for as long as is necessary to stay in contact with you.
… you communicate with us via email
When you communicate with us via email, we process your email address, the information you provide in your emails (e.g. your name, further contact information from your signature, the content of your emails or any attachments) as well as the email meta data (e.g. time stamp, sender’s IP address, mail user agents, servers used in transit, etc.).
Additionally, we may process your email address for cyber security purposes. In order to protect Bayer’s data assets from unauthorized disclosure to third parties, we use a Data Loss Prevention (“DLP”) tool to prevent possible data leakage incidents by detecting and blocking certain data flows of sensitive information. In the case your email address is included in a detected incident, the data is stored as long as necessary to assess and resolve the incident or keep the data as evidence. This data processing is based on our legitimate interest to protect the Bayer group against loss of intellectual property and other sensitive information.
We use this personal data in order to be able to communicate with you. The legal basis for the processing of your personal data and the applicable data retention rules for your personal data may vary depending on the purpose for which we communicate with you. However, our general retention period for email inboxes is six months, unless your email has been archived, in which case the general retention period is four years. Please ask either the person in our organization whom you are in contact with or our data protection officer mentioned above if you want to know more about the purpose, legal basis and data retention rules applicable to your personal data in your individual case.
… you work with us in Microsoft 365
We use different platforms such as Microsoft Teams, Microsoft SharePoint or Microsoft Forms to work with you. As part of this cooperation, Microsoft, as our service provider, processes the profile and communication data you provide (name, business email address and telephone number), as well as metadata (e.g. IP address and time stamp) and, in the case of online conferences, your audio data and, if applicable, your cameraimage.
We use this information to enable the following activities and technologies:
- Access to a collaboration system or a survey: Access to the Microsoft 365 environment of Bayer is necessary for cooperation in accordance with the contract between Bayer and you or your employer. The access information will be deleted a maximum of 12 months after the end of the collaboration.
- Video conferencing: Microsoft Teams video conferencing function enables us to offer you participation in audio / video online meetings and events. Teams meetings can in some cases be recorded, this is announced by the meeting moderator and clearly indicated in Teams itself. Your access data for the meeting will be deleted after 90 days.
- (Co-) authoring of documents: During a collaboration / project, documents can be created and / or edited. The personal information in the metadata of the document (name of the author, name of the commentator) can persist throughout the life of the document. The standard deletion period is 4 years after the last processing of a document; longer retention periods may apply in cases where e.g. documents requires longer retention.
- Chat (Teams): The chat can be used as a means of communication as part of the cooperation between Bayer and you. The chat within Teams channels is retained for a maximum of four years from the date of the message. Personal chat messages including metadata are retained for 30 days.
- Polls (Forms): Polls can be used as part of an existing collaboration to collect information or opinions on a topic relevant to the collaboration. Surveys are anonymous unless expressly stated otherwise. The personal data collected as part of the survey will be deleted within 12 months of the start of the survey.
- Social company network (Yammer): The company's social network is used for open exchange on specialist topics and for answering user questions. Data in the Bayer social network will be deleted 4 years after the last change.
- Appointment booking (bookings): For certain services (e.g. consulting) an appointment booking can be offered via a booking tool. The tool helps identify free times in the non-public calendar of yourBayer business partner. Booking information will be deleted a maximum of 12 months after the appointment.
We use this personal data so that we can work with you. The legal basis for the processing is the legitimate interest (Art. 6 (1) (f) GDPR) of Bayer AG and its affiliates to work with you as a business partner. Collaboration would not be possible without this data being collected. The respective retention period varies depending on the case, information can be found in the description of the activities.
We use Microsoft for Microsoft 365 as a data processor. Microsoft 365 is software from Microsoft Ireland Operations Limited, One Microsoft Place, South County BusinessPark, Leopardstown, Dublin 18, D18P521, Ireland.
… you are, or work for, one of our customers, suppliers or contract partners
We process contact information (like name, email address, telephone number, position and role in the company) of employees of our customers, suppliers or contract partners (like key account managers, consultants, business partners or legal counsels) or of individuals who directly act as our customers, suppliers or contract partners (such as freelancers). We also might process individuals’ payment data (like bank account information), if applicable.
We use this information to manage our business relationship with you, e.g. to process your orders and deliver service to you, to manage your purchase history, to choose and contact the right supplier, or to pay any due invoices.
As the processing of personal data for the aforementioned purposes lies in the legitimate interest of Bayer, the legal basis for processing is Art. 6(1)(f) GDPR. As far as it is necessary to process the data to fulfill a contract with you, the legal basis is Art. 6(1)(b) GDPR.
We retain this kind of personal data for as long as it is necessary to continuously manage our relationship or to perform our contract with the relevant customer, supplier or contract partner. Legal archiving requirements may exceed this retention period, for example to meet tax legislative requirements for archiving. We delete these personal data as soon as they are no longer needed.
You can find more information on the processing of your data in customer service in our country-specific data privacy statements.
… you reach out to HR Operations
You can reach out to HR Operations via different channels (e.g. telephone / email / fax / Communication Center in myServices) for various different purposes. We will process personal data that you provide us in the context of your request (e.g. name, date of birth, CWID, address, request) for identification and authentication purposes and to process your request.
The legal basis for the processing of your personal data is Art. 6(1)(b) GDPR.
If you are an active employee on a randomly basis an invitation to participate in a Satisfaction Survey may be sent to you following your contact. This serves the continuous improvement of our HR services. Your participation in such a survey is voluntary and anonymous, unless you voluntarily identify yourself to the survey (for example, by submitting personal data in text fields). In such a case, the legal basis for the further processing of your personal data is also Art. 6(1)(b) GDPR.
We would like to point out that depending on your request in individual cases also conclusions on special categories of personal data are possible. This applies, for example, to the following example cases:
|Special categories of personal data||Description|
|Information about your sexual orientation||If you provide us with your marriage certificate, this will also contain the gender of your spouse.|
|Information about your religious belief||If you provide us with your tax details or a remuneration statement, this may also show your religious belief.|
|Information about your health||If you send us a sick leave, this is information about your health status; If you submit a medical report when you apply for a child allowance, this may provide diagnoses or illnesses.|
Retention periods for personal data. Tickets to your requests are stored for a period of 3 years from the date of creation.
… you ask us a medical inquiry
When you ask us a medical inquiry we will enter the personal data contained therein into our Medical Information database.
We will process the following personal data for the purpose to manage your medical inquiry and to deliver a respective response:
- Contact information (e.g. your name, address, phone/fax/mobile phone/email/ or other online contact information)
- Demographic data (e.g. age/age group, date of birth, gender)
Should such information be part of your request, we furthermore may process information which qualifies as sensitive personal data like
- information about your health status,
- your religious beliefs,
- your sex life/sexual orientation or
- your ethnicity.
An example where this could be the case is a request whether a Bayer product would be suitable for a Kosher diet.
Purpose of processing your personal data is to answer your medical request.
Access to your personal data is restricted to Bayer AG and its group entities that are involved in managing and responding to your inquiry, and to the call center operator Conduent Commercial Solutions, LLC and its group companies. These entities may be operating in countries different from your home country.
If the inquiry you ask contains an adverse event, special circumstance or product technical complaint, or is an inquiry outside of the scope of medical information, we will forward your inquiry containing your personal information to the relevant department for respective processing. For this purpose, we transfer your name, contact details and any information you have provided to us including information related to special categories of personal data if this has been provided.
For the processing of your personal data, we will to some extent use specialized service contractors who act as our data processors including the call center operator Conduent Commercial Solutions, LLC. Such service contractors are carefully selected and regularly monitored by us. They will only process personal data in accordance with our instructions and based on appropriate data processing agreements.
Legal basis for processing your personal data, including your sensitive personal data, is your consent. In addition, it is our legitimate interest to process your personal data for answering your enquiry and for documentation and record keeping purposes. If your request contains information about adverse events or is a product technical complaint, we are legally obliged to process respective information including sharing the information provided with the responsible Marketing Authorization Holder.
We retain your personal data beyond having answered your inquiry for documentation and record keeping purposes and regulatory compliance. Personal data related to sole medical information inquiries (managed in full by medical information staff, without an adverse event, product technical complaint or a need for forwarding to another department for handling) will be anonymized in accordance with local data privacy requirements, except where otherwise provided by law (e.g. in connection with an adverse event). Inquiries containing adverse event or product technical complaint information will be retained to meet regulatory requirements. Data provided to other departments will be retained for processing your inquiry.
Further additional country-specific information related to data privacy can be found on the respective countries’ Bayer internet sites.
… you report a complaint or counterfeit to us
When you report a complaint or counterfeit to us, we will enter the personal data contained therein into our Complaint Management database.
We will process the following personal data for the purpose to manage your report and, if necessary, to deliver a respective response:
- Contact information (e.g., your name, address, phone/fax/mobile phone/email/ or other online contact information)
- Information about the treating hospital or supplying pharmacy (or internet purchasing source) if needed
Should such information be part of your complaint, we furthermore may process information which qualifies as sensitive personal data like:
Information about your health status
Bayer as pharmaceutical company follows Good Manufacturing Practice for handling and reporting complaints. Purpose of processing your personal data is to manage and, where required, to answer your complaint. You have the choice to reject further contacts by Bayer, but this may lead to an incomplete assessment of your complaint information.
Legal basis for processing your personal data, including your sensitive personal data if provided, is your consent according to Article 6 (1) (a) and Article 9 (2) (a) GDPR that you declare by actively contacting us with the expectation to obtain an answer. It then is our legal obligation to process your personal data according to Article 6 (1) (c) GDPR for answering your complaint, to manage the complaint sample request and to fulfill documentation and record keeping requirements. If your complaint contains information about adverse events, we are also legally obliged to process respective information including sharing it with the responsible Marketing Authorization Holder or Legal Manufacturer.
Access to your personal data is restricted to Bayer AG and its group entities that are involved in managing and responding to your complaint report. These entities may be operating in countries different from your home country.
If the complaint you report contains an adverse event or is an inquiry outside of the scope of complaint and counterfeit reporting, we will forward your report including your personal information to the relevant department for respective processing. For this purpose, we transfer your name, contact details and any information you have provided to us including information related to special categories of personal data if this has been provided.
We retain your personal data beyond having answered your complaint for documentation and record keeping purposes and regulatory compliance in accordance with local law. Complaints containing adverse event or product technical complaint information will be retained to meet regulatory requirements. Data provided to other departments will be
retained for processing your complaint.
Further additional country-specific information related to data privacy can be found on the respective countries’ Bayer internet sites.
… you or others publish your personal data on the internet
We search the internet for information for various purposes that are explained in more detail below. This information may contain personal data. We also use active online listening services. Active online listening is the process of identifying and assessing what is being said about a company, individual, product, brand or topic with business relevance to the company on the internet. We process the personal data we collect from publicly accessible areas on the internet and in public media by, for example:
- performing keyword searches across the web (e.g. websites, social media platforms, social network communities, blogs, mainstream news sources, forums or photo and video sites);
- searching, filtering and analyzing conversation streams;
- viewing visual analytic displays of conversation trends over a specified time range;
- monitoring publicly available opinions, statements or other interactions on the internet from certain individuals or entities that are important for us and our business (so called thought leaders).
Following categories of personal data may be processed:
- Name, gender, job title/position within an organization/company (e.g., manager, spokesperson, editor, contributor), topic focus
- Social media accounts (e.g., Twitter) and website addresses
- Information on published articles or statements (e.g., date of publication, author, information on media reach, tone on relevant topics, article content)
We use the personal data to obtain insights related to following purposes:
Customer and stakeholder insights/Public Relations and Corporate Communications
We want to identify business opportunities and risks alongside innovations, to better understand sentiment, intent, mood, market and societal trends as well as our customers’ or other stakeholders’ needs, preferences or opinions. For this purpose, we follow public media reporting as well as stakeholder communication and activities on Bayer-related or industry-related topics. Thereby we are able to engage in dialogue more effectively, improve our services, products and the way in which we operate our company as well as capture business opportunities and mitigate business risks. The legal basis for processing the personal data involved in this is Art. 6(1)(f) GDPR as it is necessary to pursue our legitimate interests that result from our aforementioned processing purposes. We delete personal data as soon as they are no longer required for the purposes they were initially acquired for, as a rule however, at the latest if they are older than 3 years.
Stakeholder Engagement & Management
After we identified a stakeholder for our company (e.g. through active online listening, at an event, etc.) we process personal data to establish, maintain, cultivate and improve our personal stakeholder relationship in order to facilitate our business interests and activities (e.g. representing of our interests in politics and society, maintaining and participating in direct (legal) dialogues, providing information about our business, research and other activities, managing our public affairs and corporate communication, understanding stakeholder opinion on certain Bayer-related topics, maintaining an overview about our stakeholder contact history etc.) For these purposes, additionally to the personal data mentioned above, we might process the following personal data about you: contact details like phone number, e-mail address, postal address; political opinions; voting behavior; statements; memberships in associations; relationships to other stakeholders; content about topics discussed in meetings, panels/committees, etc. We delete the personal data as soon as they are no longer required for the purpose they were initially acquired for, as a rule however after 7 years of inactivity of our personal stakeholder relationship, except where otherwise provided by law.
Additionally, we recommend that you always read the terms and conditions of third-party sites, including but not limited to websites, forums and social media channels, where you chose to engage and share your personal data, opinions and perspectives. You have therefore control over your data which is collected. Bayer remains committed that relevant data which is related to your role as a stakeholder and not as a private person is processed. Bayer reinforces this through our commitments to consistently train staff and to ensure compliance through internal policies and via contractual terms with third parties.
Product safety and product quality
As a company that supplies medicinal products and devices, we need to be able to identify any side effects, lack of therapeutic effect, medication errors, gray market products/counterfeit medicines, incorrect or off-label uses, quality complaints and/or other issues regarding the safety or quality of our products. The legal basis for processing the personal data involved in this is either Art. 9(2)(i) GDPR, as processing is necessary for ensuring high standards of quality and safety of health care and of medicinal products or medical devices, or Art. 6(1)(f) GDPR, as it is necessary to pursue our legitimate interests that result from our need to be able to know and react to any safety or quality issues in respect of our products. We delete personal data as soon as they are no longer required for the purposes they were initially acquired, unless the information therein is still required or there is a legal obligation to archive such personal data (e.g. information regarding adverse events). Adverse event information will be stored at least for the duration of the life cycle of the relevant product and for an additional ten years after the product has been taken from the market.
Transfer of Personal Data for Commissioned Processing
We might use specialized service contractors to some extent in processing your personal data. Such service contractors are carefully selected and regularly monitored by us. Based on relevant data processing agreements, they will only process personal data upon our instruction and strictly in accordance with our directives.
Third party transfer
For requests addressed to HR Operations, if your request cannot be answered or processed by us directly, the personal data required for this purpose will be forwarded to the relevant departments in the Bayer Group for further processing (e.g. for reported technical access problems to the IT service or for requests for shift flat rates to the responsible HR Business Partner). Depending on your concerns, it may also be necessary for us to e.g. get in contact with the relevant tax office or your health insurance company.
Processing of Personal Data outside the EU / the EEA
Your personal data may in part also be processed in countries outside the European Union (“EU”) or the European Economic Area (“EEA”), which may have lower data protection standards than European countries. In such cases, we will ensure that a sufficient level of protection is provided for your data, for example, by concluding specific agreements with our contractual partners (copy available on request), or we will ask for your explicit consent to such processing.
Information Regarding Your Rights
The following rights are in general available to you in accordance with applicable data privacy legislation:
- Right of information about your personal data stored by us;
- Right to request the correction, deletion or restricted processing of your personal data;
- Right to object to processing for reasons of our own legitimate interest, public interest or profiling, unless we are able to prove that compelling, warranted reasons superseding your interests, rights and freedom exist, or that such processing is done for the purposes of asserting, exercising or defending legal claims;
- Right to data portability;
- Right to file a complaint with a data protection authority;
- You may at any time with future effect revoke your consent to the collection, processing and use of your personal data. For further information, please refer to the chapters above describing the processing of data based on your consent.