Data Privacy Information for Specific Processing Activities

Welcome to this information page on specific processing activities conducted by Bayer AG, Kaiser Wilhelm Allee 1, 51368 Leverkusen (Germany) and all of its affiliates based in the European Economic Area (hereinafter “us” or “we”).


What you get

You might be visiting this information page:


  • because we invited you to visit this information page in order for you to be able to obtain further information on a specific data processing activity because at the time when we obtained your personal data, we were not able to provide you with all necessary information or

  • because you are searching for publicly available information on how we process personal data not obtained directly from you but, for example, from publicly available sources, where informing each individual proves impossible or would involve a disproportionate effort (Art. 14(5)(b) GDPR).

  • because you have been in contact with / addressing requests to HR Operations. Depending on the recipient of your request to HR Operations, your current or former employer as legal entity within Bayer Group, respectively the Bayer-Beistandskasse VVaG, Bayer-Unterstuetzungskassse GmbH, Bayer-Pensionskasse VVaG or Rheinische Pensionskasse VVaG (hereinafter “us”, “our” and “we”), each in its capacity as controller for the processing of your personal data, wishes to provide you with information on the processing of your personal data.

Please note: This page is not an exhaustive source of information about any kind of processing activity we perform. Where we are able to provide you with all required information at the time we obtain personal data from you, we do so by providing you with data privacy statements specific to the respective processing activity. If you are looking for information regarding the processing of your personal data on this website, for example, please visit our website’s data privacy statement.

Personal Data We Process about You, if …

… you hand over your business card to us


business-cardWhen you hand over your business card to us, we might copy it and enter the personal data contained therein into one of our contact management systems.

We use the information contained therein about you in order to contact you. The legal basis for processing your personal data and the respective retention period vary, depending on the purpose for which you have given us your business card. However, we will only store your personal data for as long as is necessary to stay in contact with you.


… you communicate with us via email


emailWhen you communicate with us via email, we process your email address, the information you provide in your emails (e.g. your name, further contact information from your signature, the content of your emails or any attachments) as well as the email meta data (e.g. time stamp, sender’s IP address, mail user agents, servers used in transit, etc.).


Additionally, we may process your email address for cyber security purposes. In order to protect Bayer’s data assets from unauthorized disclosure to third parties, we use a Data Loss Prevention (“DLP”) tool to prevent possible data leakage incidents by detecting and blocking certain data flows of sensitive information. In the case your email address is included in a detected incident, the data is stored as long as necessary to assess and resolve the incident or keep the data as evidence. This data processing is based on our legitimate interest to protect the Bayer group against loss of intellectual property and other sensitive information.

We use this personal data in order to be able to communicate with you. The legal basis for the processing of your personal data and the applicable data retention rules for your personal data may vary depending on the purpose for which we communicate with you. However, our general retention period for email inboxes is six months, unless your email has been archived, in which case the general retention period is four years. Please ask either the person in our organization whom you are in contact with or our data protection officer mentioned above if you want to know more about the purpose, legal basis and data retention rules applicable to your personal data in your individual case.


… you are, or work for, one of our customers, suppliers or contract partners


partnerWe process contact information (like name, email address, telephone number, position and role in the company) of employees of our customers, suppliers or contract partners (like key account managers, consultants, business partners or legal counsels) or of individuals who directly act as our customers, suppliers or contract partners (such as freelancers). We also might process individuals’ payment data (like bank account information), if applicable.

We use this information to manage our business relationship with you, e.g. to process your orders and deliver service to you, to manage your purchase history, to choose and contact the right supplier, or to pay any due invoices.


As the processing of personal data for the aforementioned purposes lies in the legitimate interest of Bayer, the legal basis for processing is Art. 6(1)(f) GDPR. As far as it is necessary to process the data to fulfill a contract with you, the legal basis is  Art. 6(1)(b) GDPR.


We retain this kind of personal data for as long as it is necessary to continuously manage our relationship or to perform our contract with the relevant customer, supplier or contract partner. Legal archiving requirements may exceed this retention period, for example to meet tax legislative  requirements for archiving. We delete these personal data as soon as they are no longer needed.


You can find more information on the processing of your data in customer service in our country-specific data privacy statements.


… you reach out to HR Operations


partnerYou can reach out to HR Operations via different channels (e.g. telephone / email / fax / Communication Center in myServices) for various different purposes. We will process personal data that you provide us in the context of your request (e.g. name, date of birth, CWID, address, request) for identification and authentication purposes and to process your request.

The legal basis for the processing of your personal data is Art. 6(1)(b) GDPR.

If you are an active employee on a randomly basis an invitation to participate in a Satisfaction Survey may be sent to you following your contact. This serves the continuous improvement of our HR services. Your participation in such a survey is voluntary and anonymous, unless you voluntarily identify yourself to the survey (for example, by submitting personal data in text fields). In such a case, the legal basis for the further processing of your personal data is also Art. 6(1)(b) GDPR.

We would like to point out that depending on your request in individual cases also conclusions on special categories of personal data are possible. This applies, for example, to the following example cases:


Special categories of personal data Description
Information about your sexual orientation If you provide us with your marriage certificate, this will also contain the gender of your spouse.
Information about your religious belief If you provide us with your tax details or a remuneration statement, this may also show your religious belief.
Information about your health If you send us a sick leave, this is information about your health status; If you submit a medical report when you apply for a child allowance, this may provide diagnoses or illnesses.

Retention periods for personal data. Tickets to your requests are stored for a period of 3 years from the date of creation.


… you or others publish your personal data on the internet


publish-on-internetWe search the internet for information for various purposes that are explained in more detail below. This information may contain personal data. We also use active online listening services. Active online listening is the process of identifying and assessing what is being said about a company, individual, product, brand or topic with business relevance to the company on the internet. We process the personal data we collect from publicly accessible areas on the internet and in public media by, for example:


  • performing keyword searches across the web (e.g. websites, social media platforms, social network communities, blogs, mainstream news sources, forums or photo and video sites);
  • searching, filtering and analyzing conversation streams;
  • viewing visual analytic displays of conversation trends over a specified time range;
  • monitoring publicly available opinions, statements or other interactions on the internet from certain individuals or entities that are important for us and our business (so called thought leaders).


Following categories of personal data may be processed:

  • Name, gender, job title/position within an organization/company (e.g., manager, spokesperson, editor, contributor), topic focus
  • Social media accounts (e.g., Twitter) and website addresses 
  • Information on published articles or statements (e.g., date of publication, author, information on media reach, tone on relevant topics, article content)

We use the personal data to obtain insights related to following purposes:

  • Customer and stakeholder insights/Public Relations and Corporate Communications
    We want to identify business opportunities and risks alongside innovations, to better understand sentiment, intent, mood, market and societal trends as well as our customers’ or other stakeholders’ needs, preferences or opinions. For this purpose, we follow public media reporting as well as stakeholder communication and activities on Bayer-related or industry-related topics. Thereby we are able to engage in dialogue more effectively, improve our services, products and the way in which we operate our company as well as capture business opportunities and mitigate business risks. The legal basis for processing the personal data involved in this is Art. 6(1)(f) GDPR as it is necessary to pursue our legitimate interests that result from our aforementioned processing purposes. We delete personal data as soon as they are no longer required for the purposes they were initially acquired for, as a rule however, at the latest if they are older than 3 years.

  • Stakeholder Engagement & Management
    After we identified a stakeholder for our company (e.g. through active online listening, at an event, etc.) we process personal data to establish, maintain, cultivate and improve our personal stakeholder relationship in order to facilitate our business interests and activities (e.g. representing of our interests in politics and society, maintaining and participating in direct (legal) dialogues, providing information about our business, research and other activities, managing our public affairs and corporate communication, understanding stakeholder opinion on certain Bayer-related topics, maintaining an overview about our stakeholder contact history etc.) For these purposes, additionally to the personal data mentioned above, we might process the following personal data about you: contact details like phone number, e-mail address, postal address; political opinions; voting behavior; statements; memberships in associations; relationships to other stakeholders; content about topics discussed in meetings, panels/committees, etc. We delete the personal data as soon as they are no longer required for the purpose they were initially acquired for, as a rule however after 7 years of inactivity of our personal stakeholder relationship, except where otherwise provided by law.
    Additionally, we recommend that you always read the terms and conditions of third-party sites, including but not limited to websites, forums and social media channels, where you chose to engage and share your personal data, opinions and perspectives. You have therefore control over your data which is collected. Bayer remains committed that relevant data which is related to your role as a stakeholder and not as a private person is processed. Bayer reinforces this through our commitments to consistently train staff and to ensure compliance through internal policies and via contractual terms with third parties.

  • Product safety and product quality
    As a company that supplies medicinal products and devices, we need to be able to identify any side effects, lack of therapeutic effect, medication errors, gray market products/counterfeit medicines, incorrect or off-label uses, quality complaints and/or other issues regarding the safety or quality of our products. The legal basis for processing the personal data involved in this is either Art. 9(2)(i) GDPR, as processing is necessary for ensuring high standards of quality and safety of health care and of medicinal products or medical devices, or Art. 6(1)(f) GDPR, as it is necessary to pursue our legitimate interests that result from our need to be able to know and react to any safety or quality issues in respect of our products. We delete personal data as soon as they are no longer required for the purposes they were initially acquired, unless the information therein is still required or there is a legal obligation to archive such personal data (e.g. information regarding adverse events). Adverse event information will be stored at least for the duration of the life cycle of the relevant product and for an additional ten years after the product has been taken from the market.


Transfer of Personal Data for Commissioned Processing

We might use specialized service contractors to some extent in processing your personal data. Such service contractors are carefully selected and regularly monitored by us. Based on relevant data processing agreements, they will only process personal data upon our instruction and strictly in accordance with our directives.


Third party transfer

For requests addressed to HR Operations, if your request cannot be answered or processed by us directly, the personal data required for this purpose will be forwarded to the relevant departments in the Bayer Group for further processing (e.g. for reported technical access problems to the IT service or for requests for shift flat rates to the responsible HR Business Partner). Depending on your concerns, it may also be necessary for us to e.g. get in contact with the relevant tax office or your health insurance company.


Processing of Personal Data outside the EU / the EEA

Your personal data may in part also be processed in countries outside the European Union (“EU”) or the European Economic Area (“EEA”), which may have lower data protection standards than European countries. In such cases, we will ensure that a sufficient level of protection is provided for your data, for example, by concluding specific agreements with our contractual partners (copy available on request), or we will ask for your explicit consent to such processing.

Information Regarding Your Rights

The following rights are in general available to you in accordance with applicable data privacy legislation:

  • Right of information about your personal data stored by us;
  • Right to request the correction, deletion or restricted processing of your personal data;
  • Right to object to processing for reasons of our own legitimate interest, public interest or profiling, unless we are able to prove that compelling, warranted reasons superseding your interests, rights and freedom exist, or that such processing is done for the purposes of asserting, exercising or defending legal claims;
  • Right to data portability;
  • Right to file a complaint with a data protection authority;
  • You may at any time with future effect revoke your consent to the collection, processing and use of your personal data. For further information, please refer to the chapters above describing the processing of data based on your consent.