Binding Corporate Rules

An adequate and uniform level of data protection

Fresenius needs to follow many data protection laws around the world. The Binding Corporate Rules (BCR) set a uniform and adequate level of data protection. This enables the internal exchange of personal data between the Fresenius entities in scope.

Applicable around the world

The BCR apply to the following Fresenius entities:

• Fresenius Kabi AG including all subsidiaries / affiliates 
• Fresenius Digital Technology GmbH
• Fresenius SE & Co. KGaA

Applicable for certain activities

The BCR apply to the following Personal data processing activities: 

• All activities by European entities.
• Activities of non-European entities:
  • When they collect personal data on behalf of a European Fresenius entity or 
  • When they collaborate with a European Fresenius entity
  • When they receive personal data from European entities
  • When they collect personal data from people located in Europe for the offering of goods and services or related to monitoring behaviour.

BCR apply to both paper based and IT based processes. 
The BCR apply to all processes that allow structured search for personal data.

BCR sets the minimum level

If any local data protection laws require stricter or additional rules on processing of personal data, these need to be observed additionally.

If a local law contradicts the BCR, the Data Protection Officer (DPO) needs to be informed. The DPO will assess the impact and resolves the conflict.

If an entity receives an order of an authority to disclose personal data that is not in line with the BCR requirements, the DPO needs to be informed. The DPO will inform the supervisory authority in Germany.

The BCR are binding to the organisation and our employees

The BCR need to be obliged and are binding for:

• All entities: they sign a contract
• All employees: they have the duty to follow corporate policies based on their employment contract.

Organisations and people can derive rights under these obligations. 
The enforcement of the BCR and potential sanctions because of violations are the same as any other policy violation.

Fresenius Group established an internal data protection organisation, and assigned the following roles and responsibilities:

• The Data Protection Officer (DPO) monitors, i.e. checks and oversees if the BCRs, local laws, rules and processes are followed. The DPO can perform audits, reviews and investigations. The DPO is also the point of contact for the data protection authorities in Europe. Contact details are:
  Data Protection Officer:
  Else-Kröner-Str. 1
  61352 Bad Homburg v.d.H.
  Germany
  Or per mail:
  For Fresenius SE and Netcare: dataprotectionofficer@fresenius.com
  For Fresenius Kabi entities: dataprotectionofficer@fresenius-kabi.com
  
• The Local Data Protection Advisor (LDPA) helps and advises local employees as well as process owners whenever they have any questions or concerns related to data protection. Where necessary the LDPA supports the DPA and DPO, e.g. on request in its monitoring function and contact with supervisory authorities e.g., due to language issues.
• The Data Protection Advisor (DPA) provides supporting and consulting tasks for the LDPAs and is responsible for the data protection management system. Where necessary the DPA supports the DPO on request in its monitoring function and contact with Supervisory Authorities e.g., due to language issues.

When processing personal data, we will follow several principles to protect the fundamental rights and freedoms of individuals in accordance with the BCR. Each entity must comply with the following principles when processing personal data:

Principle 1: Lawfulness

Have a documented legal basis when collecting, using and processing personal data. These legal bases are limitative listed. Examples are: 

• The processing is necessary for the performance of a contract with the individual, such as employee contracts and sales contracts
• The individual has given consent
• The legitimate interests of Fresenius are bigger than the negative consequences for the individuals
• The need to fulfil other legal obligations, such as tax laws, vigilance requirements or GxP requirements.

Special categories of data, such as health data, need additional legal grounds.
If local laws require additional or divergent provisions, these must also be followed (this might for example be relevant for employee data).

Principle 2: Transparency and Fairness

Handle personal data fairly and in a transparent manner. Inform individuals before or at the moment of collecting and using the personal data about: 

• Who is responsible and how we can be contacted
• What data is collected
• How the data is collected
• Why we need the data (purpose)
• With what organisations the data is shared
• If it is shared with other countries
• How long the data will be stored
• The legal basis for collecting and using data and an explanation of that (principle 1)
• If the individuals are profiled
• If we make any decisions by automated means
• If the data must be provided and what happens if that is not done
• The contact details of the DPO and the authority
• The rights that the individuals have.

All this information must be provided in a comprehensive and in an easily accessible form, using clear and plain language.

Principle 3: Purpose Limitation

Only use personal data for the specified, explicit and legitimate purposes for which it is collected. Further use is not allowed, unless this further use is in line with the original purpose and/or additional measures are taken.
Purposes for further processing which are generally deemed in line with the original purpose are: 

• Archiving
• Internal audit
• Investigations.

The (L)DPA will be able to provide guidance if a change of purpose might be permitted. In case of a permitted change of purpose, individuals must be informed of any such changes.

Principle 4: Data minimisation

Only collect and use personal data that is necessary for the defined purpose as communicated to the individual. That means to ensure that personal data is relevant and not excessive in light of the purpose.

Principle 5: Accuracy

Keep personal data accurate and up-to-date. Procedures must be implemented to ensure that inaccurate data is deleted, corrected or updated without delay.

Principle 6: Storage Limitation

Do not keep personal data longer as necessary for the purpose it has been collected for, unless it is required by law. In such case access to it has to be restricted. Delete or anonymise personal data if there is no legal reason or purpose anymore.

Principle 7: Security, Integrity and Confidentiality

Take appropriate technical and organisational measures to protect personal data against destruction, loss, alteration, disclosure or access to personal data (e.g. through appropriate roles & rights concept, backup and restore or by using encryption). 
When implementing such measures, the risks to the individual must be considered. The security of IT systems must be assessed in light of these risks when installing and maintaining IT systems. 
Document and report any breach of security that is likely to result in a risk for the affected Individuals to the data protection organisation. Depending on the situation such breaches must also be notified to the supervisory authority, the individuals or other organisations.

Principle 8: Accountability

Be able to demonstrate compliance with the BCR. This is done by creating and maintaining appropriate documentation such as: 

• records of processing activities
• technical and organisational measures taken to comply with the data protection principles and to address the risks.
• data protection risk and control assessments

Engagement of Processors

Only engage processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the BCR and local data protection laws. This must be ensured by a data protection contract between the respective entity and the processor.

(Onward) Transfers of personal data 

Implement measures to adequately safeguard transfers of personal data to other organisations situated outside of the EEA in compliance with these BCR. This could be done by agreeing standard contractual clauses as adopted by the European Commission with the other organisation.

Data protection risk assessment

For every data processing activity, a data protection risk assessment needs to be carried out. This assessment is a formal process to assess the impact of the activity on the rights and freedom of the respective concerned data subjects.

The identified control gaps and potential risks must be reported and documented. Mitigating technical and organisational measures must be implemented before the data processing activity is started.

Data protection impact assessments

If the result of the data protection risk assessment is a high risk, a Data Protection Impact Assessment (DPIA) needs to be carried out. The advice of the DPO will be sought.

Where a DPIA identifies a high risk of a specific data processing activity, adequate measures to mitigate such risks prior to the start of the processing activity must be implemented. If the DPIA still indicates high risk after the implementation of the measures, the concerned supervisory authority, before processing the data, should be consulted.

Individuals must be enabled to exercise their rights (data subject rights):

• Right to access personal data: The individual can ask to access/receive information about individual personal data processed by Fresenius (e.g. the purpose of processing, the categories of personal data concerned, the recipients, storage periods, any existence of automated decision-making).
• Right to rectify personal data: The individual can ask to correct inaccurate or incomplete personal data.
• Right to erase personal data: The individual can ask to delete his/her personal data unless it must be maintained e.g. due to legal retention requirements. 
• Right to restrict processing of personal data: The individual can ask to restrict the processing of his/her personal data if either the accuracy of the personal data is contested, or the processing is unlawful (no longer required for the pursued purposes).
• Right to receive personal data in a portable format: The individual can ask to receive their personal data in a commonly used and machine-readable format, if the following conditions are met: 
  • Personal data have been provided by the individual
  • The processing is based on the individual’s consent or on a contract with the individual
  • The processing is carried out by automated means.
• Right to object to the processing of personal data: The individual can, due to his or her personal situation, object to processing of his or her personal data based on legitimate or public interest. Such request must be assessed. Further the individual can object to direct marketing and profiling. The processing must then stop.
• Right not to be subject to automated decision making: The individual has the right not to be subject to automated decision making (incl. profiling) which could lead to legal or similar significant effects on the individual, unless:
  • It is necessary for entering into or performance of a contract between the individual and the respective entity
  • It is based on the individual’s explicit consent.

Access to BCR

The BCR must be available for individuals in an appropriate manner. The BCR will be published on the internet and intranet. 
Individuals can also access the BCR by contacting the respective DPO or any member of the data protection organisation. 

BCR complaint handling

Each individual is entitled to:

• Claim violation of the BCR, local data protection laws, orders by supervisory authorities, internal policies and guidelines, or voluntary self-commitments related to data protection
• Address its individual rights
• Enforce any other right of the BCR.

Any such complaints can be submitted e.g. via phone, by email or letter, orally by approaching the respective DPO, the respective (L)DPA or the compliance hotline. 
In case the complaint is considered justified, the entity will take adequate action(s) to address the complaint and inform the individual respectively within a month.

Liability and Enforcement

Individuals who are affected by or have suffered damages as a result of the processing of their respective personal data, are entitled to enforce these parts of the BCR and if applicable to receive compensation before a competent court.
In case of proven violations by parties established outside the EU/EFA, FSE accepts responsibility and liability for any damages towards the individuals. The entity, who caused the damage, shall provide reasonable assistance to FSE to respond to such complaints or requests in a timely manner.

Cooperation with Supervisory Authorities

Each entity is required to cooperate with the supervisory authorities, to comply with advice concerning the interpretation of these BCR and to accept being audited by the concerned supervisory authorities.

Training

Each entity will enrol and oblige their employees to participate in a training on the BCR and data protection and to regularly repeat such training. General training must be provided at least bi-annually to all relevant employees. Furthermore, role specific training (e.g. for HR or procurement departments) is provided considering the specific needs of certain roles/persons.

Auditing

All parties will commit to be regularly audited (through planned or ad hoc audits) to evaluate and test compliance with the BCR and implement adequate and sufficient mechanisms to remedy non-compliance of an entity with the BCR. The data protection organisation will follow up on any conducted audit to assess whether proposed corrective actions have been appropriately implemented and document any outcomes in the audit report. Each entity will make audit reports available to supervisory authorities upon request. 

Update of BCR

Parties will review local data protection laws and indicate if changes to BCR are necessary. Fresenius can amend the BCR if needed. Any significant changes to the BCR will promptly be reported to each entity and to the supervisory authority. Any other non-substantive amendments to the BCR will be reported to the parties as soon as practicable.