When processing personal data, we will follow several principles to protect the fundamental rights and freedoms of individuals in accordance with the BCR. Each entity must comply with the following principles when processing personal data:
Principle 1: Lawfulness
Have a documented legal basis when collecting, using and processing personal data. These legal bases are limitative listed. Examples are:
- The processing is necessary for the performance of a contract with the individual, such as employee contracts and sales contracts
- The individual has given consent
- The legitimate interests of Fresenius are bigger than the negative consequences for the individuals
- The need to fulfil other legal obligations, such as tax laws, vigilance requirements or GxP requirements.
Special categories of data, such as health data, need additional legal grounds.
If local laws require additional or divergent provisions, these must also be followed (this might for example be relevant for employee data).
Principle 2: Transparency and Fairness
Handle personal data fairly and in a transparent manner. Inform individuals before or at the moment of collecting and using the personal data about:
- Who is responsible and how we can be contacted
- What data is collected
- How the data is collected
- Why we need the data (purpose)
- With what organisations the data is shared
- If it is shared with other countries
- How long the data will be stored
- The legal basis for collecting and using data and an explanation of that (principle 1)
- If the individuals are profiled
- If we make any decisions by automated means
- If the data must be provided and what happens if that is not done
- The contact details of the DPO and the authority
- The rights that the individuals have.
All this information must be provided in a comprehensive and in an easily accessible form, using clear and plain language.
Principle 3: Purpose Limitation
Only use personal data for the specified, explicit and legitimate purposes for which it is collected. Further use is not allowed, unless this further use is in line with the original purpose and/or additional measures are taken.
Purposes for further processing which are generally deemed in line with the original purpose are:
- Archiving
- Internal audit
- Investigations.
The (L)DPA will be able to provide guidance if a change of purpose might be permitted. In case of a permitted change of purpose, individuals must be informed of any such changes.
Principle 4: Data minimization
Only collect and use personal data that is necessary for the defined purpose as communicated to the individual. That means to ensure that personal data is relevant and not excessive in light of the purpose.
Principle 5: Accuracy
Keep personal data accurate and up-to-date. Procedures must be implemented to ensure that inaccurate data is deleted, corrected or updated without delay.
Principle 6: Storage Limitation
Do not keep personal data longer as necessary for the purpose it has been collected for, unless it is required by law. In such case access to it has to be restricted. Delete or anonymise personal data if there is no legal reason or purpose anymore.
Principle 7: Security, Integrity and Confidentiality
Take appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, disclosure or access to personal data (e.g. through appropriate roles & rights concept, backup and restore or by using encryption).
When implementing such measures, the risks to the individual must be considered. The security of IT systems must be assessed in light of these risks when installing and maintaining IT systems.
Document and report any breach of security that is likely to result in a risk for the affected Individuals to the data protection organization. Depending on the situation such breaches must also be notified to the supervisory authority, the individuals or other organisations.
Principle 8: Accountability
Be able to demonstrate compliance with the BCR. This is done by creating and maintaining appropriate documentation such as:
- records of processing activities
- technical and organizational measures taken to comply with the data protection principles and to address the risks.
- data protection risk and control assessments
Engagement of Processors
Only engage processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the BCR and local data protection laws. This must be ensured by a data protection contract between the respective entity and the processor.
(Onward) Transfers of personal data
Implement measures to adequately safeguard transfers of personal data to other organisations situated outside of the EEA in compliance with these BCR. This could be done by agreeing standard contractual clauses as adopted by the European Commission with the other organisation.