Important information: Notes on data protection
Dear business partner,
Data protection is important to us and we take it very seriously. We will continue to rely on a trusting cooperation with you in the future, as we have in the past. Naturally, this also applies to handling your personal data. With these instructions on data protection, we inform you about the processing of your personal data by the B. Braun Group and the rights you are entitled to in accordance with the provisions of the General Data Protection Regulation (GDPR).
In our internal data protection guidelines, we have set out the requirements for the processing of personal data for suppliers in the B. Braun Group. These comply with the requirements of the European Data Protection Guideline and ensure compliance with the principles of national and international data protection laws applicable worldwide. This enables us to set a valid data protection and data security standard in our company and regulate the exchange of data between the companies in our Group. We have defined seven data protection policies as benchmarks—including transparency, data economy and data security.
B. Braun is obligated to adhere to the data protection regulations and to observe the respective data protection laws.
Further information on data protection in the B. Braun Group can be found at www.bbraun.com/dataprotection.
1. Who is responsible for data processing and who can you contact?
The office responsible for data security is:
B. Braun Melsungen AG
Phone: +49 (0)5661 71 - 0
You can contact our company’s Data Protection Officer at:
B. Braun Melsungen AG
Data Protection Officer
Phone: +49 (0)5661 71 - 0
2. Which sources and data do we use?
We process personal data that we receive from you in the course of our business relationship. This is the data we receive directly from you, e.g., in the context of inquiries, orders, offers, order confirmations, contracts or through personal contact with our employees. In addition, we process personal data which we may obtain from publicly accessible sources (e.g., commercial and association registers, press, Internet) or which is legitimately transmitted to us by other companies of the B. Braun Group, to the extent necessary for the provision of our services (see Annex 1).
Specifically, we process the following data:
- Contact master data (e.g., name, address, contact details)
- Order data (e.g., in the context of processing orders)
- Documentation data (e.g., call notes)
- Data on the initiation and implementation of our business relationships
- Correspondence (e.g., correspondence)
3. What do we process your data for (purpose of processing) and on what legal basis?
We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). In the following paragraphs we will inform you about the legal basis on which we process your data.
3.1 For the fulfillment of contractual obligations (Article 6 (1) (b) GDPR)
The processing of data takes place to fulfill a contract with you or for the execution of pre-contractual activities that take place on the basis of an inquiry. The purposes of data processing depend in detail on the specific business relationship.
3.2 In the context of balancing interests (Article 6 (1) (f) GDPR)
If necessary, we process your data beyond the actual performance of the contract to protect our legitimate interests or those of third parties. This is done for the following purposes, among others:
- General business management
- Testing, optimization and development of products and services
- Assertion of legal claims and defense in legal disputes
- Ensuring the IT security and IT operations for the Group
- Prevention and investigation of criminal offences
- Transfer of data within the B. Braun Group, insofar as it is necessary for the transaction of the respective business relationship
Our interest in the respective processing arises from the specific purposes and apart from that is of an economic nature (efficient performance of tasks, distribution, avoidance of legal risks). As far as the specific purpose permits, we process your data in pseudonymized or anonymized form.
3.3 On the basis of your consent (Article 6 (1) (a) GDPR)
If you have given us your consent to process personal data for specific purposes, the respective consent is the legal basis for the processing stated there.
This applies in particular to:
- Transmission of data within the B. Braun Group
- Transmission of data to third parties
You can revoke your consent at any time. This also applies to the revocation of declarations of consent that you have given us before the validity of the GDPR, i.e., before 25 May 2018. The revocation of consent is only valid for future processing.
3.4 Due to legal requirements (Article 6 (1) (c) GDPR)
We are subject to various legal obligations, e.g., by the Medical Devices Act, Medicines Act, Industrial Code, Commercial Act. The purposes of this processing include, among others:
- Enforcement of our general terms and conditions
- Administration of our business
- Processing for the fulfilment of legal storage or documentation obligations
4. Who gets my data?
Your data will be passed on within the B. Braun Group if this is necessary to fulfill our contractual and legal obligations or if the internal organization requires disclosure of said data (e.g., central financial accounting, purchasing, development, production and logistics). Within the B. Braun Group, appropriate legal requirements have been established to protect your personal data.
Your personal data will not be passed on to third parties (entities outside the B. Braun Group) unless you have given us your prior consent, or if a legal basis exists. A legal obligation applies in particular with the following recipients:
- Public authorities, regulating authorities and bodies, e.g., tax revenue authorities
- Jurisprudence/law enforcement agencies, e.g., police, public prosecutors, courts
- Lawyers and notaries, e.g., in insolvency proceedings
In addition, we employ various service providers (contractors according to Article 28 GDPR), which we contractually commit to the requirements of the GDPR and whose compliance we monitor. These include companies in the areas of IT services, printing services, telecommunications, contract manufacturing, consulting or sales and marketing. Order data processors may only use personal data in accordance with our instructions and for a specific purpose.
Exempted from this is the transfer to service partners, such as logistics service providers or forwarding agencies, insofar as the transmission of information is required for their order. They receive the data required for delivery for their own use. We limit ourselves to the transmission of the data necessary for delivery.
5. Is data transferred to a third country or to an international organization?
We only transfer your data to countries outside the European Economic Area (third countries) if
- it is necessary for the production of our products and for the execution of our orders,
- it is required by law, or
- you have given us your consent.
If we transfer your data to a third country or an international organization, this is always done in accordance with the provisions of the GDPR. In addition, in accordance with the principle of data minimization, we only transmit data that is limited to the minimum amount necessary.
In some cases, we use service providers whose headquarters, parent company or subcontractor is located in a third country. Your data will only be transferred if the European Commission has decided that an adequate level of protection exists in a third country (Article 45 GDPR), if suitable safeguards are provided (e.g., standard contractual clauses adopted by the European Commission) and enforceable rights and effective remedies are available to you as the party concerned. We have a contract with the service provider to ensure compliance with the European General Data Protection Regulation and its requirements.
6. How long will my data be stored?
If necessary, we process your personal data for the duration of the business relationship. This includes the initiation and processing of the relationship as well as storage due to legal retention periods.
If the data is no longer required for the fulfilment of contractual or legal obligations, it will be deleted, unless legal obligations of the person responsible prevent deletion. This can be the case for the following purposes, among others:
- Fulfilment of commercial and tax storage obligations in accordance with e.g., the German Commercial Code (HGB), Tax Code (AO), Money Laundering Act (AMLA). The periods for storage and documentation specified there range from two to ten years.
- Preservation of evidence within the framework of the statutory statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.
7. Is there an obligation for me to provide data?
As part of our business relationship, you must provide the personal data that is required to establish and execute the relevant business relationship and fulfill the associated contractual obligations, or that we are required by law to collect. Without this data we will generally not be able to enter into the business relationship with you and to fulfill the resulting obligations.
8. To what extent is there an automated decision-making process?
In principle, we do not use fully automated decision making according to Article 22 GDPR for the establishment and implementation of the business relationship. Should we use these procedures in individual cases, we will inform you separately insofar as this is required by law.
9. Is there any form of profiling?
We process your data in a partially automated process with the aim of evaluating certain personal data (profiling). For example, we use profiling in the following cases:
- Targeted provision of products of interest to you
10. What data protection rights do I have?
In accordance with Article 15 GDPR you can request information about your personal data processed by us. If your details are not (or are no longer) accurate, you can request a correction (Article 16 GDPR). If your details are incomplete, you may request a completion. If we have passed on your details to third parties, we will inform these third parties about your correction—insofar as this is required by law.
According to Article 17 GDPR you can request the deletion of your personal data if
- Your personal data is no longer required for the purposes for which it was collected
- You revoke your consent and there is no other legal basis for retaining it
- You object to the processing and there are no overriding reasons for processing that are worthy of protection
- Your personal data has been processed unlawfully
- Your personal data must be deleted to comply with legal requirements
Please note that the legal obligations of the person responsible may mean that your data cannot be finally deleted, or can be deleted only after a period of time has expired.
In addition, you have a right to restriction of processing in accordance with Article 18 GDPR, the right of objection under Article 21 GDPR and the right to data portability under Article 20 GDPR. The restrictions according to §§ 34 and 35 BDSG apply to the right to information and the right to erasure. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).
11. Information about your right to object according to Article 21 GDPR
Right of objection on a case-by-case basis
You have the right to object to the processing of personal data at any time for reasons arising from your particular situation on the basis of Article 6(1)(f) GDPR (data processing on the basis of a balance of interests), including profiling within the meaning of Article 4(4) GDPR based on this provision. If you object, we will no longer process your personal data, unless we can prove compelling reasons worthy of protection for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.