Data Privacy & Privacy Statement

We welcome your interest in Fresenius Kabi SwissBiosim GmbH (“Fresenius Kabi”) and more specifically the Expression Days campaign and the Figure Art Project by Fresenius Kabi.

Protecting privacy for our patients, healthcare professionals, suppliers, customers and business partners is important to us. As a global healthcare company in the digital age, data forms a cornerstone and enabler of our worldwide business. With data being one of our key assets, we need to ensure that it is appropriately handled and protected.

We would like to provide you with the relevant information on how our organisation incorporates data privacy into its operations. With this, we aim to ensure compliance and provide transparency and trust. You will also find information on how to execute your rights as a patient, healthcare professional, supplier or customer or website user.

1. Our approach to data protection >
2. How we use your data >
3. Obtain insight in your data >
4. Privacy Statement >

1. Our approach to data protection

Our data privacy organisation

Fresenius Kabi operates a central data privacy centre of competence. This centre has set up a data privacy management framework in alignment with ISO 29100 (Privacy framework for the protection of personally identifiable information). The competence centre aims to implement a harmonised and consistent way of processing personal data across all Fresenius Kabi entities. It sets the policies, procedures and standards for data privacy and provides tools and processes for the employees as well as training and awareness material. Furthermore, this centre provides expertise on all data privacy topics.

Our data protection and security policies, and associated procedures and guidelines for processing personal data create a uniform and basic level of adequate data protection across all Fresenius Kabi entities.

Our local data privacy advisors at the various Fresenius Kabi legal entities support local management in their compliance efforts. They do this by executing risk and compliance assessments for the different data processing activities. With these assessments, we aim to integrate privacy requirements into the design of a process or a system.

Our internal IT service provider, Fresenius Netcare, has implemented a certified management system for information security according to ISO 27001 in order to provide high security standards for data centres. Our Global Cybersecurity Defense Team (CERT) identifies, evaluates and responds to security incidents and acts as a central contact point for security-related topics.

The monitoring of our compliance efforts is overseen by our Data Protection Officer.

Our Data Privacy Policy

Our data privacy policy sets out the requirements for our employees when collecting and processing personal data. It includes that all processing activities that are introduced are subject to a risk and compliance assessment process.

In these assessments, we ensure that all relevant data protection principles have been taken into consideration within the design. In certain cases, a data protection impact assessment might be necessary before starting the respective processing activity.

We register the data processing activities within Fresenius Kabi in the “Records of Processing Activities”. This register contains essential information to comply with the data protection laws.

2. How we use your data

If you interact with us, we collect and use your personal data while adhering to the data protection principles. This means that we collect and use your personal data only lawfully, fairly, in a transparent manner and only for the purposes they were collected.

Privacy statement for Expression Days and Figure Art Project Participants

As our Expression Days and Figure Art Project participants, we process your personal data to carry out the Expression Days campaign and in order to prepare, fulfill or perform the participation agreement with you for the provision of the expected deliverable mentioned in the agreement on Participation in the Expression Days campaign.

In section 4 “Privacy Statement for Expression Days and Figure Art Project Participants Data” you will find further details on the processing of your personal data.

Privacy statement for Website Users

If you are using our website, we also collect data about you. How and why we do that is stated in our Privacy Statement and Cookie Statement.

3. Obtain insight in your data

By using our data privacy contact form, you can request information regarding the processing of your personal data including, but not limited to, the origin and recipients of your data and the purposes of the processing. You can also request to have access to your data or to object to the processing of your data. If your personal data are incorrect, incomplete or not processed in compliance with applicable law, you have the right to have this data rectified, deleted or blocked. Furthermore, you can in certain cases, also ask to directly transfer them to another organisation (portability).

If you submit a request, our data protection organisation may contact you for additional information to confirm your identity and to ensure rapid clarification of your question. We provide information free of charge unless requests are manifestly unfounded or excessive. In that case we may charge a fee.

We aspire to answer your request within one month. We reserve the right to extend the period within the scope of the admissibility by law and will inform you if this is the case. Please do not enquire about your processing status.

You also have the right to file a complaint about the way we manage your personal data with our Data Protection Officer.

Find out more about how we handle your request in a dedicated Privacy Statement.

The security of your data is important to us and we have made significant effort to ensure that your personal information is respected and protected.

4. Privacy Statement for Expression Days and Figure Art Project Participants Data

As a valued participant in the Expression Days campaign, Fresenius Kabi SwissBioSim GmbH (“we”) will collect and use certain personal data from you. Protecting your privacy is important to us and we would like to inform you on how we collect personal data, what type of information we collect and explain to you how that information is used. Processing of personal data by us is governed by the General Data Protection Regulation of the European Union and other applicable data protection laws (“GDPR”).

How we collect your data

We collect your personal data when you supply this to us through inputting your details and uploading of your artwork through the submission form on the Expression Days website. Data is only collected upon your consent provided by a ticking the relevant checkbox in the participation agreement when you submit your artwork through the submission form on the Expression Days website.

Such personal data - including health data - via the submission form includes your full name, your email address, your full address, your condition, where you live, age when you were first diagnosed, age at submission, what you love to do in your spare time, how you feel about your condition, which symptoms affect you the most, what it is like to live with the symptoms every day, which part of your body is most affected by your symptoms and how this affects you, the colour you would like emphasised on a figure, your preferred art technique.

Why we collect and use the data

We collect and use these data for the purposes mentioned in the agreement on the project participation.

• To allow us to contact you with regards to your artwork submission and/or questionnaire
• To create a short story from the material you provided, which will enable recipients to learn more about you as the source portrayed within the art on the figure and to understand what it is like living with a disease such as yours;
• To display and make publicly accessible the short story together with the created figure to visitors of the various events/exhibitions until the end of 2025 across the European Union where Fresenius Kabi’s Expression Daystakes place
• To use the short story together, with the created figure in media coverage activities of Fresenius Kabi’s Figure Art Project in this year and until the end of 2024 in Fresenius Kabi’s intranet and on Fresenius Kabi’s websites www.fresenius-kabi.com/ and https://biosimilars.fresenius-kabi.com/ (both including its country subsites)
• To contact you via email with regular updates on the campaign, if provided consent via the subscription box on the homepage of the website
  Legal basis for processing

We process your personal data on one of the following legal bases:

• The processing of your personal data is necessary in order to carry out the contract concluded between you and us (Art. 6.1 b GDPR).
• The processing of your personal data is necessary for us in order to comply with a legal obligation we are subject to e.g. laws on anti-money laundering, customs and export, secure supply chain requirements, product tracing requirements, statutory disclosure and notification requirements or similar compliance requirements that might require us to process certain of your personal data (Art. 6.1 c GDPR).
• Processing is necessary for purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Art. 6.1 f GDPR). These legitimate interests are:
• Fulfilling our contract with the company you are working for, including the enforcement of any rights we may have under such contract;
• Gather information on knowledge management related to internal processes, products and services;
• Development, optimisation and improvement of our products and services;
• Optimisation of internal communication;
• Optimisation of administration;
• Carrying out research work;
• Organisational management;
• Risk Management: safeguarding against e.g. financial / reputational risks;
• Maintenance of the IT infrastructure, IT security, guarantee of IT support and the detection and correction of errors; and
• Complying with legal requirements outside the EEA.

Where we have requested your consent for processing of your personal data, your consent (Art. 6.1 a and Art. 9.2 a GDPR).

You can always withdraw your consent. You can withdraw your consent to all processing or for individual purposes of your choice. The withdrawal of consent will not affect the lawfulness of processing based on your consent before the withdrawal. You can withdraw your consent by sending an email to our Data Protection Officer.

We share your data

We share your data with other entities within the Fresenius Group for performing the campaign across the European Union where Fresenius Kabi’s Expression Days takes place. These entities can be around the world in countries where the Fresenius Kabi group is active (Please refer to the overview of the locations at: https://www.fresenius-kabi.com/entities). The data will be shared only on a need-to-know basis.

We make use of other organisations, such as commissioned service providers that support us with the performance of the campaign, such as to make the Expression Days website available to you. In some cases, these organisations have access to parts or all your data to perform the tasks they are contracted to do so. The organisations that support us are:

- prior to November 25, 2020: emotive (Agency) Ltd., 57 Rathbone Place, Holden House, London, W1T 1JU, United Kingdom, and since November 25, 2020: Medicom Group Limited, aka Havas Life Medicom, Havas House Hermitage Court, Hermitage Lane, Maidstone, Kent, England, ME16 9NT (“Havas”). Havas makes use of Vivid Atom Limited located at The Old School House, Bridge Road, Hunton Bridge, Kings Langley, WD4 8SZ. This organisation provides the hosting of the website.

As Havas and Vivid Atom have their place of business in the United Kingdom, i.e. outside the European Union (EU) / European Economic Area (EEA) / a country listed by the EU Commission as having an adequate level of protection, the appropriate safeguards are made by means of the Standard Contractual Clauses that have been issued by the European Commission, set up between Fresenius Kabi (data controller) and Havas (data processor outside the EU).

We do not share the information with other organisations, unless legally required to do so.

International data transfers

We may transfer your personal data in parts or as a whole to Fresenius group recipients and other organisations, such as commissions services providers in countries, which are not member states of the European Union or international organisations, for the purposes listed above.

The European Commission has determined an adequate level of data protection to be in place that matches the level of data protection within the European Union for the following countries / international organisations in which Fresenius entities and other organisations are established: Argentina, Canada, New Zealand, Switzerland or Uruguay. With regards to such international data transfers to third countries, for which the European Commission has not decided that an adequate level of data protection exists, we have provided appropriate safeguards in order to secure your personal data to a degree that equals the level of data protection in the European Union.

These safeguards are:

• Standard Contractual Clauses that have been issued by the European Commission.

You can obtain a copy of these Standard Contractual Clauses from our Data Protection Officer online, using the contact details as provided below.

How long do we retain the data?

Generally, we store your personal data for as long as its storage is required for the achievement of the purposes for which it was collected, i.e. the performance of the Expression Day campaign, which includes the exhibition of your submissions until the end of 2025 on the Expression Days website, as well as for the duration of the statutory retention periods, if the law dictates longer retention periods. Afterwards, your personal data will be deleted.

Requests, inquiries and complaints

Depending on the situation, you have the following rights with respect to your personal data:

Right of access

You have the right to request at any time information on which personal data about you we process.

Right to rectification of incorrect data

If your personal data are inaccurate, you have the right to get them corrected without undue delay.

Right to erasure

In certain situations, you have the right to request the erasure of your personal data. In particular, you may ask us to erase personal data, if:

• It is no longer needed for the purposes for which it was collected or otherwise processed,
• The personal data has been unlawfully processed,
• You object to the processing and there are no overriding legitimate grounds for the processing,
• The personal data has to be erased due to compliance with a legal obligation in Union or Member State law to which we are subject or
• You withdraw your consent on which the processing is based and there is no other legal ground for the processing.

Right to restriction of processing

You have the right to obtain from us restriction of processing, where one of the following applies:

• The accuracy of the personal data is contested by you, processing will be restricted for a period enabling us to verify the accuracy of the personal data,
• The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead,
• We no longer need the personal data for the purposes of the processing, but are required by you to keep them for the establishment, exercise or defense of legal claims or
• You have objected to processing and the verification whether our legitimate interests override yours is pending.

Right to data portability

According to Art. 20 GDPR you have the right to receive a copy the personal data about you, which you have provided to us, in a structured, commonly used and machine-readable format.

Right to object

In line with Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on our legitimate interest (Art. 6.1 f GDPR). We will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the purpose of establishing, exercising or defending legal claims.

In all of the above cases, please contact our Data Protection Officer, using the contact details as provided below.

Right to lodge a complaint

You also have the right to lodge a complaint with a supervisory authority. The responsible supervisory authority for Fresenius Kabi is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit

Presse- und Öffentlichkeitsarbeit

Gustav-Stresemann-Ring 1

65189 Wiesbaden

Requirements to provide personal data

You may need to provide your personal data to us for the purpose of participating in the Expressions Day campaign If you fail to provide your personal data, you may not be able to participate in the campaign.

Automated decision making

An automated decision making (Art. 22.1, 2 GDPR) occurs according to our obligation to conduct a sanction-control-procedure. This may also be necessary for participating in the Expressions Day campaign. The consequence of this can be the refusal of participation in the campaign.

Further information for specific situations and contact

We might process your personal data also in different contexts, e.g. when you visit our website. Please see the specific information on the processing of your personal data in these situations.

If you have any questions on data protection at Fresenius Kabi, please contact us at dataprotectionofficer@fresenius-kabi.com.

Controller and contact

Controller:

The controller and responsible entity for processing of personal data is:

‘Fresenius Kabi AG and its affiliates (“Fresenius Kabi”)’.
A list of Fresenius Kabi subsidiaries can be found on: https://www.fresenius-kabi.com/entities

Terre Bonne Business Park

Route de Crassier 23 - Bâtiment A3

CH - 1262 Eysins
www.fresenius-kabi.com
Phone : +41223076100
Email: biosimilars@fresenius-kabi.com

The representative of Fresenius Kabi SwissBioSim GmbH in the EU is:
Fresenius Kabi AG
Data Protection Officer
Else-Kröner-Straße 1
61352 Bad Homburg
Germany
Phone: +49 6172 686 0

E-mail: communication@fresenius-kabi.com

Data protection officer:

We have designated a group-wide Data Protection Officer. You can contact our data protection officer for all requests and questions concerning your personal data via:

Fresenius Kabi AG

Data Protection Officer

Else-Kröner-Straße 1

61352 Bad Homburg

Germany

Email: dataprotectionofficer@fresenius-kabi.com

Changes to this Data Protection Information

As our collection and processing of your data may change over time, we might also modify this Data Protection Information to always correctly reflect our data processing practices. We encourage you to review it from time to time.