Data Privacy Statement for Handling of Adverse Events (Pharmacovigilance), Medical Inquiries and Product Complaints

This Privacy Statement (“Statement”) provides important information about how Bayer AG, Kaiser-Wilhelm-Allee 1, 51373 Leverkusen, Germany, and its affiliates (together “Bayer”) process Personal Data (i.e., any information relating to an identified or identifiable natural person) to monitor drug safety (pharmacovigilance), handle medical inquiries and manage product complaints, in line with our obligations under applicable data privacy laws, such as, but not limited to, the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”).

For data privacy information relating to other purposes, please visit bayer.com/dppa.

Additional country-specific data privacy information may be available on country-specific Bayer websites.

If you have any questions about this Statement or about how we use Personal Data, please contact us via our contact details at the end of this Statement.

Bayer develops and markets prescription medicines, medical devices, and over-the-counter products such as medicines, food supplements and cosmetics for human use (“Bayer Health Products”). The safety of all Bayer Health Products worldwide that are in development or are marketed in any country has to be monitored.

We process Personal Data for safety reasons (Pharmacovigilance). Pharmacovigilance means activities that aim to the detect, assess, understand, and prevent adverse effects with pharmaceutical products including prescription medicines, over-the-counter medicines, and medical devices. Bayer is obliged to monitor and report on adverse effects related to Bayer Health Products to protect public health and ensure high standards of quality and safety.

Our Pharmacovigilance obligations require us to process safety-related information. Such information may allow to identify a person directly or indirectly and, in this case, are Personal Data which are protected by data privacy laws. 

As part of our Pharmacovigilance activities, we may process Personal Data to

• investigate the adverse event;
• contact you for further information about the adverse event you reported;
• collate the information about the adverse event with information about other adverse events received by Bayer to analyze the safety of a production batch, Bayer Health Product or active ingredient as a whole; and
• provide mandatory reports to national and/or regional competent regulatory authorities so that they can analyze the safety of a production batch, Bayer Health Product, generic or active ingredient. 

When publishing information about adverse events (such as case studies and summaries), we will remove any identifying information to keep your identity private.

We process Personal Data to answer medical inquiries. In case you contact us with a question relating to Bayer Health Products, we may process your Personal Data to

• take care of your inquiry;
• enter the request into our medical information database;
• contact you for follow-up questions and clarification purposes;
• analyze the inquiry;
• ensure the quality of our services;
• provide a respective response.

Depending on local regulations and governmental requirements, our answer may need to take into account whether you are a health care professional or not.

We process Personal Data to manage product complaints. Bayer has implemented strong controls to ensure quality of Bayer Health Product. Nevertheless, it may occur that a Bayer Health Product shows a certain defect or does not meet your quality expectations.

Your feedback or questions regarding quality of Bayer Health Products help us to improve our quality and control methods and manufacturing processes. To manage your feedback or requests, we may process personal data to

• take care of your complaint;
• enter the data into the complaint management database;
• contact you for follow-up questions and clarification purposes;
• analyze the product complaint;
• ensure the quality of our services;
• provide a respective response.

Keeping your Personal Data secure. We have implemented technical and organizational measures to safeguard all Personal Data that we process, including safeguards and procedures designed to restrict access to Personal Data to those employees who need it to perform their job responsibilities.

We maintain physical, electronic, and procedural measures to safeguard Personal Data from accidental loss, destruction or damage and unauthorized access, use and disclosure. Where reasonably possible, we process Personal Data in key coded/pseudonymized form.

Depending on the purpose, we need to process specific Personal Data. Processing includes activities such as collecting, handling, analyzing, transferring, storing and deleting.

For safety purposes (pharmacovigilance), we may process the following Personal Data:

Data relating to the reporter of adverse events may include:

• Contact information such as name, address, phone/fax/mobile phone/email/ or other contact information;
• Profession (this allows to determine the follow-up questions you are asked depending on your assumed level of medical knowledge);
• Relationship with the subject of the report.

Data relating to the person suffering from an adverse event may include:

• Information allowing to identify the case and prevent double reporting, such as name and/or initials (if provided);
• Demographic data such as date of birth, age group, sex, weight, or height;
• Medical information concerning the adverse event, such as:
  • Details of the Bayer Health Product suspected to cause the adverse event, including dosage, reasons for application, or changes to the usual regimen;
  • Details of concomitant medication, including dosage, application duration, reasons for application, or changes to the usual regimen;
  • Details of the adverse event, the treatment in that regard, potential long-term effects the adverse event has caused, or and other medical information considered relevant including documents like lab reports, medication histories and patient histories;
• Information about health, racial or ethnic origin, religious beliefs, and sexual life.

To handle medical inquiries, we may process the following Personal Data:

Data relating to the person submitting the medical inquiry may include:

• Contact information such as name, address, phone/fax/mobile phone/email/ or other contact information;
• Profession such as health care professional;
• Demographic data such as data of birth, age group, sex, weight, or height;
• Information as being provided as part of the inquiry or complaint;
• Information about health, racial or ethnic origin and sexual life.

To handle product complaints, we may process the following Personal Data:

Data relating to the person submitting the product complaint may include:

• Contact information such as name, address, phone/fax/mobile phone/email/ or other contact information);
• Demographic data such as data of birth;
• Information as being provided as part of the inquiry or complaint;
• Information about purchase/origin of product such as pharmacy, hospital, internet;
• Information about caregivers who may have handled the product.

Any processing of Personal Data requires a specific legal basis. In the following, we explain the typical legal bases that we rely our processing of Personal Data on. References to law have illustrating character; depending on country-specific legislation, additional and/or alternative references may apply.

Processing for safety (pharmacovigilance) purposes. Bayer processes information about adverse events relating to Bayer Health Products as required by applicable Pharmacovigilance legislation. Where such information includes Personal Data, this processing is done for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices (Art. 6 (1) (c, e) and Art. 9 (2) (i) GDPR in conjunction with Pharmacovigilance legislation and local data privacy laws). Processing also may lie in the legitimate interest of Bayer to further improve Bayer Health Products (Art. 6 (1) (f) GDPR). 

Where adverse event related Personal Data need to be transferred from the European Economic Area (EEA) to countries with a lower data protection level than in the EEA, e.g., for reporting to health authorities of such countries, such transfers may be based on Art. 49 (1) (d) GDPR. 

Processing for medical inquiry purposes. Bayer processes your Personal Data to answer your medical inquiry. Where possible and legally required, we ask for your consent when being contacted (Art. 6 (1) (a) and 9 (2) (a) GDPR). In addition, it is our legitimate interest to process your Personal Data to answer your request and to comply with documentation and recording requirements (Art. 6 (1) (f) GDPR). 

Medical Inquiries that include information about adverse events are handled according to requirements for pharmacovigilance.

Processing for product complaint purposes. Bayer processes your Personal Data to answer your product complaint. This is based on the implied consent that you provide by actively contacting us with the expectation to receive an answer (Art. 6 (1) (a) GDPR). It then is our legal obligation to process your personal data for answering your complaint, to manage the complaint sample request and to fulfill documentation and record keeping requirements including sharing the information provided with the responsible Legal Manufacturer (Art. 6 (1) (c) GDPR).

Product complaints that include information about adverse events are handled according to requirements for pharmacovigilance.

Bayer retains Personal Data for the period required to fulfill the purposes for which they have been collected and to meet legal retention periods or other legal processing requirements.

Safety (pharmacovigilance). We use and store Personal Data in accordance with legal requirements governing storage and reporting of Pharmacovigilance related information. We therefore may be required to retain such information for the duration of the product lifecycle and for an additional period, which depends on local regulations, after the respective medicinal product or medical device has been taken from the market. 

Medical Inquiries. After having answered your inquiry, we retain information about the inquiry as long as required for local record keeping purposes and regulatory compliance. It then will be anonymized if in line with local data privacy requirements. 

Medical Inquiries that include information about adverse events are handled according to requirements for pharmacovigilance.

Product Complaints. After having answered your complaint, we retain information about it for record keeping purposes and regulatory compliance as long as required according to local laws. 

Product complaints that include information about adverse events are handled according to requirements for pharmacovigilance.

As part of our processing of Personal Data for safety, medical inquiry, or complaint management purposes, we may transfer Personal Data to following categories of recipients:

• Affiliates of the Bayer Group in order to process the safety information, medical inquiry or complaint.
• Service providers that support the processing of adverse events, medical inquiries or complaints on behalf of Bayer, such as call center operators, IT hosting providers, or agencies that support the assessment of single cases. Among those, services from the following service providers are frequently used:
  • Accenture Services GmbH and international affiliates: Assessment of adverse events, IT hosting.
  • Capgemini Deutschland GmbH and international affiliates: IT services.
  • Conduent Commercial Solutions, LLC. and international affiliates: Call centers for medical inquiries.
  • TATA Consultancy Services Deutschland GmbH and international affiliates: Assessment of adverse events.
  • TransPerfect Remote Interpreting, Inc.: Translation services.
• Pharmaceutical companies who are Bayer’s co-marketing, co-distribution, or license partners, where pharmacovigilance obligations for a Bayer Health Product require the exchange of safety information. Bayer has agreed data privacy contracts with such Pharmaceutic companies.
• Regulatory authorities where such a transfer is legally required, e.g., in respect of a (suspected) adverse event.
• Third-party successor in business in the event of a sale, assignment or transfer of a specific Bayer Health Product or related project.
• External lawyer if necessary to support legal decisions and to pursue or defend against legal claims.

Bayer has agreed data privacy contracts with all service providers processing Personal Data on Bayer’s behalf. Service providers are regularly monitored to ensure that they handle Personal Data according to the data privacy contracts and safeguards specified therein.

International transfer of Personal Data. As part of processing Personal Data for safety, medical inquiry or product complaint purposes, Bayer may transfer Personal Data to countries other than those from where the Personal Data have been collected. Such other countries may have a different (lower) data protection regime than the country of origin. 

Personal Data collected in the European Economic Area (EEA) may be transferred to a country for which the European Commission has not decided that it ensures an adequate level of data protection (“unsafe third-countries”).

When transferring data internationally, Bayer takes great care to do this only in compliance with applicable law. This is done, e.g., by concluding specific data privacy contracts with the recipient, or based on a consent (examples not exhaustive).

For Personal Data collected in the EEA, Bayer generally applies so-called standard contractual clauses adopted by the European Commission as appropriate safeguards according to Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be provided on request. The transfer of Personal Data collected in the EU to unsafe third countries may also be based on different legal bases, e.g., in case this is required for important reasons of public interest (Art. 49 (1) GDPR).

Applicable data privacy laws ensure that persons from whom we process Personal Data have certain privacy rights regarding their Personal Data. Generally, these rights may include the following:

• Request information about Personal Data processed by Bayer;
• Request the correction of Personal Data if these are incorrect or incomplete;
• Request the deletion of Personal Data, e.g., if these are no longer necessary for the purposes for which they have been collected or processed, or if there is no legal basis for their further processing;
• Request the restriction of the processing, e.g., if the accuracy of Personal Data is contested, or the processing is unlawful;
• Request the transfer of Personal Data in a commonly utilizable format to the requestor or another controller, e.g., if the processing is based on a consent;
• Object to the processing of Personal Data as far as such processing is based on Bayer’s legitimate interest;
• Withdraw any consent to processing of Personal Data that the requestor may have given. Withdrawing a consent does not affect the lawfulness of processing before consent withdrawal;
• File a complaint with a data protection authority.

Depending on the respective applicable law, additional rights may apply. Information may be available on respective country-specific Bayer websites.

For any questions you may have with respect to data privacy relating to Bayer’s handling of adverse event, medical inquiries or product complaints, please use the provided contact form or contact our company data protection officer at the following address:

Group Data Protection Officer
Bayer AG
51368 Leverkusen, Germany

Bayer AG is designated as representative in the European Union for our non-European legal entities in accordance with Art. 27 GDPR. You may contact the representative at the following address:

Data Privacy Representative
Bayer AG
51368 Leverkusen, Germany
E-mail: dp-representative@bayer.com

Local data privacy contacts are available on respective country-specific Bayer websites.

We may update our Privacy Statement for Handling of Adverse Events (Pharmacovigilance), Medical Inquiries and Product Complaints from time to time. Updates of our Privacy Statement will be published on our website. Any amendments become effective upon publication on our website. We therefore recommend that you regularly visit the site to keep yourself informed on possible updates.