Data Privacy Statement for Handling of Adverse Events, Medical Inquiries, and Product Technical Complaints

This Data Privacy Statement ("Statement") explains how Bayer AG, Kaiser-Wilhelm-Allee 1, 51373 Leverkusen, Germany, and its group companies (together "Bayer") process Personal Data to handle adverse event information, medical inquiries, and product technical complaints. Personal Data is any information relating to an identified or identifiable natural person. Personal Data is protected by applicable data privacy laws, such as, but not limited to, the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”).


For data privacy information relating to other purposes, please visit bayer.com/dppa.


Additional country-specific data privacy information may be available on country-specific Bayer websites.


If you have any questions about this Statement or about how we use Personal Data, please contact us via our contact details at the end of this Statement.

1. Why do we need to process Personal Data?

Bayer develops and markets prescription medicines, medical devices, and over-the-counter products such as medicines, food supplements and cosmetics for human use (“Bayer Health Products”). During the development process and while Bayer Health Products are on the market, users of our products might experience adverse events, have questions related to our products, or suspect that our products have a technical defect. When we are contacted to deal with such situations, we might need to process Personal Data.


We process Personal Data to handle adverse events. 


Bayer is legally obliged to monitor the safety of all Bayer Health Products that are in development or are marketed in any country. Our so-called "Pharmacovigilance" activities aim at detecting, assessing, understanding, and preventing adverse effects with pharmaceutical products including prescription medicines, over-the-counter medicines, and medical devices (device incidents).  These activities are performed to protect public health and to ensure high standards of quality and safety of our products. We might obtain information about adverse events because they are reported to us, or because we identify them in case they are published, e.g., on social media channels.


As part of our Pharmacovigilance obligations, we may need to process safety-related information to

  • investigate the adverse event; 

  • enter the adverse event in our global safety database;

  • contact you for further information about the adverse event;

  • collate the information about the adverse event with information about other adverse events received by Bayer to analyze the safety of a production batch, Bayer Health Product or active ingredient as a whole; and

  • provide mandatory reports to national and/or regional competent regulatory authorities so that they can analyze the safety of a production batch, Bayer Health Product, generic or active ingredient. 

These activities might be supported by IT systems that utilize artificial intelligence. Where possible, identifying information will be redacted in these cases. Anonymized adverse event information may be used to further improve our systems and processes.


When publishing information about adverse events (such as case studies and summaries), we will remove any identifying information to keep your identity private.


We process Personal Data to answer medical inquiries. 


In case you contact us with a question relating to Bayer Health Products, we may process your Personal Data to

  • take care of your inquiry and provide a respective response;

  • enter the request into our medical information database. This might include capturing details exchanged with our agents via a web chat;

  • contact you for follow-up questions and clarification purposes;

  • analyze the inquiry; This might include creating a temporary, anonymized call transcript which a backend IT system uses to provide relevant information to the call agent during the call;

  • ensure the quality of our services. For this, we might also ask for your permission to record the call. 

In some countries, we might offer medical information services via web- or phone-based AI (artificial intelligence) bots. Interactions with AI bots will be marked as such. 


To answer your inquiry, we need to take into account whether you are a health care professional or not.


If you are a health care professional with an established contact to Bayer, we might use your inquiry and your feedback about our medical information services to better prepare future interactions with you. For this, we might combine your medical inquiry with information from other internal sources.


We process Personal Data to manage product technical complaints. 


Bayer has implemented strong controls to ensure quality of Bayer Health Products. Nevertheless, it may occur that a Bayer Health Product shows a certain defect or does not meet your quality expectations.


Your feedback or questions regarding quality of Bayer Health Products help us to improve our quality and control methods and manufacturing processes. To manage your feedback or requests, we may process personal data to

  • take care of your complaint and provide a respective response;

  • enter the data into the complaint management database;

  • contact you for follow-up questions and clarification purposes;

  • analyze the product complaint;

  • ensure the quality of our services.

2. Which personal data do we process?

Depending on the purpose, we need to process specific Personal Data. Processing includes activities such as collecting, handling, analyzing, transferring, storing and deleting.


To handle adverse events, we may process the following Personal Data:


Data relating to the reporter of adverse events may include:

  • Contact information such as name, address, phone/fax/mobile phone/email/ or other contact information;
  • Profession (this allows to determine the follow-up questions you are asked depending on your assumed level of medical knowledge);
  • Relationship with the subject of the report.

Data relating to the person suffering from an adverse event may include:

  • Information allowing to identify the case and prevent double reporting, such as name and/or initials (if provided);
  • Demographic data such as date of birth, age group, sex, weight, or height;
  • Medical information concerning the adverse event, such as:
    • Details of the Bayer Health Product suspected to cause the adverse event, including dosage, reasons for application, or changes to the usual regimen;
    • Details of concomitant medication, including dosage, application duration, reasons for application, or changes to the usual regimen;
    • Details of the adverse event, the treatment in that regard, potential long-term effects the adverse event has caused, or and other medical information considered relevant including documents like lab reports, medication histories and patient histories;
  • Information about health, racial or ethnic origin, religious beliefs, and sexual life.

To handle medical inquiries, we may process the following Personal Data:


Data relating to the person asking the medical inquiry may include:

  • Contact information such as name, address, phone/fax/mobile phone, or email;
  • Profession if it's relevant for our answer;
  • Demographic data such as date of birth, age group, sex, weight, or height;
  • Information as being provided as part of the inquiry, such as health, racial or ethnic origin and sexual life;
  • Audio recording of our calls (based on your consent);
  • Your opinion about our medical information services.

To handle product technical complaints, we may process the following Personal Data:


Data relating to the person submitting the product complaint may include:

  • Contact information such as name, address, phone/fax/mobile phone/email/ or other contact information);
  • Demographic data such as data of birth;
  • Information as being provided as part of the complaint;
  • Information about purchase/origin of product such as pharmacy, hospital, internet;
  • Information about caregivers who may have handled the product.

3. Why are we allowed to process your data?

Any processing of Personal Data requires a specific legal basis. In the following, we explain the typical legal bases that apply when we process Personal Data to handle adverse events, medical inquiries, or product technical complaints. References to law have illustrative character; depending on country-specific legislation, additional or alternative references may apply.


Processing to handle adverse events:


Handling adverse events is required by Pharmacovigilance legislation and is done for reasons of public interest in the area of public health such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices (Art. 6 (1) (c, e) and Art. 9 (2) (i) GDPR in conjunction with Pharmacovigilance legislation and local data privacy laws). Processing also may lie in the legitimate interest of Bayer to further improve Bayer Health Products (Art. 6 (1) (f) GDPR). 


Processing to handle medical inquiries:


Bayer processes your Personal Data to answer your medical inquiry based on Bayer's legitimate interest to answer your request and to comply with documentation and recording requirements (Art. 6 (1) (f) GDPR). Where possible and where legally required, we ask for your consent when being contacted (Art. 6 (1) (a) and 9 (2) (a) GDPR).  


Processing to handle product technical complaints:


Bayer processes your Personal Data to answer your product complaint. This is based on the implied consent that you provide by actively contacting us with the expectation to receive an answer (Art. 6 (1) (a) GDPR). It then is our legal obligation to process your personal data for answering your complaint, to manage the complaint sample request and to fulfill documentation and record keeping requirements including sharing the information provided with the responsible Legal Manufacturer (Art. 6 (1) (c) GDPR).

4. How long will we keep your data?

Bayer retains Personal Data for the period required to fulfill the purposes for which they have been collected and to meet legal retention periods or other legal processing requirements.


Adverse events. We use and store Personal Data in accordance with legal requirements governing storage and reporting of safety (pharmacovigilance) related information. We may be required to retain such information for the duration of the product lifecycle and for an additional period after the respective medicinal product or medical device has been taken from the market. 


Medical Inquiries. After having answered your inquiry, we retain information about the inquiry, including a transcript if applicable, for record keeping, regulatory compliance and other legal reasons, such as liability. In case you use services from an AI bot, these information include a full transcript of your interaction. After the retention period, your Personal Data will be deleted or anonymized if in line with local data privacy requirements. 


Our general retention period for Personal Data obtained as part of medical inquiries is 10 years. To meet specific local requirements, in some countries different retention schedules apply, see link.


In case you consent to a call recording for quality purposes, such recording will be retained for up to 1 year.


Feedback on our medical information services from healthcare professionals with an established contact with Bayer will be stored for 36 months.


Product Technical Complaints. After having answered your complaint, we retain information about it for record-keeping purposes and regulatory compliance as long as required according to local laws. 

5. To whom will we transfer your data?

To process Personal Data for safety, medical inquiry, or complaint management purposes, we may transfer Personal Data to following categories of recipients:

  • Companies of the Bayer Group in order to process the safety information, medical inquiry or technical complaint.
  • Service providers that support the processing of adverse events, medical inquiries or technical complaints on behalf of Bayer, such as call center operators, IT hosting providers, or agencies that support the assessment of single cases. Among those, services from the following service providers are frequently used:
    • Accenture Services GmbH and international affiliates: Assessment of adverse events, IT hosting.
    • Capgemini Deutschland GmbH and international affiliates: IT services.
    • Conduent Commercial Solutions, LLC. and international affiliates: Call centers for medical inquiries.
    • TATA Consultancy Services Deutschland GmbH and international affiliates: Assessment of adverse events, IT services.
    • TransPerfect Remote Interpreting, Inc.: Translation services.
  • Pharmaceutical companies who are Bayer’s co-marketing, co-distribution, or license partners, where pharmacovigilance obligations for a Bayer Health Product require the exchange of safety information. Bayer has agreed data privacy contracts with such Pharmaceutic companies.
  • Regulatory authorities where such a transfer is legally required, e.g., in respect of a (suspected) adverse event.
  • Third-party successors in business in the event of a sale, assignment or transfer of a specific Bayer Health Product or related project.
  • External lawyers if necessary to support legal decisions and to pursue or defend against legal claims.

Bayer has agreed data privacy contracts with all service providers processing Personal Data on Bayer’s behalf. Service providers are regularly monitored to ensure that they handle Personal Data according to the data privacy contracts and safeguards specified therein.


International transfer of Personal Data


Bayer may transfer Personal Data to countries other than those from where the Personal Data have been collected. Such other countries may have a different (lower) data protection regime than the country of origin. 


Personal Data collected in the European Economic Area (EEA) may be transferred to a country for which the European Commission has not decided that it ensures an adequate level of data protection (“unsafe third-countries”).


When transferring Personal Data, Bayer takes great care to do this in compliance with applicable law. This is done, e.g., by concluding specific data privacy contracts with the recipient, or based on a consent (examples not exhaustive).


For Personal Data collected in the EEA, Bayer generally applies so-called standard contractual clauses adopted by the European Commission as appropriate safeguards according to Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be provided on request. The transfer of Personal Data collected in the EEA to unsafe third-countries may also be based on other legal bases, e.g., in case this is required for important reasons of public interest (Art. 49 (1)(d) GDPR).

6. Which privacy rights do you have?

Applicable data privacy laws ensure that persons from whom we process Personal Data have certain privacy rights regarding their Personal Data. These rights may include the following:

  • Request information about Personal Data processed by Bayer;
  • Request the correction of Personal Data if these are incorrect or incomplete;
  • Request the deletion of Personal Data, e.g., if these are no longer necessary for the purposes for which they have been collected or processed, or if there is no legal basis for their further processing;
  • Request the restriction of the processing, e.g., if the accuracy of Personal Data is contested, or the processing is unlawful;
  • Request the transfer of Personal Data in a commonly utilizable format to the requestor or another controller, e.g., if the processing is based on a consent;
  • Object to the processing of Personal Data as far as such processing is based on Bayer’s legitimate interest;
  • Withdraw any consent to processing of Personal Data that the requestor may have given. Withdrawing a consent does not affect the lawfulness of processing before consent withdrawal;
  • File a complaint with a data protection authority.

Depending on the respective applicable law, additional rights may apply. Information may be available on respective country-specific Bayer websites.

7. Contact

For any questions you may have with respect to data privacy relating to Bayer’s handling of adverse event, medical inquiries or product technical complaints, please use the provided contact form or contact our company data protection officer at the following address:


Group Data Protection Officer
Bayer AG
51368 Leverkusen, Germany
E-mail: data.privacy@bayer.com


Bayer AG is designated as representative in the European Union for our non-European legal entities in accordance with Art. 27 GDPR. You may contact the representative at the following address:


Data Privacy Representative
Bayer AG
51368 Leverkusen, Germany
E-mail: dp-representative@bayer.com


Local data privacy contacts are available on respective country-specific Bayer websites.

8. Amendment of Privacy Statement

We may update our Privacy Statement for Handling of Adverse Events (Pharmacovigilance), Medical Inquiries and Product Complaints from time to time. Updates of our Privacy Statement will be published on our website. Any amendments become effective upon publication on our website. We therefore recommend that you regularly visit the site to keep yourself informed on possible updates.


Current version: DP-PVMIPTC-2409