UK Data Protection Regulation

Product Quick Finder

Choose a category or subcategory

Right to be informed under Article 13 and 14 GDPR

This information on data protection explains how and for what purposes B. Braun Medical Limited and/or its affiliates (hereinafter "B. Braun" or "we"), in their capacity as the respective controller, process your personal data. Personal data is collected and processed in compliance with the UK General Data Protection Regulation (hereinafter "GDPR") and other applicable laws on data protection, such as Data Protection Act 2018.

This information on data protection is divided into two parts. In the first part you will find general information about the handling of your personal data, in the second part you will find detailed information. Please dick on the respective tab to find out more.

General information on data protection

Contoller

The "controller“ is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data Processing on behalf of the controller

"Data processing on behalf of the controller" is a special case in data protection law and means the collection, processing or use of personal data by a processor in accordance with the instructions of the controller on the basis of a contract.

Any processing of personal data requires a legal basis. The legal basis may be the consent of a data subject, the performance of a contract, a legal obligation of the controller, the protection of vital interests of the data subject, the performance of public or sovereign tasks or the legitimate interests of the controller or a third party. In addition, there are other legal bases for the processing of e.g. special categories of personal data.

Legal basis

Any processing of personal data requires a legal basis. The legal basis may be the consent of a data subject, the performance of a contract, a legal obligation of the controller, the protection of vital interests of the data subject, the performance of public or sovereign tasks or the legitimate interests of the controller or a third party. In addition, there are other legal bases for the processing of e.g. special categories of personal data.

Personal data

Personal data relates to an identified (specific) or identifiable (determinable) natural person. A person is "identified" if the data is directly linked to the data subject or if such a link can be established directly. Individual data with personal reference are, for example

  • name and identification features (e.g. date of birth, name affixes, ID number),
  • contact data (e.g. postal address, e-mail address, telephone number),
  • physical characteristics (e.g. height, weight, hair color, genetic fingerprint) or
  • other data (e.g. location data, usage data, actions, statements, value judgments, professional career, bank details, etc.).

Processing

"Processing" shall mean the collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, regardless of whether the processing is carried out by automated means or not.

Pseudonymisation

In the case of "Pseudonymisation", the name or other identification characteristics are replaced by a pseudonym (e.g. a number) in order to exclude the identification of the data subject or to make it significantly more difficult to establish. Through “Pseudonymisation”, personal data of a data subject can now only be identified with the addition of further information.

Recipient

"Recipient" means a natural or legal person, public authority, agency or other body to whom personal data is disclosed.

Special categories of personal data

This is a subcategory of personal data. "Special categories of personal data" include particularly sensitive data, such as health data, biometric and genetic data, as well as religious confession, etc.

Third Country

Countries outside the United Kingdom are referred to as "third countries" in the UK GDPR.

The controller is:
B. Braun Medical Limited
Brookdale Road
Sheffield S35 2PW

Phone: 0114 225 9000

The responsibility under data protection law depends on which of our companies you are in contact with or work with. More specific information can be found in the additional information on data protection.

If it is not clear to you who you should contact, you can contact B. Braun Medical Limited at any time using the contact details provided.

If you have any questions regarding data protection, you can contact the respective data protection officer or our data protection team:

Data Protection Department
Brookdale Road
Sheffield S35 2PW

E-mail: dataprotection.uk@bbraun.com

Your personal data may be processed for the following purposes, among others:

  • communicating with our contacts, prospective customers, customers or sales partners (hereinafter "business partners") about products, services and projects
  • answering inquiries from our business partners
  • planning, implementing, and managing the (contractual) business relationship between our business partners and us, e.g. in order to process orders, for accounting purposes or to carry out and process deliveries
  • conducting customer surveys, marketing campaigns, market analyses, sweepstakes, contests or similar promotions and events
  • planning, implementation, and organization of events, e.g. product training, professional development or job shadowing
  • advertising by e-mail and/or telephone as well as developing and providing advertising (newsletters) tailored to your interests
  • sending samples, products and information
  • maintaining the protection and security of our premises, e.g. issuing visitor passes, access control
  • compliance with legal requirements, e.g. tax and commercial law retention obligations, in order to prevent white-collar crime or money laundering
  • testing, optimising and further developing products and services
  • maintaining and protecting the security of our products and services as well as our websites, preventing and detecting security risks and crimes, fraudulent actions or other criminal or damaging actions
  • ensuring the group's IT security and operations
  • settling legal disputes, enforcing existing contracts and asserting, exercising and defending legal claims

Which personal data is processed in detail depends on the respective purpose. The scope of the data processed depends on which personal data are required to achieve the specific purpose. To the extent permitted by the specific purpose, we process your data pseudonymously or anonymously.

In doing so, we base the processing of your personal data on one of the following legal bases:

For the performance of a contract (Art. 6 (1) b GDPR)

If you are in a contractual relationship with us, the processing is carried out to fulfil the contract. The same applies to the implementation of pre-contractual measures based on your request.

For compliance with a legal obligation (Art. 6 (1) c GDPR)

We are subject to a large number of legal requirements, such as the Human Medicines Act 2012 and the UK Medical Devices Regulations 2002. In order to comply with these requirements, it may be necessary to process personal data

Based on your consent (Art. 6 (1) a GDPR)

Insofar as you have given us your consent to process your personal data for certain purposes, the respective consent is the legal basis for the processing specified in the respective consent form.

You can withdraw your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

Based on our legitimate interest (Art. 6 (1) f GDPR)

Insofar as the processing of your personal data is not necessary for the fulfilment of a contract with you or to comply with legal requirements and consent also does not constitute an appropriate legal basis for the processing, the processing is carried out on the basis of our or a third party's predominant legitimate interest. In order to be able to use this legal basis, we check in advance whether the following requirements are met:

  • we or a third party has a legitimate interest in the processing,
  • the processing is necessary to achieve the legitimate interest, and
  • your interests or fundamental rights and freedoms requiring the protection of personal data do not override our legitimate interest.

Your personal data will be disclosed within the B. Braun group to the extent necessary to fulfill the respective purpose or if the internal organisation requires the disclosure (e.g. central financial accounting, sales and marketing, logistics).

Your personal data will only be passed on to third parties, i.e. bodies outside B. Braun, if the transfer can be based on one of the legal bases mentioned above. Companies are, for example, required by law to disclose data to certain recipients, including in particular

  • public authorities, e.g. tax authorities
  • judicial/law enforcement authorities, e.g. police, public prosecutors, courts
  • lawyers and notaries, e.g. in insolvency proceedings
  • auditors

In addition, we use various service providers ("processors" in accordance with Art. 28 GDPR), which we contractually obligate in accordance with the requirements of the GDPR. These include companies from sectors such as IT services, printing services, telecommunications or sales and marketing. Processors may only use personal data according to our instructions and for a specific purpose. Compliance with this is controlled and monitored by us.

As an internationally active group, we may also process your personal data in countries outside of the United Kingdom ("third countries"). If a transfer to these countries is necessary, the transfer will only take place if:

  • there is an adequacy decision pursuant to Art. 45 GDPR or appropriate safeguards pursuant to Art. 46 GDPR are in place (e.g. standard contractual clauses issued by the European Commission)
  • it serves the performance of a contract
  • explicit consent has been given by you
  • it is for the assertion, exercise or defence of legal claims
  • there is any other exemption pursuant to Art. 49 GDPR

In particular, in accordance with the principle of data minimisation, we only transfer the personal data that are necessary for the fulfilment of the respective processing purpose.

Your personal data will be deleted or blocked as soon as the purpose for storing it no longer applies. In addition, storage may take place if this is necessary to comply with regulatory or legal requirements. Legal storage obligations may result, for example, from the Companies Act 2006, Proceeds of Crime Act 2002.  The periods specified there for storage or documentation are generally two to ten years.

Within the scope of our (contractual) business relationship and/or cooperation, you must provide the personal data that is required to achieve the respective purpose or that we are legally obliged to collect. Without this personal data, we will generally not be able to achieve the intended purpose and enter the business relationship and/or cooperation with you.

We do not use any procedures for automated decision-making in accordance with Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you of this separately, insofar as this is required by law.

According to the GDPR, you can assert the following data subject rights with us:

  • You can request information about your personal data processed by us in accordance with Art. 15 GDPR.
  • If inaccurate personal data is processed, you have a right to rectification (Art. 16 GDPR).
  • If the legal requirements are met, you may request erasure (“right to be forgotten”) or restriction of processing as well as object to processing (Art. 17, 18 and 21 GDPR).
  • If you have given consent to the data processing or if there is a contract for data processing and the data processing is carried out with the help of automated procedures, you may have the right to data portability (Art. 20 GDPR).
  • In addition, you have the right to lodge a complaint with your respective data protection supervisory authority (Art. 77 GDPR).

Please note that legal obligations of the controller or national exceptions may mean that your data cannot be permanently deleted or can only be deleted after a certain period of time has elapsed.

To assert one or more of your data subject rights, please contact us using the contact details provided under "controller and contact person".

Right to object according to Art. 21 GDPR

Individual right to object
You have the right to object at any time, on the basis of your particular situation, to the processing of your personal data carried out on the basis of Art. 6 (1) f GDPR; this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate reasons for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Right to object to processing of personal data for direct marketing purposes
We may also use your personal data for direct marketing purposes within the framework of the legal provisions. You have the right to object at any time to the processing of your personal data for direct marketing purposes; this also applies to profiling insofar as it is associated with such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be made informally. You will find our contact details under "contoller and contact person".

Detailed information on data protection

We use your contact details to send you information about products, services or events that may be of interest to you.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out by us on the basis of:

  • your consent pursuant to Art. 6 (1) a GDPR or
  • our legitimate interest pursuant to Art. 6 (1) f GDPR. There is a legitimate economic interest in informing our contacts about our own offers and events in order to establish and maintain a long-term customer relationship

At the same time, we observe the local requirements and regulations on advertising.

Processed data

In this context, we process the following personal data:

  • by e-mail: Name, title, function, institution, department, address and e-mail address
  • by mail: Name, title, function, institution, department, address
  • personal interest in products/services and/or events

Storage period and location

As soon as you have revoked your consent or objected to the processing, your personal data will no longer be used for the purpose of advertising. If a business relationship continues to exist, your data will continue to be processed for these purposes, otherwise they will be deleted.
Your data will be processed by order processors (see recipients).

Recipients

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other parties:

  • to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The risks resulting from the transfer of personal data to third countries can be found in the general part of this information on data protection under “transfer to third countries”.
 

If we have received your contact details as part of a business event, a business appointment or as part of an order, we use your contact details to maintain our business contacts. For this purpose, we transfer your contact data to our CRM system.

Purpose and legal basis

Your data is processed on the basis of our legitimate interest pursuant to Article 6 (1) f GDPR. There is a legitimate economic interest in maintaining contacts that have arisen in the course of business transactions beyond the initial contact and to use them to build up a business relationship and to remain in contact with you for this purpose.

Processed data

In this context, we process the following personal data:

  • name, title, function
  • institution
  • business contact details
  • business address
  • business e-mail address, telephone number

If requested by you and made available to us:

  • private contact details, private address, private e-mail address, telephone number

Storage period and location

We store your data for the duration of the business relationship. If you object to the processing, we will continue to store your personal data for as long as we are legally required to do so. In addition, data of business contacts with whom we had no business contact within a defined period of time will be deleted.

Recipients

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other parties:

  • to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The risks resulting from the transfer of personal data to third countries can be found in the general part of this information on data protection under “transfer to third countries”.

For the organisation, implementation and follow-up it is necessary to process personal data. Depending on the event and the scope of services, different personal data will be collected from you. Please read below how we process your personal data when you participate as a participant or speaker in our events and similar activities (hereinafter referred to as "events").

Participants

Purpose and legal basis

The purpose of the processing is to enable you to participate in the events and take advantage of the services or promotions associated with your participation. The legal basis differs depending on the event

  • Legitimate interest pursuant to Art. 6 (1) f GDPR (e.g. to ensure secure and efficient communication).
  • Consent according to Art. 6 (1) a GDPR (e.g. your registration)
  • Contract according to Art. 6 (1) b GDPR (e.g. hospitation contracts)

Processed data

When you register and participate in one of our events, we process the following data about you:

  • master data (e.g. name, title, department, function, address, institution).
  • contact data (e.g. e-mail, telephone numbers)
  • contract data (e.g. subject of contract, duration, customer category)
  • arrival and departure data
  • optional: dietary requirements for participants with allergies

in individual cases additionally:

  • specific passport data for the creation of invitation letters for VISA service
  • date and place of birth

For paid events we also process:

  • payment data (e.g. bank details, invoices, payment history, private address if given)

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of disclosure (e.g. for theme-based events) or is done with your consent.

Storage period and location

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period has expired. Your data will be processed within the EU.

Recipients

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective event. This may be the case, for example, if we have to forward your contact request to national companies for processing or if you have participated in international events. Furthermore, it may be necessary to pass on personal data to other parties:

  • to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by mail or digitally
  • to hotels and transport companies if you ask us to organise your travel and stay
  • to local authorities e.g. in the context of applying for VISA

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

 

Active part (e.g. speakers, advisors, moderators)

Purpose and legal basis

Your data will be processed by us for the purpose of handling your contractual performance. The legal basis is the contractual relationship according to Art. 6 (1) b GDPR.

Processed data

We process the following personal data about you:

  • master data (e.g. name, title, department, function, address, institution)
  • contact data (e.g. e-mail, telephone numbers)
  • contract data (e.g. subject of contract, term, customer category)
  • arrival and departure data
  • payment data (e.g. bank details, invoices, payment history, home address)
  • optional: dietary requirements in case of allergies

in individual cases additionally:

  • specific passport data for the creation of invitation letters for VISA service.

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of disclosure (e.g. for theme-based events) or is done with your consent.

Storage period and location

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period has expired. Your data will be processed within the EU.

Recipients

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective activity/assignment:

  • financial accounting for payment processing

In addition, it may be necessary to pass on personal data to other parties:

  • to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by mail or digitally
  • to hotels and transport companies if you ask us to organise your travel and stay.
  • to local authorities e.g. in the context of applying for VISA

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Your product complaint, medical information request or adverse event report related to medicinal products (pharmacovigilance)

The scope of this privacy policy is limited to the processing of personal data in connection with product complaints, medical information requests and pharmacovigilance. Pharmacovigilance is the detection, evaluation, tracking and prevention of adverse events related to medicinal products. Within the framework of pharmacovigilance, we process reports of adverse events in connection with pharmaceuticals (e.g. suspected cases of side effects or lack of drug effect). If you report adverse events or other pharmacovigilance-relevant information to us, we will process this data exclusively for pharmacovigilance purposes.

Purpose and legal basis of the processing – Pharmacovigilance

In terms of pharmacovigilance reporting, we comply with the relevant requirements that oblige us and the responsible regulatory authorities to manage data on adverse events. This serves to protect public health and to ensure a high standard of quality and safety.

We are required to process certain personal data of affected patients and/or reporting persons to report adverse events related to pharmaceuticals to the relevant regulatory authorities. The personal data will only be processed for pharmacovigilance purposes and only when relevant and appropriate to properly document, assess and report such an event in accordance with our pharmacovigilance obligations. The information in question is of great importance to public health and is used for the detection, assessment, understanding and prevention of adverse events and other risks related to our pharmaceuticals. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data in the context of adverse event reports related to medicinal products or other aspects of pharmacovigilance (even if provided in the context of a medical request)

Legal basis: This processing is necessary for B. Braun's statutory pharmacovigilance obligations (Good Pharmacovigilance Practice, MPA). (Art. 6 (1) c and Art. 9 (2) i GDPR)

Purposes and legal basis of the processing - Medical requests

Any personal information provided to B. Braun in connection with medical enquiries may be used to respond to and follow up on the enquiry in question. The information in question may be stored in a medical information database for reference purposes. In addition, we may be required by law (for example, as part of pharmacovigilance) to report the data to regulatory authorities. We do not use your data for any other purposes. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data related to a medical request may be used to respond to and follow up on the request

Legal basis: This processing is based on B. Braun's legitimate interest in following up on your requests (Art. 6 (1) f GDPR). If you are a patient, we will only process your personal data with your explicit consent.  (Art. 6 (1) a and Art. 9 (2) a GDPR).

Purposes and legal basis of the processing – Product complaints

Any personal information provided to B. Braun in connection with a product complaint will be used solely for these purposes. The information in question is of great importance to public health and will be used to assess, classify, and evaluate the product complaint, to follow up on related enquiries and to store the data in a product complaint database for reference purposes. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data in connection with a product complaint (e.g. for the assessment, classification and evaluation of the product complaint, for the follow-up of the corresponding request and for the storage of the data for reference purposes in a product complaint database) (also if provided in the context of a medical request)

Legal basis: This processing is necessary to comply with the legal obligations applicable to B. Braun (Art.6 (1) c and Art.9 (2) i GDPR).

 

Categories of data

When submitting a notification, the following data may be processed, depending on the individual case:

Reporting of adverse events related to medicinal products

Reporting person: name, contact details, belonging to an occupational group

Person affected by an adverse event: personal data on health and medical history as far as necessary for the processing and assessment of the case. This may include data such as initials, age/date of birth, sex, weight, and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of complying with the obligation to medicines safety and our legal obligations.

Medical requests

Reporting person: name, contact details, belonging to an occupational group

If a medical request includes data on a product complaint or suspected adverse reactions, it will additionally be treated as such.

Product complaints

Reporting person: name, contact details, belonging to an occupational group

In the event that a person has experienced a health impairment in connection with a product complaint, personal data on health and medical history will be collected to the extent necessary to process and assess the case. This may include data such as initials, age/date of birth, sex, weight, and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of meeting the obligation to medicines safety and our legal obligations.

Storage period and location 

Due to their importance for public health, pharmacovigilance-related information will be kept for at least 15 years after the withdrawal of the respective products from the market in the last country where they were offered. As information on product complaints is important for public health, complaint records including the corresponding personal data are kept for at least 15 years. Personal data stored in the context of medical information requests will be kept for a maximum of 11 years from the date of receipt.

Recipients

B. Braun may share personal information that you provide to us as necessary to maintain B. Braun's global pharmacovigilance database and to comply with applicable pharmacovigilance legislation. To do this, we may share and/or disclose personal data as follows:

  • within the B. Braun Group, to analyse and evaluate a reported adverse event.
  • to the competent supervisory authorities, regarding a (suspected) adverse event.
  • to service providers, e.g. IT service providers. 
  • to other pharmaceutical companies acting as co-marketers, co-distributors, or other licensing partners of the B. Braun Group, if the pharmacovigilance obligations for our product require such exchange of safety information. 
  • When information about adverse events is published (for example, in the form of case studies and summaries); in these cases, your data will be anonymised to keep your identity confidential.

In addition, B. Braun is required to share certain pharmacovigilance and product-related information with health authorities worldwide. This also includes authorities for which data protection regulations differ from those of the United Kingdom. Legal basis: Art. 6 (1) c and for transfers outside the United Kingdom Art. 6 (1) f and Art. 49 (1) e GDPR.

The reports in question contain details of the incident in question. Personal data are only included to the extent necessary:

  • For patients, the report includes only, as indicated, age, sex, and initials (where indicated), date/year of birth (where disclosure is permitted) but never the patient's name. 
  • For reporting persons, the report includes the name, profession (e.g. doctor, pharmacist), initials or address, email address and telephone number (where indicated). The contact information is necessary to be able to contact the reporter to obtain high quality and complete information on adverse events. If the reporter does not wish to share their contact information with B. Braun or authorities, "privacy" will be entered in the reporter's name and contact information field.

If your data is passed on to other companies, business partners or service providers outside the United Kingdom, we ensure that your personal data is adequately protected, e.g. by concluding standard contractual clauses and/or that only necessary data is passed on.

Purpose and legal basis of processing

The legal basis for processing personal data when using Microsoft Teams is determined by the specific purpose for which the platform is used and the digital event is offered. These can be: 

  • Effective implementation of the event we offer to inform participants about professional topics: legal basis is our legitimate interest based on Art. 6 (1) f GDPR. 
  • Conducting e.g. group or individual meetings, trainings and events to fulfil a contract with the data subject: legal basis is Art. 6 (1) b GDPR. 
  • Conducting group or individual meetings, training sessions and events required for business purposes as part of the employment: the legal basis is the recruitment, performance or termination of the contract of employment pursuant to Section 26 (1) German Data Protection Act. 
  • Implementation of group or individual meetings, training sessions and events based on your consent in accordance with Art. 6 (1) a GDPR, which you grant us by participating in the respective digital event.

Which data is processed?

The scope of the data processed depends on the purpose of the digital event, but in particular also on the information you provide before or during your participation in the event (e.g. use of the chat function): 

  • Meeting metadata: e.g. date, time, meeting ID, phone numbers, location.
  • Text data: if you use the chat function, your posts are processed to display them within the chat. 
  • Audio and video data: If you use the video and audio functions, data from the microphone and/or video camera will be processed for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time.
  • Shared files and information: With the help of the " share" function, you can share your screen or files with other participants. All files, content and comments posted by users in Microsoft Teams can be accessed by the people with whom they are shared. These can be individuals or members of a team or channel within a team.
  • Documentation of your participation with attendee lists: For certain purposes, such as conducting training or awareness-raising activities, it is necessary to keep a list of attendees and store it as evidence. Microsoft Teams offers the possibility to export a list of participants after an event.

Transfer of data

We use Microsoft as a processor within the meaning of Art. 28 GDPR. However, as the provider of Microsoft Teams, Microsoft obtains knowledge of the above data to the extent contractually permitted.

Microsoft reserves the right to process customer data for its own legitimate business purposes. We have no control over this data processing by Microsoft. To the extent that Microsoft Teams processes personal data in connection with its legitimate business purposes, Microsoft is the data controller for those data processing activities and, as such, is responsible for compliance with all applicable data protection laws. This particularly applies when you access the Microsoft Teams website or use Microsoft Teams through your browser. If you require information about Microsoft's processing, please refer to the relevant Microsoft privacy statement.

Data processing outside the European Union

In principle, there is no data processing outside the European Union (EU), as we have limited our storage location to data centres in the EU. However, we cannot exclude the routing of data via internet servers that are located outside the EU. This can be the case in particular if participants are located in a third country.  

Measures to protect your data

The data processed during a digital event is encrypted during transport via the internet and thus protected against unauthorised access by third parties. In addition, we have agreed extensive technical and organisational measures with Microsoft that correspond to the current state of the art, e.g. with regard to access authorisation and end-to-end encryption concepts for data lines, databases and servers.

Deletion of data

We delete personal data when the storage of the data is no longer necessary. In the case of statutory retention obligations, deletion comes into consideration after the expiry of the respective retention obligation.

Your right as a data subject

You have the right to obtain information about the personal data relating to you. Furthermore, you have the right to rectification or deletion or to restriction of processing, insofar as you are entitled to this by law. You can revoke your consent at any time with effect for the future. The lawfulness of the processing until the revocation remains unaffected. Finally, you have the right to object to processing within the scope of the law. You also have the right to data portability within the framework of data protection law. You have the right to file a complaint about the processing of personal data by us with a supervisory authority for data protection.

Particular feature: recording of digital events

In certain circumstances, recording of digital events may take place. This is done for the purpose e.g. publication, documentation, etc. The legal basis is your informed (written) consent according to Art. 6 (1) a GDPR, which you grant us by attending the event. If a digital event is to be recorded, we will inform you about this transparently in advance (e.g. as part of the invitation). In addition, a notice will be provided during the event before the recording is started. The system will also inform you that the event is being recorded.

The recording is stored and deleted after expiration of the respective retention period in accordance with data protection regulations. 

Under certain circumstances, it may be necessary to publish the recording to the group of participants, on the intranet or on the internet in order to fulfil the above-mentioned purpose. If the recording is published on the intranet or internet, we would like to point out that the recordings are made accessible to a broad public. Every viewer can use the content on the internet at their own discretion, including misuse, without this being able to be monitored, restricted or prevented. However, within the framework of data minimisation, we take care, especially when publishing recordings, to delete or anonymise personal data in advance that is not relevant for publication (e.g. cropping the video excerpt).