With this privacy statement, Bayer SA-NV, Kouterveldstraat 7A 301A, 1831 Diegem, Belgium (hereinafter “we”, “us” or “we”) wishes to provide you with information about how we handle your personal data in the context of our medical, marketing and sales activities and interactions with you as a healthcare professional or non-healthcare professional (being others with a potential involvement in or influence on the prescribing, dispensing and use of medicines), hereinafter collectively referred to as “HCPs”. We are also responsible for the processing of your personal data (the data controller) unless otherwise indicated.
1 What personal data we collect?
The personal information we may collect about you includes:
| Identification & contact information | Information necessary to identify you and/or contact and communicate with you, such as your name, academic title, date of birth, RIZIV-number or other professional identifiers, postal address, phone/mobile/fax-numbers, email, or other digital contact information. |
| Information on your relationship with Bayer | Information on your relationship with us and our affiliates, especially about the communication and interactions with Bayer representatives (e.g. communication content and details, meeting history and minutes, what materials you have been shown, what marketing campaigns or target lists we have used to engage with you), but also for example whether we have assigned you to certain partner clusters, categories or marketing segments. |
| Information on use/engagement with Bayer’s brands, products, or services | Information related to your use of or engagement with Bayer’s brands, products, or services, including prescription patterns. |
| Information on your professional and medical expertise | Information about your professional and medical expertise such as educational background, profession and workplace history, place of work, position and function, areas of expertise and specialty, treatment areas, role in the scientific community. |
| Information on your scientific & research activities | Information on your research and scientific activities, for example scientific publications, participations in research projects, conference or event participation and presentations, clinical trial involvement, ongoing and past research, and research collaborations. |
| Information on your networking activities | Information on your professional networking activities such as memberships in scientific and professional associations or respective activities on professional or social networks. |
| Your feedback, interests & preferences | Information on which topics and content you may be interested in, your preferences on ways in which we communicate and interact with you as well as any other feedback from you regarding our medical, marketing, and sales operations or Bayer’s products and services. |
| Information on your use of websites and communications | Information on your use of Bayer websites and communications, for example whether you opened an electronic communication, or which links you clicked etc. |
| Technical information and Log Data | This includes technical information on the devices you use to access Bayer websites (e.g., operating system, browser type and version etc.) and digital identifiers (e.g., IP address, username and password of a Bayer login account, account ID, time zone, settings, and location etc.) as well as digital records of events occurring within a Bayer software system. This category also contains log data and data related to managing consent (e.g. consents given or withdrawn) as well as authorisations for internal systems to process your personal data. |
| Product sample data | Information in relation to product samples you received from us. |
2 How we collect your personal data
We collect information directly from you, for example, when you interact with us in face-to-face or remote meetings, via our websites, apps, social media, take part in market research or campaigns, participate in our events, or communicate with us in any other form.
Furthermore, we may collect information from publicly available sources and receive information from third parties, especially specialized companies that gather, maintain, and analyse professional information relevant for the medical and pharmaceutical industry (“commercial data providers”). Such commercial data providers may provide us with information collected directly from you or gathered from publicly available sources such as websites of organisations or congresses.
In particular, we receive information from:
• IQVIA Solutions Belgium, Corporate Village, Davos Building, Da Vincilaan 7, 1930 Zaventem, Belgium;
• Veeva Systems Inc., 4280 Hacienda Drive, Pleasanton, CA 94588, United States of America
3 How we use personal data
In the following, we describe the purposes of the processing as well as with respect to each purpose, the categories of data that are relevant for it, the respective legal basis and for the cases where the data is collected from you, whether providing the data is required and the possible consequences of not providing the data:
3.1 Customer and Partner Relationship Management (CRM)
| In order to build and foster customer and partner relationships we maintain an CRM-database with personal data of HCPs, which enables us to identify relevant HCPs, understand their interests and plan and manage our engagement activities with them. |
| Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| We may process for this purpose: • Identification & contact information • Information on your relationship with Bayer • Information on use/engagement with Bayer’s brands, products, or services • Information on your professional and medical expertise • Information on your scientific & research activities • Information on your networking activities • Your feedback, interests & preferences • Information on your use of websites and communications • Technical information and Log Data |
Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may reduce or prevent the engagement we may have with you, both for scientific and medical, as well as promotional activities. | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to build and foster customer and partner relationships, Art. 6(1)(f) General Data Protection Regulation (“GDPR”). |
3.2 Communication and interactions
| Deliver information on brands, products, services, and events (“marketing communications”): |
| As we want to provide you with up-to-date information on our brands, products, events, and services, we use your data to: • send you information via e-Mail on newest drug and product developments, research, and scientific activities such as networking events from your Bayer Medical Science Liaison (medical content) • send you promotional information via e-Mail on our approved products, brands, and brand launches (promotional content) from your Bayer Representative • send you e-Mail Newsletters providing you with general information and updates on our brands, products, and services from our regional campaign teams. • send you e-Mail Newsletters on specific topics after you actively subscribed to them. • send you timely information on specific topics via digital messaging applications to your mobile phone. • send you timely information on specific topics via Short Message Services (SMS) to your mobile phone. • do promotional phone calls and send you faxes from our in-house sales teams. • display customized advertisements tailored to your interests to you on our or other websites and apps. • send you postal mail to your address. |
| Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| We may process for this purpose: •Identification & contact information •Information on your relationship with Bayer •Your feedback, interests & preferences •Information on your use of websites and communications •Technical information and Log Data |
Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may prevent you from receiving such communications. | Regarding phone calls, e-mail or any other electronic communication, the legal basis for the processing of your data for this purpose is your consent, Art. 6 (1) (a) GDPR. Regarding non-electronic communication, the legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to provide you with up-to-date information on our brands, products, events, and services, Art. 6(1)(f) GDPR. |
| Deliver required educational material and risk and safety related communications We may be required to directly communicate with you to deliver educational material as part of educational programmes ordered by competent authorities to minimise an important risk and/or to maximise the risk-benefit balance of a medicinal product. We may also send direct healthcare professional communication to inform you of important new safety information about a medicine and any actions you should take. We may also be required to keep documentation of such activities to be able to demonstrate compliance. |
| Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| We may process for this purpose: • Identification & contact information • Information on your relationship with Bayer• Information on use/engagement with Bayer’s brands, products, or services | Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may prevent you from receiving such important educational material or risk and safety related communications. | The legal basis for the processing of your data for this purpose is either (i) that the processing is necessary for compliance with a legal obligation from a EU law or a law of a EU member state to which we are subject, Art. 6(1)(c) GDPR or (ii) that the processing is necessary to pursue the legitimate interests of us or our affiliates to be compliant with other laws or orders of competent authorities, Art. 6(1)(f) GDPR. |
| Further communication and interactions In addition to the communication purposes already mentioned, we may also process data for further communication and interactions with you, e.g. to meet with you, to respond to your requests, to provide you with information, products or services that you request from us and provide related support to you, to send you non-promotional communications as a follow up to a meeting or other engagement activity, to communicate with you on changes to our policies or terms and conditions etc. |
| Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| We may process for this purpose: • Identification & contact information • Information on your relationship with Bayer • Information on use/engagement with Bayer’s brands, products, or services• Information on your professional and medical expertise • Information on your scientific & research activities • Information on your networking activities • Your feedback, interests & preferences• Information on your use of websites and communications• Technical information and Log Data | Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may reduce or prevent the engagement we may have with you. | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to enable the relevant communication and interaction with customers and partners as part of the business activities of a pharmaceutical company, Art. 6(1)(f) GDPR. |
3.3 Improving Bayer’s medical, marketing, and sales operations
| Market research We may process data to conduct or commission market research studies in order to analyse market trends and enable strategic decision making. |
| Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| We may process for this purpose: • Identification & contact information • Information on your relationship with Bayer• Feedback, Interests & Preferences • Information on your use of websites and communications• Technical information and Log Data | Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. Not providing your personal data will not adversely affect you. | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to do market research in order to analyse market trends and enable strategic decision making, Art. 6(1)(f) GDPR. |
| Data analytics for improving product and services experience, communications and business operations We want to provide you with a good experience, when interacting with us and using our offerings and services, and that the information we share is valuable to you. Therefore, we analyse your data to better understand your interests and preferences in order to improve and personalize the design and content of our communications and services and create recommendations for engagement actions for our medical and sales representatives. The analysis also helps in general to improve our business operations and strategies, e.g., by creating target groups and audiences for campaigns and campaign journeys and categorize customers/partners into groups based on specific characteristics or preferences to tailor fitting engagement strategies and communications to different segments. |
| Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| We may process for this purpose: • Identification & contact information • Information on your relationship with Bayer• Information on use/engagement with Bayer’s brands, products, or services• Information on your professional and medical expertise • Information on your scientific & research activities • Information on your networking activities • Your feedback, interests & preferences• Information on your use of websites and communications• Technical information and Log Data | Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. Not providing your personal data will not adversely affect you. | Processing is based on legitimate interests of us or our affiliates to promote our products and services, to improve customer experience and efficiently operate and conduct business as a pharmaceutical company. (Art. 6(1)(f) GDPR. The processing of data through website tracking technologies (e.g., cookies) which are not necessary for the functionality of the platform is always based on your consent provided directly on the respective website, Art. 6(1)(a) GDPR. |
3.4 Business continuity, security, and compliance
| Account management and HCP verification We may process your data for account management and HCP verification in order to enable you to create and maintain a user account in our systems to better use our services and we may need to verify you as an HCP, for example for giving you access to medical content. |
| Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| We may process for this purpose: • Identification & contact information • Information on your relationship with Bayer • Technical information and Log Data | Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may reduce your access to relevant content or prevent you from creating and maintaining a customer/partner account with us. | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to enable you to create and maintain user accounts and give you access to medical content, Art. 6(1)(f) GDPR. |
| IT security We may process your data when we maintain, monitor, test or improve the integrity and functionality of our IT systems in order to manage network and system security, detect and respond to threats and ensure adequate data quality |
| Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| We may process for this purpose: • Identification & contact information • Information on your relationship with Bayer• Information on use/engagement with Bayer’s brands, products, or services• Information on your professional and medical expertise • Information on your scientific & research activities • Information on your networking activities • Your feedback, interests & preferences• Information on your use of websites and communications• Technical information and Log Data | Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. Not providing your personal data will not adversely affect you. | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to maintain, monitor, test or improve the integrity and functionality of our IT systems, Art. 6(1)(f) GDPR. |
| Compliance and business continuity We store and process data to ensure and be able to demonstrate that our medical, marketing, and sales operations and interactions with you (including all communications and its content) is compliant with applicable laws and industry codes. Data we hold may also be processed to support the detection, investigation, and prevention of fraud and misconduct or other non-compliant behaviours. Additionally, we may process data for business continuity requirements such as defending against legal claims, supporting activities relating to sale, divestment, or other business changes. |
| Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| We may process for this purpose: • Identification & contact information • Information on your relationship with Bayer • Information on use/engagement with Bayer’s brands, products, or servicesv• Information on your professional and medical expertise • Information on your scientific & research activities • Information on your networking activities • Your feedback, interests & preferences • Information on your use of websites and communications • Technical information and Log Data • Product sample data |
Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. Not providing your personal data will not adversely affect you. | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates in compliance and business continuity, Art. 6(1)(f) GDPR. |
3.5 Further processing purposes covered under more specific privacy statements:
• Contract management: We may process your personal data when necessary for the performance of a certain contract with you or in order to take steps at your request prior to entering into such a contract. You can find details on such processing activities attached with the specific contract.
• Sample tracking: We retain and process your personal data when we are obliged to track distribution of product samples. The data mentioned on your written request will be kept for 10 years.
• Events management: We may process your personal data for the purposes of organizing and planning events, booking, coordinating, reimbursing travels and accommodation for you and we track event participation and activities during events. You can find details of such processing activities when you register for an event in the General Conditions of Participation.
• Transparency disclosures: We may process your personal data to follow transparency disclosure requirements, including disclosure under EFPIA Code of Practice in relation to Transfers of Value. You can find details of such processing activities in the annex to the specific contract.
• Handling Adverse Events (Pharmacovigilance), Medical Inquiries, and Product Complaints: We process personal data to detect, assess, understand, and prevent adverse effects with pharmaceutical products, to answer questions on Bayer pharmaceutical and health products, and to manage product complaints. For more information see this link.
• Customer/financial service teams activities: We may process your personal data if you contact Bayer’s customer/financial service teams in Pharmaceuticals and Consumer Health by phone, e-mail, fax or letter. For more information see this link.
4 How long we keep personal data
We will store your personal data as long as necessary for the aforementioned purposes, unless a longer period may be required by applicable laws. Accordingly, your data will be stored with respect to the purposes of the processing as follows:
| Processing Purpose(s) | Retention period |
| • Customer and Partner Relationship Management (CRM)• Communication and interactions• Improving Bayer’s medical, marketing, and sales operations | Unless otherwise indicated for certain categories of data below, all data relevant for these purposes will be retained for as long as you are active as an HCP in an area relevant to Bayer’s medical, marketing, and sales operations. |
| Account management and HCP verification | Data that is only relevant for this purpose will be stored until you delete your user account. |
| IT security | Technical information and Log Data relevant for this purpose will in general be stored no longer than 6 months. |
| Compliance and business continuity | Technical information and Log Data relevant for this purpose will in general be stored no longer than 6 months, unless such data is necessary to demonstrate compliance with law, e.g. GDPR requirements, in which case they a regularly stored for 3 years. |
| Deliver required educational material and risk and safety related communications | The information about the communications for this purpose will be stored for as long as the relevant product is on the market and for a further 10 years thereafter. |
5 With whom we share personal data
We may share personal data about you:
• With our affiliates from the Bayer Group, where necessary for the purposes described above.
• With contractors who act as our data processors. We will to some extent use specialized service contractors that process your personal data on our behalf e.g., for IT support or cloud services, sending communications for us, conducting market research on our behalf, organising and planning events or executing marketing programs and promotions. Such service contractors are carefully selected and regularly monitored by us. They will only process personal data in accordance with our instructions and on the basis of an respective data processing agreement.
• With independent partners that need to be involved in managing a service or communication towards you, e.g. hotels, travel agencies or financial service providers.
• With independent market research agencies, where necessary for the purposes described above.
• With commercial data providers to coordinate what data we already have or to alert them to inaccurate data.
• With law enforcement agencies or other authorities and state institutions if legally required or necessary for the purposes described above.
• With external lawyers, where necessary to pursue or defend against legal claims.
• With a prospective buyer in case of an acquisition, merger or any other type of corporate or asset transition involving a change of ownership or control concerning us or our services.
• With the public when disclosure or publishing of certain information is required by law or under industry codes, e.g. transparency disclosures around transfers of value according to the EFPIA Disclosure Code.
6 Processing of personal data outside the EU/EEA
Your personal data may partly be processed in countries outside the European Union (“EU”) or the European Economic Area (“EEA”) for which the European Commission has not issued a decision that the country would ensure an adequate level of data protection. In such cases, we will ensure that a sufficient level of protection is provided for your personal data, e.g. by making use of the Standard Contractual Clauses adopted by the European Commission (copy available on request), or we will ask for your explicit consent to such processing.
7 Information regarding your rights
The following rights are in general available to you according to applicable data privacy laws:
• Right of information about your personal data stored by us;
• Right to request the correction, deletion or restricted processing of your personal data;
• Right to object to a processing based on legitimate interest or public interest, unless we are able to proof that compelling, warranted reasons superseding your interests, rights and freedom exist, or that such processing is done for purposes of the assertion, exercise or defense of legal claims;
• Right to data portability;
• Right to file a complaint with a data protection authority;
• Where you have provided your consent to the processing of your personal data, you may at any time withdraw your consent with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the withdrawal.
If you wish to exercise your rights, please address your request to the contact indicated below (“Contact”).
8 Contact
For any questions you may have with respect to data privacy, or if you wish to exercise your rights, please address your request to our contact form or send an email to data.privacy@bayer.com. You may also contact our Data Protection Officer at the following address: Bayer SA-NV, Data Protection Officer, Kouterveldstraat 7A 301A, 1831 Diegem, Belgium or via dataprivacy.belux@bayer.com.
You may also reach out to:
Bayer AG
Group Data Protection Officer
51368 Leverkusen, Germany
Bayer AG is designated as representative in the European Union for our non-European legal entities in accordance with Art. 27 GDPR.
9 Changes to this Statement
This Privacy Statement may be changed from time to time to reflect changing legal, regulatory, or operational requirements. We therefore encourage you to periodically visit our website to keep yourself informed on possible updates.