Privacy Policy for Healthcare Professionals (HCPs)

Content

1. Scope

 

At Bayer, we are committed to protecting the privacy of our customers and partners (hereinafter “You”), and to processing the personal data of our customers and partners in compliance with all applicable laws. This privacy statement applies to our medical, marketing, and sales operations and interactions with our professional customers and partners (namely, Healthcare Professionals as defined under the EFPIA HCP Code), with whom we do business.

2. Who is the Data Controller of your personal information in this context?

 

The data controller for the processing described in this notice is: 


Bayer SA-NV
Jan Mommaertslaan 14
1831 Diegem
Belgium

 

If you have questions regarding this Privacy Notice, please contact us by email at dataprivacy.belux@bayer.com.

3. How do we collect data?

 

We collect Personal Data about You, i.e., any data that may identify you as an individual, in various ways.  

 

In most situations the information is collected directly from you, for example when you sign up for our communication channels, products, or services or during face-to-face or remote interactions, including when we pay visits to you, you participate in remote meetings, or when you interact with our website, apps, or social media, take part in market research or campaigns, participate in our events, or communicate with us in any other form. 

 

Furthermore, we receive information from commercial data providers, or publicly available sources, e.g., medical websites, university websites and congress websites. These sources contain information about your area of medical expertise, your scientific activities such as publication of scientific articles, participation in research projects and professional congresses.

 

The list of commercial data vendors from whom we collect your information includes:

  • IQVIA Solutions Belgium BV, Da Vincilaan 7, 1930 Zaventem, Belgium.

4.  What data do we collect?

We collect and process different categories of Personal Data about you. We primarily collect and process personal data related to your professional role and capacity as a customer or business partner.

 

The personal data we collect about you include in particular:

 

Identity and Contact Data

This includes your name (including titles), date of birth, customer identification number, professional identifier, profession/position/function, email or other online contact information, fax/mobile/phone number, hospital/medical practice, postal and workplace address.

Expertise Data

This includes data on your professional and medical expertise, your scientific activities (such as publications, participations in research projects or congresses), study-related data like number and type of patients, treatment preferences and routines regarding patients and diagnosis, information about contacts with Bayer and information on your interests. Expertise Data may be received also from commercial data providers or market research agencies.

Customer Relations Data

This includes information about services used by you, such as our individual contacts with you, our lists and databases, minutes of meetings with you including discussion details (e.g., topics discussed, your knowledge of our business, what kind of material we have displayed to you and any feedback that you have provided, within the scope of promotional and/or medical/scientific driven interactions and similar information), feedback and survey responses and other similar information, demographic data and information on target groups, segments, and audiences to which you belong and information on your role in the working community.

This also includes data derived from analysing the customer and usage data we have received on you, such as segmentation, target groups and next best action recommendations. 

Customer / Partner Marketing & Communications Preferences

This includes your preferences on content (e.g. about our products, services) and means (e.g., email) for receiving marketing and other communications from us and our partners.

Usage Data on Website and Marketing Communications

This includes information about how you use and interact with our website, social media, and other communication and services, including information on your stays at our website, campaign activity and interaction with and interest in our services. 

As you interact with our website, apps, or services, we may collect Technical Data and Usage Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and similar technologies. 

Technical, Log, and Audit Data

This includes your IP address, your login data, log data, browser type and version, time zone settings and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website. 

This may also include technical data for development and testing and for internal and external audits, and data on consents given.

Sample Data

This includes data in relation to samples you receive from us.

 

5. How do we use personal information?

We will use your personal data in compliance with applicable law(s). In the table below we describe all the purposes for which we will use/process your personal data and the legal basis on which we process your personal data. Where appropriate, we have also identified our legitimate interests. 

 

In particular, we will use your personal data in the following circumstances:

 

Activity / Purpose: Professional Identity Verification, Account Management, and Customer / Partner Relationship Management
Activity Description: Verification of your identity as a healthcare professional and enabling Account Management for you in our systems.

Creating and maintaining our database of healthcare professionals to identify and, if applicable, engage with you. This includes the collection, purchase and storing of your personal data.

Data Types: Identity, Contact, Customer Relations, and Expertise Data
Lawful Basis: Processing is necessary to pursue our legitimate interests of maintaining an up-to-date database of our customers and partners, and verifying your identity and/or creating an account for you. In some cases, verifying your identity might also be necessary to fulfil our legal obligations such as compliance with the local codes of conduct.

Activity / Purpose: Customer / Partner Engagement Management, Reporting, Feedback Collection, and Analyses
Activity Description: Customer Engagement enabling, planning and management, including communication between us and you through phone, remote meeting devices or face-to-face for this purpose. Enabling communication / responses on your medical inquiries and requests. Communication is either agreed upon previously (e.g., planned visit, remote meeting) or initiated by you. This also includes planning our interactions with you.

Enriching your data with your feedback and with information collected during meetings held with you.

Analysing your engagement with our website and apps, communications, preferences, events, face-to-face meetings, and services to improve content you receive, provide you with relevant information, optimise our communication and enhance their relevance for you. We may also assign you to different segments and, based on segmentation, manage the type, content, and frequency of specific communication measures for specific target groups.

Data Types: Identity, Contact, Customer Relations, and Expertise Data
Lawful Basis: Processing is necessary to pursue our legitimate interests to keep track of our engagement with you, to keep track of your interests and expertise, and develop our services and make you feel heard and understood by us.

Activity / Purpose: Customer / Partner Agreement Management
Activity Description: Customer / Partner Agreement management to ensure the provision of services to you are agreed appropriately and lawfully, including with respect to determination of fair market value remuneration based on your expertise data, and can be performed in accordance with the rights and obligations set out in that agreement.
Data Types: Identity, Contact, Customer Relations, and Expertise Data
Lawful Basis: Processing is necessary to pursue our legitimate interest to keep track of our service agreements with you, OR – where applicable - processing is necessary to fulfil our contract with you.

Activity / Purpose: Analysing Data for Preference Management, Personalisation, and Insights
Activity Description: Analysing or predicting your preferences, personalizing content, and gathering insight on your needs by combining directly identifiable data on you and observing your actions on our websites or other forms of communication. We may also assign you to different segments and, based on segmentation, manage the type, content, and frequency of specific communication measures for specific target groups.
Data Types: Identity, Contact, Expertise, Technical Data, Customer / Partner Marketing & Communications Preferences; Usage Data on Website and Marketing Communications
Lawful Basis: Where you have provided your consent, including with respect to cookie collection, OR – where applicable - processing is necessary to pursue our legitimate interest of developing our services and make you feel heard and understood by us.

Activity / Purpose: Success Analyses of Marketing Communication and Website Usage
Activity Description: Gathering information on how you use our services and what type of marketing and communications you want to receive based on your choices, usage of our website and other services and interests.
Data Types: Identity, Contact, Technical Data, Usage Data on Website and Marketing Communications
Lawful Basis: Consent, where you have provided this, including with respect to cookie collection, OR – where applicable - processing is necessary to pursue our legitimate interest of developing our services and make you feel heard and understood by us.

Activity / Purpose: Market Research
Activity Description: Conducting market studies independently or providing third parties with your personal data to conduct such market studies.
Data Types: Identity and Contact Data
Lawful Basis: Where processing is necessary to pursue our legitimate interest to conduct or help third parties to conduct market research.

Activity / Purpose: Digital Marketing in the form of Promotional or Medical Communication
Activity Description: Providing you with marketing and promotional, possibly customized, communications on scientific/health matters (digitally or otherwise), which is personalized to your professional area and interests. We send you communications that we deem interesting to you or which you have specifically requested from us.
Data Types: Technical, Usage and Marketing & Communications Preferences Data
Lawful Basis: Where you have provided your consent to receive digital marketing in the form of Promotional or Medical Communication.

Activity / Purpose: Events Management
Activity Description: Organizing and planning events as well as booking and coordinating travels and accommodation for such events and, when agreed, paying, or reimbursing your expenses. Analysing event participation and activities during events.
Data Types: Identity and Contact Data
Lawful Basis: Processing is necessary to pursue our legitimate interest to offer you the events you have been invited to or have signed up for, OR – where applicable - processing is necessary to fulfil our contract with you.

Activity / Purpose: System Development and Testing
Activity Description: Using the collected data to test the functionalities of our new systems and services insofar as it is impossible to use false or synthetic data. Improving, testing, or developing new IT systems and applications that we use to conduct and improve our business operations.
Data Types: Technical, Log and Audit Data
Lawful Basis: Processing is necessary to pursue our legitimate interest to develop and assess the functionalities of our new systems and services.

Activity / Purpose: Sample Tracking
Activity Description: Processing your information to facilitate sample tracking.
Data Types: Identity, Contact, Sample Distribution Data
Lawful Basis: Processing is necessary to pursue our legitimate interests to keep track of samples we have shared with You, and to keep track of your interest in such samples.

Activity / Purpose: Compliance and Business Continuity
Activity Description: Compliance requirements include, for example, retaining information for tax purposes, for managing consent records, delivering urgent medical information, answering medical inquiries, and keeping necessary records of HCP communications and adverse events.

Business continuity requirements include, for example, managing network security, defending against legal claims, supporting activities relating to sale, divestment or other business changes and communicating with You on changes to our policies, terms and conditions.

Where appropriate, data we hold may be processed to support the detection, investigation, and prevention of fraud and misconduct, or other illegal behaviours.

Data Types: All data groups where applicable
Lawful Basis: Processing is necessary to pursue our legitimate interest to ensure compliance with ethical standards and to investigate or prevent illegal or harmful events OR - where applicable - it is necessary to fulfil our legal obligation.

Activity / Purpose: Transparency Disclosures
Activity Description: Transparency disclosure requirements, including disclosure under EFPIA code of practice in relation to Transfers of Value.
Data Types: Identity, Contact, Customer Relations, Customer Contracts (payment and transaction)
Lawful Basis: Consent, where you have provided this, OR – where applicable - processing is necessary to pursue our legitimate interest, as well as the legitimate interest of the wider public, in providing transparency about our HCP engagements, supporting ethical practice, trust, and collaboration across the pharma industry and medical community.

Activity / Purpose: Safety Reporting
Activity Description: Safety / adverse event reporting requirements, required to support the identification and management of risks of harm to patients, and to uphold Good Pharmacovigilance Practice.
Data Types: Identity, Contact
Lawful Basis: Processing is necessary to pursue legitimate interests in managing risks to patients, OR - where applicable - it is necessary to fulfil our legal obligation.

 

Where we have referred to our legitimate interest as the legal basis for the processing of personal data specified above, we have conducted an appropriate balancing test. The purpose of the balancing test is to ensure that our legitimate interest is not overridden by your interests or fundamental rights and freedoms.

6. How long do we keep personal data?   

We retain the personal information we collect where we have a valid purpose and an ongoing legitimate need to do so. Where we have no ongoing legitimate need to process your personal information, we will either delete or anonymize it. The retention periods are based on market practice and are regularly reviewed and updated.

 

Data may be retained for a longer period if we are legally obliged to do so, or if retention is necessary to establish, exercise or defend legal claims.

 

Data type:
  • Identity and Contact Data
  • Expertise Data
  • Customer Relations Data
  • Customer / Partner Marketing & Communications Preferences
  • Usage Data on Website and Marketing Communications

Retention period: Data will be retained for the duration of the active customer relationship, with a retention period of two years from last interaction with you, determined at the start of the new calendar year annually.

Example: Our last interaction with You takes place on 01 September 2025. In this instance, a two-year retention period will be initiated from 01 January 2026, with data retained until 01 January 2028.

Data type:
  • Technical, Log, and Audit Data

Retention period:
  • Technical data: date of collection + max. 6 months
  • Audit and Log data for compliance and business continuity: + 2 years

Data type:
  • Sample Data

Retention period:
  • General: End of the respective calendar year + 10 years
  • For the purpose of defending against legal claims: End of the year in which the claim arose, and the person entitled to compensation gains knowledge of the circumstances and the identity of the obligor or would have obtained such knowledge if he had not shown gross negligence + 3 years

 

7. How do we keep your data secure?

At Bayer, we implement appropriate physical, technical, and organizational security measures to protect your Personal Information at all times. The controls we implement provide a level of security appropriate to the risk of processing of your Personal Information.
 

8. How do we share the data we collect?

We may share your personal data within Bayer Affiliates (http://www.bayer.com/en/bayer-worldwide.aspx) where required for the above specified purposes. We undertake this sharing on the basis of our legitimate interest to transmit personal data within the Bayer Group for internal administrative and operational purposes, such as for the purposes of using centralized IT systems and alignment of business operations and strategies. We only share your personal data internally when it is necessary for the purposes listed in section 5.

 

We share information, including personal information, with Bayer Affiliates and/or our trusted third-party service providers that we use to provide services to us, to the extent that such parties process your data on our behalf and under our instruction, e.g., hosting of data and maintenance of IT-systems, conducting market research, providing cookies for our website, organizing events, planning and conducting marketing operations, customer support and service, payment processing, delivery of products to you, analytics and other services for us. These third-party service providers may have access to or process your personal information for the purpose of providing services for/to us. We do not permit our third-party service providers to use the personal information that we share with them for any other purpose than (as specified by us in the relevant data processing agreement concluded with these parties) in connection with the services they provide to us. We have entered into data processing agreements with our data processors.

 

Additionally, we share information, including personal information, with relevant regulatory bodies and public authorities where required by law.

We disclose or share your personal data to (independent) third parties in the following cases:

  • with hotels or airlines in connection with events
  • with tax advisers
  • with a prospective buyer in case of an acquisition, merger, or any other type of corporate or asset transition involving a change of ownership or control concerning us, our brands, products, or our services. 
  • when we believe in good faith that disclosure is necessary to establish or exercise our legal rights or defend against legal claims, protect your safety or the safety of others, investigate fraud, or respond to a government request.
  • when required by law we may disclose your personal data to public authorities such as health authorities, tax authorities, and law enforcement authorities
  • when required under industry codes of practice or regulations we may disclose or publish information about you where allowed under our legitimate interest in doing so, your consent to do so, or our legal obligation to do so, as applicable (e.g., transparency disclosures around Transfers of Value under EFPIA requirements or applicable regulations)
  • where necessary, to support legal decisions and to pursue or defend against legal claims, we may share your personal data with external lawyers.

All sharing of data collected is based on an appropriate lawful basis.  

9. Will we transfer your data to third countries, and how would we do this?

We will not transfer your personal data to recipients outside the EU or EEA unless we have ensured compliance with GDPR Chapter V.

Your personal data will (or may) in part also be processed in countries outside the European Union (“EU”) or the European Economic Area (“EEA”), which could have a lower data protection level than European countries. In such cases, we will ensure that a sufficient level of protection is provided for your personal data, e.g., by concluding specific agreements (with our contractual partners or Bayer Affiliates), or we will ask for your explicit consent to such processing.
 

10. How may we use Automated Decision Making and Artificial Intelligence in relation to your information?

We may use automated approaches in decision-making activities, for example in segmentation and profiling for purposes such as marketing, or for determining fair market value rates based on your level of experience and professional expertise. Decisions based on automated approaches will typically be made by individuals and will not have any significant effect upon you. However, we will ensure that appropriate transparency information is provided to you and, where appropriate/necessary, your prior consent is established, in relation to any automated decision-making which has significant effect upon you.

 

Where Artificial Intelligence technologies and processes are used in relation to your data, we will always ensure that appropriate transparency information is provided to you, and that processing is undertaken in accordance with applicable legal and ethical principles.

11. How can you exercise your data protection rights?

You have certain rights available to you when it comes to your personal information. Below is a summary of those rights, how to exercise them and any limitations.

 

Under certain circumstances, you have the following rights:

  • Right to request access to your personal data. This entitles you to request information about whether we process your personal data and how, and to receive a copy of the personal data we hold about you.
  • Right to request rectification of the personal data that we hold about you. This entitles you to have any incomplete or inaccurate data we hold about you corrected, subject to any legal requirement which may prohibit that we amend entries in certain cases.
  • Right to request erasure of your personal data. This entitles you to ask us to delete or remove personal data where there is no good reason for us to continue processing it subject to any legal requirement which may prohibit that we delete entries in certain cases.
  • Right to object to processing of your personal data where we are relying on our legitimate interest (or that of a third party) as a legal basis for processing. 
  • Right to request the restriction of processing of your personal data. This entitles you to ask us to suspend and/or restrict the processing of personal data about you, for example if you want us to establish accuracy of the data or the reason for processing the data.
  • Right to request that we transmit your personal data to another party (also known as data portability).
  • Right to not be subject to decisions based solely on automated processing, where this has a significant effect upon you. 
  • Where our processing is solely based on your consent, the right to withdraw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

If you wish to exercise your rights, please submit your request via our contact form (https://www.bayer.com/en/contacting-data-privacy) or address it to our company data protection office indicated below.

 

You have the right to complain to your local data protection authority if you have concerns with our data protection practices. In Belgium you can lodge a complaint with the Office of the Data Protection Authority at www.gegevensbeschermingsautoriteit.be.

12. How can you contact the Data Protection Office with regard to this Privacy Statement?

If you wish to contact our data protection office, please send your request to Bayer SA-NV, Data Protection Officer, J.E. Mommaertslaan 14, 1831 Diegem (Machelen), Belgium or to dataprivacy.belux@bayer.com.

13. How will changes to this Privacy Statement be managed and communicated?

This Privacy Statement can be updated from time to time to reflect changing legal, regulatory, or operational requirements. We encourage you to periodically consult our website for the latest information on our privacy practices.


If there are any material changes to this privacy notice, and you are a registered customer, you will be notified by email prior to the change becoming effective. 

 

 

Date last revised: 15/12/2023

CON-BE-00015-1