Table of Contents
1 What personal data we collect
2 How we collect personal data
3 How we use personal data
3.2 Communication and interactions
3.3 Improving Bayer’s medical, marketing, and sales operations
3.4 Business continuity, security, and compliance
3.5 Event Management
3.6 To process your purchases
3.7 Further processing purposes covered under more specific privacy statements:
4 How long we keep personal data
5 With whom we share personal data
6 Processing of personal data outside the UK
7 Information regarding your rights
8 Contact
9 Changes to this Statement
Privacy Statement for Healthcare Professionals (HCPs)
In this document, Bayer plc (hereinafter “us”, “our” or “we”) wishes to provide you with information on how we handle your personal data in the context of our medical, marketing, and sales operations and interactions with you. We are responsible for the processing of your personal data (the data controller) unless otherwise indicated.
1 What personal data we collect
The personal data we may collect about you include:
Identification & contact information | Information necessary to identify you and/or contact and interact with you such as your name, academic title, date of birth, professional registration number or other professional identifiers, postal address, phone/mobile/fax-numbers, email, or other digital contact information. |
Information on your relationship with Bayer | Information on your relationship with us and our affiliates, especially about the communication and interactions with Bayer representatives (e.g. communication content and details, meeting history and minutes, what materials you have been shown, what marketing campaigns or target lists we have used to engage with you), but also for example whether we have assigned you to certain partner clusters, categories or marketing segments. |
Information on use/engagement with Bayer's brands, products, or services | Information related to your use of or engagement with Bayer’s brands, products, or services, including prescription patterns. |
Information on your professional and medical expertise | Information about your professional and medical expertise such as educational background, profession and workplace history, place of work, position and function, areas of expertise and specialty, treatment areas, role in the scientific community. |
Information on your scientific & research activities | Information on your research and scientific activities, for example scientific publications, participations in research projects, conference or event participation and presentations, clinical trial involvement, ongoing and past research, and research collaborations. |
Information on your networking activities | Information on your professional networking activities such as memberships in scientific and professional associations or respective activities on professional or social networks. |
Your feedback, interests & preferences | Information on which topics and content you may be interested in, your preferences on ways in which we communicate and interact with you as well as any other feedback from you regarding our medical, marketing, and sales operations or Bayer's products and services. |
Information on your use of websites and communications | Information on your use of Bayer websites and communications, for example whether you opened an electronic communication, or which links you clicked etc. |
Technical information and Log Data | This includes technical information on the devices you use to access Bayer websites (e.g., operating system, browser type and version etc.) and digital identifiers (e.g., IP address, username and password of a Bayer login account, account ID, time zone, settings, and location etc.) as well as digital records of events occurring within a Bayer software system. This category also contains log data and data related to managing consent (e.g. consents given or withdrawn) as well as authorisations for internal systems to process your personal data. |
Product sample data | Information in relation to product samples you received from us. |
2 How we collect personal data
We collect information directly from you, for example, when you interact with us in face-to-face, remote meetings or in writing; via our websites, apps or social media channels; when you take part in market research or campaigns; when you participate in our events, or communicate with us in any other way.
Furthermore, we may collect information from publicly available sources and receive information from third parties, especially specialised companies that gather, maintain, and analyse professional information relevant for the medical and pharmaceutical industry (“commercial data providers”). Such commercial data providers may provide us with information collected directly from you or gathered from publicly available sources such as websites of organisations or congresses and social media platforms.
3 How we use personal data
In the following, we describe the purposes of the processing. For each purpose we then (i) list the categories of data that are relevant for it, (ii) provide the respective legal basis and (iii) for the cases where the data is collected from you, we state whether providing the data is required and the possible consequences of not providing the data.
3.1 Customer and Partner Relationship Management (CRM)
In order to build and foster customer and partner relationships we maintain an CRM-database with personal data of HCPs, which enables us to identify relevant HCPs, understand their interests and plan and manage our engagement activities with them. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
We may process for this purpose:
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may reduce or prevent the engagement we may have with you, both for scientific and medical, as well as promotional activities. | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to build and foster customer and partner relationships, Art. 6(1)(f) General Data Protection Regulation as implemented in the UK (“GDPR”). |
3.2 Communication and interactions
Deliver information on brands, products, services, and events (“marketing communications”):
| ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
We may process for this purpose:
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may prevent you from receiving such communications. | Regarding e-mail to your non-business email address, SMS, digital messaging, or any other electronic communication, the legal basis for the processing of your data for this purpose is your consent, Art. 6(1)(a) GDPR. Where you are an existing customer, we may use soft opt-in rather than your explicit consent. Regarding all other forms of communication, the legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to provide you with up-to-date information on our brands, products, events, and services, Art. 6(1)(f) GDPR. |
Deliver required educational material and risk and safety related communications We may be required to directly communicate with you to deliver educational material as part of educational programmes ordered by competent authorities to minimise an important risk and/or to maximise the risk-benefit balance of a medicinal product. We may also send direct healthcare professional communication to inform you of important new safety information about a medicine and any actions you should take. We may also be required to keep documentation of such activities to be able to demonstrate compliance. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
We may process for this purpose:
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may prevent you from receiving such important educational material or risk and safety related communications. | The legal basis for the processing of your data for this purpose is either (i) that the processing is necessary for compliance with a legal obligation to which we are subject, Art. 6(1)(c) GDPR or (ii) that the processing is necessary to pursue the legitimate interests of us or our affiliates to be compliant with other laws or orders of competent authorities, Art. 6(1)(f) GDPR. |
Further communication and interactions In addition to the communication purposes already mentioned, we may also process data for further communication and interactions with you, e.g. to meet with you, to respond to your requests, to provide you with information, products or services that you request from us and provide related support to you, to send you non-promotional communications as a follow up to a meeting or other engagement activity, to seek your feedback on events or material, to communicate with you on changes to our policies or terms and conditions etc. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
We may process for this purpose:
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may reduce or prevent the engagement we may have with you. | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to enable the relevant communication and interaction with customers and partners as part of the business activities of a pharmaceutical company, Art. 6(1)(f) GDPR |
3.3 Improving Bayer’s medical, marketing, and sales operations
Market research We may process data to conduct or commission market research studies in order to analyse market trends and enable strategic decision making. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
We may process for this purpose:
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. Not providing your personal data will not adversely affect you. | The legal basis for the processing of your data for this purpose is your consent, Art. 6(1)(a) GDPR. |
Data analytics for improving product and services experience, communications and business operations We want to provide you with a good experience, when interacting with us and using our offerings and services, and that the information we share is valuable to you. Therefore, we analyse your data to better understand your interests and preferences in order to improve and personalize the design and content of our communications and services and create recommendations for engagement actions for our medical and sales representatives. The analysis also helps in general to improve our business operations and strategies, e.g., by creating target groups and audiences for campaigns and campaign journeys and categorize customers/partners into groups based on specific characteristics or preferences to tailor fitting engagement strategies and communications to different segments. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
We may process for this purpose:
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor providing your data necessary to enter into a contract. Not providing your personal data will not adversely affect you. | Processing is based on legitimate interests of us or our affiliates to promote our products and services, to improve customer experience and efficiently operate and conduct business as a pharmaceutical company. (Art. 6(1)(f) GDPR. The processing of data through website tracking technologies (e.g., cookies) which are not necessary for the functionality of the platform is always based on your consent provided directly on the respective website, Art. 6(1)(a) GDPR. |
3.4 Business continuity, security, and compliance
Account management and HCP verification We may process your data for account management and HCP verification in order to enable you to create and maintain a user account in our systems to better use our services and we may need to verify you as an HCP, for example for giving you access to medical content. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
We may process for this purpose:
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your data may reduce your access to relevant content or prevent you from creating and maintaining a customer/partner account with us. | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to enable you to create and maintain user accounts and give you access to medical content, Art. 6(1)(f) GDPR.
|
IT security We may process your data when we maintain, monitor, test or improve the integrity and functionality of our IT systems in order to manage network and system security, detect and respond to threats and ensure adequate data quality. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
We may process for this purpose:
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. Not providing your personal data will not adversely affect you | The legal basis for the processing of your data for this purpose is that the processing is necessary to pursue the legitimate interests of us or our affiliates to maintain, monitor, test or improve the integrity and functionality of our IT systems, Art. 6(1)(f) GDPR. |
Compliance and business continuity We store and process data to ensure and be able to demonstrate that our medical, marketing, and sales operations and interactions with you (including all communications and its content) is compliant with applicable laws and industry codes. Data we hold may also be processed to support the detection, investigation, and prevention of fraud and misconduct or other non-compliant behaviours. Additionally, we may process data for business continuity requirements such as defending against legal claims, supporting activities relating to sale, divestment, or other business changes. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
We may process for this purpose:
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. Not providing your personal data will not adversely affect you | The legal basis for the processing of your data for this purpose is either (i) that the processing is necessary to pursue the legitimate interests of us or our affiliates in compliance and business continuity, Art. 6(1)(f) GDPR, or (ii) that the processing is necessary for compliance with a legal obligation to which we are subject, Art. 6(1)(c) GDPR. |
3.5 Event Management
We will use the personal data that you provide to us to administer your attendance at the event or meeting, e.g. by creating materials relating to the event or meeting (badges, attendance lists etc.), organising any appropriate accommodation, subsistence and processing travel expenses (if applicable). We will also use your personal data to send you information about the event or meeting (by email, text and other messaging system) including reminders about the event or meeting, logistics for registration, and post event/meeting follow up, which may include feedback forms and presentation slides. If you receive any travel or subsistence from Bayer which would constitute a transfer of value under the ABPI Code, full details of how your information is used to fulfil our transparency obligations under the ABPI Code, are set out in a separate privacy statement provided at the time that the funding is offered. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your personal data may mean that you cannot attend the event. | The legal basis for the processing of your data for this purpose is for the performance of a contract between Bayer and you, Article 6(1)(b) GDPR. |
3.6 To process your purchases
In case you place an order with us, we process your information in order to process your order, including organizing shipment to you. The legal basis for the processing is the conclusion and fulfilment of the purchase contract for the ordered goods or services, Art. 6 (1)(b) GDPR. If you choose to pay on account, i.e. we provide our products or services before payment, we may carry out a credit check to protect us against payment defaults. | ||
Data categories | Voluntariness and consequences of not providing data. | Legal Basis |
| Where we collect this data directly from you, you are neither obligated (by law or contract) to provide your data nor is providing your data necessary to enter into a contract. However, not providing your personal data may mean that you cannot attend the event. | The legal basis for the processing of your data for this purpose is the conclusion and fulfilment of the purchase contract for the ordered goods or services, Art. 6 (1)(b) GDPR.
|
3.7 Further processing purposes covered under more specific privacy statements:
- Contracting for ABPI code relevant activities: We may process your personal data to administer a contract with you, for example, for speaker or consultancy services. Please see here.
- Transparency disclosures: We may process your personal data to follow transparency disclosure requirements, including disclosure under the ABPI Code of Practice in relation to Transfers of Value.
Please see here - Handling Adverse Events (Pharmacovigilance), Medical Inquiries, and Product Complaints: We process personal data to detect, assess, understand, and prevent adverse effects with pharmaceutical products, to answer questions on Bayer pharmaceutical and health products, and to manage product complaints.
Please see here.
4 How long we keep personal data
We will store your personal data as long as necessary for the aforementioned purposes, unless a longer period may be required by applicable laws. Accordingly, your data will be stored with respect to the purposes of the processing as follows:
Processing Purpose(s) | Retention period |
| Unless otherwise indicated for certain categories of data below, all data relevant for these purposes will be retained for as long as you are active as an HCP in an area relevant to Bayer's medical, marketing, and sales operations. |
Account management and HCP verification | Data that is only relevant for this purpose will be stored until you delete your user account. |
IT security | Technical information and Log Data relevant for this purpose will in general be stored no longer than 6 months. |
Compliance and business continuity | Technical information and Log Data relevant for this purpose will in general be stored no longer than 6 months, unless such data is necessary to demonstrate compliance with law, e.g. GDPR requirements, in which case they a regularly stored for 3 years. |
Deliver required educational material and risk and safety related communications | The information about the communications for this purpose will be stored for as long as the relevant product is on the market and for a further 10 years thereafter.
|
5 With whom we share personal data
We may share personal data about you:
- With our affiliates from the Bayer Group, where necessary for the purposes described above.
- With contractors who act as our data processors. We will to some extent use specialized service contractors that process your personal data on our behalf e.g., for IT support or cloud services, sending communications for us, conducting market research on our behalf, organising and planning events or executing marketing programs and promotions. Such service contractors are carefully selected and regularly monitored by us. They will only process personal data in accordance with our instructions and on the basis of an respective data processing agreement.
- With independent partners that need to be involved in managing a service or communication towards you, e.g. hotels, travel agencies or financial service providers.
- With independent market research agencies, where necessary for the purposes described above.
- With commercial data providers to coordinate what data we already have or to alert them to inaccurate data.
- With law enforcement agencies or other authorities and state institutions if legally required or necessary for the purposes described above.
- With external lawyers, where necessary to pursue or defend against legal claims.
- With a prospective buyer in case of an acquisition, merger or any other type of corporate or asset transition involving a change of ownership or control concerning us or our services.
- With the public when disclosure or publishing of certain information is required by law or under industry codes, e.g. transparency disclosures around transfers of value according to the ABPI Disclosure Code.
6 Processing of personal data outside the UK
Your personal data may partly be processed in countries outside the UK, for which the UK has not issued a decision that the country would ensure an adequate level of data protection. In such cases, we will ensure that a sufficient level of protection is provided for your personal data, e.g. by making use of the Standard Contractual Clauses adopted by the UK (copy available on request), or we will ask for your explicit consent to such processing.
7 Information regarding your rights
The following rights are in general available to you according to applicable data privacy laws:
- Right of information about your personal data stored by us;
- Right to request the correction, deletion or restricted processing of your personal data;
- Right to object to a processing based on legitimate interest or public interest, unless we are able to prove that compelling, warranted reasons superseding your interests, rights and freedom exist, or that such processing is done for purposes of the assertion, exercise or defense of legal claims;
- Right to data portability;
- Right to file a complaint with a data protection authority;
Where you have provided your consent to the processing of your personal data, you may at any time withdraw your consent with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the withdrawal.
If you wish to exercise your rights, please address your request to the contact indicated below (“Contact”).
8 Contact
If you wish to exercise your rights, please address your request to the Data Protection Officer at Bayer plc on dataprotection-uk-eire@bayer.com clearly stating the nature of the enquiry and your identity. You also have the right to make a complain to the UK regulator, the Information Commissioner’s Office (https://ico.org.uk/global/contact-us/).
9 Changes to this Statement
This Privacy Statement may be changed from time to time to reflect changing legal, regulatory, or operational requirements. We therefore encourage you to periodically visit our website to keep yourself informed on possible updates.
Last updated September 2024
PP-OTH-GB-1216