GDPR 

Contoller
The "controller“ is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Data Processing on behalf of the controller

"Data processing on behalf of the controller" is a special case in data protection law and means the collection, processing or use of personal data by a processor in accordance with the instructions of the controller on the basis of a contract.

Legal basis

Any processing of personal data requires a legal basis. The legal basis may be the consent of a data subject, the performance of a contract, a legal obligation of the controller, the protection of vital interests of the data subject, the performance of public or sovereign tasks or the legitimate interests of the controller or a third party. In addition, there are other legal bases for the processing of e.g. special categories of personal data.

Personal data
Personal data relates to an identified (specific) or identifiable (determinable) natural person. A person is "identified" if the data is directly linked to the data subject or if such a link can be established directly. Individual data with personal reference are, for example

• name and identification features (e.g. date of birth, name affixes, ID number),
• contact data (e.g. postal address, e-mail address, telephone number),
• physical characteristics (e.g. height, weight, hair color, genetic fingerprint) or
• other data (e.g. location data, usage data, actions, statements, value judgments, professional career, bank details, etc.).

Processing
“Processing" shall mean the collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, regardless of whether the processing is carried out by automated means or not.

Pseudonymisation
In the case of "pseudonymisation", the name or other identification characteristics are replaced by a pseudonym (e.g. a number) in order to exclude the identification of the data subject or to make it significantly more difficult to establish. Through pseudonymisation, personal data of a data subject can now only be identified with the addition of further information.

Recipient
"Recipient" means a natural or legal person, public authority, agency or other body to whom personal data is disclosed.

Special categories of personal data
This is a subcategory of personal data. "Special categories of personal data" include particularly sensitive data, such as health data, biometric and genetic data, as well as religious confession, etc.

Third Country
Countries outside the European Union (EU) or the European Economic Area (EEA) are referred to as "third countries" in the GDPR.

The controller is:

SUTUREX & RENODEX

B. Braun Medical 26, rue Armengaud

92210 Saint-Cloud

France

Tel: +33 1 41 10 53 00

E-Mail: info@suturex-renodex.com

The responsibility under data protection law depends on which of our companies you are in contact with or work with. More specific information can be found in the additional information on data protection.
If it is not clear to you who you should contact, you can contact SUTUREX & RENODEX at any time using the contact details provided.

If you have any questions regarding data protection, you can contact the respective data protection officer or our data protection team:

B. Braun Medical Délégué à la protection des données

Direction juridique 26, rue Armengaud

92210 Saint-Cloud

France

E-Mail: donneespersonnelles.fr@bbraun.com

Your personal data may be processed for the following purposes, among others:

• communicating with our contacts, prospective customers, customers or sales partners (hereinafter "business partners") about products, services and projects
  
• answering inquiries from our business partners
  
• planning, implementing, and managing the (contractual) business relationship between our business partners and us, e.g. in order to process orders, for accounting purposes or to carry out and process deliveries
  
• conducting customer surveys, marketing campaigns, market analyses, sweepstakes, contests or similar promotions and events
  
• planning, implementation, and organization of events, e.g. product training, professional development or job shadowing
  
• advertising by e-mail and/or telephone as well as developing and providing advertising (newsletters) tailored to your interests
  
• sending samples, products and information
  
• maintaining the protection and security of our premises, e.g. issuing visitor passes, access control
  
• compliance with legal requirements, e.g. tax and commercial law retention obligations, in order to prevent white-collar crime or money laundering
  
• testing, optimising and further developing products and services
  
• maintaining and protecting the security of our products and services as well as our websites, preventing and detecting security risks and crimes, fraudulent actions or other criminal or damaging actions
  
• ensuring the group's IT security and operations
  
• settling legal disputes, enforcing existing contracts and asserting, exercising and defending legal claims
  

Which personal data is processed in detail depends on the respective purpose. The scope of the data processed depends on which personal data are required to achieve the specific purpose. To the extent permitted by the specific purpose, we process your data pseudonymously or anonymously.

In doing so, we base the processing of your personal data on one of the following legal bases:

If you are in a contractual relationship with us, the processing is carried out to fulfil the contract. The same applies to the implementation of pre-contractual measures based on your request.

We are subject to a large number of legal requirements, such as the Medical Devices Act, the Medicines Act, the Trade Regulation Act and the Commercial Code. In order to comply with these requirements, it may be necessary to process personal data.

Insofar as you have given us your consent to process your personal data for certain purposes, the respective consent is the legal basis for the processing specified in the respective consent form.

You can withdraw your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

Insofar as the processing of your personal data is not necessary for the fulfilment of a contract with you or to comply with legal requirements and consent also does not constitute an appropriate legal basis for the processing, the processing is carried out on the basis of our or a third party's predominant legitimate interest. In order to be able to use this legal basis, we check in advance whether the following requirements are met:

• we or a third party has a legitimate interest in the processing,
  
• the processing is necessary to achieve the legitimate interest, and
  
• your interests or fundamental rights and freedoms requiring the protection of personal data do not override our legitimate interest.
  

Your personal data will be disclosed within SUTUREX & RENODEX to the extent necessary to fulfill the respective purpose or if the internal organisation requires the disclosure (e.g. central financial accounting, sales and marketing, logistics).

Your personal data will only be passed on to third parties, i.e. bodies outside SUTUREX & RENODEX, if the transfer can be based on one of the legal bases mentioned above. Companies are, for example, required by law to disclose data to certain recipients, including in particular

• public authorities, e.g. tax authorities
• judicial/law enforcement authorities, e.g. police, public prosecutors, courts
• lawyers and notaries, e.g. in insolvency proceedings
• auditors

In addition, we use various service providers ("processors" in accordance with Art. 28 GDPR), which we contractually obligate in accordance with the requirements of the GDPR. These include companies from sectors such as IT services, printing services, telecommunications or sales and marketing. Processors may only use personal data according to our instructions and for a specific purpose. Compliance with this is controlled and monitored by us.

As an internationally active group, we may also process your personal data in countries outside of the EU or the EEA ("third countries"). If a transfer to these countries is necessary, the transfer will only take place if

• there is an adequacy decision pursuant to Art. 45 GDPR or appropriate safeguards pursuant to Art. 46 GDPR are in place (e.g. standard contractual clauses issued by the European Commission)
• it serves the performance of a contract
  
• explicit consent has been given by you
  
• it is for the assertion, exercise or defence of legal claims
  
• there is any other exemption pursuant to Art. 49 GDPR
  

In particular, in accordance with the principle of data minimisation, we only transfer the personal data that are necessary for the fulfilment of the respective processing purpose.

Your personal data will be deleted or blocked as soon as the purpose for storing it no longer applies. In addition, storage may take place if this is necessary to comply with regulatory or legal requirements.

Legal storage obligations may result, for example, from the German Commercial Code, the German Fiscal Code or the German Money Laundering Act. The periods specified there for storage or documentation are generally two to ten years.

Within the scope of our (contractual) business relationship and/or cooperation, you must provide the personal data that is required to achieve the respective purpose or that we are legally obliged to collect. Without this personal data, we will generally not be able to achieve the intended purpose and enter the business relationship and/or cooperation with you.

We do not use any procedures for automated decision-making in accordance with Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you of this separately, insofar as this is required by law.

According to the GDPR, you can assert the following data subject rights with us:

• You can request information about your personal data processed by us in accordance with Art. 15 GDPR.
• If inaccurate personal data is processed, you have a right to rectification (Art. 16 GDPR).
• If the legal requirements are met, you may request erasure (“right to be forgotten”) or restriction of processing as well as object to processing (Art. 17, 18 and 21 GDPR).
• If you have given consent to the data processing or if there is a contract for data processing and the data processing is carried out with the help of automated procedures, you may have the right to data portability (Art. 20 GDPR).
• In addition, you have the right to lodge a complaint with your respective data protection supervisory authority (Art. 77 GDPR).

Please note that legal obligations of the controller or national exceptions may mean that your data cannot be permanently deleted or can only be deleted after a certain period of time has elapsed (e.g. the restrictions according to § 34 and § 35 of the German Federal Data Protection Act apply within the scope of the right to information and deletion).

To assert one or more of your data subject rights, please contact us using the contact details provided under "controller and contact person".

Individual right to object

You have the right to object at any time, on the basis of your particular situation, to the processing of your personal data carried out on the basis of Art. 6 (1) f GDPR; this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate reasons for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Right to object to processing of personal data for direct marketing purposes

We may also use your personal data for direct marketing purposes within the framework of the legal provisions. You have the right to object at any time to the processing of your personal data for direct marketing purposes; this also applies to profiling insofar as it is associated with such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be made informally. You will find our contact details under "contoller and contact person".

For information on how your personal data is processed in the context of your application, please refer to the privacy policy of the global job market or the privacy policy of the website of the respective affiliated company.

If you contact us via a contact form, an e-mail address or a telephone number, we also process personal data about you. You will often also be asked for your consent to the processing of personal data for advertising purposes in the context of contact forms. In this regard, please refer to the section "Newsletter/marketing emails".

The purpose of the processing results from the handling of your enquiry or request and further communication. The legal basis for the processing is our legitimate interest according to Art. 6 (1) f GDPR, which results from the aforementioned purposes, or your consent according to Art. 6 (1) a GDPR.

If your contact is aimed at the conclusion of a contract / an ongoing contractual relationship with us, the legal basis is the initiation or implementation of the contractual relationship in accordance with Art. 6 (1) b GDPR.

The specific data processed results from the respective contact form. As a rule, however, it will be the following data:

• Master data (e.g. names, addresses)
• Contact details (e.g. e-mail, telephone numbers)
  
• Information about your request
  

The storage period depends on your specific request. If, for example, your contact is aimed at concluding a contract with us or we already have a business relationship with you, your data will be stored until the contractual and/or legal obligations have been fulfilled and legal retention periods do not prevent deletion.

Depending on the request (e.g. questions about our products and services), your data will be processed further. In order to be able to answer your enquiry/your request in the best possible way, your data will be passed on to the necessary extent within the group (if necessary also to group companies outside the EU).

In addition, we use order processors (e.g. IT and software service providers).

As a global company, we work with contracted distributors in certain countries and regions. In order to provide information on SUTUREX & RENODEX products, therapies, solutions or events, for promotional purposes, to contact you or to respond to your enquiry, we will, with your consent, pass on the personal data you have entered to these external sales partners so that they can contact you. Our sales partners work regionally, which means that your data is only passed on to the sales partner with whom we work in your region.

We want to continuously improve our offerings and services and for this reason we conduct customer satisfaction surveys after certain contact points. The surveys take place immediately after a previous customer contact. In this way, we also comply with the legal requirements and standards that require us to measure customer satisfaction.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out by us on the basis of

• your consent in accordance with Art. 6(1) lit a GDPR,
• our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. There is a legitimate economic interest in gathering experience with our contacts and thus being able to continuously improve our service.
• of a contract according to Art. 6 (1) lit. b GDPR (e.g. hospitation contracts).

At the same time, we comply with the provisions of the German Unfair Competition Act.

Processed data

• Name, address, e-mail address, telephone number as well as comments
• Other information you provide to us when completing a survey. In the context of each survey, you will be informed in advance about the purpose of the processing.

When participating in the survey, you will also be asked to enter comments in free text fields. We strongly recommend that you do not enter any personal data about yourself or any other person. If you nevertheless enter personal data in a free text field, this data may be passed on to the categories of recipients listed below.

Storage period and location

Your data will be stored in accordance with legal and internal requirements and deleted after this period of 2 years. Your data will be processed within the EU. In the case of technical support, it may happen that your data is passed on to a service provider outside the EU in order to fulfil your request. In such a case, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Recipients

Your personal data is processed by us as data controller and in some cases by InMoment (a company under German law, registered with the commercial register number HRB92708 at the Hamburg District Court, with its registered office at Borselstraße 18, 22765 Hamburg) as data processor.

In addition, we use Qualtrics LLC, 333 W. River Park Drive, Provo UT 84604, USA. Data processing outside the European Union (EU) does not take place as a matter of principle, as we have restricted our storage location to data centres in the EU. Following a ruling by the European Court of Justice, service providers based in the USA do not currently offer an adequate level of data protection. This may entail various risks for the legality and security of data processing.

Qualtrics uses standard contractual clauses approved by the EU Commission (according to Art. 46 (2) and (3) DSGVO) as the basis for data processing with recipients based in third countries (outside the European Union) or a transfer of data there. These clauses oblige Qualtrics to comply with the EU level of data protection when processing relevant data outside the EU. These clauses are based on an implementing decision of the EU Commission.

For internal surveys we use the software "Forms" from Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. The data is stored on Microsoft's servers within the EU and processed by us as data controller.

Through our website, you have the opportunity to receive various information (e.g. download a white paper, participate in a webinar/event) on various specialist topics free of charge from SUTUREX & RENODEX. For this purpose, it is necessary that you consent to the use of your data for marketing purposes in return for the provision of this information. We will use the contact details you provide for the provision of information. You will receive an activation email from us or by joining after the registration confirmation, through which your data will be confirmed. Thereafter, you will receive access to the broadly presented information and may also be informed in the future about other relevant therapies, products, solutions or events by SUTUREX & RENODEX and our contractually bound sales partners.

Purpose and legal basis

The processing of your data for the purpose of advertising is carried out on the basis of:

• your consent pursuant to Art. 6 para. (1) a GDPR or
• our legitimate interest according to Art. 6 (1) f GDPR. There is a legitimate economic interest in informing our contacts about further offers and events of our own in order to establish and maintain a long-term customer relationship.
  

At the same time, we observe the requirements of the Unfair Competition Act (UWG).

Processed data:

• Name and email address
• Optional: Title and salutation

Storage period and location

As soon as you have revoked your consent or objected to the processing, your personal data will no longer be used for the purpose of advertising and providing information via our website. If a business relationship continues to exist, your data will continue to be processed for these purposes, otherwise they will be deleted. Your data will be processed by processors (see recipients).

Recipients

We process your data in a central CRM system. Within this framework, your data may be passed on within the B. Braun Group if this is necessary for the provision.

Furthermore, it may be necessary to pass on personal data to other bodies:

• to service providers, e.g. IT service providers or service providers for sending mailings

In doing so, we observe the principle of data economy and only pass on the personal data required in each case.

If your data is transferred to other companies, service providers or other entities outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent. The risks resulting from the transfer of personal data to third countries can be found in the general part of this privacy notice under "Transfer to third countries".

If we have received your contact details as part of a business event, a business appointment or as part of an order, we use your contact details to maintain our business contacts. For this purpose, we transfer your contact data to our CRM system.

Your data is processed on the basis of our legitimate interest pursuant to Article 6 (1) f GDPR. There is a legitimate economic interest in maintaining contacts that have arisen in the course of business transactions beyond the initial contact and to use them to build up a business relationship and to remain in contact with you for this purpose.

In this context, we process the following personal data:

• name, title, function
• institution
  
• business contact details
  
• business address
  
• business e-mail address, telephone number
  

If requested by you and made available to us:

• private contact details, private address, private e-mail address, telephone number

We store your data for the duration of the business relationship. If you object to the processing, we will continue to store your personal data for as long as we are legally required to do so. In addition, data of business contacts with whom we had no business contact within a defined period of time will be deleted.

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The risks resulting from the transfer of personal data to third countries can be found in the general part of this information on data protection under “transfer to third countries”.

We use your contact details to send you information about products, services or events that may be of interest to you.

The processing of your data for the purpose of advertising is carried out by us on the basis of:

• your consent pursuant to Art. 6 (1) a GDPR or
• our legitimate interest pursuant to Art. 6 (1) f GDPR. There is a legitimate economic interest in informing our contacts about our own offers and events in order to establish and maintain a long-term customer relationship

At the same time, we observe the local requirements and regulations on advertising.

In this context, we process the following personal data:

• by e-mail: Name, title, function, institution, department, address and e-mail address
• by mail: Name, title, function, institution, department, address
  
• personal interest in products/services and/or events
  

As soon as you have revoked your consent or objected to the processing, your personal data will no longer be used for the purpose of advertising. If a business relationship continues to exist, your data will continue to be processed for these purposes, otherwise they will be deleted.

Your data will be processed by order processors (see recipients).

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the provision.

In addition, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by post or digitally

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

The risks resulting from the transfer of personal data to third countries can be found in the general part of this information on data protection under “transfer to third countries”.

For the organisation, implementation and follow-up it is necessary to process personal data. Depending on the event and the scope of services, different personal data will be collected from you. Please read below how we process your personal data when you participate as a participant or speaker in our events and similar activities (hereinafter referred to as "events").

If the event takes place on our premises, please also read the "Privacy policy for visitor management".

Participants

The purpose of the processing is to enable you to participate in the events and take advantage of the services or promotions associated with your participation. The legal basis differs depending on the event

• Legitimate interest pursuant to Art. 6 (1) f GDPR (e.g. to ensure secure and efficient communication).
• Consent according to Art. 6 (1) a GDPR (e.g. your registration)
• Contract according to Art. 6 (1) b GDPR (e.g. hospitation contracts)

When you register and participate in one of our events, we process the following data about you:

• master data (e.g. name, title, department, function, address, institution).
• contact data (e.g. e-mail, telephone numbers)
• contract data (e.g. subject of contract, duration, customer category)
• arrival and departure data
• optional: dietary requirements for participants with allergies

in individual cases additionally:

• specific passport data for the creation of invitation letters for VISA service
• date and place of birth

For paid events we also process:

• payment data (e.g. bank details, invoices, payment history, private address if given)

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of disclosure (e.g. for theme-based events) or is done with your consent.

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period has expired. Your data will be processed within the EU.

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective event. This may be the case, for example, if we have to forward your contact request to national companies for processing or if you have participated in international events. Furthermore, it may be necessary to pass on personal data to other parties:

• o service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by mail or digitally
• to hotels and transport companies if you ask us to organise your travel and stay
• to local authorities e.g. in the context of applying for VISA

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Active part (e.g. speakers, advisors, moderators)

Your data will be processed by us for the purpose of handling your contractual performance. The legal basis is the contractual relationship according to Art. 6 (1) b GDPR.

We process the following personal data about you:

• master data (e.g. name, title, department, function, address, institution)
• contact data (e.g. e-mail, telephone numbers)
• contract data (e.g. subject of contract, term, customer category)
• arrival and departure data
• payment data (e.g. bank details, invoices, payment history, home address)
• optional: dietary requirements in case of allergies

in individual cases additionally:

specific passport data for the creation of invitation letters for VISA service.

If we process health-related data (e.g. on allergies), religious, political or other special categories of data in this context, this is done within the scope of disclosure (e.g. for theme-based events) or is done with your consent.

Your data will be stored in accordance with legal requirements (e.g. for invoices max. 10 years) and deleted after this period has expired. Your data will be processed within the EU.

We process your data in a central CRM system. In this context, your data may be passed on within the B. Braun Group if this is necessary for the organisation, implementation and follow-up of the respective activity/assignment:

• financial accounting for payment processing

In addition, it may be necessary to pass on personal data to other parties:

• to service providers, e.g. IT service providers, printing service providers or service providers for sending mailings by mail or digitally
• to hotels and transport companies if you ask us to organise your travel and stay.
• to local authorities e.g. in the context of applying for VISA

In this context, we observe the principle of data minimisation and only pass on the personal data required in each case.

If your data is passed on to other companies, service providers or other bodies outside the EU, we ensure adequate protection of your personal data, e.g. by concluding standard contractual clauses or asking for your consent.

Your product complaint, medical information request or adverse event report related to medicinal products (pharmacovigilance)

The scope of this privacy policy is limited to the processing of personal data in connection with product complaints, medical information requests and pharmacovigilance. Pharmacovigilance is the detection, evaluation, tracking and prevention of adverse events related to medicinal products. Within the framework of pharmacovigilance, we process reports of adverse events in connection with pharmaceuticals (e.g. suspected cases of side effects or lack of drug effect). If you report adverse events or other pharmacovigilance-relevant information to us, we will process this data exclusively for pharmacovigilance purposes.

Purpose and legal basis of the processing – Pharmacovigilance

In terms of pharmacovigilance reporting, we comply with the relevant requirements that oblige us and the responsible regulatory authorities to manage data on adverse events. This serves to protect public health and to ensure a high standard of quality and safety.

We are required to process certain personal data of affected patients and/or reporting persons to report adverse events related to pharmaceuticals to the relevant regulatory authorities. The personal data will only be processed for pharmacovigilance purposes and only when relevant and appropriate to properly document, assess and report such an event in accordance with our pharmacovigilance obligations. The information in question is of great importance to public health and is used for the detection, assessment, understanding and prevention of adverse events and other risks related to our pharmaceuticals. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data in the context of adverse event reports related to medicinal products or other aspects of pharmacovigilance (even if provided in the context of a medical request)

Legal basis: This processing is necessary for SUTUREX & RENODEX's statutory pharmacovigilance obligations (Good Pharmacovigilance Practice, MPA). (Art. 6 (1) c and Art. 9 (2) i GDPR)

Purposes and legal basis of the processing - Medical requests

Any personal information provided to SUTUREX & RENODEX in connection with medical enquiries may be used to respond to and follow up on the enquiry in question. The information in question may be stored in a medical information database for reference purposes. In addition, we may be required by law (for example, as part of pharmacovigilance) to report the data to regulatory authorities. We do not use your data for any other purposes. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data related to a medical request may be used to respond to and follow up on the request

Legal basis: This processing is based on SUTUREX & RENODEX's legitimate interest in following up on your requests (Art. 6 (1) f GDPR). If you are a patient, we will only process your personal data with your explicit consent.  (Art. 6 (1) a and Art. 9 (2) a GDPR).

Purposes and legal basis of the processing – Product complaints

Any personal information provided to SUTUREX & RENODEX in connection with a product complaint will be used solely for these purposes. The information in question is of great importance to public health and will be used to assess, classify, and evaluate the product complaint, to follow up on related enquiries and to store the data in a product complaint database for reference purposes. In particular, we process your data for the following purposes and on the basis of the legal bases listed in the chart below.

Purpose: Personal data in connection with a product complaint (e.g. for the assessment, classification and evaluation of the product complaint, for the follow-up of the corresponding request and for the storage of the data for reference purposes in a product complaint database) (also if provided in the context of a medical request)

Legal basis: This processing is necessary to comply with the legal obligations applicable to SUTUREX & RENODEX (Art.6 (1) c and Art.9 (2) i GDPR).

Categories of data  

When submitting a notification, the following data may be processed, depending on the individual case:

Reporting of adverse events related to medicinal products

Reporting person: name, contact details, belonging to an occupational group

Person affected by an adverse event: personal data on health and medical history as far as necessary for the processing and assessment of the case. This may include data such as initials, age/date of birth, sex, weight, and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of complying with the obligation to medicines safety and our legal obligations.

Medical requests

Reporting person: name, contact details, belonging to an occupational group

If a medical request includes data on a product complaint or suspected adverse reactions, it will additionally be treated as such.

Product complaints

Reporting person: name, contact details, belonging to an occupational group

In the event that a person has experienced a health impairment in connection with a product complaint, personal data on health and medical history will be collected to the extent necessary to process and assess the case. This may include data such as initials, age/date of birth, sex, weight, and height. Personal data considered sensitive by law, such as health status and ethnicity, will only be processed if it appears relevant and necessary for the accurate documentation of the response, as well as fulfilling the purpose of meeting the obligation to medicines safety and our legal obligations.

Storage period and location 

Due to their importance for public health, pharmacovigilance-related information will be kept for at least 15 years after the withdrawal of the respective products from the market in the last country where they were offered. As information on product complaints is important for public health, complaint records including the corresponding personal data are kept for at least 15 years. Personal data stored in the context of medical information requests will be kept for a maximum of 11 years from the date of receipt.

Recipients

SUTUREX & RENODEX may share personal information that you provide to us as necessary to maintain B. Braun's global pharmacovigilance database and to comply with applicable pharmacovigilance legislation. To do this, we may share and/or disclose personal data as follows:

• within the B. Braun Group, to analyse and evaluate a reported adverse event.
• to the competent supervisory authorities, regarding a (suspected) adverse event.
• to service providers, e.g. IT service providers. 
• to other pharmaceutical companies acting as co-marketers, co-distributors, or other licensing partners of the B. Braun Group, if the pharmacovigilance obligations for our product require such exchange of safety information. 
• When information about adverse events is published (for example, in the form of case studies and summaries); in these cases, your data will be anonymised to keep your identity confidential.

In addition, SUTUREX & RENODEX is required to share certain pharmacovigilance and product-related information with health authorities worldwide. This also includes authorities for which data protection regulations differ from those of the EU. Legal basis: Art. 6 (1) c and for transfers outside the EU Art. 6 (1) f and Art. 49 (1) e GDPR. 

The reports in question contain details of the incident in question. Personal data are only included to the extent necessary:

• For patients, the report includes only, as indicated, age, sex, and initials (where indicated), date/year of birth (where disclosure is permitted) but never the patient's name. 
• For reporting persons, the report includes the name, profession (e.g. doctor, pharmacist), initials or address, email address and telephone number (where indicated). The contact information is necessary to be able to contact the reporter to obtain high quality and complete information on adverse events. If the reporter does not wish to share their contact information with Suturex & Renodex or authorities, "privacy" will be entered in the reporter's name and contact information field.

If your data is passed on to other companies, business partners or service providers outside the European Union, we ensure that your personal data is adequately protected, e.g. by concluding standard contractual clauses and/or that only necessary data is passed on.

We use the video conferencing tools "Teams" (from the provider Microsoft, USA) and "Zoom" (from the provider Zoom Video Communications Inc., USA) to carry out digital events.

The legal basis for processing personal data is determined by the specific purpose for which the respective platform is used and the digital event is offered. These can be: 

• Effective implementation of the event we offer to inform participants about professional topics: legal basis is our legitimate interest based on Art. 6 (1) f GDPR. 
• Conducting e.g. group or individual meetings, trainings and events to fulfil a contract with the data subject: legal basis is Art. 6 (1) b GDPR. 
• Conducting group or individual meetings, training sessions and events required for business purposes as part of the employment: the legal basis is the recruitment, performance or termination of the contract of employment pursuant to Section 26 (1) German Data Protection Act. 
• Implementation of group or individual meetings, training sessions and events based on your consent in accordance with Art. 6 (1) a GDPR, which you grant us by participating in the respective digital event.

The scope of the data processed depends on the purpose of the digital event, but in particular also on the information you provide before or during your participation in the event (e.g. use of the chat function): 

• Meeting metadata: e.g. date, time, meeting ID, phone numbers, location.
• Text data: if you use the chat function, your posts are processed to display them within the chat. 
• Audio and video data: If you use the video and audio functions, data from the microphone and/or video camera will be processed for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time.
• Shared files and information: With the help of the " share" function, you can share your screen or files with other participants. All files, content and comments posted by users can be accessed by the people with whom they are shared. These can be individuals or members of a team or channel.
• Documentation of your participation with attendee lists: For certain purposes, such as conducting training or awareness-raising activities, it is necessary to keep a list of attendees and store it as evidence. The video conferencing tools offer the possibility to export a list of participants after an event.

We use Microsoft and Zoom as a processors within the meaning of Art. 28 GDPR. The providers obtain knowledge of the above-mentioned data to the extent contractually permitted.

Microsoft and Zoom reserve the right to process customer data for its own legitimate business purposes. We have no control over this data processing. To the extent that the providers process personal data in connection with its legitimate business purposes, they are the data controllers for those data processing activities and, as such, are responsible for compliance with all applicable data protection laws. This particularly applies when you access the website s of Microsoft and Zoom or use the video conferencing tools through your browser. If you require information about Microsoft's and Zoom's processing, please refer to their relevant privacy statements.

In principle, there is no data processing outside the European Union (EU), as we have limited our storage location to data centres in the EU. However, we cannot exclude the routing of data via internet servers that are located outside the EU. This can be the case in particular if participants are located in a third country.  

The data processed during a digital event is encrypted during transport via the internet and thus protected against unauthorised access by third parties. In addition, we have agreed extensive technical and organisational measures with the providers that correspond to the current state of the art, e.g. with regard to access authorisation and end-to-end encryption concepts for data lines, databases and servers.

We delete personal data when the storage of the data is no longer necessary. In the case of statutory retention obligations, deletion comes into consideration after the expiry of the respective retention obligation.

You have the right to obtain information about the personal data relating to you. Furthermore, you have the right to rectification or deletion or to restriction of processing, insofar as you are entitled to this by law. You can revoke your consent at any time with effect for the future. The lawfulness of the processing until the revocation remains unaffected. Finally, you have the right to object to processing within the scope of the law. You also have the right to data portability within the framework of data protection law. You have the right to file a complaint about the processing of personal data by us with a supervisory authority for data protection.

In certain circumstances, recording of digital events may take place. This is done for the purpose e.g. publication, documentation, etc. The legal basis is your informed (written) consent according to Art. 6 (1) a GDPR, which you grant us by attending the event. If a digital event is to be recorded, we will inform you about this transparently in advance (e.g. as part of the invitation). In addition, a notice will be provided during the event before the recording is started. The system will also inform you that the event is being recorded.

The recording is stored and deleted after expiration of the respective retention period in accordance with data protection regulations. 

Under certain circumstances, it may be necessary to publish the recording to the group of participants, on the intranet or on the internet in order to fulfil the above-mentioned purpose. If the recording is published on the intranet or internet, we would like to point out that the recordings are made accessible to a broad public. Every viewer can use the content on the internet at their own discretion, including misuse, without this being able to be monitored, restricted or prevented. However, within the framework of data minimisation, we take care, especially when publishing recordings, to delete or anonymise personal data in advance that is not relevant for publication (e.g. cropping the video excerpt).

For information on how we handle your personal data when you use one of our apps or websites, please refer to the respective privacy policy.