Corporate website

General Privacy Notice

Privacy notice available in other languages.

Grifols is a global healthcare group founded in Barcelona in 1909 committed to improving the health and well-being of people around the world. Its three main business units - Biopharma, Diagnostic and Bio Supplies - develop, produce and market innovative solutions and services that are sold in more than 100 countries.

Grifols respects the privacy rights of all data subjects who entrust their personal data and is committed to complying with the data protection regulations applicable in each country.

This privacy notice has been prepared in accordance with the European Union General Data Protection Regulation (the "GDPR") and applicable privacy and data protection laws; see Section 7 for specific provisions. It outlines Grifols' data collection practices and the choices that data subjects have about the way Grifols collects, uses and shares their personal data.

This data protection notice explains the processing of the personal data we collect when you interact with us through different channels and when we collect your image and other identifying features.

Grifols has specific data protection notices for other processing of personal data which can be found on the company's corporate website in the "Privacy Notices" section.

1. Identification of the data controller(s)/owner(s) of the personal data

The data controller(s)/owner(s) is/are:

The Grifols' group company to which the data subjects submit information requests, suggestions and/or queries;
The Grifols' group company operating and identified as such in the websites, landing pages, apps and in any other similar digital platform through which the personal data of the data subjects are processed; or
The Grifols' group company contacting the data subjects (as identified in the methods used to establish said contact) for the remaining purposes set out in Section 3.
The company in the Grifols group identified in the authorisation document for the recording and use of images and other identifying features or in other similar communications.

The identity and contact details of the Grifols' group of companies are available here. The company or companies of the Grifols Group that act as data controller/s will be referred to as "Grifols".

2. Identification of the data protection officer

The data protection officer acts as an interlocutor between Grifols and you to ensure Grifols' complies with the data protection legislation and to protect your rights under such legislation. You may contact the data protection officer at dpo@grifols.com, unless the data controllers are Grifols Deutschland GmbH or Haema AG, in which case you may contact the data protection officer at each of these companies at dsb@grifols.com and dsb@haema.de, respectively.

3. Purposes, lawful basis, categories and recipients of personal data

Purpose

To analyse and, where appropriate, respond to any requests for information, suggestions and/or queries made through the means provided for this purpose.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹
Contact details².
Professional data³.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis: Legitimate interest

To carry out maintenance tasks in websites, landing pages, and apps to offer a secure environment to its users.

Categories of personal data and recipients

Categories of personal data:

Browsing history data⁴.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis: Legitimate interest

To manage corporate reorganization activities.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Contact details².
Professional data³.
Browsing history data⁴.
Interests and preferences.

Recipients:

Grifols' group companies.
Providers of products and services.
Potential investors or purchasers.

Lawful basis: Legitimate interest

To interact (i.e., respond to messages or comments, generate reactions, share content, etc.) with users of Grifols' profiles on social networks, which would involve the communication of certain data (i.e., IP address and browsing history data) to the providers of these social networks.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Contact details².
Browsing history data⁴.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis: Legitimate interest

To customize certain functionalities of websites, landing pages, and apps based on the data subjects' browsing preferences and analyse their browsing behaviour with the aim of improving the services offered through these platforms. The information about profiling activities and behavioural analysis is available in this privacy notice and, if applicable, in the Cookies Policy of the relevant website, landing page, or app.

Categories of personal data and recipients

Categories of personal data:

Browsing history data⁴.
Interests and preferences.

Recipients:

Grifols' group companies.
Providers of products and services

Lawful basis: Consent

To create profiles of data subjects based on their preferences and personal interests which is obtained from information provided by their own data subjects, obtained from the third-party sources detailed in Section 5, and from analysing their behaviour (by reading cookies or similar technologies) when receiving or interacting with communications from Grifols or when browsing the internet. Grifols will use these profiles to send communications that are tailored to the preferences, interests and behaviour shown by the data subjects. Automated decisions will not be taken based on such profiles. As set out in Section 6, data subjects may exercise their right to object and withdraw their consent to the processing of their personal data for direct marketing purposes. In some cases, data subject profiling will be done in aggregate form so that Grifols does not know the identity of data subjects in any way and, in such cases, will use the aggregated information for the purpose of analysing the behaviour of segments of data subjects.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Contact details².
Professional data³.
Browsing history data⁴.
Interests and preferences.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis: Consent

To send scientific, educational, and commercial information about Grifols' group products, services and activities, by any means, including electronic ones, when a contractual relationship with the data subject does not exist. As set out in Section 6, data subjects may withdraw their consent to have their data processed for direct marketing purposes.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Contact details².
Professional data³.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis: Consent

To manage and control the registration, participation and attendance of data subjects to symposiums, conferences, webinars, training sessions, or similar events, in person or virtual ones, organized by Grifols or third parties.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Contact details².
Professional data³.
Interests and preferences.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis: Consent

To respond to medical and technical (non-commercial) requests for information about products manufactured or distributed by Grifols.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Contact details².
Professional data³.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis: Legal obligation

To manage and control the registration, access, and use of resources available on websites, landing pages and apps.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Contact details².
Professional data³.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis

Execution of a contract

Consent (if no contract exists)

To contact data subjects with the intention of conducting surveys or similar activities carried out directly by Grifols or by service providers. These activities may involve the communication of certain data with said providers.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Contact data².
Professional data³.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis

Consent

Legitimate interest

To deal with, manage, evaluate and award, in accordance with internal policies and procedures, sponsorships, grants and donations for the implementation of projects of a diverse nature.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Professional data².

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis: Legitimate interest

The capture, recording and use of images, voice and other identifying features including images and audiovisual recordings of oneself for the purposes described in the authorisation document or in another communication with similar characteristics. Such recordings may include data on the health status of the data subjects, if they are patients. In accordance with Section 7, data subjects may withdraw their consent to the processing of their personal data for direct marketing purposes.

Categories of personal data and recipients

Categories of personal data:

Identification data and personal characteristics¹.
Special category data⁵.

Recipients:

Grifols' group companies.
Providers of products and services.

Lawful basis: Consent

¹ For example, name, last name, signature, sex, nationality, number of national/foreigner's ID/passport document, username on social platforms, image, voice.

² For example, home address, email and personal phone number.

³For example, professional contact details, job position, place of work, member of professional associations.

⁴ For example, IP address, device or user ID, browser type and version, visited sections and country from which the connection is made.

⁵ For example, health data

¹ For example, name, last name, signature, sex, nationality, number of national/foreigner's ID/passport document, username on social platforms, image, voice.

² For example, home address, email and personal phone number.

³For example, professional contact details, job position, place of work, member of professional associations.

⁴ For example, IP address, device or user ID, browser type and version, visited sections and country from which the connection is made.

⁵ For example, health data
Purpose	Categories of personal data and recipients	Lawful basis
To analyse and, where appropriate, respond to any requests for information, suggestions and/or queries made through the means provided for this purpose.	Categories of personal data: Identification data and personal characteristics¹ Contact details². Professional data³. Recipients: Grifols' group companies. Providers of products and services.	Legitimate interest
To carry out maintenance tasks in websites, landing pages, and apps to offer a secure environment to its users.	Categories of personal data: Browsing history data⁴. Recipients: Grifols' group companies. Providers of products and services.	Legitimate interest
To manage corporate reorganization activities.	Categories of personal data: Identification data and personal characteristics¹. Contact details². Professional data³. Browsing history data⁴. Interests and preferences. Recipients: Grifols' group companies. Providers of products and services. Potential investors or purchasers.	Legitimate interest
To interact (i.e., respond to messages or comments, generate reactions, share content, etc.) with users of Grifols' profiles on social networks, which would involve the communication of certain data (i.e., IP address and browsing history data) to the providers of these social networks.	Categories of personal data: Identification data and personal characteristics¹. Contact details². Browsing history data⁴. Recipients: Grifols' group companies. Providers of products and services.	Legitimate interest
To customize certain functionalities of websites, landing pages, and apps based on the data subjects' browsing preferences and analyse their browsing behaviour with the aim of improving the services offered through these platforms. The information about profiling activities and behavioural analysis is available in this privacy notice and, if applicable, in the Cookies Policy of the relevant website, landing page, or app.	Categories of personal data: Browsing history data⁴. Interests and preferences. Recipients: Grifols' group companies. Providers of products and services	Consent
To create profiles of data subjects based on their preferences and personal interests which is obtained from information provided by their own data subjects, obtained from the third-party sources detailed in Section 5, and from analysing their behaviour (by reading cookies or similar technologies) when receiving or interacting with communications from Grifols or when browsing the internet. Grifols will use these profiles to send communications that are tailored to the preferences, interests and behaviour shown by the data subjects. Automated decisions will not be taken based on such profiles. As set out in Section 6, data subjects may exercise their right to object and withdraw their consent to the processing of their personal data for direct marketing purposes. In some cases, data subject profiling will be done in aggregate form so that Grifols does not know the identity of data subjects in any way and, in such cases, will use the aggregated information for the purpose of analysing the behaviour of segments of data subjects.	Categories of personal data: Identification data and personal characteristics¹. Contact details². Professional data³. Browsing history data⁴. Interests and preferences. Recipients: Grifols' group companies. Providers of products and services.	Consent
To send scientific, educational, and commercial information about Grifols' group products, services and activities, by any means, including electronic ones, when a contractual relationship with the data subject does not exist. As set out in Section 6, data subjects may withdraw their consent to have their data processed for direct marketing purposes.	Categories of personal data: Identification data and personal characteristics¹. Contact details². Professional data³. Recipients: Grifols' group companies. Providers of products and services.	Consent
To manage and control the registration, participation and attendance of data subjects to symposiums, conferences, webinars, training sessions, or similar events, in person or virtual ones, organized by Grifols or third parties.	Categories of personal data: Identification data and personal characteristics¹. Contact details². Professional data³. Interests and preferences. Recipients: Grifols' group companies. Providers of products and services.	Consent
To respond to medical and technical (non-commercial) requests for information about products manufactured or distributed by Grifols.	Categories of personal data: Identification data and personal characteristics¹. Contact details². Professional data³. Recipients: Grifols' group companies. Providers of products and services.	Legal obligation
To manage and control the registration, access, and use of resources available on websites, landing pages and apps.	Categories of personal data: Identification data and personal characteristics¹. Contact details². Professional data³. Recipients: Grifols' group companies. Providers of products and services.	Execution of a contract Consent (if no contract exists)
To contact data subjects with the intention of conducting surveys or similar activities carried out directly by Grifols or by service providers. These activities may involve the communication of certain data with said providers.	Categories of personal data: Identification data and personal characteristics¹. Contact data². Professional data³. Recipients: Grifols' group companies. Providers of products and services.	Consent Legitimate interest
To deal with, manage, evaluate and award, in accordance with internal policies and procedures, sponsorships, grants and donations for the implementation of projects of a diverse nature.	Categories of personal data: Identification data and personal characteristics¹. Professional data². Recipients: Grifols' group companies. Providers of products and services.	Legitimate interest
The capture, recording and use of images, voice and other identifying features including images and audiovisual recordings of oneself for the purposes described in the authorisation document or in another communication with similar characteristics. Such recordings may include data on the health status of the data subjects, if they are patients. In accordance with Section 7, data subjects may withdraw their consent to the processing of their personal data for direct marketing purposes.	Categories of personal data: Identification data and personal characteristics¹. Special category data⁵. Recipients: Grifols' group companies. Providers of products and services.	Consent

Without prejudice to the categories of personal data listed in the table above, we inform you that the categories of personal data processed in order to comply with legal obligations may differ depending on the jurisdiction of the data controller.

3.1. Additional information about the lawful basis to process personal data

The table above shows the applicable lawful basis to process personal data by purpose. In this section, you can find additional details of the lawfulness of the processing.

Consent: data subjects may provide their consent through the data collection forms, by clicking acceptance buttons or ticking boxes, replying to e-mails or making any other affirmative clear action. Data subjects may withdraw their consent at any time, as set out in Section 6.
Legitimate interest (of Grifols or any third parties): Grifols is interested in contributing to the advancement of scientific knowledge and research in a secure environment with the aim of guaranteeing people's health, as well as initiatives for social purposes related to its stakeholders through scholarships, sponsorships and donations. Therefore, Grifols pursues the following legitimate interests which override the fundamental rights and freedoms of the data subjects, given that the processing is within the data subjects' reasonable expectations based on their relationship with Grifols:
- Daily management of a multinational group of companies and internal administration, which means sharing information with the companies of the Grifols' group, and
- Creation of a secure information system infrastructures for preventing unlawful or malicious activities that may compromise the personal data stored in the information systems.

In any event, data subjects may request further information on the legitimate interest or exercise their right to object to the processing of their personal data based on legitimate interest by addressing their request to privacy@grifols.com.

Legal obligation: Grifols needs to process the personal data to comply with legal obligations. Failure to provide the personal data requested could result in the impossibility for Grifols to comply with such legal obligations.

Section 7 mentions the legislation that requires the processing of personal data applicable to Grifols.

Execution of a contract: failure to provide the personal data requested by Grifols could result in the impossibility of executing or maintaining such contract.

3.2. Recipients of personal data

The following is a list of the different categories of recipients to whom Grifols may provide the personal data identified by purpose in the table in Section 3, and additional information about them, where applicable:

Grifols' group of companies: the list is available here.
Providers of products and services: for example, IT service providers, marketing agencies, photographers, camera operators or other media agencies, among others.

Grifols' website may include social network plugins, which can be recognised by the social network's logo or name, so that users can access Grifols' profile on these platforms. By clicking these buttons, users' personal data (including, IP address and browsing data) will be transferred to the providers of said social networks. Grifols will not be liable for any further processing theta the providers of the social networks may carry out with this personal data. The purpose and scope of the collection of data and its subsequent processing and use by the providers of these social networks, as well as the related rights and the possibilities of configuring privacy settings can be consulted in the data protection information of each of these companies.

The owners of the media in which the images are included.
Potential investors or purchasers.

Grifols will endeavour that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed in countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards (e.g. the standard contractual clauses included in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, if GDPR is applicable). Specific information on the appropriate safeguards applicable to each international data transfer can be obtained from Grifols at privacy@grifols.com.

Grifols does not share personal data with any other third party unless required by the applicable law or authorised by the data subject.

4. Retention period

Grifols will retain the personal data for the time strictly necessary for the fulfilment of the purposes for which it has been collected or, if applicable, until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

5. Sources of personal data

If the data subjects do not provide Grifols with their personal data directly, Grifols may obtain personal data directly from the applicant's personal data in the case of grants, donations and sponsorships.

Should data subjects provide personal data of third parties for the purpose of executing and maintaining a contractual relationship, the data subjects must inform these third parties in advance of the processing of their personal data by providing them with a copy of this data protection notice.

6. Data protection rights

The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.

Rights

Access

Content: You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.

Rectification

Content: You may request the rectification of your personal data if inaccurate.

Erasure

Content: You may request the erasure of your persona data.

Objection

Content: You may request that your personal data is not processed under specific circumstances.

Portability

Content: You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.

Restriction of processing

Content

You may request a restriction on how your personal data is processed when:

the accuracy of the personal data is being verified after you have contested its accuracy.
processing your personal data is unlawful and you object to its erasure.
Grifols does no longer need the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.

Withdrawal of consent

Content: You may withdraw your consent without affecting the lawfulness of the processing based on consent before its withdrawal.

Rights	Content
Access	You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.
Rectification	You may request the rectification of your personal data if inaccurate.
Erasure	You may request the erasure of your persona data.
Objection	You may request that your personal data is not processed under specific circumstances.
Portability	You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.
Restriction of processing	You may request a restriction on how your personal data is processed when: the accuracy of the personal data is being verified after you have contested its accuracy. processing your personal data is unlawful and you object to its erasure. Grifols does no longer need the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim. you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.
Withdrawal of consent	You may withdraw your consent without affecting the lawfulness of the processing based on consent before its withdrawal.

You may exercise, when appropriate, your data protection rights by, for example, sending a written communication to Grifols at privacy@grifols.com with the subject line "General requests". To that end, Grifols may request further information or documents if necessary or convenient to identify you.

For residents in the United States, please contact the Privacy Office at US-PrivacyRights@Grifols.com.

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of business, or place of the alleged infringement.

7. Specific provisions

Brazil
When Grifols Brasil Ltda. is the data controller, see full privacy notice here.

United States
You can check the privacy notice here.

France
When Grifols France S.A.R.L. is the data controller, the data subjects have the right to provide guidance on the management of their data after death.

Portugal
When Grifols Portugal – Produtos Farmacêuticos e Hospitalares, Lda. Is the data controller, the data subjects have the right to provide guidance on the management of their data after their death. When guidance on the management of their data has not been provided by the deceased data subjects, the data protection rights defined in Section 6 may be carried out by their heirs. The data subjects may also determine the impossibility of exercising these rights after their death.

When there is a legal obligation of secrecy, the rights of the data subjects cannot be exercised.

United Kingdom
All references throughout the document to the GDPR also refer to, as applicable, the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland.

People's Republic of China
Mainland China: when your personal data is being processed by any Grifols' group company in mainland of the People's Republic of China, the addendum available here applies to you. The addendum is set out in addition to and forms an integral part of this privacy notice.

Thailand
When Grifols (Thailand) Ltd. is the data controller, see full privacy notice here.

European Union
The legal bases for processing the personal data identified in Section 3 are regulated in the following provisions of the GDPR:

Consent: Article 6(1)(a) of the GDPR
Performance of a Contract: Article 6.1(b) of the GDPR
Legitimate interest (of Grifols and/or any third party): Article 6.1(f) of the GDPR
Legal obligation: article 6.1(c) of the GDPR

The legal obligation referred to in Section 3 is regulated in Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the community code relating to medicinal products for human use and any other applicable regulations implementing, developing, complementing and replacing the aforementioned.

The processing of special categories of personal data is based on the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Last update: July 2024

Privacy notice available in other languages

DE - Allgemeiner datenschutzhinweis

ENG - General Privacy Notice

ESP - Aviso de protección de datos general

FR - Notice d'information Gènèrale

ZH - 一般隐私声明