Austria
The rights of information, access, rectification erasure, restriction of processing and notification of personal data breaches will not result applicable in circumstances where it is required to protect the identity of an individual or to avoid obstructing or undermining follow-up measures, in particular during the term of investigative, administrative or judicial proceedings.
Czech Republic
The legal obligation referred to in Section 3 is regulated in the Czech Act No. 171/2023 of 2 June 2023.
European Union
The lawful basis to process personal data identified in Section 3 are regulated in the following provisions of the GDPR:
- Legal obligation: article 6.1(c) of GDPR
- Public interest: article 6.1 (e) of GDPR
- Legitimate interest (of Grifols and/or any third party): article 6.1(f) of GDPR
- Consent: article 6.1(a) of GDPR
The processing of special categories of personal data is based on the establishment, exercise or defence of legal claims (article 9.2(f) of the GDPR), or reasons of substantial public interest on the basis of the Whistleblowing Directive and its implementing local regulations (article 9.2(g) of the GDPR).
The processing of personal data related to criminal convictions and offences is permitted only under the control of official authority or covered by the fulfilment of legal obligations (article 10 of the GDPR).
The legal obligation referred to in Section 3 is regulated in the Directive 2019/1937 on the Protection of Whistleblowers and in the transposed EU members' national laws.
France
The legal obligation referred to in Section 3 is regulated in the Law No. 2022-401 of 21 March 2022.
When Grifols France S.A.R.L. is the data controller, the data subjects have the right to provide guidance on the management of their data after their death.
Italy
Data subjects' rights may not be addressed if actual and concrete prejudice to the confidentiality of the whistleblower's identity is conceivable. The reported data subject may, however, exercise their rights through the Garante (Italian Data Protection Authority), pursuant to article 160 of the Italian Privacy Code, as provided for in the third paragraph of article 2-undecies of the Privacy Code.
The legal obligation referred to in Section 3 is regulated in the Whistleblower Protection Law (179/2017).
Ireland
The legal obligation referred to in Section 3 is regulated in the Protected Disclosures (Amendment) Act of 2022.
Portugal
The legal obligation referred to in Section 3 is regulated in the Law No. 93/2021 of 20 December.
When Grifols Portugal – Produtos Farmacêuticos e Hospitalares, Lda. is the data controller, the data subjects have the right to provide guidance on the management of their data after their death. When guidance on the management of their data has not been provided by the deceased data subjects, the exercise of their data protection rights defined in Section 6 may be carried out by their heirs. The data subjects may also determine the impossibility of exercising these rights after their death.
When there is a legal obligation of secrecy, the rights of the data subjects cannot be exercised.
People's Republic of China
Mainland China: when data subjects' personal data is being processed by any Grifols' group company in mainland of the People's Republic of China, the addendum available here applies to the data subject. The addendum is set out in addition to and forms an integral part of this privacy notice.
Spain
The legal obligation referred to in Section 3 is regulated in Law, 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.
Without prejudice to Section 3.2, the identity of the individuals making the report shall in any case be kept confidential and shall not be communicated to the persons to whom the facts reported relate or to third parties.
In the event that the data subject to whom the facts relate in the report exercises the right to object, it shall be presumed, in the absence of proof to the contrary, that there are compelling legitimate grounds for the processing of his or her personal data.
Sweden
The legal obligation referred to in Section 3 is regulated in the Whistleblowing Act (Swedish Act (2021:890) on special protection against reprisals for workers who report irregularities).
United Kingdom
All references throughout the document to the GDPR also refer to, as applicable, the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland.