Grifols Ethics Line - Privacy Notice

Privacy notice available in other languages.

Grifols is a global healthcare group founded in Barcelona in 1909 committed to improving the health and well-being of people around the world. Its three main business units – Biopharma, Diagnostic and Bio Supplies – develop, produce and market innovative solutions and services in more than 100 countries.

Grifols respects the privacy rights of all data subjects who entrust Grifols with their personal data and is committed to complying with the data protection regulations applicable in each country.

This privacy notice has been prepared in accordance with the European General Data Protection Regulation (the "GDPR") and applicable privacy and data protection laws; see Section 7 for specific provisions. It outlines Grifols' data collection practices and data subjects' rights in the context of Grifols' collection, use and sharing of their personal data.

This privacy notice applies to the processing of personal data of (a) the individuals reporting questions, doubts or potential violations of laws, rules and regulations as well as internal policies and procedures, (b) the reported individuals, and (c) any other third persons involved in said report.

1. Identification of the data controller(s)/owner(s) of the personal data

The joint data controllers/owners are Grifols, S.A. together with the Grifols' group company based in the country from which the report is received or to which it relates.

The identity and contact details of the Grifols' group companies are available here. The Grifols' group company/ies acting as joint controllers will be referred to as "Grifols".

2. Identification of the data protection officer

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols' compliance with the data protection legislation and best protect your rights under such legislation. You may contact the data protection officer at dpo@grifols.com, unless the data controllers are Grifols Deutschland GmbH or Haema AG, in which case you may contact the data protection officer of each of these companies at dsb@grifols.com and dsb@haema.de, respectively.

Data subjects may, if they so wish, ask the data protection officer for more information on the essential aspects of the joint controllership agreement resulting from what is set out in Section 1.

3. Purposes, lawful basis for processing, categories and recipients of personal data

Purpose

To manage and document individuals' reports addressing questions, doubts or potential violations of laws, rules and regulations as well as internal policies and procedures, including the relevant assessment of the facts reported and the adoption of the corresponding disciplinary measures and appropriate legal actions against the offenders.

Categories of personal data and recipients

Categories of personal data:

- Identification data and personal characteristics [1].
- Private contact data [2].
- Professional data [3].
- Special categories of personal data [4].
- Criminal data (potential violations of laws, rules and regulations as well as internal policies and procedures).

Recipients:

  • Grifols' group companies.
  • Providers of products and services.
  • Public bodies.

Lawful basis

Legal obligation

Public interest: when Grifols (a) is not legally required to have a whistleblowing system, and (b) shares the results of its own investigations with public organizations or other organizations vested with such public authority.

Legitimate interest: when sharing with Grifols' group companies for internal administrative purposes.

Consent: to document verbal reports.

[1] For example, name, last name and the personal characteristics in the factual description of the issue.

[2] For example, private phone number, e-mail address and address.

[3] For example, the condition of employee or not, title/position and place of work.

[4] For example, health data, sex life and sexual orientation, racial or ethnic origin, political opinions, trade union membership, genetic data, biometric data and religious or philosophical beliefs.

Without prejudice to the categories of personal data shown in the table above, please be informed that the categories of personal data that are processed for compliance with legal obligations may differ depending on the jurisdiction of the relevant data controller.

 

3.1. Additional information about the lawful basis to process personal data

The table above shows the applicable lawful basis to process the personal data by purpose. In this section, you can find additional details of the lawfulness of the processing:

  • Legal obligation: applies when processing personal data is necessary to comply with the legal obligations that apply to Grifols. Section 7 includes details of the specific regulations applicable to Grifols that require the processing of personal data. Failure to provide the personal data requested could result in Grifols being unable to comply with such legal obligations.
  • Public interest: Grifols needs to process the personal data for the performance of a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interest (of Grifols and/or any third party): Grifols needs to detect, assess and prevent infringements of applicable laws, regulations and internal policies and procedures in accordance with its corporate principles and values. Therefore, Grifols pursues the following legitimate interests which override the fundamental rights and freedoms of the data subjects, given that the processing is within the data subjects' reasonable expectations based on their relationship with Grifols:
    • Prevention of fraud, and
    • Daily management of a multinational group of companies and internal administration, which means sharing information with the companies of the Grifols group.

In any event, data subjects may request further information on the legitimate interest or exercise their right to object to the processing of their personal data based on legitimate interest by addressing their request to privacy@grifols.com.

  • Consent: it must be obtained through a clear affirmative action, for example, by clicking acceptance buttons or similar, and for a particular purpose. Data subjects may withdraw their consent at any time, as detailed in Section 6. Data subjects' refusal to grant the consent requested will not negatively affect their contractual relationship with Grifols.

The processing of special categories of personal data and data related to criminal convictions and offences is permitted only according to the regulations in each country. See Section 7 for details.

 

3.2. Recipients of personal data

The table above shows categories of recipients with whom Grifols may share personal data by purpose. This section includes additional information regarding these recipients when applicable:

  • Grifols' group of companies: The list is available here.
  • Providers of products and services: for example, information technology providers and lawyers. 
  • Public bodies: for example, governmental organizations, police or judicial authorities.

Grifols will endeavour that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed in countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards (e.g. the standard contractual clauses included in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021) to carry out such international data transfers in accordance with the applicable data protection legislation. Specific information on the appropriate safeguards applicable to each international data transfer can be obtained from Grifols at privacy@grifols.com.

Grifols does not share personal data with any other third party unless it is authorised by the data subject or required by the applicable law.

4. Retention period

Grifols will retain the personal data for the time strictly necessary for the fulfilment of the purposes for which it has been collected or, if applicable, until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

5. Sources of personal data

If data subjects do not directly provide Grifols with their personal data, Grifols may obtain the personal data from the reporter and third persons involved in the report (e.g. managers/supervisors and witnesses).

If the individual making the report provides personal data of any third parties, Grifols will provide this privacy notice to said third parties. The provision of this privacy notice to these third parties could be delayed if Grifols, after a case-by-case analysis, considers that providing this information at an early stage could affect the investigation.

6. Data protection rights

The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.

Right Content

Access

You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.

Rectification

You may request the rectification of your personal data if inaccurate.

Erasure

You may request the erasure of your personal data.

Objection

You may request that your personal data is not processed under specific circumstances.

Portability

You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.

Restriction of processing

You may request a restriction on how your personal data is processed when:

  • the accuracy of the personal data is being verified after you have contested its accuracy.
  • processing of your personal data is unlawful and you object to its erasure.
  • Grifols no longer needs the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
  • you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.

Withdrawal of consent

You may withdraw your consent without affecting the lawfulness of the processing based on consent before its withdrawal.

You may exercise, when appropriate, your data protection rights by, for example, sending a written communication to Grifols at privacy@grifols.com with the subject line "Whistleblowing". To that end, Grifols may request further information or documents if necessary and appropriate to identify you.

For residents in the United States please contact the Privacy Office at US-PrivacyRights@Grifols.com.

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.

7. Specific Provisions

Austria

The rights of information, access, rectification, erasure, restriction of processing and notification of personal data breaches will not apply in circumstances where it is required to protect the identity of an individual or to avoid obstructing or undermining follow-up measures, in particular during the term of investigative, administrative or judicial proceedings.

 

Czech Republic

The legal obligation referred to in Section 3 is regulated in the Czech Act No. 171/2023 of 2 June 2023.

 

European Union

The lawful bases to process personal data identified in Section 3 are regulated in the following provisions of the GDPR:

  • Legal obligation: article 6.1(c) of GDPR
  • Public interest: article 6.1(e) of GDPR
  • Legitimate interest (of Grifols and/or any third party): article 6.1(f) of GDPR
  • Consent: article 6.1(a) of GDPR

The processing of special categories of personal data is based on the establishment, exercise or defence of legal claims (article 9.2(f) of the GDPR), or reasons of substantial public interest on the basis of the Whistleblowing Directive and its implementing local regulations (article 9.2(g) of the GDPR).

The processing of personal data related to criminal convictions and offences is permitted only under the control of official authority or covered by the fulfilment of legal obligations (article 10 of the GDPR).

The legal obligation referred to in Section 3 is regulated in the Directive 2019/1937 on the Protection of Whistleblowers and in the transposed EU members' national laws.

 

France

The legal obligation referred to in Section 3 is regulated in the Law No. 2022-401 of 21 March 2022.

When Grifols France S.A.R.L. is the data controller, the data subjects have the right to provide guidance on the management of their data after their death.

 

Italy

Data subjects' rights may not be addressed if actual and concrete prejudice to the confidentiality of the whistleblower's identity is conceivable. The reported data subject may, however, exercise their rights through the Garante (Italian Data Protection Authority), pursuant to article 160 of the Italian Privacy Code, as provided for in the third paragraph of article 2-undecies of the Privacy Code.

The legal obligation referred to in Section 3 is regulated in the Whistleblower Protection Law (179/2017).

 

Ireland

The legal obligation referred to in Section 3 is regulated in the Protected Disclosures (Amendment) Act of 2022.

 

Portugal

The legal obligation referred to in Section 3 is regulated in the Law No. 93/2021 of 20 December.

When Grifols Portugal – Produtos Farmacêuticos e Hospitalares, Lda. is the data controller, the data subjects have the right to provide guidance on the management of their data after their death. When guidance on the management of their data has not been provided by the deceased data subjects, the exercise of their data protection rights defined in Section 6 may be carried out by their heirs. The data subjects may also determine the impossibility of exercising these rights after their death.

When there is a legal obligation of secrecy, the rights of the data subjects cannot be exercised.

 

People's Republic of China

Mainland China: when data subjects' personal data is being processed by any Grifols' group company in the mainland of the People's Republic of China, the addendum available here applies to the data subject. The addendum is set out in addition to and forms an integral part of this privacy notice.

 

Spain

The legal obligation referred to in Section 3 is regulated in Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.

Without prejudice to Section 3.2, the identity of the individuals making the report shall in any case be kept confidential and shall not be communicated to the persons to whom the facts reported relate or to third parties.

In the event that the data subject to whom the facts relate in the report exercises the right to object, it shall be presumed, in the absence of proof to the contrary, that there are compelling legitimate grounds for the processing of his or her personal data.

 

Sweden

The legal obligation referred to in Section 3 is regulated in the Whistleblowing Act (Swedish Act (2021:890) on special protection against reprisals for workers who report irregularities).

 

United Kingdom

All references throughout the document to the GDPR also refer to, as applicable, the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland.

Last update: July 2024
