Notification of Adverse Events

Privacy notice available in other languages

Grifols is a global healthcare group founded in Barcelona in 1909 committed to improving the health and well-being of people around the world. Its three main business units – Biopharma, Diagnostic and Bio Supplies – develop, produce and market innovative solutions and services in more than 100 countries.

Grifols respects the privacy rights of all data subjects who entrust Grifols with their personal data and is committed to complying with the data protection regulations applicable in each country.

This privacy notice has been prepared in accordance with the European General Data Protection Regulation (the "GDPR") and applicable privacy and data protection laws; see Section 7 for specific provisions. It outlines Grifols' data collection practices and the data subjects’ rights in the context of Grifols collection, use and sharing of their personal data.

This privacy notice applies to the processing of personal data of the (a) individuals reporting an adverse event related to Grifols' products, (b) the individuals suffering the adverse event, and (c) healthcare professionals involved in the adverse event. For the purpose of this privacy notice, "data subject" refers to three types of individuals.

1. Identification of the data controller(s)/owner(s) of the personal data

The data controllers/owners are:

the Grifols' group company that holds a marketing authorization of the pharmaceutical product in any given territory or the Grifols' group company with pharmacovigilance functions at a national level, or
the Grifols' group companies acting as sponsor of clinical trials jointly with Grifols Worldwide Operations Ltd.

The identity and contact details of the Grifols' companies that are marketing authorization holders, that hold pharmacovigilance functions at national level and/or that are clinical trial sponsors in a specific country are available here. These Grifols’ companies will be collectively referred to as "Grifols".

2. Identification of the data protection officer

The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols’ compliance with the data protection legislation and best protect your rights under such legislation. You may contact the data protection officer at dpo@grifols.com, unless the data controller is Grifols Deutschland GmbH, in which case you may contact the data protection officer at dsb@grifols.com

The data subjects may ask, if they wish so, the data protection officer for more information on the essential aspects of the joint controllership agreement resulting from what is set out in Section 1.

3. Purposes, lawful basis for processing, categories and recipients of personal data

Purposes

To comply with all pharmacovigilance related obligations as a pharmaceutical company, including without limitation:
- Continuous monitoring of the pharmacovigilance data submitted, including its scientific evaluation of risks;
- Ensuring the quality, integrity and completeness of the information submitted on the risks of medicinal products, and
- Effective communication with the data subjects and competent authorities.

Categories of personal data and recipients

Categories of personal data:

For reporters of an adverse event and healthcare professionals involved in the adverse event:

Identification data¹.
Contact data².
Professional data³.

For individuals exposed to the adverse event:

Demographic data⁴.
Data related to the product.
Special categories of personal data⁵.

Recipients:

Grifols' group of companies (pharmacovigilance teams and any other competent teams).
Providers of products and services.
Public or private organizations

Lawful basis: Legal obligation
Vital interest
Public interest
Legitimate interest

To carry out maintenance tasks in websites, landing pages and apps to offer a secure environment to users.

Categories of personal data and recipients

Categories of personal data:

Browsing history data⁶.

Recipients:

Grifols' group of companies.
Providers of products and services.

Lawful basis: Legitimate interest

To manage corporate reorganization activities.

Categories of personal data and recipients

Categories of personal data:

Identification data¹.
Contact data².
Professional data³.
Demographic data⁴.
Special categories of personal data⁵.
Browsing history data⁶.

Recipients:

Grifols' group of companies.
Providers of products and services.

Lawful basis: Legitimate interest

¹ For example, name, last name and relationship with the patient.
² For example, phone number, e-mail address and location.
³ For example, phone number, e-mail address, job position and place of work.
⁴ For example, gender, age in years and country.
⁵ For example, race/ethnic origin, health data and factual description of the adverse event.
⁶ For example, IP address, device or user ID, browser type and version, visited sections, country from which the connexion is made.

¹ For example, name, last name and relationship with the patient.
² For example, phone number, e-mail address and location.
³ For example, phone number, e-mail address, job position and place of work.
⁴ For example, gender, age in years and country.
⁵ For example, race/ethnic origin, health data and factual description of the adverse event.
⁶ For example, IP address, device or user ID, browser type and version, visited sections, country from which the connexion is made.
Purposes	Categories of personal data and recipients	Lawful basis
To comply with all pharmacovigilance related obligations as a pharmaceutical company, including without limitation: Continuous monitoring of the pharmacovigilance data submitted, including its scientific evaluation of risks; Ensuring the quality, integrity and completeness of the information submitted on the risks of medicinal products, and Effective communication with the data subjects and competent authorities.	Categories of personal data: For reporters of an adverse event and healthcare professionals involved in the adverse event: Identification data¹. Contact data². Professional data³. For individuals exposed to the adverse event: Demographic data⁴. Data related to the product. Special categories of personal data⁵. Recipients: Grifols' group of companies (pharmacovigilance teams and any other competent teams). Providers of products and services. Public or private organizations	Legal obligation Vital interest Public interest Legitimate interest
To carry out maintenance tasks in websites, landing pages and apps to offer a secure environment to users.	Categories of personal data: Browsing history data⁶. Recipients: Grifols' group of companies. Providers of products and services.	Legitimate interest
To manage corporate reorganization activities.	Categories of personal data: Identification data¹. Contact data². Professional data³. Demographic data⁴. Special categories of personal data⁵. Browsing history data⁶. Recipients: Grifols' group of companies. Providers of products and services.	Legitimate interest

Without prejudice of the categories of personal data shown in the table above, please be informed that the categories of personal data that are processed for compliance with legal obligations may differ depending on the jurisdiction of the relevant data controller.

3.1. Additional information about the lawful basis to process personal data

The table above shows the applicable lawful basis to process the personal data by purpose. In this section, you can find additional details of the lawfulness of the processing:

Legal obligation: Grifols needs to process the requested personal data to comply with legal obligations. Failure to provide the personal data requested could result in the impossibility for Grifols to comply with such legal obligations. Section 7 includes details of the specific regulations applicable to Grifols that require the processing of personal data.
Vital interest: Grifols needs to process patients' personal data suffering an adverse event to protect his/her vital interest, even where the patient has not been notified due to its health condition.
Public interest in the area of public health: the processing of special categories of personal data (e.g. race/ethnic origin or health data, including the factual description of the adverse event) is based on reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices on the basis of applicable law on pharmacovigilance.
Legitimate interest of Grifols and/or third parties: Grifols is interested in contributing to the advancement of medicinal products in a secure environment with the aim of guaranteeing people's health. Therefore, Grifols pursues the following legitimate interests which override the fundamental rights and freedoms of the data subjects, given that the processing is within the data subjects' reasonable expectations based on their relationship with Grifols:
- Daily management of a multinational group of companies and internal administration, which means sharing information with the companies of the Grifols' group, and
- Creation of a secure information system infrastructure for preventing unlawful or malicious activities that may compromise the personal data.

In any event, data subjects may request further information on the legitimate interest or exercise their right to object to the processing of their personal data based on legitimate interest by addressing their request to privacy@grifols.com.

3.2. Recipients of personal data

The table above shows categories of recipients with whom Grifols may share personal data by purpose. This section includes additional information regarding these recipients when applicable:

The following Grifols' group of companies:

Company name

Grifols, S.A.

Country: Spain

Contact Details: Avenida de la Generalitat, 152, 08174, Sant Cugat del Valles (Barcelona)

Instituto Grifols, S.A.

Country: Spain

Contact Details: Polígono Levante, Calle Can Guasch, s/n, 08150, Parets del Vallès (Barcelona)

Grifols Therapeutics LLC

Country: USA

Contact Details: 8368 US Hwy 70 West
Clayton, North Carolina
27520

Grifols Deutschland, GmbH.

Country: Deutschland

Contact Details: Colmarer Str. 22 60528 Frankfurt am Main

Grifols Biologicals, LLC.

Country: USA

Contact Details: Lillyvale Avenue Los Angeles, California 90032

Grifols Australia Pty, Ltd

Country: Australia

Contact Details: 5/80 Fairbank Rd. Clayton South, Victoria 3169

Company name	Country	Contact Details
Grifols, S.A.	Spain	Avenida de la Generalitat, 152, 08174, Sant Cugat del Valles (Barcelona)
Instituto Grifols, S.A.	Spain	Polígono Levante, Calle Can Guasch, s/n, 08150, Parets del Vallès (Barcelona)
Grifols Therapeutics LLC	USA	8368 US Hwy 70 West Clayton, North Carolina 27520
Grifols Deutschland, GmbH.	Deutschland	Colmarer Str. 22 60528 Frankfurt am Main
Grifols Biologicals, LLC.	USA	Lillyvale Avenue Los Angeles, California 90032
Grifols Australia Pty, Ltd	Australia	5/80 Fairbank Rd. Clayton South, Victoria 3169

Public or private organizations: for example, national or international competent health authorities, healthcare professionals or companies with whom Grifols has signed commercial and/or license agreements or who are responsible of assessing the pharmaceutical products, with the sole purpose of complying with the pharmacovigilance obligations.
Providers of products and services: for example, IT service providers, call center service providers, insurance providers, regulatory affairs agencies and clinical research organizations.
Potential investors or purchasers

Grifols will endeavor that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed in countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards (e.g., the standard contractual clauses included in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, if GDPR is applicable) to carry out such international data transfers in accordance with the applicable data protection legislation. Specific information on the appropriate safeguards applicable to each international data transfer can be obtained from Grifols at privacy@grifols.com.

Grifols does not share personal data with any other third party unless it is authorized by the data subject or required by the applicable law.

4. Retention period

Grifols will retain the personal data for the time strictly necessary for the fulfilment of the purposes for which it has been collected or, if applicable, until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.

5. Sources of personal data

If you do not directly provide Grifols with your personal data, Grifols may obtain your personal data from the reporter or patient's healthcare professional. The personal data of the healthcare professional could be obtained from the reporter or from any other third person.

6. Data protection rights

The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.

Rights

Access

Content: You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.

Rectification

Content: You may request the rectification of your personal data if inaccurate.

Erasure

Content: You may request the erasure of your personal data.

Objection

Content: You may request that your personal data is not processed under specific circumstances.

Portability

Content: You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.

Restriction of processing

Content

You may request a restriction on how your personal data is processed when:

the accuracy of the personal data is being verified after you have contested its accuracy.
processing of your personal data is unlawful and you object to its erasure.
Grifols no longer needs the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim.
you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.

Rights	Content
Access	You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.
Rectification	You may request the rectification of your personal data if inaccurate.
Erasure	You may request the erasure of your personal data.
Objection	You may request that your personal data is not processed under specific circumstances.
Portability	You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.
Restriction of processing	You may request a restriction on how your personal data is processed when: the accuracy of the personal data is being verified after you have contested its accuracy. processing of your personal data is unlawful and you object to its erasure. Grifols no longer needs the personal data for the purposes of processing it, but you need it in order to prepare, exercise or defend a legal claim. you have objected to the processing of the personal data for the performance of a task carried out in the public interest or necessary for the purposes of a legitimate interest, while verifying if Grifols' legitimate grounds override yours.

You may exercise, when appropriate, your data protection rights by, for example, sending a written communication to Grifols at privacy@grifols.com with the subject line "Pharmacovigilance – Adverse Events Notification". To that end, Grifols may request further information or documents if necessary and appropriate to identify you.

In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.

7. Specific Provisions

European Union

The lawful basis to process personal data identified in Section 3 are regulated in the following provisions of the GDPR:

Vital Interest: (article 6.1(d) of GDPR)
Legitimate interest (of Grifols and/or any third party): article 6.1(f) of GDPR
Legal obligation: article 6.1(c) of GDPR.

The processing of special categories of personal data (e.g. race/ethnic origin or health data, including the factual description of the adverse event) is covered by public interest in the area of public health (article 9.2(i) of GDPR)

The legal obligation referred to in Section 3 regarding the performance of pharmacovigilance activities is regulated by:

Commission Implementing Regulation (EU) No. 520/2012 of 19 June 2012 on the performance of pharmacovigilance activities provided for in Regulation (EC) No. 726/2004 of the European Parliament and of the Council of 31 March 2004, and
Directive 2001/83/EC of the European Parliament and of the Council

and any applicable legislation supplementing or replacing these, including national laws.

People's Republic of China

Mainland China: when your personal data is being processed by any Grifols' group company in mainland of the People's Republic of China, the addendum available here applies to you. The addendum is set out in addition to and forms an integral part of this privacy notice.

France

When Grifols France S.A.R.L. is the data controller, the applicable lawful bases for processing personal data in the context of pharmacovigilance are exclusively the fulfilment of legal obligations (article 6 of GDPR) and the public interest in the area of public health (article 9 of GDPR). Also, the data subjects have the right to provide guidance on the management of their data after death.

Portugal

When Grifols Portugal – Produtos Farmacêuticos e Hospitalares, Lda. Is the data controller, the data subjects have the right to provide guidance on the management of their data after their death. When guidance on the management of their data has not been provided by the deceased data subjects, the exercise of the data protection rights defined in Section 6 may be carried out by their heirs. The data subjects may also determine the impossibility of exercising these rights after their death.

When there is a legal obligation of secrecy, the rights of the data subjects cannot be exercised.

United Kingdom

All references throughout the document to the GDPR also refer to, as applicable, the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland.

Last update: August 2024

Privacy notice available in other languages

DE – Datenschutzhinweis - Meldung unerwünschter Ereignisse

ES – Aviso de protección de datos – Notificación de reacciones adversas

FR – Notice d'information – Notification d'evenements sanitaires indesirables

IT - Informativa Privacy – Notificazione di reazioni avverse