Annual Report 2021

Data protection and privacy

The mandate and goal of our Group Data Privacy unit is to mitigate risks and create a global framework for data privacy-compliant business operations. This unit helps to train our employees to handle data responsibly and with clear accountability. It safeguards our company by providing data privacy risk assurance and compliance with relevant data privacy laws globally. Group Data Privacy also contributes to creating value for the development of digital business models.

Roles and responsibilities

Group Data Privacy is part of our global Group Compliance and Data Privacy function. In addition, we have a Group Data Privacy Officer and a network of local Data Privacy Officers at various sites Group-wide. In line with external regulations, the Data Privacy Officers act independently. As part of our compliance reporting, Group Data Privacy regularly prepares data privacy updates as well as a comprehensive data privacy report. This report is part of the compliance report submitted to the Executive Board and the Supervisory Board.

Our Data Privacy Management System

Our goal is to establish a global and consistent Data Privacy Management System (DPMS) by the end of 2022. It will be based on the following three pillars: Data Privacy portfolio, people, and communication. The Data Privacy portfolio consists of eight key elements, covering all parts of a functioning DPMS, in line with legal requirements and industry standards. In 2021, we rolled out the revised Data Privacy Policy and Data Breach Standard and updated the e-learning environment amongst other deliverables.

Ensuring IT security

It is vital for our businesses that we protect our information systems, their contents, and our communication channels against criminal or unwanted activities of any kind, such as e-crime and cyberattacks, including unauthorized access, information leakage, and misuse of data or systems. Our Group Security and IT Security units maintain organizational, process-related, and technical information security countermeasures based on recognized international standards. We employ harmonized electronic and physical security controls (e.g. access control, security monitoring) to bolster our ability to handle sensitive data, such as trade secrets.

Our commitment: Guidelines and standards

Our Data Privacy Policy and the corresponding standards and procedures define our principles for processing personal data. This approach allows us to achieve a high level of data protection for our employees, contract partners, customers and suppliers as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European legislation, in particular the European Union General Data Protection Regulation (EU GDPR). We also take steps to meet local data privacy requirements, where these are stricter than our Group-wide standards.

Training and IT tools

In line with the EU GDPR and our global approach to data privacy, we regularly conduct e-learning training courses in ten languages. We launched a content update to this training course in May 2021.

We maintain a central IT tool to provide a single source for data privacy processes, such as registering data processing activities and reporting potential data privacy incidents. In 2021, we began implementing a new, enhanced tool, which is expected to go live in 2022.

We registered no sanctioned complaints or incidents concerning breaches of customer privacy, data leaks, theft, or loss of customer data in 2021. In three cases, minor personal data breaches were reported to the supervisory authority. These were not sanctioned.

Data Privacy

                                                                          2018   2019¹   2020   2021 Group   2021 thereof: Merck KGaA, Darmstadt, Germany
Reported violations of Data Privacy Guidelines                               1       1      3            3                                              1

Customer Privacy²
Total number of substantiated complaints received from outside parties       0       0      0            0                                              0
Total number of complaints from regulatory bodies                            0       1      0            0                                              0
Total number of identified leaks, thefts, or losses of customer data         1       1      0            0                                              0

¹ Since 2019, our reported figures have excluded the Consumer Health business, which was divested on December 1, 2018.

² These data only reflect incidents classified as significant.
