
For a leading innovative, science- and technology-driven company such as ours, compliant handling of information is of utmost importance. When using personal data, the individuals’ rights must be appropriately protected. In this regard, we strive to safeguard the rights of any person whose data we process, including but not limited to our employees, patients, customers, healthcare professionals, suppliers, visitors, and other business partners.

Our approach to data privacy

The mandate and goal of our Group Data Privacy unit is to mitigate risks and create a global framework for data privacy-compliant business operations. This unit helps to build our employees’ capacity to handle data correctly and with clear accountability, and it safeguards our company by providing data privacy risk assurance. Group Data Privacy also contributes to creating value for the development of digital business models.

How we ensure data privacy

Group Data Privacy is part of our global Group Compliance and Data Privacy function. As required by law, this unit acts independently. As part of our compliance reporting, it prepares frequent data privacy updates as well as a regular, comprehensive data privacy report. This report is part of the compliance report submitted to the Executive Board and the Supervisory Board. In addition to the Group Data Privacy unit with a Group Data Privacy Officer who reports centrally, we also have a network of Local Data Privacy Officers at various sites Group-wide.

Our goal is to establish a fully global and consistent Data Privacy Management System (DPMS) by the end of 2022. It will be based on the following three pillars: Data Privacy portfolio, people and communication. The Data Privacy portfolio will consist of eight key processes and topics broken down into 26 detailed sub-elements, thus covering all elements of a functioning DPMS in line with legal requirements and industry standards.

Our DPMS applies elements similar to those of the compliance portfolio, adapted to the needs of data privacy. These include policies and procedures, risk assessment and documentation, training and awareness, programs and tools, individuals’ requests, monitoring and reporting, incident management, and continuous improvement.

Ensuring IT security

It is essential for our business that we also protect our information systems, their contents and our communication channels against criminal or unwanted activities of any kind, such as e-crime and cyberattacks, including unauthorized access, information leakage and misuse of data or systems. Our Group and IT Security units maintain organizational, process-related and technical information security countermeasures based on recognized international standards. We employ harmonized electronic and physical security measures (e.g. access control) to bolster our ability to handle sensitive data, such as trade secrets.

Our commitment: guidelines and standards

Our Data Privacy Policy and the corresponding standards and procedures define our principles and standards for processing personal data. This approach allows us to achieve a high level of data protection for our employees, contract partners, customers, and suppliers as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European legislation, in particular the European Union General Data Protection Regulation (EU GDPR). We also take steps to meet local data privacy requirements where these are stricter than our Group-wide standards.

Data privacy training

In line with the EU GDPR and our global approach to ensuring data privacy, we regularly conduct e-learning training courses in ten languages. An update to this training course is planned for the first quarter of 2021. Additionally, Local Data Privacy Officers complement the execution of our Group-wide training plan by conducting training for specific target groups.

IT tools for documentation

We maintain a central IT tool to provide a single source for data privacy processes, such as registering data processing activities and reporting potential data privacy incidents. This tool will be redesigned in 2021. Additionally, we use our company intranet for further communication, including answering data privacy questions and providing standardized templates. We registered no sanctioned complaints or incidents concerning breaches of customer privacy, leaks, thefts, or losses of customer data in 2020. In three cases, minor personal data breaches were reported to the supervisory authority; these were not sanctioned.

Security
This term stands for all necessary measures and governance activities to detect, analyze, handle, and mitigate security- and crime-based threats to the company. This helps to protect employees as well as the tangible and intangible assets of the company.
