Data Protection

GRI 418

As a globally operating company, we process the personal data of our patients, employees, customers, suppliers, business partners, and all other data subjects. We take responsibility for handling the data entrusted to us with care. This has priority for Fresenius as a trusted partner. We continuously enhance our data protection measures to fulfill our responsibility.

Our approach

Fresenius is committed to respect the right to informational self-determination and the privacy of all those from whom we receive or process data in the course of our business. This also includes the processing of personal data by third parties on our behalf. This commitment is set out in the Fresenius Code of Conduct.

Data protection is a core task for us at Fresenius. We therefore constantly work on developing our data protection management systems to tackle new challenges. Operational activities in the area of data protection management are the responsibility of the functional departments. The functional departments are supported by basic processes of our Data Protection Management Systems. In addition, selected processes are also supported by the compliance management systems, such as general risk assessments or investigation of possible data protection violations. We continuously work to fulfill the requirements of the EU General Data Protection Regulation (EU-GDPR) and other applicable national and international data protection regulations.

Risk assessment

We regularly assess risks related to data protection and IT security in every business segment, as well as at Fresenius SE & Co. KGaA, using standardized methods in a top-down approach. All business segments and Fresenius SE & Co. KGaA record their data processing activities in central IT applications and subject them to a data protection review, including a risk assessment. For this purpose, we organize business processes in such a way that data protection is integrated into the design of new data processing activities as early as possible. This allows us among others to implement the principles of data protection and include the necessary technical and organizational measures in processing to meet the legal requirements, e.g. from the GDPR and minimize potential risks. Implementation of new or significantly changed IT systems is subject to a standardized review process to examine the implementation of data protection and IT security requirements.

Data subject rights

We at Fresenius respect and protect the rights of all persons whose data we collect or process. This applies to employees, patients, customers, and our business partners as well as to other data subjects. We process personal data for the respective legal purposes in accordance with legal requirements. All business segments and Fresenius SE & Co. KGaA guarantee the rights of data subjects by informing them appropriately about their rights and through established processes and tools to ensure that requests are answered on time. We inform our employees on their rights through privacy employee notices. We inform data subjects about processing of their data and limit data processing to the originally agreed purposes. Where necessary, we also request consent for data processing activities. In addition, we have implemented technical and organizational measures to protect data subject rights according to the GDPR requirements. We offer data subjects – both outside and inside the company – an easy way to request information on their data processed or saved by us. To this end, Fresenius SE & Co. KGaA and Fresenius Kabi have developed easily accessible technical solutions that can be used to send data subject requests. These requests are handled and answered centrally. With these solutions, we support data subjects in timely exercising their rights to access, rectification, restriction, objection, portability and deletion of their personal data. We also process deletion requests in accordance with legal requirements.

Patient data

The patient’s well-being always comes first at Fresenius. This also applies in particular to how we handle their data. We are aware of our responsibility arising from the special bond of trust we have with them. Therefore, we take measures beyond the fundamental respect of data subject rights, to ensure the protection of their sensitive data. We design our processes accordingly to provide reasonable protection in the handling of our patients’ personal information. We inform all patients of whom we take care at Fresenius and whose data we process about their rights in an adequate manner. We process data of our patients only after obtaining consent or on another legal basis and only to the extent necessary. A privacy impact assessment is conducted for processing activities that involve processing of personal data, in particular patient data. We also protect patient data by restricting and limiting access to the data required for processing according to the principle of minimum access rights.

International data transfer

As a globally operating company, we give high priority to ensuring an appropriate level of data protection in all international data transfers as defined by the GDPR. All business segments and Fresenius SE & Co. KGaA only transfer data to third countries outside the European Union based on a potential adequacy decision of the European Commission, generally recognized certifications, or other legal safeguards. To this end, we conclude additional specific agreements on data processing with data recipients besides the regular commercial contracts. In these, we also contain EU model clauses provided by the European Commission. New developments in the area of international data transfer, such as the European Court of Justice ruling in the Schrems II case on the Privacy Shield, are closely monitored and considered in risk assessments. In addition, Fresenius SE & Co. KGaA and Fresenius Kabi submitted Binding Corporate Rules (BCR), i.e. mandatory internal guidelines, to the respective data protection authorities for review and approval and are already preparing their internal implementation. BCRs are used by the participating companies to establish a uniform level of data protection based on the standards of the GDPR and contribute to compliant processing of personal data in accordance with international law. In addition, Helios Germany processes personal data – especially patient data – preferably within its internal networks. Also, if data is processed in countries outside the European Union by third parties, the contractor will be examined carefully, and measures are implemented to guarantee compliance with privacy regulations.


We train employees on current requirements and threats in relation to data protection and data security. To this end, we offer them a comprehensive range of e-learning courses, face-to-face training, and additional training measures. General training is supplemented with training measures for specific employee groups. In this way, we ensure that employees responsible for data processing activities are aware of current legal and internal requirements.

We inform new employees about confidentiality and handling sensitive data when they start work and commit them to secrecy. As an example, new hired employees of Helios Germany are also given mandatory data protection training within a defined time period. Every Helios Germany and Fresenius Medical Care entity is required to provide evidence at least every two years that their employees are trained in data protection. Fresenius Vamed conducts a yearly mandatory training on data protection for employees.

Organization and responsibilities
Organizational structure

Fresenius SE & Co. KGaA and all business segments have established data protection organizations in accordance with their organizational and business structure. These include appointed independent Data Protection Officers who report to the respective company’s management. The data protection organizations support the management of the respective companies in complying with and monitoring applicable legal data protection requirements. Fresenius Netcare also maintains its own data protection organization in order to fulfill its particular responsibility as a data processor for the business segments. All data protection organizations have both advisory and monitoring functions with complementary tasks. The data protection officers are responsible to monitor compliance with data protection requirements. They are contact persons for national and international supervisory authorities and are supported by competent data protection advisors and coordinators. These advise all departments in operational data protection questions – because we understand data protection as a joint effort of all employees of the Fresenius Group. Depending on the business segment, data protection advisors are organized centrally, regionally, and locally. Helios Spain for example has established Data Protection Committees at clinic level. All data protection responsibles groupwide support managers in fulfilling data protection regulations. In total, more than 300 employees at Fresenius are entrusted with data protection tasks.

Data protection responsibles from all business segments and Fresenius SE & Co. KGaA exchange regularly on best practices and initiatives, for example in the context of Group Coordination Meetings and conferences, Jour Fixes and other formats, to establish comparable and effective data protection measures. In 2020, all exchanges have been organized virtually.

Involvement of the Management Board and reporting

The overall responsibility for data protection on the Fresenius Corporate level lies within the responsible Management Board member for Legal, Compliance and Human Resources of Fresenius Management SE. The Data Protection Officer of Fresenius SE & Co. KGaA has a direct reporting line to this Management Board member.

In addition, data protection is a regular topic in the Compliance Steering Committee, which the responsible Management Board member for Legal, Compliance and Human Resources is part of. The responsible Data Protection Officers of the four business segments regularly report to the respective management.

Guidelines and regulations

Data protection is a shared effort of all employees of the Fresenius Group. This is based on the joint commitment of all business segments and Fresenius SE & Co. KGaA to data protection, as specified in their Codes of Conduct. In the Fresenius Code of Conduct we state to acting with care when handling data and the right of the individual on their own information. We commit ourselves respect the rights and privacy of all persons about whom we collect or receive data.

Furthermore, all business segments and Fresenius SE & Co. KGaA have created policies for data protection and hand-ling personal data. The data protection policies are complemented by other guidelines, standards, and operating procedures These support our employees in implementing GDPR requirements and other relevant legal regulations within their area of responsibility.

Progress and measures 2020

To ensure structured and efficient handling of reported potential data breaches, Fresenius Kabi has implemented a guideline as well as a technical solution to receive such reports by employees, which were also part of dedicated training measures. Furthermore, the technical solutions for execution and documentation of risk assessments for processing activities, as well as for recording and processing data subject requests were enhanced.

Fresenius Vamed has its data protection management progress reviewed by an external law firm on a yearly basis. In 2020, the focus of Fresenius Vamed’ activities was on updating data processing agreements and registers of processing activities.

Fresenius Medical Care has rolled out a Global Privacy Awareness communication and awareness campaign. In 2020, Fresenius Medical Care continued to roll out their data privacy training as part of an international training program that provides details on their values and the measures they take to protect personal data. In 2020, they offered more than 160 training classes on data privacy to Fresenius Medical Care employees around the world.

Helios Germany has strengthened various aspects of its data protection management system in 2020. This included additional requirements and materials on risk assessments for data processing activities, a revision of the Helios audit concept and adjusted local and central reporting processes for risk assessments for data processing activities. In addition, a new central function for data protection questions in research has been created. Furthermore, processing of personal data in relation to COVID-19 as well as ensuring compliance of hospital information systems with data protection regulations have been key topics of the year.

Helios Spain has continued its roll-out of privacy impact assessments, including additional indicators on technological or information security risks and has created a company-wide training on data protection, which will be rolled out in 2021. New procedures on the investigation and processing of personal data, remote monitoring of clinical trials and data retention have been set up. In addition, Helios Spain has conducted multiple data protection related audits and achieved information security certifications in various hospitals.

Fresenius SE & Co. KGaA has continuously developed its data protection management system in 2020. Besides further improving the existing process for efficient assessment of potential data breaches, the audit concept was further developed and implemented. In addition, data protection risk assessments for data processing activities have been adjusted and implemented to represent the risk-based approach. Processing of personal data in relation to measures on COVID-19 have also been a priority this year.


Audits und Monitoring

A number of governance functions regularly perform controls with a different focus in all business segments to ensure compliance with data protection regulations. The Internal Audit Departments conduct independent audits in all business segments and Group entities. Hereby, aspects of data protection and IT security are included in the reviews, with a particular focus on compliance with data protection regulations and the consistent implementation of internal guidelines and processes. For this purpose, an exchange takes place with the respective data protection officer. All business segments and Fresenius SE & Co. KGaA have defined corresponding auditing concepts for this purpose.

In addition, data protection controls are part of various internal control frameworks in the business segments. We use insights on potential improvements identified in the audits and reviews to continuously enhance our data protection processes. For example, the audit concept at Helios Germany requires that each entity is reviewed regularly – at least once a year – with regard to data protection and IT security in an internal audit.

Reporting system

All employees of the Fresenius Group have the possibility to report potential violations of data protection regulations or internal guidelines via existing whistleblowing systems or dedicated e-mail addresses. We take all reports on potential violations as an opportunity to clarify the case as quickly as possible and to review and adjust our company processes where needed. If necessary, we inform affected persons about possible data protection violations promptly and in accordance with legal requirements. You will find information on the number of received reports on data protection above in this chapter.


Human Rights