As a globally operating company, we process the personal data of, among others, our patients, employees, customers, suppliers, and other business partners. Careful handling of the data provided to us is of great importance for Fresenius. To meet this responsibility, we are continuously developing our data protection measures.
Our approach
Fresenius is committed to the right to informational self-determination and the privacy of all individuals from whom we receive and process data in the course of our business. This also includes the processing of personal data by third parties on our behalf. The Fresenius Code of Conduct forms the framework of our daily actions. A key component of this is the Group’s commitment to handling personal data responsibly. Data protection is thus a core task for us at Fresenius. To meet new requirements or to accommodate new technologies, we are constantly developing our data protection management systems. The operational tasks of data protection management are managed by the functional departments. In these tasks they are supported by processes of our Data Protection Management System. In certain areas, our Compliance Management System provides additional support, such as through general risk assessments or the investigation of potential data privacy violations.
We continuously work to ensure that all processing of personal data that we hold meets the requirements of the EU General Data Protection Regulation (EU-GDPR) and other national and international data protection regulations.
Risk assessment
We regularly assess risks related to data protection and IT security in every business segment and at Fresenius SE & Co. KGaA, using standardized methods in a top-down approach. All business segments and Fresenius SE & Co. KGaA record their data processing activities in central IT applications or systems and subject them to a data protection review, including a risk assessment. For this purpose, we organize business processes in such a way as to integrate data protection into the design of new, or amended, data processing activities as early as possible. Among other things, this enables us to implement the data protection principles and incorporate the technical and organizational measures in processing that are necessary to meet the legal requirements, e. g., from the GDPR, and to minimize potential risks. The introduction of new or modified IT systems is subject to standardized review processes to examine the implementation of data protection and IT security requirements.
Data subject rights
Fresenius SE & Co. KGaA and all business segments respect and protect the rights of all persons whose data is processed. Personal data is processed for the legal purposes specified in each case, in accordance with legal requirements. We also require third parties with whom data is shared for specified purposes to comply with our policies. All business segments and Fresenius SE & Co. KGaA safeguard the rights of data subjects by adequately informing them of their rights and by having established processes and tools in place to ensure that requests are answered in a timely manner. Fresenius informs data subjects – whether employees or external parties – about the processing, e. g., collecting and storing, of their data. We inform employees of any amendments to the data protection information.
We have also implemented technical and organizational measures, including appropriate measures that serve to safeguard the rights of data subjects in accordance with the GDPR. We provide data subjects with an uncomplicated way to find out what personal data we process about them. Fresenius SE & Co. KGaA and Fresenius Kabi have developed easily accessible technical solutions with which data subjects can address their inquiries to the companies. The requests are evaluated and responded to at both corporate and local level. Fresenius Kabi, for example, monitors the receipt of requests centrally, although the collection of and responses regarding all requested information may also be carried out locally if deemed necessary. This takes place in the local language with the assistance of local data protection advisors.
Helios Spain processes requests from data subjects in accordance with the requirements for hospitals and is supported by central Data Protection Officers. A technical solution for submitting data requests is to be implemented at Helios Spain in 2022.
Fresenius Medical Care developed a number of standard operating procedures allowing for individuals whose personal data the business segment holds to exercise their rights as data subjects.
With these solutions, Fresenius Medical Care supports data subjects in exercising their rights to access, rectification, restriction, objection, portability, and deletion of their personal data in a timely manner. The business segment complies with requests for deletion in accordance with legal requirements.
Reporting systems
At Fresenius SE & Co. KGaA, we have a zero-tolerance policy regarding data protection violations. External parties and all employees of the Fresenius Group may raise concerns regarding data protection via the existing whistleblowing systems or dedicated e-mail addresses. We investigate and evaluate all reported indications of potential infringements as quickly as possible and, where necessary, question and adjust our corporate processes. When required, we report privacy breaches to the authorities and inform those affected promptly and in accordance with legal requirements. The data protection organizations of the business segments and of Fresenius SE & Co. KGaA conduct their own audits and document possible violations. Information on data protection notifications received can be found in the Compliance chapter.
International data transfer
As a globally operating company, we give high priority to ensuring an appropriate level of data protection in all international data transfers as defined by the GDPR and all other international legal requirements relating to data transfer. Thus, Fresenius SE & Co. KGaA and Fresenius Kabi have submitted what are known as Binding Corporate Rules (BCRs), i.e., mandatory internal company guidelines, to the responsible data protection authorities for review and approval and are preparing their internal implementation. BCRs help the participating companies to establish a uniform level of data protection aligned with the standards of the GDPR and contribute to the lawful processing of personal data internationally. In accordance with the EU-GDPR or other legal safeguards and contracts, the business segments and Fresenius SE & Co. KGaA only transfer data to third countries outside the European Union on the basis of an adequacy decision of the European Commission, recognized certifications, or other legal safeguards. To this end, in addition to commercial contracts, we also enter into specific supplementary data processing agreements with data recipients. In these, we also make use of the current EU model clauses, which were last issued by the European Commission in June 2021. The latest developments in the area of international data transfer, such as the European Court of Justice ruling in the Schrems II case on the Privacy Shield and the corresponding recommendations of the European Data Protection Board and of the national authorities and their committees, are closely monitored and taken into account in risk assessments and when concluding contracts. The internally published templates are adapted without delay. When data is processed in countries outside the EU by third parties, the contractor is subjected to a careful review and measures are taken to ensure compliance with privacy regulations.
As part of Fresenius Medical Care´s international business operations, the business segment may transfer personal data to third parties that undertake business activities on its behalf or within the Fresenius Group. The business segment expects these third parties to meet applicable laws, the business segment´s own standards of conduct, and to comply with the information security and privacy policies. Fresenius Medical Care prioritizes the protection of data in all transfers, in line with the EU General Data Protection Regulation (GDPR) and other international data transfer laws. New developments concerning international data transfers have been assessed internally. Fresenius Medical Care considers the results of these assessments in its new guidance and its process for engaging with third parties based outside of the European Economic Area. Corresponding training has been developed and rolled out to relevant employees.
Training
We train employees on current requirements and threats in connection with data protection and data security. To this end, we use an extensive range of e-learning courses, face-to-face training, and other training measures. We supplement general training with training measures for specific employee groups. In this way, we ensure that employees entrusted with processing data are informed about the current legal situation and the corresponding internal requirements.
We inform new employees about the appropriate handling of sensitive data and oblige them to maintain confidentiality. Newly hired employees at Fresenius SE & Co. KGaA, Fresenius Kabi, and Fresenius Helios also receive online mandatory instruction in data protection within a specified period. Each company at Fresenius Kabi and Fresenius SE & Co. KGaA must provide evidence regarding the instruction of employees in data protection at least every two years. At Helios Germany, each company must train all employees in data protection at least once every two years. Fresenius Vamed organizes an annual e-learning course, which is obligatory for employees. In-depth training sessions are also held on an ad-hoc basis. The mandatory e-learning course and the re-certifications of the Data Protection Officers were carried out in 2021.
Organization and responsibilities
Organizational structure
Fresenius SE & Co. KGaA and all business segments maintain data protection organizations in line with their organizational and business structure. These include independent Data Protection Officers, who report to the management of the respective companies. All data protection organizations, separated according to functions, have both advisory and controlling functions, which complement each other in their tasks. The data protection organizations support the management and specialist departments of the assigned companies in operational data protection issues and in complying with and monitoring the applicable data protection requirements. The respective Data Protection Officers are responsible for monitoring compliance with these requirements. They are the contact persons for national and international supervisory authorities and are supported by competent data protection advisors and coordinators. Depending on the business segment, the data protection advisors are organized centrally, regionally or locally.
Fresenius Kabi lists the contact details of the local data protection advisors appointed by the site manager on its intranet, together with the relevant country and site. They support the data protection officer, for example in the local language, in any communication with the local data protection authority, in inquiries from employees, and in the implementation of internal processes.
Helios Spain, for example, has set up data protection committees at the hospital level.
Fresenius Medical Care has a network of local country and sub-regional Privacy Liasons, who liaise between country management and the regional privacy leads to ensure compliance with local law and implementation of the Code of Ethics and Business Conduct which also defines the privacy standards and guides the business segment´s approach to protecting personal information.
In total, more than 300 employees at Fresenius are entrusted with data protection tasks.
The Data Protection Officers from the business segments and Fresenius SE & Co. KGaA regularly exchange information on best practices and initiatives, including at Group Coordination Meetings and conferences, jours fixes, and other formats. In 2021, all events took place purely virtually.
Involvement of the Management Board and reporting
Overall responsibility for data protection at the level of the Fresenius Group lies with the Management Board member responsible for Human Resources, Risk Management and Legal of Fresenius Management SE. The Data Protection Officer of Fresenius SE & Co. KGaA reports directly to this Management Board member.
In addition, data protection is a regular topic for the Compliance Steering Committee, which includes the Management Board member for Human Resources, Risk Management, Legal and Compliance of Fresenius Management SE. The Data Protection Officers responsible for the four business segments report regularly to the respective management.
Guidelines and regulations
Data protection is a joint task of all employees of the Fresenius Group. At the core of this is the joint commitment of all business segments and Fresenius SE & Co. KGaA to data protection, as specified in their Codes of Conduct. In the Fresenius Code of Conduct, we clearly commit ourselves to the careful handling of data and the right to informational self-determination: we undertake to respect the rights and privacy of all persons from whom we collect or receive data. This also applies to suppliers and business partners. For instance, Fresenius Kabi obligates its suppliers to handle data carefully by means of a Code of Conduct.
All business segments and Fresenius SE & Co. KGaA have also drawn up policies for data protection and the handling of personal data. The data protection policies are complemented by further guidelines, standards, or standard operating procedures. These support the employees in implementing GDPR requirements and other relevant local laws and regulations in their areas of responsibility.
Progress and measures in 2021
In 2021, at Fresenius SE & Co. KGaA and within the business segments, data protection was further developed with a view to global operational activities. Our measures therefore focused on the development of new training content and the implementation of existing training concepts, as well as on the expansion of audit concepts to take regulatory changes into account. There was also a focus on data protection measures in connection with the increasing use of virtual health offerings.
Risk management
Fresenius SE & Co. KGaA further developed its data protection management system in 2021. In addition to the ongoing development of the already-existing process for efficient investigation of potential breaches of data protection, this also included the expansion and implementation of the data protection audit concept. In order to implement the risk-based approach, the data protection risk assessments of data processing activities are also constantly optimized and implemented. In 2021, significant further developments took place in the areas of data deletion and international data transfer.
Fresenius SE & Co. KGaA has implemented guidelines for the creation and implementation of deletion concepts. The requirements of the European Data Protection Board were implemented in the course of a revision of contracts and of the additional risk assessment in connection with this. The use and implementation of specific applications for the future performance of the data protection risk assessment also played a key role in the ongoing developments. In order to further strengthen risk management, new e-learning units on data protection and on the BCRs are currently being developed at Fresenius SE & Co. KGaA. A further focal point was the permissible processing of personal data in connection with COVID-19 measures.
At Fresenius Kabi, a risk assessment of data processing activities in an application is performed in several stages on the basis of templates developed for this purpose. The application will be further developed so that future risk assessments will no longer be performed in separate templates, but within the application. Data privacy impact assessments are performed on an ongoing basis; in the future, the process will be an integral part of the application for recording data processing activities. To ensure structured and efficient processing of notifications on data protection incidents and potential data protection violations, Fresenius Kabi has implemented internal guidelines; these are accompanied by a technical solution with which notifications on data protection incidents can be recorded by local data protection advisors on the basis of a notification by employees. The technical applications for conducting and documenting, recording, and processing data subject inquiries were further developed. A report developed for this purpose provides information on the number, type, and processing status of data privacy incidents and data privacy inquiries.
Helios Germany strengthened various instruments of the data protection management system in 2021. Additional materials such as checklists for auditing processing activities, e.g., were made available to the sites, the Helios audit concept was updated, and the notification processes for auditing new processing activities were revised centrally and locally due to the implementation of the Helios Digitization Board (DIGI Board). In 2021, the focus was on, e. g., the adoption of Helios Group regulations on data privacy, the further development of auditing processes, and the continued data-privacy-compliant design of hospital information systems (e. g., access logging and auditing for improper access, both independently and on an ad hoc basis). Many measures were also necessary at Fresenius Helios as a result of COVID-19, e. g., in relation to vaccination and surveying of the vaccination status of employees. This required close coordination with the relevant authorities.
Helios Spain has continued to implement data protection impact assessments and has expanded them to include additional indicators for information security or technological risks.
Fresenius Vamed has progress in data protection management evaluated and documented annually by an external law firm. In 2021, the business segment focused in particular on updating directories and revising the deletion concept for its processing activities.
Training
In 2021, Fresenius SE & Co. KGaA developed a new data protection training program consisting of various modules, which will be rolled out in 2022. In addition to a comprehensive module on data protection, this also includes explicit training on the applicable data protection guidelines.
Since 2021, Fresenius Medical Care included privacy awareness in its mandatory Code of Ethics and Business Conduct training. The business segment offers a range of e-learning opportunities and classroom training courses and combines general training with targeted measures for specific employee groups. In 2021, the business segment offered more than 60 training classes on data privacy to its employees and contractors around the world. Training in North America is aligned with HIPAA (Health Insurance Portability and Accountability Act of 1996) requirements. In the European Union, it covers GDPR requirements. In 2021, Fresenius Medical Care launched an awareness campaign as part of its first International Privacy Day celebrations. This involved the introduction of a privacy website in countries in Europe, Middle East, and Africa, as well as Latin America, and Asia-Pacific.
In the reporting year, Fresenius Kabi completely revised its training on data protection and information security in the form of an e-learning course and divided it thematically into individual modules. The training content was expanded to include how to deal with data protection incidents and possible data protection violations as well as a separate module on Binding Corporate Rules (BCRs). The training was rolled out globally as an e-learning course in the final quarter of the reporting year. Data privacy advisors and compliance employees were also trained in dealing with data privacy incidents. Training on data privacy clauses in contracts, data privacy agreements, conducting a risk assessment, or handling data subject inquiries were developed as accompanying training measures. A question and answer page on the intranet provides information on individual questions with references to further information, contacts and internal company applications.
Helios Germany has added a new online training course on data protection and FlexWork to its existing training portfolio in response to new work requirements. Helios Spain introduced company-wide data protection training in 2021. In 21 clinics, face-to-face training was also conducted during the pandemic.
In 2021, employees at Fresenius Vamed participated in data protection e-learning courses. Furthermore, 48 people received an initial or re-certification as Data Protection Officers.
Evaluation
Audits and monitoring
To ensure compliance with data protection regulations, several governance functions in the Group perform regular checks with different focuses in all business segments. The Internal Audit departments carry out independent audits to improve the effectiveness of risk management, control and governance processes in all business segments. Aspects of data protection are also taken into account on a risk basis. The data protection related results of the audits are analyzed by the respective data protection officers and are incorporated into the continuous improvement of existing measures of the respective business segment. All business segments and Fresenius SE & Co. KGaA have defined corresponding audit concepts for this purpose.
In addition, data protection controls are an integral part of various internal control frameworks in the business segments. Findings on potential improvements from audits and reviews are used to continuously develop our data protection processes. Helios Germany’s audit concept, for example, stipulates that each company is to be reviewed regularly – at least once a year – in the course of internal audits and supplemented by a central, annual risk analysis (on January 31 of each year for the previous fiscal year) with regard to data protection.
Helios Spain’s audit concept requires all hospitals to be audited every second year. This is performed as an internal audit conducted by the company’s data protection team and an external law firm. Every year without an on-site audit, a self-audit checklist is distributed by the data protection team and filled out by the hospitals.
Fresenius Kabi conducts data protection audits on the basis of an internal process by the Data Protection Officer and records the results of data protection audits performed in tabular form. The Internal Audit departments carry out independent audits to improve the effectiveness of risk management, control and governance processes in all business segments. In this context, aspects of data protection are also taken into account on a risk-based approach. Thematically identical deviations are grouped and communicated as preventive measures. The measures resulting from audit deviations are also documented and the status updated by the respective local data protection advisors. The progress of the implementation of measures resulting from audit deviations is regularly reviewed.