We bear responsibility in a sensitive environment on which the lives and health of many people depend. Accordingly, we know how to reconcile high quality standards with economical, IT-supported processes in our regulated markets. In doing so, we are always aware of the increasing sensitivity and need for protection of the data and information we process. In this way, we design efficient processes and create scope for what is really important: the protection and safety of patients.
The Fresenius Group and its operating entities process, e. g., personal and other data of
- our patients,
- our employees,
- suppliers, and other business partners.
Data protection is core to our operating business and embedded in our Fresenius Group Code of Conduct. To meet new requirements or to accommodate new technologies, we are constantly developing our data protection management systems and the accompanying data protection measures. The aspect of information security is also a crucial part of cybersecurity at the Fresenius Group. It refers to the processes designed for data security.
Information on the Group Cybersecurity function, its related responsibilities, and the governance structure is included in the Cybersecurity chapter.
Organization and responsibilities
The Management Board member of the Fresenius Group responsible for Human Resources (Labor Relations Director), Risk Management and Legal assumes responsibility for data protection at the level of Fresenius Corporate. The Data Protection Officer of Fresenius SE & Co. KGaA reports directly to this Management Board member. Within the Fresenius Group Management Board, the Chief Executive Officers (CEOs) of the business segments are responsible for the implementation of adequate governance systems in their business segment, including data protection. The management boards of the business segments define the management approaches and regulate responsibility for data protection, e. g. via a business allocation plan.
In addition, data protection is a regular topic for the Risk Steering Committee, which includes the Management Board member for Human Resources (Labor Relations Director), Risk Management and Legal of Fresenius Management SE, among other members. The Data Protection Officers responsible for the four business segments report regularly to the respective management. In their role, the Data Protection Officers act independently in exercising their tasks and are not controlled by a superior Group function.
Fresenius SE & Co. KGaA and all business segments maintain data protection organizations in line with their organizational and business structure, including the aforementioned independent Data Protection Officers. All data protection organizations, separated according to functions, have both advisory and monitoring duties, which complement each other. The data protection organizations support the management and specialist departments of the assigned companies in operational data protection issues and in complying with and adhering to the applicable data protection requirements in the respective countries. The respective Data Protection Officers are responsible for monitoring compliance with these requirements. They are the contact persons for national and international supervisory authorities and are supported by internal experts, e. g. data protection advisors and coordinators. Depending on the business segment, the data protection advisors are organized centrally, regionally, and/or locally.
Operating tasks of data protection management lie with the respective expert functions. These functions are supported by processes of the Data Protection Management System. In certain areas, our Compliance Management System provides additional support, e. g. comprehensive risk analysis or the assessment of potential data protection incidents and breaches.
Regular alignment meetings of experts in dedicated committees at business segment level and at corporate level ensure that IT security and data protection topics are discussed. Based on the outcomes of these meetings, measures may be derived, or strategic decisions are formulated and proposed to the respective management.
In addition, the Data Protection experts from the business segments and Fresenius SE & Co. KGaA regularly exchange information on best practices and initiatives, including at Group Coordination Meetings and conferences, jours fixes, and in other formats. In total, more than 300 employees at Fresenius are entrusted with data protection tasks.
Guidelines and regulations
The realization of data protection is a joint task of all employees of the Fresenius Group. At the core of this is the joint commitment of all business segments and Fresenius SE & Co. KGaA to data protection, as specified in their Codes of Conduct. In the Fresenius Code of Conduct, we clearly commit ourselves to the careful handling of data and the right to informational self-determination: we undertake to respect the rights and privacy of all persons from whom we collect or receive data. This applies to patients and employees as well as to suppliers and business partners. The privacy statements are publicly available, for example, on the website of Fresenius SE & Co. KGaA.
All business segments and Fresenius SE & Co. KGaA have also implemented policies for data protection and the handling of personal data. The data protection policies are complemented by further standard operating procedures, working instructions, guidelines, and standards. These support the employees in implementing EU General Data Protection Regulation (GDPR) requirements and other relevant local laws and regulations in their areas of responsibility.
Audits and monitoring
To ensure compliance with data protection regulations, several functions in the Group perform regular checks with different focuses in all business segments. Internal Audit departments carry out independent audits to improve the effectiveness of risk management, control, and governance processes in all business segments. Aspects of data protection are also taken into account on a risk basis. The data protection related results of performed audits are analyzed by the respective Data Protection Officers and are incorporated into the continuous improvement of existing measures of the respective business segment. In addition, Data Protection Officers perform regular and specific data protection audits. All business segments and Fresenius SE & Co. KGaA have defined corresponding audit concepts for this purpose.
In addition, data protection controls are an integral part of various internal control frameworks, such as data protection risk assessments, in the business segments. Findings on potential improvements from audits, assessments and reviews are used to continuously develop our data protection processes.
We regularly assess risks related to data protection and IT security using standardized methods. All business segments and Fresenius SE & Co. KGaA record their data processing activities in central IT applications and subject them to a data protection review, including a risk assessment. For this purpose, we organize business processes in such a way as to integrate data protection into the design of new or amended data processing activities as early as possible. Among other things, this enables us to implement the data protection requirements through technical and organizational measures when processing personal data and to minimize potential risks. The introduction or the design of new or modified IT systems is subject to the same standardized review processes to examine the implementation of data protection and IT security requirements. If a risk assessment is performed, an evaluation of the results and of whether the assessment is up to date is carried out, accompanied by audits performed by the respective Data Protection Officers. Regular reviews are conducted, for example, at least every three years or at shorter intervals. At Helios Spain, internal data protection audits are outsourced every two years. Further, in case of any changes to a processing activity that will affect the status as documented, the respective process owner is obliged to initiate an update.
Data subject rights
Fresenius SE & Co. KGaA and all business segments respect and protect the rights of all individuals whose data is processed. Personal data is processed only for the legal purposes specified in each case, in accordance with legal requirements. We also require third parties with whom data is shared for specified purposes, e. g. for service or support provisioning, to comply with applicable data protection requirements. If deviations occur, they are documented, reported, and evaluated based on applicable reporting guidelines and procedures. Depending on the severity of the incident, additional protection measures or the adjustment of contractual clauses can take place to improve the protection of data subject rights.
All business segments and Fresenius SE & Co. KGaA are committed to safeguarding the rights of data subjects by adequately informing them of their rights and by having established processes and tools in place to ensure that requests are answered sufficiently and in a timely manner. Fresenius informs data subjects – whether employees or external parties – about the processing, e. g., collecting and storing, of their data via privacy notices. We inform employees of any amendments to the data protection information that affect them. These changes are communicated via the established internal communication channels, coordinated by the respective data protection function.
We have also implemented technical and organizational measures, including appropriate measures that serve to safeguard the rights of data subjects in accordance with the GDPR. We provide data subjects with information in a concise, transparent, intelligible and easily accessible way for them to find out what personal data about them we process. The requests are evaluated and responded to at corporate or segment level in our Group, or both. The collection of and responses regarding all requested information may also be carried out locally if deemed necessary. This takes place in the local language with the assistance of local data protection advisors. For example, Helios Spain processes requests from data subjects in accordance with the requirements for hospitals and is supported by central Data Protection Officers. A technical solution for submitting data requests was implemented at Helios Spain in 2022.
With these solutions, we aim to support data subjects in exercising their rights to access, rectification, restriction, objection, portability, and deletion of their personal data in a timely manner insofar as no other regulations prevent us from doing so, especially when erasing data. We comply with such requests in compliance with legal requirements. For example, data subjects are informed about the respective deletion process at the point in time when their data is collected.
At Fresenius SE & Co. KGaA, we have a zero-tolerance policy regarding data protection violations. External parties and all employees of the Fresenius Group may raise concerns regarding data protection via the existing reporting systems or dedicated e-mail addresses. We investigate and evaluate all reported indications of potential infringements as quickly as possible and, where necessary, question and adjust our corporate processes. When required, we report privacy breaches to the relevant authorities and inform those affected without undue delay and in accordance with legal requirements. The data protection organizations of the business segments and of Fresenius SE & Co. KGaA conduct their own investigations and document possible violations.
International data transfer
As a globally operating company, we give high priority to ensuring an appropriate level of data protection in all international data transfers as defined by the EU GDPR and all other international legal requirements relating to international data transfer. These include Binding Corporate Rules (BCR) that were approved by the responsible European data protection authorities in 2022 for Fresenius Corporate and Fresenius Kabi, accompanied by mandatory internal company policy and guidelines. BCR ensure that the participating companies establish a uniform level of data protection aligned with the standards of the EU GDPR and contribute to the lawful processing of personal data internationally within the companies. In accordance with the EU GDPR or legal safeguards and contracts, the business segments and Fresenius SE & Co. KGaA transfer data to third countries outside the European Union on the basis of an adequacy decision of the European Commission, recognized certifications, or other legal safeguards such as Standard Contractual Clauses. To this end, in addition to commercial contracts, we also enter into specific supplementary data transfer agreements with data recipients. The latest developments in the area of international data transfer are closely monitored and taken into account in risk assessments and when concluding contracts. The internally published templates are adapted accordingly. When data is processed in another country by third parties, the contractor is subjected to a careful review, and measures such as additional safeguards (e. g. pseudonymization) are taken to establish and maintain an appropriate data protection level and to ensure compliance with privacy regulations. The data protection departments are involved in any negotiation relating to data protection contracts.
We train employees on current requirements and threats in connection with data protection and data security. The data protection department differentiates between specialist functions and responsibilities, the scope of training, and between voluntary and mandatory content. In principle, basic training on data protection is mandatory for all employees. At Fresenius Vamed, for example, data protection training is mandatory for employees in relevant positions, such as all senior managers, employees in the Human Resources (HR), Legal and IT departments, reception staff, and others. To this end, we use an extensive range of e-learning courses, face-to-face training, and other training measures. We supplement general training with training measures for specific employee groups. In this way, we ensure that employees entrusted with processing data are informed about the current legal situation and the corresponding internal requirements. Mandatory training must be tracked by the respective supervisors, and participation in training must be documented.
We inform new employees about the appropriate handling of sensitive data and oblige them to maintain confidentiality. This is confirmed in written form. Newly hired employees at Fresenius SE & Co. KGaA, Fresenius Kabi, and Fresenius Helios also receive mandatory online instruction in data protection within a defined period, which varies between the business segments. The business segments and Fresenius SE & Co. KGaA have internal provisions on how often evidence has to be provided regarding the instruction of employees in data protection. Within our Group, this ranges from eight weeks for initial training courses to at least every two years for subsequent update training courses.
Progress and measures in 2022
In 2022, at Fresenius SE & Co. KGaA and within the business segments, data protection was further developed with a view to global operational activities. Our measures in this area focused on the development of new training content and the implementation of existing training concepts, as well as on the expansion of audit concepts to take regulatory changes into account. There was also a focus on data protection measures in connection with the performance of risk assessments, thus strengthening the established risk control processes.
Fresenius SE & Co. KGaA issued a new data protection training in 2022 containing different modules that can be provided over an 18- to 24-month timeframe. At Fresenius Kabi, new data protection training had been developed in the previous year, with four modules covering BCR; it has been offered on a mandatory basis to its employees since the end of 2021 and was completed within the reporting period. The training will be repeated every two years. The management approaches of Fresenius Helios and Fresenius Vamed remained unchanged compared to the previous year. Measures conducted within the business segments aimed at aligning guidelines or processes with the latest developments where deemed necessary.
In the reporting year, no data breach was reported via the reporting channels that had a direct impact on the financial position or reputation of the company. Audits and risk assessments took place on segment or local level, as described in the Audits and monitoring section. Findings of these audits are remediated on the respective level. Further information on opportunities and risks can be found in the Opportunities and Risk Report.
The Data Protection Officers prepare reports on the number, type, and processing status of data protection incidents and data subject inquiries, which are communicated in accordance with the organizational structure explained above.