Data protection

Index

Our goals and ambitions

It is our ambition to raise our employees’ awareness of data-protection-compliant handling of personal data as much as possible through our data protection activities. They should be enabled to avoid data protection violations through extensive knowledge and careful handling of personal data and be able to identify any data protection violations immediately in order to take the necessary measures without delay. We report on data protection incidents in the Compliance section.

We are also supported in this by internal guidelines and documented processes, such as responding to requests from data subjects in a timely manner, reporting data breaches to the relevant authority within the specified timeframe, and providing appropriate documentation.

Our approach

As a healthcare provider, we bear responsibility in a sensitive environment on which the lives and health of many people depend. Accordingly, we know how to reconcile high quality standards with economical, efficient IT-supported processes in our regulated markets. In doing so, we are always aware of the sensitivity and increasing need for protection of the data and information we process.

The Fresenius Group and its operating entities process, e. g., personal and other data of

our patients,
our employees,
customers,
suppliers, and other business partners.

We are committed to respecting and protecting the rights and freedoms of all data subjects and personal data is processed only for purposes specified in each case, in accordance with legal requirements. We also require third parties with whom data is shared for specified purposes, e. g., for service provisioning, to comply with applicable data protection requirements. This is also verified by external audits, as explained in the Strategy and management chapter. Data protection is core to our operating business and embedded in our Fresenius Group Code of Conduct. To meet new requirements or to accommodate new technologies, we are constantly developing our data protection management systems and the accompanying data protection measures.

Organization and responsibilities

Within the Group Management Board the Group Management Board member responsible for, Legal, Compliance, Risk Management, ESG, Human Resources and the business segment Fresenius Vamed (subsequently ESG Board member) assumes responsibility for data protection. The Data Protection Officer¹ of Fresenius SE & Co. KGaA reports directly to this person.

The Management and Management Boards of the business segments are responsible for the implementation of data-protection-related governance systems in their business segment. The business segments have defined responsibility for data protection, e. g., via a business allocation plan.

In addition, data protection is a regular topic for the Risk Steering Committee, which includes the ESG Board member, among other members. The Data Protection Officers of the business segments act independently regarding the exercising of their tasks and report to their respective Management. Further information on the Risk Steering Committee can be found in the Compliance section.

Fresenius SE & Co. KGaA and all business segments maintain data protection organizations in line with their organizational and business structure, including the aforementioned independent Data Protection Officers. The data protection organizations support the management and specialist departments of the assigned companies in operational data protection issues and in complying with and adhering to the applicable data protection requirements in the respective countries. The respective Data Protection Officers are responsible for monitoring compliance with these requirements. They are the contact persons for national and international supervisory authorities and are supported internally by other specialists. Depending on the business segment, the data protection advisors and specialists are organized centrally, regionally, and / or locally. The data protection advisors have the task of advising the Business Process Owners (BPOs) and other employees on the Group in data protection matters and coordinating data protection activities. A BPO is a natural person in the company who is responsible for processes in which, among other things, data processing takes place.

Responsibility for operating data protection tasks lies with the respective expert functions, supported by processes of the data protection management system. In certain topics, our compliance management system provides additional support, e. g., risk analysis.

Regular alignment meetings of experts, not only from data protection, but also from other departments such as IT, in dedicated committees ensure that IT security, information security, and data protection topics are discussed. Based on the outcomes of these meetings, measures may be derived, or strategic decisions formulated and proposed to the respective management.

In addition, the data protection experts regularly exchange information on best practices and initiatives, including at Group Coordination Meetings and conferences, jours fixes, and in other formats.

¹ The term Data Protection Officer is used in the following chapter as a synonym for the various functions and designations for those responsible for data protection.

Reporting systems

External parties and all employees of the Fresenius Group may raise concerns regarding data protection via the existing reporting systems or dedicated email addresses. We investigate and evaluate all reported indications of potential infringements as quickly as possible and, where necessary, question and adjust our corporate processes. When required, we report privacy breaches to the relevant authorities and inform those affected without undue delay and in accordance with legal requirements. The data protection organizations conduct their own investigations and document possible violations.

In 2023, no data breach was reported via the reporting channels that had a direct impact on the financial position or reputation of the company. A total of 25 reports were submitted in the reporting year, as explained in the Compliance section.

Audits and risk assessments took place at segment or local level, as described below. Findings of these audits are remediated on the respective level, if necessary. For further information on opportunities and risks, please refer to the Opportunities and Risk Report.

The Data Protection Officers prepare reports on the number, type, and processing status of data protection incidents and data subject inquiries, which are communicated in accordance with the organizational structure explained.

In the event of data protection breaches, additional protective measures or the adaptation of contractual clauses may be necessary to improve the protection of rights and freedoms, depending on the degree of severity identified.

Guidelines and regulations

The realization of data protection is a joint task of all employees of the Fresenius Group. At the core of this is the joint commitment of all business segments and Fresenius SE & Co. KGaA to data protection, as specified in their Codes of Conduct. In the Fresenius Code of Conduct, we clearly commit ourselves to the careful handling of data and the right to informational self-determination. The privacy statements are publicly available, for example on the website of Fresenius SE & Co. KGaA.

We have also implemented mandatory internal policies for data protection and the handling of personal data, known as Binding Corporate Rules (BCR). In the reporting year, we rolled out the BCR as a new data protection guideline at the Corporate / Other segment and Fresenius Kabi. The BCR are complemented by further standard operating procedures and working instructions guidelines. These support the employees in implementing the BCR in their areas of responsibility.

To ensure compliance with data protection regulations, several functions in the Group perform regular checks with different focuses in all business segments. Internal Audit departments carry out independent audits to improve the effectiveness of risk management, control, and governance processes in all business segments. Aspects of data protection are also taken into account on a risk basis. The data-protection-related results of performed audits are analyzed by the respective Data Protection Officers and are incorporated into the continuous improvement of existing measures. Furthermore, Data Protection Officers, among others, perform regular specific data protection audits. We are also subject to external controls and, if necessary, use third parties to carry out audits of business partners who implement data processing activities for us.

In addition, data protection controls and data protection risk assessments are an integral part of various internal control frameworks in the business segments. Findings on potential improvements from data privacy audits, risk assessments, and reviews are used to continuously develop our data protection processes.

Risk assessment

We regularly assess risks related to data protection, IT security, and information security using standardized methods. All business segments and Fresenius SE & Co. KGaA record their data processing activities in central IT applications and subject them to a data protection review, including a risk assessment, as early as possible in the implementation or adaptation process. In this context, the data protection officers support those responsible in preparing a data protection impact assessment if required. Among other things, this enables us to implement the data protection requirements through the use of appropriate technical and organizational measures in processing person-related data and to minimize potential risks. Regular reviews are conducted to ensure that they are up to date, e. g., with regard to technical developments. Further, it is the responsibility of the respective process owner to provide notification of relevant planned changes in data processing activities in order to subsequently enable a new data protection review to be carried out if necessary. For more information on IT security, please refer to the Cybersecurity chapter.

The regular internal and external controls, analyses and audits by the responsible data protection advisors, data protection management systems or external audit functions are supplemented by the audit activities of the Group Internal Audit function. In this juncture data protection measures such as guidelines and their implementation are also considered in a risk-oriented manner. In 2023, eight audits with the audit reference data protection were carried out. The results of the audits are analyzed by the data protection organisations and incorporated into the continuous improvement of existing measures.

Training

We train employees on current requirements and threats in connection with data protection and data security, using an extensive range of e-learning courses, face-to-face training, and other training measures. Therein, we differentiate between specialist functions and responsibilities, the scope of training, and between voluntary and mandatory training. We supplement general training with training measures for specific employee groups. In this way, we ensure that employees entrusted with processing data are informed about the current legal situation and the corresponding internal requirements. In principle, basic training on data protection is mandatory for all employees.

We inform new employees about the appropriate handling of sensitive data and oblige them to maintain confidentiality. Newly hired employees also receive online mandatory instruction in data protection within a defined period. When and how often evidence has to be provided regarding the instruction of employees in data protection is also determined. Within our Group, this ranges between eight weeks for initial training courses to at least every two years for update training courses thereafter.

Data subject rights

All business segments and Fresenius SE & Co. KGaA are committed to safeguarding the rights of data subjects by adequately informing them and by having established processes and tools in place to ensure that requests are answered sufficiently and in a timely manner. Fresenius informs data subjects – whether employees or external parties – about the processing, e. g., collecting and storing, of their data via privacy notices. We inform employees via internal communication channels of any amendments to the data protection information that affect them.

Our technical and organizational measures, including the implementation of corresponding applications, serve to safeguard the rights of data subjects in accordance with the European Union’s General Data Protection Regulation (EU-GDPR). We provide data subjects with information in a concise, transparent, intelligible, and easily accessible way for them to find out what personal data about them we process. The requests can be evaluated and responded to at corporate or segment level in our Group, or both, or in the local language.

With these solutions, we aim to support data subjects in exercising their rights to access, rectification, restriction, objection, portability, and deletion of their personal data in a timely manner. We comply with such data subject requests or rights in compliance with legal requirements.

International data transfer

As a globally operating company, we assign high priority to ensuring an appropriate level of data protection in all international data transfers as defined by the EU-GDPR and all other international legal requirements relating to international data transfer. These include our BCR, accompanied by mandatory internal company policy and guidelines. BCR ensure the participating companies establish a uniform level of data protection aligned with the standards of the EU-GDPR and contribute to the lawful processing of personal data internationally within the companies. The latest developments in the area of international data transfer are closely monitored and taken into account in risk assessments and when concluding contracts. The internally published templates are subsequently adapted. When data is processed in another country by third parties, the contractor is subjected to a careful review. We take measures, such as additional safeguards like pseudonymization, to ensure compliance with privacy regulations and maintain an appropriate data protection level. The data protection departments are involved in any negotiation relating to data protection contracts.