Grifols is a global healthcare group committed to improving the health and wellbeing of people around the world. Its four divisions – Bioscience, Diagnostic, Hospital and Bio Supplies – develop, produce and market innovative solutions and services in over a 100 countries.
Grifols respects the privacy rights of all data subjects who entrust Grifols with their personal data, and is committed to complying with the data protection regulations applicable in each country.
This privacy notice has been prepared in accordance with the General Data Protection Regulation (the "GDPR"). It outlines Grifols' data collection practices and the choices that data subjects make about the way Grifols collects, uses and shares their personal data.
1. Identification of the data controller(s)/owner(s) of the personal data
The data controller(s)/owner(s) is/are:
- The Grifols' group company with which the institution to which the data subjects belong have a contractual relationship,
- The Grifols' group companies to which the data subjects submit requests for information, suggestions and/or queries.
- The Grifols' group company operating and identified as such in the websites, landing pages, apps, and any other similar digital platforms through which the personal data of the data subjects are processed, or
- The Grifols' group company contacting the data subjects (as identified in the methods used to establish said contact) for the remaining purposes set out in Section 3.
The identity and contact details of the Grifols' group companies are available here. The Grifols' group company/ies acting as controller/s or joint controllers will be referred to as "Grifols".
2. Identification of the data protection officer
The data protection officer acts as an interlocutor between Grifols and you in order to ensure Grifols' compliance with the data protection legislation and to guarantee your rights under such legislation. You may contact the data protection officer at email@example.com. Although the essential aspects of the joint controllership agreement resulting from what is set out in Section 1 are provided in this Privacy Notice, the data subjects may ask, if they wish so, the data protection officer for more information.
3. Purposes and legal basis for processing
Legitimate interest of Grifols and/or third parties (article 6.1(f) of GDPR):
Grifols is interested in contributing to the advancement of scientific knowledge and research in a secure environment with the aim of guaranteeing people's health. Therefore, Grifols considers that the legitimate interest in which bases the processing of the personal data overrides the fundamental rights and freedoms of the data subjects, given that the processing:
In any event, data subjects may request further information on the legitimate interest or exercise their right to object by addressing their request to firstname.lastname@example.org.
Consent (article 6.1(a) of the GDPR):
Data subjects may provide their consent through the data collection forms, by clicking acceptance buttons or ticking boxes, replying to e-mails or making any other affirmative clear action.
Data subjects may withdraw their consent at any time, as set out in Section 7.
4. Recipients of personal data
Grifols may share the personal data including, if applicable, the profile of the data subjects with:
- Grifols' group of companies. The list of companies is available here.
- Providers of products and services hired by Grifols to achieve the mentioned purposes. These providers are information technology service providers, among others.
Grifols will ensure that the personal data is only transferred to countries that offer an adequate level of data protection. If the personal data is processed from countries that do not offer said level of protection, Grifols and/or the providers (as the case may be) will adopt, if necessary, the appropriate safeguards to carry out such international data transfers in accordance with the applicable data protection legislation. Information on the appropriate safeguards for international data transfers can be obtained from Grifols at email@example.com.
Grifols does not share personal data with any other third party, unless required by the applicable law.
5. Retention period
Once the purposes for which the personal data is processed have been achieved, Grifols will retain the personal data until the end of the statutes of limitation of any liabilities that may arise, and during the term required to comply with any applicable legal obligation.
6. Sources and categories of personal data
Grifols only processes personal data that is relevant to the purposes mentioned in Section 3.
If data subjects do not directly provide Grifols with their personal data, Grifols may obtain the personal data from event organizers databases and public sources, such as websites and publications from the healthcare sector, professional social networks or social listening tools (that is, tools aimed at identifying and evaluating the market's perception about a specific brand, product, company, topic or problem).
Regardless of the legal basis for processing the data and of whether it was obtained from third-party sources or from the data subject, Grifols processes the following categories of personal data:
- Identification data (e.g. name and last name)
- Professional contact details (e.g. professional e-mail address)
- Professional data (e.g. job position, place of work, membership in scientific societies or associations)
- Personal interests and preferences
- Browsing history data (e.g. IP address, visited web pages and country from which the connection is made)
Except for data regarding the browsing history and the personal interests and preferences (which will only be processed for the purposes expressly specified in Section 3), Grifols will process the remaining personal data categories, as required, to achieve each of the purposes set out in this Privacy Notice.
7. Data protection rights
The following data protection rights are applicable under the GDPR. Grifols undertakes to respect other data protection rights that may be applicable in accordance with the data protection legislation of each country.
You may request confirmation as to whether or not your personal data is being processed and, if so, you can obtain access to your personal data included in Grifols' files.
You may request the rectification of your personal data if inaccurate.
You may request the erasure of your personal data.
You may request that your personal data is not processed under specific circumstances.
You may request receiving, in an electronic file, the personal data that you provided Grifols with, as well as the right to transmit it to other parties.
Restriction of processing
You may request a restriction on how your personal data is processed when:
Withdrawal of consent
You may withdraw your consent without affecting the lawfulness of the processing based on consent before its withdrawal.
You may exercise, when appropriate, your data protection rights by sending a written communication to Grifols at firstname.lastname@example.org with the subject line "Website Plasma Management Services". To that end, Grifols may request a copy of your ID card/passport in force or any other valid document that proves your identity.
In addition, you may lodge a complaint with a data protection authority, including the one at your residence, place of work or place of the alleged infringement.
Last update: May 2021