Compliant handling of information is highly important for a leading innovative, science- and technology-driven company. When using personal data, the individuals’ rights must be appropriately protected. We strive to safeguard the rights of any person whose data we process, including but not limited to our employees, patients, customers, and healthcare professionals.
Our approach to data privacy
The mandate and goal of our Group Data Privacy unit is to mitigate risks and create a global framework for data privacy-compliant business operations. This unit helps to train our employees to handle data responsibly and with clear accountability. It safeguards our company by providing data privacy risk assurance and compliance with relevant data privacy laws globally. Group Data Privacy also contributes to creating value for the development of digital business models.
Roles and responsibilities
Group Data Privacy is part of our global Group Compliance and Data Privacy function. In addition, we have a Group Data Privacy Officer and a network of local Data Privacy Officers at various sites Group-wide. In line with external regulations, the Data Privacy Officers act independently. As part of our compliance reporting, Group Data Privacy regularly prepares data privacy updates as well as a comprehensive data privacy report. This report is part of the compliance report submitted to the Executive Board and the Supervisory Board.
Our Data Privacy Management System
Our goal is to establish a global and consistent Data Privacy Management System (DPMS) by the end of 2022. It will be based on the following three pillars: Data Privacy portfolio, people and communication. The Data Privacy portfolio consists of eight key elements, covering all parts of a functioning DPMS, in line with legal requirements and industry standards. In 2021, we rolled out the revised Data Privacy Policy and Data Breach Standard and updated the e-learning environment amongst other deliverables.
Our DPMS applies similar elements as the compliance portfolio but adapted to the needs of data privacy. These include policies and procedures, risk assessment and documentation, training and awareness, programs and tools, individual requests, monitoring and reporting, incident management, and continuous improvement.
Ensuring IT security
It is vital for our businesses that we protect our information systems, their contents and our communication channels against criminal or unwanted activities of any kind, such as e-crime and cyberattacks, including unauthorized access, information leakage and misuse of data or systems. Our Group Security and IT Security units maintain organizational, process-related and technical information security countermeasures based on recognized international standards. We employ harmonized electronic and physical security controls (e.g. access control, security monitoring) to bolster our ability to handle sensitive data, such as trade secrets.
Our commitment: guidelines and standards
Our Data Privacy Policy and the corresponding standards and procedures define our principles for processing personal data. This approach allows us to achieve a high level of data protection for our employees, contract partners, customers and suppliers as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European legislation, in particular the European Union General Data Protection Regulation (EU GDPR). We also take steps to meet local data privacy requirements, where these are stricter than our Group-wide standards.
Data privacy training
In line with the EU GDPR and our global approach to data privacy, we regularly conduct e-learning training courses in ten languages. We launched a content update to this training course in May 2021. Additionally, local Data Privacy Officers support the execution of our Group-wide training plan by conducting training for specific target groups on request.
IT tools for documentation
We maintain a central IT tool to provide a single source for data privacy processes, such as registering data processing activities and reporting potential data privacy incidents. In 2021, we began implementing a new, enhanced tool, which is expected to go live in 2022. Additionally, we use our corporate intranet for further communication, including answering data privacy questions and providing standardized templates. We registered no sanctioned complaints or incidents concerning breaches of customer privacy, data leaks, theft or loss of customer data in 2021. In three cases, minor personal data breaches were reported to the supervisory authority. These were not sanctioned.