Data Protection Notice Fresenius Training

The processing of personal data is subject to the EU General Data Protection Regulation (“GDPR”). This data protection notice informs you about how Fresenius Kabi AG, Fresenius Medical Care AG & Co KGaA, Helios Kliniken GmbH, Vamed AG and their affiliates ("we" or "Fresenius") processes your personal data ("you") related to your participation in the Fresenius Training Offer und the performance of trainings.

By “personal data” we mean any information related to you.

By “processing” we mean any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

We take the protection of your personal data very seriously. All processing of personal data by us is governed by the General Data Protection Regulation of the European Union (“GDPR”). This Data Protection Notice informs you about how we process your personal data.

With this data protection information we explain to you in detail,

• Who is responsible for processing your personal data and who you can contact if you have questions or complaints (section 1)
• How we collect your data, what data we collect and for what purposes we process this personal data (sections 2.1 and 2.2)
• The legal basis on which we base this (Section 2.3)
• To whom we may transfer your data (Sections 3 and 4)
• How long we store your data (section 5)
• How you can update, correct or delete this data and exercise other rights in relation to your data (section 6)
• Why we need to obtain your data (section 7)
• Which cookies we use (section 8) and
• Further information and contact details (section 9)

1 Controller and contact

1.1 Controller

Your employer, i.e. the Fresenius company with which you have concluded your employment contract, is the controller under the GDPR for processing of your personal data, because this company uses your personal data in the context of your employment. Please refer to your employment contract for the address and name of your employer.

1.2  Data Protection Officer

We have designated a data protection officer. You can contact the data protection officer by sending a letter to his/her attention to the postal address of the respesctive controller or by e-mail:

• Fresenius Kabi: dataprotectionofficer@fresenius-kabi.com
• Fresenius Medical Care: datenschutzbeauftragter@fmc-ag.com
• Fresenius Helios: datenschutzbeauftragter@helios-gesundheit.de
• Fresenius Vamed: datenschutz@vamed.com

2  Processing of personal data

2.1 How we collect your data

In the course of using the websites, we collect and store certain data automatically. This includes: the IP address or device ID assigned to the respective terminal device, which we require for the transmission of the requested content (e.g. in particular content, texts and images), the type of respective terminal device, the URL of the previously visited website, the browser type and operating system used, as well as date and time.

We process personal data you provide to us when you fill in the mandatory fields in the contact forms for registration and the data you provide to us when participating in the training. Such personal data include your first name, last name, your email-address, your employee ID as well as optional data such as you age and data referring to the starting date of your contract. Furthermore, we process information related to your department, cost centre, role, your supervisor, your invoice as well as optional information regarding your professional and disciplinary leadership. For your registration we process your user-ID and registration data.

2.2 Purposes of Processing

We process the personal data to enable you to use the website and to participate in the trainings as well as to enable Fresenius to provide you with the offers for continuing education and training and to conduct the trainings.

We offer digital learning offerings via the Moodle learning platform. When you register for a digital course, your personal data, such as your username and email address, will be processed to provide you with the booked digital courses on the Moodle learning platform.

2.3 Legal Basis for Processing

Your personal data is processed on the basis of legal regulations that allow data processing because it appears necessary to carry out the employment relationship (Art. 88 GDPR, § 26 para. 1 Federal Data Protection Act (BDSG)), because it is necessary for the provision of the website/service to you (Art. 6 para. 1 lit.b GDPR) or because we have a legitimate interest in enabling you to participate in and enable us to carry out the training without your overriding interest (Art. 6 para. 1 lit. f GDPR).

3 Possible recipients or categories of recipients of your personal data

In order to fulfill these purposes, we may need to share your personal data with others. These are service providers, i.e. companies that offer us their products and services, such as providers of IT systems and IT support. Furthermore, your data can be shared with trainers who carry out the training with you. In addition, it is also possible for your personal data to be shared with the service providers for catering and room booking. They can also be shared with the hotels for any necessary room bookings. Apart from that we can share your personal data with the HR department and your superior to inform them about the course registrations and to obtain approval of the participation costs. 

4 International data transfers

In order to fulfill the previously mentioned purposes, it may happen that we transfer your personal data to recipients outside of Germany. Transfers within the European Economic Area (EEA) always take place in accordance with the uniform EU data protection level. Transfers to third countries always take place in compliance with the supplementary requirements of Art. 44 et seq. GDPR.

Your personal data may be transferred to certain third countries for which an adequacy decision of the EU Commission determines that an adequate level of protection exists in accordance with the uniform EU data protection level. The complete list of these countries is available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions

In general, EU standard contractual clauses are concluded with the recipient for transfers to other third countries. These clauses were issued by the EU Commission to safeguard such international data transfers and can be requested via the contact details mentioned in section 1.2.

Ultimately, personal data can be transferred on the basis of an exception according to Art. 49 GDPR.

5 Retention period

Your personal data in Training.Fresenius will be anonymized by an automated process six (6) months after course completion.

The Moodle user account for digital courses is available to you for the duration of a learning activity (at least for 6 months). However, the account will be automatically deleted after six (6) months of inactivity.

6  Your rights and your personal data

You have the following rights with respect to your personal data:

6.1 Right of access

You have the right to request from us information on which personal data about you we process at any time[1].

6.2  Right to rectification of incorrect data

If data about you is inaccurate, you have the right to obtain from us rectification of such data without undue delay[2].

6.3 Right to erasure

Under specific requirements you have the right to request from us the erasure of your personal data. In particular you may ask us to erase personal data, if (i) it is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the personal data has been unlawfully processed, (iii) you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, (iv) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which we are subject or (v) you withdraw your consent on which the processing is based and there is no other legal ground for the processing[3].

This does not affect the opportunity that you can delete your data independently within your profile. In this case your data will be deleted immediately and irrevocably.

6.4 Right to restriction of processing

You have the right to obtain from us restriction of processing, where one of the following applies: (i) The accuracy of the personal data is contested by you, processing will be restricted for a period enabling us to verify the accuracy of the personal data, (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead, (iii) we no longer need the personal data for the purposes of the processing, but are required by you to keep them for the establishment, exercise or defence of legal claims or (iv) you have objected to processing pursuant to Art. 21(1) GDPR and the verification whether our legitimate interests override yours is pending[4].

6.5 Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format[5].

6.6 Right to object

Right to object Pursuant to Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point e) or f) of Art 6 para. 1 GDPR. We will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the purpose of establishing, exercising or defending legal claims. In all of the above cases, please use the contact form or send your request to the postal or email address stated above.

6.7 Right to lodge a complaint

You also have the right to lodge a complaint with a supervisory authority[6]. A list of data protection supervisory authorities can be found here: https://edpb.europa.eu/about-edpb/board/members_en 

The right of complaint is without prejudice to any other administrative or judicial remedy.

7  Why we need your personal data

We need your personal data, otherwise we cannot guarantee that the training will run smoothly. Only by providing your personal data we have the opportunity to properly plan and manage the training.

8   Cookies

We use cookies to ensure that our website functions properly.

We therefore use so-called session cookies to maintain a usage session. Session cookies are small units of information in which a randomly generated identification number, the so-called session ID, is stored. These are saved in the main memory of your computer. Information about its origin and the storage period is also stored in a session cookie. These cookies cannot save any other data. The session cookie used here bears the designation "ci_session" and is automatically and immediately deleted as soon as you close our website again. You cannot reject this session cookie, as it is required for the proper use of the website.

The processing of the data takes place on the basis of legal regulations, which permit the data processing, because it is necessary for the intended and comprehensive provision of the website as well as the functionalities offered on it (§ 25 para. 2 No 2 Telecommunications Telemedia Data Protection Act (TTDSG), Art. 6 (1) (b) GDPR).

9  Further information for specific situations and contact

This data protection information informs you exclusively about the processing of personal data when participating in the Fresenius Training. Please be aware that we also might process your personal data in different contexts. Please see the respective specific information on the processing of your personal data in these situations.

If you have any questions on data protection at Fresenius, please contact us via the contact details mentioned in section 1.2.

[1] Art. 15 GDPR
[2] Art. 16 GDPR
[3] Art. 17 GDPR
[4] Art. 18 GDPR
[5] Art. 20 GDPR
[6] Art. 77 GDPR