Privacy
| Disclosure requirement | Title with reference |
|---|---|
| S4 SBM-2 | |
| S4 SBM-3 | Material impacts, risks, and opportunities and their interaction with strategy and business model |
| S4-1 | Policies related to consumers and end-users |
| S4-2 | Process for engaging with consumers and end-users about impacts |
| S4-3 | Process to remediate negative impacts and channels for consumers and end-users to raise concerns |
| S4-4 | Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions |
| S4-5 | Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities |
Our impacts, risks, and opportunities [S4 SBM-3] Material impacts, risks, and opportunities and their interaction with strategy and business model
Digitalization opens up pivotal opportunities for high-quality, sustainable patient care. Yet it also requires meticulous handling of personal and especially sensitive medical data within the Group.
Our Group-wide data protection concept forms the foundation for offering high-quality healthcare services. Thanks to our resilient data protection concept, we have a positive impact on information security, both for patients' personal data and for the business segments' company data. The data protection concept also has a positive impact on communication between healthcare professionals and institutions; it furthermore supports data compliance during the implementation of research and development (R & D) activities and clinical studies, thus contributing to our goal of further improving healthcare.
However, inadequate data protection, possible data breaches, and data leaks can have a potential negative impact on our patients. These factors can also prevent us from delivering healthcare services effectively. In this context, there are short-term financial risks for the Group: Failure to comply with legal regulations and to effectively protect health data can lead to reputational damage, sanctions, and far-reaching compliance incidents.
Our approach [S4-1] Policies related to consumers and end-users
Group-wide data protection concept
We have to align high-quality standards with economical, efficient IT-supported processes in our regulated markets, and are always mindful of the sensitivity of and increasing need to protect the data and information we process.
The Group and its operating companies may process personal and other information of our
- patients,
- employees,
- customers, and
- suppliers, as well as other business partners.
We are committed to respecting and protecting the rights and freedoms of all data subjects. Personal data is processed only for purposes specified in each case and in accordance with legal requirements. We also require third parties with whom we share data for specified purposes, such as providing services, to comply with applicable data protection requirements.
To meet new requirements or accommodate new technologies, we continually evolve our data protection management systems and related data protection measures. The monitoring process for impacts, risks, and opportunities is explained in the standard ESRS 2, section GOV-1 Our sustainability organization. You will also find explanations of our internal controls, our activities in geographies, and information on the upstream and downstream value chain as well as our stakeholders.
Group-wide governance and responsibilities
At the Fresenius corporate level, the Sustainability Board member is accountable for data protection. The Data Protection Officer¹ of Fresenius SE & Co. KGaA reports directly to this person.
In 2024, the Group function Data Protection was introduced, headed by the Group Head of Data Protection. Business segment Heads of Data Protection were also established. Together, they form the Group Data Protection Management Team.
The Management of the business segments and Management Boards are responsible for implementing data-protection-related governance systems in their respective business segment. The business segments have defined responsibility for data protection, e.g., via a business allocation plan. The business segments' Data Protection Experts act independently in the performance of their duties and report to their respective management.
In addition, data protection is a regular topic of discussion in the Risk Steering Committee, which includes the Sustainability Board member, among others.
Apart from the above functions, Fresenius SE & Co. KGaA and all business segments maintain data protection organizations in line with their organizational and business structure, including the aforementioned independent Data Protection Experts. The data protection organizations support the management and specialist departments of the assigned companies in operational data protection issues and in complying with and adhering to the applicable data protection requirements in the respective countries. The respective Data Protection Experts are responsible for monitoring compliance with these requirements. They are the point of contact for national and international supervisory authorities and are supported internally by other specialists. Depending on the business segment, the Data Protection Experts are organized centrally, regionally, and / or locally. Their role is to advise Business Process Owners (BPOs) and other employees in the Group on data protection matters and to coordinate data protection activities. A BPO is a natural person in the company who is responsible for processes in which, among other things, data is processed.
The responsibility for operating data protection tasks lies with the respective expert functions, supported by the processes of the data protection management system. In certain topics, such as risk analysis, our compliance management system provides additional support.
Guidelines and regulations
The realization of data protection is a joint task of all employees of Fresenius. At the core of this is the commitment of all business segments and Fresenius SE & Co. KGaA to the careful handling of data and the right to informational self-determination, as specified in the Fresenius Code of Conduct and the business segments' Codes of Conduct. Further information on the corporate Code of Conduct can be found under the topical standard G1 Business conduct.
Moreover, we have implemented mandatory internal policies for data protection and the handling of personal data. Binding Corporate Rules (BCRs) have been established as the compliant data transfer mechanism for EU personal data transfers to third countries for Fresenius Corporate (Fresenius Management SE, Fresenius SE & Co. KGaA and all affiliates in the reporting segment Fresenius Group) and Fresenius Kabi (entities directly or indirectly controlled by Fresenius Kabi AG). Other legal entities in the Group utilize standard contractual clauses (SCCs) for the same purpose. The BCRs, SCCs, and the data protection policies of the other segments are complemented by further Group regulations, Standard Operating Procedures (SOPs), or working instructions and guidelines. The respective expert functions of the data protection organization make the applicable policies and SOPs available and comprehensible to stakeholders. Our guidelines apply to the geographies in which we operate production sites or healthcare facilities.
We also consider the upstream and downstream value chain if required due to contractual or regulatory provisions, e.g. in the aftersale service of medical technical equipment. Our stakeholder groups are explained in standard ESRS 2, section SBM-2 Stakeholders and partnerships.
Extensive data protection information is also provided. The Privacy Employee Notice informs employees about the data processing taking place in the respective company and is made available to them online and on bulletin boards. Additionally, data protection information is accessible on the Fresenius SE & Co. KGaA website www.fresenius.com.
To ensure compliance with data protection regulations, several functions in the Group perform regular monitoring activities. Internal Audit departments perform independent audits to enhance the effectiveness of risk management, control, and governance processes in all business segments. Data protection aspects are also taken into account based on risk. In this context, data protection measures, including guidelines and their implementation, are considered from a risk-oriented perspective. In 2024, eight audits focusing on data protection were conducted. The data-protection-related results from these audits are analyzed by the respective Data Protection Experts and are integrated into the continuous improvement of existing measures. Furthermore, Data Protection Experts, among others, perform regular specific data protection audits. We are also subject to external controls and, where necessary, carry out audits of business partners involved in our data processing activities, in some cases using third parties to do so.
In addition, data protection controls and data protection risk assessments are integral components of various internal control frameworks in the business segments. Findings on potential improvements from data privacy audits, risk assessments, and reviews are used to continuously improve our data protection processes.
Risk assessment
We regularly assess risks related to data protection, IT security, and information security using standardized methods. All business segments and Fresenius SE & Co. KGaA record their data processing activities in central IT applications and subject the data processing activities to a data protection review, including a risk assessment and, if necessary, a data protection impact assessment, as early as possible in the implementation process. In this context, the data protection experts support those responsible in preparing a data protection impact assessment, if required. This approach enables us to implement the data protection requirements through the use of appropriate technical and organizational measures in processing personal data and to minimize potential risks. Regular reviews are conducted to ensure that these measures remain up to date, for example with regard to technical developments. Our internal control system also supports the review of data protection controls and the performance of testing. Existing controls are also checked for their implementation. Additionally, it is the responsibility of the respective process owner to provide notification of relevant planned changes in data processing activities, thereby enabling a new data protection review to be conducted if necessary.
International data transfer
As a multinational organization operating globally, we assign high priority to ensuring an appropriate level of data protection in all international data transfers, as defined by the European Union’s General Data Protection Regulation (EU GDPR) and other international legal requirements. This includes our BCRs, supported by mandatory internal company policies and guidelines. BCRs ensure that participating companies establish a uniform level of data protection aligned with the EU-GDPR standards and contribute to the lawful processing of personal data internationally within the companies. We closely monitor the latest developments in the area of international data transfer and incorporate them into risk assessments and contract negotiations. Internally published templates are subsequently adapted. When data is processed in another country by third parties, the contractor undergoes a careful review. We take measures, such as additional safeguards like pseudonymization, to ensure compliance with privacy regulations and maintain an appropriate data protection level. The data protection departments are involved in all negotiations relating to data protection contracts.
Training
We train employees on current requirements and threats related to data protection and data security, using an extensive range of e-learning courses, face-to-face training, and other training measures. In doing so, we differentiate between specialist functions and responsibilities, the scope of training, and between voluntary and mandatory training. We supplement general training with training measures for specific employee groups. In this way, we ensure that employees entrusted with processing data are informed about the current legal situation and the corresponding internal requirements. Basic training on data protection is mandatory for all employees.
We inform new employees about the appropriate handling of sensitive data and oblige them to maintain confidentiality. Newly hired employees also receive online mandatory instruction in data protection within a defined period. It is furthermore specified when and how often evidence must be provided regarding the instruction of employees in data protection. Within our Group, this ranges from eight weeks for initial training courses to at least every two years for subsequent updated training courses.
We take the interests of patients into account through the procedures described in the following section on their involvement.
¹ In the following, the term Data Protection Expert is used as a synonym for the various functions and designations for those responsible for data protection, including Data Protection Officers.
Engaging with patients [S4-2] Processes for engaging with consumers and end-users about impacts [S4-3] Processes to remediate negative impacts and channels for consumers and end-users to raise concerns
Data subject rights
All business segments and Fresenius SE & Co. KGaA are committed to safeguarding the rights of data subjects by adequately informing them and by having established processes and tools in place to ensure that requests are answered sufficiently and in a timely manner. Fresenius informs data subjects – whether employees or external parties – about the processing of their data, such as collection and storage, via privacy notices. Via internal communication channels, we notify employees of any amendments to the data protection information that affect them.
We provide data subjects with information in a concise, transparent, intelligible, and easily accessible way, enabling them to understand what personal data we process about them. Requests can be evaluated and responded to at corporate or segment level, or both, and in the local language. Our technical and organizational measures, including the implementation of corresponding applications, are designed to safeguard the rights of data subjects in accordance with the EU-GDPR.
With these solutions, we aim to support data subjects in exercising their rights to access, rectification, restriction, objection, portability, and erasure of their personal data in a timely manner. We comply with such data subject requests or rights in accordance with legal requirements.
In order to inform our decisions and activities related to data protection, we frequently engage with specialists in the field who represent the interests of stakeholders such as patients and end-users of our products. These discussions and possible operational implementation are within the responsibility of the data protection organizations. Regular alignment meetings of experts from data protection and other departments such as IT ensure in dedicated committees that IT security, information security, and data protection topics are discussed. Based on the outcomes of these meetings, measures may be derived, or strategic decisions formulated and proposed to the respective management.
In addition, the Data Protection Experts regularly exchange information on best practices and initiatives during Group Coordination Meetings and conferences, jours fixes, and in other formats.
In principle, all personal data and company data is protected. Our patients’ health data, in particular, is subject to strict data protection regulations, and all data processing activities are checked for their legality and appropriateness. This also includes implementing appropriate technical and organizational measures to safeguard personal data.
Reporting systems
External parties and all employees of the Group may raise concerns regarding data protection via the existing reporting systems provided by a third-party processor, via dedicated email addresses, or via a contact form on the corporate website. We provide information about our whistleblower systems through our compliance organization. Data protection violations can also be reported via this system. Our data protection information also includes the contact details of the Data Protection Experts and general functional mailbox addresses that route directly to the respective data protection organization.
We promptly investigate and evaluate all reported indications of potential infringements and adjust our processes as necessary. When required, we report privacy breaches to the relevant authorities and inform affected individuals without undue delay and in accordance with legal requirements. The data protection organizations conduct their own investigations and document possible violations.
As detailed in the respective guidelines, incoming reports are treated confidentially to protect the reporting persons. The Data Protection Experts prepare reports on the number, type, and processing status of data protection incidents and data subject inquiries, which are communicated in accordance with the organizational structure explained above. If a negative impact on consumers or end-users has materialized, the effectiveness of corrective measures is reviewed.
The responsibility for this review lies with the responsible data protection organization. For detailed information on our reporting systems, their confidentiality, and the outcomes from the reporting year, please also see the topical standard G1 Business conduct.
In 2024, our audits and risk assessments of our reporting systems, of data protection compliance, and of risk controls took place at segment or local level. If necessary, their findings are remediated at the respective level. The effectiveness of identified risk-mitigating measures is evaluated and aligned with expert functions and affected departments. Measures to prevent the same or similar cases are identified and implemented from both a technical and an organizational perspective, such as encryption or working instructions. Findings resulting from audits are also used by the data protection organizations as an opportunity to implement risk-mitigating measures, where needed.
Our actions [S4-4] Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions
In the event of data protection breaches, additional protective measures or the adaptation of contractual clauses may be necessary to enhance the protection of rights and freedoms, depending on the severity of the breach identified. As no material data protection incidents were reported in 2024, Fresenius has not adopted any central measures in connection with identified impacts, risks, and opportunities.
We take specific actions when weaknesses are identified, new business areas are created, or regulatory requirements change. The projects undertaken in the reporting year to address the identified material impacts, risks, and opportunities are designed to support our employees in responding appropriately to instances of misconduct or non-compliance with our internal or external regulations. For example, we have proactively supported the design of the AI governance process and implemented a data-protection-specific risk assessment for AI applications, which serves in particular to ensure that we act within the framework of legal requirements.
We evaluate the effectiveness of our measures based on the reports and data protection incidents received as well as the results of audits and risk assessments, as described in section S4-3 Engaging with patients. We aim to achieve a positive impact on data protection for consumers and end-users through these activities.
The improvement and derivation of data protection measures is the subject of operational consulting in committees, in combination with the regular exchange with the data protection officers in our Group.
We are increasingly using artificial intelligence in our business activities, ensuring that data protection is a priority from the outset. Further information can be found in the company-specific standard Digital transformation in the section Ethics in digitalization.
Our goals and ambitions [S4-5] Targets related to managing material negative impacts, advancing positive impacts, and managing material risks, and opportunities
Our ambition is to avoid data protection violations. To achieve this goal, we measure our incidents and work to further refine metrics and KPIs in order to specifically identify data protection trends.
Through the described activities in the area of data protection, we aim to sensitize our employees to the importance of handling personal data in a compliant manner. We strive to equip them with extensive knowledge and careful handling practices to avoid data protection violations. Additionally, we want them to be able to identify any data protection violations immediately and take the necessary measures without delay.
We measure the effectiveness of our concepts based on the number of data protection breaches that occur and, if applicable, the recurrence of a similar incident. If these occur, an evaluation is carried out through a defined process. This can lead to actions being taken to prevent future breaches, the adaptation of internal guidelines, or the initiation of additional training. We continuously monitor our compliance with privacy laws and regulations through our risk assessment and monitoring activities.
Metrics S4-Company-specific
A total of 21 reports were submitted in 2024. In the reporting year, no data breaches were reported via the reporting channels that had a direct impact on the financial position or reputation of our company. The number is derived from the respective case category in the Group Compliance Case Management. For information on the system, the categories and the metrics, please refer to the topical standard G1 Business conduct.