Privacy
| Disclosure requirement | Title with reference |
|---|---|
| S4 SBM-2 | |
| S4 SBM-3 | Material impacts, risks, and opportunities and their interaction with strategy and business model |
| S4-1 | Policies related to consumers and end-users |
| S4-2 | Processes for engaging with consumers and end-users about impacts |
| S4-3 | Processes to remediate negative impacts and channels for consumers and end-users to raise concerns |
| S4-4 | Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions |
| S4-5 | Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities |
Impacts, risks, and opportunities [S4 SBM-3] Material impacts, risks, and opportunities and their interaction with strategy and business model
Impacts, risks, and opportunities
Within the scope of the materiality analysis, Fresenius has identified one material impact and one material risk related to Privacy:
| Sub-sub-topic | Type of IRO | Value chain | Time horizon | Description |
|---|---|---|---|---|
| Information-related impacts for consumers and / or end-users | | | | |
| Privacy | Potential negative impact | Own operations | Short-term | Potential violation of patients’ privacy through data breaches [#28] |
| Privacy | Risk | Own operations | Short-term | Regulatory risk of data breaches [#29] |
Approach [S4-1] Policies related to consumers and end-users
Group-wide data protection concept
Fresenius has to align high-quality standards with economical, efficient IT-supported processes in its regulated markets. The company is also mindful of the sensitivity and increasing need for protection of the data and information it processes.
The Group and its Operating Companies may process personal and other information of patients, employees, customers, and suppliers, as well as other business partners.
Fresenius is committed to respecting and protecting the rights and freedoms of all data subjects. Personal data is processed only for purposes specified in each case and in accordance with legal requirements. Fresenius also requires third parties with whom it shares data for specified purposes, such as providing services, to comply with applicable data protection requirements.
The group-wide data protection concept is designed to counteract data protection violations and the resulting potential negative effects on patients as well as financial risks for Fresenius. Fresenius continually evolves the data protection management systems and related data protection policies, to meet new requirements or accommodate new technologies.
Group-wide governance and responsibilities
At the Fresenius corporate level, the Sustainability Board member is accountable for data protection. The Data Protection Officer¹ of Fresenius SE & Co. KGaA reports directly to this person. Due to an organizational change, the Group Head of Data Protection reports directly to the Management Board member Sustainability, as of February 1, 2026. Information on the responsibilities and requirements for the Management Board as well as the Supervisory Board is provided in standard ESRS 2 General disclosures, section GOV-1 Sustainability organization.
The Group function Data Protection is headed by the Group Head of Data Protection. Operating Company Data Protection Experts were also established. Together, they form the Group Data Protection Management Team.
The Management of the Operating Companies and Management Boards are responsible for implementing data-protection-related governance systems in their respective Operating Company. The Operating Companies have defined responsibility for data protection, e.g., via a business allocation plan. The Operating Companies Data Protection Experts act independently in the performance of their duties and report to their respective management.
In addition, data protection is a regular topic of discussion in the Risk Steering Committee, which includes the Sustainability Board member, among others.
In addition to the above functions, Fresenius SE & Co. KGaA and all Operating Companies maintain data protection organizations in line with their organizational and business structure, including the aforementioned independent Data Protection Experts. The data protection organizations support the management and specialist departments of the assigned companies in operational data protection issues. They help to comply with and adhere to the applicable data protection requirements in the respective countries. The respective Data Protection Experts are responsible for monitoring compliance with data protection requirements. They are the point of contact for national and international supervisory authorities and are supported internally by other specialists. Depending on the Operating Company, the Data Protection Experts are organized centrally, regionally, and / or locally. Their role is to advise Business Process Owners (BPOs) and other employees in the Group on data protection matters and to coordinate data protection activities. A BPO is a natural person in the company who is responsible for processes in which, among other things, data is processed.
The responsibility for operating data protection tasks lies with the respective expert functions, supported by the processes of the data protection management system. In certain topics, such as risk analysis, the compliance management system provides additional support.
¹ In the following, the term Data Protection Expert is used as a synonym for the various functions and designations for those responsible for data protection, including Data Protection Officers.
Guidelines and regulations
The realization of data protection is a joint task of all employees of Fresenius. At the core of this is the commitment of all Operating Companies and Fresenius SE & Co. KGaA to the careful handling of data and the right to informational self-determination, as specified in the Fresenius Code of Conduct and the Operating Companies’ Codes of Conduct. Further information on the Fresenius Code of Conduct can be found in the topical standard G1 Business conduct, section G1-1 Business conduct policies and corporate culture.
Moreover, Fresenius has implemented mandatory internal policies for data protection and the handling of personal data. Binding Corporate Rules (BCRs) have been established as the compliant data transfer mechanism for EU personal data transfers to third countries for Fresenius Corporate / Other (except Fresenius Health Services (FHS)) and Fresenius Kabi (entities directly or indirectly controlled by Fresenius Kabi AG). Other legal entities in the Group utilize standard contractual clauses (SCCs) for the same purpose. These BCRs and SCCs, and the data protection policies of the other segments, are complemented by further Group regulations, Standard Operating Procedures (SOPs), or working instructions and guidelines. The respective expert functions of the data protection organization make the applicable policies and SOPs available and comprehensible to internal stakeholders via tools. The guidelines apply to the geographical areas in which Fresenius operates production sites or healthcare facilities. Fresenius also considers the upstream and downstream value chain if required due to contractual or regulatory provisions, e.g., the after-sales service of medical technical equipment. Relevant stakeholder groups are explained in standard ESRS 2, section SBM-2 Stakeholders and partnerships.
Extensive data protection information is also provided. The Privacy Employee Notice informs employees about the data processing taking place in the respective company and is made available to them online and on bulletin boards. Additionally, data protection information is accessible on the Fresenius SE & Co. KGaA website www.fresenius.com.
To ensure compliance with data protection regulations, several functions in the Group perform regular monitoring activities. Internal Audit departments perform independent audits to enhance the effectiveness of risk management, control, and governance processes in all Operating Companies. Data protection aspects are also taken into account based on risk. In this context, data protection measures, including guidelines and their implementation, are considered from a risk-oriented perspective. In 2025, six audits focusing on data protection were conducted (2024: eight). The data-protection-related results from these audits are analyzed by the respective Data Protection Experts and are integrated into the continuous improvement of existing processes. Furthermore, Data Protection Experts, among others, perform regular specific data protection audits. Fresenius is also subject to external controls and, if necessary, conducts audits via third parties on business partners involved in data processing activities.
In addition, data protection controls and data protection risk assessments are integral components of various internal control frameworks in the Operating Companies. Findings on potential improvements from data privacy audits, risk assessments, and reviews are used to continuously improve the data protection processes.
Risk assessment
Fresenius regularly assesses risks related to data protection, IT security, and information security using standardized methods. All Operating Companies and Fresenius SE & Co. KGaA record their data processing activities in central IT applications and subject the data processing activities to a data protection review, including a risk assessment and, if necessary, a data protection impact assessment, as early as possible in the implementation process. In this context, the Data Protection Experts support those responsible in preparing a data protection impact assessment, if required. This approach enables Fresenius to implement the data protection requirements through the use of appropriate technical and organizational data protection measures in processing personal data and to minimize potential risks. Regular reviews are conducted to ensure that they are up to date, e.g., with regard to technical developments. The internal control system also supports the review of data protection controls and the performance of testing. Existing controls are also checked for their implementation. Additionally, it is the responsibility of the respective process owner to provide notification of relevant planned changes in data processing activities, thereby enabling a new data protection review to be conducted if necessary.
Fresenius has proactively supported the design of the AI governance process and implemented a data protection-specific risk assessment for AI applications, which is particularly intended to ensure compliance with legal requirements. Further information on the use of AI can be found in the company-specific standard S-Digital transformation, section AI governance policy.
International data transfer
As a multinational organization operating globally, Fresenius assigns high priority to ensuring an appropriate level of data protection in all international data transfers, as defined by the European Union’s General Data Protection Regulation (EU GDPR) and other international legal requirements. This includes the BCRs, supported by mandatory internal company policies and guidelines. BCRs should ensure that participating companies establish a uniform level of data protection aligned with the EU GDPR standards and contribute to the lawful processing of personal data internationally within the companies. Fresenius closely monitors the latest developments in the area of international data transfer and incorporates them into risk assessments and contract negotiations. Internally published templates are subsequently adapted. When data is processed in another country by third parties, the contractor undergoes a careful review. Data protection measures are being taken, such as additional safeguards like pseudonymization, to ensure compliance with privacy regulations and maintain an appropriate data protection level. The data protection departments are involved in all negotiations relating to data protection contracts.
Training
Fresenius trains employees on current requirements and threats related to data protection and data security, using an extensive range of e-learning courses, face-to-face training, and other training measures. A differentiation is made between specialist functions and responsibilities, the scope of training, and between voluntary and mandatory training. Fresenius supplements general training with training measures for specific employee groups. In this way, Fresenius ensures that employees entrusted with processing data are informed about the current legal situation and the corresponding internal requirements. Basic training on data protection is mandatory for all employees.
Fresenius informs new employees about the appropriate handling of sensitive data and obliges them to maintain confidentiality. Newly hired employees also receive mandatory online instruction in data protection within a defined period. It is furthermore specified when and how often evidence must be provided regarding the instruction of employees in data protection. This ranges from eight weeks for initial training courses to at least every two years for subsequent updated training courses.
Fresenius takes the interests of patients into account through the procedures described in the following section on their involvement.
Engaging with patients [S4-2] Processes for engaging with consumers and end-users about impacts [S4-3] Processes to remediate negative impacts and channels for consumers and end-users to raise concerns
Data subject rights
All Operating Companies and Fresenius SE & Co. KGaA are committed to safeguarding the rights of data subjects by adequately informing them and by having established processes and tools in place to ensure that requests are answered sufficiently and in a timely manner. Fresenius informs data subjects – whether employees or external parties – about the processing of their data, such as collection and storage or any amendments, via privacy notices.
Fresenius provides data subjects with information in a concise, transparent, intelligible, and easily accessible way, enabling them to understand which of their personal data is being processed. Requests can be evaluated and responded to at Group or Operating Company level, or both, and in the local language. Technical and organizational data protection measures, including the implementation of corresponding applications, are designed to safeguard the rights of data subjects in accordance with EU GDPR.
With these solutions, Fresenius aims to support data subjects in exercising their rights to access, rectification, restriction, objection, portability, and erasure of their personal data in a timely manner. Fresenius complies with such data subject requests or rights in accordance with legal requirements.
Frequent engagement with specialists in this field serves as the basis for decisions and activities related to data protection, to represent the interests of stakeholders such as patients and product end-users. These discussions and their possible operational implementation are within the responsibility of the relevant data protection organizations. Regular alignment meetings of experts from Data Protection and other departments, such as IT, in dedicated committees ensure that IT security, information security, and data protection topics are discussed. Based on the outcomes of these meetings, activities may be derived, or strategic decisions formulated and proposed to the respective management.
In addition, the Data Protection Experts regularly exchange information on best practices and initiatives during Group Coordination Meetings and conferences, jours fixes, and in other formats.
In principle, all personal data and company data is protected. Patients’ health data, in particular, is subject to strict data protection regulations. This also includes implementing appropriate technical and organizational data protection measures to safeguard personal data.
Reporting systems
External parties and all employees of the Group may raise concerns regarding data protection either via the existing reporting systems provided by a third-party processor or dedicated email addresses, or contact forms on Fresenius websites. Fresenius provides information about its whistleblower systems through its compliance organization. Data protection violations can also be reported via this system. Fresenius data protection information includes, in addition, contact details of the Data Protection Experts and general functional mailbox addresses directly routing to the respective data protection organization.
Fresenius promptly investigates and evaluates all reported indications of potential infringements and adjusts its processes as necessary. The effectiveness of reporting channels is measured as part of the reporting review and documentation process. When required, Fresenius reports privacy breaches to the relevant authorities and informs affected individuals without undue delay and in accordance with legal requirements. The data protection organizations conduct their own investigations and document possible violations.
As detailed in the respective guidelines, incoming reports are treated confidentially to protect the reporting persons. The Data Protection Experts prepare reports on the number, type, and processing status of data protection incidents and data subject inquiries, which are communicated in accordance with the organizational structure explained.
If a negative impact on consumers or end-users has materialized, the effectiveness of corrective measures is reviewed. To this end, an assessment is made as to whether cases that have already occurred can be avoided in the future. In addition, depending on the severity of the negative effects, additional controls are implemented. The responsibility for this review lies with the responsible data protection organization. For detailed information on reporting systems, their confidentiality, and the outcomes from the reporting year, please also see the topical standard G1 Business conduct.
In 2025, audits and risk assessments of reporting systems and of data protection compliance and control of risks took place at segment or local level. If necessary, identified cases of non-compliance with data protection regulations are remediated on the respective level. Effectiveness of identified risk-mitigating measures is evaluated and aligned with expert functions and affected departments. Measures to prevent the same or similar cases are identified and implemented from both a technical and organizational perspective, such as encryption or working instructions. Findings resulting from audits are also used by the data protection organizations as an opportunity to implement risk-mitigating measures, where needed.
Actions [S4-4] Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions
In the event of data protection breaches, additional protective measures or the adaptation of contractual clauses may be necessary to enhance the protection of rights and freedoms, depending on the severity of the breach identified. As no material data protection incidents were reported in 2025, Fresenius has not adopted any central measures in connection with the identified impact and risk.
When weaknesses are identified, new business areas are created, or regulatory requirements change, specific actions are taken.
Fresenius generally evaluates the effectiveness of the existing data protection measures based on the reports and data protection incidents received as well as the results of audits, risk assessments and internal controls, as described in section S4-3 Engaging with patients in this standard. Fresenius’ objective is that the actions taken should contribute positively to the data protection of consumers / end-users.
Improving data protection and deriving the corresponding measures is addressed through operational consulting in committees, in conjunction with the regular exchange with the Data Protection Experts in the Group.
Fresenius is increasingly using artificial intelligence in its business activities, ensuring that data protection is a priority from the outset. Further information can be found in the company-specific standard S-Digital transformation in the section AI governance policy.
Goals and ambitions [S4-5] Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities
Fresenius’ ambition is to avoid data protection violations. To achieve this goal, the company measures its incidents and works to further refine metrics and key performance indicators (KPIs) in order to specifically identify data protection trends.
Through the described activities in the area of data protection, employees should be sensitized to the importance of handling personal data in a compliant manner. Fresenius thereby strives to equip them with extensive knowledge and careful handling practices to avoid data protection violations. Additionally, they should be able to identify any data protection violations immediately and take the necessary measures without delay.
The effectiveness of these concepts is measured based on the number of data protection breaches that occur and, if applicable, the recurrence of a similar incident. If these occur, an evaluation is carried out through a defined process. This can lead to actions being taken to prevent future breaches, the adaptation of internal guidelines, or the initiation of additional training. Fresenius continuously monitors compliance with privacy laws and regulations through risk assessment and monitoring activities.
Metrics [MDR-M] S4-Company-specific
Reports received regarding data breaches
A total of 33 reports were submitted in 2025 (2024: 21). No severe data protection incident was reported through the whistleblowing systems during the reporting year that had a direct impact on the company’s financial position or reputation, or required an adjustment of existing management approaches (2024: 0). However, there were data protection breaches that were reviewed and addressed within the framework of the existing management approaches. These incidents were assessed and resolved in accordance with internal processes, without the need for fundamental adjustments to the control mechanisms. For information on the system, the categories, and the metrics, please refer to the topical standard G1 Business conduct, section compliance reports.