Data Protection Notice for BD* Customers – Europe
BD is advancing the world of health by improving medical discovery, diagnostics and the delivery of care. In doing so, we collect, process and use large quantities of personal information. We collect and use information from customers, healthcare professionals, patients, business partners and other external parties with whom we interact. BD* takes data privacy seriously and believes that carrying out our business activities in compliance with applicable data protection laws and in accordance with sustainable corporate governance is fundamental to our business success.
This Data Protection Notice for BD* Customers – Europe (“Notice”) explains our practices as the responsible controller in relation to the collection, processing and use of personal data of individuals at BD’s customers and prospective customers who are located in the European Economic Area or Switzerland (or to whom EU data protection law otherwise applies). Such individuals may include healthcare professionals, procurement staff, technical or support staff and other staff members, as well as business contacts at hospitals, companies, institutions, purchasing organizations, distributors, wholesalers, agents and other intermediaries. If you fall into one of those categories, this Notice will help you understand what data BD may collect about you, how BD uses and safeguards that data, and with whom we may share it.
* In this Notice, BD or “we” means Becton, Dickinson and Company and all its worldwide subsidiaries and affiliates, including C.R. Bard and affiliates, each of which is referred to in this Notice as a BD Affiliate.
We may change this Notice periodically, so we encourage you to review it from time to time.
Summary of the Notice
What categories of personal data does BD collect about me and why?
BD will collect, process and use your personal data for a range of different purposes. For example:
What is personal data
- identification data
- professional data
- product data
- communication details
- to deliver products and services to you
- to provide customer service
- to provide marketing and customer relationship activities
- for product/service development and improvement
- to interact with you in relation to services or advice you provide to us
- for security and fraud prevention activities
- to comply with legal obligations
It’s important to know that BD does not collect any sensitive personal data about you.
Who might BD share my personal data with?
BD may share your personal data within BD, our service providers and business partners, and, in accordance with applicable law, governmental authorities, courts, external advisors, and similar third parties. Find out more here.
How long will BD keep my personal data for?
Your personal data is stored for as long as necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws. Find out more here.
What rights do I have in respect of my personal data?
You have a number of rights in relation to your data. These include a right to access, correct and erase your data, to object to certain types of processing activities as well as more technical rights to restrict the way we process it, and to transmit your data as part of data portability. Your rights are important, and we’ve set them out in detail here.
Who can I contact if I have questions?
If you have concerns or questions regarding your personal data, please let us know. Our contact details are at the bottom of this Notice.
Categories of Personal Data
BD may collect, process and use the following categories of personal data about you which have been obtained either from you or from certain third parties (e.g. your employer or the healthcare institution you work for, or other business contacts) (collectively, personal data):
- identification data, such as full name, academic title, business contact details;
- professional data, such as business name and type (e.g. the healthcare institution you work for), business website, area of expertise, job title and description, department, professional experience;
- product data, such as the types of products and services used or purchased by you or your employer and related data (including user ID);
- communication and interaction details, such as customer service requests, correspondence, notes of calls or meetings, and other customer care or technical service interactions;
- training data, such as details of product or clinical training received; and
- financial or payment data (in limited cases only), such as bank account numbers and dates and amounts of payments made or received.
Processing purposes and legal grounds for processing
Personal data is collected, processed, and used for the following purposes (collectively, processing purposes). Furthermore, BD relies on the following legal grounds for the collection, processing, and use of personal data:
|Processing purposes||Categories of Personal Data Involved||Legal Basis|
|Delivering products and services, including technical support and maintenance services.||Identification data; product data; communication details.||The processing is necessary for the purposes of the legitimate interests pursued by BD (Art. 6(1)(f) GDPR) – legitimate interests are stated in the first column.|
|Providing customer service and engaging in other communication with the Customer.||Identification data; product data; communication details.||The processing is necessary for the purposes of the legitimate interests pursued by BD (Art. 6(1)(f) GDPR) – legitimate interests are stated in the first column.|
|Marketing and customer relationship activities, which may include profiling or categorization of your potential interests in BD products and services for tailored marketing.||Identification data; professional data; product data; communication details.||The data subject has given consent to the processing of his or her personal data (Art. 6(1)(a) GDPR). The processing is necessary for the purposes of the legitimate interests pursued by BD (Art. 6(1)(f) GDPR) – legitimate interests are stated in the first column.|
|Product/service development and improvement of quality and functionality of products and services.||Product data.|
|Training records of clinical and other staff||Identification data; professional data;
|Security and fraud prevention activities such as prevention of fraud, misuse of IT systems, or money laundering, physical security, IT and network security, or internal investigations.||Identification data; professional data; communication details; product data; financial or payment data.||The processing is necessary for compliance with a legal obligation to which BD is subject (Art. 6(1)(c) GDPR).|
|Complying with legal obligations or standards, responding to and complying with requests and legal demands from regulators or other authorities in or outside of your home country, compliance with transparency laws governing interactions with healthcare professionals and equivalent laws and regulations, industry standards and codes such as the MedTech Europe Code of Ethical Business Practice, details of training given to distributors and other intermediaries relating to compliance.||Identification data; professional data; product data; communication details; financial or payment data.||The processing is necessary for the purposes of the legitimate interests pursued by BD (Art. 6(1)(f) GDPR) – as stated in the first column. The processing is necessary for compliance with a legal obligation to which BD is subject (Art. 6(1)(c) GDPR).|
The provision of personal data as described in this Notice is necessary for the processing purposes described above. While the provision of your personal data is generally voluntary, you may not be able to benefit from the processing purposes if you do not provide the personal data.
Categories of Recipients
You should expect that we will transfer your personal data to third parties for the processing purposes as follows:
- Within BD: Becton, Dickinson and Company, in the USA, and each BD Affiliate may receive your personal data as necessary for the processing purposes. Details of BD Affiliates can be found in the corporate filings published in the Investors pages of www.bd.com.
- With certain acquiring or acquired entities: If BD is sold or transferred in whole or in part, or if another entity is being acquired by or integrated into BD (or any similar transaction is being contemplated), your personal data may be transferred to the other entity prior to or after the transaction, subject to any rights provided by applicable law, including in jurisdictions where the other entity is located.
- With data processors: Certain service providers, such as IT support, logistics and marketing providers, will receive your personal data to process such data under appropriate instructions (processors) as necessary for the processing purposes, in particular to provide IT and other administrative support, to assist with compliance with applicable laws, and for other activities. The processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard your personal data, and to process the personal data only as instructed.
- With certain other third parties: Your personal data may need to be shared with professional advisors, regulators, governmental authorities and other similar bodies, for example where we have an obligation to be transparent about interactions we have with healthcare professionals or government officials in connection with our business.
Access to your personal data is generally restricted to those individuals that have a need to know or use that data in order to fulfill their job responsibilities.
You should expect that the recipients identified above which will receive or have access to your personal data may be located inside or outside the European Economic Area (“EEA”).
- For recipients located outside the EEA, some are certified under the EU-U.S. Privacy Shield and others are located in countries with adequacy decisions pursuant to Art. 45 GDPR (including Switzerland and Canada in particular), and, in each case, the transfer is thereby recognized as providing an adequate level of data protection from a European data protection law perspective.
- Other recipients might be located in countries which have not been recognized as providing an adequate level of protection from a European data protection law perspective (for example, the USA, India or Malaysia). We will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law.
- With respect to data transfers to countries not providing an adequate level of data protection, we will base the transfer on appropriate safeguards, such as standard data protection clauses adopted by the European Commission or by a supervisory authority (Art. 46(2)(c) or (d) GDPR), approved codes of conduct together with binding and enforceable commitments of the recipient (Art. 46(2)(e) GDPR), or approved certification mechanisms together with binding and enforceable commitments of the recipient (Art. 46(2)(f) GDPR). You can ask for a copy of such appropriate safeguards by contacting us as set out in Section 7 below.
- Data transfers to BD Affiliates are protected by standard data protection clauses adopted by the European Commission (Art. 46(2)(c) or (d) GDPR).
- Data transfers to processors which are neither certified under the EU-U.S. Privacy Shield nor in a country with an adequacy decision will typically also be protected by such standard data protection clauses.
Your personal data is stored for as long as is necessary to achieve the processing purposes for which the personal data is collected, in accordance with applicable data protection laws. When BD no longer needs to use your personal data for the purposes identified above, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations). If we anonymize data, they no longer qualify as personal data and can no longer be attributed to you, in which case we may use such data without further notice to you.
To determine the appropriate retention periods for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data, whether we can achieve those purposes through other means, and the applicable legal requirements.
Right to withdraw your consent: If, in accordance with applicable law, you have declared your consent regarding certain types of processing activities (in particular regarding the receipt of direct marketing communication via email, SMS/MMS, fax, and telephone), you can withdraw this consent at any time with respect to future processing by using the methods mentioned in the original or any related communication. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. You can also withdraw your consent by contacting us as set out below.
Additional data privacy rights: Pursuant to applicable data protection law, you have the right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; and/or (vi) object to the processing of your personal data. Below please find further information on your rights to the extent that the GDPR applies. Please note that these rights might be limited under the applicable local data protection law.
- Right to request access to your personal data: As provided by applicable data protection law, you have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access.
You have the right to obtain a copy of the personal data undergoing processing free of charge. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
- Right to request rectification: As provided by applicable data protection law, you have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to request erasure (right to be forgotten): As provided by applicable data protection law, you have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.
- Right to request restriction of processing: As provided by applicable data protection law, you may have the right to obtain from us restrictions on the processing of your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
- Right to request data portability: As provided by applicable data protection law, you may – in cases where processing is based on consent or the performance of a contract, and the processing is carried out through automated means – have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.
- Right to object: Under certain circumstances, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and in such circumstances we are required to cease processing your personal data. If you have a right to object and if you exercise this right, your personal data will no longer be processed for such purposes by us.
This online request form enables you to submit a request to exercise your rights under GDPR. Please fill out the below form and we will address your request.
You may exercise this right by contacting us as stated in Section 7 below. Such a right to object may, in particular, not exist if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded. If you have given your consent to receive direct marketing via email, SMS/MMS, fax, and telephone, you may withdraw your consent as explained above.
To exercise your rights please contact us as described below. You also have the right to lodge a complaint with the competent data protection supervisory authority in the relevant Member State (for example, the place where you live or work – contact details can be found here: https://edpb.europa.eu/about-edpb/board/members_en).
Questions and Contact Information
If you have any questions about this Notice, wish to contact BD’s Data Protection Officer, or if you wish to exercise your rights as mentioned above, please contact us at:
By email: email@example.com
Data Protection Officer
BD Switzerland Sàrl
Route de Crassier 17,
Business Park Terre-Bonne,
Bâtiment A4, 1262 Eysins,
Changes to this Notice
We may update this Notice from time to time in response to changing legal, regulatory or operational requirements. We will notify you of any such changes, including when they will take effect, by updating the “Last revised” date above or as otherwise required by applicable law.
Last revised: 22 November 2018