BioNTech SE ("BioNTech") takes the protection of your privacy very seriously. This privacy statement explains what data is processed and how it is processed when you report an adverse event (side effect) or product quality complaint, or submit a medical information request.
This privacy statement applies only to the reporting of adverse events, product complaints or medical information requests via web form, telephone, chatbot, e-mail or post.
The privacy statement for the use of BioNTech’s website in general can be found here: https://www.biontech.com/de/de/home/data-privacy-statement.html
Data controller of your personal data
Data Protection Officer at BioNTech SE
Data Privacy Officer
An der Goldgrube 12
D-55131 Mainz, Germany
Purpose and legal basis for the processing of personal data
We collect data from you that is necessary to process your report of an adverse event, product quality complaint or medical information request. We process your data collected when you contact us (e.g., by e-mail, web form, telephone etc.) in accordance with the data protection regulation of the European Union (General Data Protection Regulation / EU GDPR). The following legal bases for the processing of your personal data may be relevant in this regard:
Processing of personal information about you is required so that we can comply with our legal obligation (Art. 6 (1)(c) in conjunction with Art. 9 (2)(i) GDPR) to monitor and report adverse events and product quality issues. By law, pharmaceutical companies have to monitor, evaluate and take actions to prevent adverse events (side effects) for their medicinal products; this is called “pharmacovigilance”. Pharmaceutical companies also have to do the same for product quality issues. Pharmacovigilance helps to protect public safety and enables actions to be taken by national and international regulatory authorities as needed. Pharmacovigilance includes BioNTech making notifications to regulatory authorities, as well as the other activities required by law.
We may need to use your email address or telephone number that you have submitted to us to ask further questions in the case of adverse event reports and product quality complaints, or in order to respond to your medical information request.
Furthermore, processing of personal information about you for the purpose of responding to your request or investigating your complaint is based on our legitimate interest (Art. 6 (1)(f) GDPR) as we would not be able to respond to your request or report without processing your personal information.
When you contact us via telephone to report an adverse event, product quality complaint or medical information request, we may process your audio recording for training purposes relying on your consent (Art. 6 (1)(a) GDPR).
Categories of personal data
We generally only collect data that is necessary for handling and reporting adverse events and product quality complaints and for handling medical information requests. This can be the following data:
Your personal data according to Art. 4 (1) GDPR, which may include: your name, surname, initials, gender, residential address, age and date of birth, email address, phone number, and job title (if you are a healthcare professional who is reporting for a third party).
Special categories of personal data according to Art. 9 (1) GDPR, which may include medical diagnostic data, prescription data, other health related information such as relevant health information, any pre-existing conditions, concomitant medications, pregnancy, lactation, allergies, and disabilities.
Collection of your personal data
We collect personal data directly from you. The provision of your data is voluntary. However, non-disclosure may mean that we are unable to adequately evaluate your report, as queries remain unanswered.
If you contacted us via telephone and agreed to the recording of the call, we may process this recording for training purposes. We delete the recording once it is no longer needed for this purpose, and at the latest after six months.
You may revoke your consent at any time with effect for the future. Please address your revocation to firstname.lastname@example.org.
We may also collect data about you indirectly from third parties when they report an adverse event, product quality complaint or medical information request for you as a patient. This may include reports from, for example, your physician or other healthcare professional, a distributor of our products, another company within our group (if they receive information about adverse events), or another person (such as a family member or acquaintance).
Deletion and storage of data
We would like to inform you that in order to process your report/request, we may pass on your data to our order processors, to regulatory authorities, and under certain circumstances to subsidiaries and our collaboration partners.
However, data will only be passed on if this is necessary for the processing of your report and if there is a legal basis to ensure that we take appropriate measures to protect your data.
As a global company, we have various subsidiaries. If we share your data within the BioNTech Group, we have intercompany agreements for this purpose that specify data sharing in conjunction with applicable data protection laws.
We work closely with other pharmaceutical companies that partner with us regarding the distribution and promotion of our products. Where a collaboration partner is responsible for handling adverse event reporting, we will need to pass on your report to our partner.
If you would like to know more about our collaboration partners, please contact our data protection officer with your question at email@example.com.
Furthermore, we also work together with processors pursuant to Art. 28 GDPR. Processors are third-party service providers (e.g., data storage providers, call center providers) who process personal data while providing a service for us. If we commission such a service provider, we assure you that we will take appropriate protective measures regarding your personal data. Processors are required to keep your personal data secure and may not use your data for their own purposes.
National Regulatory Authorities or Other Regulatory Authorities:
We are required by law to report adverse events or certain product complaints to national regulatory authorities and EU or other regulatory authorities. For this purpose, data will be shared with them without direct personal identifiers (such as name and contact information). The relevant regulatory authorities become independent controllers of the data we transfer to them. They will use the data for the purposes described above, and their own privacy policies will apply to their use of the data.
Transfer of your personal data outside the European Union
Your data will initially be stored in the European Union. However, we may need to transfer your personal data to collaboration partners and regulatory authorities. These may be located outside the European Economic Area ("EEA") in a country for which the European Commission has not decided that an adequate level of data protection is ensured ("third country").
If your personal data must be transferred to a third country for drug safety purposes, we use the standard contractual clauses under data protection law (Art. 44 et seq. GDPR), which have been approved by the European Commission (https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_de), as an appropriate guarantee of an adequate level of data protection.
After your data is provided, it is stored directly on a server of our order processors and, if applicable, collaboration partners via an encrypted connection. All data is encrypted on the basis of the SSL procedure. BioNTech, order processors and partners use technical and organizational security measures to protect your collected data against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons. Our security measures are continuously improved in line with technological developments.
According to the GDPR, you as a data subject may have the following rights under specific circumstances:
- Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of your personal data. This enables you to have any incomplete or inaccurate personal data we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no legal or legitimate reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Request to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party). This is possible if your personal situation is overridden by our legitimate interest to process your data and if there is no other legal obligation that requires the processing of your data.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you under certain circumstances, e.g., if you want us to restrict processing while the accuracy of the personal data is being established.
- Request not to be subjected to automated decision-making. However, we do not use automated decision-making or profiling as part of our business operations in relation to adverse event and product complaint reporting or medical information requests.
You can exercise your rights by contacting our Data Protection Officer (see contact details above).
We will always try to help you if you want to exercise your rights, but in some cases, we may have legitimate reasons to refuse your request. If we cannot fulfil your request, for example because we have a legal obligation to retain the information, as in the case of adverse event reports, we will explain the reasons to you. If you disagree with a decision we make in connection with your request to exercise your rights, or believe that we are violating data protection laws in Europe, you may file a complaint with a European supervisory authority. You can refer to the list of supervisory authorities of the European Data Protection Board to find the contact information of the corresponding authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Updates to this privacy statement
We reserve the right to adapt or update this privacy statement at any time, in particular to reflect new legal regulations as well as technical developments.
Last updated: April 2023