Data Protection Notice

We appreciate your interest in Fresenius. Protecting your privacy is important to us and we want you to feel secure when visiting our websites. In the following, we would like to explain which data we collect via our websites fresenius-benefits.de, fre.fresenius-benefits.de and what happens with this data. However, our websites may contain links to websites that are not covered by this data protection notice.

The processing of personal data is subject to the EU General Data Protection Regulation (GDPR) and the Telecommunications Digital Services Data Protection Act (TDDDG). This data protection notice informs you about how your personal data and information is processed in your terminal equipment (e.g. laptop or smartphone) when using the websites and what data is involved.

"Personal data" means all information about you as data subject.

"Processing" means any operation performed upon personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

With this data protection notice, we explain to you in detail, in particular:

- who is responsible for the processing of your personal data and whom you can contact if you have questions or wish to make a complaint
  (Section 1)

- how we collect your data, what data we collect, for what purposes we process these personal data, on which legal bases we rely on in this regard and how long we store your personal data
(Section 2)

- to whom we may transfer your personal data
(Section 3)

- how you can update, correct or even delete your personal data and exercise other rights in relation to your personal data
(Section 4)
and

- in which other situations your personal data may be processed and how you can contact us
(Section 5).

1. Controller and contact details

The controller responsible for the processing of your personal data is:

Fresenius SE & Co. KGaA, Else-Kröner-Strasse 1, 61352 Bad Homburg, Germany

email: fresenius-benefits@fresenius.com

According to the GDPR, we are obliged to provide you with the contact details of the data protection officer. You can contact the data protection officer by sending a letter to the postal address of the controller for the attention of the Data Protection Department or by e-mail via dataprotection@fresenius.com

2. Processing of personal data

We process your personal data for the following purposes and on the basis of the following legal grounds:

2.1. Processing of your personal data when using the simulation calculators

Simulation calculators are offered to check your current options for certain benefits (company pension, long time account and pension scheme) and to plan your contributions. In particular, the following personal data is collected for the use of the simulation calculators:

- Contract data (date of entry, holiday, type of contract (e.g., vocational training or tariff employee, degree of employment, weekly working hours)

- Remuneration data (remuneration, amount of salary and variable payments as well as long time account balance)

- Personal data (date of birth)

- Private address data (federal state)

- Insurance data (health insurance status (e.g., private, statutory).

The data entered in the simulation calculators is used exclusively to calculate the respective benefits. The processing of the data is necessary for the calculation of the respective benefits in accordance with Art. 6 (1) (1) (b) GDPR.

The data is stored exclusively in the browser and is automatically deleted at the latest at the end of the browser session. Depending on the browser memory management, closing and then restoring the page or navigating "back and forth" within the browser history may result in the data being deleted and having to be re-entered.

2.2. Processing of your personal data as part of the Jubi Health Check

To register as an authorised employee for a Jubilee health check in accordance with the General Works Agreement, you must complete a registration form.

In particular, the following personal data will be collected from you as the applicant:

- Organisational data (group company, site)

- Name (salutation, name, first name)

- Personal data (date of birth)

- Identification code (staff code)

- Business address and contact details (street, street number, postal code, city, phone)

- Private contact details (e-mail address)

- Health data (appointment suggestions, desired additional services)

The data entered in the registration form will be transmitted to the registration recipient (healthcare service provider) and also sent to you by e-mail. The healthcare service provider processes your personal data as an independent controller.  The healthcare service provider will provide the necessary data, such as your name, first name and staff code, for the purposes of checking and billing, i.e. to take your Jubilee Health Check into account.

We process personal data for the purpose of the performance of the employment relationship with regard to health management based on Art. 6 (1) (1) (b) GDPR. Complementary purposes are also our tax return obligations based on Art. 6 (1) (1) (c) GDPR in conjunction with Sec. 25 (3), Sec. 8 (1) EstG, Sec. 2 (1) LSt-DV.

Your personal data will be deleted in accordance with applicable law. The data entered in the registration form is stored in the browser and is automatically deleted at the latest at the end of the browser session. Depending on the browser memory management, closing and then restoring the page or navigating "back and forth" within the browser history may result in the data being deleted and having to be re-entered.. As we are subject to retention obligations, we delete the personal data provided by the healthcare service provider after the respective retention period has expired (e.g. 10 years in accordance with Sec. 147 AO with regard to the receipt of benefits in kind).

2.3. Recording of technical characteristics when visiting the website

We collect information about your visit to our website, as we do with most other websites. When you visit our website, the web server temporarily records

- the domain name or IP address of your computer,

- the file request of the client (file name and URL),

- the http response code,

- the website from which you are visiting us,

- which Internet browser and which operating system you are using,

- the nature of their device,

- the date of her visit,

- as well as how long you've been here.

Your IP address is only recorded anonymously - shortened by the last block of numbers (octet). The logging of data is necessary for navigation through the pages and use of essential functions (section 25 (2) (2) TDDDG, Article 6 (1) (1) (b) GDPR). In addition, the data is used for the purpose of detecting and tracking abuse on the basis of the legitimate interests of data security and the functionality of the service (Article 6 (1) (1) (f) GDPR, section 25 (2) (2) TDDDG). In particular, no overriding interest of the data subject is opposed to a use for the defense against attempted attacks on our web server to ensure proper use. The data will neither be used for the creation of individual profiles nor passed on to third parties and will be deleted after seven days at the latest.

2.4. If you provide Fresenius with information by making a general contact

For the purpose of communicating with you, we process personal data that you provide when contacting us (in particular name, company, business contact details, content and nature of your enquiry). This is done on the basis of legitimate interest in external communication (Art. 6 (1) (1) (f) GDPR). In particular, as you have contacted us, there is no overriding interest of the data subject to the contrary. The data will be deleted after three years unless the processing of your request is not yet completed.

3. Possible recipients of personal data

In order to fulfill the aforementioned purposes, we may share your personal data in whole or in part with other group companies and/or service providers.

In addition, the following categories of recipients may receive your personal data:

- authorities, courts, parties to a legal dispute or their designees to whom we are required to provide your personal data by applicable law, regulation, legal process or enforceable  governmental order, e.g., tax and customs authorities, regulatory authorities and their designees, financial market regulators, public registries;

- auditors or external consultants such as lawyers, tax advisors, insurers or banks, and

- another company in the event of a change of ownership, merger, acquisition or disposal of assets.

3.1. International data transfers

In order to fulfill the aforementioned purpose, we may transfer your personal data to recipients outside Germany. Transfers within the European Economic Area (EEA) always take place in accordance with the uniform EU data protection level.

Transfers to third countries are always carried out in compliance with the supplementary requirements of Article 44 et seq. GDPR.

Your personal data may be transferred to certain third countries for which an adequacy decision of the EU Commission determines that an adequate level of protection exists in accordance with the uniform EU level of data protection. The full list of these countries is available here (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions).

As a rule, EU standard contractual clauses (“SCC”) are concluded with the recipient for transfers to other third countries. These have been issued by the EU Commission to safeguard such international data transfers and a copy can be requested via dataprotection@fresenius.com.

To transfer personal data outside the EEA among group companies of the business segments Fresenius Kabi (Fresenius Kabi AG and its affiliated companies) and Fresenius Corporate, we implemented binding corporate rules (“BCR”) approved by the data protection authorities in accordance with Article 47 GDPR. A copy of the BCR is available on our website (https://www.fresenius.com/de/datenschutz).

Ultimately, personal data may be transferred on the basis of an exceptional circumstance under Article 49 GDPR.

4. Your rights

According to the GDPR you are entitled to various rights. You have the right to access your personal data (Article 15 GDPR, section 34 et seq. BDSG), to correct incorrect personal data (Article 16 GDPR), to delete your personal data under certain circumstances (Article 17 GDPR, section 34 et seq. BDSG) and to restrict the processing of your personal data under certain circumstances (Article 18 GDPR).

If the processing is based on a contract and carried out by automated means, you have the right to receive personal data you provided to us in a structured, commonly used, machine-readable format and to transmit your personal data to another controller (Article 20 GDPR).]

Right to object on a case-by-case basis
In case the processing is based on Article 6 (1) (1) (e) or (f) GDPR including profiling based on those provisions, you have the right to object to the processing of your personal data on grounds relating to your particular situation (Article 21 (1) GDPR).

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the GDPR (Article 77 GDPR in conjunction with section 19 BDSG). The competent data protection authority for Fresenius is "Der Hessische Beauftragte für Datenschutz und Informationsfreiheit", Postfach 3163, 65021 Wiesbaden. The right of appeal is without prejudice to any other administrative or judicial remedy.

5. Further information on data processing in other contexts and our contact details

We may process your personal data in various other contexts, for example, when you visit our website www.fresenius.com. For the processing of your personal data in these situations, please refer to the specific information in each case. If you have any questions about data protection at Fresenius, please contact dataprotection@fresenius.com.