Data privacy and cyber security

The mandate of our Group Data Privacy unit is to mitigate data privacy risks and to create a global framework for data privacy-compliant business operations. The unit helps train our employees to handle data responsibly and with clear accountability. It safeguards our company by providing data privacy risk assurance and by ensuring compliance with the relevant data privacy laws worldwide. Group Data Privacy also contributes to value creation in the development of digital business models.

It is of critical importance to our business to protect our information systems, their contents and our communication channels against any criminal or unwanted activities. These include e-crime and cyberattacks, such as unauthorized access, information leakage and misuse of data or systems.

Roles and responsibilities

Group Data Privacy is an independent function, organizationally integrated into Group Compliance and Data Privacy. We have a Group Data Privacy Officer and a network of local Data Privacy Officers at various sites Group-wide. In line with external regulations, the Data Privacy Officers and their respective teams act independently and without receiving internal or external instructions. Group Data Privacy regularly prepares data privacy updates and a comprehensive data privacy report. This report is submitted to the Executive Board and the Supervisory Board.

Cyber security is part of our Group Corporate Security Office. In addition, we have a Group Chief Information Security Officer and a network of Information Security Officers within the business sectors and Group functions. These officers hold risk ownership, act as our first line of cyber security defense and are supported by dedicated networks. Our global Cyber Security function acts as the second line of defense and is responsible for cyber security risk governance and oversight. Internal audit forms the third line of defense.

Our Cyber Security organization strengthens resilience against cyberattacks and data breaches. It defines policies and standards for cyber security (including data security) while providing oversight, tools and systems to manage and monitor our overall cyber security risk exposure. The organization is also responsible for providing cyber security monitoring and incident response capabilities across the entire company. Additionally, we train our employees on how to protect data properly.

Our commitment: Guidelines and standards

Our Data Privacy Policy and the corresponding standards and procedures define our principles for processing personal data. This approach allows us to achieve a high level of data protection for our employees, contract partners, customers, and suppliers as well as patients and participants in clinical studies. Our Group-wide understanding of data privacy is based on European legislation, in particular the European Union General Data Protection Regulation (EU GDPR). We are also taking steps to meet local data privacy requirements, where these are stricter than our Group-wide standards.

Our Group cyber security governance framework contains organizational, process-related and technical information security countermeasures based on recognized international standards. In addition, we apply harmonized electronic and physical security controls (e.g. access controls and security monitoring) to bolster our ability to securely handle sensitive data, such as trade secrets.

Training and IT tools

In line with the EU GDPR and our global approach to data privacy, we regularly conduct e-learning training courses in ten languages. In 2023, the completion rate for our e-learning courses was 99%.

We maintain a central IT tool that serves as the single source for data privacy processes, such as registering data processing activities and reporting potential data privacy incidents. In 2023, we reported seven minor personal data breaches to the supervisory authority. One of them concerned an identified leak, theft or loss of customer data. None of these cases resulted in sanctions.

Data Privacy                                                              2020  2021  2022  2023 Merck Group  2023 thereof: Merck KGaA
Reported violations of Data Privacy Guidelines                               3     3     4                 7                         0
Customer Privacy¹
Total number of substantiated complaints received from outside parties       0     0     0                 0                         0
Total number of complaints from regulatory bodies                            0     0     0                 0                         0
Total number of identified leaks, thefts, or losses of customer data         0     0     0                 1                         0

¹ These data only reflect incidents classified as significant.