Privacy statement
Welcome to our privacy page. At BioNTech, privacy means fair data processing and transparent communication.
This data privacy statement describes how we collect, use, store, disclose, and delete (together “process”) your personal data, when you visit our websites and use the functionalities on these websites (such as contact forms). We also inform you about your rights and how you can exercise them.
To make it easier for you to read our privacy statement, we segmented our data privacy statement into different parts. At first, we will give you general information on how we are processing personal data that applies for every processing we conduct. In the second part we will provide you information on the following processing situations:
- When you’re a visitor of one of our websites
- When you’re a healthcare professional
- When you’re an investor or interested party
- When you’re a job applicant
- When you are interacting with one of our social media accounts
You can read the general as well as the specific information by expanding the texts under the corresponding headings below. In certain processing scenarios, additional privacy statements are displayed that you should read. For example, there is a specific privacy statement for adverse event reporting, product quality complaints, and medical information requests.
BioNTech SE (“BioNTech”, “we”, “us”) are the “data controller” of your personal data, if not stated otherwise:
BioNTech SE
An der Goldgrube 12
55131 Mainz
Germany
Telephone: +49 6131 9084-0
Fax: +49 6131 9084-2121
E-Mail: data.privacy@biontech.de
This may involve the processing of personal data by affiliates of BioNTech SE and providers on behalf of BioNTech.
If you have any questions regarding the processing of your personal data or if you wish to exercise your rights as a data subject, please don’t hesitate to contact our global data privacy officer or the global data privacy team.
They can be reached at:
BioNTech SE
Data Protection Officer
An der Goldgrube 12
55131 Mainz
Germany
E-Mail: data.privacy@biontech.de
When we process your data, we follow the EU General Data Protection Regulation (GDPR). If we rely on legal bases outside the GDPR for processing your data, like country specific data privacy legislation, we will inform you accordingly. We are allowed to process your data for the following overarching purposes:
Responding to your requests
Where you have given your consent (Art. 6 (1)(a) GDPR), we will process your data for the consented purpose (e.g., to respond to your questions via our web form).
Legal and compliance requirements
We will process your personal information to comply with legal obligations (Art. 6 (1)(c) GDPR), including the disclosure of information in connection with a legal process or litigation.
Enabling business activities and pursuing our legitimate interests
Always provided that your data protection rights are not overridden by our legitimate interests (Art. 6 (1)(f) GDPR), we will process your data for various reasons such as providing you with a convenient website experience.
Fulfilment of contract and pre-contractual inquiries
We will process your personal information if this is required for the fulfilment of a service contract or to conduct pre-contractual actions (Art. 6 (1)(b) GDPR).
Besides the above stated regulations, the national data privacy legislation of Germany applies. This particularly applies for the Federal Data Protection Law (BDSG) and the German Telecommunications-Telemedia Data Protection Act (TTDSG). We will specify the legal basis in the respective subsections below.
Your personal data will be deleted as soon as the purpose required for processing has been fulfilled. Different retention periods may apply due to legal requirements.
The retention periods differ depending on the type of personal data collected and the purpose of the processing. The German Commercial Code and the German Tax Code for example require the storage a certain information from 6 up to 10 years.
We will specify the retention period in the respective subsections.
We have appropriate technical and organizational measures in place to protect your privacy and personal information. This includes measures against data loss, falsification, and unauthorized access. We choose service providers accordingly. However, data disclosure on the internet is at your own risk. Please contact our global data privacy team, if you have reasons to believe that your data is no longer secure with us.
In general, your personal data is only processed inside of BioNTech and not shared with third parties. In some cases, it may be necessary to share your personal data with associated companies or service providers. In such cases we have concluded respective data processing agreements (Art. 28 GDPR) or joint controller agreements (Art. 26 GDPR) to ensure the lawfulness of the transfer and secure your personal data.
Eventually, your personal data may be transferred outside of the European Union and the European Economic Area (together “Europe”). If we conduct such a transfer, there is an adequate level of data privacy in place by ensuring at least one of the following:
- Adequacy Decision of the European Commission according to Art. 45 GDPR that there is an adequate level of data privacy in the target country of the transfer.
- The conclusion of so-called Standard Contractual Clauses (SCC) that have been approved by the EU Commission in accordance with Art. 46 GDPR.
- The presence of Binding Corporate Rules (BCR) which were approved by an EU based supervisory authority after Art 47 GDPR.
We would like to inform you that we may be legally obliged to disclose personal data to authorities under certain circumstances. Depending on the legal reason, it is prohibited to inform you about the disclosure.
If BioNTech processes personal data, you are a data subject as defined by the GDPR and have the following rights:
- Right of access:
You have the right to request information about to request information about whether we process personal data about you and to request a copy of the personal data we process. - Right to rectification:
You have the right to rectify personal data of which you think is inaccurate or incomplete. - Right to erasure:
You have the right to request us to delete your personal data in some cases. - Right to restrict processing:
You have the right to request us to restrict the processing of personal data in some cases. - Right to data portability:
You have the right to request us if we transfer personal data you provided to us to another organisation. This doesn’t apply in certain cases. - Right to withdrawal of consent:
When you have given us a consent to process your personal data you can withdraw your consent anytime without having to fear negative effects. However, the withdrawal does not affect the lawfulness of the processing carried out until the withdrawal. - Right to object to processing:
In the case that we are relying our processing of your personal data on our legitimate interest (Art. 6 (1)(f) GDPR) you have the right to object to the processing on grounds relating to your situation.
You also have the right not to be subject to automated decision making. When you wish to exercise these rights, please contact our global data privacy team.
If you think that the processing of your personal data violates the GDPR you furthermore have the right to lodge a complaint with a supervisory authority. You can lodge this complaint to the authority in the member state of your habitual residence, place of work or the place where an alleged incident occurred in your opinion.
You can refer to the list of supervisory authorities of the European Data Protection Board to find the contact information of the corresponding authority.
We maintain various websites including its subdomains on which processing of personal data takes place when you visit them. In this section we will give you Information about this processing of your personal data.
To protect your personal data when you visit our website, we’re using SSL/TLS encryption on all sub-pages to prevent manipulation, sniffing or similar unauthorised data processing especially on transit. You can recognize the encrypted connection at the lock symbol next to the address bar of your browser. In general, you can use our website without having to provide us with personal data, beyond such data necessary for technical operation of the website or data you provide us in forms or similar occasions.
This privacy policy is valid for the following websites and its subdomains:
- www.biontech.com
- investors.biontech.com
- jobs.biontech.de and jobs.biontech.com
- mrnaverstehen.biontech.de
- pro.biontech.de and pro.biontech.com
- praxis.corminaty.de
- impfung.biontech.de
We (i.e., our web hosting provider) collect data on every access to the server (so-called server log files) your browser is providing to us.
No usage profiles are created in which these information and other personal data are linked.
Categories of personal data |
|
Purpose of the processing |
|
Legal basis |
|
Data subjects affected |
|
Recipients or categories of recipients |
|
Duration of processing or storage |
|
Use of cookies and third-party tools
We use cookies on our websites to ensure you have a convenient website experience. A cookie is a small piece of data (text file) that a website asks your browser to store on your device in order to remember information about you, such as your language preference or login information when you visit a website. Those cookies are set by us and are called first-party cookies. We also use third-party cookies for tracking the performance of our website or other marketing purposes. Please see our cookie statement for more information.
Plugins and embedded functions
We integrate third party content and tools (hereafter third party content) to enhance the functionality of the website, improve user experience while visiting the website and to ensure the website security. Such third-party content can be graphics, videos, stock prices or maps.
Every time when you visit a site which includes third-party content at least your IP-address is sent to this particular third-party content provider as part of the content delivery of your browser. Some third-party content providers may also include so called web beacons (invisible graphics to allow tracking activities) or set cookies on your device depending on the functionality of the third-party content.
Categories of personal data |
|
Data subjects affected |
|
Recipients or categories of recipients |
|
Purpose of the Processing |
|
Legal basis |
|
More information on plugins and embedded functions can be found in our cookie statement.
Contact via contact form or e-mail
When using the contact form or contacting us via e-mail, personal data is processed. The data entered will be transmitted to BioNTech. This section does not apply to adverse event reports or product quality complaints or medical inquiries. This specific privacy statement can be found here.
Purpose of the processing |
|
Categories of personal data |
|
Legal basis |
|
Data subjects affected |
|
Recipients or categories of recipients |
|
Duration of processing or storage | Your personal data will be deleted as soon as the purpose of the communication has been fulfilled. Different retention periods may apply due to legal requirements. If the communication can be deemed a business correspondence, we are obliged by the German commercial code to retain the communication for at least 6 years. If the communication is tax related the German Tax Code requires us to retain the data for 10 years. |
If you are a healthcare professional, we may process your personal data in the following ways in addition to processing for website visits as described in the section “Processing of personal data when you’re visiting our website”.
Access to restricted medical information
On our website praxis.corminaty.de, pro.biontech.de and pro.biontech.com, we’re providing medical information about our products to healthcare professionals. We are required by the German Health Services and Products Advertising Act to make such contents on our website exclusively accessible to expert groups after prior registration and authentication.
For this verification we are using the service of DocCheck and IQVIA.
DocCheck is used as a login provider via an Iframe on our website. After logging in to your DocCheck account you can select whether you would like to share your account information from DocCheck with BioNTech or not. If you select to use the HCP portal without sharing your profile information from DocCheck, DocCheck provides us with a unique identifier (pseudonym) and we get the information that a login request was successful.
Purpose of the processing | Verification of the status as a healthcare professional |
Categories of personal data |
|
Legal basis | Art. 6 (1)(c) GDPR. To fulfil our legal obligation to only make medical information accessible to healthcare professionals according to the German Health Services and Products Advertising Act. Your consent (Art. 6 (1)(a) GDPR) |
Data subjects affected | Healthcare professionals with interest on medical information |
Recipients or categories of recipients | DocCheck Community GmbH, Vogelsanger Strasse 66, D-50823 Cologne BioNTech employees BioNTech subprocessors |
Privacy Policy | |
Duration of processing or storage | We are storing your submitted information as long as this is required for marketing and contractual purposes. Please also refer to the privacy policy of DocCheck. |
If you register by creating a new account, we will verify your contact information by using the services of IQVIA. Therefore, we transmit your submitted information to IQVIA and they validate your status as a HCP in real time. If the validation was successful, your submitted profile information will be stored in our customer relationship data base.
Purpose of the processing | Verification of the status as a healthcare professional |
Categories of personal data | · Meta data (e.g., IP-Addresses) · Location data (e.g., approximate location based on IP-address or exact location when GPS) · Device information (e.g., installed fonts on the device or screen resolution) · Identification and contact information (such as name, surname, address, country, profession) |
Legal basis | Art. 6 (1)(c) GDPR. To fulfil our legal obligation to only make medical information accessible to healthcare professionals according to the German Health Services and Products Advertising Act. Your consent (Art. 6 (1)(a) GDPR) |
Data subjects affected | Healthcare professionals with interest on medical information |
Recipients or categories of recipients | BioNTech employees BioNTech subprocessors |
Duration of processing or storage | The data is deleted as soon as it is no longer required to achieve the purpose (marketing or contractual purposes) for which it was originally collected, or it is deleted if the user objects his/her consent. |
When you visit the HCP portal, we may also process the data generated during the use of our services in order to analyse how our offers are used, to improve our services and to send you suitable information and offers, if necessary. The legal basis is Art. 6 (1)(f) GDPR. If consent should be required as a legal basis for processing your data, we obtain such consent in advance.
We store collected personal data for the duration of the (pre-)contractual relationship, non-personal data may also be stored longer.
Contact via contact form or e-mail
When using the contact form or contacting us via e-mail, personal data is processed. The data entered will be transmitted to BioNTech. Through the contact forms you can submit normal contact requests, send medical requirements, or report side effects of our medical products.
Purpose of the processing | Handling of the contact request |
Categories of personal data | · Contact information (e.g., first, or last name, e-mail address) · Message content |
Legal basis | · Art. 6 (1)(f) GDPR. Our legitimate interest consists in the proper processing of the contact. · Art. 6 (1)(b) GDPR if the contact to us is in connection with an existing contractual relation or in a pre-contractual setting |
Data subjects affected | · (Possible) Investors · Persons who are interested in BioNTech |
Recipients or categories of recipients | · Hosting provider · Mail provider |
Duration of processing or storage | Your personal data will be deleted as soon as the purpose of the communication has been fulfilled. Different retention periods may apply due to legal requirements. If the communication can be deemed a business correspondence, we are obliged by the German commercial code to retain the communication for at least 6 years. If the communication is tax related the German Tax Code requires us to retain the data for 10 years. |
If you are a job applicant, we may process your personal data in the following ways in addition to processing for website visits as described in the section “Processing of personal data when you’re visiting our website”.
If your applying for a job with us, you submit personal data directly to BioNTech through our job portal and follow-up communications and/or through alternative channels (e.g., via professional recruiting firms). In our job portal at jobs.biontech.de we offer you the opportunity to submit an online application for a job offer at BioNTech. When you want to apply for a job offer you have to provide personal data, as we need personal data to check eligibility for the vacancy and for the conduction of the application procedure.
By submitting your personal data to us, you acknowledge that you have read and understand the privacy notice applicable for job applicants and agree to the use of your personal data as set out herein. You are not required to provide any requested information to us, but your failure to do so may result in our not being able to continue your candidacy for the job for which you have applied. You confirm that all of your representations are true and correct to the best of your knowledge and belief, and you have not knowingly omitted any related information of an adverse nature.
For the application process we use the Recruiting solution “SAP Success Factors” from SAP (Germany, EU, Andorra, Färöer Islands, Guernsey, der Isle of Man, Jersey, Switzerland, Great Britain: SAP SE, Dietmar-Hopp-Allee 16 in 69190 Walldorf, Deutschland; USA: SAP America Inc., 3809 West Chester Pike, Suite 200 in Newtown Square, PA 19073, USA). We have concluded a data processing agreement of personal data according to Art. 28 GDPR with SAP.
Purpose of the processing | Conducting the application process |
Categories of personal data | · Name, address data (e.g., address, ZIP Code) · Contact data (e.g., telephone number, email-address), · Application data (e.g., data from curriculum vitae or references) |
Legal basis | · § 26 (1) BDSG. Establishment of an employment relationship. · Art. 6 (1)(b) GDPR. If necessary, conduction of pre-contractual measures and the fulfilment of a contract. · Art. 6 (1)(a) GDPR. Consent regarding personal data you provide us voluntary beyond what is required for the application. |
Data subjects affected | · Applicants · Persons who are interested in working at BioNTech |
Recipients or categories of recipients | We only share your personal data with employees of BioNTech and subsidiaries who need the data to perform the recruitment process. In some cases, our recruitment and pre-employment screening activities are carried out for us by specialised service providers. We will share your personal data with their teams which require this data as part of their service. We will also share your personal data with local or overseas regulators or governments and law enforcement agencies where we are required to do so by law. These may be located in or outside the country where you live. We will share your personal data with our service provider SAP. If you are based in Germany, EU, Andorra, Färöer Islands, Guernsey, der Isle of Man, Jersey, Switzerland, Great Britain: SAP SE, Dietmar-Hopp-Allee 16 in 69190 Walldorf, Deutschland If you are based in the USA: SAP America Inc., 3809 West Chester Pike, Suite 200 in Newtown Square, PA 19073, USA |
Privacy statement | |
Duration of processing or storage | In principle, the data is deleted as soon as it is no longer required for the selection of applicants. In the case of unsuccessful applications, your personal data will be deleted six months after the rejection decision unless longer storage is required due to legal disputes. |
In addition, we would like to point out that you can also change or request the deletion of your application data in the application system at any time. We will then delete or completely anonymise the application data immediately. For more information on your data subject rights based on the GDPR and our data protection officer, please refer to our general privacy statement of this website.
If you receive an offer from us, we may conduct a background check on you or instruct a third party to do so on our behalf. Background checks will only be done where permitted by the law applicable to the location where the position is located and to the extent necessary and proportionate to the role that you are being offered. A background check will involve the validation of your former employers, certificates, trainings, and other CV data to the extent permitted by law. The legal basis for background checks is our need to perform precontractual measures concerning the establishment of our employment relationship. In case a background check is performed by a service provider on our behalf, you may be contacted by this service provider to request authorization for the release of your information, and at that time you will be provided with further information about the processing of your personal information and categories of data it might involve. The service provider will only process your personal information as long as it is required for the background check and will delete your data after having sent us a final report of the check.
Contact via contact form or e-mail
When using the contact form or contacting us via e-mail for application purposes, personal data is processed. The data entered will be transmitted to BioNTech.
Purpose of the processing | Handling of the contact request |
Categories of personal data | · Contact information (e.g., first, or last name, e-mail address) · Message content · Document data (e.g., if you are attaching any additional documents such as a CV) |
Legal basis | · § 26 (1) BDSG. If the contact to us is in connection with the establishment of an employment relationship. · Art. 6 (1)(b) GDPR. If the contact to us is in connection with an existing contractual relation or in a pre-contractual setting · Art. 6 (1)(f) GDPR. Our legitimate interest consists in the proper processing of the contact. |
Data subjects affected | · Applicants · Persons who are interested in working at BioNTech |
Recipients or categories of recipients | · Hosting provider · Mail provider |
Duration of processing or storage | Your personal data will be deleted as soon as the purpose of the communication has been fulfilled. Different retention periods may apply due to legal requirements. If the communication can be deemed a business correspondence, we are obliged by the German commercial code to retain the communication for at least 6 years. If the communication is tax related the German Tax Code requires us to retain the data for 10 years. |
We maintain publicly accessible profiles on various social networks. As the operator of theses presences on the social media platforms we are processing personal data, for example if we are communicating with you via the platforms or posting content and you interact with this content. Furthermore, we can access personal data you have publicly available on your social media profile.
In the case you’re visiting one of our social media profiles your personal data is also processed by the social media platforms themselves. This applies even if you don’t have a profile on the certain social media platform. The specific data processing operations and their extent differ depending on the operator of the respective social media platform and we have no influence regarding this processing by the platforms. More information regarding the processing of personal data through the social media platform can be found in their respective privacy statement.
For the most social media platforms it cannot be ruled out that a processing personal data is also taking outside of the European Union/European Economic Area. This means that a transfer of personal data into third countries without an adequate level of data privacy is possible and that there are possible difficulties regarding the enforcement of the rights of the data subject.
We maintain profiles on the following social media platforms:
We use LinkedIn a platform of the LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland to inform you about the latest developments and information about our company and products and to communicate with you and other interested parties. In addition, we are conducting recruiting activities to attract new employees and are marketing our products.
As mentioned above social media platforms like LinkedIn are conducting their own processing of your personal data on their own without any influence from our site.
Data Processing of BioNTech
We are processing your personal data in the following way when you are using LinkedIn:
Purpose of the processing | · Marketing · Communication with interested parties (e.g., users, investors, potential applicants) · Recruiting |
Categories of personal data | · Publicly available information from your profile (e.g., your name, current, employer) · Content data (e.g., if you comment our posts) · Probably meta/location data (e.g., if you include your location into a post on LinkedIn) |
Legal basis | · Art. 6 (1)(f) GDPR. Our legitimate interest to inform the public about our company in a business context and to communicate with parties who are interested in BioNTech. · Art. 6 (1)(a) GDPR. Consent regarding personal data you provide us voluntary. |
Data subjects affected | Interested parties (e.g., users, investors, potential applicants) |
Recipients or categories of recipients | LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland |
Country of possible recipients | A transfer into third countries like the USA cannot be ruled out. |
Duration of processing or storage | Your personal data will be deleted on our side as soon as the purpose required for processing has been fulfilled. Different retention periods may apply due to legal requirements. Comments under our posts are available until we delete the post you commented on. |
Regarding the above-described data processing LinkedIn is acting as our processor, and in some cases as a separate controller. We have concluded a data processing agreement in accordance with Art. 28 GDPR. This agreement can be found here: https://legal.linkedin.com/dpa. The data processing agreement has also incorporated the Standard Contractual Clauses to provide an adequate level of data privacy in case your personal data in transferred into a third country.
Data processing of LinkedIn
LinkedIn processes your personal data in different ways for different purposes. LinkedIn also uses cookies to track your activities on their website and other websites you visit. For more information regarding the processing conducted by LinkedIn please refer to their privacy statement: https://www.linkedin.com/legal/privacy-policy
LinkedIn offers you the possibility to Opt-out targeted advertising through the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
We are using Twitter a platform of the Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland to inform you about the latest development and information about our company and products.
As mentioned above social media platforms like Twitter are conducting their own processing of your personal data on their own without any influence from our side.
Data processing of BioNTech
We are processing your personal data in the following way when you are using Twitter:
Purpose of the processing | · Marketing · Communication with users (e.g., via direct message or interaction on our Twitter posts) |
Categories of personal data | · Publicly available information from your profile (e.g., your username, content of your bio) · Content data (e.g., if you comment on our posts) · Probably meta/location data (e.g., if you include your location into a post on Twitter) |
Legal basis | · Art. 6 (1)(f) GDPR. Our legitimate interest to inform the public about our company and to communicate with parties who are interested in BioNTech. · Art. 6 (1)(a) GDPR. Consent regarding personal data you provide us voluntary. |
Data subjects affected | · Users of Twitter · Unregistered users who visit our profile or tweets |
Recipients or categories of recipients | Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland |
Country of possible recipients | A transfer to third countries like the USA cannot be ruled out. |
Duration of processing or storage | Your personal data will be deleted as soon as the purpose required for processing has been fulfilled. Different retention periods may apply due to legal requirements. Comments under our posts are available until we delete the post you commented on. |
Regarding the above-described data processing Twitter is acting as our processor. We have concluded a data processing agreement with Twitter in accordance with Art. 28 GDPR. This agreement can be found here: https://privacy.twitter.com/en/for-our-partners/global-dpa The data processing agreement has also incorporated the Standard Contractual Clauses to provide an adequate level of data privacy in case your personal data in transferred into a third country.
Data processing of Twitter
Twitter processes your personal data in different ways for different purposes on various legal basis. This includes also tracking an analysing your usage of Twitter. For further information how Twitter is processing your personal data if you are using it, please refer to their privacy statement: https://twitter.com/en/privacy.
Twitter gives you a certain amount of control regarding their processing of personal data. For more information, see the following link: https://twitter.com/settings/account/personalization.
Linking to social media content
Within our website, we provide you with direct access to social media content (LinkedIn, Twitter) through links. The offers that can be accessed under the integrated link originate from the respective companies (hereinafter referred to as "social media providers") and do not represent social plug-ins that automatically forward your personal data to the social media provider. Only when you use the link and click on one of the social media buttons is personal data transmitted to the respective social media provider. The transmission ensures that the respective social media provider is aware of your IP address. Without your IP address, the social media provider cannot send the content to your browser.
By transmitting your IP address, the respective social media provider may also be able to assign your personal data to your user account, in case you are currently logged in with this account. If you do not want the assignment to your user account with the respective provider, you can log out of your user account before using the social media button.
An automated forwarding of your personal data to the social media providers by visiting our website and without clicking on the respective button does not take place.
The legal basis for the processing of your personal data is our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO. We integrate the content of social media providers into our site in order to provide you with useful information or to facilitate a process for you, without any further data processing.
We endeavour to use such content whose respective providers only use the IP address to deliver the content. Notably, we have no influence on the extent to which providers store the IP address for statistical purposes, for example.
The recipients of the personal data collected are the social media providers. We have no knowledge of the content and use of your personal data by them. Therefore, we cannot roll out that they process the collected data outside the European Union.
For more information, please visit the privacy statement of the social media providers:
LinkedIn: Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, a subsidiary of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA, Data Protection.
https://www.linkedin.com/legal/privacy-policy
Twitter: Twitter International Company, 26 Fenian St, Dublin, D02 FX09, Ireland, a subsidiary of Twitter Inc, 1355 Market St #900, San Francisco, CA 94103, USA, data protection.
The BioNTech’s internet presence may be subject to change, which means that it may be necessary to amend the data privacy statement accordingly. BioNTech reserves the right to change this data privacy statement at any time.
This data privacy statement was last updated: June 2023
