Data Processing Terms Business Partners
BioNTech SE and its subsidiaries (“BioNTech”) are committed to protecting your privacy and the security of your data. This data privacy policy provides you with an overview of the processing of your personal data and/or your employees’ personal data in connection with our data protection obligations in accordance with Art. 13, 14 and 21 of the European General Data Protection Regulation (GDPR). We would like to ask you to share this information with any of your employees who are in professional contact with us.
Precisely which data is processed and in what way will largely depend on the form of cooperation with you or your query, or the requested or agreed services. We therefore ask you to bear in mind that not all of the statements in this document will apply to you. You can find more thorough and specific information in the contract we have entered into with you or can request this information from us or our data protection officer at any time.
Your personal data
This data privacy policy applies to all personal data that you provide us with as a “natural person” and business partner (e.g. as a consumer, contractor, customer, study participant etc.), employees of one of our business partners or as a party interested in establishing business relationships with you or your company.
Data controller for your personal data
The data controller in accordance with GDPR is:
BioNTech SE
An der Goldgrube 12
D-55131 Mainz
Germany
Tel: +49 6131 9084-0
Fax: +49 6131 9084-390
Email: info@biontech.de
Website: www.biontech.de
and/or the relevant BioNTech subsidiary with which you are in contact or have entered into a contract.
If you have questions about your personal data, you can reach the data protection officer of our corporate group at the aforementioned address or via telephone or email:
Tel: +49 6131 9084-1030
Email: data.privacy@biontech.de
Which of your personal data we process and why
We process the personal data that we have received from you in the context of a business relationship or query or from third parties in an authorized manner (e.g. to fulfil contracts or after consent has been granted) or that we generate in connection with the fulfilment of our contractual duties. In particular, this data concerns:
a. Interested parties and miscellaneous business partners:
- Personal/contact details (e.g. first name, surname, company if applicable, address, (mobile) telephone number, fax, email)
- Communication data in connection with correspondence (emails, written correspondence)
b. Customers
- Personal/contact details (e.g. first name, surname, company if applicable, (mobile) telephone number, fax, email)
- Contract and accounting data (e.g. bank details, goods ordered, invoice data)
- Communication data in connection with correspondence (emails, written correspondence)
- Legitimation data (e.g. ID papers), authentication data (e.g. signature sample), credit checks
c. Suppliers and service providers
- Personal/contact details (e.g. first name, surname, company if applicable, (mobile) telephone number, fax, email)
- Contract and accounting data (e.g. bank details, goods ordered, invoice data)
- Communication data in connection with correspondence (emails, written correspondence), legitimation data (e.g. ID papers), authentication data (e.g. signature sample)
d. Study participants
- Pseudonymized personal and study data
We primarily process your personal data in order to fulfil contracts with you or your company or in order to execute precontractual measures upon request. As part of our business relationship, you must provide us with the personal data that is required for entering into, executing and terminating a business relationship and for the fulfilment of associated contractual obligations or which we are legally obliged to collect. Without this data, we will usually not be able to enter into, execute or terminate a contract with you, or to implement your request for precontractual measures in order to enter into a contract with you. Should you not provide us with the necessary information and documents, we cannot enter into or continue your desired business relationship.
In addition, your personal data helps us to understand your interest in our company as well as our services and products. You also allow us to provide you with further information if you want it. Of course, we only collect from you the personal data that we require for these processing purposes.
The legal basis for our processing of your personal data
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), in particular on the basis of the following legal grounds:
To fulfil an agreement with the data subject (Art. 6 (1) (b) GDPR)
In these cases, personal data is processed to fulfil our contract with you or your employer.
To fulfil a legal responsibility (Art. 6 (1) (c) GDPR)
In terms of data processing, we are subject to various legal obligations; these include taxation laws, statutory invoicing duties, the fulfilment of queries and requirements of supervisory or law enforcement authorities as well as the fulfilment of tax-related inspection and reporting obligations. In addition, the disclosure of personal data may be necessary as part of official/judicial measures in order to secure evidence, prosecute crimes or to assert civil claims.
To protect our legitimate interests (Art. 6 (1) (f) GDPR)
In some cases, we process your personal data beyond the actual fulfilment of contracts in order to protect our own legitimate interests or those of third parties. Examples of legitimate interests are internal data processing in the proprietary CRM system or building/facility security measures (e.g. access or entrance controls).
Who receives your personal data for processing
Within the BioNTech corporate group
Within our corporate group, your personal data will be forwarded on a need-to-know basis to employees who are responsible for contact and contractual cooperation with you (including to fulfil precontractual measures).
As part of contract processing
In addition, your personal data may also be forwarded on a need-to-know basis to service providers who work for us in various areas as data processors, for example to service providers in administrative or IT fields (e.g. accounting, data archiving, data erasure, IT security and/or support or maintenance of IT facilities). These service providers are contractually obliged to also handle your data confidentially.
Other third parties
Apart from contact service providers, data is only forwarded to recipients outside of our business in compliance with applicable data protection stipulations. Recipients of personal data may include, for example:
- Public bodies and institutions (e.g. financial or law enforcement authorities)
- Credit and finance providers (processing of payment transactions)
- Tax advisers or financial, taxation and business auditors
- Collaboration partners: For example, we may forward product quality complaints and adverse events reports relating to BioNTech’s/Pfizer’s COVID-19 (SARS-CoV-2) vaccine products/clinical trials to our collaboration partner Pfizer Inc., but only on an appropriate legal basis, e.g. your consent in accordance with Art. 6 Para. 1 lit. a) GDPR, or due to a legal obligation to which we are subject in accordance with Art. 6 Para. 1 lit. c) GDPR. Without a legal basis, we will send only anonymized data to Pfizer.
Where your personal data will be processed
As part of a corporate group, we have business relationships with affiliated companies and external service providers both within and outside the European Economic Area (EEA), which we may also work with in connection with your personal data. In this respect, your personal data may also be accessed remotely in countries outside of the EEA for the purposes described in this data privacy policy. This may also affect countries in which the level of data protection is not comparable with that of the European Union (EU). Within our corporate group, we are committed to a high level of data protection. We will also only forward this data to external service providers if it is sufficiently ensured that the data recipient observes the high level of data protection under GDPR. Specifically, this is ensured through the conclusion of standard contractual clauses of the EU Commission in accordance with point c. of Article 46(2) GDPR (can be accessed at http://eur-lex.europa.eu) and through additional technical and organizational measures and guarantees.
How long we will process and store your personal data
We process and store your personal data insofar as is required to fulfil our tasks and contractual duties. If the data is no longer required for this purpose, it will be erased.
Exceptions may arise, for example in the following cases:
- To fulfil statutory storage duties, e.g. in accordance with the Commercial Code (HGB) and Fiscal Code (AO) or Medicinal Products Act (AMG). The storage and documentation periods stipulated by these acts are often between six and 15 years;
- To back up evidence in the context of statutes of limitations. In accordance with Section 195 et seq. of the German Civil Code (BGB), the statute of limitations is three years, but under special circumstances may extend to up to 30 years.
If data is processed in accordance with our legitimate interests or those of a third party, the personal data will be erased as soon as these interests no longer apply. The aforementioned exceptions apply in this case.
Your rights
If you have questions about data protection, complaints about our handling of your personal data or would like to assert the data subject rights stated in this data privacy policy, you can contact us at any time or send your query directly to our data protection officer.
If our response is not to your satisfaction or if you believe that we are unlawfully processing your personal data, you can also, under your right to objection in accordance with Art. 77 GDPR, contact the responsible data protection authority of the country in which you live, work or in which you believe the data protection breach occurred. The relevant supervisory authority for BioNTech SE is:
The State Officer for Data Protection and Freedom of Information
Postfach 30 40
55020 Mainz, Germany
Email: poststelle@datenschutz.rlp.de
Please bear in mind that other supervisory authorities may be responsible for our subsidiary companies.
In accordance with GDPR, you have the following rights as a data subject:
Right to information
You have the right to receive on request written information about your personal data processed by us in accordance with Art. 15 GDPR. This right is restricted by the exceptions of Section 34 BDSG, in accordance with which the right to information is waived if the data is only stored as a result of legal storage regulations or for data backup and data protection checks, the provision of information would require unreasonable effort and the misuse of data processing is prevented by suitable technical and organizational measures.
Right to correction
In accordance with Article 16 GDPR, you have the right to demand the immediate correction of personal data concerning you if it is inaccurate.
Right to erasure
In accordance with the requirements of Article 17 GDPR, you have the right to demand the erasure of personal data concerning you. These requirements apply in particular if: a) the purpose of processing in the individual case has been achieved or otherwise is no longer necessary, b) we have processed your data unlawfully, c) you have withdrawn consent without the data processing being able to continue on other legal grounds, d) you successfully object to the data processing or e) in cases where there is a duty to erase in accordance with the law of the EU or an EU member state to which we are subject. This right is subject to the restrictions under Section 35 BDSG, under which the right to erasure in particular may be waived in the event that non-automated data processing would mean that erasure is associated with unreasonably high effort and your interest in erasure is viewed as low.
Right to restriction of processing
In accordance with Art. 18 GDPR, you can request that we only process your personal data to a limited extent. This right applies in particular if: a) the accuracy of the personal data is disputed, b) you request restricted processing instead of erasure in accordance with the requirements of a legitimate desire for erasure, c) the data is no longer necessary for our purposes, but you still require the data for the enforcement, execution or defense of legal claims or d) the successful outcome of objection remains disputed.
Right to objection
In accordance with Art. 21 GDPR, you have the right, for reasons that result from your particular situation, to submit an objection against the processing of personal data concerning you, which takes place either in the public interest or to satisfy our legitimate interests. We will then cease processing your personal data, unless we can prove compelling reasons worth protecting for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims. If you object to the processing of your personal data for marketing purposes, we will absolutely cease such processing.
You can send an informal objection to the processing of your data with the subject “Objection”, including your name and your address, to the contact address of the data controller and the data protection officer of the BioNTech Group.
Right to data portability
In accordance with Art. 20 GDPR, you have the right to receive personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and have the right for us to transmit such data to another controller. The restrictions in accordance with Sections 34 and 35 BDSG apply to the right to information and erasure.