Privacy

Privacy policy

Thank you for visiting the website of Biotest AG (hereinafter referred to as Biotest) and for your interest in our company, our products and our websites.

The protection of your privacy when using our website is very important to us. Therefore, we would like to inform you about how we at Biotest handle your data. This data protection information explains how and for what purposes Biotest processes your personal data and what rights and options you have in this regard. It applies to all personal data that you provide to Biotest or that results from your contractual relationship or other interaction with Biotest. In our Cookie Notice also tells you how we collect data through the use of cookies or other web tracking or analytics technologies and how we use it.

WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA

Biotest AG, Landsteinerstraße 5, 63303 Dreieich, Germany, is the data controller for all personal data that you provide to us in the context of our existing business relationship or for the purpose of a prospective business relationship. You can reach us by e-mail at datenschutz@biotest.com or by telephone at +49 - 6103 / 801 - 0.

VISITING OUR WEBSITE

In order to enable you to visit the website, the following data is collected, stored and used:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Operating system and its access status / HTTP status code
  • Amount of data transferred
  • Website from which the request comes
  • Browser, language and version of the browser software

The data processing of this access data is absolutely necessary to enable the visit of the website, to ensure the permanent operability and security of our systems as well as for the general administrative maintenance of our website. The access data is also temporarily stored in internal log files for the purposes described above, for example in order to find the cause of and take action against repeated or criminal calls that jeopardise the stability and security of our website.

The legal basis is Art. 6 para. 1 lit. b GDPR, insofar as the page call is made in the course of the initiation or execution of a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in enabling website access as well as the permanent functionality and security of our systems.

The log files are stored for 90 days.

CONTACT

You have the option of contacting us on varius topics using the contact forms on our websites. In this context, we process data exclusively for the purpose of communicating with you. For this purpose, we require mandatory information on your first and last name as well as your e-mail address. The mandatory information is marked with an asterisk. Optionally, you can provide information on your title, your institute, your department as well as your address, telephone number and fax number for better allocation of your request.

The legal basis is Art. 6 para. 1 lit. b GDPR, insofar as your information is required to answer your enquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in you contacting us and us being able to answer your enquiry. We only make promotional telephone calls if you have given your consent for this. If you are not an existing customer, we will also only send you promotional e-mails on the basis of your consent. In these cases, the legal basis is Art. 6 Para. 1 lit. a GDPR.

The data we collect when you contact us will be automatically deleted once your enquiry has been fully processed, unless we still need your enquiry to fulfil contractual or legal obligations (see "How long do we store your data").

REGISTRATION FOR THE CONGRESS AND TRAVEL ORGANISATION

After you have received the relevant access data from us, you can register on our website. There you have the possibility to register for the respective congress. Here you will be required to enter your contact information such as full name, work address, e-mail address, private address (street number postcode, city, country), title, institute and department. If you would also like us to organise your arrival and departure as well as your stay during the congress, we need information on your departure airport/railway station, the mode of arrival, arrival and departure dates as well as the flight/railway number.

In connection with registering for and granting access to an event or seminar, we may request information about your health in order to identify and accommodate any disability or special nutritional needs you may have. Any such information will only be used with your consent. If you do not provide us with information about disabilities or special dietary needs, we will not be able to make appropriate arrangements.

The legal basis for handling your personal data follows from Art. 6 (1) lit. b GDPR, as a contract is created between you and Biotest AG when you register for a congress.

In order to be able to carry out your registration and travel booking, personal data will be passed on to congress organisations, travel agencies and hotels. In this context, it cannot be ruled out that your data will be forwarded to third countries that do not have an adequate level of data protection (e.g. USA). Please contact the respective hotel chain for information on data processing.

AREAS RESERVED FOR TRADE VISITORS

Due to the Therapeutic Products Advertising Act, more detailed information on therapy products can only be viewed in a password-protected area. Access to these closed portals is via DocCheck password. In order to access these pages, you must register as a user with DocCheck Medical Services GmbH (www.doccheck.de). We use this data exclusively to check your access authorisation. This information will not be used as a basis for further contact with you unless you have given us your express permission to do so. In doing so, we send an authentication request to DocCheck each time you register for the protected area, which is checked there without giving us any indication of your identity.

REPORTS OF SUSPECTED ADVERSE DRUG REACTIONS

In the context of reporting adverse drug reactions or other information relevant to drug safety concerning a Biotest product, we use and share this data exclusively for drug safety purposes. The completed reporting forms are treated as strictly confidential with regard to all personal data in accordance with the provisions of the DS-GVO and the German Federal Data Protection Act ("BDSG"). All data of an adverse reaction report are recorded in a database and assessed by medical or pharmaceutical staff for the specific case and, if available, in the context of other similar cases.

The printed report form is sent by e-mail, post or fax. In accordance with legal requirements, Biotest must forward suspected adverse drug reactions that meet certain criteria to authorities worldwide.

For further information on how to handle a report of adverse drug reactions, retention period, information requirements on the handling of your personal data, etc., please refer to our detailed data protection notice on drug safety https://www.biotest.com/de/de/kontakt/melden_von_verdachtsfaellen.cfm.

MEDICAL ENQUIRIES

In the context of medical enquiries, we process the personal data you provide to us in order to

  • process your enquiry;
  • add your enquiry to our medical information database;
  • contact you for follow-up questions and clarification;
  • ensure the quality and safe use of our products; 
and
  • provide you with a response to your enquiry.

Depending on local regulations and regulatory requirements, our response may need to take into account whether you are a Health Care Professional.

The data processing is based on our legitimate interest to respond to your enquiry and to comply with documentation and record-keeping obligations (Art. 6 (1) (f) GDPR).

Please note that enquiries regarding personal health aspects and individual therapy recommendations cannot be answered.

HOW WE PROTECT YOUR PERSONAL DATA

To protect your personal data, we take physical, electronic and procedural security measures that comply with current state of the art and legal data protection requirements. These safeguards include the implementation of certain technologies and procedures to protect your privacy, such as secure servers, firewalls and SSL encryption. We will at all times act in accordance with applicable laws and regulations relating to the confidentiality and security of personal data.

WITH WHOM WE SHARE YOUR PERSONAL DATA

We may share your personal data as follows:

  • with our affiliates within the Biotest Group worldwide when and to the extent necessary for the permitted purposes described above and as permitted by law. In such cases, these companies will only use the personal data for the same permitted purposes and under the same conditions as described above. Please find a list of all Biotest Group companies including contact addresses on our website (https://www.biotest.com/de/de/unternehmen/biotest_im_ueberblick/biotest_weltweit.cfm).
  • with the Grifols Group (majority shareholder of Biotest AG and in some countries the contracted local distribution partner), when and to the extent necessary for the permitted purposes described above and as permitted by law. You can find Grifols' data protection information on their website: https://www.grifols.com/en/corporate-website-privacy-notices
  • with service providers (so-called processors) within or outside the Biotest Group in Germany or abroad (e.g. shared service centres or cloud providers) who have been commissioned by us to process personal data on our behalf and exclusively in accordance with our instructions for the permitted purposes. Biotest retains control over and responsibility for your personal data and will take appropriate safeguards as required by applicable law to ensure the integrity and security of your personal data when engaging such service providers.
  • with courts, law enforcement agencies or other competent authorities or lawyers to the extent permitted by law and necessary to comply with a legal obligation or to establish, assert or defend legal claims.
  • with credit reference agencies and other companies in the context of credit decisions, for the prevention of fraud and for debt collection.
  • with IQIVIA Commercial GmbH & Co. OHG we provide information about the specialisation of medical professionals (such as doctors and pharmacists in particular) for the purposes of information and advice.
  • In addition, your personal data may also be disclosed to third parties when we sell or buy parts of a company or assets, in which case we may disclose personal data to the potential buyer or seller and their advisors. If Biotest or substantially all of its assets are acquired by a third party, the personal data we hold about customers and other contacts will be part of the transferred assets.
  • Otherwise, we will only disclose your personal data if you instruct us to do so or give your consent, if we are required to do so by law or under a court or regulatory order, or if we suspect fraudulent or criminal activity.

HOW LONG DO WE KEEP YOUR PERSONAL DATA

We will retain your personal data for as long as is necessary to provide the services or products ordered or information requested and to carry out and manage our business relationship with you. If you have requested us not to contact you, we will retain that information for as long as necessary to comply with that request. In addition, we are legally obliged to retain certain types of personal data for certain periods of time (e.g. due to retention obligations under commercial or tax law). Your personal data will be deleted immediately when it is no longer required for these purposes.

YOUR RIGHTS

Under certain conditions laid down by law, you may request information about your personal data, its correction or deletion, or the restriction of its processing. You may also object to processing or exercise your right to data portability. In particular, you have the right to request a copy of the personal data we hold about you. If you make such requests repeatedly, we may charge a fee for this. For more detailed information on your data protection rights, please refer to Articles 15-22 of the GDPR.

If you have consented to the processing of your personal data, you may withdraw your consent at any time with future effect, i.e. the withdrawal of consent does not affect the lawfulness of the processing based on the consent prior to the withdrawal. In the event of a withdrawal of consent, we will only continue to process the personal data if there is another legal basis for the processing or if we are legally obliged to do so.

To make any of the above requests, please send a brief description of the personal data in question, including your name and, if applicable, your customer number or other identification number as proof of identity, to the contact address below or by e-mail to datenschutz@biotest.com . We may require additional proof of identity to protect your personal data against unauthorised access. We will carefully consider your request and, if necessary, discuss with you how we can best comply with it.

In accordance with Article 21(2) of the EU General Data Protection Regulation ("GDPR"), you have the right to object to the processing of your personal data for marketing purposes, including profiling as described above. We will only communicate with you for marketing purposes (e.g. through emails and telephone calls to a selected group of recipients such as doctors and pharmacists) if you have expressly consented to this in advance, where required by law. You have the option to withdraw your consent at any time if you no longer wish to receive marketing-related information from us.

If you have any concerns about how we process your personal data or wish to make a complaint, you can contact us at the contact address below to have this investigated. If you are not satisfied with our response or believe that we are not processing your personal data in accordance with applicable law, you may lodge a complaint with the relevant data protection supervisory authority in your country.

OBLIGATION TO PROVIDE PERSONAL DATA

Generally, you provide us with your personal data on a voluntary basis. In principle, there will be no adverse consequences for you if you do not consent or do not provide us with your personal data. However, in certain cases Biotest cannot act without your personal data, e.g. if this personal data is necessary to process your orders, to provide you with access to an online offer or newsletter or to carry out a legally required compliance check. In these cases, Biotest unfortunately cannot fulfil your request without the relevant personal data.

WEB SERVER LOGS

We periodically evaluate these server logs anonymously to regulate troubleshooting.

COOKIES AND SIMILAR TECHNOLOGIES

This Site uses cookies and similar technologies (collectively, "Tools") provided either by us or by third parties.

A cookie is a small text file that is stored on your device by your browser. Cookies are not used to run programs or download viruses onto your computer. Comparable technologies are in particular web storage (local / session storage), fingerprints, tags or pixels. Most browsers are set by default to accept cookies and similar technologies. However, you can usually adjust your browser settings so that cookies or comparable technologies are rejected or only stored with your prior consent. If you reject cookies or comparable technologies, it is possible that not all of our offers will function properly for you.

In the following, we list the tools we use by category, informing you in particular about the providers of the tools, the storage period of the cookies and the transfer of data to third parties. We also explain in which cases we obtain your voluntary consent to use the tools and how you can revoke this consent.

Legal basis and revocation

Legal basis

We use tools that are necessary for website operation on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in order to enable you to use our website more conveniently and individually and to make use of it as time-saving as possible. In certain cases, these tools may also be necessary for the performance of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 (1) lit. b GDPR. In these cases, access to and storage of information in the terminal device is absolutely necessary and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

We use all other tools, in particular those for marketing purposes, on the basisof your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR. In these cases, access to and storage of information in the terminal device is subject to consent and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to Section 25 (1) TTDSG. Data processing with the help of these tools only takes place if we have received your consent for this in advance.

If personal data is transferred to third countries, we refer you to section 6 ("Data transfer to third countries"), also with regard to the possible associated risks. We will inform you if we have concluded standard contractual clauses or other guarantees with the providers of certain tools. If you have given your consent to use certain tools, we (also) transfer the data processed when using the tools to third countries on the basis of this consent.

Obtaining your consent

We use the Usercentrics tool from Usercentrics GmbH, Rosental 4, 80331 Munich ("Usercentrics") to obtain and manage your consent. This generates a banner which informs you about the data processing on our website and gives you the opportunity to consent to all, individual or no data processing through optional tools. This banner will appear the first time you visit our website and when you revisit your choice of settings to change them or withdraw consent. The banner will also appear on subsequent visits to our website if you have deactivated the storage of cookies or if the cookies or information in Usercentrics' local storage have been deleted or have expired.

Your consent or revocation, your IP address, information about your browser, your terminal device and the time of your visit are transmitted to Usercentrics during your visit to the website. Usercentrics also stores necessary information on your terminal device in order to retain the consents and revocations you have given. If you delete your cookies or information in the local storage, we will ask you again for your consent when you visit the site at a later date.

Data processing by Usercentrics is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis for the use of Usercentrics is Art. 6 (1) lit. f GDPR, justified by our interest in fulfilling the legal requirements for cookie consent management.

Withdrawal of your consent or change of your selection

You can revoke your consent for certain tools at any time. To do so, click on Cookie settings in the footer. There you can also change the selection of tools you wish to consent to using, as well as obtain additional information on the cookies and the respective storage period. Alternatively, you can assert your revocation for certain tools directly with the provider.

Necessary tools

We use certain tools to enable the basic functions of our website ("Necessary Tools"). Without these tools, we would not be able to provide our service. Therefore, Necessary Tools are used without consent on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR or for the performance of a contract or for the execution of pre-contractual measures pursuant to Art. 6(1)(b) GDPR.

Own cookies

Wir verwenden eigene notwendige Cookies insbesondere

  • "highres" We use this cookie to display a correct screen resolution when you call up our website.
  • "HASSESSION" We apply this cookie to determine if the website visitor is a machine or human.
  • "cftoken" (used to determine what type of device the visitor is using so that the website can be formatted correctly).
  • "JSESSIONID" until the browser session ends (retains the status of the user across page views);
  • "cfid" (used in conjunction with the "cftoken" cookie and stores an ID specific to the visitor and the visitor's device and browser).

GOOGLE TAG MANAGER

Our website uses Google Tag Manager, a service provided to persons in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other persons by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (collectively "Google").

The Google Tag Manager is used exclusively to manage website tools by integrating so-called website tags. A tag is an element that is stored in the source code of our website in order to execute a tool, for example through scripts. If these are optional tools, they will only be integrated by the Google Tag Manager with your consent.

The Google Tag Manager does not use cookies.

The legal basis is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in integrating and managing multiple tags on our website in a straightforward manner.

For the purposes of ensuring stability and functionality, Google collects information on which tags are integrated by our website within the framework of the use of the Google Tag Manager, but in principle no personal data, in particular no data on usage behaviour, the IP address or the pages visited.

We have concluded a data processing agreement with Google Ireland Limited. In the event that personal data is transferred to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses in accordance with Art. 46 Para. 2 lit. c GDPR. For further information, please refer to section 6 ("Data transfer to third countries").

For more information, please refer to Google's information on the Tag Manager.

Analysis tools

In order to improve our website, we use tools for the statistical collection and analysis of general usage behaviour based on access data ("analysis tools"). We also use analytics services to evaluate the use of our various marketing channels.

The legal basis for the analysis tools is - unless otherwise stated - your consent according to Art. 6 para. 1 lit. a GDPR. For revocation of your consent, see 3.1.3: "Revoking your consent or changing your selection". In the event that personal data is transferred to the USA or other third countries, your consent expressly extends to the data transfer (Art. 49 para. 1 sentence 1 lit. a GDPR). Please refer to the section "Data transfer to third countries" for the associated risks.

GOOGLE ANALYTICS

Our website uses Google Analytics, which is provided for users from Europe, the Middle East and Africa (EMEA) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together "Google").

Google Analytics uses cookies and similar technologies to analyse and improve our website based on your user behaviour. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. The data generated in this context may be transferred by Google to a server in the USA for evaluation and stored there.

We have made the following data protection settings for Google Analytics:

  • IP anonymisation (shortening of the IP address before evaluation so that no conclusions can be drawn about your identity).
  • Automatic deletion of old logs / limitation of the storage period to 26 months
  • No personalised ads
  • No measurement protocol
  • Disabled data sharing with other Google products and services
  • The following data is processed by Google Analytics:
    • Anonymised IP address;
    • Referrer URL (previously visited page);
    • Pages viewed (date, time, URL, title, length of stay);
    • Downloaded files;
    • Clicked links to other websites;
    • Technical information: Operating system; browser type, version and language; device type, brand, model and resolution;
    • Approximate location (country and city, if applicable, based on anonymised IP address)

Google Analytics sets the following cookies for the stated purpose with the respective storage period:

  • "_ga" for 2 years and "_gid" for 24 hours (both to recognise and distinguish website visitors by a user ID);
  • "_gat" for 1 minute (to reduce requests to Google servers);

We have concluded an order processing agreement with Google for the use of Google Analytics as well as standard contractual clauses in the event that personal data is transferred to the USA or other third countries.

You can find more information on this in Google's privacy policy.

GOOGLE MAPS

Our website uses the Google Maps mapping service, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for users from the European Economic Area and Switzerland and by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (together "Google") for all other users.

In order for the Google map material we use to be integrated and displayed in your web browser, your web browser must establish a connection to a Google server, which may also be located in the USA, when you call up our website. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with Google.

By integrating the map material, Google receives the information that a page of our website was called up from the IP address of your device. If you call up the Google map service on our website while you are logged into your Google profile, Google can also link this event to your Google profile. If you do not wish to be associated with your Google profile, you must log out of Google before accessing our contact page. Google stores your data and uses it for the purposes of advertising, market research and personalised presentation of Google Maps.

For more information, please see Google's Privacy Policy and the Additional Terms of Use for Google Maps.

ONLINE-MEETINGS VIA „TEAMS“

We use "Teams" to conduct online meetings, conference calls and/or online events (collectively, "Meetings"). Teams is software from Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18, Ireland ("Microsoft"), available as a desktop, web and mobile app.

Microsoft Teams is part of the Office 365 cloud application for which a user account must be created.

Data processing with Office 365 takes place on servers in data centres in the European Union in Ireland and the Netherlands. For this purpose, we have concluded a commissioned processing agreement with Microsoft in accordance with Art. 28 DS-GVO. Accordingly, we have agreed extensive technical and organisational measures with Microsoft for Office 365 that comply with the current state of the art of IT security, e.g. with regard to access authorisation and end-to-end encryption concepts for data lines, databases and servers.

The legal basis for the processing of data to conduct meetings via teams is our legitimate interest in the effective and simple conduct of online meetings, discussion rounds and presentations in accordance with Art. 6 para. 1 lit. f GDPR. Insofar as the meetings are conducted within the framework of existing contractual relationships with you, the legal basis is Art. 6 para. 1 lit. b GDPR. We are not responsible for any further data processing on the Teams product website, where the desktop software can be downloaded and the web app can be used.

During a meeting, the following data may be processed under certain circumstances:

  • Participant details: display name, if applicable, first name, last name, phone, email address, password (encrypted for authentication), profile picture;
  • Metadata: Meeting topic and description, IP address, participant's phone number, type of device/software (Windows/Mac/Linux/Web/iOS/Android Phone/Windows Phone), time of participant's last activity on Teams, number of chat and channel messages, number of meetings attended, duration of time for audio, video and screen sharing;
  • For chat, or channel message usage: text data for display and logging, if applicable;
  • For audio use: microphone recording data;
  • For video use: recording data from the video camera;
  • For recordings: Audio, video and screen sharing for storage in the cloud / Microsoft Stream; In principle, no recording will take place without you being informed and agreeing in advance.

Before the meeting, you will receive a confirmation email with an invitation link or a calendar date.

You can deactivate the transmission via microphone and camera at any time via the corresponding settings. We only record meetings or log text data with your consent and prior notification. Microsoft stores and uses the metadata to enable us to analyse and report on the use of Teams.

Microsoft may become aware of the above data as part of its contract processing in order to process it. All data traffic is encrypted (MTLS, TLS or SRTP) and encrypted data storage generally takes place on servers in the European Economic Area (EEA). As far as possible, we also activate end- to-end encryption. In the event that data is nevertheless processed in the USA, Microsoft Ireland Operations Limited and Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, have concluded the EU Standard Contractual Clauses, Module 3, and have taken additional measures. For more information, please refer to point 6, Data transfer to third countries.
For more information, please see Microsoft's privacy policy, available at: https://privacy.microsoft.com/de-de/privacystatement.

DATA TRANSFER TO THIRD COUNTRIES

As explained in this Privacy Policy, we use services whose providers are sometimes located in or process personal data in so-called third countries (outside the European Union or the European Economic Area), i.e. countries whose level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions to Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.

If a third country transfer is provided for and there is no adequacy decision or suitable guarantees, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it, and that enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the cookie banner, you will also be informed of this.

SECURITY

We would like to point out that the transmission of data on the Internet is not secure and that there is therefore a risk that third parties may intercept and use the data. You can also send us your data at any time by post or telephone at:

Biotest AG
Landsteinerstraße 5
D-63303 Dreieich

Tel.: +49 - 6103 / 801 - 0

HOW YOU CAN CONTACT US

If you have any further questions on the subject of "Data protection at Biotest" or wish to assert your rights, you can contact our data protection officer directly at the following contact address:

CONTACT ADDRESS

Biotest AG
Datenschutzbeauftragter
Landsteinerstr. 3-5
63303 Dreieich, Germany

or
by e-mail to: datenschutz@biotest.com

CHANGES TO THIS DATA PROTECTION DECLARATION

This privacy policy was last amended in January 2021. We may amend or supplement this data protection information if this becomes necessary due to changes in the way we process data or in the legal framework. Therefore, please check from time to time or when you provide us with personal data to see if there have been any changes. Changes will apply from the date they are published on our website.

NOTE TO THE SHAREHOLDERS OF BIOTEST AG

Biotest AG processes personal data in compliance with the EU Data Protection Regulation ("GDPR"), the German Federal Data Protection Act ("BDSG"), the German Stock Corporation Act ("AktG") and all other relevant legal provisions.

Biotest AG's ordinary and preference shares are no-par value bearer shares. Biotest AG uses your personal data for the purposes provided for in the German Stock Corporation Act. This applies in particular to the technical conduct of general meetings. The banks involved in the purchase, custody or sale of your Biotest AG shares forward your personal data (name and class of shares) to Biotest AG for the register of participants required by stock corporation law.

Via our website, you have the opportunity to notify us of changes of address, e-mail addresses or, if applicable, your proxy and instructions in advance of the Biotest AG Annual General Meeting. If you make use of this option, we will use the personal data you provide exclusively to update our share register in accordance with your information.

The legal basis for the processing of your personal data is the German Stock Corporation Act in conjunction with Article 6 (1) c DS-GVO.

Should we wish to process your personal data for a purpose not mentioned above, we will inform you in advance within the scope of the legal provisions.

Your data will be passed on to the following categories of recipients:

External service providers: Biotest AG uses external service providers for the technical processing of Annual General Meetings. In the context of registration for the Annual General Meeting, these are, for example, companies in the categories of services for printing and dispatching the invitation to the Annual General Meeting or in supporting the implementation of the Annual General Meeting.

Other recipients: In addition, it may be necessary to transfer your personal data to other recipients if this is required to fulfil legal obligations. If you take part in a General Meeting, other Biotest shareholders may, in accordance with Section 129 of the German Stock Corporation Act (AktG), inspect the data recorded about you in the register of participants required by the German Stock Corporation Act.

We will delete your personal data as soon as it is no longer required for the above-mentioned purposes. For data collected in connection with general meetings, the retention period is regularly up to 3 years. Personal data may be retained for the period during which claims may be brought against our company (statutory limitation period of three to thirty years). As a matter of principle, we store your personal data unless we are obliged to store it further by a legal obligation to provide proof or to retain data; these obligations arise, among other things, from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act. These storage periods are up to ten years.

Status: November 2023