PRIVACY

Welcome to our privacy page. At BioNTech, privacy means fair data processing and transparent communication.   

This data privacy statement describes how we collect, use, store, disclose, and delete (together “process”) your personal data, when you visit our websites and use the functionalities on these websites (such as contact forms). We also inform you about your rights and how you can exercise them.  

The Data Controller – Who is responsible for the processing of your personal data? 

BioNTech IMFS GmbH (“BioNTech”, “we”, “us”) is the “data controller” of your personal data, if not stated otherwise:

BioNTech IMFS GmbH 

Vollmersbachstr. 66 

D-55743 Idar-Oberstein 

Germany 

Tel +49 67 81 98 55 0 

E-Mail info-imfs@biontech.de 

An affiliate of the BioNTech SE (An der Goldgrube 12, 55131 Mainz, Germany) 

Our Global Data Privacy Team – Who are your contacts? 

If you have any questions regarding the processing of your personal data or if you wish to exercise your rights as a data subject, please don’t hesitate to contact our global data privacy officer or the global data privacy team.  

They can be reached at: 

BioNTech IMFS GmbH 

Data Protection Officer 
Vollmersbachstr. 66 

D-55743 Idar-Oberstein 

Germany 

Tel +49 67 81 98 55 0 

E-Mail: data.privacy@biontech.de 

Purposes and Legal Bases – Why are we allowed to process your personal data? 

When we process your data, we follow the EU General Data Protection Regulation (GDPR). If we rely on legal bases outside the GDPR for processing your data, like country specific data privacy legislation, we will inform you accordingly. We are allowed to process your data for the following overarching purposes: 

Responding to your requests 

Where you have given your consent (Art. 6 (1)(a) GDPR), we will process your data for the consented purpose (e.g., to respond to your questions via our web form). 

Legal and compliance requirements 

We will process your personal information to comply with legal obligations (Art. 6 (1)(c) GDPR), including the disclosure of information in connection with a legal process or litigation. 

Enabling business activities and pursuing our legitimate interests 

Always provided that your data protection rights are not overridden by our legitimate interests (Art. 6 (1)(f) GDPR), we will process your data for various reasons such as providing you with a convenient website experience. 

Fulfilment of contract and pre-contractual inquiries  
We will process your personal information if this is required for the fulfilment of a service contract or to conduct pre-contractual actions (Art. 6 (1)(b) GDPR). 

Besides the above stated regulations, the national data privacy legislation of Germany applies. This particularly applies for the Federal Data Protection Law (BDSG) and the German Telecommunications-Telemedia Data Protection Act (TTDSG). We will specify the legal basis in the respective subsections below. 

Retention – How long do we store and process your personal data? 

Your personal data will be deleted as soon as the purpose required for processing has been fulfilled. Different retention periods may apply due to legal requirements. 

The retention periods differ depending on the type of personal data collected and the purpose of the processing. The German Commercial Code and the German Tax Code, for example, require the storage of certain information for 6 up to 10 years.

We will specify the retention period in the respective subsections. 

Security – How do we secure your personal data? 

We have appropriate technical and organizational measures in place to protect your privacy and personal information. This includes measures against data loss, falsification, and unauthorized access. We choose service providers accordingly. However, data disclosure on the internet is at your own risk. Please contact our global data privacy team, if you have reasons to believe that your data is no longer secure with us. 

Transfer – With whom and to where do we share your personal data? 

In general, your personal data is only processed inside of BioNTech and not shared with third parties. In some cases, it may be necessary to share your personal data with our headquarters (BioNTech SE), business partners, or service providers. In such cases we have concluded respective data processing agreements (Art. 28 GDPR) or joint controller agreements (Art. 26 GDPR) to ensure the lawfulness of the transfer and secure your personal data.

Eventually, your personal data may be transferred outside of the European Union and the European Economic Area (together “Europe”). If we conduct such a transfer, there is an adequate level of data privacy in place by ensuring at least one of the following: 

  • Adequacy Decision of the European Commission according to Art. 45 GDPR that there is an adequate level of data privacy in the target country of the transfer. 

  • The conclusion of so-called Standard Contractual Clauses (SCC) that have been approved by the EU Commission in accordance with Art. 46 GDPR. 

  • The presence of Binding Corporate Rules (BCR) which were approved by an EU based supervisory authority in accordance with Art. 47 GDPR.

We would like to inform you that we may be legally obliged to disclose personal data to authorities under certain circumstances. Depending on the legal reason, it is prohibited to inform you about the disclosure. 

Your Rights – What are your rights as a data subject? 

If BioNTech processes personal data, you are a data subject as defined by the GDPR and have the following rights: 

  • Right of access: 
    You have the right to request information about whether we process personal data about you and to request a copy of the personal data we process.

  • Right to rectification
    You have the right to rectify personal data that you think is inaccurate or incomplete.

  • Right to erasure 
    You have the right to request us to delete your personal data in some cases. 

  • Right to restrict processing 
    You have the right to request us to restrict the processing of personal data in some cases. 

  • Right to data portability 
    You have the right to request that we transfer personal data you provided to us to another organisation. This doesn’t apply in certain cases.

  • Right to withdrawal of consent: 
    When you have given us consent to process your personal data, you can withdraw your consent anytime without having to fear negative effects. However, the withdrawal does not affect the lawfulness of the processing carried out until the withdrawal.

  • Right to object to processing 
    In the case that we are basing our processing of your personal data on our legitimate interest (Art. 6 (1)(f) GDPR), you have the right to object to the processing on grounds relating to your situation.

You also have the right not to be subject to automated decision making. When you wish to exercise these rights, please contact our global data privacy team. 

If you think that the processing of your personal data violates the GDPR you furthermore have the right to lodge a complaint with a supervisory authority. You can lodge this complaint to the authority in the member state of your habitual residence, place of work or the place where an alleged incident occurred in your opinion. 

You can refer to the list of supervisory authorities of the European Data Protection Board to find the contact information of the corresponding authority: edpb.europa.eu/about-edpb/about-edpb/members_en 

Website Visitors – What should you know when using our website? 

To protect your personal data when you visit our website, we’re using SSL/TLS encryption on all sub-pages to prevent manipulation, sniffing or similar unauthorised data processing, especially in transit. You can recognize the encrypted connection by the lock symbol next to the address bar of your browser. In general, you can use our website without having to provide us with personal data, beyond such data necessary for technical operation of the website or data you provide us in forms or similar occasions.

We (i.e., our web hosting provider) collect the data your browser provides to us on every access to the server (so-called server log files). The logs are kept for 7 days and are then deleted or anonymised.

No usage profiles are created in which this information and other personal data are linked.

Categories of personal data 

  • Meta data (e.g., IP-addresses) 

  • Location data (e.g., approximate location based on IP-address) 

  • Device information (e.g., installed fonts on the device or screen resolution) 

  • Usage information (e.g., previously visited Websites through a Referrer URL) 

Purpose of the processing 

  • Technical provision of the contents 

  • For the identification and tracking of unauthorised access attempts/accesses to the web server to ensure the security and stability of our system 

  • Statistical evaluations such as visitor numbers and page popularity. 

Legal basis 

  • Art. 6 (1)(f) GDPR. Our legitimate interest lies in the uninterrupted provision of the website content and the prevention of unauthorised access. 

  • Art. 6 (1)(b) GDPR if the visit is in connection with an existing contractual relation or in a pre-contractual setting. 

Data subjects affected 

Visitors of BioNTech websites 

Recipients or categories of recipients 

  • BioNTech Employees 

  • Service Providers 

Duration of processing or storage  

The logs are kept for 7 days and are then deleted or anonymised  

 

Use of cookies 

We use cookies on our websites to ensure you have a convenient website experience. A cookie is a small piece of data (text file) that a website asks your browser to store on your device in order to remember information about you, such as your language preference or login information when you visit a website. Those cookies are set by us and are called first-party cookies. We only use technically necessary cookies to provide you with a convenient website experience. The legal basis for using such cookies is our legitimate interest. 

 

Contact via e-mail 

When contacting us via e-mail, personal data is processed. The data entered will be transmitted to BioNTech. This section does not apply to adverse event reports or product quality complaints or medical inquiries. This specific privacy statement can be found here.  

Purpose of the processing 

Handling of the contact request 

Categories of personal data 

  • Contact information (e.g., first or last name, e-mail address)

  • Message content 

Legal basis 

  • Art. 6 (1)(f) GDPR. Our legitimate interest consists in the proper processing of the request. 

  • Art. 6 (1)(b) GDPR if the request is in connection with an existing contractual relation or in a pre-contractual setting. 

Data subjects affected 

Persons who are contacting us 

Recipients or categories of recipients 

  • Hosting Provider 

  • Mail Provider 

Duration of processing or storage 

Your personal data will be deleted as soon as the purpose of the communication has been fulfilled. Different retention periods may apply due to legal requirements. 

If the communication can be deemed a business correspondence, we are obliged by the German commercial code to retain the communication for at least 6 years. If the communication is tax related the German Tax Code requires us to retain the data for 10 years. 

 

Interested Parties, Customers, and Providers 

This section applies to all personal data that you provide to us as a "natural person" and business partner (e.g., as a consumer, entrepreneur, customer, study participant, etc.), employee of one of our business partners or as an interested party in the context of our business relationship with you or your company. 

We process personal data that we have received from you in the course of the business relationship or inquiry or from third parties in a permissible manner (e.g., for the performance of contracts or on the basis of consent given) or generate in connection with the performance of our contractual obligations with you. In particular, these are in relation to 

  1. Prospective customers and other business partners: 

  • Personal/contact data (e.g., first name, last name, company if applicable, address, (mobile) phone number, fax, e-mail) 

  • Communication data in connection with correspondence (e-mails, correspondence, telephone calls, etc.) 

  • Data from business directories 

  2. Customers

  • Personal/contact data (e.g., first name, last name, company, (mobile) telephone number, fax, e-mail) 

  • Contract and billing data (e.g., bank details, goods ordered, billing data) 

  • Communication data in connection with correspondence (e-mails, correspondence, telephone calls, etc.) 

  • Legitimation data (e.g., identification documents), authentication data (e.g. specimen signature), creditworthiness information

  3. Suppliers and service providers

  • Personal/contact data (e.g., first name, last name, company, (mobile) phone number, fax, e-mail) 

  • Contract and billing data (e.g., bank details, goods ordered, invoice data) 

  • Communication data in connection with correspondence (e-mails, correspondence, telephone calls, etc.) 

  • Legitimation data (e.g., identification documents), authentication data (e.g. specimen signature) 

  4. Study participants

  • Pseudonymized personal and study data 

  • Communication data in connection with correspondence (emails, telephone calls, correspondence, etc.)

We process your personal data primarily for the fulfillment of contracts with you, or your company, or for the implementation of pre-contractual measures upon request. This also applies to communication data in connection with correspondence (emails, correspondence, telephone calls, etc.). Within the scope of our business relationship, you must provide those personal data that are required for the establishment, implementation and termination of a business relationship and for the fulfillment of the associated contractual obligations, or which we are required to collect by law. Without this data, we will generally not be in a position to conclude a contract with you, to execute and terminate such a contract and to take pre-contractual measures to conclude a contract with you at your request. If you do not provide us with the necessary information and documents, we will not be able to establish or continue the business relationship you have requested.

In addition, your personal data help us to understand your interest in our company and our services and products. They also enable us to provide you with further information if you so wish. Of course, we only collect personal data from you that we need for these processing purposes. 

 

Social Media Users – What should you be aware of when using social media? 

We maintain a publicly accessible profile on LinkedIn – a professional social network. As the operator of these presences on the social media platforms, we are processing personal data, for example if we are communicating with you via the platforms or posting content and you interact with this content. Furthermore, we can access personal data you have made publicly available on your social media profile.

In the case you’re visiting our social media profile your personal data is also processed by the social media platform for their own purposes. This applies even if you don’t have a profile on the social media platform. The specific data processing operations and their extent differ depending on the operator of the respective social media platform and we have no influence regarding this processing by the platforms. More information regarding the processing of personal data through the social media platform can be found in their respective privacy statement. 

For most social media platforms it cannot be ruled out that processing of personal data also takes place outside of the European Union/European Economic Area. This means that a transfer of personal data into third countries without an adequate level of data privacy is possible and that there are possible difficulties regarding the enforcement of the rights of the data subject.

LinkedIn 

We use LinkedIn, a platform of the LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, to inform you about the latest developments and information about our company and products and to communicate with you and other interested parties. In addition, we are conducting recruiting activities to attract new employees and are marketing our products.

As mentioned above, social media platforms like LinkedIn are conducting their own processing of your personal data on their own without any influence from our side.

Data Processing of BioNTech 

We are processing your personal data in the following way when you are using LinkedIn: 

Purpose of the processing 

  • Marketing 

  • Communication with interested parties (e.g., users, investors, potential applicants) 

  • Recruiting 

Categories of personal data 

  • Publicly available information from your profile (e.g., your name, current employer)

  • Content data (e.g., if you comment on our posts)

  • Probably meta/location data (e.g., if you include your location into a post on LinkedIn)  

Legal basis 

  • Art. 6 (1)(f) GDPR. Our legitimate interest to inform the public about our company in a business context and to communicate with parties who are interested in BioNTech. 

  • Art. 6 (1)(a) GDPR. Consent regarding personal data you provide us voluntarily.

Data subjects affected 

Interested parties (e.g., users, investors, potential applicants) 

Recipients or categories of recipients 

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland 

Country of possible recipients 

A transfer into third countries like the USA cannot be ruled out. 

Duration of processing or storage 

Your personal data will be deleted on our side as soon as the purpose required for processing has been fulfilled. Different retention periods may apply due to legal requirements. 

Comments under our posts are available until we delete the post you commented on. 

Regarding the above-described data processing, LinkedIn is acting as our processor, and in some cases as a separate controller. We have concluded a data processing agreement in accordance with Art. 28 GDPR. This agreement can be found here: legal.linkedin.com/dpa. The data processing agreement has also incorporated the Standard Contractual Clauses to provide an adequate level of data privacy in case your personal data is transferred into a third country.

Data processing of LinkedIn 

LinkedIn processes your personal data in different ways for different purposes. LinkedIn also uses cookies to track your activities on their website and other websites you visit. For more information regarding the processing conducted by LinkedIn please refer to their privacy statement: www.linkedin.com/legal/privacy-policy 

LinkedIn offers you the possibility to opt out of targeted advertising through the following link: www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Linking to social media content 

Within our website, we provide you with direct access to social media content (LinkedIn) through a link. The offers that can be accessed under the integrated link originate from the respective companies (hereinafter referred to as "social media providers") and do not represent social plug-ins that automatically forward your personal data to the social media provider. Only when you use the link and click on one of the social media buttons is personal data transmitted to the respective social media provider. The transmission ensures that the respective social media provider is aware of your IP address. Without your IP address, the social media provider cannot send the content to your browser.  

By transmitting your IP address, the respective social media provider may also be able to assign your personal data to your user account, in case you are currently logged in with this account. If you do not want the assignment to your user account with the respective provider, you can log out of your user account before using the social media button.  

An automated forwarding of your personal data to the social media providers by visiting our website and without clicking on the respective button does not take place.  

The legal basis for the processing of your personal data is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. We integrate the content of social media providers into our site in order to provide you with useful information or to facilitate a process for you, without any further data processing.

We endeavour to use such content whose respective providers only use the IP address to deliver the content. Notably, we have no influence on the extent to which providers store the IP address for statistical purposes, for example.  

The recipients of the personal data collected are the social media providers. We have no knowledge of the content and use of your personal data by them. Therefore, we cannot rule out that they process the collected data outside the European Union.

For more information, please visit the privacy statement of the social media providers: 

LinkedIn: Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, a subsidiary of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA, Data Protection. 

www.linkedin.com/legal/privacy-policy 

 

Updates – Will this statement be updated? 

BioNTech’s internet presence may be subject to change, which means that it may be necessary to amend the data privacy statement accordingly. BioNTech reserves the right to change this data privacy statement at any time.

This data privacy statement was last updated: September 2023