1. Scope

Grifols USA, LLC and its affiliates under common ownership and control (collectively, "Grifols") undertake to protect the privacy of its customers and users accessing this website, whose home page is located at www.grifolsplasma.com (the "Website"). The contents are owned, operated, licensed or controlled by Grifols. Any data collected by use or viewing of this Website will be stored and maintained solely by Grifols and used exclusively for the below reasons. Grifols will seek user consent before using any collected data in any way outside of the below categories.

The user can browse and use the Website without having to provide any detailed personal data. The only personal data that Grifols will have access to is the information that users provide voluntarily through the forms provided, by contacting Grifols by e-mail or through any other way facilitated on the Website. If the Website collects personal data through cookies, the user will be adequately informed through the Cookies Policy as well as by the means the legislation requires.

This document sets out our policy on enforcement and use of personal data collected through our Website. The use of the Website implies acceptance by the user of the provisions of this Privacy Policy and that personal data may be processed as stated herein. Please note that although there may be links on our Website to other websites Grifols or its subsidiaries and not to websites of other companies. Grifols does not control or endorse the content of third-party websites nor accept any liability for the content or the privacy policies of such websites. 

2. Purposes

Grifols' primary purpose in collecting and processing such information is to provide you with services that you request or to personalize product or service information for you. Grifols may also use your personally-identifiable information to provide you with additional information about our products and services, to provide you with advertising based on your activity on Grifols' websites and applications and third-party websites and applications, to optimize or improve Grifols products, services and operations, to detect, investigate and prevent activities that may violate Grifols policies or be illegal, or for technical support, troubleshooting or account administration purposes. Grifols may also share your personally-identifiable information with our agents, contractors, or business partners in order that they may perform services for Grifols. 

Grifols may also collect and use non-personally-identifiable information from website visitors, which includes information that does not directly or indirectly identify, and cannot reasonably be used to identify, an individual visitor. This can be technical information, such as your device type or internet browser version, or it can be demographic information, such as your age, gender, or interests. Non-personally-identifiable information does NOT identify you personally. 

3. Transfers to third parties

In order to correctly respond to your requests or queries or in order to inform you of novelties that may be of interest to you, your personal data could be transferred to other companies in the group, where the legislation on the processing of personal data may be different or less stringent than the legislation offered in your country. The user expressly authorizes us to make such communications and/or transfers to any companies within the Grifols group for the purposes mentioned in the previous section. 

Grifols will not share your personal data with third parties unless (i) it is consistent with the terms and conditions of the privacy policy, (ii) the user consents to the transfer case, or (iii) it is required to meet legal obligations, which include, without limitation, providing data to the courts, the police or other national or international security bodies. Any transfers of data will be subject to strict safeguards regarding the obligations of the entity receiving the transfer, all of whom must be in full compliance with applicable data protection regimes.

4. Security Measures

Grifols informs you that it has adopted the technical and organizational measures necessary to maintain the level of security required in the personal data processed and also has the necessary mechanisms in place to prevent, to the extent possible, any unauthorized access, theft, illicit modification, and loss of data. 

In any case, Grifols will only retain user data during the time period necessary to fulfil the intended purposes. Unless applicable law states otherwise, personal data will be erased, blocked or will be rendered anonymous when they are no longer needed for the purposes for which they were collected.

Despite these safeguards, no security protocol is totally and completely secure, and therefore Grifols cannot completely guarantee the safety of any collected personal information. Nevertheless, Grifols has taken all commercially reasonable steps to ensure the safety, security, accuracy, and fidelity of all collected data. 

5. Confidentiality

In compliance with current regulations, Grifols undertakes to fulfil its obligation of secrecy regarding personal data that the user provides while browsing through the Website and it is its duty to keep them confidential. 

6. Third party data

In the event that the user provides personal data of third parties, he/she guarantees to have obtained their prior consent and inform them beforehand of the conditions and purposes for which Grifols may use their personal data. If required by Grifols, the user must prove that consent has been obtained. Grifols shall not be liable for personal data of third parties provided without their consent, and any damages whatsoever, including direct and indirect, special, consequential, or otherwise, shall solely be the responsibility of the user who provided the third parties' data. 

7. Minors

The services and information available on the Website are intended for people over 18 years of age. Continuing usage of the Website shall be construed as an acknowledgement that the user is of the legal age to access this Website, and underage users should immediately cease using the Website.

8. Data quality

Data provided by the user must be accurate and truthful. In any case, the user has the obligation to notify Grifols of any changes to their data in order to keep them up to date at all times. 

9. State Specific Privacy Policies

Privacy Statement for California Residents
Privacy Statement for Virginia Residents

10. Data subjects rights

Grifols enables its users to access, correct, and update information previously provided through the Grifols platform provided, or users can contact Grifols directly at the below address. At any time, users may exercise all consumer rights affecting personal data under the terms established by the current legislation, as well as obtain more information about those rights under current legislation, by writing to the address below.

Grifols USA, LLC 
Attn: Office of the General Counsel 
2410 Grifols Way
Los Angeles, CA 90032 

11. Donor Biometric Data Privacy Policy

The operator of the facility at which you are donating plasma (Biomat USA, Inc., Talecris Plasma Resources, Inc., Bio Blood Components, Inc., or Plasma Biological Services, LLC, as applicable, and hereafter called the “Company”), uses a donor management system managed and supported by a third-party vendor, Haemonetics Corporation, to ensure proper verification of donors’ identities during the donation screening process. The system uses certain Biometric Data (defined below) solely for this purpose. The Company established this Policy to ensure such data is, and continues to be, reasonably safeguarded and not retained for longer than is necessary. Further, this Policy is intended to comply with any potentially applicable laws including, but not limited to, the Illinois Biometric Information Privacy Act (“BIPA”).

Definition of Biometric Data for Purposes of This Policy

Solely for purposes of this Policy, Biometric Data means the digital signature composed of hash values that is generated when a donor scans a fingertip on a Company computer-assisted self-interview (“CASI”) system kiosk finger scanner. During this process, no fingerprints or images of fingers or fingerprints are collected or retained in any form or transmitted outside of the system. Rather, digital signatures/hash values are generated from the scans by an application on the Company’s network called VeriFinger. The resulting digital signatures/hash values are stored securely in the Company’s databases in the United States, but fingerprint images are not collected, saved, or stored. No digital signatures/hash values are transmitted to any other location or third-party.

The phrase “Biometric Data” as used in this Policy includes, but is not limited to, all potentially applicable legal definitions of “biometric identifiers” and/or “biometric information,” including, but not limited to, data generated from the scan of a finger or fingerprint. In addition, for purposes of this Policy, data or other information derived from a scan of a donor’s finger or fingerprint during the donation screening process is referred to as “Biometric Data” even though it may not meet the definition of “biometric information” or “biometric identifiers” under any potentially applicable law, such as the BIPA.

Collection of Biometric Data

The Company will obtain a written release/consent from each donor using the system. The form must inform the donor of the data being collected; the purpose of the collection; the use, storage and any transmission of the data; and the period of time the Biometric Data is being collected, stored, and used.

Use of Biometric Data

The Company will use the Biometric Data solely for purposes of administering the Donor History Questionnaire to ensure the proper verification of the donor’s identity and, potentially, other lawful purposes. The finger is scanned twice, once to initiate the questionnaire and then again to finalize the questionnaire. Such additional purposes for obtaining a finger scan may include, but are not limited to, conducting audits and investigations, as necessary.

Access to Biometric Data

In general, Company employees are unable to access donor Biometric Data. However, certain authorized Company personnel that require access to the database where Biometric Data is stored could potentially view the digital signatures/hash values.

Moreover, to the extent ever necessary, Company attorneys and/or investigators may from time to time need access to donor Biometric Data to conduct audits or investigations. Further, as described herein, Biometric Data may be made available to Haemonetics Corporation as needed to operate and maintain the donor management system, including to provide technical support.

Disclosure of Biometric Data

The Biometric Data of donors is currently securely stored on Company server databases located in the United States that may be accessed by certain Company personnel and certain authorized third-parties, including Haemonetics Corporation as described herein, who are granted security access by the Company. However, the Company may in the future disclose such Biometric Data to Company-retained attorneys and/or investigators to the extent it is necessary to conduct audits and investigations. In the event additional parties need access to donor Biometric Data for technical support, administration or other lawful purposes, the Company will make available or disclose Biometric Data only after obtaining: (i) written consent from the individual(s) to whom the Biometric Data relates, and (ii) the written assurances from the third-party that the Biometric Data will be safeguarded in accordance with applicable law and best practices.

Retention and Destruction of Biometric Data

The Company shall adhere to its Privacy Policy, which may be found on the Company’s website: www.grifolsplasma.com. Consistent with that Policy, the Company will retain donor Biometric Data only for as long as necessary to satisfy the initial purpose for which the Biometric Data was collected. Except as otherwise required by law, including but not limited to, federal or international regulations, the Company will take the actions necessary to permanently delete a donor’s Biometric Data from the Company database where it is stored as soon as practicable when 6 months have elapsed since the donor last scanned a fingertip on a Company scanner as part of the donation screening process. If the individual donates again after that time, s/he will be required to complete the verification process again in order to donate. To the extent this process ever results in a donor’s Biometric Data not being deleted within 3 years of the donor’s last interaction with the Company of any kind, the donor’s Biometric Data will be permanently deleted as soon as is practicable at that time.

Safeguarding Biometric Data

Consistent with the Company’s information security policies, procedures and practices, which are incorporated herein by reference, as applicable, the Company shall take reasonable steps to ensure that donors’ Biometric Data, regardless of format, is protected from unauthorized access, acquisition or disclosure. Such safeguards shall include storing the Biometric Data on secure Company databases located in the United States, limiting access to donor Biometric Data, and using the minimum necessary donor Biometric Data for a particular permissible purpose.

Amendment, Enforcement and Violations

The Company reserves the right to amend this Policy at any time for any reason.

The Company’s Donor Center Systems department shall be responsible for implementing, interpreting and enforcing this Policy in collaboration with other appropriate Company depart

Employees who violate this Policy shall be subject to discipline up to and including termination of employment.

12. Update of the Privacy Policy

Grifols may modify and update this Privacy Policy at any time without prior notice. Please always check that you are aware of our Privacy Policy in order to remain informed at all times of the information collected through the Website, how we use this information and the circumstances in which it may be disclosed to third parties. Grifols has no obligation to notify users of the Website of any changes and while it may elect to do so, users of the Website should not rely on notice to learn of any changes and should instead review this Privacy Policy before they use, browse, or otherwise interact with this Website.

Last Updated: November 2022