Grifols USA, LLC and its subsidiaries ("Grifols") undertake to protect the privacy of their customers and users accessing this website, whose home page is located at www.grifolsplasma.com (the "Website"). The contents of the Website are owned, operated, licensed or controlled by Grifols. Any data collected by use or viewing of this website will be stored and maintained solely by Grifols and used exclusively for the below reasons. Grifols will seek user consent before using any collected data in any way outside of the below categories.
The user can browse and use the Website without having to provide any detailed personal data. The only personal data that Grifols will have access to is the information that users provide voluntarily through the forms provided, by contacting Grifols by e-mail or through any other way facilitated on the Website. If the Website collects personal data through cookies, the user will be adequately informed through the Cookies Policy as well as by the means that the legislation requires.
Grifols' primary purpose in collecting and processing such information is to provide you with services that you request or to personalize product or service information for you. Grifols may also use your personally-identifiable information to provide you with additional information about our products and services, to provide you with advertising based on your activity on Grifols' websites and applications and third-party websites and applications, to optimize or improve Grifols products, services and operations, to detect, investigate and prevent activities that may violate Grifols policies or be illegal, or for technical support, troubleshooting or account administration purposes. Grifols may also share your personally-identifiable information with our agents, contractors, or business partners in order that they may perform services for Grifols.
Grifols may also collect and use non-personally-identifiable information from website visitors, which includes information that does not directly or indirectly identify, and cannot reasonably be used to identify, an individual visitor. This can be technical information, such as your device type or internet browser version, or it can be demographic information, such as your age, gender or interests. Non-personally-identifiable information does NOT identify you personally.
3. Transfers to third parties
In order to correctly respond to your requests or queries or in order to inform you of novelties that may be of interest to you, your personal data could be transferred to other companies in the group, where the legislation on the processing of personal data may be different or less stringent than the legislation offered in your country. The user expressly authorizes us to make such communications and/or transfers to any companies within the Grifols group for the purposes mentioned in the previous section.
4. Security Measures
Grifols informs you that it has adopted the technical and organizational measures necessary to maintain the level of security required in the personal data processed and also has the necessary mechanisms in place to prevent, to the extent possible, any unauthorized access, theft, illicit modification and loss of data.
In any case, Grifols will retain user data only during the time period necessary to fulfil the intended purposes. Unless applicable law states otherwise, personal data will be erased, blocked or rendered anonymous when they are no longer needed for the purposes for which they were collected.
Despite these safeguards, no security protocol is totally and completely secure, and therefore Grifols cannot completely guarantee the safety of any collected personal information. Nevertheless, Grifols has taken all commercially reasonable steps to ensure the safety, security, accuracy, and fidelity of all collected data.
In compliance with current regulations, Grifols undertakes to fulfil its obligation of secrecy regarding personal data that the user provides while browsing through the Website and it is its duty to keep them confidential.
6. Third party data
In the event that the user provides personal data of third parties, he/she guarantees to have obtained their prior consent and to have informed them beforehand of the conditions and purposes for which Grifols may use their personal data. If required by Grifols, the user must prove that consent has been obtained. Grifols shall not be liable for personal data of third parties provided without their consent, and any damages whatsoever, including direct and indirect, special, consequential, or otherwise, shall solely be the responsibility of the user who provided the third parties' data.
The services and information available on the Website are intended for people over 18 years of age. Continuing usage of the Website shall be construed as an acknowledgement that the user is of the legal age to access this website, and underage users should immediately cease using the Website.
8. Data quality
Data provided by the user must be accurate and truthful. In any case, the user has the obligation to notify Grifols of any changes to their data in order to keep them up to date at all times.
9. California Privacy
Under California Law (CCPA), California residents have the right to request in writing from businesses with whom they have an established business relationship, (a) a list of the categories and specific pieces of information that such business collects, uses, discloses, and sells about its California customers during the immediately preceding twelve (12) months, as well as the sources from which this information has been collected, (b) the purpose for which the information was collected, and (c) the right to request that the business delete such information. To exercise these rights, you may submit a Request to Know or a Request to Delete by calling 1-855-697-5276, emailing US-PrivacyRights@grifols.com, or visiting one of our California donor centers. Grifols' policy is available at Privacy Statement for California Residents. If you have any questions, please contact us at the above phone number or email address.
10. Data subjects rights
Grifols enables its users to access, correct, and update information previously provided through the Grifols platform provided, or users can contact Grifols directly at the below address. At any time users may exercise all consumer rights affecting personal data under the terms established by the current legislation, as well as obtain more information about those rights under current legislation, by writing to the address below.
Grifols USA, LLC
Attn: Office of the General Counsel
2410 Lillyvale Avenue
Los Angeles, CA 90032
The operator of the facility at which you are donating plasma (Biomat USA, Inc., Talecris Plasma Resources, Inc., Bio Blood Components, Inc., or Plasma Biological Services, LLC, as applicable, and hereafter called the “Company”), uses a donor management system managed and supported by a third-party vendor, Haemonetics Corporation, to ensure proper verification of donors’ identities during the donation screening process. The system uses certain Biometric Data (defined below) solely for this purpose. The Company established this Policy to ensure such data is, and continues to be, reasonably safeguarded and not retained for longer than is necessary. Further, this Policy is intended to comply with any potentially applicable laws including, but not limited to, the Illinois Biometric Information Privacy Act (“BIPA”).
Definition of Biometric Data for Purposes of This Policy
Solely for purposes of this Policy, Biometric Data means the digital signature composed of hash values that is generated when a donor scans a fingertip on a Company computer-assisted self-interview (“CASI”) system kiosk finger scanner. During this process, no fingerprints or images of fingers or fingerprints are collected or retained in any form or transmitted outside of the system. Rather, digital signatures/hash values are generated from the scans by an application on the Company’s network called VeriFinger. The resulting digital signatures/hash values are stored securely in the Company’s databases in the United States, but fingerprint images are not collected, saved, or stored. No digital signatures/hash values are transmitted to any other location or third-party.
The phrase “Biometric Data” as used in this Policy includes, but is not limited to, all potentially applicable legal definitions of “biometric identifiers” and/or “biometric information,” including, but not limited to, data generated from the scan of a finger or fingerprint. In addition, for purposes of this Policy, data or other information derived from a scan of a donor’s finger or fingerprint during the donation screening process is referred to as “Biometric Data” even though it may not meet the definition of “biometric information” or “biometric identifiers” under any potentially applicable law, such as the BIPA.
Collection of Biometric Data
The Company will obtain a written release/consent from each donor using the system. The form must inform the donor of the data being collected; the purpose of the collection; the use, storage and any transmission of the data; and the period of time the Biometric Data is being collected, stored, and used.
Use of Biometric Data
The Company will use the Biometric Data solely for purposes of administering the Donor History Questionnaire to ensure the proper verification of the donor’s identity and, potentially, other lawful purposes. The finger is scanned twice, once to initiate the questionnaire and then again to finalize the questionnaire. Such additional purposes for obtaining a finger scan may include, but are not limited to, conducting audits and investigations, as necessary.
Access to Biometric Data
In general, Company employees are unable to access donor Biometric Data. However, certain authorized Company personnel that require access to the database where Biometric Data is stored could potentially view the digital signatures/hash values. Moreover, to the extent ever necessary, Company attorneys and/or investigators may from time to time need access to donor Biometric Data to conduct audits or investigations. Further, as described herein, Biometric Data may be made available to Haemonetics Corporation as needed to operate and maintain the donor management system, including to provide technical support.
Disclosure of Biometric Data
The Biometric Data of donors is currently securely stored on Company server databases located in the United States that may be accessed by certain Company personnel and certain authorized third-parties, including Haemonetics Corporation as described herein, who are granted security access by the Company. However, the Company may in the future disclose such Biometric Data to Company-retained attorneys and/or investigators to the extent it is necessary to conduct audits and investigations. In the event additional parties need access to donor Biometric Data for technical support, administration or other lawful purposes, the Company will make available or disclose Biometric Data only after obtaining: (i) written consent from the individual(s) to whom the Biometric Data relates, and (ii) the written assurances from the third-party that the Biometric Data will be safeguarded in accordance with applicable law and best practices.
Retention and Destruction of Biometric Data
Safeguarding Biometric Data
Consistent with the Company’s information security policies, procedures and practices, which are incorporated herein by reference, as applicable, the Company shall take reasonable steps to ensure that donors’ Biometric Data, regardless of format, is protected from unauthorized access, acquisition or disclosure. Such safeguards shall include storing the Biometric Data on secure Company databases located in the United States, limiting access to donor Biometric Data, and using the minimum necessary donor Biometric Data for a particular permissible purpose.
Amendment, Enforcement and Violations
The Company reserves the right to amend this Policy at any time for any reason.
The Company’s Donor Center Systems department shall be responsible for implementing, interpreting and enforcing this Policy in collaboration with other appropriate Company departments and officers.
Employees who violate this Policy shall be subject to discipline up to and including termination of employment.
Last update: June 2022.