CEPI External Privacy Notice

1.   Introduction

This Privacy Notice provides you with information about how the Coalition for Epidemic Preparedness Innovations ("CEPI") processes your personal data during the course of your relationship with us. This includes any external interactions such as:
 

• browsing our website (www.cepi.net);
• registering your interest in CEPI events or updates;
• filling out an online contact form;
• participating in online events or forums;
• emailing a CEPI employee for business purposes;
• entering into a contract to provide services to, or receive funding from, CEPI; or
• any other external engagement with CEPI in which you provide personal data.

In this notice, we detail what personal data we collect, why we process it, and what your rights are.

CEPI considers the privacy of individuals and the protection of their personal information to be of the utmost importance and is committed to processing data in accordance with the principles of the GDPR and all applicable national legislation. As such, we emphasise the importance of maintaining the accuracy and currency of your personal data in our records. As you continue to interact with CEPI, we kindly ask for your assistance in keeping your personal information up to date. This helps us to ensure both the accuracy and integrity of your personal data and effective communication and service provision throughout your ongoing relationship with us.

If you have any questions about this notice, please contact us using the contact details below. For further information on our commitment to data protection and individual privacy, please see CEPI’s Data Protection and Privacy Policy. This notice may be updated to reflect changes in our practices or applicable legislative changes.

2.    Data Controller

The data controller will be CEPI, which is comprised of the following entities:

•    The Coalition for Epidemic Preparedness Innovations PO Box 1030 Hoff, 0218 Oslo, Norway ("CEPI Norway")
•    The Coalition for Epidemic Preparedness Innovations UK Limited, 215 Euston Road, London, United Kingdom ("CEPI UK")
•    The Coalition for Epidemic Preparedness Innovations U.S., 1901 Pennsylvania Ave NW, Suite 1003, Washington, D.C., USA ("CEPI US")
The relevant data controller will be the CEPI entity with whom you have a relationship, or engage regularly, with.

CEPI Norway operates ww.cepi.net and is the controller for any personal data processed therein and for any other processing as described below. CEPI UK and CEPI US are controllers for the local processing of personal data as set out in this notice.

3.    What personal data we will process

We collect and process your personal data for different purposes in relation our web services and external relationships. Such processing may include, but is not limited to, the following categories of personal data.

i.    Information you provide to make enquiries or communicate with us online, such as:
 

• your title, name, and full postal, email, or telephone contact details;
• your job title and role; or
• any personal data you disclose in your enquiry or communication.
   

ii.    Records of communications sent to, and received from, you in relation to any enquiries, business relationship or other aspects of our business activities.
iii.    Your name and email address for the purpose of sending you our newsletters or other requested updates on CEPI activities and events.
iv.    Cookies and other personal data such as IP addresses, gathered to improve our website and enhance and tailor your user experience.
v.    Information required to manage contractual relationships or funding of projects, which may include personal data contained in contracts, ongoing commercial correspondence, invoices, minutes of meetings and any other data required to facilitate our business and partner relationships.
vi.    Screening and financial information such as:
•    your job title and role;
•    personal and political relationships;
•    possible sanction listings; and
•    criminal records collected from public sources.
vii.    Personal data provided by you whilst reporting concerns via CEPI’s whistleblowing channel, for which there is a separate privacy notice. 
viii.    Contact or payroll information about employees and consultants engaged by our business partners in order to complete any investigations or audits required by law, contract, or triggered by third party grievances.
ix.    Curriculum vitae, applications, certifications, references, and other personal data you may provide during the course of applying for a position at CEPI or which we require to verify and assess any application.

CEPI may, on a case-by-case basis, process your personal data for other purposes, in accordance with applicable data protection law, as set forth in an applicable privacy notice and will always notify you of any such processing using the contact details you have provided as required.

The personal data we process is normally collected directly from you. We may also collect personal data from others, such as reference agencies and public authorities.

Please note: to fulfil our obligations according to any contract we have in place with you, or to facilitate an event and provide you with an acceptable experience, CEPI depends on receiving a variety of information. If CEPI does not receive the required information from you, it may not be able to fulfil its obligations.

4.    Purpose and lawful basis for processing data

4.1.    Purpose of processing
CEPI will collect and process personal data about you for the following purposes:

i.    To fulfil any contract or agreement that we have in place with you, or with your employer organisation, or in anticipation of any such contract or agreement.
ii.    To facilitate investor, board-level, or other business events and ensure that we provide attendees with the appropriate level of service. 
iii.    To ensure your health, wellbeing, and safety and personal security whilst travelling to and attending CEPI events.
iv.    To improve our website and your user experience whilst engaging with www.cepi.net or with CEPI across social media or via email.
v.    To comply with CEPI’s obligations under applicable national laws or regulatory requirements such as anti-corruption legislation or the GDPR.
vi.    To assess and process employment applications, including reviewing qualifications, skills, and suitability for the role. This involves processing personal data submitted by candidates, such as CVs, cover letters, and employment history.
vii.    To respond to any enquiries or reports of wrongdoing sent via www.cepi.net or other online channels, including email.

4.2.    Lawful basis for processing
The lawful basis we rely on to processing your personal data will depend upon the purpose(s) for which it was collected and the nature of the data. The relevant basis for processing will be one of the following:

i.    The processing is necessary for the performance of, or in anticipation of entering, a contract to which you are, or will be, party, such as in your capacity of a CEPI stakeholder, employee, consultant, or employee of a CEPI partner or supplier, as per Article 6(1)(b) of the GDPR and UK GDPR.
ii.    The processing is necessary for compliance with a legal obligation to which CEPI is subject, as per Article 6(1)(c) of the GDPR and UK GDPR.
iii.    You have given your explicit consent to the processing for the specific purposes for which it was gathered, such as receiving event invitations or updates on CEPI activities. 
iv.    The processing is necessary for purposes of ensuring CEPI’s legitimate interests as per Article 6(1)(f) of the GDRP and UK GDPR, in:
a.    Running events.
b.    Keeping stakeholders informed.
c.    Improving our website and other services.
d.    Answering and managing enquiries and other communications.
e.    Entering into business relationships, fulfilling contracts and other related administration such as engaging suppliers.
f.    Ensuring the integrity of CEPI’s decision making and management.
g.    Ensuring the rights of CEPI or third parties to establish, exercise, or defend legal claims in our favour or that are directed towards us by stakeholders, awardees, suppliers, partners, other third parties or public authorities.
h.    Conducting investigations or audits that may impact CEPI or our legal obligations and for the establishment, exercise, or defence of legal claims.

4.3.    Special category data
If we process special category data, for example race or ethnicity or health data, we will do so under one of the following bases:

i.    You have given your explicit consent to the processing for a specified purpose, as per Article 9(2)(a) of the GDPR and UK GDPR.
ii.    The processing is necessary for the establishment, exercise, or defence of legal claims in which you or CEPI and its employees, investors, and board-members may be party as per Article 9(2)(f) of the GDPR and UK GDPR.

4.4.    Processing of personal data about third parties
Do not provide personal data about others unless you are authorised or required to do so by contract or applicable law. You may provide personal data on behalf of another person if you have provided them with a copy of this notice and any applicable supplemental privacy notice, or if the personal data is provided on other legal grounds. We may ask you to provide evidence of the legal grounds for sharing personal data about others.

If such individuals have questions relating to such processing, they may contact CEPI at [email protected] at any time.

4.5.     Additional processing
CEPI may, on a case-by-case basis, process other personal data or do so based on other legal grounds. You will always be notified of this, as and when applicable.

5.    Disclosure of personal data
We will only share your personal data to third parties if there is a legal basis for such disclosure. We may share your personal data with our:
•    employees and affiliates (CEPI entities) who have a business need to know;
•    services providers (including consultants, contractors, vendors, and out-sourced service providers) to process it on behalf of CEPI based on our instructions; and 
•    partners that are collaborating with us to fund projects.

We do not share your personal data with third parties (including our service providers) for marketing purposes. Our affiliated companies will process your personal data to fulfil our directions or to respond to your request, and when doing so they will act as data controller for the processing conducted by them.

Third-party service providers are only authorised to use your personal data as necessary to provide its services to us. When CEPI uses data processors to collect, store, or otherwise process personal data on our behalf, the relationship to such service suppliers is governed by legal framework agreements, which, among other things, ensures the security and integrity of your personal data. CEPI entities and third-party service providers may be located within or outside the EU/EEA.

We may also share personal data with government agencies or authorities, or other third parties if and to the extent required by applicable law.

If you believe personal data you provided to us is being misused by a third party, please contact [email protected] right away.

6.    Transfer of personal data outside the EEA/EU

The personal data that we collect from you may be transferred to and processed by a third-party service provider established in a country outside the EU/EEA/UK (i.e. a so-called third country), including countries which the EU Commission does not consider having an adequate level of protection for personal data.

In such cases, CEPI will ensure that the personal data is subject to appropriate safeguards by:

•    transferring personal data to countries approved by the EU Commission;
•    entering the EU Standard Contractual Clauses; and
•    additional measures (if required) for such transfers or ensuring other appropriate safeguards.

7.    Protection of personal data
 

CEPI will take appropriate technical and organisational measures to protect personal data. The measures will be consistent with applicable privacy and data security laws and regulations and will include requiring service providers to use appropriate measures to protect the confidentiality and security of personal data.

Whilst we take the protection of personal data seriously and take have put in place appropriate technical and organisational measures to safeguard the personal data that you provide to us, no transmission over the Internet can ever be guaranteed secure. Consequently, please note that we cannot guarantee the security of any personal data that you transfer over the Internet to us.

8.    Retention of personal data

CEPI stores your personal data for as long as it is necessary to achieve the purposes for which the personal data was collected. CEPI will process your personal data until, at the very least, the conclusion of any relationship or interaction, and for a period after that period, to the extent this is necessary to;
•    fulfil CEPI’s obligations pursuant to a contract or other agreements with you;
•    establish, exercise, and defend a legal claim’
•    safeguard CEPI’s legitimate interests; and 
•    fulfil statutory obligations to which CEPI is subject, such as continued storage pursuant to accounting legislation. 
After such time, we will either delete or anonymise your personal data.

If any processing is, at any time, based on consent then the processing will cease when you withdraw your consent. You can withdraw your consent at any time. We may dispose of any data at our discretion without notice, subject to applicable law, or in accordance with a specific data processing agreement governing our processing of the personal data.

9.    Links to other websites and social media

Please note that our website may contain links to non-CEPI websites. CEPI is not responsible for the privacy policies or practices of such websites, and we recommend that you read the privacy policy and notice of any third-party site.

Your activity on our pages on social media, such as content you post and posts you like, will be shared on the relevant platform. The relevant platform will be responsible for the personal data it collects and processes through the platform. More information about how these platforms process personal data can be found in the relevant platform's privacy policy.

10.    Automated Decisions

Automated decision making is the process of making decisions by automated means without any human involvement. These decisions are typically based on algorithmic processing of data, and they can include profiling, which is a form of automated processing of personal data to evaluate certain personal aspects relating to an individual.

CEPI does not envisage that you will be subject to decisions that will have a significant impact on you based solely on automated decision-making. CEPI will notify you in writing if this position changes using the contact details you provide.

11.    Your rights

You have the following rights in relation to any personal data we process or store about you:

i.    To access the personal data.
ii.    To correct inaccurate personal data.
iii.    To have personal data erased (right to be forgotten).
iv.    To restrict the processing of your personal data
v.    To receive personal data you have provided to CEPI in a structured, commonly used, and machine-readable format for onward transmission (data portability).
vi.    To object to the processing.

If the processing is based on your consent, you may at any time withdraw your consent.

You also can file a complaint with your local data protection supervisory authority. We encourage you to contact us first in order to address any objections against CEPI’s processing of personal data.