Data Protection and Privacy Policy
Learn more about CEPI's overarching policy for data protection and privacy.
1. Introduction
1.1. This policy is the overarching policy for data protection and privacy for The Coalition for Epidemic Preparedness Innovations (“CEPI”).
2. Objective
2.1. This policy sets out how CEPI:
- a) complies with its obligations under the General Data Protection Regulation (2016), UK GDPR and all other applicable national legislation; and
- b) seeks to protect the Personal Data of individuals.
2.2. This policy is intended to ensure that staff understand and comply with the rules governing the collection, use, retention, and deletion of any Personal Data to which they may have access during their work.
3. Scope
3.1. This policy covers all Personal Data that CEPI might process during the course of its activities, either in hard copy or digital copy, including Special Category Data but excluding anonymous Data or Data that has had the identity of an individual permanently removed.
3.2. This policy applies to all Employees, Associates, and other persons that process Personal Data on behalf of CEPI, and any individual or entity who processes Personal Data on behalf of CEPI must follow this policy in accordance with the relevant provisions of their contract of engagement.
3.3. Individuals should refer to CEPI’s privacy notices, other relevant policies, and the CEPI Privacy site in CEPI Central for specific information and guidance regarding the protection of personal information in specific contexts, such as:
- a) Data retention
- b) Employment
- c) Information security
- d) International Data Transfers
- e) Monitoring
- f) Special Category Data
- g) Travel and events
- h) Use of the Internet, electronic communications, and social media
4. Definitions
4.1. For the purposes of this policy, the following definitions will apply:
Associate
Any non-Employee engaged to provide services to CEPI or chosen or appointed to act or speak on behalf of CEPI. This includes, but is not limited to:
- paid consultants;
- temporary workers and individuals engaged through a professional employer organisation or other intermediary;
- external reviewers or other experts engaged by CEPI (paid or unpaid);
- interns and fellows (paid or unpaid); and
- members of CEPI’s Board of Directors and advisory bodies (e.g., Scientific Advisory Committee, Joint Coordination Group).
CEPI
The Coalition for Epidemic Preparedness Innovations, the Coalition for Epidemic Preparedness Innovations UK Limited, and the Coalition for Epidemic Preparedness Innovations U.S.
CEPI Privacy
The Senior Data Protection and Privacy Manager, or other Employee or Associate, who is responsible for advising on and monitoring compliance with data protection laws under the direction of the Director of Compliance, Risk and Assurance (CRA).
Data
Information in many forms. Examples include, but are not limited to, paper documents, electronic documents (databases, emails, presentations, spreadsheets), or information contained in spoken conversations.
Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Data Processor
A third party that Processes Personal Data on behalf of CEPI, under our instructions.
Employee
Any individual with an employment contract directly with one of CEPI’s three legal entities in Norway, the UK or the US.
Data Subject
An identifiable natural person, to whom specific personal information relates. An identifiable natural person is a living individual who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
International Data Transfer
The movement of Personal Data from within the European Economic Area (EEA) to countries or international organisations located outside the EEA.
Data Privacy Laws
All applicable laws, regulations, and legal requirements relating to data protection and privacy, including but not limited to, the General Data Protection Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Norwegian Personal Data Act, and any other applicable federal, national, or state‑level data protection or privacy legislation.
Personal Data
Any information that directly identifies you or relates to you, that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about your actions or behaviour.
Processing
Obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it.
Special Category Data
Sensitive Personal Data, as defined in Article 9 of the GDPR, including Personal Data relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying you, data concerning health, or data concerning sex life or sexual orientation.
5. Policy statement
5.1. Our commitment to privacy and data protection
CEPI recognises the important distinction between data privacy and data protection:
- a) Data Privacy is the fundamental right of individuals to have control over their personal information and how it is used. It is about why we process data, and the rights individuals have.
- b) Data Protection is the mechanism for protecting personal data. It includes the security measures, rules, and frameworks we put in place to defend against unauthorised access and ensure privacy rights are upheld.
5.2. CEPI statement of privacy principles
The overall purpose of Data Privacy Laws is to protect the privacy rights and freedoms of individuals, and in particular the right to the protection of their Personal Data. As such:
- a) CEPI, as a publicly funded organisation that operates globally, considers the privacy of individuals and the protection of their personal information to be of the utmost importance in any jurisdiction in which it operates.
- b) CEPI will always process Personal Data in a way that ensures that the individual’s rights are safeguarded.
- c) CEPI is committed to Processing Personal Data in accordance with the principles of the GDPR and all applicable national legislation.
5.3. Data protection principles
In practice, the statement of principles in subsection 5.1. means that CEPI will process Personal Data in accordance with the following principles regardless of what jurisdiction it is operating in:
- a) CEPI will process Personal Data lawfully, fairly, and in a transparent manner.
- b) CEPI will collect Personal Data for specified, explicit, and legitimate purposes only; and will not process it in a way that is incompatible with those legitimate purposes.
- c) CEPI will only process Personal Data that is adequate, relevant, and necessary for the relevant purposes.
- d) CEPI will keep accurate and up-to-date records and take reasonable steps to ensure that inaccurate Personal Data is corrected or deleted without undue delay.
- e) CEPI will keep Personal Data for no longer than is necessary for the purposes for which the information was gathered and is processed.
- f) CEPI will take appropriate technical and organisational measures to ensure that Personal Data is kept secure and protected against unauthorised or unlawful Processing, and against accidental loss, destruction, or damage.
- g) CEPI will, where required, take reasonable steps to ensure that any third parties with whom it shares Personal Data will operate in a manner that is consistent with applicable data protection laws and regulations, as set out in CEPI’s Third Party Code of Conduct.
5.4. Rights of the Data Subject
CEPI will always uphold the rights of the Data Subject as outlined in section 8 below.
5.5. Organisational measures
CEPI will establish and maintain policies and procedures to ensure compliance with the principles and protection of the rights mentioned above.
CEPI will establish data protection and privacy procedures and guidance via official channels such as our intranet, which will detail how Employees are to comply with this policy and the data protection principles in practice.
Compliance with this policy will be monitored through the Internal Audit and Assurance group activities in accordance with CEPI’s Internal Audit programme. Compliance by third parties engaged or funded by CEPI will be monitored through CEPI’s risk-based Partner Assurance programme.
CEPI will conduct periodic risk assessments and update its policies and procedures accordingly to ensure continued compliance with this policy and all other legal requirements.
CEPI Employees, Associates, and other relevant individuals, shall receive appropriate training on this policy and associated procedures, as appropriate to their role.
6. Compliance with data protection principles
6.1. Accuracy
CEPI shall:
- take all reasonable steps to ensure the Personal Data it processes is accurate; and
- where it is necessary for the lawful basis upon which Personal Data is processed, take steps to ensure that Personal Data are kept up to date.
6.2. Adequate, relevant, and limited to what is necessary
CEPI shall:
- ensure that any Personal Data it processes are adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
6.3. Breach reporting
In the event of a Data Breach CEPI shall, without undue delay:
- assess the risk to individuals’ rights and freedoms;
- where appropriate, notify the relevant supervisory authority; and
- where appropriate, notify the Data Subject.
6.4. International data transfers
CEPI may transfer Personal Data to internal or third-party recipients located in another country and in doing so shall:
- only make routine International Data Transfers to countries that are recognised as having an adequate level of legal protection for the rights and freedoms of the relevant Data Subjects; and
- where International Data Transfers need to be made to countries lacking an adequate level of legal protection (“third countries”), do so in compliance with an approved transfer mechanism with advice from CEPI Privacy.
6.5. Lawful, fair, and transparent Processing
CEPI shall:
- only Process Personal Data based on one of the following legal bases:
  - consent;
  - legal obligation;
  - vital interests;
  - public task; or
  - legitimate interest of CEPI;
- ensure that Processing of Personal Data is lawful, fair, and transparent, by maintaining Records of Processing Activities;
- regularly, and at least once annually, review the Records of Processing Activities;
- log the appropriate basis for each category of Personal Data in the Records of Processing Activities;
- where consent is relied upon as a lawful basis for Processing data, evidence an individual’s opt‑in consent; and
- uphold Data Subjects’ right to access their Personal Data and deal with any requests to exercise their rights in a timely manner (see sections 8 and 9 below).
6.6. Security
CEPI shall:
- ensure that Personal Data is stored securely;
- implement technical and organisational measures to ensure a level of security that is appropriate to the risk in Processing;
- limit access to Personal Data to the personnel who need access;
- put in place appropriate security measures to avoid the unauthorised sharing of Personal Data;
- delete any Personal Data securely and in such a way that the data is irrecoverable; and
- ensure that appropriate back‑up and disaster recovery solutions are in place.
6.7. Special Category Data
If CEPI processes any Special Category Data or criminal records data, it shall:
6.7.1. Only process this Data based on one of the following legal bases:
- a) explicit consent;
- b) employment, social security, or social protection law;
- c) vital interests;
- d) the Personal Data has been manifestly made public by the Data Subject;
- e) to establish, exercise, or defend legal claims;
- f) substantial public interest;
- g) health or social care;
- h) public health; and
- i) archiving, research, and statistics.
6.7.2. Keep written records of:
- a) the relevant purpose(s) for which the Processing takes place, including (where required) why it is necessary for the purpose;
- b) the lawful basis for Processing; and
- c) whether CEPI retains and erases the Personal Data and, if not, the reasons for not doing this.
6.8. Storage/deletion
To ensure that Personal Data is kept for no longer than is necessary, CEPI shall put in place a data retention policy and schedule, which shall be reviewed annually. The retention policy shall consider what data should be retained, for how long, and why.
7. Data protection by design and by default
7.1. CEPI will ensure appropriate technical and organisational measures are in place to effectively uphold the principles outlined in subsection 5.2. and safeguard the individual rights outlined in subsection 5.3. This will include:
- integrating the necessary safeguards into any new data Processing activity to meet regulatory requirements and to protect individuals’ rights;
- considering the nature, scope, purpose, and contents of any Processing; and
- considering the risks to the rights and freedoms of individuals posed by the Processing.
7.2. CEPI shall uphold the principles of data protection by design and by default from the beginning of any new data Processing activity, in addition to the planning and implementation of any new data process.
This will include, where appropriate, carrying out a data protection impact assessment.
7.3. All existing data Processing shall be recorded in CEPI’s Record of Processing Activities.
7.4. By adhering to the principles in subsection 5.2. as its default position, CEPI ensures that individuals are protected against privacy risks.
8. Rights of the Data Subject
8.1. The Data Subject will, among other rights, always have the following rights in relation to their Personal Data:
- To be informed of the purposes of the Processing.
- To be informed of the categories of Personal Data concerned.
- To be informed of the recipients or categories of recipient to whom the Personal Data have been, or will be, disclosed, particularly recipients in third countries or international organisations.
- Where possible, to be informed of the expected period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period.
- To be informed of the existence of the right to request from the controller rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing.
- To lodge a complaint with a relevant supervisory authority.
- Where the Personal Data is not collected from the Data Subject, to be provided with any available information as to its source.
- To be informed of the existence of automated decision‑making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance of the envisaged consequences of such Processing for the Data Subject.
8.2. Any inquiries regarding the rights of an individual Data Subject, including the wish to exercise such rights, should be sent to [email protected].
9. Responsibilities
9.1. Privacy at CEPI
The Director of Compliance, Risk and Assurance is responsible for the overall data protection framework.
CEPI has appointed a Senior Data Protection Manager, who is responsible for the day‑to‑day management of data protection activities within CEPI and ensuring that these activities comply with this policy.
9.2. Individuals
Individuals are responsible for helping CEPI keep the Personal Data it holds up to date.
Employees and Associates should let P&O know if the information they have provided to the organisation changes, for example through moving house or changing name.
9.3. Employees and Associates
Employees and Associates might have access to the Personal Data of other members of staff, consultants, suppliers, and other third parties in the course of their employment or engagement.
If so, CEPI expects Employees and Associates to assist in meeting its data protection obligations in relation to those individuals, including upholding CEPI’s commitments to the data protection principles outlined in section 6 above.
Further details on what is expected of Employees and Associates and how they are to comply with this policy in practice can be found within CEPI’s Data Protection and Privacy procedures and guidance on CEPI’s intranet and will be explained through inductions for new colleagues and regular training.
10. Failure to comply
10.1. CEPI takes compliance with this policy seriously. Failure to comply with this policy and associated procedures:
- puts Data Subjects at risk;
- carries the risk of substantial civil and criminal sanctions for the individual and CEPI; and
- may, in certain circumstances, amount to a criminal offence by the individual.
10.2. Due to the importance of this policy and the severity of the potential consequences of any breach, an Employee’s failure to comply with any requirement of this policy may lead to disciplinary action under CEPI’s procedures and legal action to redress any damage or loss to Data Subjects. Such action may lead to dismissal for gross misconduct, or termination of the individual’s contract.
10.3. Associates who fail to comply with this policy may face serious consequences, including the termination of their contractual agreement with CEPI. Depending on the severity of the breach, CEPI may also pursue further legal action to address any damages or losses incurred as a result of the non‑compliance. All Associates are expected to take their data protection responsibilities seriously to avoid such consequences.
Current version: 2.2
Approved by CEPI Board: March 2023
Owner: Director, Compliance, Risk and Assurance
Linked documents:
- Acceptable Use of IT Policy
- CEPI External Privacy Notice
- Data Protection & Privacy Procedure
- Data Retention Policy
- Data Retention Schedule
- Information Security Policy
- Privacy and Cookie Policy
- Personal Data Breach Procedure
- Privacy Notice for CEPI Employees and Associates
- Privacy Notice for CEPI Travel and Events
- Third Party Code
Past versions: 1.0, 1.1, 2.0, 2.1
Date of last review: December 2025
