Privacy and Cookie Policy

Scope and purpose 

CEPI cares about individuals’ privacy and is committed to process personal data in compliance with the locally applicable laws and regulations. This privacy notice is applicable to the processing of your personal data that you submit to us through this website, our newsletter service, electronic webforms and web portals in order to send or receive information and materials to and from us.

Please note that this website may contain links to non-CEPI websites. CEPI is not responsible for the privacy policies or practices of such websites and we recommend that you read the privacy policy and notice of any third-party site.

If at any time you have questions about this notice, please let us know.
This notice may be updated to reflect changes in our practices.


Within CEPI the data controller will be the relevant CEPI undertaking you have your relationship with, which can be one of the following, separately or jointly:

  • Coalition for Epidemic Preparedness Innovations with business register number 917 687 811, P.O. Box 123, Torshov, 0412 Oslo (“CEPI Norway”)
  • CEPI UK Limited, 215 Euston Road, London, Greater London, NW1 2BE
  • CEPI US, 1901 Pennsylvania Ave, NW; Suite 1003; Washington, DC 20006; USA

CEPI Norway is controller for personal data processed via as CEPI Norway operates this website, and for other processing as described below. Other affiliated CEPI companies are controllers for local processing of personal data as set out in this policy.

Personal data we collect and how we process personal data

We may process personal in accordance with applicable data protection legislation and this privacy notice for the following purposes and based on the following legal basis:

A contractual relationship between you and CEPI where the processing of personal data is generally necessary to the execution or the performance of the contract (GDPR Article 6 (1) (b)).

Communication and respond to inquiries we receive, where we can process name, email address, phone number and any personal data included in the inquiry or communication. Please do not disclose more personal data than is requested or necessary. The legal basis is CEPI’s legitimate interest to answer and manage inquiries and other communication (GDPR Article 6 (1) (f)).

Business and partner relationship purposes, where CEPI process personal data necessary to manage contractual relationships and funding of projects where for example name and contact information for contact persons (e.g. employees) is processed, in addition to personal data contained in contracts, ongoing commercial correspondence, invoices, minutes of meeting etc. The legal basis is CEPI’s legitimate interest in entering into business relationships, fulfil contracts and administrate such relationship (GDPR Article 6 (1) (f)).

For funding of projects undertake screening activities including Integrity Due Diligence (IDD) screening and financial information, where personal data may be processed, such as example position, personal relations, possible political relations, possible sanction listings and criminal records are collected from public sources. The legal basis is CEPI’s legitimate interest to comply with legal obligations (GDPR Article 6 (1) (c)) and the legitimate interest of ensuring the integrity of CEPI’s decision making and management of (GDPR Article 6 (1) (f)).

Reporting concerns via CEPI’s whistleblowing channel, where the processing of personal data is described in a separate privacy policy.

CEPI may initiate investigations or audits on its own initiative or due to grievances by third parties, which may include processing of personal data such as contact information about employees etc with our business relations and other necessary personal data such as employees’ or consultants’ payrolls and time sheets in order to complete our investigation or audit. The legal basis is our legitimate interest in conducting investigation conditions or audits that may impact CEPI, our legal obligations and for the establishment, exercise or defence of legal claims (GPDR Article 6 (1) (f)).

Newsletters, where name and email address are processed for the purpose of sending you our newsletters, if you have consented to receive newsletters (GDPR Article 6 (1) (a)).

To improve our website, and to enhance the user experience, CEPI uses cookies and other information gathering methods, where personal data as IP address will be collected. The legal basis is our legitimate interests in collecting visitor statistics and optimize and develop our user experience on our website. You can find more information regarding our use of cookies etc. below.

Recruitment purposes, where we process personal data such as CV, application, certificates, references and other information you may provide or which we need to verify to assess your application. The legal basis for such processing is that it is necessary in order to take steps at your request prior to entering into a contract (GDPR Article 6 (1) (b)), our legitimate interest in finding the best candidate for the position (GDPR Article 6 (1) (f)), or your consent (GDPR Article 6 (1) (a)). CEPI has a separate privacy policy in relation to recruitment, which will be available to applicants via our job application and before signing up on our recruitment platform.

Ensuring the rights of CEPI or third parties, to establish, exercise or defend legal claims we believe to have, or that are directed towards us by customers, suppliers, partners, other third parties or public authorities. The legal basis is CEPI’s legitimate interests in excessing and defending such claims (GDPR Article 6 (1) (f)).

Legal obligations applicable to the operation of CEPI (GDPR Article 6 (1) (c)).

CEPI may, on a case-by-case basis, process personal data for other purposes and rely on different legal grounds, such consent, legitimate interest or the protection of individuals vital interests, in accordance with applicable data protection law, as set forth in an applicable privacy notice.

Sources of personal data

We collect personal from different sources, such as directly from you, through the use of our web page/cookies, from our business relations (for instance where a partner or supplier provides information about employees) or other third parties.

Personal data provided of others.

Do not provide personal data about others unless you are authorized or required to do so by contract or applicable law. You may provide personal data on behalf of another person if you have provided them with a copy of this notice and any applicable supplemental privacy notice, or if the personal data is provided other legal grounds. We may ask you to provide evidence of the legal grounds for sharing personal data about others.

Sharing of personal data

We will only share your personal data to third parties if there is a legal basis for such disclosure. We may share your personal data with our employees and affiliates (CEPI entities) who have a business need to know, our services providers (including consultants, contractors, vendors, and out-sourced service providers) to process it for us based on our instructions, and with partners that are collaborating with us to fund projects. We do not share your personal data with third parties (including our service providers) for marketing purposes. Our affiliated companies will process your personal data to respond to your request and when doing so they will act as data controller for the processing conducted by them.

Third-party service providers are only authorised to use your personal data as necessary to provide its services to us. The relationship to such suppliers is governed by a data processor agreement, which among others ensures confidentiality and information security for your personal data. CEPI entities and third-party service providers may be located within or outside the EU/EEA.

We may also share personal data with government agencies or authorities, or other third parties if and to the extent required by applicable law.

If you believe personal data you provided to us is being misused by a third party, please contact us right away.

Transfer of your personal data outside the EU/EEA

The personal data that we collect from you may be transferred to and processed by a third-party service provider established in a country outside the EU/EEA (i.e. a so-called third country), including countries which the EU Commission does not consider having an adequate level of protection for personal data. In such case we will take all necessary steps required under applicable law in order for such transfer of your personal data across borders to be compliant with applicable law. We will only transfer your personal data to a country outside the EU/EEA where; (i) the EU Commission has decided that the third country ensures an adequate level of protection, or (ii) where the transfer is being safeguarded by the use of EU model clauses and additional measures (if required) or (iii) ensuring that other appropriate safeguards as set out in applicable data privacy laws are in place.

Protection of personal data

CEPI maintains appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. CEPI also takes appropriate legal, technical and organisational measures to ensure that your personal data is treated securely and with an adequate level of protection when transferred to or shared with the above referred to third parties.

Whilst we take technical and organisational measures to safeguard the personal data that you provide to us, no transmission over the Internet can ever be guaranteed secure. Consequently, please note that we cannot guarantee the security of any personal data that you transfer over the Internet to us.

Data storage

We will keep your personal data as long as necessary for us to respond to your request or forward your request to the relevant individual, or until it is no longer needed to fulfil the purpose(s) for which it was collected or as otherwise required or permitted by law. After such time, we will either delete or anonymize your personal data or. If the legal basis for the processing of personal data is consent, CEPI will cease the processing of personal data if the consent is withdrawn. You may withdraw your consent at any time. We may dispose of any data in our discretion without notice, subject to applicable law, or in accordance with a specific data processing agreement governing our processing of the personal data. Please contact us if you would like more details regarding our retention periods for different categories of personal data.

Links to other websites and social media

Please note that this website may contain links to non-CEPI websites. CEPI is not responsible for the privacy policies or practices of such websites and we recommend that you read the privacy policy and notice of any third-party site.

Your activity on our pages on social media, such as content you post and posts you like will be shared on the relevant platform. The relevant platform will be responsible for the personal data it collects and processes through the platform. More information about how these platforms process personal data can be found in the relevant platform’s privacy policy.

Your rights

You have under some circumstances the right to access personal data, to correct inaccurate personal data, to have personal data erased, to restrict the processing of your personal data, to receive personal data you have provided to CEPI in a structured, commonly used and machine-readable format for onward transmission (data portability), and to object to the processing. If the processing is based on your consent, you may at any time withdraw your consent. Generally, newsletters and updates from us will include links to access, correct, or delete your personal data and to manage any subscriptions directly.

You are also entitled to lodge a complaint with the relevant supervisory authority if you believe that CEPI’s processing of your personal data are contrary to relevant data protection regulations. However, we encourage you to address any objections against CEPI’s processing of personal data to us first.


Technologies such as cookies are used by us and our analytics or service providers. These technologies are used e.g. in analysing trends, administering this website and tracking users’ movements around this website. A cookie is a small file of letters and numbers that we put on your computer. This helps us to provide you with a good experience while you browse and to improve the way the site works.

Cookies are set when you:

  • visit the site
  • sign up for newsletters

For general information about cookies, and how to control and disable them, please visit

Cookies used on the CEPI site

has_js Records whether a browser has JavaScript enabled

.cookie_agreed Records a user's cookie preference.

_ga Universal Google Analytics cookie for distinguishing between users. Duration: 2 years.

_gat Universal Google Analytics cookie for limiting the number of requests. Duration: 10 minutes.

_utma Used to distinguish users and sessions. Updates every time data is sent to Google Analytics. Duration: 2 years from when it is set/updated.

_utmz Stores information about the traffic source or campaign for use by Google Analytics. Duration: 6 months from when it is set/updated.

Learn about Google’s practices here.

Contact information

If you have any questions regarding the processing of your personal data, this Privacy Notice, have comments on CEPI’s processing of your personal data or you want to exercise your rights, please contact us on:


Coalition for Epidemic Preparedness Innovations
P.O. BOX 123, Torshov
0412 Oslo, Norway


[email protected]


The material contained in the CEPI website is provided for general purposes only. We endeavour to ensure that the content is accurate and up to date but CEPI accepts no responsibility for loss arising from reliance on information contained in this site, or any other sites that we link to from our site.