Data Protection and Privacy Policy

Learn more about CEPI's overarching policy for data protection and privacy.

1. Introduction

This data protection and privacy policy (“Policy”) is the overarching policy for data protection and
privacy for The Coalition for Epidemic Preparedness Innovations (“CEPI”).


2. Objective

2.1. This Policy sets out how CEPI:

  • complies with its data protection obligations under the General Data Protection
    Regulation (2016) and all other applicable national legislation; and
  • seeks to protect the Personal Data of individuals.

2.2. This Policy is intended to ensure that Employees and Associates understand and comply with
the rules governing the collection, use, retention, and deletion of any Personal Data to which
they may have access during their work.

3. Scope

3.1. This Policy covers all Personal Data that CEPI might process during the course of its activities, either in hard copy or digital copy, including special categories of data. This Policy applies to all Employees, consultants, and other persons that process Personal Data on behalf of CEPI.

3.2. Any individual or entity who processes Personal Data on behalf of CEPI must follow this Policy. 

3.3. Individuals should refer to CEPI’s privacy notices and other relevant policies for detailed information and guidance regarding the protection of personal information in specific contexts, such as:

a) Data retention
b) Employment
c) Information security
d) International data transfers
e) Monitoring
f) Special category data
g) Use of the Internet, electronic communications, and social media

4. Definitions

For the purposes of this Policy: 

  • CEPI means the Coalition for Epidemic Preparedness Innovations, the Coalition for Epidemic Preparedness Innovations UK Limited, and the Coalition for Epidemic Preparedness Innovations U.S.
  • Data means information in many forms. Examples include, but are not limited to, paper documents, electronic documents (databases, emails, presentations, spreadsheets), or information contained in spoken conversations. 
  • Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. 
  • Data Subject means the identifiable natural person to whom specific personal information relates. 
  • Employee means an individual with an employment contract directly with one of CEPI’s three legal entities in Norway, the United Kingdom, or the US.
  • Associate means any non-employee engaged to provide services to CEPI or chosen or appointed to act or speak on behalf of CEPI. This includes, but is not limited to: paid consultants, temporary workers and individuals engaged through a professional employer organisation or other intermediary; external reviewers or other experts engaged by CEPI (paid or unpaid); interns and fellows (paid or unpaid); and members of CEPI’s Board of Directors and advisory bodies (e.g., Scientific Advisory Committee, Joint Coordination Group).
  • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, or the “General Data Protection Regulation”. 
  • Identifiable natural person is a living individual who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Personal Data means any information that relates to an identified or identifiable natural person.
  • Processing Data means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it. 
  • Record of Processing Activities means CEPI’s internal register of data processing activities, which details the data categories, the groups of data subjects, the purpose of the processing and the data recipients.
  • Record of Systems means CEPI’s record of information systems and contexts in which Personal Data is processed by the organisation.
  • Special Category Data means sensitive Personal Data, as defined in Article 9 of the GDPR and includes Personal Data relating to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 
  • Third Country means a country outside of the European Economic Area.

5. Policy statement

5.1. CEPI statement of principles 

The overall purpose of data privacy regulations and policies is to protect the rights and freedoms of individuals and in particular the right to the protection of their Personal Data and, as such: 

  • a) CEPI, as a publicly funded organization that operates globally, considers the privacy of individuals and the protection of their personal information to be of the utmost importance. 
  • b) CEPI will always process Personal Data in a way that ensures that the individual’s rights are safeguarded.
  • c) CEPI is committed to processing Personal Data in accordance with the principles of the GDPR and all applicable national legislation.


5.2. Data protection principles

CEPI will process Personal Data in accordance with the following principles regardless of what jurisdiction it is operating in: 

  • a) CEPI will process Personal Data lawfully, fairly, and in a transparent manner. 
  • b) CEPI will collect Personal Data for specified, explicit, and legitimate purposes only; and will not process it in a way that is incompatible with those legitimate purposes. 
  • c) CEPI will only process Personal Data that is adequate, relevant, and necessary for the relevant purposes. 
  • d) CEPI will keep accurate and up to date records and take reasonable steps to ensure that inaccurate Personal Data is corrected or deleted without undue delay. 
  • e) CEPI will keep Personal Data for no longer than is necessary for the purposes for which the information was gathered and is processed. 
  • f) CEPI will take appropriate technical and organisational measures to ensure that Personal Data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction, or damage. 
  • g) CEPI will ensure that any third parties with whom it shares Personal Data will operate in a manner that is consistent with applicable data protection laws and regulations, as set out in CEPI’s Third Party Code or other applicable contractual documents.

5.3. Rights of the Data Subject

CEPI will always uphold the following rights of the Data Subject: 
a) The right to be informed 
b) The right of access 
c) The right to rectification 
d) The right to erasure 
e) The right to restrict processing 
f) The right to data portability 
g) The right to object 
h) Rights in relation to automated decision making and profiling


5.4. Organisational measures

CEPI will establish and maintain policies and procedures to ensure compliance with the principles and protection of the rights mentioned above and, as such: 

  • a) CEPI will establish a data protection and privacy procedure (“Procedure”), which will detail how Employees are to comply with this Policy and the data protection principles in practice. 
  • b) Compliance with this Policy will be monitored through the Internal Audit and Assurance group activities in accordance with the Annual Internal Audit and Assurance Plan, as agreed with CEPI Senior Management. Compliance by third parties engaged or funded by CEPI will be monitored through CEPI’s risk-based Partner Assurance programme. 
  • c) CEPI will conduct periodic risk assessments and update its policies and procedures accordingly to ensure continued compliance with this Policy and all other legal requirements. 
  • d) CEPI Employees, Associates, and other relevant individuals shall receive appropriate training on this Policy and associated Procedure, as appropriate to their role.

6. Compliance with data protection principles

6.1. Accuracy

CEPI shall take all reasonable steps to ensure the Personal Data it processes are accurate. Where it is necessary for the lawful basis upon which data are processed, steps shall be put in place to ensure that Personal Data are kept up to date.

6.2. Adequate, relevant, and limited to what is necessary

CEPI shall ensure that any Personal Data it processes are adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

6.3. Breach reporting 

In the event of a Data Breach, CEPI shall, without undue delay: 

a) assess the risk to individuals’ rights and freedoms; 
b) where appropriate, notify the relevant supervisory authority; and 
c) where appropriate, notify the data subject. 

6.4. International data transfers

  • CEPI may transfer Personal Data to internal or third-party recipients located in another country.
  • CEPI will only transfer data to a country that is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects.
  • Where transfers need to be made to countries lacking an adequate level of legal protection (Third Countries), they must be made in compliance with an approved transfer mechanism as detailed in the associated Procedure.

6.5. Lawful, fair, and transparent processing

  • Individuals have the right to access their Personal Data and any such requests shall be dealt with in a timely manner (see paragraph 9 below).
  • To ensure that processing of Personal Data is lawful, fair, and transparent, CEPI will maintain a Record of Processing Activities and a Register of Systems.
  • The Record of Processing Activities and the Register of Systems shall be regularly reviewed, and at least once annually.

6.6. Lawful purposes

All Personal Data will be processed by CEPI on one of the following legal bases:

a) Consent 
b) Legal obligation 
c) Vital interests 
d) Public task 
e) Legitimate interest of CEPI

CEPI shall log the appropriate basis for each category of Personal Data in the Record of Processing Activities. 

Where consent is relied upon as a lawful basis for processing data, evidence of an individual’s opt-in consent shall be stored with the Personal Data.

6.7. Security 

CEPI shall ensure that Personal Data are stored securely and shall implement technical and organisational measures to ensure a level of security that is appropriate to the risk in processing.

Access to Personal Data shall be limited to the personnel who need access and appropriate security measures shall be put in place to avoid the unauthorised sharing of Personal Data. 

When Personal Data is deleted, this shall be done securely and in such a way that the data are irrecoverable. 

CEPI shall ensure that appropriate back-up and disaster recovery solutions are in place.

6.8. Special category data 

If CEPI processes any Special Category Data or criminal records data, it will keep written records of:

  • a) the relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for the purpose; 
  • b) the lawful basis for processing; and 
  • c) whether CEPI retains and erases the personal information and, if not, the reasons for not doing this. 

Employees and Associates shall follow the process laid out in the associated Procedure when handling special category or criminal records data. 

6.9. Storage/deletion

To ensure that Personal Data are kept for no longer than is necessary, CEPI shall put in place a storage and retention policy and this process shall be reviewed annually. The storage and retention policy shall consider what data should be retained, for how long, and why.

7. Data protection by design and by default 

7.1. CEPI will ensure appropriate technical and organisational measures are in place to effectively uphold the principles and safeguard the individual rights outlined above. This will include: 

  • a) integrating the necessary safeguards into any new data processing activity to meet regulatory requirements and to protect individuals’ rights; 
  • b) considering the nature, scope, purpose, and contents of any processing; and 
  • c) considering the risks to the rights and freedoms of individuals posed by the processing.

7.2. CEPI shall uphold the principles of data protection by design and by default from the beginning of any new data processing activity, in addition to the planning and implementation of any new data process. This will include, where appropriate, carrying out a data protection impact assessment. 

7.3. All existing data processing shall be recorded in CEPI’s Record of Processing Activities. 

7.4. By adhering to the principles in paragraph 5.2 as its default position, CEPI ensures that individuals are protected against privacy risks. 

8. Rights of the data subject 

8.1. The Data Subject will, among other rights, always have a right to the following information in relation to their Personal Data: 
a) The purposes of the processing. 
b) The categories of Personal Data concerned. 
c) The recipients or categories of recipient to whom the Personal Data have been, or will be, disclosed, particularly recipients in third countries or international organisations. 
d) Where possible, the expected period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period. 
e) The existence of the right to request from the controller rectification or erasure of Personal Data or restriction of processing of Personal Data concerning the Data Subject or to object to such processing. 
f) The right to lodge a complaint with a relevant supervisory authority. 
g) Where the Personal Data are not collected from the Data Subject, any available information as to their source. 
h) The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

8.2. Any inquiries regarding the rights of an individual Data Subject, including the wish to exercise such rights, should be sent to [email protected]

9. Responsibilities

9.1. The Director of Governance, Risk and Compliance is responsible for the overall data protection framework. CEPI has appointed a Senior Data Protection and Privacy Manager, who is responsible for the day-to-day management of data protection activities within CEPI and ensuring that individuals carrying out these activities adhere to this Policy and associated Procedure.

9.2. Individuals are responsible for helping CEPI keep the Personal Data it holds up to date.

9.3. Employees and Associates might have access to the Personal Data of other Employees and Associates, suppliers, and other third parties in the course of their employment or engagement.

9.4. If so, CEPI expects Employees and Associates to assist in meeting its data protection obligations in relation to those individuals.

9.5. Further details on what is expected of Employees and Associates and how they are to comply with this Policy in practice can be found in the associated Procedure.


10. Failure to comply 

10.1. CEPI takes compliance with this Policy seriously. Failure to comply with this Policy and associated Procedure: 
a) puts data subjects at risk; 
b) carries the risk of substantial civil and criminal sanctions for the individual and CEPI; and 
c) may, in certain circumstances, amount to a criminal offence by the individual. 

10.2. Due to the importance of this Policy and the severity of the potential consequences of any breach, an Employee’s failure to comply with any requirement of this Policy may lead to disciplinary action under CEPI’s procedures. Such action may lead to dismissal for gross misconduct, or termination of the individual’s contract.

10.3. CEPI will take the appropriate legal action where Associates or third parties fail to comply with the applicable data protection and privacy laws.