Information on data protection - valid from 25/05/2018
With the following information, we would like to give you an overview of the processing of your personal data by us and your rights under data protection law. Which data are processed in detail and the manner in which they are used is predominantly determined by the services requested or agreed. Therefore, not every element of this information may be applicable to you.
Who is responsible for data processing and who can I contact?
Responsibility lies with European Vaccine Initiative
You can reach our internal Data Protection Officer at:
European Vaccine Initiative
Mr. Sten Larsen Finnsson
Data Protection Principles
European Vaccine Initiative is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation, Chapter 2 (Article 5):
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Which sources and which data do we use?
We process personal data which we receive from our website contact form, partners, beneficiaries and other concerned parties in connection with our business relationship. Moreover, we process personal data legitimately obtained from publicly accessible sources (such as registers of commercial establishments and associations, press, Internet) or which have been legitimately transmitted to us from other beneficiaries or third parties (for example, a consortium partner) to the extent necessary for rendering our services and in accordance with instructions from donors (for example, the European Union).
Relevant personal data are personal details (name, address and other contact data and authentication data, such as a specimen signature). In addition, these may also be contract data (such as payment data and budget information on payroll and person months), data resulting from the performance of our contractual obligations such as information about financial status: financial validation, data on credit standing, origin of assets, data relevant for validations (assets, liabilities, equity, revenues and expenditures), and other data comparable with the above-mentioned categories.
What is the purpose of processing your data (purpose of personal data processing) and on which legal basis does this take place?
We process personal data in accordance with the provisions of the EU/EEA General Data Protection Regulation (GDPR) and the German Federal Law on Data Protection (BDSG).
a) In order to comply with contractual obligations (Art. 6 (1 b) GDPR)
Data are processed for the purpose of providing and arranging vaccine developments and other related services in connection with the performance of our agreements with our donors or for performing pre-contractual measures as a result of queries (open calls). The purposes of data processing are primarily determined by the specific project and donor requests (such as budget information according to the contract terms of reference, to which each partner has consented) and may, among other things, include needs assessments, consultation, asset management and administration and the execution of transactions.
b) Within the scope of the balancing of interests (Art. 6 (1 f) GDPR)
To the extent necessary, we will process your data beyond the scope of the actual performance of the contract so as to protect justified interests of our own and of third parties. Examples:
Consultation of and exchange of data with external auditors of both financial and technical character, such as:
- EVI audit firm of Falk & co (Section 316/321 paragraph 4a of the German Commercial Code (HGB) and IDW audit standard PS 201/450).
- Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002.
- Council Regulation (Euratom, EC) No 2185/1996 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities' financial interests.
- Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF).
- Good Clinical Practice ICH-GCP guidelines.
For the benefit of:
- Analysis and optimisation of processes
- Advertising or market and opinion research unless you have objected to the use of your data
- Lodging legal claims and defence in case of legal disputes
- Ensuring IT security
- Prevention and investigation of criminal acts
- Measures to protect our contractual rights
- Measures for business management and advanced development of services and products
- Risk management
c) As a result of your consent (Art. 6 (1 a) GDPR)
To the extent you have consented to the processing of personal data by us for certain purposes (such as passing on budget data, analysis of payment transactions, data for marketing purposes, photographs taken in connection with website or events, mailing newsletters), such processing is legitimate on the basis of your consent. Consent once given may be revoked at any time. This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Revocation of consent has an effect only for the future and does not affect the legitimacy of the data processed until revocation.
d) On the basis of statutory regulations (Art. 6 (1 c) GDPR) or in the public interest (Art. 6 (1 e) GDPR)
Moreover, we are subject to various legal obligations, i.e. statutory requirements (such as the Law on Money Laundering, tax laws and employment laws in Europe) and regulations relating to the supervision of clinical practice management.
Who will receive my data?
Within EVI, specific employees who need your data in order to comply with our contractual and statutory obligations will have limited access to them. Service providers and agents appointed by us may also receive the data for these purposes on the condition that they, specifically, observe secrecy. These are companies in the categories payroll services, banking services, IT services, logistics, printing services, telecommunication, collection of receivables (if relevant), consultation, as well as sales and marketing.
As far as passing on data to outside recipients is concerned, it must first be kept in mind that we are obliged to keep all facts and assessments we become aware of in strict confidence. As a matter of principle, we may pass on information only if this is required by statutory law or after consent has been given.
Other cases of outside recipients may be service providers whom we involve in connection with contract data processing relationships.
Other recipients of data may be those bodies for which you have given us your consent to data transfer or an agreement or consent to which we may transfer personal data based on the balancing of interests.
Data transfer to bodies in states outside the European Union (so-called third countries) will take place to the extent
- this is required to carry out orders (such as payment orders)
- it is required by law (such as obligatory reporting under tax law)
- specific consent has been given.
For how long will data be stored?
We process and store personal data as long as this is required to meet our contractual and statutory obligations. In this respect, please keep in mind that our business relationship is a continuing obligation designed to last for years.
If the data are no longer required for the performance of contractual or statutory obligations, these will be erased on a regular basis unless – temporary – further processing is necessary for the following purposes:
Compliance with obligations of retention under commercial or tax law, which for example may result from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Law on Money-Laundering (GwG). As a rule, the time limit specified there for retention or documentation is up to 15 years depending on contractual commitments.
Preservation of evidence under the statutory regulations regarding the statute of limitations. According to Secs. 195 et seqq. of the German Civil Code (BGB), these statutes of limitations may be up to 30 years, the regular statute of limitation being 3 years.
What are my rights with regard to data protection?
- Every data subject has the right of access pursuant to Article 15 GDPR,
- the right to rectification pursuant to Article 16 GDPR,
- the right to erasure pursuant to Article 17 GDPR,
- the right to restriction of processing pursuant to Article 18 GDPR,
- the right to object pursuant to Article 21 GDPR and
- the right to data portability pursuant to Article 20 GDPR.
As far as the right to obtain information and the right to erasure are concerned, the restrictions pursuant to Secs. 34 and 35 BDSG are applicable. Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG).
Consent to the processing of personal data granted to us may be revoked at any time by informing us accordingly. This also applies for the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Please keep in mind that such revocation will be effective only for the future with no impact on processing carried out before the date of revocation.
Obliged to provide data?
Within the scope of our business relationship, you are obliged to provide those personal data which are required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without these data, we will generally not be able to enter into agreements or perform under such an agreement or to terminate it.
Your data will be processed automatically in part with the objective of evaluating certain personal aspects (profiling). For example, we will use profiling in the following cases:
As a result of statutory and regulatory regulations, we are obliged to fight money laundering, the financing of terrorism and criminal acts jeopardising property. In that respect, data (among others, data in payment transactions) will be analysed and will become part of the ongoing risk management.
Information about your right to object pursuant to Article 21 GDPR
- Right to object based on individual cases
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) of Article 6 (1) (data-processing in the public interest) and point (f) of Article 6 GDPR (data-processing on the basis of the balancing of interests); this also applies for profiling as defined in Article 4 point 4 GDPR.
If you do object, we will no longer process your personal data unless we have compelling justified reasons for such processing which take precedence over your interests, rights and freedom or, alternatively, such processing serves to assert, exercise or defend legal claims.
- Right to object to processing data for the purpose of marketing
In individual cases, we will process your personal data for the purpose of direct marketing. You have the right to object at any time against the processing of your personal data for the purposes of such marketing; this also applies for profiling to the extent it is connected to such direct marketing.
If you do object to processing for the purposes of direct marketing, we will refrain from using your personal data for such purposes henceforth.
- Recipient of an objection
Such objection may be submitted informally under the heading "objection" indicating your name and your address and should be addressed to:
European Vaccine Initiative
Mr. Sten Larsen Finnsson