Privacy Notice

This page functions as a Privacy Notice explaining how Bavarian Nordic processes your personal data. 

You can read more about how we process your personal data on this page, where you can choose the specific situation and processing activity that you want to know more about. You can also learn about your rights as well as how we process personal data in general.

1. Data controller

The entity responsible for the processing of your personal information is:

Bavarian Nordic A/S
Reg. No. 16271187
Philip Heymans Alle 3
DK-2900 Hellerup
Denmark

Bavarian Nordic GmbH
Reg. No. DE 813 250 971
Fraunhoferstrasse 13
D-82152 Martinsried
Germany

Bavarian Nordic AG
Reg. No. CHE-259.519.429
Grafenauweg 8
CH-6301 Zug
Switzerland 

Bavarian Nordic AB
Reg. No. 559305-6186
Box 1017
S-251 12 Helsingborg
Sweden

Bavarian Nordic Inc.
Reg. No. 3906219
1005 Slater Road, Suite 101
Durham, NC 27703
USA

Bavarian Nordic Canada Inc.
Reg. No. 1000483465
100 King Street West, Suite 6200
1 First Canadian Place
Toronto, Ontario M5X 1B8
Canada

Bavarian Nordic Berna GmbH
Reg. No. UID: CHE-334.354.325
Oberriedstrasse 68
CH-3174 Thörishaus
Switzerland


Bavarian Nordic Spain, SLU
Reg. No. NIF: B87176897
C/O CitCo Corporate Management
Calle Pinar 7, 1
28006 Madrid
Spain

Bavarian Nordic Portugal, LDA
Reg. No. NIPC: 514766760
Rua Abranches Ferrão, 10, 15.º C
1600 001 Lisbon
Portugal

Bavarian Nordic Italy S.r.L
Reg. No. MI-2056003
Piazzo Pio XI
20123 Milano
Italy


The entity responsible for the processing of your personal information will mostly be Bavarian Nordic A/S, however in some situations it might be another of our group companies, and, in such case, it will be noted as part of the description of the specific processing activities.

If you have any questions, and/or would like to get in touch with us, our contact details are as follows:

Email address: gdpr@bavarian-nordic.com

Telephone number: +45 33 26 83 83

You can also always contact our Group Data Protection Officer by e-mail at dpo@bavarian-nordic.com.

2. Description of the processing

Purpose
We process your personal data for the purpose of providing customer service to you when you contact us.

This includes handling all inquiries coming via emails, phone, contact forms, and social media.

Note that inquiries related to pharmacovigilance and drug safety matters are described under “Pharmacovigilance (drug safety)” and inquiries related to clinical trials under “Clinical Trials”.

If you are a study patient participating in a clinical trial, please do reach out to your local Site Investigators for any inquiries related to this, as Bavarian Nordic cannot, as the sponsor of the trial, know the identity of the study patients. 

Categories of personal data
We may process the following categories of personal data about you:

Ordinary personal data, such as:

  • Identity and contact information (name, email, phone-number).
  • Phone recordings if you leave a message when calling us. 
  • Professional information (information about your job if such is provided by you).
  • Information related to your inquiry, email, call, message etc. and any information that you choose to give us as part of this.

Sensitive personal data: We do not process sensitive personal data as part of general customer service, and we will delete such if received wrongly.

Source(s) of the personal data
We can collect your personal data from the following sources:

  • Directly from you when you contact us.

Legal basis for the processing
We process your personal data based on the following legal bases:

Ordinary personal data:

  • Our legitimate interests in ensuring and optimizing customer service (GDPR art. 6.1.f).

Recipients
We may share your personal data with:  
  • Our group companies (see “data controllers”).
  • Service providers and third-party vendors that we work with, including cloud-services and hosting and IT providers.
  • Professional advisers, including lawyers, consultants, and auditors.
  • Regulators and other authorities, namely relevant health and tax authorities.

Data retention
Generally, we will not store your personal data for longer than necessary.

Our retention periods are determined based on our purpose for processing your personal data and whether we have a legal obligation to store your personal data for either compliance or regulatory purpose and whether storage is relevant to ensure our interests and contractual obligations.

Purpose
We process your personal data for the purpose of business development and optimization of our website.

When you visit our website, we collect personal data about you, including by using cookies. We use the information to optimize the user experience on our website and to make statistics on the use of our website.

You can read more about our cookies in our cookie policy here, where you can also read more about the third-party cookies that we use, and if we are joint controllers with providers of such, you can find a link to the relevant other privacy notices.

Remember that you can always withdraw or change your consent in our cookie solution, and you can also block cookies in your browser. 

Categories of personal data
We may process the following categories of personal data about you:

Ordinary personal data, such as:

  • IP address, location, and information about your IT equipment (such as browser, operating system, and MAC address).
  • Information about your behaviour including your use of our website.

Sensitive personal data: We do not process sensitive personal data when you visit our website.

Source(s) of the personal data
We can collect your personal data from the following sources:
  • Directly from you through your use of our website.

Legal basis for the processing
We process your personal data based on the following legal bases:

Ordinary personal data:

  • Our legitimate interests in operating and optimizing our website, as well as business and product development (GDPR art. 6.1.f).

Recipients
We may share your personal data with:  
  • Our group companies (see “data controllers”).
  • Service providers and third-party vendors that we work with, including cloud-services and hosting and IT providers.

Data retention
Generally, we will not store your personal data for longer than necessary.
The exact retention periods depend on the individual cookies being set. See our cookie policy here.

Note that the legal entity responsible for the processing of your personal information, the data controller, is the legal entity of our group companies (see “data controllers” above) located in the country where you are located as well, e.g. if you are a German HCP, the data controller is Bavarian Nordic GmbH.

Purpose
We process your personal data for the purpose of general HCP and expert relation management (CRM) and administration of our relationship with you as an HCP or other expert and the contact and/or contract that we have with you, including to market and promote our business and our products towards you. 

This can include

  • correspondence and communication with you as part of our general business operations,

  • payment of fees and disclosure of such where required by law,

  • HCP analysis,

  • sending materials to you and providing you with marketing and promotional messages and materials and information about our business and our products, that may be tailored to your area of expertise and interest. We use the following channels to send you marketing messages: e-mail, text messages via phone or other text message services (such as WhatsApp), social media (Facebook and similar), business media (LinkedIn and similar) and medical networks,

  • tracking of your (online) behavior related to sending you marketing material, including your reading of and interaction with the material that we send you,

  • promotion of BN and as part of disease awareness campaign if you participate in such,

  • hosting and participation in events,

  • compliance with HCP disclosure and reporting obligations, and

  • for internal compliance auditing/monitoring purposes.

Categories of personal data
We may process the following categories of personal data about you:

Ordinary personal data, such as:

  • Identity and contact information (name, email, picture, etc.).

  • Professional information (job title, workplace, area of expertise/speciality, educational information, medical ID number).

  • Financial information (information related to payment of HCP services, including your fee, reimbursements, bank account details, contract terms and participation in HCP services and activities).

  • Information related to marketing and communications (information about your preferences, your consent etc.) if you have given your consent for us to send you direct marketing. Also, if you have given your consent, we will process information collected via pixels and similar technology placed in emails to you about when you open the email as well as your online behaviour related to your actions when receiving the email (e.g. which links did you click on, the websites you visit afterwards etc.)

  • Information related to interviews with you, events, speaker arrangements, etc. if you have agreed to participate in such as part of collaboration with us.

  • Any other information included in our correspondence and contact with you.

Sensitive personal data: We do not process sensitive personal data about you as HCP.

Source(s) of the personal data
We can collect your personal data from the following sources:

  • Directly from you as part of our contact and/or contract with you.
  • Publicly available sources and publications, for example local medical registers, associations, websites, and social media and social medical networks.
  • Vendors or service providers, for example providers of healthcare provider databases.
  • Directly from you via cookies, pixels or similar technology, if you have given your consent.
  • Our group companies (see “data controllers”).

Legal basis for the processing
We process your personal data based on the following legal bases:

  • Your consent (GDPR art. 6.1.a)
  • The performance of a contract with you and/or to take steps prior to entering into a contract with you (GDPR art. 6.1.b).
  • Our legal obligations to comply with regulation on HCP disclosure and reporting as applicable in some countries (GDPR art. 6.1.c).
  • Legitimate interests (GDPR art. 6.1.f) where our legitimate interests in processing your personal data are our interests in i) HCP administration and management, ii) to ensure compliance with applicable codes and internal compliance audits/monitoring and iii) HCP analysis, promotion of us and disease awareness and direct marketing to better understand your preferences and provide you with relevant information and updates.

We will of course obtain your consent when sending you direct marketing material as required by national marketing and cookies (and similar technology) law, and you can always withdraw your consent by contacting us, see below under “your rights”. You can read more about our use of cookies and similar technology in our cookie policy here.

Recipients
We may share your personal data with:
  • Our group companies (see “data controllers”).

  • Service providers and third-party vendors that we work with, including cloud-services and hosting and IT providers.

  • Professional advisers, including lawyers, consultants, and auditors.

  • Social media and other digital channels if we publish posts based on interviews with you or if you have given your consent for us to do so for marketing and targeting purposes.

  • Regulators and other authorities, namely relevant health and tax authorities.

  • To the public in cases/countries where we are required by law to disclose any payments to you as an expert for transparency purpose.

Data retention
Generally, we will not store your personal data for longer than necessary. Our retention periods are determined based on our purpose for processing your personal data and whether we have a legal obligation to store your personal data for either compliance or regulatory purpose (such as bookkeeping regulations etc.) and whether storage is relevant to ensure our interests and contractual obligations.

Information related to a consent you might have given will be kept as long as the consent is used actively or until the consent has been withdrawn.

Purpose
We process your personal data for the purpose of shareholder management and administration.

This includes, among others, communicating with you as a shareholder and sending you information about our company if you have signed up to receive such, conducting meetings, webcasts, conference calls and other relevant investor relation activities, compliance with Danish corporate regulation, such as the requirement to maintain a shareholder registry, conducting general meetings etc. as well as compliance with various tax legislation and other relevant legislation applicable.  

Categories of personal data
We may process the following categories of personal data about you:

Ordinary personal data, such as:

  • Identity and contact information (name, email, address, phone-number, country of residence, etc.).
  • Information related to your shareholder status (custodian bank, VP account number, username, and password and general stock portfolio information such as numbers of shares, voting rights, historical transactions etc.).
  • Information related to general annual meetings, conference calls, webcasts, and other events (meeting invitation, attendance, voting, accompanying persons, proxies, photos, video, your questions, meeting minutes etc.)
  • Our communications with you and the information you provide us as part of this, your communication preferences, and information related to your marketing consent if you have given such consent, and
  • Other information relevant to the shareholding.

Sensitive personal data: We do not process sensitive personal data about you as shareholder.

Source(s) of the personal data
We can collect your personal data from the following sources:

  • Directly from you.
  • Vendors or partners that we work with, for example Computershare (shareholder portal), VP Securities, Nasdaq, and other relevant IR actors.
  • Banks and other financial institutions.

Legal basis for the processing
We process your personal data based on the following legal bases:
  • Processing is necessary for compliance with our legal obligations (the Danish company act, Danish tax regulation and other relevant legislation) (GDPR art. 6.1.c).
  • You have given your consent to the processing of your personal information via our shareholder portal (GDPR art. 6.1.a).
  • Processing is necessary for the purposes of the legitimate interests pursued by us (GDPR art. 6.1.f), where our interests are to administrate our shareholders, to maintain and develop a strong IR management, performing investor relations outreach activities to you due to your expressed interest in Bavarian Nordic, including to send you information about our company if you have requested to receive such.

Recipients
We may share your personal data with:
  • Our group companies (see “data controllers”).
  • Service providers and third-party vendors that we work with, including cloud-services and hosting and IT providers.
  • Vendors and partners that we work with for shareholder management purposes, including Computershare, Nasdaq, VP Securities, and other relevant IR actors.
  • Relevant authorities (e.g., the Danish Business Authority or tax authorities).
  • Professional advisers, including lawyers, consultants, and auditors.

Data retention
Generally, we will not store your personal data for longer than necessary. Our retention periods are determined based on our purpose for processing your personal data and whether we have a legal obligation to store your personal data for either compliance or regulatory purpose and whether storage is relevant to ensure our interests and contractual obligations.

Information related to a consent you might have given will be kept as long as the consent is used actively or until the consent has been withdrawn.

Purpose
We process your personal data for the purpose of ensuring effective medicines, including preparing and conducting clinical trials as well as using the results hereof to get medicines approved if applicable.

This includes, among others, investigation and control of the safety and effectiveness of our medicines, how it is tolerated by data subjects with different demographics and application for approval for public use of medicine, if applicable, based on these results.

Categories of personal data
We may process the following categories of personal data about you:

Ordinary personal data, such as:

  • Identity and contact information (name, email, address, phone-number etc.).
  • Personal information needed for the study (gender, age and date of birth, body weight, height, national identification number).
  • Results of the clinical trial including the use of and reaction to study medicine.

Sensitive personal data, such as:

  • Information about race, ethnicity, sexuality, and health data including medical history and the use of and reaction to study medicine.

We process personal data related to the results of the clinical trial in a pseudonymized form meaning that your name, contact information and national identification number have been removed from the material that we receive. 

Source(s) of the personal data
We can collect your personal data from the following sources:
  • Directly from you when participating in our clinical trials.
  • Contract Research Organizations (CRO).
  • Site Investigators.

Note that the information we receive is all pseudonymized, meaning we do not know your identity as a study patient in our clinical trial.

Legal basis for the processing
We process your personal data based on the following legal bases:

Ordinary personal data:

  • Processing is necessary for the performance of a task carried out in the public interest (for some of our trials) (GDPR art. 6.1.e).
  • Processing is necessary to comply with our legal obligations when conducting clinical trials (re. reporting, notifications, inspections, and archiving) (GDPR art. 6.1.c).
  • Our legitimate interests in scientific research (GDPR art. 6.1.f).

Sensitive personal data:

  • Processing is necessary for reasons of public interest in the area of public health, including to ensure that effective medicines are approved and made available to the public (GDPR art. 9.2.i).
  • Processing is necessary for scientific research purposes (GDPR art. 9.2.j).

Recipients
We may share your personal data with:
  • Our group companies (see “data controllers”).
  • Service providers and third-party vendors that we work with, including cloud-services and hosting and IT providers.
  • Vendors, partners, and service providers that we collaborate with on clinical trials, including namely Contract Research Organizations (CRO), (Site) Investigators, and data management providers.
  • Professional advisers, including doctors and other health care professionals and organizations, laboratories, auditors, and other clinical trial related actors.
  • Regulators and other relevant authorities, namely relevant health authorities in the EU and other relevant countries.

Data retention
Generally, we will not store your personal data for longer than necessary. Our retention periods are determined based on our purpose for processing your personal data and whether we have a legal obligation to store your personal data for either compliance or regulatory purpose and whether storage is relevant to ensure our interests and contractual obligations.

When you participate in a clinical trial, the personal data that we process about you is pseudonymized.

We will store your pseudonymized personal data for 2 years after the last marketing application is approved, is no longer pending, or is discontinued, unless applicable EU law requires a longer retention period, which may be for up to 25 years after the end of the clinical trial.

Purpose
We process your personal data for the purpose of ensuring effective medicines, including to monitor, investigate and control the effect and safety of our products. 

This includes, among others, handling any information about how our products affect data subjects, both in the process of a clinical trial and when the products have been approved and marketed and are in use by the public, and to follow up on and report adverse events to relevant parties and authorities.

If you have participated in a clinical trial, we also refer to “Clinical Trials”.

Categories of personal data
We may process the following categories of personal data about you:

Ordinary personal data, such as:

  • Identity and contact information (name, email, address, phone-number etc.).
  • Personal information related to you being a user of our product (such as date of birth, age, gender, body weight, height, use of and reaction to the product that you have been using as well as any information you might give us or concerns about our products that you might raise).

Sensitive personal data:

  • Information about race, ethnicity, sexuality, and health data including medical history and use of and reaction to our medicine.

Source(s) of the personal data
We can collect your personal data from the following sources:
  • Directly from you if you contact us regarding pharmacovigilance and drug safety matters.
  • The investigator or CRO if you have participated in a clinical trial.
  • Social media and other digital channels if you inform of any adverse events via these.

Legal basis for the processing
We process your personal data based on the following legal bases:

Ordinary personal data:

  • Processing is necessary to comply with our legal obligations to handle pharmacovigilance matters and to ensure the safety of our products (GDPR art. 6.1.c).

Sensitive personal data:

  • Processing is necessary for reasons of public interest in the area of public health, including to ensure that our medicines are effective and safe (drug safety) (GDPR art. 9.2.i).

Recipients
We may share your personal data with:
  • Our group companies (see “data controllers”).
  • Service providers and third-party vendors that we work with, including cloud-services and hosting and IT providers.
  • Vendors, partners and service providers that we collaborate with on clinical trials and for pharmacovigilance matters, including namely Contract Research Organizations (CRO), (Site) Investigators, and data management providers.
  • Professional advisers, including doctors and other health care professionals and organizations, laboratories, auditors, and other clinical trial related actors.
  • Regulators and other relevant authorities, namely relevant health authorities in the EU and other relevant countries.

Data retention
Generally, we will not store your personal data for longer than necessary. Our retention periods are determined based on our purpose for processing your personal data and whether we have a legal obligation to store your personal data for either compliance or regulatory purpose and whether storage is relevant to ensure our interests and contractual obligations. 

Purpose
We process your personal data for the purpose of product development, including market research of our products and our company.

This includes to conduct market research of our products and our company to find out how certain groups find our products, our company and travel vaccines and diseases in general.

We mainly use third party agencies to conduct market research on our behalf and for this reason, we typically do not receive any personal data about you that can identify you. 

Categories of personal data
We may process the following categories of personal data about you as part of market research:

Ordinary personal data, such as:

  • Identity and contact information (name, email, address, phone-number etc.).
  • Information related to the market research topic (the answers that you have provided during the market research).
  • Photos, video and recording if the market research interview is being recorded.

Sensitive personal data:

  • Information about race, ethnicity and health data including use of and reaction to our medicine.

Sensitive personal data is normally not processed during market research activities, however depending on your answers, we may receive information about adverse events experienced in connection with any use of our products, and if the market research topic requires it, we may process any sensitive personal data that are part of your answers to the market research.

See also “Pharmacovigilance (drug safety)”.

Source(s) of the personal data
We can collect your personal data from the following sources:
  • Directly from you.
  • The agency to whom you provide the personal data and who is conducting the market research on our behalf.

Legal basis for the processing
We process your personal data based on the following legal bases:

Ordinary personal data:

  • Your consent in some interviews if required (GDPR art. 6.1.a).
  • Processing is necessary to comply with our legal obligations to handle pharmacovigilance matters and to ensure the safety of our products (GDPR art. 6.1.c).
  • Our legitimate interest in understanding the use of our products and our company as well as developing and improving such (GDPR art. 6.1.f).

Sensitive personal data:

  • Your consent if the market research requires sensitive data as part of your answers (GDPR art. 9.2.a).
  • Processing is necessary for reasons of public interest in the area of public health, including to ensure that our medicines are effective and safe (drug safety) (GDPR art. 9.2.i).

Recipients
We may share your personal data with:  
  • Our group companies (see “data controllers”).
  • Service providers and third-party vendors that we work with, including cloud-services and hosting and IT providers.
  • Vendors, partners, and service providers that we collaborate with on market research and pharmacovigilance matters, including market research agencies and data management providers.
  • Professional advisors.

Data retention

Generally, we will not store your personal data for longer than necessary. Our retention periods are determined based on our purpose for processing your personal data and whether we have a legal obligation to store your personal data for either compliance or regulatory purpose and whether storage is relevant to ensure our interests and contractual obligations.

Purpose
We process your personal data for the purpose of general business operations in the context of you working for and/or representing a third party that we work with or are in any other way communicating with. We do so to be able to operate our business including to ensure and to comply with security, safety, and product quality requirements.

This includes us working with different third parties such as business partners, consultants, vendors, customers, digital influencers, suppliers, service providers etc. and our interactions with such, including communication, visits etc.

This also includes promotional and disease awareness campaigns, where we might get third parties, such as patients, patient organizations or other subject matter experts to participate in interviews or similar campaigns to be used both internally (intranet) and externally (social media, website etc.).

Categories of personal data
We may process the following categories of personal data about you:

Ordinary personal data, such as:

  • Identity and contact information (name, email, address, phone-number etc.) as well as professional information (job title, workplace, educational information).
  • Information relating to our collaboration (any information that we might share as part of our relationship and any information that we might need to be able to work with you, for example driver license number if you are a chauffeur vendor, contract terms and information related to the services and products, relation management information).
  • If you are a consultant, we will also process information related to contract terms, signature, CVs and other qualification records, billing details and payments, work product, training documentation, references, criminal records, and other personal information that may be relevant for the business interaction with you.
  • If you visit our site(s) we will further process information related to this (video surveillance at gate, fence and certain outdoor areas as well as video surveillance of certain production areas, machines and production processes). If you get an access card, we will process confidentiality declaration and access card request form containing contact details, company name, date and time for entrance and exit, card number, pin code, access rights, car information, card type, Bavarian Nordic contact person, contract terms, signature and type of identification documentation shown, and photo (if photo card), access card log files.
  • If you participate in interviews with us to share your knowledge and/or your journey with a certain disease, we will process the information provided to us during the interview, i.e., information related to your disease.

Sensitive personal data: As a main rule, we do not process sensitive personal data about business partners, consultants and other third parties.

However, if you participate in an interview with us to talk about a disease that you have/have had, we will process health information about you, but always based on your explicit consent.

Source(s) of the personal data
We can collect your personal data from the following sources:
  • The party that you represent.
  • Directly from you.
  • References.
  • Relevant authorities.
  • Other third parties that we work with.
  • Patient organizations.
  • Relevant security actors, e.g., guards and site responsible.

Legal basis for the processing
We process your personal data based on the following legal bases:

  • Consent (criminal records and information related to patient interviews) (GDPR art. 6.1.a).
  • Processing is necessary for the performance of the contract we have with you and/or the party that you represent or prior to entering into such (GDPR art. 6.1.b).
  • Processing is necessary for compliance with a legal obligation to which we are subject (GxP regulation and applicable security legislation) (GDPR art. 6.1.c).
  • Processing is necessary for the purposes of the legitimate interests pursued by us, including our interests in operating and developing our business and our products, site security and safety requirements and our interest in promotion of our company and creating disease awareness (GDPR art. 6.1.f).
  • Consent (health information as part of patient interviews) (GDPR art. 9.2.a)

Recipients
We may share your personal data with: 

  • Our group companies (see “data controllers”).
  • Service providers and third-party vendors that we work with, including cloud-services and hosting and IT providers.
  • Vendors, partners, agencies and service providers that we collaborate with to operate and develop our business and our products and to ensure safety and security.
  • If you have agreed to participate in disease awareness interviews to be published, we will share your information with the public via social media and our websites and our employees via our intranet, depending on what you have agreed to.
  • Professional advisors.
  • Regulators and other relevant authorities.

Data retention
Generally, we will not store your personal data for longer than necessary. Our retention periods are determined based on our purpose for processing your personal data and whether we have a legal obligation to store your personal data for either compliance or regulatory purpose and whether storage is relevant to ensure our interests and contractual obligations.

Purpose
We process your personal data for the purpose of managing Bavarian Nordic’s Ethics Hotline.

This includes receiving, following up on, investigating and reporting criminal offenses or other matters reported to the Ethics Hotline.

We can process your personal data both if you are reporting to the hotline and if you are being reported to the hotline.

Categories of personal data
We may process the following categories of personal data about you as:

Ordinary personal data, such as:

  • Identity and contact information (if you are the reporter and not reporting anonymously, or if you are the person reported): name, contact information, position.
  • Information related to the reporting (information about the violation or matter reported, i.e., the experience, situation, or observation etc.).
  • Information about criminal offenses or other serious offenses if the report is about such.

Sensitive personal data:

None (unless the report concerns a matter relating to sensitive personal data, for example discrimination or harassment based on race, ethnicity, religion or political opinions, religious or philosophical beliefs, trade union membership, or sexuality, or exposure to sexual harassment).

Source(s) of the personal data
We can collect your personal data from the following sources:

  • Directly from you if you are reporting to the hotline.
  • If you have been reported to the hotline, then the source of your personal data depends on who has reported you, but will generally comprise one or more of the following: an employee, a member of the Executive Management or the Board of Directors, or a shareholder, a former employee or a job applicant, a volunteer or a trainee (paid or unpaid) working in or for Bavarian Nordic, a contractor or consultant working in or for Bavarian Nordic, a person working under the supervision and management of a third party with professional or contractual relationship with Bavarian Nordic, such as contractors, subcontractors, and suppliers, or a customer.

Legal basis for the processing
We process your personal data based on the following legal bases:

Ordinary personal data:

  • Our legitimate interests in ensuring that Bavarian Nordic, its employees, and stakeholders comply with relevant laws and the Bavarian Nordic Code of Conduct (GDPR art. 6.1.f).

Sensitive personal data:

Our processing is necessary for reasons of substantial public interest on the basis of EU and Danish laws (GDPR art. 9.2.g).

Recipients
We may share your personal data with:

  • Professional advisers, including lawyers and auditors.
  • Our group companies (see “data controllers”).
  • Service providers, including hosting and IT providers.
  • Regulators and other authorities, namely the Danish Police.

Data retention
Generally, we will not store your personal data for longer than necessary. Our retention periods are determined based on our purpose for processing your personal data, whether we have a legal obligation to store your personal data for either compliance or regulatory purposes, and whether storage is relevant to ensure our interests and contractual obligations.

We will delete personal data immediately when it has been concluded that no sanction will be issued, e.g., because, upon investigation, the matter is concluded to be unsubstantiated or because the matter might be substantiated but not of such severity that a sanction is deemed appropriate.

Purpose
We process your personal data for the purpose of managing our collaborations with third parties, including to ensure compliance with relevant regulation when using third parties to conduct business on our behalf requiring us to perform and demonstrate due diligence of such third parties.

This means that if you are in the management of, or own, a company that we have defined as a “TPI” doing business on our behalf, we will ask for your personal data in order for us to perform a due diligence of this company and its key personnel.

Categories of personal data
We may process the following categories of personal data about you as:

Ordinary personal data, such as:

  • Identity and contact information (name, previous name, address, birthday, country of residence, nationality).
  • Professional information (information about your job and relation to the TPI, including job title, ownership percentage, if you are a member of a body, council, or authority).
  • Information about any relevant convictions and debarments and other civil or criminal matters. 

Sensitive personal data:

  • Political opinions (namely if you are a high-ranking member of a political party).
  • Religious beliefs (namely if you are a member of a religion-based terrorist organisation).
  • Trade union membership (namely if you are employed in a trade union).

Source(s) of the personal data
We can collect your personal data from the following sources:

  • Directly from you.
  • The company (the TPI) that you are affiliated with.
  • Data service providers such as providers of due diligence services.
  • Publicly available sources such as company databases, online news articles, search engines, and social media.

Legal basis for the processing
We process your personal data based on the following legal bases:

Ordinary personal data:

  • Our legitimate interests in ensuring that Bavarian Nordic is compliant with rules on anti-corruption, bribery, competition law etc. and in ensuring that the third parties we work with to do business on our behalf are so too (GDPR art. 6.1.f).

Sensitive personal data:

  • If we process sensitive data about you, it will be based on information already available from public sources (GDPR art. 9.2.e).
  • In some cases, we might ask you (or the TPI) for further information, and if such is sensitive data (not publicly available), we will ask for your consent to process such (GDPR art. 9.2.a).

Recipients
We may share your personal data with:

  • Professional advisers, including lawyers and other advisors.
  • Our group companies (see “data controllers”).
  • Service providers, including hosting and IT providers.
  • Data service providers that we collect your personal data from in case they are assisting us in clarifying specific cases.

Data retention
Generally, we will not store your personal data for longer than necessary. Our retention periods are determined based on our purpose for processing your personal data, whether we have a legal obligation to store your personal data for either compliance or regulatory purposes, and whether storage is relevant to ensure our interests and contractual obligations.

Personal data collected in connection with due diligence will be stored for the term of the engagement with you, or the company you are affiliated with, and for a certain period after termination of partnership to ensure compliance with applicable laws and regulation, including the French Sapin II, the U.S. Foreign Corrupt Practices Act, and the UK Bribery Act.

3. Transfers to countries outside the EU/EEA

In some cases, we will be transferring personal data to countries outside the EU/EEA. This will either be to our group company in the United States, Bavarian Nordic, Inc., or to countries where we are in a process of product approval (as it is required to disclose (pseudonymized) results of clinical trials during the process of product approvals).

Such transfers will take place on the following legal basis:

  1. The country/countries and/or certified companies in the country/countries has/have been deemed by the Commission of the European Union to have an adequate level of protection of personal data.
  2. Appropriate safeguards for the transfer:

    • through the use of "Model Contracts for the Transfer of Personal Data to Third Countries", as published by the Commission of the European Union, or any other contractual agreement approved by the competent authorities. You may obtain a copy of the contract/agreement by contacting us.

4. Your rights

You have the following rights:

  • You have the right to request access to, rectification or erasure of your personal data, and you also have the right to have the processing of your personal data restricted.
  • If processing of your personal information is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent. You may withdraw your consent by contacting gdpr@bavarian-nordic.com.
  • You have the right to receive your personal information in a structured, commonly used and machine-readable format (data portability).
  • You may always lodge a complaint with a data protection supervisory authority, e.g. The Danish Data Protection Agency.

You can find a list of the relevant data protection supervisory authorities here: European Data Protection Board.

The Swiss Federal Data Protection and Information Commissioner can be contacted here: Contact.

Furthermore, you have THE RIGHT TO OBJECT to processing of your personal data as follows.

  • If processing of your personal data is based on article 6(1)(e) or article 6(1)(f), see description of the specific processing activities regarding legal basis, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data.
  • Where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data about you for such marketing.

You can take steps to exercise your rights by contacting us at gdpr@bavarian-nordic.com.

Note that there may be conditions or limitations on these rights. It is therefore not certain that you have, for example, the right to data portability in a specific case; this depends on the specific circumstances of the processing activity.

5. Other information

5.1. Mandatory information
There might be cases where we need to process your personal data either to comply with law, or to perform the terms of a contract we have with you, and the consequence of not providing such personal data to us is that we cannot continue our contact with you or provide you a service.

5.2. Use of personal information for new purpose
We will only use your personal information for the purposes for which we have collected it, unless we reasonably consider that we need to use it for another purpose and such new purpose is compatible with the original purpose.

If we need to use your personal information for a new (compatible) purpose, we will inform you of this.

5.3. Automated decision-making
Your personal data will not be used for automated decision-making, including profiling.

5.4. How we keep your personal data secure
We have put in place appropriate security measures to protect your personal data and prevent it from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.

We have, among others, limited access to your personal information to those employees and other staff who have a business need to have such access, and all such people are subject to a contractual duty of confidentiality.

Further, we have put in place procedures to deal with any actual or suspected personal data breach. We will of course notify you of any breach, where required. 

5.5. Third party links
This site may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share your personal information. We do not control these third-party websites and are not responsible for their privacy statements.

When you leave our site, we encourage you to read the privacy statements of every site you visit. 

5.6. Children
This site is not intended for children below 16 years old and we do not knowingly process personal data relating to children.

5.7. Update of Bavarian Nordic’s Privacy Notice
Changes to this Privacy Notice will always be posted on our webpage (www.bavarian-nordic.com/privacy) and we therefore encourage you to visit our webpage regularly to keep yourself updated on any such changes. In some situations, we may also inform you directly of changes.

This Privacy Notice was last updated on 05 September 2023.