
Privacy Policy - Healthcare Professionals
This privacy policy explains how Bavarian Nordic A/S (Denmark) and our affiliates, Bavarian Nordic GmbH (Germany), Bavarian Nordic AG (Switzerland), Bavarian Nordic Inc. (United States) and Bavarian Nordic Sweden AB (Sweden) collect and handle your personal data when we interact with you as a healthcare professional. Bavarian Nordic A/S and its affiliates are in the following referred to as “Bavarian Nordic”, “us”, “we” or “our”.
1. DATA CONTROLLER
The main legal entity responsible for the processing of your personal data is:
Bavarian Nordic A/S
CVR: 16271187
Philip Heymans Alle 3
DK-2900 Hellerup
Denmark
If you have inquiries and/or questions about our processing of your personal data, please contact the Bavarian Nordic Data Protection Officer at dpo@bavarian-nordic.com
2. CATEGORIES OF PERSONAL DATA
Depending on the exact interaction we have with you, we may collect and process the following categories of personal data about you:
Category of personal information collected | What this means |
Identity Data | First name, last name, title, gender, General Medical Council (GMC) number (or equivalent). |
Contact Data | Your email address, telephone number, fax number and work address. |
Professional Data | Your job role, area of specialty/expertise. |
Marketing and Communications Data | Your preferences in receiving marketing communication from us and our third-party service providers and your communication preferences. |
Financial Data | Your fees, reimbursements, bank account details, contract terms and participation in HCP activities/services. |
Website usage data | Your IP address, browser information and use of the specific website. |
No Special Categories of Personal Data
We do not collect or process any “Special Categories of Personal Data” about you.
3. From where we collect personal data
We collect and process personal data that you have provided in communications with us. In addition, we may collect and process personal data from your use of our websites or from the following sources:
- From publicly available publications, for example local medical registers or associations websites, or social media
- From vendors or service providers, for example providers of healthcare provider databases
- From Affiliates
4. Purpose and legal basis
In the following we have described the purposes and legal bases for our processing of your personal data:
Purpose | Category(ies) of personal data involved | Our legal basis for processing this data |
HCP relation management (CRM) | Identity Data, Contact Data, Professional Data, Marketing and Communications Data | Legitimate Interests. Our legitimate interests are to keep a good relationship with you. |
Performance of a contract, including payment of fees | Identity Data, Contact Data, Professional Data, Financial Data | Performance of contracts or taking necessary steps prior to entering into a contract with you. |
HCP analysis | Identity Data, Contact Data, Marketing and Communications Data | Legitimate Interests. Our legitimate interests are to better understand your preferences and provide you with relevant information and updates. |
Direct marketing | Identity Data, Contact Data, Marketing and Communications Data | Consent. We will obtain your consent prior to sending marketing material to you by email. |
Compliance with HCP disclosure and reporting obligations, and for internal compliance auditing/monitoring purposes | Identity Data, Contact Data, Professional Data, Financial Data | Legal obligation. We have a legal obligation to comply with legislation on HCP disclosure and reporting as applicable in some countries. Legitimate Interests. Our legitimate interests are to ensure compliance with applicable ethical codes or to perform internal compliance audits/monitoring. |
5. Sharing of your personal data
We may share your personal data with the following recipients:
- Our Affiliates (listed in the beginning of this Privacy Policy)
- Service Providers, including cloud-services and hosting and IT providers
- Professional advisers, including lawyers and auditors
- Regulators and other authorities, namely relevant health and tax authorities
6. Transfers to countries outside the EU/EEA and Switzerland
As a starting point, your personal data will only be processed and stored within the EU, namely in Denmark, unless otherwise stated or evident (for example if the contracting party is Bavarian Nordic Inc., US).
To the extent your personal data is transferred to countries outside the EU/EEA and Switzerland, we will only transfer the personal data after having provided one of the following safeguards:
- Adequacy decision by the EU Commission.
- EU Commission’s Standard Contractual Clauses
In some cases, we may rely on your consent for the transfer of your personal data to countries outside the EU, or on one of the limited and relevant exceptions for third country transfers in the GDPR, where one applies. You can contact us for more information on the relevant safeguards or legal basis.
7. How long will we store your personal data
We will not store your personal data for longer than necessary.
The retention period will be determined by whether we have a legal obligation to store such personal data for either compliance or bookkeeping purposes, or whether continued storage is relevant to ensure our contractual obligations towards you or to pursue our legitimate interests.
8. Your rights
You have the following rights in connection with our processing of your personal data. Please note that some of the rights may be subject to exceptions and limitations.
- Request access to and to receive a copy of your personal data.
- Right to have your personal data rectified.
- Right to have your personal data deleted.
- Right to have the processing of your personal data limited.
- Right to data portability.
- Right to object to the processing of your personal data.
- Right to not be subject to automated decision making, including profiling.
- Right to withdraw your consent.
- Right to complain to the relevant supervisory authorities.
How to exercise your rights
If you want to exercise any of the rights described above, please contact us as provided for in Section 1.
Complaints
If you would like to make a complaint regarding this Privacy Policy or our practices in relation to your personal data, please contact us as provided for in Section 1. We will reply to your complaint as soon as we can.
If you feel that your complaint has not been adequately resolved, please note that the GDPR gives you the right to contact your local data protection supervisory authority, as listed here. The data protection supervisory authority for Switzerland is the Office of the Federal Data Protection and Information Commissioner.
9. Obligation to provide personal data and consequences for failing to do so
You are not required to provide us with your personal data.
Where we need to process your personal data, either to comply with law or to perform the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract with you.
10. Automated decision-making
Your personal data will not be used for automated decision-making, including profiling.
11. Changes to this privacy policy
Changes to this privacy policy will be posted on our webpage here: www.bavarian-nordic.com/privacy. We encourage you to visit our webpage regularly to keep yourself updated on any such changes.