Privacy Shield Policy
Last updated: July 6, 2018
Valneva USA, Inc. (“VALNEVA”) participates in and has certified its compliance with the EU-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information (as defined below) transferred from the European Union (EU) to the United States. Valneva is committed to subjecting all Personal Information received from the EU member countries in reliance on the EU-U.S. Privacy Shield Frameworks, to the Framework’s applicable Principles. If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
VALNEVA is responsible for the processing of Personal Information it receives, under the Privacy Shield Frameworks, or subsequently transfers to a third party acting as an agent on its behalf. Valneva complies with the Privacy Shield Principles for all onward transfers of Personal Information from the EU, including the onward transfer liability provisions.
With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, VALNEVA is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, VALNEVA may be required to disclose Personal Information in response to lawful requests by public authorities, including to meeting national security or law enforcement requirements.
“Data Processor” means any natural or legal person that Processes Personal Information on behalf of the Data Controller.
“Data Subject” means the individual to whom any given Personal Information covered by this Privacy Shield Policy refers.
“Personal Information” means any information relating to an individual residing in the European Union that can be used to identify that individual either on its own or in combination with other readily available information.
“Processing” means performing any operation or set of operations on Personal Information, including, but not limited to, collecting, recording, storage, alteration, retrieval, consultation, use, evaluation, analysis, reporting, sharing, disclosure, dissemination, transmission, making available, alignment, combination, blocking, deleting, erasure or destruction.
“Sensitive Personal Information” means Personal Information regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.
The purpose of this Privacy Shield Policy is to inform Data Subjects covered by this Privacy Shield Policy about VALNEVA`s practices regarding Personal Information received by VALNEVA in the U.S. from European Union member countries in reliance on the EU-U.S. Privacy Shield Framework, including the types of Personal Information it collects about them, the purposes for which it collects and uses such Personal Information, the types of third parties to which it discloses such Personal Information and the purposes for which it does so, the rights of Data Subjects to access their Personal Information, the choices and means that VALNEVA offers for limiting its use and disclosure of such Personal Information, how VALNEVA’s obligations under the Privacy Shield are enforced, and how Data Subjects can contact VALNEVA with any inquiries or complaints.
All employees of VALNEVA that have access in the U.S. to Personal Information covered by this Privacy Shield Policy are responsible for conducting themselves in accordance with this Privacy Shield Policy. Adherence by VALNEVA to this Privacy Shield Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations.
VALNEVA employees responsible for engaging third parties to whom Personal Information covered by this Privacy Shield Policy will be transferred are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the Privacy Shield Principles, including any applicable contractual assurances required by the Privacy Shield.
Privacy Shield Principles
1. Types of Personal Information VALNEVA Processes
VALNEVA may receive a number of different types of Personal Information from its affiliates including data about: employees and potential employees; medical and healthcare professionals; customers; vendors, suppliers, contractors, and business partners. These types of Personal Information may include, but are not limited to the following:
- Employee (and potential employee) names, dates of employment, positions, email addresses, pictures, out of office information, holidays.
- Consultants names, work and home addresses, home and work phone numbers, email addresses, positions, professional titles, places of employment, signatures, pictures.
- Contract party names, addresses, signatures, bank account numbers, phone numbers, fax numbers, e-mail addresses, positions.
These types of Personal Information are transferred to VALNEVA for use as part of the company’s business operations in the areas of: activities as an employer to support and fulfill its obligations to its employees; finance and tax activities; its undertakings with vendors, suppliers and contractors of goods and services; and other legal and business activities; compliance with the company’s regulatory obligations (e.g. FDA); market research for its products and services; marketing and sales of its products.
When VALNEVA as Data Controller collects Personal Information directly from Data Subjects, the company generally offers those Data Subjects the opportunity to choose whether their Personal Information may be (i) disclosed to third-party Data Controllers, or (ii) used for a purpose that is materially different from the purposes for which the Personal Information was originally collected or subsequently authorized by the relevant Data Subjects. To the extent required by the Privacy Shield Principles, VALNEVA obtains opt-in consent for certain uses and disclosures of Sensitive Personal Information. Data Subjects may contact VALNEVA as indicated below regarding the company’s use or disclosure of their Personal Information. Unless VALNEVA offers Data Subjects an appropriate choice, the company uses Personal Information only for purposes that are materially the same as those indicated in this Privacy Shield Policy.
When VALNEVA as Data Processor receives Personal Information about Data Subjects from other Data Controllers or Data Processors, those other Data Controllers or Data Processors are responsible for providing the Data Subjects with certain choices with respect to their use or disclosure of the Data Subjects’ Personal Information. VALNEVA shares Personal Information with its affiliates and subsidiaries.
VALNEVA may disclose Personal Information without offering an opportunity to opt out, and may be required to disclose the Personal Information (i) to third-party Data Processors the company has retained to perform services on its behalf and pursuant to its instructions, (ii) if it is required to do so by law or legal process, or (iii) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. VALNEVA also reserves the right to transfer Personal Information in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).
If Personal Information covered by this Privacy Shield Policy is to be used for a new purpose that is materially different from that for which the Personal Information was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, VALNEVA will provide Data Subjects with an opportunity to choose whether to have their Personal Information so used or disclosed. Requests to opt out of such uses or disclosures of Personal Information should be sent to: email@example.com.
If Sensitive Personal Information covered by this Privacy Shield Policy is to be used for a new purpose that is different from that for which the Sensitive Personal Information was originally collected or subsequently authorized, or is to be disclosed to a third party, VALNEVA will obtain the Data Subject’s explicit consent prior to such use or disclosure.
3. Accountability for Onward Transfer
To the extent VALNEVA acts as a Data Controller, except as permitted or required by applicable law, VALNEVA provides Data Subjects with an opportunity to opt out of sharing their Personal Information with third-party Data Controllers. VALNEVA requires third-party Data Controllers to whom it discloses Personal Information to contractually agree to (i) only process the Personal Information for limited and specified purposes (ii) provide the same level of protection for Personal Information as is required by the Privacy Shield Principles, and (iii) notify VALNEVA and cease processing Personal Information (or take other reasonable and appropriate remedial steps) if the third-party Data Controller determines that it cannot meet its obligation to provide the same level of protection for Personal Information as is required by the Privacy Shield Principles.
With respect to transfers of Personal Information to third-party Data Processors, VALNEVA (i) enters into a contract with each relevant Data Processor, (ii) transfers Personal Information to each such Data Processor only for limited and specified purposes, (iii) ascertains that the Data Processor is obligated to provide the Personal Information with at least the same level of privacy protection as is required by the Privacy Shield Principles, (iv) takes reasonable and appropriate steps to ensure that the Data Processor effectively processes the Personal Information in a manner consistent with VALNEVA’s obligations under the Privacy Shield Principles, (v) requires the Data Processor to notify VALNEVA if the Data Processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, (vi) upon notice, including under (v) above, takes reasonable and appropriate steps to stop and remediate unauthorized processing of the Personal Information by the Data Processor, and (vii) provides a summary or representative copy of the relevant privacy provisions of the Data Processor contract to the Department of Commerce, upon request. VALNEVA remains liable under the Privacy Shield Principles if a third party Data Processor appointed by it further transfers Personal Information in a manner inconsistent with the Privacy Shield Principles, unless VALNEVA proves that it is not responsible for the event giving rise to the damage.
VALNEVA takes reasonable and appropriate measures to protect Personal Information covered by this Privacy Shield Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Information.
5. Information Integrity and Purpose Limitation
VALNEVA limits the collection of Personal Information covered by this Privacy Shield Policy to information that is relevant for the purposes of Processing. VALNEVA does not Process such Personal Information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.
VALNEVA takes reasonable steps to ensure that such Personal Information is reliable for its intended use, accurate, complete, and current. VALNEVA takes reasonable and appropriate measures to comply with the requirement under the Privacy Shield to retain Personal Information in identifiable form only for as long as it serves a purpose of Processing, which includes VALNEVA’s obligations to comply with professional standards, VALNEVA’s business purposes and unless a longer retention period is permitted by law, and it adheres to the Privacy Shield Principles for as long as it retains such Personal Information.
Data Subjects whose Personal Information is covered by this Privacy Shield Policy have the right to access such Personal Information and to correct, amend, or delete such Personal Information if it is inaccurate or has been processed in violation of the Privacy Shield Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated). Requests for access, correction, amendment, or deletion should be sent to: firstname.lastname@example.org.
7. Recourse, Enforcement, and Liability
VALNEVA’s participation in the EU-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission.
In compliance with the Privacy Shield Principles, VALNEVA commits itself to resolve complaints about privacy and the collection or use of Personal Information. Data Subjects with inquiries or complaints regarding this Privacy Shield Policy should first contact VALNEVA at: email@example.com.
VALNEVA has further committed itself to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to the appropriate EU data protection authority panel. If timely acknowledgment of complaint receipt is not given, or if a complaint is not satisfactorily addressed, please visit https://ec.europa.eu/digital-single-market/en/news/list-personal-data-protection-competent-authorities for more information, including how to file a complaint with the appropriate EU data protection authority panel.
Under certain conditions detailed in the Privacy Shield, Data Subjects may be able to invoke binding arbitration before the Arbitration Panel to be created by the U.S. Department of Commerce and the European Commission.
VALNEVA agrees to periodically review and verify its compliance with the Privacy Shield Principles, and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. VALNEVA acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will result in VALNEVA being removed from the Department’s list of Privacy Shield participants.
Changes to this Privacy Shield Policy
How to contact VALNEVA
In the USA:
Valneva USA, Inc.
Attention: Local Compliance Officer
910 Clopper Road Suite 160S
Gaithersburg, MD 20878
Or faxing us at 301-556-4501, attention Local Compliance Officer, Valneva USA, Inc.
In the European Union:
Valneva Austria GmbH
Attention: Data Protection Officer Campus Vienna Biocenter 3
1030 Vienna, Austria
For questions or concerns about this Privacy Shield, please send an email to firstname.lastname@example.org.