EEA/UK-Specific Disclosures

ADDITIONAL INFORMATION FOR INDIVIDUALS IN THE
EUROPEAN ECONOMIC AREA AND THE UNITED KINGDOM

The below information applies to any Data Subject located in the EEA or the UK. For the purposes of processing this Personal Data, Novavax acts as a “data controller” and our headquarters is located in the United States at 21 Firstfield Road, Gaithersburg, MD 20878.

Legal Basis of Processing

In this section, we identify the lawful ground we rely on for processing Personal Data.

Consent

If Novavax relies on consent for the processing of Personal Data, we will provide transparent notice of the purposes for which we seek such consent at the time we collect your Personal Data.

If Novavax wishes to process any special categories of Personal Data as set out in Article 9(1) of the EU's General Data Protection Regulation, Novavax may obtain your explicit consent for such processing.

Contractual Necessity

Novavax processes Personal Data as necessary to fulfill our contracts with you, such as for rendering payment or communicating when you are working with us as a Health care Professional or consultant.

Legal Obligation

Novavax may process Personal Data as specifically required by applicable legal obligations, such as laws and regulations that require Novavax to process Personal Data for purposes of obtaining medical research approvals and spend transparency disclosures.

Public Interest

Novavax may process Personal Data for scientific or historical research purposes, or statistical purposes in the public interest, as authorized by applicable law.

If Novavax wishes to process any special categories of Personal Data as set out in Article 9(1) of the EU's General Data Protection Regulation, it may do so when necessary for scientific research purposes, medical diagnosis, or the protection of vital interests.

Legitimate Interests

Novavax may process Personal Data subject to its own legitimate interests, such as to develop, administer and support Research; to operate, evaluate and improve our business; to facilitate and manage patient advocacy and engagement programs; to promote scholarly research; to support our recruitment activities; to communicate financial updates regarding Novavax' business, or to facilitate a sale of assets or merger or acquisition.

It may also be necessary for Novavax to process Personal Data to establish, exercise or defend against fraud, illegal activity, and claims and other liabilities, including by enforcing the Terms and Conditions that govern the services we provide.

Compatible Purposes

Novavax may also process Personal Data for purposes that are compatible with those described above. Such purposes may include scientific research.

Where we require personal information to comply with legal or contractual obligations, provision of such information is mandatory: if it is not provided, then we will not be able to manage the employment relationship or meet obligations placed on us. In all other cases, provision of requested personal information is optional.

Data Retention

We retain Personal Data for as long as is necessary to accomplish the purposes set out in this Privacy Notice, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights, in accordance with the principles set forth in Article 5(1) of the GDPR.

The criteria used to determine the period for which Personal Data about you will be stored vary depending on the legal basis under which we process such Personal Data:

Consent

For the period of time necessary to fulfill the purposes described in the consent form that you agreed to, subject to your right, under certain circumstances, to withdraw consent and have certain Personal Data about you erased (see Data Subject Rights below).

Contractual Necessity

Novavax processes Personal Data as necessary to fulfill our contracts with you, such as for rendering payment or communicating when you are working with us as a health care professional or consultant.

Legal Obligation

Novavax may process Personal Data as specifically required by applicable legal obligations, such as laws and regulations that require Novavax to process Personal Data for purposes of obtaining medical research approvals and spend transparency disclosures.

Public Interest

Novavax may process Personal Data for scientific or historical research purposes, or statistical purposes in the public interest, as authorized by applicable law.

If Novavax wishes to process any special categories of Personal Data as set out in Article 9(1) of the EU's General Data Protection Regulation, it may do so when necessary for scientific research purposes, medical diagnosis, or the protection of vital interests.

Legitimate Interests

Novavax may process Personal Data subject to its own legitimate interests, such as to develop, administer and support Research; to operate, evaluate and improve our business; to facilitate and manage patient advocacy and engagement programs; to promote scholarly research; to support our recruitment activities; to communicate financial updates regarding Novavax' business, or to facilitate a sale of assets or merger or acquisition.

It may also be necessary for Novavax to process Personal Data to establish, exercise or defend against fraud, illegal activity, and claims and other liabilities, including by enforcing the Terms and Conditions that govern the services we provide.

Compatible Purposes

Novavax may also process Personal Data for purposes that are compatible with those described above. Such purposes may include scientific research.

Transfer of Personal Data Outside of the EEA and UK

Novavax processes your Personal Data in the United States, which does not provide the same level of data protection as the EEA or the UK. Where your Personal Data is transferred to and/or processed by Novavax or third parties outside of the EEA or the UK, we will ensure that appropriate safeguards are in place to adequately protect your Personal Data, as required by applicable law, including the execution of standard contractual clauses if the recipients are not located in a country with adequate data protection laws (as determined by the European Commission) or certified under the EU-US Privacy Shield framework. To request a copy of the safeguards that Novavax has in place for transfers of personal data outside of the EEA or the UK, please contact us.

GDPR Data Subject Rights

Under the GDPR, in certain circumstances, an EEA- or UK-resident Data Subject has certain individual rights with respect to the Personal Data that we hold about them. In particular, you may have the right to:

Request access to any data held about you;
Ask to have inaccurate data amended;
Request data held about you to be erased, provided the data is not required by Novavax to perform a contract, protect its rights, interests or those of a third party, defend against a legal claim or to comply with applicable laws or regulations;
Prevent or restrict processing of data which is no longer required;
Request transfer of appropriate data to a third party where this is technically feasible; and
Not be subject to automated decision-making, including profiling.

Additionally, in the circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific purpose at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

To exercise any of these rights, please contact us. As a resident of the EEA or the UK, you are also entitled to direct any complaints in relation to our processing of your Personal Data to your national or local data protection supervisory authority.