Data Protection and Privacy Policy
Learn more about 成人VR视频's overarching policy for data protection and privacy.
1. Introduction
This data protection and privacy policy (鈥淧olicy鈥) is the overarching policy for data protection and
privacy for The Coalition for Epidemic Preparedness Innovations (鈥湷扇薞R视频鈥).
2. Objective
2.1. This Policy sets out how 成人VR视频:
- complies with its data protection obligations under the General Data Protection
Regulation (2016) and all other applicable national legislation; and - seeks to protect the Personal Data of individuals.
2.2. This Policy is intended to ensure that Employees and Associates understand and comply with
the rules governing the collection, use, retention, and deletion of any Personal Data to which
they may have access during their work.
3. Scope
3.1. This Policy covers all Personal Data that 成人VR视频 might process during the course its activities, either in hard copy or digital copy, including special categories of data. This Policy applies to all Employees, consultants, and other persons that process Personal Data on behalf of 成人VR视频.
3.2. Any individual or entity who processes Personal Data on behalf of 成人VR视频 must follow this Policy.
3.3. Individuals should refer to 成人VR视频鈥檚 privacy notices and other relevant policies for detailed information and guidance regarding the protection of personal information in specific contexts, such as: a) Data retention b) Employment c) Information security d) International data transfers e) Monitoring f) Special category data g) Use of the Internet, electronic communications, and social media
4. Definitions
For the purposes of this Policy:
- 成人VR视频 means the Coalition for Epidemic Preparedness Innovations, the Coalition for Epidemic Preparedness Innovations UK Limited, and the Coalition for Epidemic Preparedness Innovations U.S
- Data means information in many forms. Examples include, but are not limited to, paper documents, electronic documents (databases, emails, presentations, spreadsheets), or information contained in spoken conversations.
- Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- Data Subject means the identifiable natural person to whom specific personal information relates.
- Employee: an individual with an employment contract directly with one of 成人VR视频鈥檚 three legal entities in Norway, United Kingdom or the US. Associate: A 成人VR视频 associate is any non-employee engaged to provide services to 成人VR视频 or chosen or appointed to act or speak on behalf of 成人VR视频. This includes, but is not limited to: paid consultants, temporary workers and individuals engaged through a professional employer organisation or other intermediary; external reviewers or other experts engaged by 成人VR视频 (paid or unpaid); interns and fellows (paid or unpaid) and members of 成人VR视频鈥檚 Board of Directors and advisory bodies (e.g., Scientific Advisory Committee, Joint Coordination Group).
- GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, or the 鈥淕eneral Data Protection Regulation鈥.
- Identifiable natural person is a living individual who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal Data means any information that relates to an identified or identifiable natural person.
- Processing Data means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it.
- Record of Processing Activities means 成人VR视频鈥檚 internal register of data processing activities, which details the data categories, the groups of data subjects, the purpose of the processing and the data recipients. Record of Systems means 成人VR视频鈥檚 record of information systems and contexts in which Personal Data is processed by the organisation.
- Special Category Data means sensitive Personal Data, as defined in Article 9 of the GDPR and includes Personal Data relating to an individual鈥檚 racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person鈥檚 sex life or sexual orientation.
- Third Country means a country outside of the European Economic Area
5. Policy statement
5.1. 成人VR视频 statement of principles
The overall purpose of data privacy regulations and policies is to protect the rights and freedoms of individuals and in particular the right to the protection of their Personal Data and, as such:
- a) 成人VR视频, as a publicly funded organization that operates globally, considers the privacy of individuals and the protection of their personal information to be of the utmost importance.
- b) 成人VR视频 will always process Personal Data in a way that ensures that the individual鈥檚 rights are safeguarded.
- c) 成人VR视频 is committed to processing Personal Data in accordance with the principles of the GDPR and all applicable national legislation.
5.2. Data protection principles
成人VR视频 will process Personal Data in accordance with the following principles regardless of what jurisdiction it is operating in:
- a) 成人VR视频 will process Personal Data lawfully, fairly, and in a transparent manner.
- b) 成人VR视频 will collect Personal Data for specified, explicit, and legitimate purposes only; and will not process it in a way that is incompatible with those legitimate purposes.
- c) 成人VR视频 will only process Personal Data that is adequate, relevant, and necessary for the relevant purposes.
- d) 成人VR视频 will keep accurate and up to date records and take reasonable steps to ensure that inaccurate Personal Data is corrected or deleted without undue delay.
- e) 成人VR视频 will keep Personal Data for no longer than is necessary for the purposes for which the information was gathered and is processed.
- f) 成人VR视频 will take appropriate technical and organisational measures to ensure that Personal Data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.
- g) 成人VR视频 will ensure that any third parties with whom it shares Personal Data will operate in a manner that is consistent with applicable data protection laws and regulations, as set out in 成人VR视频鈥檚 Third Party Code or other applicable contractual documents.
5.3. Rights of the Data Subject
成人VR视频 will always uphold the following rights of the Data Subject:
a) The right to be informed
b) The right of access
c) The right to rectification
d) The right to erasure
e) The right to restrict processing
f) The right to data portability
g) The right to object
h) Rights in relation to automated decision making and profiling
5.4. Organisational measures
成人VR视频 will establish and maintain policies and procedures to ensure compliance with the principles and protection of the rights mentioned above and, as such:
- a) 成人VR视频 will establish a data protection and privacy procedure (鈥淧rocedure鈥), which will detail how Employees are to comply with this Policy and the data protection principles in practice.
- b) Compliance with this Policy will be monitored through the Internal Audit and Assurance group activities in accordance with the Annual Internal Audit and Assurance Plan, as agreed with 成人VR视频 Senior Management. Compliance by third parties engaged or funded by 成人VR视频 will be monitored through 成人VR视频鈥檚 risk-based Partner Assurance programme.
- c) 成人VR视频 will conduct periodic risk assessments and update its policies and procedures accordingly to ensure continued compliance with this Policy and all other legal requirements.
- d) 成人VR视频 Employees, Associates, and other relevant individuals shall receive appropriate training on this Policy and associated Procedure, as appropriate to their role.
6. Compliance with data protection principles
6.1. Accuracy
成人VR视频 shall take all reasonable steps to ensure the Personal Data it processes are accurate. Where it is necessary for the lawful basis upon which data are processed, steps shall be put in place to ensure that Personal Data are kept up to date.
6.2. Adequate, relevant, and limited to what is necessary
成人VR视频 shall ensure that any Personal Data it processes are adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
6.3. Breach reporting
In the event of a Data Breach, 成人VR视频 shall, without undue delay:
a) assess the risk to individuals鈥 rights and freedoms;
b) where appropriate, notify the relevant supervisory authority; and
c) where appropriate, notify the data subject.
6.4. International data transfers
- 成人VR视频 may transfer Personal Data to internal or third-party recipients located in another country.
- 成人VR视频 will only transfer data to a country that is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects.
- Where transfers need to be made to countries lacking an adequate level of legal protection (Third Countries), they must be made in compliance with an approved transfer mechanism as detailed in the associated Procedure.
6.5. Lawful, fair, and transparent processing
- Individuals have the right to access their Personal Data and any such requests shall be dealt with in a timely manner (see paragraph 9 below).
- To ensure that processing of Personal Data is lawful, fair, and transparent, 成人VR视频 will maintain a Record of Processing Activities and a Register of Systems.
- The Record of Processing Activities and the Register of Systems shall be regularly reviewed and at least once annually.
6.6. Lawful purposes
All Personal Data will be processed by 成人VR视频 on one of the following legal bases:
a) Consent
b) Legal obligation
c) Vital interests
d) Public task
e) Legitimate interest of 成人VR视频
成人VR视频 shall log the appropriate basis for each category of Personal Data in the Record of Processing Activities.
Where consent is relied upon as a lawful basis for processing data, evidence of an individual鈥檚 optin consent shall be stored with the Personal Data.
6.7. Security
成人VR视频 shall ensure that Personal Data are stored securely and shall implement technical and organisation measures to ensure a level of security that is appropriate to the risk in processing.
Access to Personal Data shall be limited to the personnel who need access and appropriate security measures shall be put in place to avoid the unauthorised sharing of Personal Data.
When Personal Data is deleted, this shall be done securely and in such a way that the data are irrecoverable.
成人VR视频 shall ensure that appropriate back-up and disaster recover solutions are in place.
6.8. Special category data
If 成人VR视频 processes any Special Category Data or criminal records data, it will keep written records of:
- a) the relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for the purpose;
- b) the lawful basis for processing; and
- c) whether 成人VR视频 retains and erases the personal information and, if not, the reasons for not doing this.
Employees and Associates shall follow the process laid out in the associated Procedure when handling special category or criminal records data.
6.9. Storage/deletion
To ensure that Personal Data are kept for no longer than is necessary, 成人VR视频 shall put in place a storage and retention policy and this process shall be reviewed annually. The storage and retention policy shall consider what data should be retained, for how long, and why.
7. Data protection by design and by default
7.1. 成人VR视频 will ensure appropriate technical and organisational measures are in place to effectively uphold the principles and safeguard the individual rights outlined above. This will include:
- a) integrating the necessary safeguards into any new data processing activity to meet regulatory requirements and to protect individuals鈥 rights;
- b) considering the nature, scope, purpose, and contents of any processing; and
- c) considering the risks to the rights and freedoms of individual posed by the processing.
7.2. 成人VR视频 shall uphold the principles of data protection by design and by default from the beginning of any new data processing activity, in addition to the planning and implementation of any new data process. This will include, where appropriate, carrying out a data protection impact assessment.
7.3. All existing data processing shall be recorded in 成人VR视频鈥檚 Record of Processing Activities.
7.4. By adhering to the principles in paragraph 5.2 as its default position, 成人VR视频 ensures that individuals are protected against privacy risks.
8. Rights of the data subject
8.1. The Data Subject will, among other rights, always have a right to the following information in relation to their Personal Data:
a) The purposes of the processing.
b) The categories of Personal Data concerned.
c) The recipients or categories of recipient to whom the Personal Data have been, or will be, disclosed, particularly recipients in third countries or international organisations.
d) Where possible, the expected period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period.
e) The existence of the right to request from the controller rectification or erasure of Personal Data or restriction of processing of Personal Data concerning the Data Subject or to object to such processing.
f) The right to lodge a complaint with a relevant supervisory authority.
g) Where the Personal Data are not collected from the Data Subject, any available information as to their source.
h) The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
8.2. Any inquiries regarding the rights of an individual Data Subject, including the wish to exercise such rights, should be sent to [email protected].
9. Responsibilities
9.1. The Director of Governance, Risk and Compliance is responsible for the overall data protection framework. 成人VR视频 has appointed a Senior Data Protection and Privacy Manager, who is responsible for the day-to-day management of data protection activities within 成人VR视频 and ensuring that individuals carrying out these activities adhere to this Policy and associated Procedure.
9.2. Individuals are responsible for helping 成人VR视频 keep the Personal Data it holds up to date.
9.3. Employees and Associates might have access to the Personal Data of other Employees and Associates, suppliers, and other third parties in the course of their employment or engagement.
9.4. If so, 成人VR视频 expects Employees and Associates to assist in meeting its data protection obligations in relation to those individuals.
9.5. Further details on what is expected of Employees and Associates and how they are to comply with this Policy in practice can be found in the associated Procedure.
10. Failure to comply
10.1. 成人VR视频 takes compliance with this Policy seriously. Failure to comply with this Policy and associated Procedure:
a) puts data subjects at risk;
b) carries the risk of substantial civil and criminal sanctions for the individual and 成人VR视频; and
c) may, in certain circumstances, amount to a criminal offence by the individual.
10.2. Due to the importance of this Policy and the severity of the potential consequences of any breach, an Employee鈥檚 failure to comply with any requirement of this Policy may lead to disciplinary action under 成人VR视频鈥檚 procedures. Such action may lead to dismissal for gross misconduct, or termination of the individual contract.
10.3. 成人VR视频 will take the appropriate legal actions for instances of Associates and third parties鈥 failure to comply with the applicable data protection and privacy laws.