Veeva and GDPR

For Veeva Customers: Veeva offers a Data Processing Addendum to enable its customers to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. Where Veeva transfers EU personal data from a country that is not considered to have an adequate level of data protection, Veeva and its customers can rely on Standard Contractual Clauses.

For Individuals: This section provides specific information about how Veeva complies with the EU General Data Protection Regulation (“GDPR”). It supplements the information contained in the rest of our Privacy Statement and applies to all data subjects residing in the European Union.

Our EU Data Protection Officer and Information Security Officer have assessed our obligations as a data controller for Veeva OpenData and Veeva Oncology Link data products and as data processor for the rest of our product suite, Veeva CRM, Veeva Nitro, Veeva Andi, Veeva Vault and Veeva Network. Operating in a way that fosters trust and transparency, we appreciate the GDPR benefits of improving our business, becoming more efficient and creating better relationships with our customers and those whose data they collect.

Veeva will process personal data only if and to the extent that at least one of the following applies:

  1. You have given consent to the processing of your personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which Veeva is subject; or
  4. processing is necessary for the purposes of the legitimate interests pursued by Veeva or by a third party, except where such interests are overridden by your interests or your fundamental rights and freedoms.

When we collect personal data from you, we will make sure that you are aware of the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; if applicable, the legitimate interests pursued by Veeva or by a third party; the recipients or categories of recipients of the personal data, if any; and where applicable, the appropriate or suitable safeguards to protect your personal data. We will also inform you of the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; your right to request access to and rectification or erasure of personal data or restriction of processing or to object to processing as well as the right to data portability; if processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; your right to lodge a complaint with a supervisory authority; whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract with us, as well as whether you are obliged to provide the personal data and of the possible consequences of failure to provide such data; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

If Veeva intends to further process the personal data for a purpose other than that for which the personal data were collected, we will provide you, prior to that further processing, with information on that other purpose and with any relevant further information.

You may exercise your data subject rights under Articles 15 to 22 of the GDPR by contacting privacy@veeva.com. Veeva will provide information on action taken on a request under Articles 15 to 22 to you without undue delay and in any event within one month of receipt of the request.

If we need to extend by two further months where necessary, taking into account if the complexity and number of the requests that require more time, then Veeva will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. If you make the request by electronic form means, we will provide the information to you by electronic means where possible, unless otherwise requested by you.

If Veeva does not take action on your request, we will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on your possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

For our Software Solutions, Veeva is a Data Processor of EU Personal Data under the direction of our Customers who are Data Controllers. Here, Veeva has no direct relationship with the individuals whose Personal Data it processes. If you are a customer of one of our Customers and would no longer like to be contacted by one of our Customers that use our Services, please contact the Customer that you interact with directly. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct queries to the appropriate Veeva Customer (the Data Controller). If a Veeva Customer requests our assistance in the removal of data, Veeva will respond to such requests within 20 business days.