Veeva and GDPR

Veeva and Privacy

For Veeva Customers: Veeva has made GDPR-specific changes to its data processing commitments to customers and will abide by these commitments going forward. Veeva customers may add these commitments to their existing Veeva subscription agreements at the link below. Customers may e-sign and receive a countersigned copy of Veeva’s Privacy and Security GDPR Processor Addendum (“GDPR Addendum”) here.

The GDPR Addendum sets out the scope, subject-matter, duration and purpose of Veeva’s data processing, as well as the types of personal data processed and rights of data subjects. It also details Veeva’s confidentiality obligations as a data processor, cooperation regarding inquiries from data subjects and authorities, international data transfers, Veeva’s sub-processors, and the location and deletion of data. Finally, our security measures and personal data breach indemnity commitments are explained.

For Individuals: This section provides specific information about how Veeva complies with the EU General Data Protection Regulation (“GDPR”). We welcome this opportunity to put the individual data subject in the driver’s seat.

Our Data Protection Officer and Information Security Officer have assessed our obligations as a data controller for Veeva OpenData and Veeva Oncology Link data products and as data processor for the rest of our product suite, Veeva CRM, Veeva Vault and Veeva Network. Operating in a way that fosters trust and transparency, we appreciate the GDPR benefits of improving our business, becoming more efficient and creating better relationships with our customers and those whose data they collect.

Veeva will process personal data only if and to the extent that at least one of the following applies:

  1. You have given consent to the processing of your personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which Veeva is subject; or
  4. processing is necessary for the purposes of the legitimate interests pursued by Veeva or by a third party, except where such interests are overridden by your interests or your fundamental rights and freedoms.

When we collect personal data from you, we will make sure that you are aware of the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; if applicable, the legitimate interests pursued by Veeva or by a third party; the recipients or categories of recipients of the personal data, if any; and where applicable, the appropriate or suitable safeguards to protect your personal data. We will also inform you of the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; your right to request access to and rectification or erasure of personal data or restriction of processing or to object to processing as well as the right to data portability; if processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; your right to lodge a complaint with a supervisory authority; whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract with us, as well as whether you are obliged to provide the personal data and of the possible consequences of failure to provide such data; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

If Veeva intends to further process the personal data for a purpose other than that for which the personal data were collected, we will provide you, prior to that further processing, with information on that other purpose and with any relevant further information.

You may exercise your data subject rights under Articles 15 to 22 of the GDPR by contacting privacy@veeva.com. Veeva will provide information on action taken on a request under Articles 15 to 22 to you without undue delay and in any event within one month of receipt of the request.

If we need to extend by two further months where necessary, taking into account if the complexity and number of the requests that require more time, then Veeva will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. If you make the request by electronic form means, we will provide the information to you by electronic means where possible, unless otherwise requested by you.

If Veeva does not take action on your request, we will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on your possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

For more information on GDPR, please visit: GDPR is coming, are you ready?