Veeva and Privacy Shield

Veeva and Privacy

Veeva Systems Inc. EU-U.S. and Swiss-U.S. Privacy Shield Notice

Effective Date: January 1, 2020

TRUSTe Privacy Certification

Veeva Systems Inc. and its U.S. subsidiary, Zinc Ahead Inc. comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union (“EU”), the United Kingdom (“UK”) and Switzerland to the United States, respectively. Veeva Systems Inc. and its U.S. subsidiary, Zinc Ahead Inc. have certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

Types of personal data collected

We collect business contact details from customers, suppliers and other business partners in the EU, UK and Switzerland (“EU, UK and Swiss Business Contacts”), including name, job title, company affiliation and contact details. From our website, visitors who request additional information about our products or who wish to access secure areas of our website, we collect name, company name, email address, mailing address, phone number, portal login ID, and password.

We also store and process personal data on behalf of our corporate customers. Our corporate customers use our cloud-based software products to process personal data at their discretion, including data pertaining to their own customers, employees, and patients.

We also obtain personal data of healthcare professionals from third party public sources such as medical associations and directories.

We are subject to the Principles for all personal data that we receive from companies or individuals in the EU, UK and Switzerland (“EU, UK and Swiss Data”) in reliance on the Privacy Shield Frameworks. We also receive some data in reliance on other compliance mechanisms, including data processing agreements based on the Standard Contractual Clauses.

Purposes of collection and use

We collect and use personal data of EU, UK and Swiss website visitors for purposes of providing products and services to our customers, communicating with corporate business partners about business matters, processing data on behalf of corporate customers, providing information on our services, and conducting related tasks for legitimate business purposes. With respect to marketing, data subjects in the EU, UK and Switzerland may opt-in to receive or opt-out to stop marketing communications from Veeva. Onward transfers of their personal data to other data controllers is also managed by following opt-out instructions that are contained in each marketing email or by contacting privacy@veeva.com.

How to contact us

If you have any questions regarding this notice or if you need to update, change or remove personal data that we control, you can do so by contacting privacy@veeva.com or by regular mail addressed to:

Veeva Systems Inc.
4280 Hacienda Drive
Pleasanton, CA 94588
United States

To contact Veeva’s EU Data Protection Officer:

Ashley Slavik, CIPP/US, CIPP/E
Chief Privacy Officer & Lead Data Counsel
Veeva Systems Inc. – Europe Headquarters
Carrer de la Diputació, 303, Ático 1a
08009, Barcelona, Spain
ashley.slavik@veeva.com

To contact Veeva’s Chief Information Security Officer:

Andrew Bretten
Chief Information Security Officer
5555 Parkcenter Circle, Suite 300
Dublin, OH 43017
andrew.bretten@veeva.com

Types of third parties to which we disclose personal data and purposes

Veeva is responsible for the processing of personal data it receives under the Privacy Shield Frameworks and subsequently transfers to any third party acting as an agent on its behalf. Veeva complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, UK and Switzerland, including the onward transfer liability provisions.

We share EU, UK and Swiss Data with our subsidiaries, affiliates and contractors who process personal data on behalf of Veeva. We may also need to provide personal data to our partners to fulfill product and information requests and to provide customers and prospective customers with information about Veeva and its products and services. We share EU, UK and Swiss Data with other third parties for the purposes for which we receive the EU, UK and Swiss Data (e.g., performance of contractual obligations and rights), and we may also disclose EU, UK and Swiss Data where we are legally required to disclose (e.g., under statutes, contracts or otherwise) or where the disclosure is permitted by law or the Privacy Shield Principles and we have a legitimate business interest in such disclosure.

EU, UK and Swiss website visitors may opt out of disclosures to entities other than agents unless the disclosure is required by law or necessary under contracts by sending an email to privacy@veeva.com, but such an opt-out request may make it difficult or impossible for us to provide requested services. We minimize disclosures of personal data as reasonably practical.

Right to access

EU, UK and Swiss website visitors have the right to access the personal data we process about them. To access your personal data, please send a request to privacy@veeva.com.

Because Veeva may have limited access to personal data our customers store in our services, if you wish to request access, limit use or disclosure, please provide the name of the Veeva customer who provided your personal data to our services. We will refer your request to that customer and will support them as needed in responding to your request.

Choices and means

EU, UK and Swiss Business Contacts may choose to change personal data, unsubscribe from email lists, or cancel an account by contacting privacy@veeva.com. EU, UK and Swiss website visitors may choose to unsubscribe from our marketing communications by using the unsubscribe mechanism in our emails.

Independent dispute resolution body

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

When covering Veeva employee data received from EU, UK and Switzerland for use in the context of the employment relationship, Veeva commits to cooperate with and comply with the advice of the EU & UK Data Protection Authorities and Swiss Federal Data Protection and Information Commissioner.

Investigatory and enforcement powers of the FTC

Veeva’s commitments under the Privacy Shield Frameworks are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Arbitration

Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Requirement to disclose

Veeva may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

United Kingdom

The European Council and the UK have extended the period for withdrawal of the UK from the EU until January 31, 2020. During the extension period, the UK will remain a Member State of the EU; as a Member State, EU law will remain applicable to and in the UK. In order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework (“Privacy Shield” or “the Framework”) after the transition period or in the event of no transition period, Veeva has preemptively updated its Privacy Shield commitments to specifically cover personal data from the UK.