Veeva and Privacy Shield

Veeva and Privacy

Veeva Systems Inc.
EU-U.S. Privacy Shield Notice
Effective Date: September 30, 2016

TRUSTe Privacy Certification

Veeva Systems Inc. and its U.S. subsidiary, Zinc Ahead Inc. comply with the EU-U.S. Privacy Shield (“Privacy Shield”) as set forth by the U.S. Department of Commerce and the European Commission regarding the transfer, collection, use, and retention of personal data made to U.S. organizations from the Member States of the European Economic Area (the “EEA”), which includes the 28 EU Member States plus Norway, Iceland and Liechtenstein.

We, Veeva Systems Inc. and its U.S. subsidiary, Zinc Ahead Inc., (collectively “Veeva”) adhere to the EU-U.S. Privacy Principles with respect to personal data of residents of the EEA that we receive in reliance on the Privacy Shield from EEA residents who visit our web and mobile sites (“EEA Site Visitors”) and companies in the EEA.

Types of personal data collected

We collect business contact information from customers, suppliers and other business partners in the EEA (“EEA Business Contacts”), including name, job title, company affiliation and contact information. From EEA Site, visitors who request additional information about our products or who wish to access secure areas of our site, we collect name, company name, email address, mailing address, phone number, portal login ID, and password.

We also store and process personal data on behalf of our corporate customers. Our corporate customers use our cloud-based software products to process personal data at their discretion, including data pertaining to their own customers, employees, and patients.

We may obtain business contact information of health care professionals from third party public sources such as medical associations and directories.

We subject to the Principles all personal data that we receive from companies or individuals in the EEA (“EEA Data”) in reliance on the Privacy Shield. We also receive some data in reliance on other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.

Purposes of collection and use

We collect and use personal data of EEA Site Visitors for purposes of providing products and services to our customers, communicating with corporate business partners about business matters, processing data on behalf of corporate customers, providing information on our services, and conducting related tasks for legitimate business purposes. With respect to marketing, data subjects in the EEA may opt-out of receiving marketing communications from Veeva or onward transfers of their data to other data controllers by following opt-out instructions that are contained in each marketing email or by contacting privacy@veeva.com.

How to contact us

If you have any questions regarding this notice or if you need to update, change or remove personal data that we control, you can do so by contacting privacy@veeva.com or by regular mail addressed to:

Veeva Systems Inc.
4280 Hacienda Drive
Pleasanton, CA 94588
United States

To contact Veeva’s Global Data Protection Officer by regular mail:

Ashley Slavik, CIPP/E
131 Avenue Charles de Gaulle, Building A
92200 Neuilly-sur-Seine
France

Types of third parties to which we disclose personal data and purposes

Veeva is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Veeva Systems complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

We share EEA Data with our subsidiaries, affiliates and contractors, who process personal data on behalf of Veeva. We also provide information to our channel partners, such as distributors and resellers, to fulfill product and information requests, and to provide customers and prospective customers with information about Veeva and its products and services. We also share EEA Data with other third parties for the purposes for which we receive the EEA Data (e.g., performance of contractual obligations and rights), and we may also disclose EEA Data where we are legally required to disclose (e.g., under statutes, contracts or otherwise) or where the disclosure is permitted by law or the Privacy Shield Principles and we have a legitimate business interest in such disclosure.

EEA Site Visitors may opt out of disclosures to entities other than agents unless the disclosure is required by law or necessary under contracts by sending an email to privacy@veeva.com, but such an opt-out request may make it difficult or impossible for us to provide requested services. We try to minimize disclosures of personal data as reasonably practical because we are mindful of our responsibility and potential liability in cases of onward transfers to third parties.

Right to access

EEA Site Visitors have the right to access personal data about them. Upon request, we will provide you with information about whether we hold any of your personal information. To access your personal data, contact privacy@veeva.com.

Because Veeva may have limited ability to access data our customers submit to our services, if you wish to request access, limit use or disclosure, please provide the name of the Veeva customer who submitted your data to our services. We will refer your request to that customer, and will support them as needed in responding to your request.

Choices and means

EEA Business Contacts may choose to change personal data, unsubscribe from email lists, or cancel an account by contacting privacy@veeva.com. EEA Site Visitors may choose to unsubscribe from our marketing communications by following the instructions or unsubscribe mechanism in the email message.

Independent dispute resolution body

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Investigatory and enforcement powers of the FTC

Veeva’s commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Arbitration

Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Requirement to disclose

Veeva may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Switzerland

Until further notice, Veeva complies with the U.S. – Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland. Veeva has certified that it adheres to the Swiss Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Swiss Safe Harbor program, and to view Veeva System’s Swiss certification, please visit:

https://safeharbor.export.gov/swisslist.aspx

United Kingdom

Personal data may be compliantly transferred from the United Kingdom (the “UK”) under the Privacy Shield pending the UK’s formal withdrawal from the European Union and the UK’s adoption of legislation amending or superseding the UK Data Protection Act 1998. The conditions applicable to the transfers from the UK will need to be re-assessed following the UK’s official exit from the EU.