We protect your privacy

Your privacy is of the utmost importance to UMC. Should you have any questions related to the processing of personal data at UMC, please contact us, using the contact details found at the end of this page.

Who is responsible for the processing of your personal data?

Uppsala Monitoring Centre, registration no. 817603-2558, with its office located at Bredgränd 7, 753 20 Uppsala, Sweden, (“UMC”, “we”, “us”) acting as controller of personal data, is responsible for the processing of your personal data under the applicable data protection laws, such as the General Data Protection Regulation, EU2016/679 (“GDPR”) and the Swedish Data Protection Act (2018:218). When you interact with UMC, use our products and services, apply for a job, attend an event, or visit our websites, we may collect certain information about you. If you have any questions regarding our processing of your personal data, or if you have any complaints, you can contact us through the contact form on our website. 

You have the right to be informed when we process your personal data. This right includes information on how and why we process your data. You can learn more on how and why we process your personal data and many other things by reading this Privacy Policy or by contacting us.

For our employees, consultants, students, and trainees, please see our Privacy Policy for Employees.

Your rights as data subject

As a data subject, you have certain rights when your personal data is processed. Read on to learn more about them. You can always contact us if you want to know more or when you want to exercise your rights, by using the contact form on our website.
Please note that some of these rights may not be applicable to you in all situations.

Right to access your personal data

You have the right to know what personal data we process about you and the right to access this data. A copy of the personal data we process about you and how we process your data can be provided to you upon request.

Right to rectification of your personal data

You have the right to request that we correct personal data or complete personal data about you that you believe is inaccurate or incomplete.

Right to object to the processing of your personal data

You have the right to object to the processing of your personal data if the processing is based on our legitimate interest (article 6.1 (f) GDPR). We may only continue to process your data if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or if the processing is performed in connection with legal claims. If you object to our processing of your personal data, you can also ask us to restrict the processing while we assess our legitimate interest to process your data (see the section “Rights to restrict the processing of your personal data”).

Rights to restrict the processing of your personal data

You have the right to request that we restrict the processing of your personal data. Such restriction may be applied if you have asked us to rectify your personal data, for a period enabling us to verify or correct your personal data or if you believe that our processing of your personal data is unlawful, but you do not want us to erase your data. This may also apply where we no longer need your data but where you need it to establish or defend a legal claim. If the processing of your personal data has been restricted, we may only continue to process this data if this is necessary for establishing, exercising or defending legal claims, to protect someone else’s rights or if you have given your explicit consent.

Right to withdraw your consent

You have the right to withdraw your consent at any time in cases where we process your personal data based on your consent. You can contact us using the webform on our website. Please note that a withdrawal of consent does not affect the lawfulness of prior processing of your data.

Right to erasure of your personal data (right to be forgotten)

You have the right to request that we delete your personal data. This applies if you believe that the personal data we store are no longer necessary in relation to the purpose for which they were collected or if we process your data based on your consent and you withdraw your consent. This also applies if we process your data based on our legitimate interest and your rights outweigh our legitimate interests. There may, however, be situations when we need to keep your personal data, for example where this is required according to a legal obligation, when we still need this data for the purposes for which it was collected or if the data is needed to establish, exercise or defend a legal claim. The right to be forgotten might not always be applicable to you in a particular situation, but you will always have the right to request us to delete your information, and we will then assess your request according to the data protection laws.

Right to data portability

You have the right to request us to send your personal data to you in digital form so that you can forward it to somebody else, if the processing of the data is based on your consent or on a contract and the processing is carried out by automated means.

Right to object to automated decisions based on profiling

According to the GDPR, you have the right to object to automated decisions based on profiling. UMC does not make automated decisions based on your personal data.

Which categories of personal data do we collect about you?

This section contains a list of categories of personal data that we collect. Not all these data have necessarily been collected about you, since this depends on how you have interacted with UMC.

More information on what personal data we collect relating to the specific ways you can interact with UMC as well as information on the legal basis for the processing of personal data is available below. A description of legal bases are also available below. For job applicants and current and former employees, please also see the specific indications below.

• Name and contact information: Name, email address, postal address, phone number.
• Identification and personal information: Personal identification number, date of birth, nationality, photos, video and audio recordings.
• Employment information: Title, occupation, employment, employment history, employer’s name, employer’s address, address of your office, education, candidate assessment results.
• Technical information: Information on your access rights to our products and services and your username and other login credentials. Information relating to your use of our products and services and how you interact with our products and services, such as your IP address, logs, the date and time of access, which browser you used, the URL of the website from which you were referred, geolocation information such as city and region of connection. 
• Sensitive personal data (special categories of data): Information that may reveal religious beliefs, political or philosophical views and health information by dietary preferences.

Which are the legal bases for the processing of your data?

We process your personal data based on the following legal grounds: 

• Consent (Article 6.1 (a) GDPR): we may process your personal data based on your consent. You have the right to withdraw your consent at any time by contacting us.
• Contract (Article 6.2 (b) GDPR): we may process your data based on a contract or prior to entering a contract to which you or the organisation that you represent is a party.
• Legal obligation (Article 6.1 (c) GDPR): we may process your personal data due to a legal obligation, for example relating to bookkeeping and accounting.
• Legitimate interest (Article 6.1 (f) GDPR): we may process your data based on our legitimate interest, for example to communicate with you, to establish or maintain a business relationship with you or the organisation that you represent, or to improve our services. When we use our legitimate interest as legal basis, we have balanced our interests with your interests to ensure that the processing of the data is necessary.

The processing of sensitive personal data (special categories of data as defined in article 9.1 GDPR) is prohibited, unless any of the exceptions in article 9.2 applies. We process sensitive personal data based on the following exceptions:

• Consent (Article 9.2 (a) GDPR): we may process sensitive personal data about you if you have given your explicit consent. You have the right to withdraw your consent at any time by contacting us.
• Legal obligation (Article 9.2 (b) GDPR): we may process sensitive personal data about you if this is necessary for us to comply with mandatory legislation or collective agreement in the fields of employment and social protection law.

Your interaction with UMC

This section will provide information on which information we collect, when we collect it, why we collect it, how this is done and the legal basis.

When you visit our websites

When you visit our websites (www.who-umc.org or uppsalareports.org), certain information is collected and shared with us through your web browser. 

• What data we collect
  Provided automatically: Technical information
• Why we collect this data
  We collect this data for statistical reasons to improve our websites, the technical functionality of the sites, and the user experience. 
• Legal basis
  Legitimate interest

We also use cookies on our websites. For more information about our use of cookies, please see our Cookie Policy.

When you contact us or visit our office

When you contact us, for example by using our webform, by sending an email or by calling us, or when you visit our office, we collect certain information about you.

• What data we collect
  Provided by you: Contact information, Employment information and any additional information you provide us with in free text.
• Why we collect this data
  We collect this information so that we can communicate with you, help you with your query, or establish a business relationship with you or the organisation that you represent. If you visit our office, we collect information about you for security reasons so that we know when guests are expected to be in our office building.
• Legal basis
  Legitimate interest, Contract

When you use our products and services

We are offering many products and services to our customers, such as our WHODrug and products and services connected to the WHO Programme for International Drug Monitoring. We also publish the Uppsala Reports magazine.

• What data we collect
  Provided by you or your employer: Contact information, Employment information
  Automatically collected: Technical information
• Why we collect this data
  We collect Contact information and Employment information to communicate with you, to establish or maintain a business relationship with you or the organisation that you represent, or to provide you with access to our products and services. This is based on our legitimate interest or for the performance of a contract. We also collect Contact information based on your consent if you have subscribed to the Uppsala Reports magazine or signed up for a newsletter. We collect Technical information for IT security reasons based on our legitimate interest. We can also for statistical reasons collect data about your use of our products and services to improve our product and service offering, the technical functionality of our services our websites and the user experience, based on our legitimate interest.
• Legal basis
  Legitimate interest, Contract, Consent

When you attend our trainings and events

We host events and offer workshops and trainings within the field of pharmacovigilance, both in-person and virtually.

• What data we collect
  Provided by you or your employer: Contact information, Identification and personal information, Employment information, Sensitive information
  Provided automatically: Technical information
• Why we collect this data
  We collect Contact information, Identification and personal information and Employment information when you sign up for a training, an event or similar. We collect this information to provide you with access to trainings and to give you information on events and trainings that you have been invited to attend, and this is based on our legitimate interest or on a contract. We may also use your contact information to send a survey to you after you have attended an event, a training or similar, which will help us improve these services for the future, based on our legitimate interest. Based on your consent, we can collect Sensitive information to be able to cater for your dietary preferences during our on-site trainings and events.
• Legal basis
  Legitimate interest, Contract, Consent

When you participate in or contribute to our communication and/or marketing activities or collaborate with us in our pharmacovigilance work

UMC is a Swedish foundation with many partners and collaborators around the world that contribute to global pharmacovigilance and the safety of medicines and vaccines. UMC publishes the Uppsala Reports magazine, records podcasts and videos, creates information material and other communication and/or marketing activities to promote UMC, pharmacovigilance, and medicines and vaccines safety overall.

• What data we collect
  Provided by you or your employer: Contact information, Identification and personal information, Employment information
• Why we collect this data
  We collect this information relating to your participation or contribution to our communication and marketing activities. We do this for example when you author articles for our magazine and when you are a guest in our podcasts, based on a contract or your consent. We also collect your information when you offer your opinions on our products and services, based on our legitimate interest or your consent, and when you offer your expertise and knowledge, or in other ways contribute to our activities, based on your consent or our legitimate interest. We also collect this information when you or the organisation that you represent enter into a collaboration or partnership with us, based on a contract.
• Legal basis
  Legitimate interest, Consent, Contract

When you apply for a job, a traineeship or student position etc.

When you apply for a job, a traineeship, or a student position at UMC, we collect and process certain information about you. For successful candidates, additional information will be collected.

• What data we collect
  Provided by you: Contact information, Identification and personal information, Employment information
  From other sources: Employment information
• Why we collect this data
  We collect this information for the purposes of the recruitment process at UMC and for UMC to enter into an employment contract or other contract with successful applicants, based on our legitimate interest or to enter into a contract.
• Legal basis
  Legitimate interest, Contract

For employment reference persons

In a recruitment process, we might collect and process certain information on a job applicant’s reference persons.

• What data we collect
  From other sources: Contact information
• Why we collect this data
  As part of a recruitment process, it may be necessary to collect information on a job applicant’s reference person in order to assess the candidate.
• Legal basis
  Legitimate interest

For our employees’ emergency contacts

In the event of an emergency, we might need to contact an employee’s emergency contact or next of kin. A separate Privacy Notice for emergency contacts is available.

• What data we collect
  From our employees: Contact information
• Why we collect this data
  Our employees are encouraged to share the contact details of somebody they want us to contact. As an employer, we feel a responsibility towards our employees to be able to inform a person that they have chosen in the event of an emergency.
• Legal basis
  Legitimate interest

How long will we retain your data?

Your data will be retained for as long as necessary to fulfil the purposes for which the data was collected or for the purpose of legal requirements. You have the right to ask us to delete the information we have collected about you. Please note that we might need to keep your data due to legal obligations or if the data is needed to establish, exercise or defend a legal claim.

• Consent: For personal data processed based on your consent, we will process this data for as long as your consent persists. You have the right to withdraw your consent at any time by contacting us. Please note that a withdrawal of consent does not affect the lawfulness of prior processing of your data.
• Contract: For personal data processed based on a contract, we will process your data for as long as the contract is valid. If the contract is terminated, we will continue to process your data based on our legitimate interest or a legal obligation.
• Legal obligation: For personal data processed based on a legal obligation, we will process your data for as long as necessary to comply with this obligation.
• Legitimate interest: For personal data processed based on our legitimate interest, we will process your data for as long as necessary to fulfil the purposes for which the data were collected. You can contact us to learn more on our retention times for a particular processing or category of data.

Who do we share your personal data with?

Staff access

Access to personal data for our staff is restricted to times when it is deemed necessary and to people who need to access the data as part of their job. Access to data for our employees and contractors is covered by confidentiality agreements to ensure that all data is handled with the utmost care.

Swedish government authorities

Due to legal requirements, we might share your personal data with Swedish authorities, for example where we need to share certain information with the Swedish Tax Agency and the Swedish Social Insurance Agency about our employees, based on a legal obligation.

Financial institutions and auditors

Personal data might be shared with our bank in order for us to handle payments, and with auditors, based on a legal obligation or our legitimate interest.

Service providers and subcontractors

We may use data processors for the processing of your personal data, for example cloud service providers, such as Microsoft. Data Processing Agreements are used to ensure an adequate level of protection when a processor is processing personal data on our behalf.

World Health Organization, WHO

As a WHO Collaborating Centre, UMC works with the WHO to support the WHO Programme for International Drug Monitoring (“WHO PIDM”). Some personal data might be transferred to WHO where this is necessary for the activities relating to the WHO PIDM. This includes personal data about our employees, such as name, title, and contact details.

Where is your data processed?

Your personal data is primarily processed within the EU/EEA. We might use processors based in countries outside EU/EEA, but only where this is legal and appropriate based on a decision on adequacy from the European Commission, with parties certified under the EU-U.S. Data Privacy Framework and/or where the European Commission Standard Contractual Clauses are used. Such processing will always be governed by adequate technical and organisational measures to protect your personal data.

Updates to this Privacy Policy

UMC reserves the right to update this Privacy Policy at any time. The most recent version will be available here on our website.

Complaints

If you believe that UMC is not processing your data in accordance with the GDPR or other applicable data protection laws, you have the right to submit a complaint to the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) or to your local data protection authority.

Contact UMC

If you have any questions regarding our processing of your personal data, or if you have any complaints, you can contact us through the contact form on our website.

We have appointed a Data Protection Officer (DPO) to monitor our compliance with the GDPR. You can contact our DPO by sending an email to privacy@who-umc.org.