EEA/UK-Specific Disclosures


The below information applies to any Data Subject located in the EEA or the UK. For the purposes of processing this Personal Data, Novavax acts as a “data controller” and our headquarters is located in the United States at 21 Firstfield Road, Gaithersburg, MD 20878.

Data Retention

We retain Personal Data for as long as is necessary to accomplish the purposes set out in this Privacy Notice, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights, in accordance with the principles set forth in Article 5(1) of the GDPR.

The criteria used to determine the period for which Personal Data about you will be stored varies depending on the legal basis under which we process such Personal Data:


For the period of time necessary to fulfill the purposes described in the consent form that you agreed to, subject to your right, under certain circumstances, to withdraw consent and have certain Personal Data about you erased (see Data Subject Rights below).

Contractual Necessity

For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.

Legal Obligation

For the duration of time we are legally obligated to keep the information.

Public Interest

For the period of time necessary to fulfill the purposes of the business process in the public interest and for any period of time that may be required under.

Legitimate Interests

For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.

We may face any threat of legal claim and in that case, we may need to apply a “legal hold” that retains information beyond our typical retention period. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.

Transfer of Personal Data Outside of the EEA and UK

Novavax processes your Personal Data in the United States, which does not provide the same level of data protection as the EEA or the UK. Where your Personal Data is transferred to and/or processed by Novavax or third parties outside of the EEA or the UK, we will ensure that appropriate safeguards are in place to adequately protect your Personal Data, as required by applicable law, including the execution of standard contractual clauses if the recipients are not located in a country with adequate data protection laws (as determined by the European Commission) or certified under the EU-US Privacy Shield framework. To request a copy of the safeguards that Novavax has in place for transfers of personal data outside of the EEA or the UK, please contact us.

GDPR Data Subject Rights

Under the GDPR, in certain circumstances, an EEA- or UK-resident Data Subject has certain individual rights with respect to the Personal Data that we hold about them. In particular, you may have the right to:

  • Request access to any data held about you;
  • Ask to have inaccurate data amended;
  • Request data held about you to be erased, provided the data is not required by Novavax to perform a contract, protect its rights, interests or those of a third party, defend against a legal claim or to comply with applicable laws or regulations;
  • Prevent or restrict processing of data which is no longer required;
  • Request transfer of appropriate data to a third party where this is technically feasible; and
  • Not be subject to automated decision-making, including profiling.

Additionally, in the circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific purpose at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

To exercise any of these rights, please contact us. As a resident of the EEA or the UK, you are also entitled to direct any complaints in relation to our processing of your Personal Data to your national or local data protection supervisory authority.