Moderna HCP Data Protection Notice

Last revised: 15 September 2021

Moderna takes the protection of your personal data very seriously. This data protection notice for health care professionals (“Data Protection Notice”) informs you about the processing of your personal data, including what personal data we collect and how we use the information, and your related rights under data protection laws.

This Data Protection Notice applies to the following Moderna group companies:

Moderna Biotech Spain, S.L.U.
Moderna Biotech UK Limited
Moderna France SAS
Moderna Germany GmbH
Moderna Italy S.r.l.
Moderna Switzerland GmbH

(each hereinafter individually and separately “Moderna” or “we”)


We may change the content of this Data Protection Notice from time to time. We therefore recommend that you review this Data Protection Notice at regular intervals.

1. Who is responsible for the processing of my personal data?

The respective Moderna group entity with which you enter into contact, establish or maintain a business relationship or with which you otherwise interact is responsible as controller within the meaning of the EU General Data Protection Regulation (“GDPR”).

The Moderna group entities that are covered under this Data Protection Notice are listed at the end of this document (section 10).

You can contact the respective Moderna group entities at any time at the contact details set out at the end of this document (section 10). To effectively exercise your rights under data protection laws, please contact us via the central privacy email at EUprivacy@modernatx.com


2. What categories of personal data will be processed?

Moderna collects and processes the personal data that you disclose to Moderna, or that we otherwise collect, in the context of the business relationship or other interaction between you and Moderna (such as in case you request medical information, register for an event, sign-up for scientific, medical or promotional information, or enter into an agreement with us on a speaker or advisory board engagement).

This may include, but is not limited, to the following categories of personal data:

Name, title, job title, organization/practice, area of expertise and specialization, status (registered / employed practitioner), professional address, professional contact information (email, telephone and/or telefax), individual HCP identification numbers, bank account details, educational background, publications, contract history and performance evaluation, documentation concerning medical/scientific information requests, information concerning the nature of the relationship with Moderna, your activities and work experience as health care professional, your preferences and interests regarding our products and services, your consent for receiving scientific, medical and/or promotional information (or related objections), documentation of interactions and communications with you, information relating to your participation in webinars, seminars or other events, documentation and details of services rendered by you and of any direct and indirect payments, compensation, expense reimbursement, ownership or investment interest, or other transfers of value provided to you by Moderna.

As a rule, personal data will be collected directly from you. However, there may be scenarios where we collect personal data (including the categories of data listed above) from third party sources. These third party sources include: Publicly accessible sources in the Internet containing background information on health care professionals (such as publications, speaker engagements and educational background), third party data providers of basic HCP business data (e.g., name, job title, specialty, business address, telephone number and email), service providers (such as medical communication agencies) or MSLs that interact directly and independently with health care professionals.

3. Do I have an Obligation to provide my Data?

In principle, there is no contractual requirement or legal obligation for you to provide your personal data for the purposes indicated in this Data Protection Notice. However, if you decide not to reveal certain of your personal data, we may, under certain circumstances, be unable to respond to your request, provide our services, or enter into or perform a contract with you. Where required, we will inform you separately in case there is an obligation to provide certain data and of the possible consequences of failure to provide such data. In case we ask for your consent to the publication of your personal data for transparency disclosure purposes, such consent is voluntary and you are free to provide or refuse consent.

4. For what purposes will my personal data be processed, and on what legal basis?

Your personal data will be processed for the following purposes, and on the legal bases set out in the respective sections:

  • Contract Performance: Moderna stores and processes your personal data to the extent necessary for the establishment, administration, performance and management of your contractual engagements with Moderna, including travel arrangement and expense reimbursement. The related processing of your personal data will be based on the necessity of the processing for the performance of the contract with you or in order to take steps at your request prior to entering into the contract. Depending on the contractual arrangements with you, Moderna may, where this forms part of the contractually agreed services, also make video and audio recordings of the services performed by you, and use and publish such recordings for educational, scientific and commercial purposes, as further agreed between the parties. The processing of your related personal data will be based on the necessity of the processing for the performance of the contract with you. Where required under applicable local law, we will obtain your underlying authorisation and/or consent.

  • Responding to Medical Requests and Enquiries: To the extent you contact Moderna with any request or enquiry, such as in case you contact our med/info services, request certain HCP and patient informational materials, or file a product related complaint, Moderna will process the personal data you provide to the extent necessary to safeguard our legitimate interests in ensuring an effective and legally compliant handling, response and documentation of your requests and enquiries.

  • Legitimate Business Interests: Moderna further stores and process your personal data to the extent necessary to safeguard Moderna's legitimate interests in operating its business, in particular:

    • determining fair and market standard remuneration (such as for speaker or advisory board engagements), and ensuring and documenting compliance with related legal and regulatory obligations;

    • evaluating, documenting, managing and administering the business relationship with you, and providing appropriate further educational, scientific and business related support and care;

    • evaluating potential future engagements by Moderna or third parties (such as where events are not carried out by Moderna);

    • market analysis and market research;

    • understanding the preferences, interests and needs of health care professionals and patients, improving scientific and educational medical support, and commercially optimizing the products and services offered by Moderna;

    • ensuring and documenting compliance with applicable legal or regulatory requirements, and industry standards and practices; and

    • safeguarding our rights and interests, and establishing, exercising or defending legal claims.

  • Scientific, Medical and/or Promotional Communication. In accordance with applicable law, Moderna may process your personal data in order to contact you via email, telephone or personal visits with relevant scientific, medical and/or promotional information about the products and services offered by the Moderna group companies, including invitations to medical educational events or webinars, and information on opportunities for scientific, medical and promotional engagements. The processing of your personal data will be based on our legitimate interests in maintaining an appropriate relationship with you, in particular an effective scientific, educational medical and promotional exchange, support and care of the relationship, and in facilitating the commercial optimization of our products and services. To the extent required under applicable data protection law, Moderna will obtain your prior consent for contacting you by email or telephone. Such consent may allow Moderna to share the information with other Moderna group companies to contact you for the above purposes. These Moderna group companies may be located in the European Union, the UK, Switzerland and the USA. In addition, we use a service provider in the USA that provides the technical platform for sending our email communications and related consent management. The laws of the USA may not provide for the same level of data protection as considered adequate in the European. In particular, there is a risk of data being accessed by U.S. public authorities without adequate judicial redress for the persons concerned. With your consent, you also agree with the related transfer and processing of your personal data in the USA, including by our technical service provider. Such consent will be recorded by Moderna in order to safeguard Moderna’s legitimate interests in ensuring and documenting compliance with applicable legal requirements. You have the right to withdraw your consent with effect for the future, and/or to object to the processing of your personal data for promotional purposes, at any time by contacting Moderna at the contact details set out below (see section 10).

  • Compliance with Legal Obligations: Moderna further stores and processes certain personal data to the extent necessary to comply with applicable legal requirements, such as anti-corruption and anti-bribery laws or statutory data retention requirements.

  • Pharmacovigilance: To the extent Moderna receives any information from you that is relevant to the safety aspects of its medicinal products, Moderna will process the data for purposes of evaluating, documenting and processing the information submitted for ensuring safety of its medicinal products and for complying with legal documentation and reporting obligations in case of adverse events. The processing is based on the necessity of the processing for purposes of complying with legal obligations (in particular documentation and reporting obligations to the competent authorities) for reasons of public interests in the area of public health, in particular for ensuring high standards of quality and safety of health care and of medicinal products, as well as for protecting Moderna’s and its affiliated group companies’ legitimate interests (ensuring and documenting compliance with statutory pharmacovigilance requirements and establishing, exercising and defending legal claims).

  • Transparency Disclosures: In accordance with the European Federation of Pharmaceutical Industries (EFPIA), and in light of any applicable legal and regulatory requirements and industry standards, including under local industry specific codes of conduct, Moderna supports and contributes to the implementation of transparency disclosure requirements in relation to collaborations between the industry and health care professionals and related transfers of value made by Moderna. For this purpose, Moderna will document the following information and prepare reports relating to payments and other transfer of values made to you:

    • name and address, 

    • the existence and nature of the relationship with Moderna,

    • actual services rendered by you,

    • direct and indirect payments, compensation, expense reimbursement, ownership or investment interest, or other transfers of value provided to you by Moderna.

Such information will, in accordance with local requirements, including under the applicable industry specific code of conduct, be published on a publicly accessible website or operated by Moderna or any of its affiliated group companies, or on a central platform, as provided by the relevant public or professional authority or body of an association under the applicable legal regime and/or industry specific code of conduct. Except where Moderna is under a legal obligation to do so (to the extent applicable to the respective Moderna group company in your jurisdiction, such as in France), and except where Moderna is entitled to disclose the personal data on the basis of its legitimate interests (such as in Spain), Moderna will only disclose and publish your data in personal identifiable form if you have provided your prior consent. You are not obliged to provide your consent to the disclosure and publication of your personal data. If you do not provide your consent, and in case there is no applicable legal obligation to do so, any information regarding transfers of value made to you under the Agreement, will be reported and published for the relevant reporting period only in aggregated and anonymized form, i.e., without being attributable to your person. 

The processing of your personal data for documentation and reporting purposes, including a potential anonymization before publication in aggregated form, will be based on the necessity of the processing in order to comply with legal obligations (to the extent applicable to the respective Moderna group company in your jurisdiction) and to safeguard Moderna's legitimate interests in ensuring and documenting compliance with applicable regulatory requirements and industry standards, including under applicable code of conducts of industry associations.

Where applicable law permits Moderna to disclose and publish the personal data in personal identifiable form under the legal basis of Moderna's legitimate interest, such as in Spain, Moderna relies on its legitimate interests in reducing the risk of anyone perceiving any influence over healthcare professionals, as well as fostering an integrity culture regarding the transactions to healthcare professionals and the public and patients trust in the integrity and independence of healthcare professionals, which is crucial to generate trustworthiness in these relationships and its proper functioning.

5. Who will receive my personal data?

Moderna will not sell, share or otherwise disclose your personal data to third parties, except as necessary for the purposes set out above (e.g. to Moderna group companies in order to handle your information requests) or as otherwise set out in this Data Protection Notice.

  • Service Providers: We may disclose your personal data to third party service providers who will process your personal data on our behalf. For instance, we may share your personal data with our technical service providers that perform technical support or hosting services or provide the technical platform for our email communications and related consent management. We further use health care service partners that assist us with managing and handling your business relationship (such as medical communication agencies). These service providers have contracted with us to only use the personal data for the agreed purposes and in accordance with our instructions, and not to disclose your data to any third parties, except as may be required by law.

  • Third Party Recipients: We may further disclose your personal data to third parties acting as separate controllers, as necessary for the purposes set out in this Data Protection Notices (such as to travel agencies, hotels or travel service providers for purposes of travel arrangements, to an event organizer for handling your participation in an event, or to our legal consultants and external advisors, as necessary for safeguarding our rights and the establishment, exercise or defense of legal claims).

  • Moderna Group Companies: We may also disclose your personal data to Moderna affiliates, in particular the Moderna group companies listed at the end of this Data Protection Notice (see section 10) and our affiliates in the USA (Moderna TX, Inc. and Moderna, Inc.), as necessary to handle your requests or engagements, and for purposes of our legitimate interests in benefiting from centralized and group-wide business services and functions in an integrated worldwide organizational structure (such as global IT systems and applications and centralized processes for handling transparency disclosures, processing adverse events reporting and/or for managing HCP business relationships, including appropriate educational, scientific and business related support, care and administration of the relationship with you), and enabling appropriate respective oversight, evaluation and controls in our corporate structure. We may also share your personal data to enable these group companies to comply with their respective legal obligations (such as in case of adverse events reporting). We may further share any audio and video recordings made under an contract with you (if any) with our affiliated group companies as necessary for any educational, scientific, audit and/or commercial purposes, as further agreed in the respective contractual engagement. To the extent permitted by law, and – where legally required – if you have provided your consent, these Moderna group companies may contact you directly with regular scientific, medical and/or promotional information about the products and services offered by the Moderna group companies. 

  • Authorities, Government Agencies and Other Third Parties: We may disclose personal data to a third party where required to do so to comply with legal and regulatory requirements or to establish, exercise or defend our legal claims (e.g. in case of an access request by a public authority or cooperation with a law enforcement agency). Moderna and/or any of its affiliated group companies involved in the internal pharmacovigilance procedures will further disclose the data (in pseudonymized form) to the relevant authorities competent for medicinal product safety in the relevant countries concerned to the extent necessary for complying with applicable adverse events reporting obligations.

For further information about the recipients of your personal data, please contact Moderna at the contact details set out below.

6. Will my personal data be processed outside the EU/EEA?

Your personal data may be transferred to or otherwise processed by the above recipients in a country outside the EU/EEA ("Third Country"), in particular the USA, which may not provide for the same level of data protection as considered adequate in the European Union. In these cases, Moderna will ensure by taking appropriate safeguards, such as by entering into agreements on the basis of the EU standard contractual clauses and by implementing supplementary measures, that your personal data will be adequately protected as required under EU data protection laws. In relation to our pharmacovigilance obligations, the transfer to our affiliated group companies and authorities in third countries is further necessary to comply with our legal obligations for important reasons of public interests in the area of public health. In certain scenarios, we will also obtain your consent before transferring your personal data to a Third Country.

The laws of Switzerland and the UK are considered to provide for an adequate level of protection on the basis of an EU Commission adequacy decision.

To learn more about the recipients of your data and the safeguards implemented by Moderna, including how to receive a copy of them, you can contact Moderna at any time at the contact details set out below.

7. How long will my personal data be stored?

Your personal data will only be stored for as long as necessary for the purposes set out in this Data Protection Notice. As a general rule, your personal data will be stored as follows:

  • The personal data necessary for handling a contractual relationship with you will be stored by Moderna for as long as necessary for the performance and complete winding-up of the contract, including accounting purposes. To the extent necessary for purposes of ensuring and documenting compliance with related legal and regulatory requirements in connection with the performance of the contract, the relevant personal data will further be stored for a period of five years after the end of the contract. We may further stored personal data required to comply with statutory retention obligations (such as under commercial and tax law) for a period of up to ten years after the end of the contract.

  • Any video and audio recordings made during performance of the Services will be stored for as long as necessary to enable appropriate use for the related educational, audit, scientific and commercial purposes for which the recordings have been made, and in accordance with any underlying consent and/or authorization provided by you (if any).

  • Personal data processed for purposes of responding to your requests and enquiries (including complaints) will be stored for a period of up to 10 years after the full completion of the processing of your matter, to the extent necessary for ensuring and documenting compliance with our legal obligations and/or for the establishment, exercise or defense of legal claims.

  • Personal data processed for pharmacovigilance purposes will be stored in accordance with legal data retention obligation for at least ten years after the withdrawal of the marketing authorization of the medicinal product from the countries in which it has been authorised for prescription and administration.

  • For purposes of our transparency disclosures, your personal data will be stored by Moderna for purposes of internal documentation for a period of five years from the time of publication. In case you have consented to the disclosure of your personal data, or the laws applicable to the respective Moderna group company in your jurisdiction require or permit Moderna to disclose your personal data, your personal data will remain in the public domain, and the corresponding documentation of your consent will be stored, for a period of three years from the time of publication, except as required otherwise to comply with applicable legal and regulatory requirements or, where applicable, in case of a withdrawal of consent.

  • Any personal data stored for purposes of evaluating, documenting, managing and administering the business relationship with you (including for potential future engagements) will be stored for as long as necessary for these purposes, and as a rule no longer than for a period of five years after the end of the business relationship and latest interaction with you.

Your personal data will be deleted thereafter, except any further storage is necessary to comply with our legal obligations (such as data retention obligations or other legal requirements) or to establish, exercise or defend our legal claims. The data will, to the extent legally required, be kept blocked and be restricted from further processing.

8. How will my Personal Data be protected?

Moderna applies appropriate safeguards to make sure that your personal data is protected. Moderna has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the personal data we process. These measures are aimed at fully ensuring the ongoing integrity, availability and confidentiality of personal data. We evaluate and improve these measures on a regular basis.

To the extent Moderna relies on legitimate interests for the processing of personal data, a balancing test has been carried out (available on request where required under applicable laws) to ensure the your rights and interests are appropriately balanced against the interests of Moderna.

9. What rights do I have?

To the extent you are affected by the data processing carried out by Moderna, you have the right subject to and in accordance with applicable legal provisions:

  • to obtain information on the personal data processed concerning you and to obtain a copy of such data (right of access);

  • to obtain the rectification of any inaccurate personal data and, having regard to the purposes of the processing, the completion of incomplete personal data (right to rectification);

  • if there are legitimate reasons, to request the deletion of the personal data (right to erasure);

  • to request the restriction of the processing of the personal data, if the legal requirements are met (right to restriction of processing);

  • if the legal requirements are met, to receive the personal data provided by you in a structured, commonly used and machine-readable format and to transfer this personal data to another controller or, if technically feasible, to have it transferred by Moderna (right to data portability); and

  • not to be subject to a decision based solely on automated processing which produces legal effects concerning you or significantly affects you in a similar way, if the legal requirements are not met. An automated decision making process is not carried out by Moderna.

You also have the right to object, in accordance with the statutory provisions, to the processing of personal data, which is necessary for the purpose of Moderna’s legitimate interests, on grounds relating to your particular situation (right to object). If your personal data is processed by Moderna for direct marketing purposes, you have the right to object to this processing at any time, without any special reason.

If the data processing is based on consent you can withdraw the consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing of your personal data until withdrawal.

In order to exercise your rights (including the withdrawal of your consent), as well as in the event of questions regarding the processing of your personal data, please contact Moderna at any time using the contact details set out below. 

Without prejudice to any other remedies, you also have the right to lodge a complaint with a supervisory authority at any time.

10. To which Moderna Group Companies does this Data Protection Notice Apply? How can I contact Moderna?

This Data Protection Notice applies to the following Moderna group companies:

  • Moderna Biotech Spain, S.L.U.
    Calle Monte Esquinza 30
    28010 Madrid, Spain

  • Moderna Biotech UK Limited
    11th floor Whitefriars
    Lewins Mead, Bristol, England, BS1 2NT

  • Moderna France SAS
    25 rue du 4 Septembre
    75002 Paris

  • Moderna Germany GmbH
    c/o Rödl & Partner, Äußere Sulzbacher Str. 100,
    90491 Nürnberg

  • Moderna Italy S.r.l.
    Via Della Moscova, 18
    Milano 20121

  • Moderna Switzerland GmbH
    Peter Merian-Weg 10,
    4052 Basel

You can contact the respective Moderna group companies at any time at the contact details set out above for the respective group company. To effectively exercise your rights under data protection law, or in case of any privacy related questions, we would encourage you to contact us via our central privacy email at EUprivacy@modernatx.com.