What are “personal data”?
What is “processing” of personal data?
What is a “data subject”?
A data subject is any living natural person whose personal data are processed. For reasons of readability, we use the words “person” and “you(r)” to indicate the data subject.
What is a “controller”?
What is a “processor”?
A processor is a legal person who processes personal data on behalf of and at the instructions of the controller.
What does “GDPR” mean?
GDPR means General Data Protection Regulation, the European regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, adopted by the European Parliament and the European Council on April 27, 2016, and current as of May 25, 2018.
COLLECTING PERSONAL DATA
What personal data do we collect?
Aptitude Health collects personal data directly from you or indirectly from third parties, such as our clients or third-party vendors.
The personal data we collect are always and solely connected to you in your professional capacity. The data we collect include your name (first name, last name), gender, title, company and company address, email address, telephone numbers, degrees, professional specialties, special professional interests, billing data such as credit card numbers or bank account numbers, possible billing address, and personalized registration numbers for events. If you ask us to book a flight or a hotel, we also collect location data (travel data). If you are a faculty member who contributes to one of our services (symposia, meetings, etc), we assess whether there are relevant financial relationships that may influence the content of your contribution and/or our services. We sometimes ask faculty members to provide us with recent photographs to use in our promotional materials.
We do not collect special personal data, except for—at your request—dietary information or special needs that may (or may not) relate to your health or religious beliefs.
When do we collect personal data?
Your personal data are collected when you
- Create an account on our website
- Register (or are registered with your consent) for one of our events and/or other services
- Subscribe to our newsletters
- Contribute to symposia, publications, meetings, boards, presentations, or surveys, and/or you contact us or we contact you to do so
- Are reimbursed for any contribution to our services
- Ask us to provide extra services, such as booking flights or hotels
- Engage with us on or through social media (by mentioning/tagging us or by contacting us directly)
- Are included in a list of personal data from one of our clients and/or third-party vendors, to provide specific services
- Confirm intent to participate as chair or faculty member in one of our programs
Do we collect data of patients?
No, we do not. All personal patient data are always anonymized before we receive them.
Do we collect data of children?
No, we do not. Our business is not targeted at children.
USE OF PERSONAL DATA
How do we make use of personal data?
We use the personal data that we collect to provide you with the information and services that you expect and/or request from us. This may be business intelligence, medical communications, publication services, promotional services, digital and virtual services, strategic consultancy or any of the other services we may—now and in the future—provide. Some of these data are also used for the receipt of newsletters and emails that inform you about our business activities.
Whenever you register for one of our events or other services, we use your personal data to meet our obligations to provide you with the information and services you ask for. Whenever this includes billing or reimbursement, we use the billing data you provide to exercise our financial rights and obligations.
Your personal data are also used for our internal business purposes, such as improving our services and communication, enhancing our website, and monitoring the use of our website. Data such as specialties, special interests, and degrees, combined with (general) data such as name and (email) address, are used for direct marketing purposes (see below).
We rarely use special data (see definition above). These are only used in the event that you respond to our questions concerning dietary requirements and/or special needs, which may relate to your health and/or religious beliefs.
Is this use lawful?
Yes, it is. Pursuant to the GDPR, there are various legal grounds for processing personal data. Insofar as is relevant, these are
- You have given us consent to use your personal data for specific purposes
- We need the personal data for the performance of the contract (or entering into a contract) between you and us
- There is a legal obligation to process the personal data
- We, or a third party we work with, have a legitimate interest to process these data
Since our core business is providing you with the knowledge, information, and other services you ask for, we need these data for performance of the agreement we have or will enter into. Without these data, access to our services, information, and knowledge is not possible.
Moreover, it may happen that we (need to) make use of these data to comply with a legal obligation to which Aptitude Health is subject, for example fiscal or medical (accreditation) legislation, court orders, or criminal charges.
Finally, we have our own legitimate interests in processing these data, which include the interests of our clients. These interests are improving our services, our communication, and our website, and business development. Our legitimate interests involve profiling for direct marketing purposes. If you wish to opt out of our direct marketing activities, see below.
As for the processing of special personal data (dietary requirements and/or special needs), this takes place only after you give your explicit consent. With that consent, we have met the legal obligation for the processing of special personal data.
SHARING PERSONAL DATA
Since Aptitude Health consists of several companies, all legal entities share personal data with other entities within the group. All entities within the group use the same data for the same purposes.
We always work with trusted service providers who help us to carry out our services, improve our work and our (online and offline) communication, and act as processors. Since these service providers have skills and capabilities we may not have, it is in our and your interest that we collaborate with these third parties. These service providers are never allowed to process the personal data of Aptitude Health for other (commercial or non-commercial) purposes than the purposes previously defined by us.
Where appropriate, we share your personal data with third parties, such as local event organizers, agencies and hotels/hotel booking agencies, credit card companies, and banks, for the performance of contractual obligations.
If necessary, we also share personal data to meet legal obligations, such as combating fraud, adhering to medical law and accreditation regulations, and maintaining compliance with the EFPIA Code and Sunshine Act.
DATA MINIMIZATION, ACCURACY, AND STORAGE LIMITATION
Aptitude Health complies with the principles of data minimization, accuracy, and storage limitation. In short, this means that we retain personal data only for as long as necessary, and that we clean our databases containing personal data from time to time. Because we use personal data for different purposes, our retention periods may vary.
Along with our responsibility in this regard, you may at all times exercise your rights concerning the accuracy of the personal data we collect from you (see below).
We do our utmost to keep the security of your personal data up to date. This includes technical and organizational measures such as encryption techniques, login procedures, firewalls, and regular updates of our technical infrastructure.
As part of these measures, we ensure that access to personal data is restricted to employees who actually work with these data. An account with access to (part of) our systems is created for an employee only after authorization.
YOUR RIGHTS AS DATA SUBJECT
As data subject, you are entitled to be informed about what happens with your personal data. This means that you can exercise the following rights:
- The right to have access to the personal data we collect about you
- The right to know the source when these data are not directly collected from you
- The right to know with whom your data are shared by us
- The right to have your personal data rectified when these are incomplete, out-of-date, incorrect, or otherwise inaccurate
- The right to have your personal data erased (the “right to be forgotten”)
- The right to have the use of your personal data restricted for a limited period of time
- The right to have your personal data transferred to another service provider
- The right to object to automated decision-making, including profiling (see below)
Whenever you wish to exercise one of the above-mentioned rights, please . The information you request will be provided by us in a commonly used electronic form.
You have the right to object at any time to the processing of your personal data for direct marketing purposes. Whenever you do, we will no longer use your data for direct marketing. However, this does not mean that we will no longer use these data for other specified, explicit, and legitimate purposes.
If you created an account on our website, you can simply amend your preferences or follow the “unsubscribe” links provided in our direct marketing emails and our other direct marketing communication. If you do not wish to see personalized marketing content, you can clear the cookies in your browser settings (see our Cookie Statement).
If you have any difficulties or complaints regarding our direct marketing activities that cannot be solved in the above-mentioned way, please .
Since we are based in both the European Union and the United States, we are committed to subjecting all the personal data we collect from persons who are citizens of the territory in which the GDPR is applicable to the Privacy Shield’s principles. To learn more about the Privacy Shield you can visit the US Department of Commerce’s Privacy Shield List at: https://www.privacyshield.gov.
However, on 26/06/2018 the European Parliament adopted a Resolution on the adequacy of the protection afforded by the EU-US Privacy Shield (2018/2645(RSP)), in which it took the position that the current Privacy Shield Arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice. The European Parliament called on the European Commission to suspend the Privacy Shield, unless the United States is fully compliant by 1 September 2018, until the US authorities fully comply with its terms.
Aptitude Health acts in full compliance with the EU-US Privacy Shield, but refrains from registration until the terms of the EP Resolution are fully met and the regulatory enforcement powers of the US Federal Trade Commission are fully restored. In certain situations, Aptitude Health may still be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.