Last Updated: 8/2/22
This policy applies to information we collect
- On the Websites
- In email, text, and other electronic messages between you and Aptitude Health
- When you participate in any virtual or live meetings, conferences, or events organized or presented by us, or programs managed for our clients
It does not apply to information collected by
- Any third party, including but not limited to, any application or content (including advertising) that may link to or be accessible from or through the Websites
What are “personal data”?
What is “processing” of personal data?
What is a “data subject”?
A data subject is any living natural person whose personal data are processed. For reasons of readability, we use the words “person” and “you(r)” to indicate the data subject.
What is a “controller”?
What is a “processor”?
A processor is a legal person who processes personal data on behalf of and at the instruction of the controller.
What does “GDPR” mean?
GDPR is General Data Protection Regulation, the European regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, adopted by the European Parliament and the European Council on April 27, 2016, and current as of May 25, 2018.
COLLECTING PERSONAL DATA
What personal data do we collect?
Aptitude Health collects personal data directly from you or indirectly from third parties, such as our clients or third-party vendors.
The personal data we collect are always and solely connected to you in your professional capacity. The data we collect include your name (first name, last name), gender, title, company and company address, email address, telephone numbers, degrees, professional specialties, special professional interests, billing data such as credit card numbers or bank account numbers, possible billing address, and personalized registration numbers for events. If you ask us to book a flight or a hotel, we also collect location data (travel data). If you are a faculty member who contributes to one of our services (symposia, meetings, etc), we assess whether there are relevant financial relationships that may influence the content of your contribution and/or our services. We sometimes ask faculty members to provide us with recent photographs to use in our promotional materials.
We do not collect special personal data, except for—at your request—dietary information or special needs that may (or may not) relate to your health or religious beliefs.
When do we collect personal data?
Your personal data are collected when you
- Create an account on our Websites
- Register (or are registered with your consent) for one of our events and/or other services
- Subscribe to our newsletters
- Contribute to symposia, publications, meetings, boards, presentations, or surveys, and/or you contact us or we contact you to do so
- Are reimbursed for any contribution to our services
- Ask us to provide extra services, such as booking flights or hotels
- Engage with us on or through social media (by mentioning/tagging us or by contacting us directly)
- Are included in a list of personal data from one of our clients and/or third-party vendors, to provide specific services
- Confirm intent to participate as chair or faculty member in one of our programs
Do we collect data of patients?
No, we do not. If any patient data are inadvertently received, we delete or anonymize such data.
Do we collect data of children?
No, we do not. Our business is not targeted at children. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we delete that information. If you believe we may have any information from or about a child under 16, please contact us.
USE OF PERSONAL DATA
How do we make use of personal data?
We use the personal data that we collect to provide you with the information and services that you expect and/or request from us. This may be business intelligence, medical communications, medical publication, promotional, or any of the other services we may—now and in the future—provide. Some of these data are also used for the receipt of newsletters and emails that inform you about our business activities.
Whenever you register for one of our events or other services, we use your personal data to meet our obligations to provide you with the information and services you ask for. Whenever this includes billing or reimbursement, we use the billing data you provide to exercise our financial rights and obligations.
Your personal data are also used for our internal business purposes, such as improving our services and communication, enhancing our Websites, and monitoring the use of our Websites. Data such as specialties, special interests, and degrees, combined with (general) data such as name and (email) address, are used for direct marketing purposes (see below).
We rarely use special personal data (see definition above). These are only used in the event that you respond to our questions concerning dietary requirements and/or special needs that may relate to your health and/or religious beliefs.
Is this use lawful?
Yes, it is. Pursuant to the GDPR, there are various legal grounds for processing personal data. Insofar as is relevant, these are
- You have given us consent to use your personal data for specific purposes
- We need the personal data for the performance of the contract (or entering into a contract) between you and us
- There is a legal obligation to process the personal data
- We, or a third party we work with, have a legitimate interest to process these data
Since our core business is providing you with the knowledge, information, and other services you ask for, we need these data for performance of the agreement we have or will enter into. Without these data, access to our services, information, and knowledge is not possible.
Moreover, it may happen that we (need to) make use of these data to comply with a legal obligation to which Aptitude Health is subject, for example fiscal or medical (accreditation) legislation, court orders, or criminal charges.
Finally, we have our own legitimate interests in processing these data, which include the interests of our clients. These interests are improving our services, our communication, and our website, and business development. Our legitimate interests involve profiling for direct marketing purposes. If you wish to opt out of our direct marketing activities, see below.
As for the processing of special personal data (dietary requirements and/or special needs), this takes place only after you give your explicit consent. With that consent, we have met the legal obligation for the processing of special personal data.
SHARING PERSONAL DATA
Since Aptitude Health consists of several companies, all legal entities share personal data with other entities within the group. All entities within the group use the same data for the same purposes.
We always work with trusted service providers who help us to carry out our services, improve our work and our (online and offline) communication, and act as processors. Since these service providers have skills and capabilities we may not have, it is in our and your interest that we collaborate with these third parties. These service providers are never allowed to process the personal data of Aptitude Health for (commercial or noncommercial) purposes other than the purposes previously defined by us.
Where appropriate, we share your personal data with third parties, such as local event organizers, agencies and hotels/hotel booking agencies, credit card companies, and banks, for the performance of contractual obligations.
If necessary, we also share personal data to meet legal obligations, such as combating fraud, adhering to medical law and accreditation regulations, and maintaining compliance with the EFPIA Code and Sunshine Act.
DATA MINIMIZATION, ACCURACY, AND STORAGE LIMITATION
Aptitude Health complies with the principles of data minimization, accuracy, and storage limitation. In short, this means that we retain the personal data only for as long as necessary, and that we clean our databases containing personal data periodically. Because we use personal data for different purposes, our retention periods may vary.
Along with our responsibility in this regard, you may at all times exercise your rights concerning the accuracy of the personal data we collect from you (see below).
We do our utmost to keep the security of your personal data up-to-date. This includes technical and organizational measures such as encryption techniques, login procedures, firewalls, and regular updates of our technical infrastructure.
As part of these measures, we ensure that access to personal data is restricted to employees who actually work with these data. An account with access to (part of) our systems is created for an employee only after authorization.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Websites, you are responsible for keeping this password confidential. We ask you to not share your password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Websites. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Websites.
YOUR RIGHTS AS DATA SUBJECT
As data subject, you are entitled to be informed about what happens with your personal data. This means that you can exercise the following rights
- The right to have access to the personal data we collect about you
- The right to know the source when these data are not directly collected from you
- The right to know with whom your data are shared by us
- The right to have your personal data rectified when these are incomplete, out-of-date, incorrect, or otherwise inaccurate
- The right to have your personal data erased (the “right to be forgotten”)
- The right to have the use of your personal data restricted for a limited period of time
- The right to have your personal data transferred to another service provider
- The right to object to automated decision-making, including profiling (see below)
Whenever you wish to exercise one of the above-mentioned rights, please contact us. The information you request will be provided by us in a commonly used electronic form.
You have the right to object at any time to the processing of your personal data for direct marketing purposes. Whenever you do, we will no longer use your data for direct marketing. However, this does not mean that we will no longer use these data for other specified, explicit, and legitimate purposes.
If you have any difficulties or complaints regarding our direct marketing activities that cannot be solved in the above-mentioned way, please contact us.
GDPR STANDARD CONTRACTUAL CLAUSES – EU stopped recognizing as of July 16, 2020
Aptitude Health operates in the United States, the European Union, and throughout the world. Personal information may be transferred, accessed, and stored globally as necessary for the uses stated above in accordance with this notice, and in compliance with local regulations.
Personal Data may be transferred to or processed in locations outside of the European Economic Area (EEA), some of which have not been determined by the European Commission to have an adequate level of data protection. In that case, for personal data subject to European data protection laws, we take measures designed to provide the level of data protection required in the EU, including ensuring transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission (available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en), or another adequate transfer mechanism.
When we receive requests to disclose personal data from law enforcement or regulators, we carefully validate these requests, including reviewing the legality of any order and challenging the order if there are grounds under the law to do so, before any personal data are disclosed. You may direct any inquiries or complaints related to our GDPR compliance here.
YOUR STATE PRIVACY RIGHTS
State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information.
This Policy does not apply to workforce-related personal information collected from California-based employees, job applicants, contractors, or similar individuals (see California Employee Privacy Notice contained herein).
Where noted in this Policy, the CCPA temporarily exempts personal information reflecting a written or verbal business-to-business communication (“B2B personal information”) from some of its requirements.
Information We Collect
We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information”). Personal information does not include
- Publicly available information from government records
- Deidentified or aggregated consumer information
- Information excluded from the CCPA’s scope, such as
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or other qualifying research data
- Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994
In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:
We obtain the categories of personal information listed above from the following categories of sources
- Directly from you, eg, from forms you complete or products and services you purchase
Use of Personal Information
We may use or disclose the personal information we collect for one (1) or more of the following purposes
- To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns
- To provide, support, personalize, and develop our Websites, emails, products, and services
- To create, maintain, customize, and secure your account with us
- To process your requests, purchases, transactions, and payments and prevent transactional fraud
- To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses
- To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law)
- To help maintain the safety, security, and integrity of our Websites, products and services, databases and other technology assets, and business
- For testing, research, analysis, and product development, including to develop and improve our Websites, products, and services
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations
- As described to you when collecting your personal information or as otherwise set forth in the CCPA or the CPRA
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Website users or clients is among the assets transferred
We do not collect additional categories of personal information or use the personal information we collect for materially different, unrelated, or incompatible purposes without providing you notice.
Sharing Personal Information
We may share your personal information by disclosing it to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, Company has disclosed personal information for a business purpose to some of the categories of third parties indicated in the chart below.
We do not sell personal information. In the preceding twelve (12) months, Company has not sold the following categories of personal information to the categories of third parties indicated in the chart below. For more on your personal information sale rights, see Personal Information Sales Opt-Out and Opt-In Rights, herein.
Deidentified Patient Information
We do not sell deidentified patient information exempt from the CCPA to third parties.
Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Right to Know and Data Portability
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the “right to know”). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete), we will disclose to you
- The categories of personal information we collected about you
- The categories of sources for the personal information we collected about you
- Our business or commercial purpose for collecting or selling that personal information
- The categories of third parties with whom we share that personal information
- If we sold or disclosed your personal information for a business purpose, two (2) separate lists disclosing
- Sales, identifying the personal information categories that each category of recipient purchased; and
- Disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained
- The specific pieces of personal information we collected about you (also called a data portability request)
We do not provide a right-to-know or data portability disclosure for B2B personal information.
Right to Delete
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the “right to delete”). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete, herein), we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations on the basis of your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.
We do not provide these deletion rights for B2B personal information.
Exercising Your Rights to Know or Delete
To exercise your rights to know or delete described above, please submit a request to:
Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information.
You may only submit a request to know twice within a twelve (12)-month period. Your request to know or delete must
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include
- Valid Government-Issued Identification
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password-protected account sufficiently verified when the request relates to personal information associated with that specific account.
We will only use personal information provided in the request to verify the requestor’s identity or authority to make it.
Response Timing and Format
We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the ten (10)-day time frame, please contact us at:
We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another forty-five days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide cover only the twelve (12)-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not
- Deny you goods or services
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties
- Provide you a different level or quality of goods or services
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services
Attention: Chief Privacy Officer
5901-C Peachtree Dunwoody Road NE
Atlanta, GA 30328
Wilhelmina van Pruisenweg 104
2595 AN The Hague
If you need to access this Policy in an alternative format to accommodate a disability, please contact us at aptitudehealth.com/contact-us.
CALIFORNIA EMPLOYEE PRIVACY NOTICE
The California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act (CPRA), effective January 1, 2023, impose specific obligations on businesses processing personal information of California residents. Pursuant to the CCPA and the CPRA, Aptitude Health, LLC and Aptitude Health BV (“Aptitude Health,” “we,” or “us”) are required to provide employees who are California residents (“California Persons”) a notice, used at or before the point of collection of such personal information, that identifies the categories of personal information that may be collected and why Aptitude Health collects such information.
This California Employee Privacy Notice (“Notice”) is intended to provide California Persons with the CCPA- and CPRA-required notice.
“Personal information” has the meaning as defined in the CCPA, and includes information that is collected by Aptitude Health about you in the course of employment for employment-related purposes and encompasses any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you.
“Process,” “processed,” or “processing” means any operation or set of operations performed on personal information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal information.
“Employees,” “employee,” or “you” means an identified or identifiable natural person who is a California resident and who is acting as an Aptitude Health job applicant, employee, or contractor. In this context, “job applicant” refers to any person who has submitted their candidacy with Aptitude Health; “employee” refers to any person who is employed at Aptitude Health as a full- or part-time employee or temporary worker, and “contractor” means a natural person who provides any service to a business pursuant to a written contract.
Personal Information We Collect About You
Listed below are the categories of personal information that Aptitude Health may process about employees:
- Identifiers, including real name, alias, postal address, unique personal identifiers, email, account name, social security number, driver’s license number, passport number, or other similar identifiers. In this context, a “unique personal identifier” means a persistent identifier that can be used to recognize an employee, or a device that is linked to an employee, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, or similar technology; unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers.
- Characteristics of Protected Classifications Under California or Federal Law, including the following: race, skin color, national origin, religion (includes religious dress and grooming practices), sex/gender (includes pregnancy, childbirth, breastfeeding and/or related medical conditions), gender identity, gender expression, sexual orientation, marital status, medical condition (such as genetic characteristics, cancer, or a record or history of cancer), disability (such as mental and physical, including HIV/AIDS, or cancer), military or veteran status, request for family care leave, request for leave for an employee’s own serious health condition, request for pregnancy disability leave, and age.
- Internet or Other Electronic Network Activity Information, including browsing history, search history, application access location and information regarding an employee’s interaction with an internet website, application or advertisement, time and geolocation data related to use of an internet website, application or physical access to an Aptitude Health office location.
- Professional or Employment-Related Information, including job-related data, maintained as part of the employment relationship that is present in: a job application or résumé; an employment contract; a contractor agreement; a performance review; a disciplinary record; photos; payroll- and benefits-related data; internal and external contact information; or information captured from video, audio, systems, or other forms of monitoring or surveillance.
- Education Information, including information about an employee’s educational background, such as education records, report cards, and transcripts that are not publicly available.
Purposes for Collecting Your Personal Information
Aptitude Health collects the personal information identified above for the reasons listed below:
- To Recruit Employees, including to conduct employment-related background screening and checks.
- To Administer Benefits, such as medical, dental, optical, commuter, and retirement benefits, including recording and processing eligibility of dependents, absence and leave monitoring, insurance and accident management, and provision of online total reward information and statements.
- To Pay and Reimburse for Expenses, including salary administration, payroll management, payment of expenses, to administer other compensation-related payments, including assigning amounts of bonus payments to individuals, administration of departmental bonus pools, and administration of stock option payments.
- To Conduct Performance-Related Reviews, including performance appraisals, career planning, skills monitoring, job moves, promotions, and staff restructuring.
- To Monitor Work-Related Licenses and Credentials, including provisioning software licenses for use in the course of an employee’s work-related responsibilities, ensuring compliance, training, examination, and other requirements are met with applicable regulatory bodies.
- To Provide Our Employees with Human Resources Management Services, including providing employee data maintenance and support services, administration of separation of employment, approvals and authorization procedures, administration and handling of employee claims, and travel administration.
- To Administer International Assignments, including relocation services, documenting assignment terms and conditions, obtaining relevant immigration documents, initiating vendor services, fulfilling home/host country tax administration and filing obligations, addressing health requirements, and populating the International Mobility global system.
- To Maintain Your Contact Information, including altering your details across relevant entities within Aptitude Health.
- To Assist You in Case of Emergency, including maintenance of contact details for you and your dependents in case of personal or business emergency.
- To Monitor Eligibility to Work in the US or the EU, which means monitoring and ensuring compliance of employees’ ability to work in the US or EU.
- To Conduct Healthcare-Related Services, including conducting pre-employment and employment-related medical screenings for return-to-work processes and medical case management needs; determining medical suitability for particular tasks; identifying health needs of employees to plan and provide appropriate services, including operation of sickness policies and procedures; and providing guidance on fitness for travel and fitness for expatriation.
- To Facilitate Better Working Environment, which includes conducting staff surveys, providing senior management information about other employees, and conducting training.
- To Ensure a Safe and Efficient Working Environment, which includes Aptitude Health actions relating to disciplinary actions, and code-of-conduct processes and investigations.
- To Maintain Security on Aptitude Health Websites and Internet-Connected Assets, which includes hosting and maintenance of computer systems and infrastructure; management of Aptitude Health’s software and hardware computer assets; systems testing, such as development of new systems and end-user testing of computer systems; training; and monitoring email and Internet access.
- To Comply With Applicable Law or Regulatory Requirements, such as legal (state and federal) and internal company reporting obligations, including headcount, management information, demographic and health, safety, security, and environmental reporting.
If you have any questions regarding this statement, please contact:
Attention: Chief Privacy Officer
5901-C Peachtree Dunwoody Road NE
Atlanta, GA 30328
Wilhelmina van Pruisenweg 104
2595 AN The Hague
If you feel that we did not handle your complaints satisfactorily, you may apply to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Bezuidenhoutseweg 30, PO Box 93374, 2509 AJ The Hague (The Netherlands), telephone number +31 70 8888 500 or: https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us.
CHANGES TO THIS POLICY