APTITUDE HEALTH PRIVACY POLICY 2018

  1. INTRODUCTION

This privacy policy applies to all services, products, websites, and other (automated) communication (hereinafter: “services”) provided by Aptitude Health LLC (Atlanta, GA, United States) and Aptitude Health BV (The Hague, the Netherlands).

At Aptitude Health we value the people we work for and work with. This includes the use of personal data of individuals. As Aptitude Health has offices in both the US and the EU, Aptitude Health has made its privacy policy compliant with the General Data Protection Regulation (GDPR) standards.

In this privacy policy we explain what we do with your personal data. Please note that this privacy policy forms part of our Terms of Use and Cookie Policy.

This privacy policy is updated regularly. The latest version is published on our website and takes effect from the day of publication.

 

  2. DEFINITIONS

For a proper understanding of this privacy policy, some knowledge of legal definitions is helpful.

What are “personal data”?

Personal data refers to any information related to an identified or identifiable natural person. There are general and special personal data. Special personal data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, genetic data, biometric data that may identify you as a unique person, and data concerning a person’s sex life or sexual orientation. All other data that may identify you as a natural person are general personal data. In this privacy policy we use the general term “personal data” or “data,” unless otherwise specified.

What is “processing” of personal data?

Processing means any operation, whether or not automated, that is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, making available, combination, restriction, erasure, or destruction. In this privacy policy and for reasons of readability, we use the words “collect(ing),” “use/using,” and “process(ing)” to refer to the legal definition of processing.

What is a “data subject”?

A data subject is any living natural person whose personal data are processed. For reasons of readability, we use the words “person” and “you(r)” to indicate the data subject.

What is a “controller”?

A controller is the legal person who determines the purposes and means of the processing of personal data. In this privacy policy, that is us (hereinafter referred to as: “Aptitude Health” or “we/us/our”).

What is a “processor”?

A processor is a legal person who processes personal data on behalf of and at the instructions of the controller.

What does “GDPR” mean?

GDPR means General Data Protection Regulation, the European regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, adopted by the European Parliament and the European Council on April 27, 2016, and current as of May 25, 2018.

 

  3. COLLECTING PERSONAL DATA

What personal data do we collect?

Aptitude Health collects personal data directly from you or indirectly from third parties, such as our clients or third-party vendors.

The personal data we collect are always and solely connected to you in your professional capacity. The data we collect include your name (first name, last name), gender, title, company and company address, email address, telephone numbers, degrees, professional specialties, special professional interests, billing data such as credit card numbers or bank account numbers, possible billing address, and personalized registration numbers for events. If you ask us to book a flight or a hotel, we also collect location data (travel data). If you are a faculty member who contributes to one of our services (symposia, meetings, etc), we assess whether there are relevant financial relationships that may influence the content of your contribution and/or our services. We sometimes ask faculty members to provide us with recent photographs to use in our promotional materials.

We do not collect special personal data, except for—at your request—dietary information or special needs that may (or may not) relate to your health or religious beliefs.

When do we collect personal data?

Your personal data are collected when you

  • Create an account on our website
  • Register (or are registered with your consent) for one of our events and/or other services
  • Subscribe to our newsletters
  • Contribute to symposia, publications, meetings, boards, presentations, or surveys, and/or you contact us or we contact you to do so
  • Are reimbursed for any contribution to our services
  • Ask us to provide extra services, such as booking flights or hotels
  • Engage with us on or through social media (by mentioning/tagging us or by contacting us directly)
  • Are included in a list of personal data from one of our clients and/or third-party vendors, to provide specific services
  • Confirm intent to participate as chair or faculty member in one of our programs

Do we collect data of patients?

No, we do not. All personal patient data are always anonymized before we receive them.

Do we collect data of children?

No, we do not. Our business is not targeted at children.

 

  4. USE OF PERSONAL DATA

How do we make use of personal data?

We use the personal data that we collect to provide you with the information and services that you expect and/or request from us. This may be stakeholder engagement services, strategic consultancy, publication services, oncology services, digital and virtual services, or any of the other services we may—now and in the future—provide. Some of these data are also used for the receipt of newsletters and emails that inform you about our business activities.

Whenever you register for one of our events or other services, we use your personal data to meet our obligations to provide you with the information and services you ask for. Whenever this includes billing or reimbursement, we use the billing data you provide to exercise our financial rights and obligations.

Your personal data are also used for our internal business purposes, such as improving our services and communication, enhancing our website, and monitoring the use of our website. Data such as specialties, special interests, and degrees, combined with (general) data such as name and (email) address, are used for direct marketing purposes (see below).

We rarely use special data (see definition above). These are only used in the event that you respond to our questions concerning dietary requirements and/or special needs, which may relate to your health and/or religious beliefs.

Is this use lawful?

Yes, it is. Pursuant to the GDPR, there are various legal grounds for processing personal data. Insofar as is relevant, these are

  • You have given us consent to use your personal data for specific purposes
  • We need the personal data for the performance of the contract (or entering into a contract) between you and us
  • There is a legal obligation to process the personal data
  • We, or a third party we work with, have a legitimate interest to process these data

In most cases, we have asked for your consent directly. In other cases, your personal data are provided to us by a client (eg, the party that has asked us to organize an event or render other services) or by third-party vendors (eg, parties that specialize in compiling lists of professionals for whom our services may be of interest). In these 2 cases, Aptitude Health acts as processor rather than controller. On some occasions, it may be that the Client and Aptitude Health jointly determine the purposes and means of the processing of personal data. In that case Aptitude Health and the Client are joint controllers (Article 26 GDPR). Please note that in that case this privacy policy is fully applicable. Whenever you as data subject wish to exercise one of your rights, please contact Aptitude Health, which is always designated as the contact point.

Since our core business is providing you with the knowledge, information, and other services you ask for, we need these data for performance of the agreement we have or will enter into. Without these data, access to our services, information, and knowledge is not possible.

Moreover, it may happen that we (need to) make use of these data to comply with a legal obligation to which Aptitude Health is subject, for example fiscal or medical (accreditation) legislation, court orders, or criminal charges.

Finally, we have our own legitimate interests in processing these data, which include the interests of our clients. These interests are improving our services, our communication, and our website, and business development. Our legitimate interests involve profiling for direct marketing purposes. If you wish to opt out of our direct marketing activities, see below.

As for the processing of special personal data (dietary requirements and/or special needs), this takes place only after you give your explicit consent. With that consent, we have met the legal obligation for the processing of special personal data.

 

  5. SHARING PERSONAL DATA

Since Aptitude Health consists of several companies, all legal entities share personal data with other entities within the group. All entities within the group use the same data for the same purposes.

In order to provide our services to you, we acquire personal data from third parties from time to time. This privacy policy, as well as all security measures we take, applies equally to these data. Whenever we collect personal data for the provision of services to our clients, we sometimes transfer or sell the personal data we collected for the rendering of our services to these clients. Apart from that, we never sell your personal data to any third party we do not work with.

We always work with trusted service providers who help us to carry out our services, improve our work and our (online and offline) communication, and act as processors. Since these service providers have skills and capabilities we may not have, it is in our and your interest that we collaborate with these third parties. These service providers are never allowed to process the personal data of Aptitude Health for other (commercial or non-commercial) purposes than the purposes previously defined by us.

Where appropriate, we share your personal data with third parties, such as local event organizers, agencies and hotels/hotel booking agencies, credit card companies, and banks, for the performance of contractual obligations.

If necessary we also share personal data to meet legal obligations, such as combating fraud, adhering to medical law and accreditation regulations, and maintaining compliance with the EFPIA Code and Sunshine Act.

On our website you will find buttons for social media, such as Facebook, Twitter, LinkedIn, and Google+. When you use these features, these social media may collect your IP address and information about the pages you are visiting on our website, and may set a cookie to enable the feature to function properly. Social media features are either hosted by a third party or hosted directly on our website. Please note that this privacy policy does not apply to these features. Your interactions with these features are governed by the privacy policies of the companies providing them.

 

  6. DATA MINIMIZATION, ACCURACY, AND STORAGE LIMITATION

Aptitude Health complies with the principles of data minimization, accuracy, and storage limitation. In short, this means that we retain personal data only for as long as necessary, and that we clean our databases containing personal data from time to time. Because we use personal data for different purposes, our retention periods may vary.

Along with our responsibility in this regard, you may at all times exercise your rights concerning the accuracy of the personal data we collect from you (see below).

 

  7. SECURITY

We do our utmost to keep the security of your personal data up to date. This includes technical and organizational measures such as encryption techniques, login procedures, firewalls, and regular updates of our technical infrastructure.

As part of these measures, we ensure that access to personal data is restricted to employees who actually work with these data. An account with access to (part of) our systems is created for an employee only after authorization.

 

  8. YOUR RIGHTS AS DATA SUBJECT

As data subject, you are entitled to be informed about what happens with your personal data. This means that you can exercise the following rights:

  • The right to be informed about the way we process your personal data (as in this privacy policy)
  • The right to have access to the personal data we collect about you
  • The right to know the source when these data are not directly collected from you
  • The right to know with whom your data are shared by us
  • The right to have your personal data rectified when these are incomplete, out-of-date, incorrect, or otherwise inaccurate
  • The right to have your personal data erased (the “right to be forgotten”)
  • The right to have the use of your personal data restricted for a limited period of time
  • The right to have your personal data transferred to another service provider
  • The right to object to automated decision-making, including profiling (see below)

Whenever you wish to exercise one of the above-mentioned rights, please contact us. The information you request will be provided by us in a commonly used electronic form.

 

  9. DIRECT MARKETING

You have the right to object at any time to the processing of your personal data for direct marketing purposes. Whenever you do, we will no longer use your data for direct marketing. However, this does not mean that we will no longer use these data for other specified, explicit, and legitimate purposes.

If you created an account on our website, you can simply amend your preferences or follow the “unsubscribe” links provided in our direct marketing emails and our other direct marketing communication. If you do not wish to see personalized marketing content, you can clear the cookies in your browser settings (see our Cookie Statement).

If you have any difficulties or complaints regarding our direct marketing activities that cannot be solved in the above-mentioned way, please contact us.

 

  10. PRIVACY SHIELD

Since we are based in both the European Union and the United States, we are committed to subjecting all the personal data we collect from persons who are citizens of the territory in which the GDPR is applicable to the Privacy Shield’s principles. To learn more about the Privacy Shield you can visit the US Department of Commerce’s Privacy Shield List at: https://www.privacyshield.gov.

However, on 26/06/2018 the European Parliament adopted a Resolution on the adequacy of the protection afforded by the EU-US Privacy Shield (2018/2645(RSP)), by which the European Parliament has taken the position that the current Privacy Shield Arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice. The European Parliament has called on the European Commission to suspend the Privacy Shield, unless the United States is fully compliant by 1 September 2018, until the US Authorities fully comply with its terms.

Aptitude Health acts in full compliance with the EU-US Privacy Shield, but refrains from registration until the terms of the EP Resolution are fully met and the regulatory enforcement powers of the US Federal Trade Commission are fully restored. In certain situations, Aptitude Health may still be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

You may direct any inquiries or complaints related to our Privacy Shield compliance to https://www.privacyshield.gov/welcome

 

  11. COMPLAINTS

If you have any complaints about our way of processing your personal data or if you wish to speak to us about our privacy policy, please contact us. If you feel that we did not handle your complaints satisfactorily, you may apply to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Bezuidenhoutseweg 30, PO Box 93374, 2509 AJ The Hague (The Netherlands), telephone number +31 70 8888 500 or: https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us.

 

  12. CHANGES TO THIS PRIVACY POLICY

We may update this privacy policy from time to time. When the changes are significant, we will notify all our account holders and visitors of our website. Along with this, we advise you to check this page regularly to acquaint yourself with the latest version.

 

This Privacy Policy was last updated on December 4, 2018.