What are “personal data”?
What is “processing” of personal data?
What is a “data subject”?
A data subject is any living natural person whose personal data are processed. For reasons of readability we will use the words “person” and “you(r)” to indicate the data subject.
What is a “controller”
What is a “processor”
A processor is a legal person who processes personal data on behalf of and at the instructions of the controller.
What does “GDPR” mean?
GDPR means General Data Protection Regulation, the European regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, adopted by the European Parliament and the European Council on April 27, 2016, and current as of May 25, 2018.
- COLLECTING PERSONAL DATA
What personal data do we collect?
prIME Oncology collects personal data directly from you or indirectly from third parties, such as our business partners and/or third-party vendors.
The personal data we collect are always and merely connected to you in your professional capacity. The data we collect include your names (first names, last name), gender, title, company and company address, e-mail address, telephone numbers, degrees, professional specialties, special professional interests, billing data such as credit card numbers or bank account numbers, possible billing address, and personalized registration numbers for events. If you ask us to book a flight or a hotel, we also collect location data (travel data). When you are a faculty member who contributes to one of our services (symposia, meetings, etc), we assess whether there are relevant financial relationships that may influence the content of your contribution and/or our services. Sometimes we ask faculty members to provide us with recent photographs to use on our promotional material.
We do not collect special personal data, except for – at your request – dietary information or special needs which may (or may not) relate to your health or religious beliefs.
When do we collect personal data?
Your personal data are collected when:
- you make an account on our website
- you register (or are registered with your consent) for one of our events and/or other services
- you subscribe to our newsletters
- you contribute to symposia, publications, meetings, boards, presentations, or surveys, and/or you contact us or we contact you to do so
- you will be reimbursed for any contribution to our services
- you ask us to provide extra services such as booking flights or hotels
- you engage with us on or through social media (by mentioning/tagging us or by contacting us directly)
- one of our business partners provides us with a list of personal data to provide specific services and/or these lists are provided by third-party vendors.
- you have confirmed intent to participate as chair or faculty member in one of our programs
Do we collect data of patients?
No, we do not. All information concerning patients’ personal data is always anonymized before we receive it.
Do we collect data of children?
No, we do not. Our business is not aimed at children.
- USE OF PERSONAL DATA
How we make use of personal data?
We use the personal data that we collect to provide you with the information and services that you expect and/or request from us. This may be access to (online) events, meetings, presentations, and publications, as well as receipt of newsletters and e-mails that inform you about our business activities.
Whenever you have registered for one of our events or other services, we use your personal data to meet our obligations to provide you with the information and services you asked for. Whenever this includes billing or reimbursement, we use the billing data you provided to exercise our financial rights and obligations.
Your personal data are also used for our internal business purposes, such as improving our services and communication, enhancing our website, and monitoring the use of our website. Data such as specialties, special interests, and degrees, combined with (general) data such as name and (e-mail) address, are used for direct marketing purposes (see below).
We rarely use special data (see definition above). These are only used in the event that you have responded to our questions concerning dietary requirements and/or special needs, which may relate to your health and/or religious beliefs.
Is this use lawful?
Yes, it is. Pursuant to the GDPR, there are various legal grounds for processing personal data. Insofar as is relevant, these are:
- you have given us consent to use your personal data for specific purposes
- we need the personal data for the performance of the contract (or entering into a contract) between you and us
- there is a legal obligation to process the personal data
- we – or a third party we work with – have a legitimate interest to process these data
In most cases, we have asked for your consent directly. In other cases, your personal data are provided to us by a business partner (ie, the party that has asked us to organize an event or render other services) or by third-party vendors (ie, parties that are specialized in compiling lists of professionals for whom our services may be of interest). In these two cases, prIME Oncology acts as processor rather than controller.
Since our core business is providing you with the knowledge, information, and other services you asked for, we need these data for performance of the agreement we have or will enter into. Without these data, access to our services, information, and knowledge is impossible.
Moreover, it may happen that we (have to) make use of these data to comply with a legal obligation to which prIME Oncology is subject, for example fiscal or medical (accreditation) legislation, court orders, or criminal charges.
Finally, we have our own legitimate interests in processing these data, which include the interests of our business partners. These interests are improving our services, our communication, our website, and business development. Our legitimate interests involve profiling for direct marketing purposes. If you wish to opt out from our direct marketing activities, see below.
As for the processing of special personal data (dietary requirements and/or special needs), this only takes place after your explicit consent. With that consent, we have met the legal obligation for the processing of special personal data.
- SHARING PERSONAL DATA
Since prIME Oncology consists of a group of companies, all legal entities share personal data with other entities within the group. All entities within the group use the same data for the same purposes.
We always work with trusted service providers, who help us to carry out our services and make us improve our work and our (online and offline) communication and act as processors. Since these service providers have skills and capabilities we may not have, it is in our and your interest that we collaborate with these third parties. These service providers are never allowed to process the personal data of prIME Oncology for other (commercial or noncommercial) purposes than the purposes previously defined by us.
In the context of an onward transfer of personal data, prIME Oncology shall remain responsible for the processing of personal data to a third party who acts as a processor on our behalf. Whenever this third party processes personal data in a manner that is inconsistent with our instructions, we shall remain liable for the consequences, unless we can prove that we are not responsible for the event giving rise to the damage.
Where appropriate we share your personal data with third parties, such as CME providers, organizers of live events, travel agencies and hotels/hotel booking agencies, credit card companies, and banks, for the performance of contractual obligations.
If necessary we also share personal data to meet legal obligations, such as combating fraud, adhering to medical law and accreditation regulations), and maintaining compliance with the EFPIA Code and Sunshine Act.
- DATA MINIMIZATION, ACCURACY, & STORAGE LIMITATION
prIME Oncology complies to the principles of data minimization, accuracy, and storage limitation. In short, this means that we will merely retain the personal data for as long as it is necessary, and that we clean up our databases containing personal data from time to time. Given the fact that we use personal data for different purposes, our retention periods may vary.
Along with own responsibility in this regard, you can at all times exercise your rights concerning the accuracy of the personal data we collected from you (see below).
We do our utmost to keep the security of your personal data up to date. This implies technical and organizational measures such as encryption techniques, login procedures, firewalls, and regular updates of our technical infrastructure.
As part of this, we see to it that access to (part of) our systems is restricted to employees who actually work with personal data. An account with access to (part of) our systems is created for an employee only after authorization.
- YOUR RIGHTS AS DATA SUBJECT
As data subject, you are entitled to be informed about what happens with your personal data. This means that you can exercise the following rights:
- the right to have access to the personal data we collected about you: you can request a copy of your personal data collected by us, which will be provided to you in a machine readable form
- the right to know the source when these data are not directly collected from you
- the right to know with whom your data are shared by us
- the right to have your personal data rectified when these are incomplete, out-of-date, incorrect, or otherwise inaccurate
- the right to have your personal data erased (the “right to be forgotten”)
- the right to obtain a restriction of processing by us for a period of time when the use of the personal data is contested on the ground that this use is inaccurate, unlawful, or no longer necessary or when you have objected to processing pursuant to article 21 (1) GDPR (profiling), pending the verification
- the right to have your personal data transferred to another service provider
- the right to object to automated decision making, including profiling (see below)
Whenever you wish to exercise one of the above-mentioned rights, please contact us. The information you request shall be provided by us in a commonly used electronic form.
- DIRECT MARKETING
You have the right to object at any time to the processing of your personal data for direct marketing purposes. Whenever you do, we shall no longer use your data for direct marketing. However, this doesn’t mean that we will no longer use these data for other specified, explicit and legitimate purposes.
If you have any difficulties or complaints regarding our direct marketing activities, which cannot be solved in the above mentioned way, please contact us.
- PRIVACY SHIELD
With respect to personal data received or transferred pursuant to the Privacy Shield, prIME Oncology is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC) and/or the Department of Transportation. In certain situations, prIME Oncology may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, prIME Oncology commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield Policy should first contact prIME Oncology at: info@prIMEoncology.org. Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. For more information, see: https://www.privacyshield.gov/article?id=A-Scope.
prIME Oncology shall, at all times, cooperate with EU Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources and non-human resources data transferred from the EU and Switzerland.
- EU citizens: Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Bezuidenhoutseweg 30, P.O. Box 93374, 2509 AJ The Hague (the Netherlands),
Telephone number +31 70 8888 500
- Swiss citizens: Office of the Federal Data Protection and Information Commissioner FDPIC Feldeggweg 1
CH – 3003 Berne
Telephone number +41 58 46243 95