Last updated: February 2020
This policy explains how the information we collect when you use an NEJM Group website, mobile or tablet application, or other online service (each a “Service” and collectively “Services”) that links or refers to this policy will be used and shared.
WHAT INFORMATION DO WE COLLECT?
Information You Provide to Us
We will collect information from you if you register, establish a personal profile to gain access to certain content or services, if you ask to be notified by email about online content, if you participate in surveys we conduct, or otherwise interact with the Services. This requires the input of information that identifies you or your device, directly or indirectly, whether used on its own or combined with other information (“Personal Information”).
Personal Information we collect includes, but is not limited to, identifiers such as your name, username and password, address (postal and email), telephone number, professional background and educational information, certain legally protected demographic information, such as your age, and inferences that can be drawn from that information.
If you request paid content or services, including subscriptions, we will also ask for credit card and other billing information. We also retain records of what products and services you obtain from us and collect information that you provide when you comment on our content, register to participate in events (either in-person or online), and when you submit material to a Service.
NEJM CareerCenter users — In addition to the above information, we also collect your CV.
NEJM Knowledge+ users — In addition to the above information, we also collect information about your professional board membership and certifications.
Third Party Social Media
If you choose to register and sign in using a third party social media account, the authentication of your login is handled by the third-party account and the Services may collect your name, profile photograph, email address, and any other information from your third-party account that you agree to share at the time you give permission to link your third-party account with the Services. By doing this, you are authorizing us to collect, store, and use the data they send us.
Information Collected Automatically
In addition to the information that you provide to us directly, we may collect information about your Internet Activity and use of the Services to help us measure and analyze traffic and usage. This helps us to enhance and improve the Services. For example, we may collect:
- Device Information — such as your hardware model, IP address, other unique identifiers, operating system version, browser type and settings, and the settings of the device you use to access a Service.
- Usage Information — such as information about the Services you use, the date and time, the duration of your usage, the files downloaded or viewed, and other information about your interaction with content offered through a Service.
- Geo-Location Information — such as the general location of your device in order to provide you with more relevant content and ads for where you are in the world when you use certain Services.
Other Information We Collect
We may also collect other information about you, your device, or your use of the Services in ways that we describe to you at the point of collection or otherwise with your consent. You may choose not to provide us with certain types of information but doing so may affect your ability to use the Services.
Most web browsers automatically accept cookies but can be configured not to or to notify you when a cookie is being sent. If you wish to disable cookies, refer to your browser help menu to learn how. If you disable cookies, doing so may interfere with or prevent the proper function of a Service.
Clear Gifs (Web Beacons/Web Bugs)
We may also use clear gifs, which are tiny graphics with unique identifiers that function similarly to cookies to help us to track activity. We do not use these to collect personally identifying information.
HOW IS THIS INFORMATION USED?
Information collected automatically is used to monitor users’ interests and usage patterns in order to help us enhance and improve our service offerings.
How We Share Your Information
We may share information with certain third parties, including vendors providing contracted services to us, such as hosting vendors, advertising service providers, data analytics and customer support providers, IT service providers, and list managers. We share your information, including your payment information, as appropriate to process your payment for a Service or to complete a transaction. When requested by you, we may also share your information with medical credentialing and accreditation organizations in connection with our continuing medical education and maintenance of certification offerings. These providers and organizations are obligated to maintain your personal information as confidential and have access to your personal information only as necessary to perform their requested function on your behalf.
We may also report aggregate information about usage to third parties, including our service providers and advertisers.
We may share your information within NEJM Group or otherwise use your information with your consent or at your direction.
For NEJM Catalyst users, we may share your information with sponsors or other third parties to provide them with an opportunity to offer products and services that may be of interest to you. If so, we will notify you and obtain your consent at the time of download or registration.
For NEJM Knowledge+ users, if your access is purchased for you through a residency program, we may share with your residency program administrators your personal information and certain usage and performance data, including your progress and time spent in various modules, your practice exam scores, and your metacognitive scores.
For NEJM Resident 360 users, the profile information you provide (including your profile photo, bio, professional specialty, employer, and the school you attend) may be made public. We may also use your profile information if you invite others to join or connect with you. You may be invited to participate in discussions, post comments, or otherwise engage in networking activities. MMS does not control what users post to these forums or social networks. You should carefully consider whether you wish to submit personal information to these forums or social networks and tailor any content you submit appropriately.
For NEJM CareerCenter users, CVs and cover letters uploaded to our site are not shared or forwarded, except at the option of the jobseeker. Jobseekers are not required to create a physician profile to apply for an open position but are encouraged to do so. The contact information included in the physician profile is controlled by and may be limited by the jobseeker and you have the option to hide your profile so that it is not available to prospective employers.
Advertisers and Use of Personal Information
From time to time, we rent our print subscriber list, which includes personal identifiers such as subscriber names and postal addresses, to third parties that have products or services that we believe will be of interest to our customers. Even if we share our mailing lists with these other companies, however, please be assured we do not share your email address or credit card information. If you do not want us to rent your postal address information, contact us at DPO@mms.org.
Advertisement Servers and Third-Party Tracking
Some of the advertisements included on the Services are delivered or served by third parties that may collect anonymous information. These third parties may place or recognize cookies, pixel tags, web beacons or other technology to track anonymous information, in part, to measure and analyze the efficacy of the advertising they place at the Services. These third parties also may have the ability to link the information they collect when you use the Services, such as the identifier for the device you are using, with other information they collect elsewhere on the Internet to gain additional insights into their target audience.
WHAT SECURITY MEASURES ARE USED?
We endeavor to keep your personal information confidential and protected against unauthorized access, misuse or alteration with commercially reasonable physical, technical, and administrative measures. However, as effective as these measures are, no security system is impenetrable. We cannot guarantee the security of electronic data nor can we guarantee that the information you supply will not be intercepted.
HOW TO MAKE CHANGES TO YOUR INFORMATION
Once you have created an account at one of our Sites, you can update your personal information at any time. You may also choose to stop receiving offer information from us about content or services by updating your account preferences or using the “unsubscribe” or other means provided within the communications you receive from us. You may also contact our Customer Service Department by the following:
- Telephone: 800-843-6356 or +1 781-434-7888 (outside the United States and Canada)
- Email: firstname.lastname@example.org
- Mail: Customer Service, NEJM Group, 860 Winter Street, Waltham, MA 02451-1413, USA.
User-Generated Content Forums
Any data or personal information that you submit to us as user-generated content becomes public and may be used by the MMS in connection with the Services and other NEJM Group and MMS publications and offerings in any and all media.
Do Not Track Signals
Like most web services, at this time we do not alter our behavior or change our Services in response to do not track signals.
Compliance with Legal Process
We may disclose personally identifying information if we are required to do so by law or we in good faith believe that such action is necessary to (1) comply with the law or legal process; (2) protect our rights and property; (3) protect against misuse or the unauthorized use of a Service; or (4) protect the personal safety or property of our employees, users, or the public.
Cross-Border Transfer of Your Information
The Services are headquartered in the United States. Your personal information may be transferred outside of your country of residence to the United States or another country for processing. By using a Service, you consent to the collection, international transfer, storage, and processing of your information outside of your country of residence, in which case the personal data protection rules may differ from the rules in your country.
The Services are not intended for children under 16 years of age. We do not knowingly collect or store any personal information from children under 16.
Changes to This Policy
We can also be contacted by telephone at 800-834-6356 or +1 781-434-7888 (outside the United States and Canada)
NEJM Group offices are located at 860 Winter Street, Waltham, MA 02451, USA.
Additional Privacy Information for Users in the EU
For our users in the European Union we are providing some additional information below as required by the EU General Data Protection Regulation (“GDPR”).
The data controller for the Services is: Massachusetts Medical Society, 860 Winter Street, Waltham, MA 02451 USA
2. Data Protection Officer
You can contact our Data Protection Officer at: Attn: Data Protection Officer, Massachusetts Medical Society, 860 Winter Street, Waltham, MA 02451 USA
3. Representative in the EU
MMS’s representative in the EU (Art. 27 GDPR) is: Dr. Stefan Freytag, Straßer Ventroni Deubzer Freytag & Jäger Rechtsanwälte, Oberanger 30, 80331 München, Germany
4. Additional Information about Processing of Personal Data
4.1 Processing for or Prior to Entering into a Contract
4.2 Processing on the Basis of Your Consent
You may at any time revoke a consent granted hereunder in accordance with GDPR. In case of revocation, MMS will not process the personal data subject to this consent any longer unless legally required to do so. However, any revocation of your consent has by law no effect on past processing of personal data by MMS up to the point in time of your revocation. Furthermore, if your use of a Service requires your consent, MMS will no longer be able to provide the relevant Service to you after your revocation.
4.3 In Order to Comply with a Legal Obligation
4.4 Aggregated Anonymous or Pseudonymous Use of Data
4.5 Duration of Processing of Personal Data
Where MMS is processing and using your personal data as permitted by law (including in the context of a contract with you) or under your consent, MMS will store your personal data (i) only for as long as is required to fulfill the respective purposes or (ii) until you revoke your consent. However, where MMS is required by mandatory law to retain your personal data longer or where your personal data is required for MMS to assert or defend against legal claims, MMS will retain your personal data, in accordance with applicable law, until the end of the relevant retention period or until the claims in question have been settled.
4.6 Where will my personal data be processed?
MMS is a U.S. based, internationally operating organization. Consequently, whenever MMS is using or otherwise processing your personal data for the purposes set out in its privacy policies, your data may be collected from, processed, or transferred to a country outside of the EU or European Economic Area (“EEA”).
4.7 No Decisions Based Solely on Automated Processing (Art. 22 GDPR)
Our processing of your personal data does not involve decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.
5. Data Subject’s Rights under GDPR
5.1 Data Access, Correction, and Deletion Right
You can request from MMS at any time information about which personal data MMS processes about you and the correction or deletion of such personal data.
Please note that MMS can delete your personal data only if there is no legal or contractual obligation or prevailing right of MMS to retain it. Please also note that if you request that MMS delete your personal data, you will not be able to continue to use a Service that requires MMS’s use of your personal data.
If MMS uses your personal data based on your consent or to perform a contract with you, you may further request from MMS a copy of the personal data that you have provided to MMS. In this case, please contact MMS’s Data Protection Officer and specify the information or processing activities to which your request relates, the format in which you would like this information, and whether the personal data is to be sent to you or another recipient. Please also provide reasonable information and evidence that permits MMS to verify that the request originates from you as the data subject entitled to receive such personal information and that no one else is abusively trying to access your personal data by requesting a copy of it from MMS.
Furthermore, you can request from MMS that MMS restrict your personal data from any further processing in any of the following events: (i) you state that the personal data MMS has about you is incorrect (but only for as long as MMS requires to check the accuracy of the relevant personal data), (ii) there is no legal basis for MMS processing your personal data and you demand that MMS restricts your personal data from further processing, (iii) MMS no longer requires your personal data, but you claim that you require MMS to retain such data in order to claim or exercise legal rights or to defend against third party claims or (iv) in case you object to the processing of your personal data by MMS (based on MMS’s legitimate interest as further set out in Art. 6 (1) (f) GDPR) for as long as it is required to review as to whether MMS has a prevailing interest or legal obligation in processing your personal data.
5.2 Right to Lodge a Complaint
If you believe that MMS is not processing your personal data in accordance with applicable EU/EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EU/EEA member state in which you live or with the data protection authority of the country or state in which MMS has its registered seat.
Additional Privacy Information For California Users
We are a not for profit entity and therefore, we are not required to comply with the California Consumer Privacy Act of 2018 (“CCPA”). We do however take privacy issues seriously and while we may choose to offer you some rights regarding your Personal Information, those rights are not offered pursuant to CCPA and may be rescinded by us at any time.
Access to Specific Information:
You may request that MMS disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:
- The categories and sources of Personal Information we collected about you.
- Our business or commercial purpose for collecting or selling that Personal Information.
- The categories of third parties with whom we share that Personal Information.
You may request that MMS delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to comply with a business or legal obligation.
Exercising Access, Data Portability, and Deletion
To exercise the access, data portability, and deletion described above, please submit a verifiable consumer request to us by any of the below methods:
- Emailing us at DPO@mms.org
- Contact us at 800-834-6356
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.
We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Personal Information Sales Opt-Out
You may request that we do not sell your Personal Information at any time (the “Right to Opt-Out”).
To exercise the Right to Opt-Out, you (or your authorized representative) may submit a request to us at DPO@mms.org.
Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Information sales. However, you may change your mind and opt back in to Personal Information sales at any time by contacting MMS at the email address or phone number provided in this notice.
You do not need to create an account with us to exercise your Right to Opt-Out. We will only use Personal Information provided in an opt-out request to review and comply with the request.
We will not discriminate against you for exercising any of the above rights.
California Shine the Light Rights
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please contact us at DPO@mms.org.
Notice to Nevada Residents
Nevada Senate Bill 220 provides consumers (Nevada residents) with specific rights regarding their Personal Information. This section describes your Nevada privacy rights and explains how to exercise those rights.
Right To Opt Out
You have the right to direct us to not sell your Personal Information at any time (the “Right to Opt-Out”).
To exercise the Right to Opt-Out, you (or your authorized representative) may submit a request to us at DPO@mms.org.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within sixty days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.