Last updated: November 2022
Please read through this Policy in its entirety and understand its terms. We may update the Policy from time to time, so please check it occasionally.
Information You Provide to Us
We may collect, use, store and transfer different kinds of Personal Information about you, which we have grouped together as follows:
For each of these categories of Personal Information, we will not hold such information longer than is reasonably necessary for the disclosed purpose and as required by law.
Information You Provide to Us
We may collect Personal Information from you that you voluntarily provide to us in various ways, including, but not limited to, when you:
Information We Collect From You
Information You Voluntarily Provide. We may collect Personal Information from you that you voluntarily provide to us in various ways, including when you contact us or otherwise interact with us or our Services.
Automated technologies or interactions. As is true of most websites, we receive and store certain types of Personal Information whenever you interact with us or our Services. This information may include Technical and Usage Data. You may manage how your mobile device and mobile browser share location information with us, as well as how your mobile browser handles cookies and related technologies by adjusting your mobile device privacy and security settings. Please refer to instructions provided by your mobile service provider or the manufacturer of your device to learn how to adjust your settings.
Information We Collect From Third Parties
We may collect Personal Information from various third parties, including those listed below. We do not control third-party websites and are not responsible for any information they may collect. The collection, use, and disclosure of Personal Information received from third parties is governed by the privacy policies listed on the website where the information was collected by the third party and/or submitted by the user. Third parties may send their own cookies and pixel tags to you, and may collect information and use it in a way that is different from this Policy. Please carefully review these third-party privacy policies to understand how your information may be collected, used and disclosed by these third parties.
NEJM Healer Program Users. If you register to use our NEJM Healer program, your personal information may be provided by a distributor of our program who will provide us with your name, email address, year in school, and school name.
National Provider Identifier (NPI). We may collect NPI numbers from third parties and match those numbers to personal information in our system to provide you with content and advertisements tailored to your individual interests and needs.
Third Party Service Providers. We collect Personal Information from service providers including website hosting platforms and email service providers.
Third Party Advertising Partners. In some cases, we may work with third-party advertising partners to help deliver advertisements on our behalf across the Internet. We collect Personal Information received from third party advertising partners that may place or recognize Cookies and Tracking Technologies to track anonymous information, in part, to measure and analyze the efficacy of the advertising they place at the Services. They may also have the ability to link the information they collect when you use the Services, such as the identifier for the device you are using, with other information they collect elsewhere on the Internet to gain additional insights into their target audience. We only share pseudonymous information with such third parties that does not include an individual’s name, email address, or contact information.
Google Analytics. We use third party cookies such as those provided by Google Analytics to assist us in better understanding our visitors. These cookies collect Technical Information such as IP address and Usage or Click Stream Data, such as the length of time a user spends on a page, the pages a user visits, and the websites a user visits before and after visiting our Services. Based on this information, Google Analytics compiles data about website traffic and interactions, which we use to offer better user experiences and tools in the future. For information on how to opt-out from Google Analytics, here.
Your ‘Do Not Track’ Browser Setting. Some web browsers incorporate a Do Not Track (“DNT”) feature that signals to the websites that you visit that you do not want to have your online activity tracked. At this time, our Services do not respond to DNT signals. Other third party websites may keep track of your browsing activities when they provide you with content, which enables them to customize what they present to you on their websites.
We will use your Personal Information for the following purposes:
We share your Personal Information with third parties in the ways described below.
Information You Instruct Us to Share. You may be presented with a survey or an option on our Services to have us send certain information to third parties or give them access to it. If you choose to do so, your Personal Information and other information may be disclosed to such third parties and all information you disclose will be subject to the third-party privacy policies and practices of such third parties.
NEJM Group. We may share your information within NEJM Group.
Trusted Partners. We may share your Personal Information with medical credentialing and accreditation organizations in connection with our continuing medical education and maintenance of certification offerings. Trusted Partners are obligated to maintain your personal information as confidential and have access to your personal information only as necessary to perform their requested function on your behalf.
Other Business Partners. We may share aggregated or pseudonymous information (including demographic information, race, ethnicity or gender) with partners, such as publishers, advertisers, measurement analytics, apps, or other companies. We may also share personal information with third parties who enter into business relationships with us. These business partners may include direct marketers, publishers and unaffiliated third parties.
Service Providers. We may use third-party service providers to perform certain business services and may disclose Personal Information to such service providers as needed for them to perform these business services. Business services provided include, but are not limited to, hosting vendors, advertising service providers, data analytics and customer support providers, IT service providers, list managers, communications services, website development services, payment processing services, compliance services, analytics services, and survey services.
Advertisers. From time to time, we rent our print subscriber list, which includes personal identifiers such as subscriber names and postal addresses, to third parties that have products or services that we believe will be of interest to our customers. We do not share your email address or credit card information. We may also share your name and email address with LinkedIn and other social media sites to provide you with tailored ads about our services. If you do not want us to rent your postal address information or share your name and email address with LinkedIn and other social media sites to provide you with tailored ads, contact us at DPO@mms.org.
Business Transactions. We may do business with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Information in the same way as set out in this Policy.
Legal Process. Subject to applicable law, we may disclose information about you: (i) if we are required to do so by law, regulation or legal process, such as a subpoena; (ii) in response to requests by government entities, such as law enforcement authorities; (iii) when we believe disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss; or (iv) in connection with an investigation of suspected or actual unlawful activity.
We have reasonable security measures in place to prevent your Personal Information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Information on our instructions and they are subject to a duty of confidentiality.
We endeavor to keep your Personal Information confidential and protected against unauthorized access, misuse or alteration with commercially reasonable physical, technical, and administrative measures. However, as effective as these measures are, no security system is impenetrable. We cannot guarantee the security of electronic data nor can we guarantee that the information you supply will not be intercepted.
User-Generated Content Forums
Any data or Personal Information that you submit to us as user-generated content becomes public and may be used by the MMS in connection with the Services and other NEJM Group and MMS publications and offerings in any and all media.
Cross-Border Transfer of Your Information
The Services are headquartered in the United States. Your Personal Information may be transferred outside of your country of residence to the United States or another country for processing. By using a Service, you consent to the collection, international transfer, storage, and processing of your information outside of your country of residence, in which case the personal data protection rules may differ from the rules in your country. For persons in the EU, EEA and UK, please see Privacy Information for Users in the EU, EEA and UK below.
Our Services are intended for adult use only and are not directed towards children, minors, or anyone under the age of 18. If you are under the age of 13, you are not authorized to provide us with any Personal Information. If the parent or guardian of a child under 13 believes that the child has provided us with any Personal Information, the parent or guardian of that child should contact us at the email address below to have this Personal Information deleted from our files.
We are a not-for-profit entity and therefore, we are not required to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and its amendments. We do however take privacy issues seriously and while we may choose to offer you some rights regarding your Personal Information, those rights are not offered pursuant to CCPA and its amendments and may be rescinded by us at any time.
Right to Know: You have the right to know the categories of Personal Information that we collect about you over the past 12 months, the categories of sources from which the Personal Information was collected, the business or commercial purposes for which the Personal Information was collected, sold, shared, and the categories of third parties with whom we share the Personal Information, and the specific pieces of personal information we collected about you.
Right to Correct: You have the right to correct inaccurate personal information that we maintain about you.
Right to Delete: You have the right to request that we delete Personal Information that we collected from you and retained, subject to certain exceptions.
Right to Opt-Out of the Sale/Sharing: You have the right to opt out of the future sale of your Personal Information. The law defines “sale” very broadly to include making data available to third parties in some cases. As noted above, we may share certain information with advertisers or social media sites. In doing so, we may make available or transfer your Personal Information (e.g., Identifiers and Contact Information) to Advertising Companies (e.g., advertising agencies, advertising servers, sponsored content providers, social media platforms and other similar technology companies). Making such information available to third parties may constitute a “sale” of data. You may adjust your device or browser’s settings to limit how your online usage data and device data is shared with third parties or request to opt-out.
Right to Limit the Use or Disclosure of Sensitive Personal Information: You have the right to limit the use of your Sensitive Personal Information to that which is necessary to perform Services or provide the goods you request. Please note that the only Sensitive Information that will be shared is your IP address with advertisers. Race and ethnicity will be collected only for diversity, equity and inclusion purposes on a voluntary basis from authors and reviewers and shared on an aggregated and de-identified basis.
Non-Discrimination: Unless permitted by applicable law, we will not discriminate against you for exercising any of your privacy rights under CCPA or applicable law, including by, but not limited to:
Exercising Your Rights – Only you or an authorized agent may make a verifiable consumer request related to your Personal Information. Each of these rights may be exercised by sending an email to email@example.com
Designating a Third-Party to Act on Your Behalf – In order to designate a third party to act on your behalf, that person must be registered with the California Secretary of State and must have valid written evidence of authority from you to act on your behalf, e.g., a validly executed Power of Attorney or some other written, notarized documentation that they can provide to us. Absent such documentation, we reserve the right to refuse to comply with third-party requests for information.
Verifying Your Requests – During the verification process, depending on the nature of your request, e.g., whether you are seeking access to information versus deleting information, we will first seek to verify your identity against known information in our environment, such as your name, e-mail address, and telephone. Upon receiving your request, we may also contact you via email and/or other secured communication channel to verify your identity. In certain instances, e.g., a mismatch against known information or where you are seeking information on behalf of another person with authorization, we may seek additional verification from you, which may be in the form of you providing a copy of a valid, government issued identification or a notarized attestation.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Exceptions – We may deny certain requests, in whole or in part, based on our legal rights and obligations. For example, we may retain personal information as permitted by law, such as for tax or recordkeeping or to comply with legal obligations, to process transactions, perform continuing obligations, and facilitate requests.
NEJM Group offices are located at:
For our users in the European Union and UK we are providing some additional information below as required by the EU General Data Protection Regulation (“GDPR”) and UK General Data Protection Regulations (together, “GDPR”).
The data controller for the Services is: Massachusetts Medical Society, 860 Winter Street, Waltham, MA 02451 USA
2. Data Protection Officer
You can contact our Data Protection Officer at: Attn: Data Protection Officer, Massachusetts Medical Society, 860 Winter Street, Waltham, MA 02451 USA
3. Representative in the EU
Rickert Rechtsanwaltsgesellschaft mbH
4. Representative in the UK
Rickert Services Ltd UK
PO Box 1487
5. Additional Information about Processing of Personal Data
5.1 Processing for or Prior to Entering into a Contract
5.2 Processing on the Basis of Your Consent
You may at any time revoke a consent granted hereunder in accordance with GDPR. In case of revocation, MMS will not process the personal data subject to this consent any longer unless legally required to do so. However, any revocation of your consent has by law no effect on past processing of personal data by MMS up to the point in time of your revocation. Furthermore, if your use of a Service requires your consent, MMS will no longer be able to provide the relevant Service to you after your revocation.
5.3 In Order to Comply with a Legal Obligation
5.4 Aggregated Anonymous or Pseudonymous Use of Data
5.5 Duration of Processing of Personal Data
Where MMS is processing and using your personal data as permitted by law (including in the context of a contract with you) or under your consent, MMS will store your personal data (i) only for as long as is reasonably required to fulfill the respective purposes (including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements), or (ii) until you revoke your consent (where consent is the basis we use to process your personal data). However, where MMS is required by mandatory law to retain your personal data longer or where your personal data is required for MMS to assert or defend against legal claims, MMS will retain your personal data, in accordance with applicable law, until the end of the relevant retention period or until the claims in question have been settled. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
5.6 Where will my personal data be processed?
MMS is a U.S.-based, internationally operating organization. Consequently, whenever MMS is using or otherwise processing your personal data for the purposes set out in its privacy policies, your data may be collected from, processed, or transferred to a country outside of the EU, UK or European Economic Area (“EEA”).
Whenever we transfer your personal data out of the EU, UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
Where we use certain service providers, we may use specific contracts approved for use in the UK, EU or EEA which give personal data the same protection it has in the EU, UK or EEA.
5.7 No Decisions Based Solely on Automated Processing (Art. 22 GDPR)
Our processing of your personal data does not involve decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.
6. Data Subject’s Rights under GDPR
6.1 Data Access, Correction, and Deletion Right
You can request from MMS at any time information about which personal data MMS processes about you and the correction or deletion of such personal data.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Please note that MMS can delete your personal data only if there is no legal or contractual obligation or prevailing right of MMS to retain it. Please also note that if you request that MMS delete your personal data, you will not be able to continue to use a Service that requires MMS’s use of your personal data.
If MMS uses your personal data based on your consent or to perform a contract with you, you may further request from MMS a copy of the personal data that you have provided to MMS. In this case, please contact MMS’s Data Protection Officer and specify the information or processing activities to which your request relates, the format in which you would like this information, and whether the personal data is to be sent to you or another recipient. Please also provide reasonable information and evidence that permits MMS to verify that the request originates from you as the data subject entitled to receive such personal information and that no one else is abusively trying to access your personal data by requesting a copy of it from MMS.
You can withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw consent.
Furthermore, you can request from MMS that MMS restrict your personal data from any further processing in any of the following events: (i) you state that the personal data MMS has about you is incorrect (but only for as long as MMS requires to check the accuracy of the relevant personal data), (ii) there is no legal basis for MMS processing your personal data and you demand that MMS restrict your personal data from further processing, (iii) MMS no longer requires your personal data, but you claim that you require MMS to retain such data in order to claim or exercise legal rights or to defend against third party claims, or (iv) you object to the processing of your personal data by MMS (based on MMS’s legitimate interest as further set out in Art. 6 (1) (f) GDPR), for as long as it is required to review whether MMS has a prevailing interest or legal obligation in processing your personal data.
6.2 Right to Lodge a Complaint
If you believe that MMS is not processing your personal data in accordance with applicable EU/EEA/UK data protection laws, you can at any time lodge a complaint with the data protection authority.
EU residents have the right to lodge a complaint with a data protection supervisory authority (‘DPA’), usually in the country or state where you work, normally live or where any alleged infringement of data protection laws has occurred. Details of EU Member State DPAs and EEA DPAs can be found here: ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en#answer.
UK residents have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (ico.org.uk).