Collecting Personal Information from Site Users.
- Personal Information Defined. In order to provide access to certain services or information within the Site, we may require that users of the Site (“you”, “your”, or “Users”) provide certain “personal data”, “personal information” or any other similar term as defined in any applicable law or regulation, together with information or materials, in any form, that alone or in combination with other information or materials: (a) uniquely identifies any individual (e.g., names, addresses, telephone numbers, account information, financial information, etc.); or (b) is considered “sensitive personal data” such as political opinions, ethnicity, religious beliefs, or health information (collectively “Personal Information”). HMG also collects non-personal information that does not, on its own, identify an individual person. When non-personal information is combined with other information so that it does identify an individual person, we treat that combination as Personal Information.
Types of Information We May Collect. The following are examples of the types of Personal Information that may be collected from Users:
- contact information (including name, street address, email address, telephone number);
- government issued identifications (such as national provider identification number);
- username, password, and other information used in combination to verify your identity;
- financial information (including credit/debit card and bank account information, credit and repayment history, and payment default information);
- geolocation, demographic, shipping, billing, and other information related to your use of the Site or any information contained therein; and
- any other Personal Information or characteristics about an individual that is connected to one of the above, such as date or place of birth, geographical indicators, or photographic images.
Automatic Data Collection. The Site may use automatic data collection tools and techniques including cookies, clickstream, and web beacons, as follows:
- Clickstream. We may collect information about the “clickstream” of Users. This clickstream data contains the pages the Users came from, the navigational paths they took, and the areas of the Site they visited. From time to time we track such information inside and outside of the Site. Additionally, we may track and match clickstream data with Personal Information you provide to us in order to deliver content and other offerings, including products and services that might improve Users’ experience. We may also share clickstream data with third parties in an aggregate or anonymous format.
- Web Beacon. Certain email communications you receive from us may contain “web beacons”. Web beacons consist of a line of code on the Site that delivers a small graphic image. The web beacon may not be visible as it is a 1x1 pixel that is often designed to blend into the background of a web page. Web beacons allow us to obtain information such as the Internet Protocol (“IP”) address of the computer that downloaded the page on which the web beacon appears, the URL of the page on which the web beacon appears, the time the page containing the web beacon was viewed, the browser type used to view the page and the information in cookies. We use web beacons for activities such as monitoring the effectiveness of the headlines in our emails or ad banners.
- IP Address. Your IP address is a numerical label assigned to each device (e.g., computer, printer, mobile device, or server) and is usually associated with the place from which you enter the internet. It is how devices find each other on a network. We may use your IP address to help diagnose problems with our servers, gather broad demographic information, gather geographic data, and administer the Site.
- Tracking Requests. We do not act on, alter, or change our Site behavior upon receiving “do not track” requests from your browser.
Sharing Personal Information.
- With Service Providers and Affiliates. HMG may rent, sell or otherwise share your Personal Information where permitted by law, for example:
- within the HMG family of businesses;
- with third parties that perform services for us or on our behalf (such as credit card companies, credit and/or investigative reporting agencies, finance companies, transport companies, consultants, advisors and market research firms); or
- for marketing campaigns conducted by us or other companies or organizations that offer products or services we believe may be of interest to Users.
- With Other Third Parties. We may also make Personal Information available to third parties in the following circumstances:
- when we have a good faith belief it is required by law or to otherwise cooperate with law enforcement activity;
- when we have a good faith belief it is necessary to protect our rights or property from fraudulent, abusive, or unlawful activity; or
- in the event of a proposed financing, merger, acquisition, liquidation, dissolution, sale of assets, or other transaction involving us, our business, or the Site.
- Protecting Personal Information. We maintain reasonable administrative, technical and physical safeguards to protect the Personal Information we collect and process.
- California Residents. California residents are legally entitled (at no charge and no more than once per year) to request information about how we may have shared your information with others for direct marketing purposes. To obtain this information or make changes to your Personal Information, please refer to the instructions provided in the Contact Us section below.
- Children. The Site is not intended for children under 18 years of age. We do not knowingly collect or store any Personal Information from children under 18. If you believe HMG has received Personal Information from children under the age of 18, please contact us by: (1) sending an email to firstname.lastname@example.org
- Your Choices. If you wish to opt out of receiving marketing communications from HMG, you may do so by (i) following the instructions provided in our marketing communications, or (ii) indicating your preferences on the relevant account profile/preferences section (such as Your Account), or (iii) referring to the instructions provided in the Contact Us section below. If you wish to request changes to your Personal Information, you may do so by referring to the instructions provided in the Contact Us section below. Please note, by electing to not share certain Personal Information with us, we may be unable to provide you with all of the functionality on the Site. Where required by law you may request access to your Personal Information that we maintain. As permitted by law we may charge a reasonable fee for providing access to Personal Information but we do not charge for lodging a request for access.
- Your Rights to Access Personal Information. Where required by law, you may request access and/or make corrections to your Personal Information that we maintain. When accessing or updating your Personal Information, we may ask you to verify your identity before we can act on your request. Please note that we may reject requests, or limit the information we provide access to, if we determine it could risk the privacy of others or if unreasonable or repetitive, or if it would require disproportionate effort. As permitted by law, we may charge a reasonable fee for providing access to Personal Information, but we do not charge for lodging a request for access.
- Contact Us. To opt out of marketing communications, click here and you will be removed from HMG promotional/marketing email lists. If you would like to make changes to your Personal Information (such as address information and phone number), please contact us at email@example.com or Health Media Group, Inc., 222 Merchandise Mart Plaza, Suite 1230, Chicago, IL 60654 USA.
- Basic Information. You have the right to obtain confirmation from HMG as to how your personal data are being processed, including the following information:
- confirmation of whether, where, and by whom your personal data is being processed;
- purpose(s) for the processing;
- categories of personal data being processed;
- categories of recipients with whom the data may be shared;
- the period for which the data will be stored (or the criteria used to determine that period);
- the source of the data (where you were not the source); and
- information about the existence of, and an explanation of the logic involved in, any automated decision-making that has a significant effect on you.
- Right to Data Portability. You have the right to transfer your personal data between controllers (e.g., to move account details from one online platform to another). Specifically, you have the right to:
- receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
- transfer your personal data from one controller to another;
- store your personal data for further personal use on a private device; and
- have your personal data transmitted directly between controllers without hindrance.
- Right to Correct Information. HMG is required to ensure that inaccurate or incomplete data are erased or corrected. You have the right to request that HMG correct or erase personal data that you believe to be inaccurate or incomplete.
- Right to Withdraw Consent. Your consent can provide a lawful basis for HMG to process your personal data and/or transfer your data internationally. However, you have the right to withdraw such consent. Please note, however, that lawful bases other than consent may permit the continued processing or transfer of your data.
- Right to be Forgotten. Under the GDPR, in certain circumstances, you may have the right to have HMG erase your personal data, cease further dissemination of your personal data, and potentially have third parties halt processing your data upon your request. This right is commonly referred to as the “right of data erasure” or “the right to be forgotten.” You have the right to erasure of your personal data if:
- the data is no longer needed by HMG for its original purpose (and no new lawful purpose exists);
- the lawful basis for the processing is your consent, you withdraw that consent, and no other lawful ground exists for HMG to process the data;
- you exercise your right to object to processing and HMG has no overriding grounds for continuing the processing;
- the data have been processed unlawfully; or
- erasure is necessary for compliance with other EU laws or the national law of a relevant EU Member State.
- Right to Object to Processing Personal Data for Public or Legitimate Interests. Where HMG is processing your personal data on the basis of having a “public interest” or “legitimate interests”, those bases are not absolute and you may have a right to object to such processing. If you object, HMG must cease such processing unless it either: (i) demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms; or (ii) requires the data in order to establish, exercise, or defend legal rights.
- Right to Object to Processing for the Purposes of Direct Marketing. You have the right to object to the processing of your personal data for the purposes of receiving direct marketing from HMG (including “profiling” activities as detailed further below).
- Right to Object to Processing for Scientific, Historical, or Statistical Purposes. Where your personal data is processed for scientific and historical research purposes or statistical purposes, you have the right to object, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- Right to Restrict Processing. In some circumstances, you may be entitled to limit the purposes for which HMG can process your personal data. Specifically, you have the right to restrict the processing of your personal data if:
- the accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
- the processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
- HMG no longer needs the data for their original purpose, but the data is still required by HMG to establish, exercise, or defend legal rights; or
- verification of overriding grounds is pending in the context of an erasure request.
- Fees. HMG is required to give effect to your rights of access, rectification, erasure, and the right to object free of charge. However, HMG may charge a reasonable fee for repetitive requests, unfounded or excessive requests, or further copies beyond the initial copy provided.
- Right to Complain to the Applicable DPA. Data Protection Authorities (“DPAs”) are the regulatory authorities responsible for monitoring and enforcing data protection laws at a national level and providing guidance on the interpretation of those laws. DPAs are empowered to oversee enforcement of the GDPR, investigate breaches of the GDPR, and bring legal proceedings where necessary. If you believe that your rights have been infringed by HMG, you have the right to ask HMG to remedy the situation. If you believe you have not received an adequate response from HMG, you may file a complaint with the relevant DPA (either the DPA for the EU Member State in which you live or work or the Member State in which the alleged infringement occurred). A list of DPAs may be found at: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm (current as of November 2018).
HMG’s Legal Basis for Processing Personal Data. Under the GDPR, in order to process your personal data, HMG is required to identify a legal basis (or bases) for its processing activities. HMG’s legal bases for processing your personal data are as described below.
- Consent. HMG is permitted to process your personal data to the extent you have given consent for HMG to perform processing activities. Please note that your consent to processing can be revoked at any time (though there may be other applicable legal bases that may justify ongoing processing of your personal data). Your consent may be revoked by sending an email to: firstname.lastname@example.org
- Contractual Requirements. HMG is permitted to process your personal data to the extent the processing is necessary:
- to respond to your request to access your personal data; or
- for the conclusion or performance of a contract between HMG and a third party where it is in your interest for the processing to occur.
- Legitimate Interests. HMG is permitted to process your personal data to the extent the processing is necessary for the purposes of legitimate interests pursued by HMG or a third party (“legitimate interests”), except where those legitimate interests are overridden by your interests, fundamental rights, or freedoms. You have the right to object to HMG’s processing of your personal data on the basis of legitimate interests; if you wish to raise such an objection, please send an email detailing your objection to email@example.com. HMG’s identified legitimate interests for processing your personal data include:
- ORGANIZATION: HMG may be required to transmit your personal data within its organizational group. Processing is necessary so that data can be shared amongst HMG’s affiliates so that each entity can carry out their legal, regulatory, and/or contractual responsibilities and/or coordinate/implement business plans, logistics, and/or operations. This is especially true because HMG’s affiliated entities may perform critical services for HMG, such as services related to accounting, compliance, research and development, human resources, information technology and security, legal, management, etc.
- OPERATIONS: Processing your personal data is necessary to facilitate the day-to-day operation of our business and to allow for business planning for strategic growth. This may include managing our relationship with you, our employees, other Users, vendors, business partners, and/or others, sharing intelligence with internal stakeholders, implementing training procedures, planning and allocating resources and budgets, performing data modelling, facilitating internal reporting, analyzing growth strategies, creating and aggregating analytics, and/or processing personal data to create anonymized data (e.g., for service improvement, analytics, etc.).
- LOGISTICS: Processing your personal data is necessary to enable HMG’s business operations to run more efficiently, e.g., establishing how to allocate resources or to predict future demand.
- RESEARCH AND DEVELOPMENT: Processing your personal data is necessary for us to deliver and/or improve the Site. This includes processing your personal data to determine whether the Site is working as intended, monitoring usage and conduct, and identifying and troubleshooting issues.
- MARKET INTELLIGENCE AND ANALYTICS: HMG has a legitimate need to conduct market intelligence so that it can better promote the Site by creating a better understanding of User preferences. This could include using diagnostic analytics to optimize services, and/or marketing campaigns by assessing/monitoring Users’ usage of the Site and/or conduct while using the Site. Common metrics for evaluation could include monitoring pages and links accessed, ad performance and conversion tracking, number of posts, number of page views, patterns of navigation, time at a page, devices used, User reviews, User location, hardware used, operating system version, advertising identifiers, unique application identifiers, unique device identifiers, browser types, languages, wireless or mobile network information, etc. These metrics could be used to personalize services and communications; determine which Users should receive specialized communications based on how they use the Site, create aggregate trend reports, determine the most effective advertising channels and messaging, and/or measure the audience for a certain communication.
- PERSONALIZATION: We process personal data in order to enhance and personalize the experience we offer our current and/or prospective Users on the Site.
- MONITORING: In order to identify recurring problems and/or analyze the patterns of behavior of Users, and comply with certain legal/regulatory obligations, it is necessary for HMG to monitor your performance/behavior on the Site.
- DIRECT MARKETING: Processing your personal data is necessary for direct marketing purposes to occasionally update Users regarding the Site and other services and products which may be of interest to Users, including occasional communications regarding updates to our activities, services, and/or events.
- MARKETING AND SALES: HMG has a legitimate interest in processing personal data in the context of marketing the Site to prospective advertisers, third-party content providers, and Users.
- DUE DILIGENCE: It is necessary for HMG to process your personal data for the purposes of conducting due diligence. This could include, for example, monitoring official watch-lists, sanction lists and “do-not-do-business-with” lists published by governments and other official bodies globally. This could also include keyword searches of industry and reputable publications to determine if companies and individuals have been involved in or convicted of relevant offenses, such as fraud, bribery, and/or corruption.
- FRAUD DETECTION AND PREVENTION: Processing your personal data is necessary for HMG to help detect and prevent fraud, e.g., verifying that the registered address of the cardholder for a particular credit or debit card is the same as the cardholder’s normal place of residence or work.
- UPDATING USER DETAILS AND PREFERENCES: Processing your personal data is necessary to verify the accuracy of your User data and to create a better understanding of our past, present, and/or prospective Users.
- NETWORK AND INFORMATION SECURITY: Processing your personal data is necessary for the purposes of ensuring our network and information security, e.g., monitoring users’ access to the Site for the purpose of preventing cyber-attacks, inappropriate use of data, corporate espionage, hacking, system breaches, etc. This could include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping “denial of service” attacks and damage to computer and electronic communication systems.
- BUSINESS CONTINUITY/DISASTER PLANNING: HMG processes your personal data because it is necessary to allow for the backup and protection of your information (e.g., utilizing cloud-based services to archive/protect data) in order to ensure that such information is not improperly lost or modified. Such processing is also necessary to archive/protect data in accordance with legal, regulatory, organizational, and/or contractual obligations.
- ARTIFICIAL INTELLIGENCE: In processing your personal data, HMG may process your data utilizing an algorithm that helps to streamline organizational processes or your User experience, e.g., recommending suggested content based upon your past activity on the Site.
- COMPLIANCE WITH LAWS AND REGULATIONS: HMG may be subject to binding legal or regulatory obligations and may need to process your personal data in order to comply with such laws or regulations. Examples include: complying with reporting obligations, complying with screening obligations, responding to law enforcement requests, and/or responding to judicial/regulatory agency requests.
- REPORTING POTENTIAL THREATS TO PUBLIC SECURITY/SAFETY: HMG has a legitimate interest in reporting possible criminal acts or threats to public security/safety that we identify as part of our processing activities to a competent authority.
- Legal or Regulatory Obligations. HMG is permitted to process your personal data where it has a binding legal or regulatory obligation to perform the processing to stay in compliance with applicable laws or regulations (e.g., tax reporting purposes). Other examples could include where HMG or one of its affiliates is required to respond to a court order, subpoena, or law enforcement agency request, to prevent fraud or abuse, or to protect the safety of individuals.
EUROPEAN DATA PRIVACY ADDENDUM
Last Updated November 16, 2018