EU General Data Protection Regulation

AMERICAN ACADEMY OF DERMATOLOGY
EUROPEAN UNION GENERAL DATA PROTECTION REGULATION POLICY

Scope
The following sections apply to you if you are an individual located within the European Union (“EU”) and your Personal Data is processed in connection with the American Academy of Dermatology’s communication of activities, benefits and marketing of goods or services within the EU.  Personal Data means any information that allows you to be directly or indirectly identified.

Data Controller and Contact Information
The American Academy of Dermatology (“AAD” or “the Academy”) is the “data controller” for the processing of your Personal Data. Contact Barbara Paez regarding the processing of your Personal Data by sending an e-mail to personaldata@aad.org or by sending your request in writing to Barbara Paez, American Academy of Dermatology, 9500 W. Bryn Mawr Avenue, Suite 500, Rosemont, IL 60018-5216.

Contact Details of the Data Protection Officer
If you have questions regarding the data protection policies of the AAD, please contact the Director of Information Technology, Erik Horn, at ehorn@aad.org.

Purposes and Legal Basis for Data Processing
We collect your personal and practice information such as your name, address, e-mail address, phone/fax/cell numbers, photo(s), gender, type of practice, specialties, and procedures for the purposes of creating a membership or customer profile, communicating membership information, marketing products and services relevant to dermatologists, including registering for meetings/events.  We also collect financial information as necessary to process payments for membership dues, event registration, or the purchase of publications or other products and services.

Applying for Membership:
You voluntarily provide your Personal Data as part of the membership application process.  Your information allows us to ensure you qualify for membership and you receive member benefits to which you are entitled once membership is granted.  In order to gain full benefits of membership, we may require you to provide us with certain information.  This information is noted as “required” on your membership application form.  If you choose to withhold certain Personal Data requested by us, it may not be possible to grant membership.

Current Members:
You voluntarily provide and we collect your Personal Data as part of your membership agreement with the organization.  Your information allows us to ensure that you receive member benefits to which you are entitled in exchange for paying dues and acting in accordance with our membership policies.  In order to gain full benefits of membership, we may require you to provide us with certain information.  If you choose to restrict certain Personal Data requested by us, it may not be possible for you to gain access to certain aspects of membership.

Non-Members
You voluntarily provide and we collect your Personal Data as part of a past purchase of a product, event registration and/or other offering from the Academy.  Your information allows us to deliver and ensure payment for the product/event that you purchased, as well as to provide information about future products and events of interest.  

Personal Data Collection and Usage
The collection of your Personal Data is necessary to support our legitimate interests as a nonprofit organization.  “Legitimate interests” means our interest in conducting and managing our organization and fulfilling our charitable and educational mission.  For example, we have a legitimate interest in processing your Personal Data when you become a member of our organization or register to attend one of our events.  When we process your Personal Data for our legitimate interest, we ensure adequate protection of your Personal Data and consider your rights under data protection laws.

The AAD website uses pixels, which are a type of code that triggers user cookies. A cookie is a small file stored on the site user's computer or Web server. Session cookies are temporary files created when a user signs in on the website or uses the personalized features (such as keeping track of items in the shopping cart). Session cookies are removed when a user logs off or when the browser is closed. Persistent cookies are permanent files and must be deleted manually through the site user’s web browser. Tracking or other information collected from persistent cookies or any session cookie is used to provide users with efficient navigation of the site, for the collection of site use analytics, or for marketing purposes, including retargeted marketing when users of this website visit the websites of third parties.

Information provided on any printed or online form (such as registering for an AAD Meeting) is maintained at the Academy solely for that intended use, unless stated otherwise.

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services, registration companies) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

You may withdraw your consent to our use of cookies at any time by disabling cookies on your web browser(s).  If you browse our website with the cookies option turned off, you may not be able to use various features of our site.

The Academy ties IP addresses to user IDs for a period of time no longer than 26 months. We do this to tailor content and functionality of the site to the individual, including updating account information, purchasing products, and making member-only materials available depending on the user and their relationship to the organization.

If you do not log in to the website, we do not tie your identity to a visit, but you would not be able to use features requiring a login.

If we collect your Personal Data for reasons beyond the performance of our obligations to our members or the pursuit of our legitimate interests, we will ask for your consent to collect such data.

If we intend to use your information in a way that is different from the reasons for which it was collected, we will notify you before doing so and, if necessary, ask your permission before collecting any additional data or using it in any way not addressed in this policy.

Special Categories of Data
Racial/ethnic origin and sexual orientation are each considered to be a “special category of personal data” and may be collected by us in order to carry out legitimate charitable and educational activities as a nonprofit entity. This data will not be disclosed outside of our organization without your consent.

Access to Your Personal Data
Personal member and customer data is housed in the Academy’s Association Management System. This database is password protected and accessible only by qualified employees of the Academy who are required at employment to sign confidentiality agreements as it relates to the release of any Academy information, including member/non-member data.  A limited number of third-party organizations may also have access to the database and are contractually bound to follow non-disclosure and confidentiality requirements.

Members are automatically listed in the membership directory; however, they can specify/control their personal contact information available to other members. Members also control what personal data is shared on the “Find a Derm” public website.

The AAD exchanges mailing lists with other organizations who share/complement the mission of the Academy, e.g., other dermatological organizations. Shared information is limited to member ID, name, mailing addresses, phone and fax numbers, and email address. The Academy also rents its mailing list, which provides only name and mailing address to qualified organizations.

Meeting registration data is stored by the Academy’s registration vendor on secure servers.  The data is accessed only by the Academy and only for legitimate Academy purposes. Any other use of the data is prohibited by non-disclosure and confidentiality contractual terms.

If we intend to transfer your Personal Data for purposes other than those already stated to an organization outside of the European Union, we will notify you before doing so.

Data Processing and Storage of Personal Data
We use secured and monitored Microsoft SQL Servers to securely store and process your Personal Data.

Any data that is no longer needed for the purposes for which it was collected will be deleted.

  • Membership Data – Membership data is kept indefinitely for historical reference as well as to accurately track membership trends.
  • Member Profile – additional demographic information that is freely provided to populate the member directory and Find-a-Derm resources is archived for historical reference and to accurately track membership trends.
  • Event Registration Data – Event Registration data is archived for historical reference and to track registration trends and is kept indefinitely.   
  • Purchasing Data – Purchasing data is archived for historical reference and to track sales trends and is kept indefinitely.
  • Session cookies are removed when a user logs off or when the browser is closed. Persistent cookies are permanent files and must be deleted manually through the site user’s web browser.

Rights
Subject to applicable law, you have the following rights in relation to your personal data:

  • Right of access:  You can request an electronic copy of your personal data contained within our system. Requests can be made by emailing your inquiry to personaldata@aad.org or by sending your request in writing to: American Academy of Dermatology, 9500 W. Bryn Mawr Avenue, Suite 500, Rosemont, IL 60018-5216.   In order to comply with your request, you may be asked to verify your identity.
  • Right to rectification: If your Personal Data is inaccurate or incomplete, you are entitled to have it rectified or completed.  Updates to your Personal Data may be done, in some instances, by going to ‘Your Account’ page located at /account/ or by emailing this information to MRC@aad.org.
  • Right to erasure: You may ask us to delete or remove your Personal Data.  Requests must be made in writing and sent to: Barbara Paez, American Academy of Dermatology, 9500 W. Bryn Mawr Avenue, Suite 500, Rosemont, IL 60018-5216. If you are a current member, the request must be notarized.  In some situations, deletion of certain Personal Data may mean it is no longer possible to gain access to certain parts of our site, retain access to membership activities, or retain membership.
  • Right to restrict or object to processing: You may ask us to restrict or block the processing of your Personal Data in certain circumstances, or request no contact from us, which may result in the loss of membership if you are a member.  Requests should be made to the Personal Data Controller by sending an e-mail to personaldata@aad.org or by sending your request in writing to: American Academy of Dermatology, 9500 W. Bryn Mawr Avenue, Suite 500, Rosemont, IL 60018-5216.
  • Right to data portability: You have the right to obtain your Personal Data from us that is contained in our system.  Requests for your data should be made by sending an e-mail to personaldata@aad.org or by sending your request in writing to: American Academy of Dermatology, 9500 W. Bryn Mawr Avenue, Suite 500, Rosemont, IL 60018-5216.
  • Right to withdraw consent: If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on your prior consent. Requests should be made by sending an e-mail to personaldata@aad.org or by sending your request in writing to: American Academy of Dermatology, 9500 W. Bryn Mawr Avenue, Suite 500, Rosemont, IL 60018-5216.
  • Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we have handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns.  The relevant authority is the data protection authority in your country of residence, the country where you work, or the country in which the alleged unlawful use of your Personal Data occurred.