Revised April 2022
This privacy policy tells you about the information we may collect from you when you engage with EDPMA. We may also from time to time seek from you supplemental information in furtherance of the EDPMA’s advocacy activities. Both are designed to be in compliance with the principles and provisions espoused in all applicable federal, state, and international data protection laws including the EU General Data Protection Regulation (GDPR). In collecting this information, we are acting as a data controller and are required to provide you with information about us, about why and how we use your data, and about the rights you have over your data.
Who are we?
We are EDPMA. Our office address is EDPMA, 7918 Jones Branch Drive, Suite 300, McLean, VA 22102. You can contact us by post at the above address or by email at edpmahq@edpma.org.
Any inquiries about our use of your personal data should be addressed to the contact details above.
Why do we collect your information and what is the legal basis for data protection?
To fulfill its purpose and deliver value to its members, EDPMA collects and processes certain information from its members, partners, business contacts, collaborators, event delegates, and other stakeholders in the field of activity of EDPMA. We collect this information for contractual reasons (i.e., of members and suppliers), or to fulfill our legitimate interests as an association. “Legitimate interests” means our interest in conducting and managing our organization and fulfilling our charitable, educational, advocacy, and legislative affairs mission. For example, we have a legitimate interest in processing your personal data when you become a member of our organization or register to attend one of our events. We also have a legitimate interest in requesting data from our member organizations for use in aggregating with other contributing members to deliver to Congress, state legislatures or state and federal regulatory agencies all in furtherance of the association’s advocacy mission rendered on behalf of its members. When we process your personal or organization’s data for our legitimate interests, we ensure adequate protection of the data and consider your rights under data protection laws.
If EDPMA intends to use your information in a way that is different from the reasons for which it was collected, then we will notify you before doing so and, if necessary, ask your permission before collecting any additional data or using it in this way. If you give us your consent to use or collect your data, you have the right to withdraw your consent at any time by emailing edpmahq@edpma.org. Withdrawal of your consent may mean that it is no longer possible for you to gain access to certain parts of the site or retain access to membership activities.
- Membership Data is stored under the organization record and cannot be deleted as they are tied with payment records. However, EDPMA can anonymize this data when requested.
- Event Registration Data is stored under the organization record and the individual record and cannot be deleted as they are tied with payment records. However, EDPMA can anonymize individual and organizational data when requested.
- Purchasing Data is stored under the organization record and the individual record and cannot be deleted as they are tied with payment records. However, only the last four digits, payment date, and merchant authorization token are stored. EDPMA can anonymize individual and organizational data when requested.
Data we may collect from you
We may collect data from you during the following interactions:
- Information acquired/provided through our website or websites of our member organizations (if applicable), or data processors. This may include information provided at the time of registering for events, subscribing to services such as newsletters or briefings, participating in discussion boards, posting material or requesting further information. We may also collect information that is available from your browser, or collect information when you respond to a survey and/or when you report a problem.
- Information acquired/provided through correspondence. If you contact us, we may keep a record of that correspondence, including your contact data.
- Information acquired/provided when entering into a formal or informal contractual relationship with us – e.g. by becoming a member, joining an event, project or working group, or by offering or providing services to us or our members.
This data may include:
- Contact information, such as name, address, contact telephone number, email address
- Browsing information, such as IP address, session time
- In case of contracts and purchases: payment information, such as bank account details or credit card information
- In case of content collaborations or member profiles: identification data, such as photographs or biographies
Your rights as a data subject
By law, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate.
- If we have asked for your consent to process your personal data, you may withdraw that consent at any time.
- If we are processing your personal data for reasons of consent or to fulfill a contract, you can ask us to give you a copy of the information in a machine-readable format so that you can transfer it to another provider.
- If your personal data is inaccurate or incomplete, you are entitled to have it rectified or completed.
- You may ask us to delete or remove your personal data and we will anonymize your personal data so that activities within our member management system will no longer be relatable back to you. In some situations, deletion of certain personal data may mean that it may no longer be possible for you to gain access to certain parts of the site or retain access to membership activities.
- You may ask us to restrict or block the processing of your personal data in certain circumstances or to request no contact from EDPMA. This includes requesting that your information not be included in the online Member Directory.
- If you have a concern about our privacy practices, including the way we have handled your personal data, you can report it to the data protection authority that is authorized to hear those concerns. The relevant authority is the data protection authority in your country of residence, the country where you work, or the country in which the alleged unlawful use of your personal data occurred.
EDPMA use of “cookies”
EDPMA uses cookies to store and track certain information about you. A cookie is a small amount of data sent to your browser from a Web server and stored on your computer’s hard drive. In general, EDPMA uses cookies to store your logged-in status for members-only and subscription areas of our site, and to keep track of your order as you make online purchases via our e-commerce system.
- EDPMA uses Google Analytics to collect information about use of edpma.org. Google Analytics collects information such as how often users visit this site, what pages they visit when they do so, and what other sites they used prior to coming to this site. We use the information from Google Analytics only to improve this site. Google Analytics collects only the IP address assigned to you on the date you visit this site, rather than your name or other identifying information. We do not combine the information collected by Google Analytics with personally identifiable information. Although Google Analytics plants a permanent cookie on your web browser to identify you as a unique user the next time you visit this site, the cookie cannot be used by anyone but Google. Google’s ability to use and share information collected by Google Analytics about your visits to this site is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can prevent Google Analytics from recognizing you on return visits to this site by disabling cookies on your browser.
- For customers and members: Our association management system offers optional cookies to simplify the login process but is not required. This function remembers your email address used for login. You can prevent our association management system from recognizing you on return visits to this site by not opting in to “Remember me next time” or disabling cookies on your browser.
You may withdraw your consent to EDPMA’s use of cookies at any time by blocking cookies. If you browse EDPMA websites with the cookies option turned off, you may not be able to use various features of our site.
Competitively Sensitive Information
All data, vignettes (examples), survey responses, and other financial or reimbursement related information submitted by members and collected by EDPMA, which may include but not limited to claims submissions or payer adjudication practices including denials, downcoding or specific information related to the ‘qualifying payment amount’ under the No Surprises Act may be considered “competitively sensitive.” When you share such data with EDPMA, extra precautions shall be provided to information that staff, consultants, or members determine is competitively sensitive. EDPMA will only share such information in an anonymized and de-identified format, and it will be shared without attributing who provided the example, survey response, or data.
A member can label its data as “competitively sensitive” at the top of its submission and that data will be treated as competitively sensitive information. Competitively sensitive information is information that a member would not likely want disclosed if there was a chance someone in the public could guess the source of the information.
EDPMA may disclose de-identified, competitively sensitive information in the following situations:
- if the information comes from a minimum of five groups or sources and no more than 20% of the data comes from one group or source;
- if the information comes from a minimum of five groups or sources and the members who provided more than 20% of the data give written permission to disclose the information; and
- if fewer than five members submit data and all of the members who provided data give written permission to disclose the information.
Data, vignettes, survey responses, and other information that is determined not to be competitively sensitive will be de-identified and shared anonymously, but no other protection outside of what is addressed in this Privacy Policy will be afforded this information.
GDPR Policies
The following section applies to you if you are an individual located within the European Union (EU) and your personal data is processed in connection with EDPMA offering goods or services within the EU. Personal data means any information that allows you to be directly or indirectly identified.
Access to Your Personal Data
EDPMA Staff has access to your personal data which includes but is not limited to full name, address(es), email(s), phone, fax, website, job title, relationship to organization(s), duration of relationship(s), positions held within EDPMA, event registration/purchases and associated demographic information.
EDPMA utilizes third-party systems which include storing of limited contact and/or registration data for mass email communications, event admission/production, and carrying out expected services paid for with your membership/registration.
Our members can access a limited amount of contact information about other members either via Individual or Organization via our membership directory. We occasionally exchange mailing lists with other organizations to further our mission.
EDPMA also shares registration data which includes name, title, and company with sponsors. If we intend to transfer your personal data to an organization outside of the European Union, we will notify you before doing so.