Privacy user policy


Privacy Policy

Medicom Education B.V.

Version 1.0  |  Effective date: 24 February 2026  |  Last reviewed: 26 February 2026

1. Data Controller

Medicom Education B.V., a private limited liability company incorporated under the laws of the Netherlands, with Chamber of Commerce (KvK) number 97709247 (“Medicom”, “we”, “us” or “our”), is the controller responsible for the processing of personal data as described in this Privacy Policy.

General enquiries: support@medicom-publishers.com

For data protection enquiries, please contact our Data Protection Officer directly (see Section 15).

Medicom Education provides online medical education platforms, accredited e-learning programmes, educational and informational websites, and related services (the “Services”).

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data processed in connection with:

  • our websites and learning platforms;
  • accredited educational programmes and events;
  • user accounts and subscriptions;
  • communications relating to our Services.

This policy applies to healthcare professionals and other individuals who interact with our Services. If you are a patient or member of the general public and believe you have provided personal data to us, please contact us using the details in Section 15.

3. Personal Data We Collect

We collect personal data directly from you and automatically through your use of the Services.

3.1 Information You Provide

Depending on your interaction with the Services, we may collect the following categories of personal data:

Identity and contact data:

  • name, email address, postal address, telephone number
  • gender (optional)
  • professional social media handle (optional)

Professional and accreditation data:

  • profession and specialty
  • employer or institution
  • professional registration or doctor identification number (where required for accreditation)
  • areas of medical interest
  • ORCID ID (optional)
  • profile photo (optional)

Account data:

  • username and encrypted password
  • account preferences and language settings

Educational participation data:

  • course enrolments, module progress, and completion status
  • answers to assessments and tests
  • accreditation status and certificates issued

User content:

  • comments, annotations, discussion contributions, or uploaded materials

Communication preferences:

  • newsletter subscriptions and notification settings

3.2 Device and Usage Data

We automatically collect the following when you use the Services:

  • IP address
  • browser and device information, operating system
  • session identifiers
  • website navigation and interaction data
  • timestamps and referring pages
  • learning activity metrics (modules viewed, progress, completion status)

This data is collected via servers, cookies, and similar technologies. Please refer to our Cookie Notice (Section 10) for further details.

4. Purposes and Legal Bases for Processing

We process personal data only where a lawful basis under Article 6 GDPR applies. The table below sets out each purpose, the applicable legal basis, and — where we rely on legitimate interests under Article 6(1)(f) — an explanation of those interests and our assessment that they are not overridden by your rights.

 

Purpose  |  Legal Basis (GDPR)  |  Legitimate Interest Rationale (where Art. 6(1)(f) applies)
Creating and managing user accounts  |  Art. 6(1)(b) — Contract performance  |  -
Providing access to e-learning and educational content  |  Art. 6(1)(b) — Contract performance  |  -
Tracking course progress and issuing certificates  |  Art. 6(1)(b) and Art. 6(1)(c) — Legal obligation where accreditation rules apply  |  -
Verifying healthcare professional status and eligibility  |  Art. 6(1)(f) — Legitimate interest  |  Medicom Education has a legitimate interest in ensuring that accredited medical education is delivered only to eligible professionals, as required by accreditation standards. This interest is proportionate and does not override data subjects’ rights, as only the minimum data necessary is used and users are made aware of this processing.
Improving platform performance and the learning experience  |  Art. 6(1)(f) — Legitimate interest  |  Medicom Education has a legitimate interest in maintaining a functional and improving platform. Analytics data is processed at the aggregate level where possible, and individual data is not shared externally for this purpose.
Security, fraud prevention and platform integrity  |  Art. 6(1)(f) — Legitimate interest  |  Medicom Education has a legitimate interest in protecting the platform, its users, and the integrity of accreditation records from fraudulent, abusive or unlawful activity. Processing is limited to what is necessary for this purpose.
Service communications (essential)  |  Art. 6(1)(b) — Contract performance  |  -
Marketing communications  |  Art. 6(1)(a) — Consent  |  -
Compliance with legal and regulatory obligations  |  Art. 6(1)(c) — Legal obligation  |  -

Where we rely on legitimate interests, we have carried out a Legitimate Interests Assessment (LIA) balancing our interests against those of data subjects. In conducting these assessments, we considered the reasonable expectations of users, the minimal nature of the data processed, and the safeguards implemented to protect user rights.

Where we rely on consent as a legal basis, you may withdraw that consent at any time by contacting us or using the unsubscribe mechanism in any marketing communication. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

5. Special Categories of Personal Data

Medicom Education’s Services are directed exclusively at healthcare professionals, not patients. We do not intentionally collect or process special category data within the meaning of Article 9 GDPR (including health data about individuals as patients).

Professional information — such as medical specialty, registration number, or professional eligibility — is not health data within the meaning of Article 9 GDPR. It is processed as professional data on the basis of Article 6(1)(b) and 6(1)(f), solely to:

  • verify professional eligibility to access accredited content;
  • allocate accreditation points in accordance with applicable standards;
  • comply with regulatory and educational requirements.

In the unlikely event that a data subject voluntarily submits health data (for example, via a user content field), we will treat such data with particular care and process it only to the extent strictly necessary and with an appropriate Article 9(2) basis. If you are concerned that health data about you has been inadvertently processed, please contact our Data Protection Officer (DPO) (Section 15).

6. Educational Independence and Accreditation Safeguards

Medicom Education operates accredited medical education in accordance with applicable independence and accreditation standards. The following safeguards apply:

  • Sponsors or funding partners do not receive access to identifiable learner data unless legally required or you have explicitly consented.
  • Educational participation data is used solely for accreditation administration, certification, quality improvement, and regulatory audit requirements.
  • Sponsors receive only aggregated and anonymised statistics, unless otherwise required by applicable law.

7. Sharing of Personal Data

We do not sell your personal data. We may share personal data in the following circumstances:

7.1 Service Providers (Processors)

We engage third-party service providers to support our Services, including:

  • hosting and cloud infrastructure providers;
  • learning management system providers;
  • analytics providers;
  • email and communication platforms;
  • technical support providers.

All processors act under data processing agreements compliant with Article 28 GDPR. Where processors are located outside the EEA, the safeguards described in Section 8 apply.

7.2 Accreditation Bodies

Where required for the administration of accreditation, limited personal data (such as name, registration number, and completion status) may be shared with:

  • medical scientific societies;
  • accreditation authorities;
  • certification organisations.

Such sharing is limited to what is strictly necessary for accreditation validation and is carried out on the basis of Article 6(1)(c) (legal obligation) or Article 6(1)(b) (contract performance), as applicable. Where accreditation bodies independently determine the purposes and means of processing, they act as independent controllers or joint controllers as defined under Article 26 GDPR.

7.3 Legal Obligations

We may disclose personal data where required by applicable law, court order, or lawful authority. Where possible and legally permissible, we will notify you before complying with such a request.

8. International Data Transfers

Personal data is primarily processed within the European Economic Area (EEA). Where data is transferred to or accessed from outside the EEA, we ensure that appropriate safeguards are in place, including:

  • European Commission Standard Contractual Clauses (SCCs) — the primary mechanism we rely on for transfers to non-adequate third countries;
  • adequacy decisions issued by the European Commission, where applicable.

Our principal third-country data flows involve cloud hosting and analytics services. The main regions involved are [e.g. the United States and the United Kingdom]. All such transfers are supported by SCCs or, in the case of the UK, the UK Addendum to the SCCs.

Further information on the specific safeguards applied to international transfers is available on request from our Data Protection Officer.

9. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Data Category  |  Retention Period  |  Basis for Retention
User account data  |  Duration of account + 2 years after closure  |  Art. 6(1)(b); inactive accounts reviewed after 24 months of inactivity
Accreditation records  |  Up to 10 years  |  Art. 6(1)(c) — regulatory audit requirements
User content (comments, annotations, uploads)  |  Duration of account + 12 months after closure  |  Art. 6(1)(b); deleted upon verified account closure request
Learning analytics  |  24 months from creation  |  Art. 6(1)(f); anonymised thereafter for statistical purposes
Marketing consent records  |  Until consent is withdrawn + 3 years  |  Art. 6(1)(c) — accountability obligation under Art. 7(1) GDPR
Technical and security logs  |  Maximum 12 months  |  Art. 6(1)(f) — security and integrity
Data subject request records  |  3 years from request  |  Art. 6(1)(c) — compliance and accountability

Where data must be retained beyond these periods to comply with a legal obligation, it will be retained in a restricted form with access limited to authorised personnel. At the end of the applicable retention period, data is securely deleted or anonymised.

Inactive accounts (no login activity for 24 months) will be flagged for review. We will contact you before deleting your account.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to enable platform functionality, analyse usage, and improve the learning experience. We distinguish between:

  • Essential cookies: necessary for the operation of the platform and placed without consent;
  • Non-essential cookies (analytics, preference, and marketing cookies): placed only with your prior consent, which may be withdrawn at any time.

Cookie consent is managed through a consent management platform, allowing granular choice and withdrawal of consent at any time. Full details of the cookies we use, their purposes, and how to manage your preferences are provided in our Cookie Notice, which is available at [link to Cookie Notice]. The Cookie Notice also explains how we comply with the Dutch Telecommunications Act (Telecommunicatiewet) implementing the ePrivacy Directive.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • encrypted connections (HTTPS/TLS) for all data in transit;
  • encryption of data at rest for sensitive data categories;
  • role-based access controls and strong authentication requirements;
  • secure hosting environments with regular vulnerability assessments;
  • staff training on data protection and security awareness;
  • an incident response procedure that includes breach notification processes in accordance with Article 33 GDPR.

Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.

12. Your Rights Under GDPR

You have the following rights in relation to your personal data, subject to applicable conditions and limitations under GDPR:

  • Right of access (Art. 15): you may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): you may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): you may request deletion of your personal data where there is no legitimate ground for continued processing.
  • Right to restriction of processing (Art. 18): you may request that we limit how we process your data in certain circumstances.
  • Right to object (Art. 21): you may object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
  • Right to data portability (Art. 20): where processing is based on consent or contract and is carried out by automated means, you may request your data in a structured, machine-readable format.
  • Right to withdraw consent (Art. 7(3)): where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of the above rights, please submit your request to:

Email: dpo@medicom-publishers.com

Postal address: PO Box 90, 3740 AB Baarn

We will respond to your request within one month of receipt. In cases of complexity or when we receive multiple requests from the same individual, we may extend this period by an additional month. In that case, we will notify you within the first month and explain the reason for the extension (Article 12(3) GDPR).

We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests, but reserve the right to charge a reasonable fee or refuse manifestly unfounded or excessive requests in accordance with Article 12(5) GDPR.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of an alleged infringement. In the Netherlands, the relevant authority is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)

Website: https://autoriteitpersoonsgegevens.nl

13. Automated Decision-Making and Profiling

Medicom Education does not use personal data for automated decision-making that produces legal or similarly significant effects, as described in Article 22 GDPR. Medicom does not perform profiling within the meaning of Article 4(4) GDPR for marketing or behavioural prediction purposes.

Learning analytics are used solely for educational functionality (such as showing your progress) and internal platform improvement. These analytics do not generate automated decisions that materially affect your rights or access to services.

14. Updates to this Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our processing activities, legal requirements, or best practices. Material changes — meaning changes that affect your rights or the way we process your data in a significant way — will be communicated to you:

  • by email to the address associated with your account, and/or
  • by a prominent notice on the platform prior to the change taking effect.

Non-material changes (such as corrections or clarifications) will be published on this page with an updated revision date. We encourage you to review this Policy periodically. The current version will always be published at Privacy-policy-of-medicom-education with its effective date.

Continued use of the Services after notice of a material change constitutes acceptance of the updated Policy, except where your consent is required, in which case we will seek it separately.

15. Data Protection Officer and Contact Details

Medicom Education has appointed a Data Protection Officer (DPO) in accordance with Article 37 GDPR. The DPO may be contacted directly and independently on matters relating to the processing of personal data and the exercise of data subject rights.

Data Protection Officer

Paul Willers, Medicom Education B.V.

PO Box 90, 3740 AB Baarn

Email: dpo@medicom-publishers.com

 

Please use the DPO contact details for all data protection enquiries and subject access requests. General product support queries should be directed to support@medicom-publishers.com.

We aim to respond to all data protection enquiries within five business days, and to all formal data subject requests within one calendar month as required by Article 12 GDPR.