STS Privacy Policy

(effective 5/25/2018)

The Society of Thoracic Surgeons (“STS”) is committed to protecting the privacy rights of individuals with whom we interact, including our members and others who utilize our websites, attend our meetings, attend our educational offerings, purchase our products, serve as volunteer leaders within our governance bodies, participate in the STS National Database, or submit articles for publication in The Annals of Thoracic Surgery. This Privacy Policy has been established by STS, 633 N. Saint Clair St., Suite 2100, Chicago, IL 60611, United States of America. It sets forth the information we collect about you as you interact with us, how we use that information, and the rights you have regarding the way we use such information. Our Privacy Policy also describes the measures we take to protect your personal data, and how to contact us should you wish to update or remove your data from our records. This Privacy Policy has been revised effective May 25, 2018, to coincide with the effective date of the General Data Protection Regulation (“GDPR”) adopted by the European Union, which applies to some of the individuals who interact with us. We may further revise it from time to time as the law and interpretations pertaining to the GDPR develop, so please remember to revisit this page regularly for any policy updates. In case of any substantial change to this Privacy Policy, we will post a notice on the home page of https://www.sts.org, and the change will be effective beginning only on the date stated in the notice.

Summary

The data controller as it relates to this Privacy Policy is STS. We only use your personal data, such as your name and contact details, qualifications, funding or conflict-of-interest disclosures, areas of practice/interest, references and any payment details, and, when required, your age, in our legitimate business activities, including administering membership and membership-related benefits, educational and other programs, Society governance, and the STS National Database. We do not sell your data to any third parties except to the extent that we offer it on a temporary basis for purposes of mailing or emailing promotional materials to members and Annual Meeting attendees as described further below. In order to provide our services to you (such as administration of our Annual Meeting, standalone educational courses, membership benefits, subscriptions to The Annals of Thoracic Surgery, and participation in the STS National Database™), we may be required to send your relevant personal data to our trusted third-party processors and affiliated organizations, a summary of which is listed in the section “Use By Third-Party Processors at Our Request.”

Please read this full Privacy Policy carefully. By accessing any of our websites, you consent to the collection and use of any information you provide in accordance with this policy.

Who we are and what we do

We are a not-for-profit organization representing thousands of surgeons, researchers, and allied health care professionals worldwide who are dedicated to ensuring the best possible outcomes for surgeries of the heart, lungs, and esophagus, as well as other surgical procedures within the chest. Our vision is “improving the lives of patients with cardiothoracic diseases;” our mission is to “enhance the ability of cardiothoracic surgeons to provide the highest quality patient care through education, research, and advocacy.” In pursuing our vision and mission, it is necessary for us to collect relevant personal data from a wide variety of individuals, including our members, applicants, visitors to our websites, authors, candidates, speakers and attendees of our meetings and educational programs, and database participants.

We operate websites at, among other URLs, https://www.sts.org, https://publicreporting.sts.org, and https://ctsurgerypatients.org, publish The Annals of Thoracic Surgery, and own the STS National Database™. We also develop and present our Annual Meeting and other standalone educational programs, many of which offer Continuing Medical Education and other forms of professional credit. Some of the benefits of membership include eligibility to receive various weekly, monthly, and quarterly newsletters, as well as email updates.

How we collect information

In order to carry out the important work of STS described above, we collect your personal data. One of the reasons we do so is that it helps to ensure that our interactions with you are timely, relevant, and tailored for you.

CRM Accounts. When you interact with us to apply for membership, register for meetings or programs, or purchase products and services, we collect personal data from you by requiring you to create an account in our Customer Relationship Management database (“CRM”). By personal data we mean “any information relating to an identified or identifiable natural person” such as name, postal address, and email address. You provide the information requested on a voluntary basis so that we may perform obligations under our contracts with you or otherwise serve our legitimate business interests. For example, the information you supply is necessary for us to deliver products or services to you (such as physical mailings of purchases, or granting online access to products or services delivered electronically), maintain your membership status continuously, or apply member discount benefits when you shop online with us for eligible products and services. When applying for STS membership, registering for courses, or submitting material for publication such as an abstract, case study, article, or surgical video, we may ask for personal data such as your name, title, email address, telephone number, the name of your organization, qualifications, areas of practice/interest, payment details and, where required, your date of birth. We use this data for identity, membership and eligibility verification, and billing purposes. As discussed below, you have access to many of the pertinent data fields in your CRM account and control the information that exists in those fields. We use an order form and "shopping cart" system for customers who wish to purchase products and services through our websites. We utilize browser cookies placed on your browsing device to keep track of your shopping cart. 
We also collect requested contact information (such as name, postal address, telephone numbers, and email address) and financial information (such as credit card numbers) for use in processing and fulfilling your orders for products and services. We may also use your contact information to contact you when necessary. Financial information collected by us is used only to bill you and collect payment for products and services you purchase. We use various technologies and security measures to protect against the loss, misuse, and alteration of the personal data under our control. We use modern security and encryption services to secure credit card transactions.

Websites and Cookies. We collect personal data during your visits to https://www.sts.org, https://publicreporting.sts.org, and https://ctsurgerypatients.org and other Society websites. If we ask you for personal data while you are visiting our websites, the data we process is provided directly by you on a voluntary basis. To the extent you visit our websites anonymously, we collect certain types of data automatically. We detect and use the IP addresses of visitors to our websites in order to assist in diagnosis and solving problems with the server, to assist with the administration of the websites, and to make available enhanced features of such websites.

Like many organizations, we use cookies and log files to enhance your visit to our websites and to better understand how our websites are used. Cookies are small text files that are placed on your device to help us give you a better experience of using our websites. Cookies do lots of different things, such as:

  • Allowing you to avoid having to log in to your CRM account repeatedly while visiting various pages within our websites
  • Enabling shopping cart functionality
  • Helping us understand how visitors use our websites so that we can enhance their experience

Browsers typically permit you to configure settings so that your device accepts all cookies, to notify you when a cookie is issued, or to not accept cookies at any time. If you disable cookies, this will prevent us from being able to provide some personalized services we deliver through our websites. You should read the information that came with your browser software to learn how to configure its treatment of cookies.

From time to time, we use Facebook, Twitter, LinkedIn, YouTube, and other social media platforms to promote educational offerings to visitors to our site. To opt out of receiving their cookies, please visit those social media platforms and configure the settings accordingly.

Further information about cookies is available from these third party sites: http://www.allaboutcookies.org and http://www.youronlinechoices.eu (these provide information tailored to users in European Union countries).

Webforms. We also collect information that you voluntarily provide to us through the use of webforms on our websites. Some webforms ask for identifying information or are used in connection with websites that require you to log in and thereby identify you, and in those cases we collect personal data about you. We use that personal data for the specific purposes identified as the webforms are presented. For example, we use webforms for submission of certain types of applications, and use the personal data provided thereby for purposes of administering and tracking the applications received.

Surveys. Sometimes we contact members and others to request that they complete surveys. Some surveys are anonymous but others may allow voluntary submission of identifying information. We use personal data submitted in response to a survey for purposes of administering the survey and communicating with participants about the survey.

Email Communications. When you contact us via email or information request links on our websites, we will use the data you provide (such as your email address) in order to provide the information or support you requested.

STS National Database. Parties who participate in the STS National Database include groups of surgeons that have formed a practice or a more formal business entity (and occasionally individual surgeons), groups of anesthesiologists that have formed a practice or a more formal business entity (and occasionally individual anesthesiologists), as well as hospital owners or their representatives. We collect personal data regarding individual surgeons and anesthesiologists who have signed contract documents, and we use those data for purposes of verifying eligibility of the procedural records that are submitted for inclusion in the database. We also collect contact information of associated administrative personnel for administration and billing purposes. This information is stored in a database maintained for us by one of our third party service providers. In addition, we offer a service to eligible surgeons whose procedures are submitted to the STS National Database, and who return a completed Data Sharing Consent Form, under which we report data on quality measures to the Centers for Medicare & Medicaid Services on their behalf as part of the Merit-Based Incentive Payment System (“MIPS”) program. Personal data pertaining to such surgeons is used to provide services under the MIPS reporting program.

You may withhold data

You may choose not to provide us with any or all of the personal data that we request. However, if you choose not to provide some data, it may affect the way you navigate our websites or receive the products and services that we provide. Depending on the information you choose to withhold, we may not be able to, for example, complete a transaction you have initiated or deliver membership benefits to you.

How we use your information

We do not sell, rent, trade or otherwise disclose your personal data except as described below. When you provide us with personal data that we request from you or that you provide on your own initiative, you consent to us using that personal data for our lawful reasons as set out below.

STS Internal Use. As described above, we collect and use personal data that you provide to us so that we may perform our obligations under contracts with you, provide you the information, product or service that you have requested, or interact with you at your request. We also collect data from website visitors automatically as described above, and use it for the internal reasons and in the manner described above. Furthermore, we also collect, use and share non-personal, aggregated data such as statistical or demographic data for business purposes. Such aggregated data may be derived from your personal data but is not legally considered personal data as it does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data that will be used in accordance with this Privacy Policy.

Use by Third-Party Processors at Our Request. We share your personal data with third-party processors and controllers whom we have retained to perform various services on our behalf, and to fulfill our contracts with you, all in relation to the purposes set forth in this Privacy Policy. These types of companies and organizations include:

  • Publishing partners (for publication and delivery of The Annals of Thoracic Surgery and STS News)
  • Affiliated organizations such as the European Association for Cardio-Thoracic Surgery (“EACTS”) and CTSNet, Inc. (for membership benefits)
  • Website development companies (for development and management of our websites, including data collection that occurs through those websites)
  • Abstract submission system companies (for development and management of our abstract submission systems)
  • Learning management system companies (for development and management of our e-learning platforms)
  • Mobile application development companies (for development and management of our mobile applications)
  • Data warehousing and analytics services providers (for use with the STS National Database and the STS/ACC TVT Registry™)
  • Financial services companies (for handling payments made to us)
  • Event registration management companies (for use with the STS Annual Meeting and certain standalone courses)
  • Travel and destination management companies (for use with the STS Annual Meeting and certain standalone courses)

Mailing of Advertisements to Members and Annual Meeting Attendees. Limited personally identifiable information (such as name and postal address) is occasionally shared with third parties who license our mailing lists on a temporary basis for specific uses that we approve, so that you can be sent promotional materials about such third parties’ educational programs or goods and services. If you do not wish to continue to receive any postal mailings of promotional materials from third parties who license our mailing lists, please send an email to privacy@sts.org.

Our lawful reasons for processing your information

We may disclose data about you: (1) if we are required to do so by law or pursuant to court order, or (2) in response to a legitimate request from law enforcement authorities.

If it applies to you, please be aware that the GDPR states that we only are allowed to process your personal information if we have a proper reason to do so. This includes sharing it with third parties. We must be clear about why we process your data and what our lawful basis is for processing such data. The six lawful bases for processing are set out in the GDPR, and at least one of them must apply whenever we process the personal data of individuals to whom the GDPR applies. Further information is available at this third-party website: https://ico.org.uk/For-Organisations/Guide-To-The-General-Data-Protection-Regulation-Gdpr/Lawful-Basis-For-Processing. These lawful bases are:

  1. Contract: The processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
  2. Legal obligation: The processing is necessary for us to comply with the law (not including contractual obligations).
  3. Vital interests: The processing is necessary to protect someone’s life.
  4. Public task: The processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  5. Legitimate interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.
  6. Consent: You have given clear consent for us to process your personal data for a specific purpose.

Contractually, in order to provide our services to you, we need to process your data to accomplish various objectives, including to:

  • Administer your membership benefits by sharing a limited amount of your individual data with, among others, EACTS and CTSNet, Inc.
  • Process your membership dues payments and other financial transactions as required
  • Produce membership certificates and conference badges
  • Enroll you in courses and email you information that you have requested
  • Publish journal articles in The Annals of Thoracic Surgery
  • Administer the STS National Database
  • Deliver our products and services

When it is in our legitimate interest, we process your data to accomplish various objectives, including to:

  • Process your STS membership application
  • Communicate with you about your membership
  • Email you information about our educational programs and publications
  • Invite you to speak at our Annual Meeting and standalone courses
  • Invite you to submit articles to The Annals of Thoracic Surgery
  • Invite you to participate on an STS governance body such as a standing committee or workforce
  • Process financial transactions as required
  • Maintain accurate membership and correspondence records
  • Publish your abstracts

We may also use social media platforms such as Facebook, Twitter, LinkedIn, and YouTube, among others, to reach you about our educational opportunities and publications. If you do not want to see targeted advertising from us on social media, please refer to the instructions provided by those social media platforms.

We may disclose personal information if required to do so by law or if we believe that such action is necessary to protect and defend the rights, property, or personal safety of STS, our websites or our visitors and for other lawful purposes.

Links to other sites

We may provide links on our websites to non-STS websites for your convenience and information. These websites operate independently and are neither affiliated with us nor under our control. These websites may have their own privacy policies in place, which we strongly suggest you review, if you choose to visit such websites. We cannot be responsible for the privacy policies and practices of other websites even if you access them using links from our websites.

How we keep your data secure

We maintain appropriate administrative, technical and physical safeguards to protect your personal data against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and all other unlawful forms of processing of the personal data in our possession.

We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. All of our staff with access to your personal data understand the importance of keeping your information safe and secure at all times and are given applicable training.

However, the transmission of information over the internet is never completely secure and, as a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your data, we make reasonable efforts to ensure its security, both on our systems and while in transit between our systems and third parties who work on our behalf.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

If you are a resident of the European Economic Area (EEA), you should be aware that the personal data we collect from you is collected and stored in the United States, which may not have the same level of data protection as your home country.

How long we keep your information

We will hold your personal information on our systems for as short a time as is necessary or appropriate for the relevant activity and to meet any legal or regulatory requirement. This is so that we can provide the services, products, or information that you have requested, administer your relationship with us, ensure that we don’t communicate with you if you have asked us not to, and comply with the law.

Personal data rights of individuals to whom the GDPR applies

If you are a person to whom the GDPR applies, you have the right to:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Request that we transfer your personal data to someone you designate
  • Withdraw any consent you have granted to us regarding your personal data

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request under such circumstances.

We try to respond to all legitimate requests within 1 month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you would like to know more about the personal data we process about you; access a copy of the personal data we have collected from you; correct, update, erase, or transfer the data we hold about you; revoke your consent for us to use your data; or ask any other questions you may have about our privacy practices, we offer three options:

  1. To review and update personal data stored in your CRM account, please log in at http://portal.sts.org. Not all of your personal data that are contained within the CRM may be viewable via http://portal.sts.org. To request a report showing all the data related to you that are stored in the CRM, please send a request to privacy@sts.org. As noted above, we will try to respond to all such legitimate requests within 1 month.
  2. To review and update personal data relating to your participation in the STS National Database, please contact privacy@sts.org. To administer your request, we will need you to provide a description of the information you would like, as well as approved proof of identity.
  3. Privacy related queries also may be sent via email to privacy@sts.org or in writing to The Society of Thoracic Surgeons, 633 N. Saint Clair St., Suite 2100, Chicago, IL 60611, United States of America. For all other matters, not related to data privacy, please send email to sts@sts.org.

When you tell us that you no longer want to hear from us for marketing purposes, please be aware that we may still contact you for administrative purposes.

Lastly, if you are a citizen of the European Union, you also have the right to lodge a complaint about the way we manage your data with the applicable European Union Data Protection Authority (“DPA”). We would, however, appreciate the chance to hear your concerns and resolve any problems before you approach the DPA, so please contact us in the first instance as set out above.

Consent to this Privacy Policy

Your use of any of our websites or conduct of other interactions with us as described above constitutes your unconditional acceptance of the practices described in this Privacy Policy and the other terms and conditions of the terms of use. If you do not agree with and accept all of the practices described in this Privacy Policy, do not use our websites or conduct any of the other interactions with us that are described above, and refrain from voluntarily submitting any personal data to us.