We will only use the personal data gathered over this website as set out in this policy. Below you will find information on how we use your personal data, for which purposes your personal data is used, with whom it is shared and what control and information rights you may have.
I. Summary of our processing activities
The authentication and access management services are a global platform for user identification and login for the specialist publishing houses of the Springer Nature group.
You will find more detailed information under the indicated sections below.
- As soon as you book services on one of the participating Internet portals (e.g. restricted access information, subscriptions), further personal data will be processed in this context (see under III.2 and III.3).
- If applicable, part of your personal data will be processed to provide online-advertising (see under V).
- If applicable, your personal data will be disclosed to third parties (see under VII).
- We have taken appropriate security measures to protect your personal data (see VIII) and only store it for as long as necessary (see under IX).
- Depending on the circumstances of the specific case, you may have certain rights in relation to the processing of your personal data (see under X).
- Personal data: means any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
- Processing: means any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or any kind of disclosure or other use.
III. Registration for our services
Through the authentication and access management services, we provide central registration and authentication for users. After initial registration, the user can access all restricted areas and content of the associated platforms (participating specialist publishing houses of the Springer Nature group) that have implemented the services, using the same authentication data and without having to register repeatedly.
The authentication and access management service generates a unique user ID for each user which can be recognised and verified by all participating internet portals. This allows users, in addition, to have the data stored in their services account (e.g. their name and address and subscriptions purchased) used automatically, e.g. to access their subscribed journals without having to re-enter and re-verify the access data manually.
During your registration for the SSO service, we collect and store certain personal data about you. The following information must always be provided:
- an email address
- a password that meets the security requirements
For certain professions, further mandatory information may be required in addition to that referred to above, e.g. in the case of doctors, their specialty and medical association [Ärztekammer] or, in the case of students, the name of their study programme. What information specifically is required will be indicated in the registration form, which automatically adapts to your basic input data. The following information about you will be collected and stored:
- your full name
- your date of birth
- your profession/job (e.g. doctor, pharmacist or member of the pharmaceutical industry)
- your area or place of work (e.g. doctor’s surgery, hospital or university/research)
Optionally, you can always enter your title (Mr., Mrs., Ms. or other title). In addition, you can enter further details about your professional work, e.g. about your main areas of interest. Furthermore, you can indicate that you are a member of a cooperating association.
Further personal data might be processed when you add information to your personal profile.
Data required for providing a service are marked as mandatory; provision of additional information is optional.
We will process the personal data you provide to:
- Identify you at sign-in
- Provide you with the services and information offered through the website or which you request
- Administer your account
- Communicate with you
For this, the legal basis is Article 6 sec. 1 sent. 1 lit. b GDPR.
2. Verification of membership of an eligible profession
Before we can activate your account, we will ask you to provide appropriate proof that you are a member of one of the specified professions (e.g. a copy of your doctor’s ID card or medical licence). This proof must be sent to us by post, fax or email.
Alternatively, you may specify your EFN (ÖÄN, BIG), your unique CPD number, in the registration form. If we receive this number and are able to verify it, no further proof of profession is required and your user account can be activated immediately. However, to be able to do this, we need to transmit your EFN to the main server of the German Medical Association [Bundesärztekammer – BÄK] or to other certifying medical associations (in Austria or the Netherlands) and have to receive appropriate confirmation from them.
3. Addition of data during use of the user account
Once you have registered and use the offers of the participating Internet portals of the Springer Nature group, further inventory and content data may be added.
Information about the subscriptions, newsletters and/or other services of the participating Internet portals you use will be stored with your data record.
Moreover, various metadata will be added to the data record comprising your inventory and content data. These include, without limitation, the following information:
- the password assigned to you
- the creation date of the data record
- the author of the data record (i.e. normally you, or in some cases an SSBM customer service agent whom you contacted)
- a user ID assigned to you
- the customer number assigned to you
- a key known as “ident key” which allows you to unsubscribe from newsletters without logging in
- the date of your last login through the SSO service and the date of the last change to the data record
- a note indicating that you have given your consent to the transmission of the data pursuant to clause III
IV. Automated decision making
We use your personal data to perform automated decision making. These decisions are used to identify your access rights for
- internet portals providing content for members of certain professions and requiring proof of profession
- services provided through cooperation with specific societies or institutions and limited to members of the society or students of the institution
They are based on an automated check of the membership information you provided (proof of profession, society membership, access via institutional IP range). If the authentication and access management service cannot identify a valid legitimation in your user account, access will not be granted.
If access is denied in spite of a valid legitimation, please contact our customer service (see section XI).
V. Online advertising
If you have entered your occupational group and/or a specialisation in your user profile, we use this information in order to display advertisements with suitable content for the specified occupational group or specialisation. The legal basis for this use of your personal data is Art. 6 (1) sentence 1 lit. f GDPR. We use it to pursue our legitimate interest of enhancing your user experience and optimising our services. Apart from the information about occupational group/specialisation provided by you, we will not use other information from your user profile for this purpose. Information is transferred to advertisers in aggregated form only (e.g. number of users with a specific specialisation).
If you have any questions about this process, please contact one of the contacts named in section XI.
Whenever the registration portal is visited, our web server stores certain data in what is known as log files. A log file contains
- information about the Internet browser and operating system used by a user,
- the domain name of the website from which the user came to the registration site,
- the start and end of use of the authentication and access management service and
- the volume of data transmitted by the service.
In this context, we would like to point out as a precaution that our log files do not log IP addresses, i.e. they are completely anonymous.
The Internet portal concerned transmits the data you have provided in your registration form (normally your email address and password) and a service URL to the authentication server. The authentication server then uses these data to verify the login request. If the login request is accepted on that basis, the user ID assigned to you will be transmitted to the server of the Internet portal concerned.
Based on these data, your personal settings, if any (e.g. preferred location, profession, speciality), of the Internet portal concerned can be displayed. Moreover, the Internet portal you have thereby logged into will then be able to request also all other relevant inventory and content data required to use the Internet portal via a specific web service. This makes it possible, for instance, to give you access to your subscriptions and all other services of the Internet portal.
The authentication and access management service uses various authentication cookies. Cookies are small text files stored locally, in memory, by your browser. Authentication cookies automatically identify your Internet browser beyond the participating Internet portals. They thereby serve as identifiers that save you from having to log in repeatedly to the participating websites.
When you log in to any of the participating Internet portals, you will be assigned an identifier for (at least) the current session that allows you to use the other participating Internet portals and their offerings without the need for further logins (Single-Sign-On).
While the standard authentication cookie is automatically deleted from the single-sign-on when you log out, a longer-lasting authentication cookie (valid for 30 days) may be set that persists beyond the life of a session. This will only be the case if you actively select the “stay logged-in” option. You should be careful not to select this option if you use a public computer or a computer that is shared by multiple users.
VII. Information sharing
Your personal data will be disclosed to the following third parties for the purposes mentioned above:
- Participating Internet portals have access to the data to assign access rights to you.
- If you entered information about membership in a cooperating society during registration, we transfer your name and birthdate to that society to verify your membership and obtain a confirmation.
- Springer Customer Service Center GmbH (SCSC), Tiergartenstr. 15-17, 69121 Heidelberg, Germany.
The legal basis for the transfer of your personal data is Article 6 sec. 1 sent. 1 lit. b and f GDPR; the transfer serves our legitimate interest in implementing our general terms and conditions of business or any other agreements concluded with you and in improving our services.
We may disclose anonymous aggregate statistics about users of the website in order to describe our services to prospective partners, advertisers and other reputable third parties and for other lawful purposes, but these statistics will include no personal data.
In the event that we undergo re-organisation or are sold to a third party, any personal data we hold about you may be transferred to that re-organised entity or third party in compliance with applicable law.
We may disclose your personal data if legally entitled or required to do so (for example if required by law or by a court order).
We have reasonable, state-of-the-art security measures in place to protect against the loss, misuse and alteration of personal data under our control. For example, our security and privacy policies are periodically reviewed and enhanced as necessary, and only authorised personnel have access to personal data. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it.
You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via our website whilst it is in transit over the internet and any such submission is at your own risk.
IX. Data retention
The data of your user account mentioned in section III are stored for specific use with the authentication and access management service and are kept separate from other (and maybe partially identical) data stored about your person.
We strive to keep our processing activities with respect to your personal data as limited as possible. In the absence of specific retention periods set out in this policy, your personal data will be retained only for as long as we need it to fulfil the purpose for which we have collected it and, if applicable, as long as required by statutory retention requirements.
X. Your rights
Under the legislation applicable to you, you may be entitled to exercise some or all of the following rights:
1. require (i) information as to whether your personal data is retained and (ii) access to and/or duplicates of your personal data retained, including the purposes of the processing, the categories of personal data concerned, and the data recipients as well as potential retention periods;
2. request rectification, removal or restriction of your personal data, e.g. because (i) it is incomplete or inaccurate, (ii) it is no longer needed for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn; if data have been shared with third parties (see section VII), we will communicate your request to those parties except in cases where this turns out to be impossible or can only be achieved by disproportionate effort;
3. refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw your consent to processing of your personal data at any time;
4. object, on grounds relating to your particular situation, to the processing of your personal data. In this case, please provide us with information about your particular situation. After assessing the facts presented by you, we will either stop processing your personal data or present you with our compelling legitimate grounds for ongoing processing;
5. take legal actions in relation to any potential breach of your rights regarding the processing of your personal data, as well as to lodge complaints before the competent data protection regulators;
6. require (i) to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and (ii) to transmit those data to another controller without hindrance from our side; where technically feasible you shall have the right to have the personal data transmitted directly from us to another controller; and/or
7. not to be subject to any automated decision making, including profiling (automatic decisions based on data processing by automatic means, for the purpose of assessing several personal aspects), which produces legal effects on you or affects you with similar significance.
You may (i) exercise the rights referred to above or (ii) pose any questions or (iii) make any complaints regarding our data processing by contacting us using the contact details set out below.
XI. Contacting us
The information you provide when contacting us (email@example.com or in writing to Springer Fachmedien Wiesbaden GmbH, Abraham-Lincoln-Straße 46, 65189 Wiesbaden) will be processed to handle your request and will be erased when your request is completed. Alternatively, we will restrict the processing of the respective information in accordance with statutory retention requirements.
XII. Amendments to this policy