PRIVACY POLICY
Last Updated: 11 March 2026
1. Introduction
We, at the Translational Medicine Academy (“TMA”, “Company”, “we”, “us”, or “our”), are committed to protecting your personal information and your right to privacy. TMA is a global nonprofit foundation registered in Switzerland (Picasso Platz 8, 4052 Basel, Switzerland).
If you have any questions or concerns about this Privacy Policy or our practices with regard to your personal information, please contact us at info@tmacademy.org.
This Privacy Policy describes how we collect and use your personal information when you visit our website at www.tmacademy.org (“Site”) or use our related services, including events, webinars, and educational programmes (“Services”). It should be read together with our Cookie Notice, available at www.tmacademy.org/cookie-notice.
Please read this Privacy Policy carefully. If you do not agree with its terms, please discontinue use of our Services immediately.
2. Who Is the Data Controller?
The data controller responsible for your personal information is:
| Organisation | Translational Medicine Academy (TMA) |
| Legal Form | Non-profit foundation (Switzerland) |
| Registered Address | Picasso Platz 8, 4052 Basel, Switzerland |
| Contact Email | info@tmacademy.org |
| Data Protection Contact | info@tmacademy.org (subject: “Data Protection Query”) |
| Website | www.tmacademy.org |
TMA has assessed whether appointment of a Data Protection Officer (DPO) is required under Article 37 GDPR. As TMA is not a public authority, does not carry out large-scale systematic monitoring of individuals, and does not process special category data at large scale as a core activity, formal appointment of a DPO is not currently required. TMA will keep this assessment under annual review. Any data protection enquiries should be directed to the contact above.
3. What Personal Information Do We Collect?
3.1 Information You Provide Directly
We collect personal information that you voluntarily provide when you:
- Register for a webinar or event
- Submit an enquiry via our contact form
- Subscribe to our newsletter or mailing list
- Otherwise communicate with us
The categories of personal information we collect include: full name, professional title / job role, employer or institution, email address, country or region of residence, and any other information you choose to include in a message to us.
3.2 Information Collected Automatically
When you visit our Site, certain information is collected automatically by our web server and analytics tools, including: IP address (anonymised where possible), browser type and version, device type and operating system, pages visited and time spent on those pages, referring URL, and geographic region (country/city level). This information is collected via cookies and similar technologies. Please see our Cookie Notice for full details.
3.3 Information from Third-Party Sources
We may supplement the information we hold about you with data obtained from the following external sources, solely to support our professional medical education programmes and ensure our communications are relevant:
- Publicly available professional databases and medical society membership directories
- Conference and event organisers with whom we collaborate
- Joint programme partners who have obtained appropriate consent or have a legitimate interest in sharing professional contact details
Before using data from third-party sources, we verify that the third party holds a lawful basis for sharing it and that the transfer is governed by a written data processing agreement or data sharing agreement. The categories of data obtained from third parties are limited to: name, professional title, employer, and professional email address.
4. How Do We Use Your Personal Information?
We process your personal information only where we have a documented lawful basis under Article 6 GDPR. The table below maps each processing activity to its lawful basis.
| Processing Activity | Lawful Basis (Art. 6 GDPR) | Details |
| Webinar / event registration and administration | Contract — Art. 6(1)(b) | Processing your name, email, and region is necessary to fulfil your registration and deliver the event. |
| Sending service-related communications (e.g. event confirmations, access links, follow-up materials) | Contract — Art. 6(1)(b) | Necessary to administer the service you have registered for. |
| Sending marketing emails, newsletters, and programme updates | Consent — Art. 6(1)(a) | We will only send marketing communications where you have given us a clear, specific opt-in. You may withdraw consent at any time. |
| Responding to contact form enquiries | Legitimate Interests — Art. 6(1)(f) | Our legitimate interest is to respond to professional enquiries. We have assessed that this does not override your rights. |
| Website analytics and performance monitoring | Consent — Art. 6(1)(a) | Analytics cookies are only placed with your prior consent via our cookie consent banner. See our Cookie Notice. |
| Fraud prevention, security, and enforcement of our terms | Legitimate Interests — Art. 6(1)(f) | Our legitimate interest is to protect the integrity of our services and the safety of our community. |
| Compliance with legal obligations | Legal Obligation — Art. 6(1)(c) | Where required by applicable law, including Swiss and EU law. |
5. Will Your Information Be Shared with Anyone?
We do not sell your personal information. We only share it in the following circumstances:
6. International Transfers of Personal Data
TMA is headquartered in Switzerland and operates globally. Your personal data may be transferred to, stored in, or processed in countries outside the European Economic Area (EEA) and Switzerland, including countries that may not provide a level of data protection equivalent to that in your home country.
Whenever we transfer personal data outside the EEA or Switzerland, we take steps to ensure that appropriate safeguards are in place, as described below.
6.1 Transfers to Countries with Adequacy Decisions
Where personal data is transferred to a country that has received an adequacy decision from the European Commission (or, in the case of Switzerland, from the Swiss Federal Council / the Federal Data Protection and Information Commissioner (FDPIC)), we rely on that adequacy decision as the transfer mechanism. No further safeguards are required for such transfers.
Switzerland itself benefits from an EU adequacy decision (Commission Decision 2000/518/EC, as maintained). Transfers from the EEA to TMA in Switzerland therefore rely on this adequacy decision.
6.2 Transfers Based on Standard Contractual Clauses (SCCs)
Where we transfer personal data to recipients in countries that do not benefit from an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (SCCs) as the transfer mechanism under Article 46(2)(c) GDPR. These are model contracts approved by the European Commission that impose data protection obligations on both the data exporter and the data importer.
For transfers from Switzerland, we use the Swiss SCCs approved or recognised by the FDPIC, or the EU SCCs where these are accepted as equivalent under Swiss law.
We also conduct a Transfer Impact Assessment (TIA) where required, to evaluate whether the laws and practices of the destination country provide adequate protection in light of the SCCs.
6.3 Key Third-Party Recipients and Transfer Mechanisms
The table below identifies the key third-party service providers to whom we may transfer your personal data, and the safeguard we rely upon:
| Recipient / Service | Country | Transfer Mechanism | Details |
| Google LLC (Google Analytics, Google Workspace, YouTube) | USA | SCCs + TIA | Google relies on EU SCCs (Module 2: controller to processor). Google’s processing addendum is incorporated by reference. TIA conducted. |
| Zoom / Webinar Platform (if applicable) | USA | SCCs + TIA | Standard Contractual Clauses apply per Zoom’s Data Processing Addendum. Recordings stored on EU-region servers where possible. |
| Mailchimp / Email Service Provider (if applicable) | USA | SCCs + TIA | Intuit/Mailchimp relies on EU SCCs (Module 2). Data Processing Agreement in place. |
| WordPress.com / Automattic (if applicable) | USA | SCCs | Automattic relies on EU SCCs per their Data Processing Agreement. |
| Kinsta (Website Hosting) | USA / EU | SCCs / Adequacy | Kinsta hosting may use data centres within the EU (adequacy) and in the US (SCCs). DPA in place. |
| Microsoft (Office 365, Teams, if applicable) | USA | SCCs + TIA | Microsoft relies on EU SCCs per their Data Protection Addendum (DPA). EU Data Boundary commitment applies. |
| Third-party event co-organisers (EEA-based) | EEA | Adequacy (intra-EEA) | Where co-organisers are located in the EEA, no transfer mechanism is required beyond standard GDPR compliance. |
6.4 Your Rights in Relation to International Transfers
You have the right to request a copy of the Standard Contractual Clauses or other safeguards we rely upon for international transfers. Please contact us at info@tmacademy.org to make such a request.
If you are located in the EEA or UK and believe that we are transferring your personal data in a manner that does not comply with GDPR, you have the right to lodge a complaint with your national data protection supervisory authority (see Section 10 below).
7. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (such as web beacons and pixels) on our Site. Non-essential cookies are only placed with your prior consent, which you may provide or withdraw via our cookie consent banner.
Full details of the cookies we use, their purpose, duration, and third-party providers are set out in our Cookie Notice, available at: www.tmacademy.org/cookie-notice.
8. How Long Do We Keep Your Information?
We retain your personal information only for as long as necessary for the purposes for which it was collected, taking into account our legal obligations and the criteria set out in the table below.
| Data Category | Retention Period | Rationale |
| Webinar / event registration and administration | 3 years from the date of the event | To provide on-demand access to session recordings, respond to post-event queries, and maintain programme records. |
| Contact form enquiries | 2 years from the date of the enquiry | To manage follow-up and maintain a record of correspondence. |
| Marketing consent records | Duration of consent + 3 years after withdrawal | To demonstrate compliance with consent requirements and handle disputes. |
| Website analytics data (aggregated) | 26 months (Google Analytics default) | Aggregate data only; individual-level retention is shorter (see Cookie Notice). |
| Supplier / partner contact data | Duration of relationship + 5 years | For contract and legal record-keeping purposes. |
| Legal compliance records | As required by applicable law | E.g. financial or tax records may be required to be kept for up to 10 years under Swiss law. |
9. How Do We Keep Your Information Safe?
We implement appropriate technical and organisational security measures to protect your personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit using TLS/HTTPS
- Access controls limiting personal data access to authorised personnel on a need-to-know basis
- Regular review of our data processing practices and security arrangements
- Data processing agreements with all third-party processors requiring them to maintain appropriate security measures
However, no method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security. Transmission of data to and from our Site is at your own risk.
10. Your Data Protection Rights
Depending on your location, you may have the following rights in relation to your personal information under the GDPR, UK GDPR, and / or the Swiss nFADP:
| Right | What It Means |
| Right of Access (Art. 15) | You may request a copy of the personal data we hold about you and information about how it is processed. |
| Right to Rectification (Art. 16) | You may ask us to correct inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | You may request deletion of your personal data where there is no compelling reason for its continued processing. |
| Right to Restriction (Art. 18) | You may ask us to restrict processing of your personal data in certain circumstances (e.g. while the accuracy of data is contested). |
| Right to Data Portability (Art. 20) | Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format. |
| Right to Object (Art. 21) | You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Right to Withdraw Consent (Art. 7(3)) | Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing. |
| Right to Lodge a Complaint | You have the right to complain to a supervisory authority. See Section 10.1 below. |
To exercise any of the above rights, please contact us at info@tmacademy.org with the subject line “Data Subject Request”. We will respond within one calendar month of receiving your request. In complex or multiple cases, we may extend this period by a further two months and will notify you accordingly. We will not charge a fee unless your request is manifestly unfounded or excessive.
We may need to verify your identity before processing your request. We will ask for reasonable proof of identity and will not process the request until this is confirmed.
10.1 Supervisory Authorities
If you are a resident of the European Economic Area (EEA) and believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the data protection supervisory authority in the EU member state where you are habitually resident, where you work, or where the alleged infringement took place.
If you are based in Switzerland, you may lodge a complaint with:
| Swiss Authority | Federal Data Protection and Information Commissioner (FDPIC) |
| Website | www.edoeb.admin.ch |
| Address | Feldeggweg 1, 3003 Bern, Switzerland |
For EEA residents, the European Data Protection Board (EDPB) maintains a list of national supervisory authorities at: edpb.europa.eu/about-edpb/about-edpb/members_en.
11. Children and Minors
Our Services are directed at healthcare professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such data, please contact us at info@tmacademy.org and we will take prompt steps to delete it.
12. Third-Party Websites and Linked Programmes
Our Site contains links to and from third-party websites and partner programme sites (including, without limitation, icardioalliance.org, espaceobesity.org, espace-crm.org, and sites hosted on subdomain properties). These sites are operated independently and have their own privacy policies. We are not responsible for the content or privacy practices of those sites and encourage you to review their privacy policies before providing any personal data.
Where TMA acts as a joint controller or data processor for a linked programme, a separate data processing or joint controller agreement will govern the relationship and appropriate privacy information will be made available on the relevant programme site.
13. Swiss Federal Act on Data Protection (nFADP)
In addition to GDPR obligations arising from our services to EEA residents, TMA is subject to the revised Swiss Federal Act on Data Protection (nFADP), which entered into force on 1 September 2023. The nFADP introduces requirements broadly equivalent to those in GDPR, including obligations relating to:
- Provision of privacy notices to data subjects
- Documentation of processing activities (equivalent to a Record of Processing Activities)
- Data Protection Impact Assessments for high-risk processing
- Notification of data breaches to the FDPIC and affected individuals
- Obligations on processors and sub-processors
TMA is committed to compliance with both GDPR (where applicable) and nFADP. Where the two frameworks differ, we apply the higher standard.
14. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our data practices. When we make material changes, we will update the “Last Updated” date at the top of this document. We encourage you to review this policy periodically. Continued use of our Services following any update constitutes acceptance of the revised policy.
15. How to Contact Us
For any questions, requests, or concerns about this Privacy Policy or our data processing practices, please contact us:
| Organisation | Translational Medicine Academy (TMA) |
| Registered Address | Picasso Platz 8, 4052 Basel, Switzerland |
| General Enquiries | info@tmacademy.org |
| Data Protection Enquiries | info@tmacademy.org (subject: “Data Protection Query”) |
| Data Subject Requests | info@tmacademy.org (subject: “Data Subject Request”) |

