- What is personal data?
- What personal data is processed and why?
- Who has access to the data and what do we do with it?
- With whom do we share data, why and when?
- How do we protect the data?
- How long do we store the data?
- What are your rights?
- Cookies and websites
- Contact and questions about privacy
1. What is personal data?
The Data Protection Authority provides the following definition on its website:
The General Data Protection Regulation (GDPR) states that personal data is any information relating to an identified or identifiable natural person. This means that the information either relates directly to someone or can be traced back to that person. Data relating to deceased persons or organisations is not considered personal data under the GDPR.
Obvious examples of personal data are a person’s name, address and place of residence. Telephone numbers and postcodes with house numbers are also personal data. Sensitive data such as a person’s race, religion or health are referred to as special categories of personal data. These are subject to additional protection by law.
When processing personal data, you are dealing with various parties:
The data subject = the person to whom the personal data relates. [Employer or employee]
The controller = the person who determines the purpose and means of the processing. [The company doctor]
The processor = the party that (as a supplier) processes personal data on behalf of and for the benefit of the controller (its customer). [Software supplier or hosting party]
2. What personal data is processed and why?
The company doctor processes various personal data for different purposes and on different grounds. A name and telephone number or email address are required to communicate with employees, customers and colleagues.
We require other information if you or your insurer and/or employer are interested in our services. This data will naturally expand if you are an actual customer, for example when you request a second opinion. As an employee, additional personal data is required for the medical file (which falls under special personal data).
3. Who has access to the data and what do we do with it?
We have restricted access to data with authorisations, so depending on the department and role, someone will be able to view or edit the data. All employees have also submitted a Certificate of Good Conduct and signed a confidentiality agreement. General emails will be seen by our secretarial or sales department. Complaints and compliments are received by our quality manager. Customer data for administrative purposes is handled by sales, while financial data is handled by the financial administration department.
Absenteeism files are processed by the case managers (limited) and only our doctors and the medical secretariat (limited) have access to the medical files.
Functional Management has access to the absenteeism system and user accounts.
4. With whom do we share data, why and when?
In principle, we do not share data with third parties. However, there are a few exceptions to this rule. These include legal requirements or legal proceedings.
For example, we are legally obliged in certain cases to pass on specific information to the UWV (Employee Insurance Agency). We are allowed to do this without your consent because the UWV needs this data to be able to do its work. We will only share the necessary data and not a complete file.
There are strict rules for sharing personal data, which we strictly adhere to.
5. How do we protect the data?
Our data is stored with extra security and only on Dutch servers. The parties responsible for this storage must also comply with strict quality and security requirements, which are regularly tested.
Access to the various data is protected by specific roles and rights assigned to users. Users must always log in using two-factor authentication (= username, password and confirmation code via text message/app or YubiKey).
6. How long do we store the data?
We may and must retain personal data for as long as necessary for the purpose for which we collect and/or process it. This means for as long as we need it to do our work or, for example, to answer your question. This is followed by the period during which the personal data may still be needed or during which the personal data is archived. In this phase, we retain data for administrative reasons or legal requirements. (See the statutory retention periods below.)
Finally, there is the phase in which the personal data is no longer needed in any way. This means that we are no longer allowed to store the personal data, at least not in the form of personal data. We must erase, destroy or anonymise the data unless a different statutory retention period is specified in legislation and regulations.
7. What are your rights?
The GDPR has established a number of rights for data subjects, which you are entitled to exercise:
- the right to information: We must inform you about what data we process and for what purpose.
- the right of access: You have the right to view the data we process.
- the right to rectification: If incorrect data about you has been processed, we will correct it.
- the right to erasure (right to be forgotten): You have the right to ask us to erase data. In some cases, we are not permitted to do so by law, but we will inform you if this is the case.
- the right to restriction of processing: If you want part of your data to be erased or amended, or if you feel that too much data is being processed, you may ask us to address or investigate this and, in the meantime, not to do anything with your data.
- the right to data portability: You may request a copy of your files or data, which we will then provide in a usable format (please note that costs may be incurred, but we will let you know in advance).
- the right to object: You may object to the fact that we process data or part of it.
- the right not to be subject to automated individual decision-making/profiling: If a decision is made automatically, you may refuse it and request that a ‘living’ person review it.
8. Cookies and websites
When you visit our website, we place cookies on your computer, tablet or mobile phone. (A cookie is a small file that is placed on your computer and sends us a signal when you visit our website.) We only use necessary cookies, but you can also change this setting.
These cookies allow us to see which pages you visit and what you find interesting or where you drop out. We do not store any personal data with these cookies. However, these statistics do allow us to improve our website.
If you fill in a form on our site, we will only use the information you provide for the purpose for which the form is intended. You will therefore never receive unsolicited emails or quotations.
9. Contact and questions about privacy
The Privacy Statement described above is a simple summary. If you would like to read the full version, you can download it in PDF format.
If you have any questions about how or what personal data we process, or if you wish to exercise any of your rights (see point 7), please contact us.
