Privacy Policy

PRIVACY POLICY

Dental practice name: Verhaeg Tandartsen

Practice address: Tolakkerweg 157a.

E-mail address: info@verhaegtandartsen.nl
Phone number: 0346 - 213 450
 

Article 1. General
The dental practice ensures that (special category) personal data of patients is processed with due care. We comply with the applicable laws and regulations, including the General Data Protection Regulation. This Privacy Policy was compiled to provide you with more information about our policy.

Article 2. Definitions

For clarity, certain terms are briefly described below:

Personal data : any information relating to an identified or identifiable patient (data subject).

Controller: the person responsible for processing the data as referred to in Article 4(7) of the General Data Protection Regulation. For the purpose of these privacy regulations: the dental practice.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

'Processor' : a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data subject: the person to whom the personal data relate, in general the patient.

Implementation Act: General Data Protection Regulation Implementation Act.

Regulation: regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (PbEU 2016, L 119).

Privacy policy: this document.

Pseudonymised data: replacing any information which could be used to identify an individual with a pseudonym, or, in other words, a value which does not allow the individual to be directly identified. This additional data is stored in such a way that it cannot be linked to a person to be identified.

Article 3. Collection of data

Personal data originates, or is derived, from information provided orally and in writing by the data subject or his/her legal representative. Personal data may also be provided by the health insurer, the general practitioner, other practitioners, specialists, emergency services or other persons or parties other than those mentioned above.

Article 4. Purpose and method of processing personal data

Personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject. In addition, the collection of personal data is carried out for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

Processing shall be lawful only if and to the extent that at least one of the following applies:

The data subject has given consent;

Processing is necessary for the performance of a treatment (contract);

Processing is necessary in order to protect the vital interests of the data subject, such as emergencies;

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (e.g. business continuity);

Processing is necessary for compliance with a legal obligation or for the performance of a contract to which the data subject is party.

Personal data will only processed to the extent that it is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is are processed.

The dental practice processes personal data for the following purposes:

To provide treatment to the data subject;

To inform and contact the data subject(s);

For financial records;

To ensure proper functioning of the website.

Article 5. Conditions for consent

The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

The data subject shall have the right to withdraw his or her consent at any time.

Article 6 Other data

Anonymised information is not covered by the terms of this Privacy Policy

Article 7. What data does this concern?

Processing can concern the following data categories:

Surname, first names, initials, title, gender, date of birth, address, post code, place of residence, telephone number and similar information necessary for communication, as well as payment details of the data subject;

An administration number that does not contain any information other than stated in (a);

Data referred to in (a) of the parents, guardians or carers of data subjects who are minors;

Data referred to in (a) of the relations or family members of the data subject as well as other persons who are notified about the health and well-being of the data subject;

Data on the health status of the data subject and, in the case of hereditary diseases, his or her relations and family members;

Other special category personal data for the purpose of the proper treatment or care of the data subject;

Data on the treatment given and to be given to the data subject as well as the medication or facilities provided;

Data on the calculation, recording and collection of the fees;

Data on the insurance details of the data subject;

Other data necessary for treatment.

Article 8. Obligation to provide information

Before personal data is processed, the controller shall provide the data subject and/or his or her legal representative with the following information:

The identity and the contact details of the controller;

The purposes of the processing for which the personal data is intended;

The contact details of the data protection officer, where applicable;

The way in which personal data is processed;

The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

Any other data to be provided for the purpose of due diligence. This also means: the more sensitive the nature of the personal data that the controller wishes to process, the more thoroughly the data subject must be informed.

If personal data is requested through a third party, or is transferred to a third party, the obligation to provide information is fulfilled in the same way, before the personal data is obtained or transferred, unless this can only be done with disproportionate effort.

Article 9. Right of access

The data subject has the right to access his or her personal data and request the following information:

The purposes of the processing of personal data;

All available information regarding the origin of the personal data;

The categories of personal data concerned;

The recipients or categories of recipient to whom the personal data have been or will be disclosed;

Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

That the data subject has the right to rectification of personal data, the right of erasure (‘right to be forgotten’) and the right to restriction of processing.

An application for the right of access may be refused on the following grounds:

The applicant is not a data subject or his or her application does not relate to data relating only to the applicant;

The applicant has not yet reached the age of 16 years and/or has been placed under control of a legal guardian (deputyship). In that case, only the legal representative is entitled to submit the request;

The controller has already recently complied with a similar request from the same applicant;

To protect the data subject or of the rights and freedoms of others;

For reasons of national security, and/or the prevention, detection, investigation and prosecution of criminal offences.

Article 10. Other rights

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The controller shall no longer process the personal data.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

The data subject shall have the right to obtain from the controller without undue delay the erasure of personal data concerning him or her 
 and, the controller shall have the obligation to erase personal data without undue delay when the data subject withdraws consent and when the personal data is no longer necessary in relation to the purposes for which it was collected.

The data subject shall have the right to obtain from the controller restriction of processing when the accuracy of the personal data is contested by the data subject.

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format.

Article 11. The exercise of rights by the data subject

The controller shall take appropriate measures to provide any information referred to in this Privacy Policy relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Article 12. Access to and recipients of personal data

Access to personal data shall, in principle, be restricted to those persons directly involved in providing treatment to the data subject to the extent that such access is necessary for their tasks.

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation, the Implementation Act or any regulations derived from this.

In other cases, the following persons and institutions may be granted access to or provided with data:

Researchers as referred to in Article 7:458 of the Dutch Civil Code;

Health insurers to the extent necessary for the purposes of fulfilling obligations under the insurance contract;

Third parties charged with the recovery of losses or claims to the extent that access to or provision of data is necessary and does not concern medical data;

Others, whereby the principle of the processed data is:

The data subject has given consent;

Necessary to comply with legal obligations;

Necessary in order to protect the vital interests of the data subject.

Others, where further processing is for the purposes of scientific or historical research, provided the controller has taken the necessary measures to ensure that further processing is carried out solely for those purposes.

Article 13. Records

The controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain the following information:

The name and contact details of the controller and, where applicable, the data protection officer;

The purposes of the processing;

The categories of personal data concerned;

The categories of recipients to whom the personal data have been or will be disclosed;

Where possible, the envisaged time limits for erasure of the different categories of data;

Where possible, a general description of the technical and organisational security measures taken.

Article 14. Notification of a personal data breach

In the case of a personal data breach, the controller shall without undue delay and, in so far as it necessary to comply with a legal obligation, notify the personal data breach to the data subject and the competent supervisory authority.

The notification referred to in paragraph 1 shall include at least:

Describe the nature of the personal data breach;

Describe the likely consequences of the personal data breach;

Describe the measures taken or proposed to be taken by the controller to address the personal data breach;

Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.

Article 15. Data retention periods

Medical data obtained to enter into or fulfil a treatment agreement shall be retained for 15 years. The controller is not obliged to observe longer data retention periods than required by law, in particular as referred to in Article 7:454(3) of the Dutch Civil Code.

Other personal data shall not be retained for longer than is necessary in relation to the purpose for which it was originally collected/processed. If personal data is no longer required, it must be erased.

Article 16. Confidentiality

The controller, the processor and any person who has access to personal data acting under the authority of the controller shall be obliged to respect the confidentiality of the personal data.

Data relating to the health of the data subject(s) is considered to be 'special personal data'. When special personal data is processed, all parties involved in the processing must comply with a duty of confidentiality. This obligation of confidentiality will either arise from the profession, the occupation or the contract of employment of that person.

Article 17. Security

The controller shall implement appropriate technical and organisational measures to secure the personal data.

'Appropriate' means that the security measures implemented are appropriate to the risk of the personal data being (further) processed carelessly or unlawfully and the damage that would result therefrom. The measures taken must ensure that:
Only authorised persons have access to personal data;
The personal data is correct and not lost;
​The personal data is available without hindrance for lawful processing according to the agreements made within the organisation.

In all cases, the controller is responsible for the data security policy and its implementation at the dental practice.

Article 18. Final provisions

The controller does not accept more obligations than those obliged by law, unless otherwise agreed in writing with the data subject.

The data subject shall have the right to lodge a complaint with the supervisory authority.

Amendments to this Privacy Policy are made by the controller. Amendments made to the Privacy Policy are effective in relation to the data subject(s) after the data subject(s) have been notified of the amendments.

This Privacy Policy entered into force on 01-05-2018 and can be consulted at the dental practice.

For any questions or to exercise of the rights of the data subject, please contact Thomas de Haan via info@verhaegtandartsen.nl or call 0346 – 213 450